- Code documented
[strongswan.git] / Source / charon / sa / authenticator.h
1 /**
2 * @file authenticator.h
3 *
4 * @brief Interface of authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef _AUTHENTICATOR_H_
24 #define _AUTHENTICATOR_H_
25
26 #include <types.h>
27 #include <encoding/payloads/auth_payload.h>
28 #include <encoding/payloads/id_payload.h>
29 #include <network/packet.h>
30 #include <sa/ike_sa.h>
31
32
33 typedef struct authenticator_t authenticator_t;
34
35 /**
36 * @brief Class authenticator_t. Used to authenticate a peer.
37 *
38 * Currently the following two AUTH methods are supported:
39 * - SHARED_KEY_MESSAGE_INTEGRITY_CODE
40 * - RSA_DIGITAL_SIGNATURE
41 *
42 * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.)
43 * over an internal stored protected_ike_sa_t object or directly from the configuration_manager_t over
44 * the daemon_t object charon.
45 *
46 * @ingroup sa
47 */
48 struct authenticator_t {
49
50 /**
51 * @brief Verify's given authentication data.
52 *
53 * To verify a received AUTH payload the following data must be provided:
54 * - the last received IKEv2 Message from the other peer in binary form
55 * - the nonce value sent to the other peer
56 * - the ID payload of the other peer
57 *
58 * @param this authenticator_t object
59 * @param last_received_packet binary representation of the last received IKEv2-Message
60 * @param my_nonce The sent nonce (without payload header)
61 * @param other_id_payload The ID payload received from other peer
62 * @param initiator Type of other peer. TRUE, if it is original initiator, FALSE otherwise
63 * @param[out] verified
64 * - TRUE, if verification succeeded
65 * - FALSE, if verification data could not be verified
66 *
67 * @return
68 * - SUCCESS if verification could be processed (does not mean the data could be verified)
69 * - NOT_SUPPORTED if AUTH method not supported
70 * - NOT_FOUND if the data for specific AUTH method could not be found (e.g. shared secret, rsa key)
71 * - TODO rsa errors!!
72 */
73 status_t (*verify_auth_data) (authenticator_t *this,
74 auth_payload_t *auth_payload,
75 chunk_t last_received_packet,
76 chunk_t my_nonce,
77 id_payload_t *other_id_payload,
78 bool initiator,
79 bool *verified);
80
81 /**
82 * @brief Computes authentication data and creates specific AUTH payload.
83 *
84 * To create an AUTH payload, the following data must be provided:
85 * - the last sent IKEv2 Message in binary form
86 * - the nonce value received from the other peer
87 * - the ID payload of myself
88 *
89 * @param this authenticator_t object
90 * @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location
91 * @param last_sent_packet binary representation of the last sent IKEv2-Message
92 * @param other_nonce The received nonce (without payload header)
93 * @param my_id_payload The ID payload going to send to other peer
94 * @param initiator Type of myself. TRUE, if I'm original initiator, FALSE otherwise
95
96 * @return
97 * - SUCCESS if authentication data could be computed
98 * - NOT_SUPPORTED if AUTH method not supported
99 * - NOT_FOUND if the data for AUTH method could not be found
100 * - TODO rsa errors!!
101 */
102 status_t (*compute_auth_data) (authenticator_t *this,
103 auth_payload_t **auth_payload,
104 chunk_t last_sent_packet,
105 chunk_t other_nonce,
106 id_payload_t *my_id_payload,
107 bool initiator);
108
109 /**
110 * @brief Destroys a authenticator_t object.
111 *
112 * @param this authenticator_t object
113 */
114 void (*destroy) (authenticator_t *this);
115 };
116
117 /**
118 * @brief Creates an authenticator object.
119 *
120 * @warning: The following functions of the assigned protected_ike_sa_t object
121 * must return a valid value:
122 * - protected_ike_sa_t.get_sa_config
123 * - protected_ike_sa_t.get_prf
124 * - protected_ike_sa_t.get_logger
125 * This preconditions are not given in IKE_SA states INITIATOR_INIT or RESPONDER_INIT!
126 *
127 * @param ike_sa object of type protected_ike_sa_t
128 *
129 * @ingroup sa
130 */
131 authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa);
132
133 #endif //_AUTHENTICATOR_H_