added PSK support
[strongswan.git] / src / charon / sa / authenticator.h
1 /**
2 * @file authenticator.h
3 *
4 * @brief Interface of authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef AUTHENTICATOR_H_
25 #define AUTHENTICATOR_H_
26
27 #include <types.h>
28 #include <sa/ike_sa.h>
29 #include <network/packet.h>
30 #include <encoding/payloads/auth_payload.h>
31 #include <encoding/payloads/id_payload.h>
32
33
34 typedef struct authenticator_t authenticator_t;
35
36 /**
37 * @brief Class used to authenticate a peer.
38 *
39 * Currently the following two AUTH methods are supported:
40 * - SHARED_KEY_MESSAGE_INTEGRITY_CODE
41 * - RSA_DIGITAL_SIGNATURE
42 *
43 * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.)
44 * over an internal stored protected_ike_sa_t object or directly from the configuration_t over
45 * the daemon_t object "charon".
46 *
47 * @b Constructors:
48 * - authenticator_create()
49 *
50 * @ingroup sa
51 */
52 struct authenticator_t {
53
54 /**
55 * @brief Verify's given authentication data.
56 *
57 * To verify a received AUTH payload the following data must be provided:
58 * - the last received IKEv2 Message from the other peer in binary form
59 * - the nonce value sent to the other peer
60 * - the ID payload of the other peer
61 *
62 * @param this calling object
63 * @param last_received_packet binary representation of the last received IKEv2-Message
64 * @param my_nonce the sent nonce (without payload header)
65 * @param my_id my ID
66 * @param other_id peer ID
67 * @param initiator type of peer. TRUE, if it is original initiator, FALSE otherwise
68 *
69 * @todo Document RSA error status types
70 *
71 * @return
72 * - SUCCESS if verification successful
73 * - FAILED if verification failed
74 * - NOT_SUPPORTED if AUTH method not supported
75 * - NOT_FOUND if the data for specific AUTH method could not be found
76 * (e.g. shared secret, rsa key)
77 */
78 status_t (*verify_auth_data) (authenticator_t *this,
79 auth_payload_t *auth_payload,
80 chunk_t last_received_packet,
81 chunk_t my_nonce,
82 identification_t *my_id,
83 identification_t *other_id,
84 bool initiator);
85
86 /**
87 * @brief Computes authentication data and creates specific AUTH payload.
88 *
89 * To create an AUTH payload, the following data must be provided:
90 * - the last sent IKEv2 Message in binary form
91 * - the nonce value received from the other peer
92 * - the ID payload of myself
93 *
94 * @param this calling object
95 * @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location
96 * @param last_sent_packet binary representation of the last sent IKEv2-Message
97 * @param other_nonce the received nonce (without payload header)
98 * @param my_id my ID
99 * @param other_id peer ID
100 * @param initiator type of myself. TRUE, if I'm original initiator, FALSE otherwise
101 *
102 * @todo Document RSA error status types
103 *
104 * @return
105 * - SUCCESS if authentication data could be computed
106 * - NOT_SUPPORTED if AUTH method not supported
107 * - NOT_FOUND if the data for AUTH method could not be found
108 */
109 status_t (*compute_auth_data) (authenticator_t *this,
110 auth_payload_t **auth_payload,
111 chunk_t last_sent_packet,
112 chunk_t other_nonce,
113 identification_t *my_id,
114 identification_t *other_id,
115 bool initiator);
116
117 /**
118 * @brief Destroys a authenticator_t object.
119 *
120 * @param this calling object
121 */
122 void (*destroy) (authenticator_t *this);
123 };
124
125 /**
126 * @brief Creates an authenticator object.
127 *
128 * @param ike_sa associated ike_sa
129 * @param auth_method authentication method to use for own signature/mac
130 *
131 * @return authenticator_t object
132 *
133 * @ingroup sa
134 */
135 authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
136
137 #endif /* AUTHENTICATOR_H_ */