b1645c21cb38c012dc45776458bdb99ec9372127
[strongswan.git] / src / charon / sa / authenticators / authenticator.h
1 /**
2 * @file authenticator.h
3 *
4 * @brief Interface of authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef AUTHENTICATOR_H_
25 #define AUTHENTICATOR_H_
26
27 typedef enum auth_method_t auth_method_t;
28 typedef struct authenticator_t authenticator_t;
29
30 #include <types.h>
31 #include <sa/ike_sa.h>
32 #include <encoding/payloads/auth_payload.h>
33
34 /**
35 * Method to use for authentication.
36 *
37 * @ingroup authenticator
38 */
39 enum auth_method_t {
40 /**
41 * Computed as specified in section 2.15 of RFC using
42 * an RSA private key over a PKCS#1 padded hash.
43 */
44 AUTH_RSA = 1,
45
46 /**
47 * Computed as specified in section 2.15 of RFC using the
48 * shared key associated with the identity in the ID payload
49 * and the negotiated prf function
50 */
51 AUTH_PSK = 2,
52
53 /**
54 * Computed as specified in section 2.15 of RFC using a
55 * DSS private key over a SHA-1 hash.
56 */
57 AUTH_DSS = 3,
58
59 /**
60 * EAP authentication. This value is never negotiated and therefore
61 * a value from private use.
62 */
63 AUTH_EAP = 201,
64 };
65
66 /**
67 * enum names for auth_method_t.
68 *
69 * @ingroup authenticator
70 */
71 extern enum_name_t *auth_method_names;
72
73 /**
74 * @brief Authenticator interface implemented by the various authenticators.
75 *
76 * Currently the following two AUTH methods are supported:
77 * - shared key message integrity code (AUTH_PSK)
78 * - RSA digital signature (AUTH_RSA)
79 *
80 * @b Constructors:
81 * - authenticator_create()
82 *
83 * @ingroup authenticator
84 */
85 struct authenticator_t {
86
87 /**
88 * @brief Verify a received authentication payload.
89 *
90 * @param this calling object
91 * @param ike_sa_init binary representation of received ike_sa_init
92 * @param my_nonce the sent nonce
93 * @param auth_payload authentication payload to verify
94 *
95 * @return
96 * - SUCCESS,
97 * - FAILED if verification failed
98 * - INVALID_ARG if auth_method does not match
99 * - NOT_FOUND if credentials not found
100 */
101 status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
102 chunk_t my_nonce, auth_payload_t *auth_payload);
103
104 /**
105 * @brief Build an authentication payload to send to the other peer.
106 *
107 * @param this calling object
108 * @param ike_sa_init binary representation of sent ike_sa_init
109 * @param other_nonce the received nonce
110 * @param[out] auth_payload the resulting authentication payload
111 *
112 * @return
113 * - SUCCESS,
114 * - NOT_FOUND if the data for AUTH method could not be found
115 */
116 status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
117 chunk_t other_nonce, auth_payload_t **auth_payload);
118
119 /**
120 * @brief Destroys a authenticator_t object.
121 *
122 * @param this calling object
123 */
124 void (*destroy) (authenticator_t *this);
125 };
126
127 /**
128 * @brief Creates an authenticator for the specified auth method.
129 *
130 * @param ike_sa associated ike_sa
131 * @param auth_method authentication method to use for build()/verify()
132 *
133 * @return authenticator_t object
134 *
135 * @ingroup sa
136 */
137 authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
138
139 #endif /* AUTHENTICATOR_H_ */