1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup authenticator authenticator
22 * @{ @ingroup authenticators
23 */
24
25 #ifndef AUTHENTICATOR_H_
26 #define AUTHENTICATOR_H_
27
/* Forward typedefs come before the includes below: the headers included next
 * (e.g. sa/ike_sa.h, config/peer_cfg.h) reference these names themselves —
 * presumably to break an include cycle; confirm against those headers. */
typedef enum auth_method_t auth_method_t;
typedef enum auth_class_t auth_class_t;
typedef struct authenticator_t authenticator_t;
31
32 #include <library.h>
33 #include <sa/ike_sa.h>
34 #include <config/peer_cfg.h>
35 #include <encoding/payloads/auth_payload.h>
36
37 /**
38 * Method to use for authentication, as defined in IKEv2.
39 */
40 enum auth_method_t {
41 /**
42 * Computed as specified in section 2.15 of RFC using
43 * an RSA private key over a PKCS#1 padded hash.
44 */
45 AUTH_RSA = 1,
46
47 /**
48 * Computed as specified in section 2.15 of RFC using the
49 * shared key associated with the identity in the ID payload
50 * and the negotiated prf function
51 */
52 AUTH_PSK = 2,
53
54 /**
55 * Computed as specified in section 2.15 of RFC using a
56 * DSS private key over a SHA-1 hash.
57 */
58 AUTH_DSS = 3,
59
60 /**
61 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
62 */
63 AUTH_ECDSA_256 = 9,
64
65 /**
66 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
67 */
68 AUTH_ECDSA_384 = 10,
69
70 /**
71 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
72 */
73 AUTH_ECDSA_521 = 11,
74 };
75
/**
 * enum names for auth_method_t (used to print the method in log output).
 *
 * Defined in the corresponding .c file; declared here so other translation
 * units can reference it.
 */
extern enum_name_t *auth_method_names;
80
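/**
 * Class of authentication to use. This is different to auth_method_t in that
 * it does not specify a method, but a class of acceptable methods. The found
 * certificate finally dictates which method is used.
 *
 * Unlike auth_method_t, these values are local configuration only and never
 * appear on the wire.
 */
enum auth_class_t {
	/** authentication using public keys (RSA, ECDSA) */
	AUTH_CLASS_PUBKEY = 1,
	/** authentication using a pre-shared secret */
	AUTH_CLASS_PSK = 2,
	/** authentication using EAP */
	AUTH_CLASS_EAP = 3,
};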
94
/**
 * enum names for auth_class_t (used to print the class in log output).
 *
 * Defined in the corresponding .c file; declared here so other translation
 * units can reference it.
 */
extern enum_name_t *auth_class_names;
99
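/**
 * Authenticator interface implemented by the various authenticators.
 *
 * Currently the following AUTH methods are supported:
 * - shared key message integrity code
 * - RSA digital signature
 * - EAP using the EAP framework and one of the EAP plugins
 * - ECDSA is supported using OpenSSL
 *
 * An instance is bound to one IKE_SA (see the create functions below) and is
 * used for exactly one of the two directions: verify() checks the peer's AUTH
 * payload, build() produces ours.
 */
struct authenticator_t {

	/**
	 * Verify a received authentication payload.
	 *
	 * Per section 2.15 of the IKEv2 RFC the authenticated octets cover the
	 * peer's IKE_SA_INIT message and our nonce, so both inputs have to be the
	 * exact bytes exchanged; any other value makes verification fail.
	 * Callers must treat every status other than SUCCESS as an authentication
	 * failure — none of the error codes is a "retry" hint.
	 *
	 * @param this			calling object
	 * @param ike_sa_init	binary representation of received ike_sa_init
	 * @param my_nonce		the sent nonce
	 * @param auth_payload	authentication payload to verify
	 * @return
	 *						- SUCCESS,
	 *						- FAILED if verification failed
	 *						- INVALID_ARG if auth_method does not match
	 *						  (the method announced in the payload differs from
	 *						  the one this authenticator implements)
	 *						- NOT_FOUND if credentials not found
	 */
	status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
						chunk_t my_nonce, auth_payload_t *auth_payload);

	/**
	 * Build an authentication payload to send to the other peer.
	 *
	 * @param this			calling object
	 * @param ike_sa_init	binary representation of sent ike_sa_init
	 * @param other_nonce	the received nonce
	 * @param auth_payload	the resulting authentication payload; set on
	 *						SUCCESS only. NOTE(review): presumably the caller
	 *						owns and destroys the returned payload — confirm
	 *						with the implementations.
	 * @return
	 *						- SUCCESS,
	 *						- NOT_FOUND if credentials not found
	 */
	status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
					   chunk_t other_nonce, auth_payload_t **auth_payload);

	/**
	 * Destroys a authenticator_t object.
	 *
	 * @param this			calling object
	 */
	void (*destroy) (authenticator_t *this);
};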
144
/**
 * Creates an authenticator for the specified auth class (as configured).
 *
 * This is the local-side constructor: the class comes from our own
 * configuration and the concrete auth_method_t is determined later by the
 * credentials found (see auth_class_t).
 *
 * NOTE(review): the parameter is named "class", a C++ keyword, so this header
 * cannot be included from C++ code as is.
 *
 * @param ike_sa			associated ike_sa
 * @param class				class of authentication to use
 * @return					authenticator_t object. Behaviour for an
 *							unsupported class is not visible here —
 *							presumably NULL; callers should check.
 */
authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
												 auth_class_t class);
154
/**
 * Creates an authenticator for method (as received in payload).
 *
 * This is the remote-side constructor: the method value is taken from the
 * peer's AUTH payload and is therefore untrusted input. Whatever the peer
 * announces, the resulting authenticator only decides *how* to verify; the
 * decision whether that method is acceptable for this peer must still be
 * made against the local configuration by the caller.
 *
 * @param ike_sa			associated ike_sa
 * @param method			method as found in payload
 * @return					authenticator_t object. Handling of an
 *							unrecognised or unsupported method value is not
 *							visible here — presumably NULL; callers must
 *							check before dereferencing.
 */
authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
												  auth_method_t method);
164
165 #endif /* AUTHENTICATOR_H_ @} */