merged the modularization branch (credentials) back to trunk
1 /*
2 * Copyright (C) 2005-2006 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 /**
20 * @defgroup authenticator authenticator
21 * @{ @ingroup authenticators
22 */
23
24 #ifndef AUTHENTICATOR_H_
25 #define AUTHENTICATOR_H_
26
/* Forward typedefs placed before the includes below, presumably so that
 * the included headers (ike_sa.h, auth_payload.h) can refer to these types
 * before their definitions later in this file — confirm against those headers. */
typedef enum auth_method_t auth_method_t;
typedef struct authenticator_t authenticator_t;
29
30 #include <library.h>
31 #include <sa/ike_sa.h>
32 #include <encoding/payloads/auth_payload.h>
33
/**
 * Method to use for authentication.
 *
 * The values 1-3 are the IKEv2 AUTH method identifiers (RFC 4306,
 * section 2.15 and the Authentication Method registry); they are
 * exchanged with the peer in the AUTH payload. AUTH_EAP is a local marker
 * taken from the private-use range and is never sent on the wire.
 */
enum auth_method_t {
	/**
	 * RSA digital signature: computed as specified in section 2.15 of
	 * RFC 4306 (IKEv2) using an RSA private key over a PKCS#1 padded hash.
	 */
	AUTH_RSA = 1,

	/**
	 * Shared key message integrity code: computed as specified in
	 * section 2.15 of RFC 4306 using the shared key associated with the
	 * identity in the ID payload and the negotiated prf function.
	 */
	AUTH_PSK = 2,

	/**
	 * DSS digital signature: computed as specified in section 2.15 of
	 * RFC 4306 using a DSS private key over a SHA-1 hash.
	 */
	AUTH_DSS = 3,

	/**
	 * EAP authentication. This value is never negotiated with the peer
	 * and is therefore taken from the private-use range (201-255) of the
	 * IKEv2 Authentication Method registry.
	 */
	AUTH_EAP = 201,
};
63
/**
 * Human-readable enum names for auth_method_t (for logging/diagnostics).
 *
 * Declared extern here; the table itself is defined elsewhere.
 */
extern enum_name_t *auth_method_names;
68
/**
 * Authenticator interface implemented by the various authenticators.
 *
 * Currently the following two AUTH methods are supported:
 * - shared key message integrity code (AUTH_PSK)
 * - RSA digital signature (AUTH_RSA)
 *
 * NOTE(review): auth_method_t also defines AUTH_DSS and AUTH_EAP; which of
 * those authenticator_create() actually instantiates is not visible from
 * this header — confirm against the implementation and keep this list in
 * sync.
 */
struct authenticator_t {

	/**
	 * Verify a received authentication payload.
	 *
	 * The inputs are the peer's side of the IKE_SA_INIT exchange and our
	 * own nonce, i.e. the octets the peer signed/MAC'd according to
	 * RFC 4306 section 2.15.
	 *
	 * @param this			calling object
	 * @param ike_sa_init	binary representation of received ike_sa_init
	 * @param my_nonce		the sent nonce
	 * @param auth_payload	authentication payload to verify
	 *
	 * @return
	 * 						- SUCCESS,
	 * 						- FAILED if verification failed
	 * 						- INVALID_ARG if auth_method does not match
	 * 						- NOT_FOUND if credentials not found
	 *
	 * Every status other than SUCCESS means the peer is NOT authenticated;
	 * the distinct codes exist to explain why, not to offer a softer
	 * outcome. NOTE(review): confirm callers do not continue the IKE_SA
	 * setup on NOT_FOUND / INVALID_ARG.
	 */
	status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
						chunk_t my_nonce, auth_payload_t *auth_payload);

	/**
	 * Build an authentication payload to send to the other peer.
	 *
	 * @param this			calling object
	 * @param ike_sa_init	binary representation of sent ike_sa_init
	 * @param other_nonce	the received nonce
	 * @param[out] auth_payload	the resulting authentication payload
	 * 						(presumably owned by the caller on SUCCESS —
	 * 						TODO confirm who destroys it)
	 *
	 * @return
	 * 						- SUCCESS,
	 * 						- NOT_FOUND if the data for AUTH method could not be found
	 */
	status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
					   chunk_t other_nonce, auth_payload_t **auth_payload);

	/**
	 * Destroys an authenticator_t object.
	 *
	 * @param this			calling object
	 */
	void (*destroy) (authenticator_t *this);
};
113
/**
 * Creates an authenticator for the specified auth method.
 *
 * @param ike_sa		associated ike_sa
 * @param auth_method	authentication method to use for build()/verify()
 *
 * @return				authenticator_t object, released via destroy().
 * 						NOTE(review): whether NULL is returned for an
 * 						unsupported auth_method is not visible here —
 * 						callers should check before dereferencing.
 */
authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
123
124 #endif /* AUTHENTICATOR_H_ @} */