merged multi-auth branch back into trunk
[strongswan.git] / src / charon / sa / authenticators / authenticator.h
1 /*
2 * Copyright (C) 2005-2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup authenticator authenticator
22 * @{ @ingroup authenticators
23 */
24
25 #ifndef AUTHENTICATOR_H_
26 #define AUTHENTICATOR_H_
27
28 typedef enum auth_method_t auth_method_t;
29 typedef enum auth_class_t auth_class_t;
30 typedef struct authenticator_t authenticator_t;
31
32 #include <library.h>
33 #include <config/auth_cfg.h>
34 #include <sa/ike_sa.h>
35
36 /**
37 * Method to use for authentication, as defined in IKEv2.
38 */
39 enum auth_method_t {
40 /**
41 * Computed as specified in section 2.15 of RFC using
42 * an RSA private key over a PKCS#1 padded hash.
43 */
44 AUTH_RSA = 1,
45
46 /**
47 * Computed as specified in section 2.15 of RFC using the
48 * shared key associated with the identity in the ID payload
49 * and the negotiated prf function
50 */
51 AUTH_PSK = 2,
52
53 /**
54 * Computed as specified in section 2.15 of RFC using a
55 * DSS private key over a SHA-1 hash.
56 */
57 AUTH_DSS = 3,
58
59 /**
60 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
61 */
62 AUTH_ECDSA_256 = 9,
63
64 /**
65 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
66 */
67 AUTH_ECDSA_384 = 10,
68
69 /**
70 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
71 */
72 AUTH_ECDSA_521 = 11,
73 };
74
75 /**
76 * enum names for auth_method_t.
77 */
78 extern enum_name_t *auth_method_names;
79
80 /**
81 * Class of authentication to use. This is different to auth_method_t in that
82 * it does not specify a method, but a class of acceptable methods. The found
83 * certificate finally dictates wich method is used.
84 */
85 enum auth_class_t {
86 /** any class acceptable */
87 AUTH_CLASS_ANY = 0,
88 /** authentication using public keys (RSA, ECDSA) */
89 AUTH_CLASS_PUBKEY = 1,
90 /** authentication using a pre-shared secrets */
91 AUTH_CLASS_PSK = 2,
92 /** authentication using EAP */
93 AUTH_CLASS_EAP = 3,
94 };
95
96 /**
97 * enum strings for auth_class_t
98 */
99 extern enum_name_t *auth_class_names;
100
101 /**
102 * Authenticator interface implemented by the various authenticators.
103 *
104 * An authenticator implementation handles AUTH and EAP payloads. Received
105 * messages are passed to the process() method, to send authentication data
106 * the message is passed to the build() method.
107 */
108 struct authenticator_t {
109
110 /**
111 * Process an incoming message using the authenticator.
112 *
113 * @param message message containing authentication payloads
114 * @return
115 * - SUCCESS if authentication successful
116 * - FAILED if authentication failed
117 * - NEED_MORE if another exchange required
118 */
119 status_t (*process)(authenticator_t *this, message_t *message);
120
121 /**
122 * Attach authentication data to an outgoing message.
123 *
124 * @param message message to add authentication data to
125 * @return
126 * - SUCCESS if authentication successful
127 * - FAILED if authentication failed
128 * - NEED_MORE if another exchange required
129 */
130 status_t (*build)(authenticator_t *this, message_t *message);
131
132 /**
133 * Destroy authenticator instance.
134 */
135 void (*destroy) (authenticator_t *this);
136 };
137
138 /**
139 * Create an authenticator to build signatures.
140 *
141 * @param ike_sa associated ike_sa
142 * @param cfg authentication configuration
143 * @param received_nonce nonce received in IKE_SA_INIT
144 * @param sent_init sent IKE_SA_INIT message data
145 * @return authenticator, NULL if not supported
146 */
147 authenticator_t *authenticator_create_builder(
148 ike_sa_t *ike_sa, auth_cfg_t *cfg,
149 chunk_t received_nonce, chunk_t sent_init);
150
151 /**
152 * Create an authenticator to verify signatures.
153 *
154 * @param ike_sa associated ike_sa
155 * @param message message containing authentication data
156 * @param sent_nonce nonce sent in IKE_SA_INIT
157 * @param received_init received IKE_SA_INIT message data
158 * @return authenticator, NULL if not supported
159 */
160 authenticator_t *authenticator_create_verifier(
161 ike_sa_t *ike_sa, message_t *message,
162 chunk_t sent_nonce, chunk_t received_init);
163
164 #endif /** AUTHENTICATOR_H_ @}*/