ECDSA with OpenSSL
[strongswan.git] / src / charon / sa / authenticators / authenticator.h
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup authenticator authenticator
22 * @{ @ingroup authenticators
23 */
24
25 #ifndef AUTHENTICATOR_H_
26 #define AUTHENTICATOR_H_
27
28 typedef enum auth_method_t auth_method_t;
29 typedef struct authenticator_t authenticator_t;
30
31 #include <library.h>
32 #include <sa/ike_sa.h>
33 #include <config/peer_cfg.h>
34 #include <encoding/payloads/auth_payload.h>
35
36 /**
37 * Method to use for authentication.
38 */
39 enum auth_method_t {
40 /**
41 * Computed as specified in section 2.15 of RFC using
42 * an RSA private key over a PKCS#1 padded hash.
43 */
44 AUTH_RSA = 1,
45
46 /**
47 * Computed as specified in section 2.15 of RFC using the
48 * shared key associated with the identity in the ID payload
49 * and the negotiated prf function
50 */
51 AUTH_PSK = 2,
52
53 /**
54 * Computed as specified in section 2.15 of RFC using a
55 * DSS private key over a SHA-1 hash.
56 */
57 AUTH_DSS = 3,
58
59 /**
60 * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
61 */
62 AUTH_ECDSA_256 = 9,
63
64 /**
65 * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
66 */
67 AUTH_ECDSA_384 = 10,
68
69 /**
70 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
71 */
72 AUTH_ECDSA_521 = 11,
73
74 /**
75 * EAP authentication. This value is never negotiated and therefore
76 * a value from private use.
77 */
78 AUTH_EAP = 201,
79 };
80
81 /**
82 * enum names for auth_method_t.
83 */
84 extern enum_name_t *auth_method_names;
85
86 /**
87 * Authenticator interface implemented by the various authenticators.
88 *
89 * Currently the following two AUTH methods are supported:
90 * - shared key message integrity code
91 * - RSA digital signature
92 * - ECDSA is supported using OpenSSL
93 */
94 struct authenticator_t {
95
96 /**
97 * Verify a received authentication payload.
98 *
99 * @param ike_sa_init binary representation of received ike_sa_init
100 * @param my_nonce the sent nonce
101 * @param auth_payload authentication payload to verify
102 *
103 * @return
104 * - SUCCESS,
105 * - FAILED if verification failed
106 * - INVALID_ARG if auth_method does not match
107 * - NOT_FOUND if credentials not found
108 */
109 status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
110 chunk_t my_nonce, auth_payload_t *auth_payload);
111
112 /**
113 * Build an authentication payload to send to the other peer.
114 *
115 * @param ike_sa_init binary representation of sent ike_sa_init
116 * @param other_nonce the received nonce
117 * @param[out] auth_payload the resulting authentication payload
118 *
119 * @return
120 * - SUCCESS,
121 * - NOT_FOUND if the data for AUTH method could not be found
122 */
123 status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
124 chunk_t other_nonce, auth_payload_t **auth_payload);
125
126 /**
127 * Destroys a authenticator_t object.
128 */
129 void (*destroy) (authenticator_t *this);
130 };
131
132 /**
133 * Creates an authenticator for the specified auth method (as configured).
134 *
135 * @param ike_sa associated ike_sa
136 * @param auth_method authentication method to use for build()/verify()
137 *
138 * @return authenticator_t object
139 */
140 authenticator_t *authenticator_create(ike_sa_t *ike_sa, config_auth_method_t auth_method);
141
142 /**
143 * Creates an authenticator from the given auth payload.
144 *
145 * @param ike_sa associated ike_sa
146 * @param auth_payload auth payload
147 *
148 * @return authenticator_t object
149 */
150 authenticator_t *authenticator_create_from_auth_payload(ike_sa_t *ike_sa, auth_payload_t *auth_payload);
151
152 #endif /* AUTHENTICATOR_H_ @} */