1 /*
2 * Copyright (C) 2006-2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <string.h>
18
19 #include "authenticator.h"
20
21 #include <sa/ikev2/authenticators/pubkey_authenticator.h>
22 #include <sa/ikev2/authenticators/psk_authenticator.h>
23 #include <sa/ikev2/authenticators/eap_authenticator.h>
24 #include <sa/ikev1/authenticators/psk_v1_authenticator.h>
25 #include <sa/ikev1/authenticators/pubkey_v1_authenticator.h>
26 #include <sa/ikev1/authenticators/hybrid_authenticator.h>
27 #include <encoding/payloads/auth_payload.h>
28
29
/*
 * Printable names for auth_method_t, used when logging the auth method
 * negotiated with a peer. The table is declared in several ranges
 * (apparently because the numeric values are not contiguous); each
 * ENUM_NEXT names the previous range's last value so lookups can chain
 * the segments. The string order inside each range must match the
 * value order of the enum exactly.
 */
ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
	"RSA signature",
	"pre-shared key",
	"DSS signature");
/* IKEv2 methods, continuing after AUTH_DSS */
ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_DS, AUTH_DSS,
	"ECDSA-256 signature",
	"ECDSA-384 signature",
	"ECDSA-521 signature",
	"secure password method",
	"NULL authentication",
	"digital signature");
ENUM_NEXT(auth_method_names, AUTH_BLISS, AUTH_BLISS, AUTH_DS,
	"BLISS signature");
/* IKEv1 XAuth / Hybrid variants (see authenticator_create_v1 below) */
ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_BLISS,
	"XAuthInitPSK",
	"XAuthRespPSK",
	"XAuthInitRSA",
	"XauthRespRSA",
	"HybridInitRSA",
	"HybridRespRSA",
);
ENUM_END(auth_method_names, AUTH_HYBRID_RESP_RSA);
52
53 #ifdef USE_IKEV2
54
/**
 * Described in header.
 *
 * Select the IKEv2 AUTH payload builder for our own side from the
 * AUTH_RULE_AUTH_CLASS rule of the local auth_cfg_t: AUTH_CLASS_PSK gives a
 * PSK builder, AUTH_CLASS_EAP an EAP builder, and AUTH_CLASS_PUBKEY as well as
 * AUTH_CLASS_ANY a public key builder. Any other class yields NULL.
 *
 * @param ike_sa			IKE_SA the AUTH payload is built for
 * @param cfg				local auth config providing AUTH_RULE_AUTH_CLASS
 * @param received_nonce	nonce received from the peer
 * @param sent_nonce		nonce we sent (only the EAP builder needs it)
 * @param received_init		IKE_SA_INIT message received (EAP builder only)
 * @param sent_init			IKE_SA_INIT message we sent
 * @param reserved			three reserved bytes forwarded to the concrete
 *							builder (per the header these are the ID payload's
 *							reserved bytes — confirm there)
 * @return					authenticator, NULL if the class is unsupported
 */
authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
									chunk_t received_nonce, chunk_t sent_nonce,
									chunk_t received_init, chunk_t sent_init,
									char reserved[3])
{
	authenticator_t *auth = NULL;
	uintptr_t auth_class;

	/* the rule value is stored as a pointer-sized integer in the auth_cfg */
	auth_class = (uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS);
	switch (auth_class)
	{
		case AUTH_CLASS_PSK:
			auth = (authenticator_t*)psk_authenticator_create_builder(ike_sa,
											received_nonce, sent_init, reserved);
			break;
		case AUTH_CLASS_EAP:
			auth = (authenticator_t*)eap_authenticator_create_builder(ike_sa,
											received_nonce, sent_nonce,
											received_init, sent_init, reserved);
			break;
		case AUTH_CLASS_ANY:
			/* an unspecified class falls back to public key authentication */
		case AUTH_CLASS_PUBKEY:
			auth = (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
											received_nonce, sent_init, reserved);
			break;
		default:
			/* unknown class: leave auth NULL so the caller fails the exchange */
			break;
	}
	return auth;
}
81
/**
 * Described in header.
 *
 * Select the IKEv2 verifier for the peer's authentication. If the message
 * carries no AUTH payload the exchange is treated as EAP and the EAP
 * verifier is returned. Otherwise the auth method announced in the AUTH
 * payload picks the verifier: AUTH_PSK gives a PSK verifier; AUTH_RSA, the
 * three ECDSA methods, AUTH_DS and AUTH_BLISS give a public key verifier.
 *
 * The method value is chosen by the peer, so this selection is the point
 * where unsupported methods get rejected: everything else (including
 * AUTH_DSS, which has a name in auth_method_names but no verifier here)
 * yields NULL, which the caller presumably treats as a failed
 * authentication — confirm in the caller.
 *
 * @param ike_sa			IKE_SA the peer is authenticating for
 * @param message			IKE_AUTH message received from the peer
 * @param received_nonce	nonce received from the peer
 * @param sent_nonce		nonce we sent
 * @param received_init		IKE_SA_INIT message received from the peer
 * @param sent_init			IKE_SA_INIT message we sent
 * @param reserved			three reserved bytes forwarded to the concrete
 *							verifier (ID payload reserved bytes per the header
 *							— confirm there)
 * @return					authenticator, NULL if the method is unsupported
 */
authenticator_t *authenticator_create_verifier(
									ike_sa_t *ike_sa, message_t *message,
									chunk_t received_nonce, chunk_t sent_nonce,
									chunk_t received_init, chunk_t sent_init,
									char reserved[3])
{
	auth_payload_t *payload;
	auth_method_t method;

	payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
	if (!payload)
	{
		/* no AUTH payload: the peer continues with EAP */
		return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
										received_nonce, sent_nonce,
										received_init, sent_init, reserved);
	}

	method = payload->get_auth_method(payload);
	if (method == AUTH_PSK)
	{
		return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
										sent_nonce, received_init, reserved);
	}
	if (method == AUTH_RSA ||
		method == AUTH_ECDSA_256 ||
		method == AUTH_ECDSA_384 ||
		method == AUTH_ECDSA_521 ||
		method == AUTH_DS ||
		method == AUTH_BLISS)
	{
		return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
										sent_nonce, received_init, reserved);
	}
	/* any other method announced by the peer is not supported */
	return NULL;
}
117
118 #endif /* USE_IKEV2 */
119
120 #ifdef USE_IKEV1
121
/**
 * Described in header.
 *
 * Select the IKEv1 authenticator for a given auth method. Plain PSK and the
 * XAuth PSK variants give a PSK authenticator; RSA and the XAuth RSA
 * variants a public key authenticator with KEY_RSA; the ECDSA methods a
 * public key authenticator with KEY_ECDSA; the Hybrid RSA methods the hybrid
 * authenticator. Every other method yields NULL.
 *
 * @param ike_sa		IKE_SA to authenticate
 * @param initiator		TRUE if we are the initiator of the exchange
 * @param auth_method	IKEv1 auth method negotiated with the peer
 * @param dh			DH exchange of the IKE_SA
 * @param dh_value		DH public value
 * @param sa_payload	SA payload exchanged in the first message
 * @param id_payload	ID payload of the authenticating party
 * @return				authenticator, NULL if the method is unsupported
 */
authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
								auth_method_t auth_method, diffie_hellman_t *dh,
								chunk_t dh_value, chunk_t sa_payload,
								chunk_t id_payload)
{
	authenticator_t *auth = NULL;

	switch (auth_method)
	{
		case AUTH_HYBRID_INIT_RSA:
		case AUTH_HYBRID_RESP_RSA:
			auth = (authenticator_t*)hybrid_authenticator_create(ike_sa,
									initiator, dh, dh_value, sa_payload,
									id_payload);
			break;
		case AUTH_ECDSA_256:
		case AUTH_ECDSA_384:
		case AUTH_ECDSA_521:
			auth = (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
									initiator, dh, dh_value, sa_payload,
									id_payload, KEY_ECDSA);
			break;
		case AUTH_RSA:
		case AUTH_XAUTH_INIT_RSA:
		case AUTH_XAUTH_RESP_RSA:
			auth = (authenticator_t*)pubkey_v1_authenticator_create(ike_sa,
									initiator, dh, dh_value, sa_payload,
									id_payload, KEY_RSA);
			break;
		case AUTH_PSK:
		case AUTH_XAUTH_INIT_PSK:
		case AUTH_XAUTH_RESP_PSK:
			/* trailing FALSE: the PSK authenticator is not used in hybrid
			 * mode here (the hybrid_authenticator handles that case) —
			 * confirm the flag's meaning in psk_v1_authenticator.h */
			auth = (authenticator_t*)psk_v1_authenticator_create(ike_sa,
									initiator, dh, dh_value, sa_payload,
									id_payload, FALSE);
			break;
		default:
			/* unsupported method: leave auth NULL */
			break;
	}
	return auth;
}
159
160 #endif /* USE_IKEV1 */