Fixed EAP authentication regression
[strongswan.git] / src / charon / sa / authenticators / authenticator.h
index 54a6b03..c608816 100644 (file)
@@ -1,6 +1,6 @@
 /*
+ * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -13,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
+typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
+#include <config/auth_cfg.h>
 #include <sa/ike_sa.h>
-#include <config/peer_cfg.h>
-#include <encoding/payloads/auth_payload.h>
 
 /**
- * Method to use for authentication.
+ * Method to use for authentication, as defined in IKEv2.
  */
 enum auth_method_t {
        /**
@@ -70,12 +68,6 @@ enum auth_method_t {
         * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
         */
        AUTH_ECDSA_521 = 11,
-       
-       /**
-        * EAP authentication. This value is never negotiated and therefore
-        * a value from private use.
-        */
-       AUTH_EAP = 201,
 };
 
 /**
@@ -84,69 +76,93 @@ enum auth_method_t {
 extern enum_name_t *auth_method_names;
 
 /**
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+       /** any class acceptable */
+       AUTH_CLASS_ANY = 0,
+       /** authentication using public keys (RSA, ECDSA) */
+       AUTH_CLASS_PUBKEY = 1,
+       /** authentication using a pre-shared secrets */
+       AUTH_CLASS_PSK = 2,
+       /** authentication using EAP */
+       AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
+/**
  * Authenticator interface implemented by the various authenticators.
  *
- * Currently the following two AUTH methods are supported:
- *  - shared key message integrity code
- *  - RSA digital signature
- *  - ECDSA is supported using OpenSSL
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
  */
 struct authenticator_t {
 
        /**
-        * Verify a received authentication payload.
-        *
-        * @param ike_sa_init           binary representation of received ike_sa_init
-        * @param my_nonce                      the sent nonce
-        * @param auth_payload          authentication payload to verify
+        * Process an incoming message using the authenticator.
         *
+        * @param message               message containing authentication payloads
         * @return
-        *                                                      - SUCCESS,
-        *                                                      - FAILED if verification failed
-        *                                                      - INVALID_ARG if auth_method does not match
-        *                                                      - NOT_FOUND if credentials not found
+        *                                              - SUCCESS if authentication successful
+        *                                              - FAILED if authentication failed
+        *                                              - NEED_MORE if another exchange required
         */
-       status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
-                                               chunk_t my_nonce, auth_payload_t *auth_payload);
-
+       status_t (*process)(authenticator_t *this, message_t *message);
+       
        /**
-        * Build an authentication payload to send to the other peer.
-        *
-        * @param ike_sa_init           binary representation of sent ike_sa_init
-        * @param other_nonce           the received nonce
-        * @param[out] auth_payload     the resulting authentication payload
+        * Attach authentication data to an outgoing message.
         *
+        * @param message               message to add authentication data to
         * @return
-        *                                                      - SUCCESS,
-        *                                                      - NOT_FOUND if the data for AUTH method could not be found
+        *                                              - SUCCESS if authentication successful
+        *                                              - FAILED if authentication failed
+        *                                              - NEED_MORE if another exchange required
         */
-       status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
-                                          chunk_t other_nonce, auth_payload_t **auth_payload);
-
+       status_t (*build)(authenticator_t *this, message_t *message);
+       
        /**
-        * Destroys a authenticator_t object.
+        * Destroy authenticator instance.
         */
        void (*destroy) (authenticator_t *this);
 };
 
 /**
- * Creates an authenticator for the specified auth method (as configured).
+ * Create an authenticator to build signatures.
  *
- * @param ike_sa               associated ike_sa
- * @param auth_method  authentication method to use for build()/verify()
- *
- * @return                             authenticator_t object
+ * @param ike_sa                       associated ike_sa
+ * @param cfg                          authentication configuration
+ * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
+ * @return                                     authenticator, NULL if not supported
  */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, config_auth_method_t auth_method);
+authenticator_t *authenticator_create_builder(
+                                                                       ike_sa_t *ike_sa, auth_cfg_t *cfg,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
 /**
- * Creates an authenticator from the given auth payload.
- * 
- * @param ike_sa               associated ike_sa
- * @param auth_payload auth payload
+ * Create an authenticator to verify signatures.
  * 
- * @return                             authenticator_t object
+ * @param ike_sa                       associated ike_sa
+ * @param message                      message containing authentication data
+ * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
+ * @return                                     authenticator, NULL if not supported
  */
-authenticator_t *authenticator_create_from_auth_payload(ike_sa_t *ike_sa, auth_payload_t *auth_payload);
+authenticator_t *authenticator_create_verifier(
+                                                                       ike_sa_t *ike_sa, message_t *message,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
-#endif /* AUTHENTICATOR_H_ @} */
+#endif /** AUTHENTICATOR_H_ @}*/
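Review bot: The return documentation added for build() (the three "- SUCCESS if authentication successful / - FAILED if authentication failed / - NEED_MORE if another exchange required" lines) is a verbatim copy of the process() contract, although build() only attaches authentication data to an outgoing message and cannot itself decide that the peer is authenticated; it should state what the builder's results mean, e.g. `- SUCCESS if authentication data has been attached`, `- FAILED if no authentication data could be built`, `- NEED_MORE if the authenticator expects a further exchange`. Since both methods may now return NEED_MORE, the interface comment on struct authenticator_t would benefit from one sentence making the contract explicit, e.g. `The caller must not treat the IKE_SA as authenticated until process() has returned SUCCESS; NEED_MORE and FAILED both mean not (yet) authenticated.` — presumably the task code enforces this, but the header is where implementers of new authenticators will look. Two small typos in the new auth_class_t comments: "wich method is used" should read "which method is used", and "authentication using a pre-shared secrets" should read "authentication using a pre-shared secret".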