Fixed EAP authentication regression
[strongswan.git] / src / charon / sa / authenticators / authenticator.h
index 9d37a06..c608816 100644 (file)
@@ -1,12 +1,6 @@
-/**
- * @file authenticator.h
- *
- * @brief Interface of authenticator_t.
- *
- */
-
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
  * for more details.
  */
 
+/**
+ * @defgroup authenticator authenticator
+ * @{ @ingroup authenticators
+ */
+
 #ifndef AUTHENTICATOR_H_
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
+typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
+#include <config/auth_cfg.h>
 #include <sa/ike_sa.h>
-#include <encoding/payloads/auth_payload.h>
 
 /**
- * Method to use for authentication.
- *
- * @ingroup authenticator
+ * Method to use for authentication, as defined in IKEv2.
  */
 enum auth_method_t {
        /**
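Review bot: The include block drops `encoding/payloads/auth_payload.h` and adds `config/auth_cfg.h`, but the new `process()`/`build()` prototypes and `authenticator_create_verifier()` further down now take `message_t *`, and no header declaring `message_t` is added here. If `sa/ike_sa.h` does not already bring it in (I cannot tell from this hunk), the header stops being self-contained and only compiles when the including file happens to pull the message header in first; adding the matching `#include <encoding/message.h>`-style include next to `sa/ike_sa.h` would make that explicit. The `auth_class_t` forward typedef is consistent with the enum defined in the second hunk.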
@@ -57,83 +55,114 @@ enum auth_method_t {
        AUTH_DSS = 3,
        
        /**
-        * EAP authentication. This value is never negotiated and therefore
-        * a value from private use.
+        * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
         */
-       AUTH_EAP = 201,
+       AUTH_ECDSA_256 = 9,
+       
+       /**
+        * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
+        */
+       AUTH_ECDSA_384 = 10,
+       
+       /**
+        * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
+        */
+       AUTH_ECDSA_521 = 11,
 };
 
 /**
  * enum names for auth_method_t.
- *
- * @ingroup authenticator
  */
 extern enum_name_t *auth_method_names;
 
 /**
- * @brief Authenticator interface implemented by the various authenticators.
- *
- * Currently the following two AUTH methods are supported:
- *  - shared key message integrity code (AUTH_PSK)
- *  - RSA digital signature (AUTH_RSA)
- *
- * @b Constructors:
- *  - authenticator_create()
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+       /** any class acceptable */
+       AUTH_CLASS_ANY = 0,
+       /** authentication using public keys (RSA, ECDSA) */
+       AUTH_CLASS_PUBKEY = 1,
+       /** authentication using a pre-shared secrets */
+       AUTH_CLASS_PSK = 2,
+       /** authentication using EAP */
+       AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
+/**
+ * Authenticator interface implemented by the various authenticators.
  *
- * @ingroup authenticator
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
  */
 struct authenticator_t {
 
        /**
-        * @brief Verify a received authentication payload.
-        *
-        * @param this                          calling object
-        * @param ike_sa_init           binary representation of received ike_sa_init
-        * @param my_nonce                      the sent nonce
-        * @param auth_payload          authentication payload to verify
+        * Process an incoming message using the authenticator.
         *
+        * @param message               message containing authentication payloads
         * @return
-        *                                                      - SUCCESS,
-        *                                                      - FAILED if verification failed
-        *                                                      - INVALID_ARG if auth_method does not match
-        *                                                      - NOT_FOUND if credentials not found
+        *                                              - SUCCESS if authentication successful
+        *                                              - FAILED if authentication failed
+        *                                              - NEED_MORE if another exchange required
         */
-       status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
-                                               chunk_t my_nonce, auth_payload_t *auth_payload);
-
+       status_t (*process)(authenticator_t *this, message_t *message);
+       
        /**
-        * @brief Build an authentication payload to send to the other peer.
-        *
-        * @param this                          calling object
-        * @param ike_sa_init           binary representation of sent ike_sa_init
-        * @param other_nonce           the received nonce
-        * @param[out] auth_payload     the resulting authentication payload
+        * Attach authentication data to an outgoing message.
         *
+        * @param message               message to add authentication data to
         * @return
-        *                                                      - SUCCESS,
-        *                                                      - NOT_FOUND if the data for AUTH method could not be found
+        *                                              - SUCCESS if authentication successful
+        *                                              - FAILED if authentication failed
+        *                                              - NEED_MORE if another exchange required
         */
-       status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
-                                          chunk_t other_nonce, auth_payload_t **auth_payload);
-
+       status_t (*build)(authenticator_t *this, message_t *message);
+       
        /**
-        * @brief Destroys a authenticator_t object.
-        *
-        * @param this                          calling object
+        * Destroy authenticator instance.
         */
        void (*destroy) (authenticator_t *this);
 };
 
 /**
- * @brief Creates an authenticator for the specified auth method.
- *
- * @param ike_sa               associated ike_sa
- * @param auth_method  authentication method to use for build()/verify()
+ * Create an authenticator to build signatures.
  *
- * @return                             authenticator_t object
- *
- * @ingroup sa
+ * @param ike_sa                       associated ike_sa
+ * @param cfg                          authentication configuration
+ * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
+ * @return                                     authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_builder(
+                                                                       ike_sa_t *ike_sa, auth_cfg_t *cfg,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify signatures.
+ * 
+ * @param ike_sa                       associated ike_sa
+ * @param message                      message containing authentication data
+ * @param received_nonce       nonce received in IKE_SA_INIT
+ * @param sent_nonce           nonce sent in IKE_SA_INIT
+ * @param received_init                received IKE_SA_INIT message data
+ * @param sent_init                    sent IKE_SA_INIT message data
+ * @return                                     authenticator, NULL if not supported
  */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
+authenticator_t *authenticator_create_verifier(
+                                                                       ike_sa_t *ike_sa, message_t *message,
+                                                                       chunk_t received_nonce, chunk_t sent_nonce,
+                                                                       chunk_t received_init, chunk_t sent_init);
 
-#endif /* AUTHENTICATOR_H_ */
+#endif /** AUTHENTICATOR_H_ @}*/
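Review bot: The `@return` list on `build()` (the lines after `Attach authentication data to an outgoing message.`) is a verbatim copy of the one on `process()` and describes verification outcomes, so it no longer says what `build()` reports when no authentication data can be produced, a case the removed doc covered with NOT_FOUND; something like `- FAILED if the authentication data could not be built (e.g. no usable credentials)` would restore that contract, hedged to whatever the implementations actually return. Likewise, `authenticator_create_verifier()`'s `@return authenticator, NULL if not supported` should spell out the caller's obligation, presumably that an unsupported method in the peer's AUTH payload ends the exchange as an authentication failure rather than being skipped, if that is the intended contract. Two typos in the new doc: `wich` in the `auth_class_t` description should be `which`, and `authentication using a pre-shared secrets` should be `authentication using a pre-shared secret`.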