X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=blobdiff_plain;f=src%2Fcharon%2Fsa%2Fauthenticators%2Fauthenticator.h;h=c60881629a58ecd97ea4694b0303994ebf0ed708;hp=d0286be3e6642a3aea30cd78c397cf76cdd0959d;hb=25f2d52f30b3a028882355c875966354d3eeedee;hpb=552cc11b1f017ce4962fca741f567d098f768574
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index d0286be..c608816 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -12,8 +13,6 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
- *
- * $Id$
  */
 
 /**
@@ -25,14 +24,15 @@
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
+typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include
+#include
 #include
-#include
 
 /**
- * Method to use for authentication.
+ * Method to use for authentication, as defined in IKEv2.
  */
 enum auth_method_t {
 /**
@@ -55,10 +55,19 @@ enum auth_method_t {
 AUTH_DSS = 3,
 
 /**
- * EAP authentication. This value is never negotiated and therefore
- * a value from private use.
+ * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
+ */
+ AUTH_ECDSA_256 = 9,
+
+ /**
+ * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
+ */
+ AUTH_ECDSA_384 = 10,
+
+ /**
+ * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
 */
- AUTH_EAP = 201,
+ AUTH_ECDSA_521 = 11,
 };
 
 /**
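Review bot: AUTH_ECDSA_256 = 9 now follows AUTH_DSS = 3 directly, so auth_method_t has a hole at 4–8 and no longer carries the private-use AUTH_EAP = 201; the `extern enum_name_t *auth_method_names` table declared in the next hunk is defined outside this header and has to describe that gap explicitly, otherwise name lookups for a received method value in 4–8 may resolve wrongly — I cannot verify the table from this page. A short comment on the enum would make that dependency visible to whoever maintains the table, e.g. `/* 4-8 carry no member; keep auth_method_names in sync with these values */`. EAP appears to move to auth_class_t (AUTH_CLASS_EAP) in the following hunk, which is worth saying where AUTH_EAP used to be so the removal does not read as accidental.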
@@ -67,58 +76,93 @@ enum auth_method_t {
 extern enum_name_t *auth_method_names;
 
 /**
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+ /** any class acceptable */
+ AUTH_CLASS_ANY = 0,
+ /** authentication using public keys (RSA, ECDSA) */
+ AUTH_CLASS_PUBKEY = 1,
+ /** authentication using a pre-shared secrets */
+ AUTH_CLASS_PSK = 2,
+ /** authentication using EAP */
+ AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
+/**
+ * Authenticator interface implemented by the various authenticators.
+ *
- * Currently the following two AUTH methods are supported:
- * - shared key message integrity code (AUTH_PSK)
- * - RSA digital signature (AUTH_RSA)
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
+ */
 struct authenticator_t {
 
 /**
- * Verify a received authentication payload.
- *
- * @param ike_sa_init binary representation of received ike_sa_init
- * @param my_nonce the sent nonce
- * @param auth_payload authentication payload to verify
+ * Process an incoming message using the authenticator.
+ *
+ * @param message message containing authentication payloads
+ * @return
- * - SUCCESS,
- * - FAILED if verification failed
- * - INVALID_ARG if auth_method does not match
- * - NOT_FOUND if credentials not found
+ * - SUCCESS if authentication successful
+ * - FAILED if authentication failed
+ * - NEED_MORE if another exchange required
+ */
- status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload);
-
+ status_t (*process)(authenticator_t *this, message_t *message);
+
 /**
- * Build an authentication payload to send to the other peer.
- *
- * @param ike_sa_init binary representation of sent ike_sa_init
- * @param other_nonce the received nonce
- * @param[out] auth_payload the resulting authentication payload
+ * Attach authentication data to an outgoing message.
+ *
+ * @param message message to add authentication data to
+ * @return
- * - SUCCESS,
- * - NOT_FOUND if the data for AUTH method could not be found
+ * - SUCCESS if authentication successful
+ * - FAILED if authentication failed
+ * - NEED_MORE if another exchange required
+ */
- status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload);
-
+ status_t (*build)(authenticator_t *this, message_t *message);
+
 /**
- * Destroys a authenticator_t object.
+ * Destroy authenticator instance.
 */
 void (*destroy) (authenticator_t *this);
 };
 
 /**
- * Creates an authenticator for the specified auth method.
- *
- * @param ike_sa associated ike_sa
- * @param auth_method authentication method to use for build()/verify()
+ * Create an authenticator to build signatures.
- *
- * @return authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param cfg authentication configuration
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return authenticator, NULL if not supported
+ */
+authenticator_t *authenticator_create_builder(
+ ike_sa_t *ike_sa, auth_cfg_t *cfg,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify signatures.
+ *
+ * @param ike_sa associated ike_sa
+ * @param message message containing authentication data
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return authenticator, NULL if not supported
 */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
+authenticator_t *authenticator_create_verifier(
+ ike_sa_t *ike_sa, message_t *message,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
 
-#endif /* AUTHENTICATOR_H_ @} */
+#endif /** AUTHENTICATOR_H_ @}*/
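Review bot: authenticator_create_verifier() takes no auth_cfg_t, so on the verifying side the authentication method is selected by the peer's AUTH payload in `message`, while the builder is driven by `cfg`; the header does not say whether the verifier or its caller checks the peer's chosen method and presented credential against the locally configured auth_class_t, and that contract is what stops a peer from being accepted with a weaker class than configured. I would state it on the factory declaration, e.g. `@note the peer selects the AUTH method; the result must still be matched against the local auth_cfg_t constraints`, worded to name whichever side actually performs that check. Both factories take the nonce and IKE_SA_INIT chunks by value without saying whether the authenticator copies them or keeps references for its lifetime; one line on ownership would prevent dangling-chunk bugs at the call sites. The build() @return text reuses "SUCCESS if authentication successful", which reads oddly for a method that only attaches data, and the auth_class_t comment has "wich" for "which" and "a pre-shared secrets".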