diff options
Diffstat (limited to 'src/charon/sa/authenticator.h')
-rw-r--r-- | src/charon/sa/authenticator.h | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/src/charon/sa/authenticator.h b/src/charon/sa/authenticator.h new file mode 100644 index 000000000..b6bc317ac --- /dev/null +++ b/src/charon/sa/authenticator.h @@ -0,0 +1,138 @@ +/** + * @file authenticator.h + * + * @brief Interface of authenticator_t. + * + */ + +/* + * Copyright (C) 2005 Jan Hutter, Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef AUTHENTICATOR_H_ +#define AUTHENTICATOR_H_ + +#include <types.h> +#include <sa/ike_sa.h> +#include <network/packet.h> +#include <encoding/payloads/auth_payload.h> +#include <encoding/payloads/id_payload.h> + + +typedef struct authenticator_t authenticator_t; + +/** + * @brief Class used to authenticate a peer. + * + * Currently the following two AUTH methods are supported: + * - SHARED_KEY_MESSAGE_INTEGRITY_CODE + * - RSA_DIGITAL_SIGNATURE + * + * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.) + * over an internal stored protected_ike_sa_t object or directly from the configuration_t over + * the daemon_t object "charon". + * + * @b Constructors: + * - authenticator_create() + * + * @ingroup sa + */ +struct authenticator_t { + + /** + * @brief Verify's given authentication data. + * + * To verify a received AUTH payload the following data must be provided: + * - the last received IKEv2 Message from the other peer in binary form + * - the nonce value sent to the other peer + * - the ID payload of the other peer + * + * @param this calling object + * @param last_received_packet binary representation of the last received IKEv2-Message + * @param my_nonce the sent nonce (without payload header) + * @param other_id_payload the ID payload received from other peer + * @param initiator type of other peer. TRUE, if it is original initiator, FALSE otherwise + * + * @todo Document RSA error status types + * + * @return + * - SUCCESS if verification successful + * - FAILED if verification failed + * - NOT_SUPPORTED if AUTH method not supported + * - NOT_FOUND if the data for specific AUTH method could not be found + * (e.g. shared secret, rsa key) + */ + status_t (*verify_auth_data) (authenticator_t *this, + auth_payload_t *auth_payload, + chunk_t last_received_packet, + chunk_t my_nonce, + id_payload_t *other_id_payload, + bool initiator); + + /** + * @brief Computes authentication data and creates specific AUTH payload. + * + * To create an AUTH payload, the following data must be provided: + * - the last sent IKEv2 Message in binary form + * - the nonce value received from the other peer + * - the ID payload of myself + * + * @param this calling object + * @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location + * @param last_sent_packet binary representation of the last sent IKEv2-Message + * @param other_nonce the received nonce (without payload header) + * @param my_id_payload the ID payload going to send to other peer + * @param initiator type of myself. TRUE, if I'm original initiator, FALSE otherwise + * + * @todo Document RSA error status types + * + * @return + * - SUCCESS if authentication data could be computed + * - NOT_SUPPORTED if AUTH method not supported + * - NOT_FOUND if the data for AUTH method could not be found + */ + status_t (*compute_auth_data) (authenticator_t *this, + auth_payload_t **auth_payload, + chunk_t last_sent_packet, + chunk_t other_nonce, + id_payload_t *my_id_payload, + bool initiator); + + /** + * @brief Destroys a authenticator_t object. + * + * @param this calling object + */ + void (*destroy) (authenticator_t *this); +}; + +/** + * @brief Creates an authenticator object. + * + * @warning: The following functions of the assigned protected_ike_sa_t object + * must return a valid value: + * - protected_ike_sa_t.get_policy + * - protected_ike_sa_t.get_prf + * - protected_ike_sa_t.get_logger + * This preconditions are not given in IKE_SA states INITIATOR_INIT or RESPONDER_INIT! + * + * @param ike_sa object of type protected_ike_sa_t + * + * @return authenticator_t object + * + * @ingroup sa + */ +authenticator_t *authenticator_create(protected_ike_sa_t *ike_sa); + +#endif /* AUTHENTICATOR_H_ */ |