Annotation of embedaddon/strongswan/src/libcharon/sa/authenticator.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2008-2018 Tobias Brunner
! 3: * Copyright (C) 2005-2009 Martin Willi
! 4: * Copyright (C) 2005 Jan Hutter
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18: /**
! 19: * @defgroup authenticator authenticator
! 20: * @{ @ingroup sa
! 21: */
! 22:
! 23: #ifndef AUTHENTICATOR_H_
! 24: #define AUTHENTICATOR_H_
! 25:
! 26: typedef enum auth_method_t auth_method_t;
! 27: typedef struct authenticator_t authenticator_t;
! 28:
! 29: #include <library.h>
! 30: #include <credentials/auth_cfg.h>
! 31: #include <sa/ike_sa.h>
! 32:
! 33: /**
! 34: * Method to use for authentication, as defined in IKEv2.
! 35: */
! 36: enum auth_method_t {
! 37:
! 38: /**
! 39: * No authentication used.
! 40: */
! 41: AUTH_NONE = 0,
! 42:
! 43: /**
! 44: * Computed as specified in section 2.15 of RFC using
! 45: * an RSA private key over a PKCS#1 padded hash.
! 46: */
! 47: AUTH_RSA = 1,
! 48:
! 49: /**
! 50: * Computed as specified in section 2.15 of RFC using the
! 51: * shared key associated with the identity in the ID payload
! 52: * and the negotiated prf function
! 53: */
! 54: AUTH_PSK = 2,
! 55:
! 56: /**
! 57: * Computed as specified in section 2.15 of RFC using a
! 58: * DSS private key over a SHA-1 hash.
! 59: */
! 60: AUTH_DSS = 3,
! 61:
! 62: /**
! 63: * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
! 64: */
! 65: AUTH_ECDSA_256 = 9,
! 66:
! 67: /**
! 68: * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
! 69: */
! 70: AUTH_ECDSA_384 = 10,
! 71:
! 72: /**
! 73: * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
! 74: */
! 75: AUTH_ECDSA_521 = 11,
! 76:
! 77: /**
! 78: * Generic Secure Password Authentication Method as specified in RFC 6467
! 79: */
! 80: AUTH_GSPM = 12,
! 81:
! 82: /**
! 83: * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth
! 84: */
! 85: AUTH_NULL = 13,
! 86:
! 87: /**
! 88: * Digital Signature as specified in RFC 7427
! 89: */
! 90: AUTH_DS = 14,
! 91:
! 92: /**
! 93: * IKEv1 initiator XAUTH with PSK, outside of IANA range
! 94: */
! 95: AUTH_XAUTH_INIT_PSK = 256,
! 96:
! 97: /**
! 98: * IKEv1 responder XAUTH with PSK, outside of IANA range
! 99: */
! 100: AUTH_XAUTH_RESP_PSK,
! 101:
! 102: /**
! 103: * IKEv1 initiator XAUTH with RSA, outside of IANA range
! 104: */
! 105: AUTH_XAUTH_INIT_RSA,
! 106:
! 107: /**
! 108: * IKEv1 responder XAUTH with RSA, outside of IANA range
! 109: */
! 110: AUTH_XAUTH_RESP_RSA,
! 111:
! 112: /**
! 113: * IKEv1 initiator XAUTH, responder RSA, outside of IANA range
! 114: */
! 115: AUTH_HYBRID_INIT_RSA,
! 116:
! 117: /**
! 118: * IKEv1 responder XAUTH, initiator RSA, outside of IANA range
! 119: */
! 120: AUTH_HYBRID_RESP_RSA,
! 121: };
! 122:
! 123: /**
! 124: * enum names for auth_method_t.
! 125: */
! 126: extern enum_name_t *auth_method_names;
! 127:
! 128: /**
! 129: * Authenticator interface implemented by the various authenticators.
! 130: *
! 131: * An authenticator implementation handles AUTH and EAP payloads. Received
! 132: * messages are passed to the process() method, to send authentication data
! 133: * the message is passed to the build() method.
! 134: */
! 135: struct authenticator_t {
! 136:
! 137: /**
! 138: * Process an incoming message using the authenticator.
! 139: *
! 140: * @param message message containing authentication payloads
! 141: * @return
! 142: * - SUCCESS if authentication successful
! 143: * - FAILED if authentication failed
! 144: * - NEED_MORE if another exchange required
! 145: */
! 146: status_t (*process)(authenticator_t *this, message_t *message);
! 147:
! 148: /**
! 149: * Attach authentication data to an outgoing message.
! 150: *
! 151: * @param message message to add authentication data to
! 152: * @return
! 153: * - SUCCESS if authentication successful
! 154: * - FAILED if authentication failed
! 155: * - NEED_MORE if another exchange required
! 156: */
! 157: status_t (*build)(authenticator_t *this, message_t *message);
! 158:
! 159: /**
! 160: * Optional method to set a Postquantum Preshared Key (PPK) to be used
! 161: * during authentication.
! 162: *
! 163: * Has to be called before the final call to process()/build().
! 164: *
! 165: * @param ppk PPK to use
! 166: * @param no_ppk_auth whether to add a NO_PPK_AUTH notify in build()
! 167: */
! 168: void (*use_ppk)(authenticator_t *this, chunk_t ppk, bool no_ppk_auth);
! 169:
! 170: /**
! 171: * Check if the authenticator is capable of mutual authentication.
! 172: *
! 173: * Some authenticator authenticate both peers, e.g. EAP. To support
! 174: * mutual authentication with only a single authenticator (EAP-only
! 175: * authentication), it must be mutual. This method is invoked in ike_auth
! 176: * to check if the given authenticator is capable of doing so.
! 177: */
! 178: bool (*is_mutual)(authenticator_t *this);
! 179:
! 180: /**
! 181: * Destroy authenticator instance.
! 182: */
! 183: void (*destroy) (authenticator_t *this);
! 184: };
! 185:
! 186: /**
! 187: * Create an IKEv2 authenticator to build signatures.
! 188: *
! 189: * @param ike_sa associated ike_sa
! 190: * @param cfg authentication configuration
! 191: * @param received_nonce nonce received in IKE_SA_INIT
! 192: * @param sent_nonce nonce sent in IKE_SA_INIT
! 193: * @param received_init received IKE_SA_INIT message data
! 194: * @param sent_init sent IKE_SA_INIT message data
! 195: * @param reserved reserved bytes of the ID payload
! 196: * @return authenticator, NULL if not supported
! 197: */
! 198: authenticator_t *authenticator_create_builder(
! 199: ike_sa_t *ike_sa, auth_cfg_t *cfg,
! 200: chunk_t received_nonce, chunk_t sent_nonce,
! 201: chunk_t received_init, chunk_t sent_init,
! 202: char reserved[3]);
! 203:
! 204: /**
! 205: * Create an IKEv2 authenticator to verify signatures.
! 206: *
! 207: * @param ike_sa associated ike_sa
! 208: * @param message message containing authentication data
! 209: * @param received_nonce nonce received in IKE_SA_INIT
! 210: * @param sent_nonce nonce sent in IKE_SA_INIT
! 211: * @param received_init received IKE_SA_INIT message data
! 212: * @param sent_init sent IKE_SA_INIT message data
! 213: * @param reserved reserved bytes of the ID payload
! 214: * @return authenticator, NULL if not supported
! 215: */
! 216: authenticator_t *authenticator_create_verifier(
! 217: ike_sa_t *ike_sa, message_t *message,
! 218: chunk_t received_nonce, chunk_t sent_nonce,
! 219: chunk_t received_init, chunk_t sent_init,
! 220: char reserved[3]);
! 221:
! 222: /**
! 223: * Create an IKEv1 authenticator to build and verify signatures or hash
! 224: * payloads.
! 225: *
! 226: * @note Due to the fixed ID, these authenticators can only be used in one
! 227: * direction at a time.
! 228: *
! 229: * @param ike_sa associated IKE_SA
! 230: * @param initiator TRUE if we are the IKE_SA initiator
! 231: * @param auth_method negotiated authentication method to use
! 232: * @param dh diffie hellman key exchange
! 233: * @param dh_value others public diffie hellman value
! 234: * @param sa_payload generated SA payload data, without payload header
! 235: * @param id_payload encoded ID payload of peer to authenticate or verify
! 236: * without payload header (gets owned)
! 237: * @return authenticator, NULL if not supported
! 238: */
! 239: authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
! 240: auth_method_t auth_method, diffie_hellman_t *dh,
! 241: chunk_t dh_value, chunk_t sa_payload,
! 242: chunk_t id_payload);
! 243:
! 244: #endif /** AUTHENTICATOR_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>