Annotation of embedaddon/strongswan/src/libcharon/sa/authenticator.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2008-2018 Tobias Brunner
3: * Copyright (C) 2005-2009 Martin Willi
4: * Copyright (C) 2005 Jan Hutter
5: * HSR Hochschule fuer Technik Rapperswil
6: *
7: * This program is free software; you can redistribute it and/or modify it
8: * under the terms of the GNU General Public License as published by the
9: * Free Software Foundation; either version 2 of the License, or (at your
10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11: *
12: * This program is distributed in the hope that it will be useful, but
13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15: * for more details.
16: */
17:
18: /**
19: * @defgroup authenticator authenticator
20: * @{ @ingroup sa
21: */
22:
23: #ifndef AUTHENTICATOR_H_
24: #define AUTHENTICATOR_H_
25:
26: typedef enum auth_method_t auth_method_t;
27: typedef struct authenticator_t authenticator_t;
28:
29: #include <library.h>
30: #include <credentials/auth_cfg.h>
31: #include <sa/ike_sa.h>
32:
33: /**
34: * Method to use for authentication, as defined in IKEv2.
35: */
36: enum auth_method_t {
37:
38: /**
39: * No authentication used.
40: */
41: AUTH_NONE = 0,
42:
43: /**
44: * Computed as specified in section 2.15 of RFC using
45: * an RSA private key over a PKCS#1 padded hash.
46: */
47: AUTH_RSA = 1,
48:
49: /**
50: * Computed as specified in section 2.15 of RFC using the
51: * shared key associated with the identity in the ID payload
52: * and the negotiated prf function
53: */
54: AUTH_PSK = 2,
55:
56: /**
57: * Computed as specified in section 2.15 of RFC using a
58: * DSS private key over a SHA-1 hash.
59: */
60: AUTH_DSS = 3,
61:
62: /**
63: * ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
64: */
65: AUTH_ECDSA_256 = 9,
66:
67: /**
68: * ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
69: */
70: AUTH_ECDSA_384 = 10,
71:
72: /**
73: * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
74: */
75: AUTH_ECDSA_521 = 11,
76:
77: /**
78: * Generic Secure Password Authentication Method as specified in RFC 6467
79: */
80: AUTH_GSPM = 12,
81:
82: /**
83: * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth
84: */
85: AUTH_NULL = 13,
86:
87: /**
88: * Digital Signature as specified in RFC 7427
89: */
90: AUTH_DS = 14,
91:
92: /**
93: * IKEv1 initiator XAUTH with PSK, outside of IANA range
94: */
95: AUTH_XAUTH_INIT_PSK = 256,
96:
97: /**
98: * IKEv1 responder XAUTH with PSK, outside of IANA range
99: */
100: AUTH_XAUTH_RESP_PSK,
101:
102: /**
103: * IKEv1 initiator XAUTH with RSA, outside of IANA range
104: */
105: AUTH_XAUTH_INIT_RSA,
106:
107: /**
108: * IKEv1 responder XAUTH with RSA, outside of IANA range
109: */
110: AUTH_XAUTH_RESP_RSA,
111:
112: /**
113: * IKEv1 initiator XAUTH, responder RSA, outside of IANA range
114: */
115: AUTH_HYBRID_INIT_RSA,
116:
117: /**
118: * IKEv1 responder XAUTH, initiator RSA, outside of IANA range
119: */
120: AUTH_HYBRID_RESP_RSA,
121: };
122:
123: /**
124: * enum names for auth_method_t.
125: */
126: extern enum_name_t *auth_method_names;
127:
128: /**
129: * Authenticator interface implemented by the various authenticators.
130: *
131: * An authenticator implementation handles AUTH and EAP payloads. Received
132: * messages are passed to the process() method, to send authentication data
133: * the message is passed to the build() method.
134: */
135: struct authenticator_t {
136:
137: /**
138: * Process an incoming message using the authenticator.
139: *
140: * @param message message containing authentication payloads
141: * @return
142: * - SUCCESS if authentication successful
143: * - FAILED if authentication failed
144: * - NEED_MORE if another exchange required
145: */
146: status_t (*process)(authenticator_t *this, message_t *message);
147:
148: /**
149: * Attach authentication data to an outgoing message.
150: *
151: * @param message message to add authentication data to
152: * @return
153: * - SUCCESS if authentication successful
154: * - FAILED if authentication failed
155: * - NEED_MORE if another exchange required
156: */
157: status_t (*build)(authenticator_t *this, message_t *message);
158:
159: /**
160: * Optional method to set a Postquantum Preshared Key (PPK) to be used
161: * during authentication.
162: *
163: * Has to be called before the final call to process()/build().
164: *
165: * @param ppk PPK to use
166: * @param no_ppk_auth whether to add a NO_PPK_AUTH notify in build()
167: */
168: void (*use_ppk)(authenticator_t *this, chunk_t ppk, bool no_ppk_auth);
169:
170: /**
171: * Check if the authenticator is capable of mutual authentication.
172: *
173: * Some authenticator authenticate both peers, e.g. EAP. To support
174: * mutual authentication with only a single authenticator (EAP-only
175: * authentication), it must be mutual. This method is invoked in ike_auth
176: * to check if the given authenticator is capable of doing so.
177: */
178: bool (*is_mutual)(authenticator_t *this);
179:
180: /**
181: * Destroy authenticator instance.
182: */
183: void (*destroy) (authenticator_t *this);
184: };
185:
186: /**
187: * Create an IKEv2 authenticator to build signatures.
188: *
189: * @param ike_sa associated ike_sa
190: * @param cfg authentication configuration
191: * @param received_nonce nonce received in IKE_SA_INIT
192: * @param sent_nonce nonce sent in IKE_SA_INIT
193: * @param received_init received IKE_SA_INIT message data
194: * @param sent_init sent IKE_SA_INIT message data
195: * @param reserved reserved bytes of the ID payload
196: * @return authenticator, NULL if not supported
197: */
198: authenticator_t *authenticator_create_builder(
199: ike_sa_t *ike_sa, auth_cfg_t *cfg,
200: chunk_t received_nonce, chunk_t sent_nonce,
201: chunk_t received_init, chunk_t sent_init,
202: char reserved[3]);
203:
204: /**
205: * Create an IKEv2 authenticator to verify signatures.
206: *
207: * @param ike_sa associated ike_sa
208: * @param message message containing authentication data
209: * @param received_nonce nonce received in IKE_SA_INIT
210: * @param sent_nonce nonce sent in IKE_SA_INIT
211: * @param received_init received IKE_SA_INIT message data
212: * @param sent_init sent IKE_SA_INIT message data
213: * @param reserved reserved bytes of the ID payload
214: * @return authenticator, NULL if not supported
215: */
216: authenticator_t *authenticator_create_verifier(
217: ike_sa_t *ike_sa, message_t *message,
218: chunk_t received_nonce, chunk_t sent_nonce,
219: chunk_t received_init, chunk_t sent_init,
220: char reserved[3]);
221:
222: /**
223: * Create an IKEv1 authenticator to build and verify signatures or hash
224: * payloads.
225: *
226: * @note Due to the fixed ID, these authenticators can only be used in one
227: * direction at a time.
228: *
229: * @param ike_sa associated IKE_SA
230: * @param initiator TRUE if we are the IKE_SA initiator
231: * @param auth_method negotiated authentication method to use
232: * @param dh diffie hellman key exchange
233: * @param dh_value others public diffie hellman value
234: * @param sa_payload generated SA payload data, without payload header
235: * @param id_payload encoded ID payload of peer to authenticate or verify
236: * without payload header (gets owned)
237: * @return authenticator, NULL if not supported
238: */
239: authenticator_t *authenticator_create_v1(ike_sa_t *ike_sa, bool initiator,
240: auth_method_t auth_method, diffie_hellman_t *dh,
241: chunk_t dh_value, chunk_t sa_payload,
242: chunk_t id_payload);
243:
244: #endif /** AUTHENTICATOR_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>