2 * @file authenticator.h
4 * @brief Interface of authenticator_t.
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 #ifndef AUTHENTICATOR_H_
24 #define AUTHENTICATOR_H_
27 #include <sa/ike_sa.h>
28 #include <network/packet.h>
29 #include <encoding/payloads/auth_payload.h>
30 #include <encoding/payloads/id_payload.h>
33 typedef struct authenticator_t authenticator_t
;
36 * @brief Class used to authenticate a peer.
38 * Currently the following two AUTH methods are supported:
39 * - SHARED_KEY_MESSAGE_INTEGRITY_CODE
40 * - RSA_DIGITAL_SIGNATURE
42 * This class retrieves needed data for specific AUTH methods (RSA keys, shared secrets, etc.)
43 * over an internal stored protected_ike_sa_t object or directly from the configuration_t over
44 * the daemon_t object "charon".
47 * - authenticator_create()
51 struct authenticator_t
{
54 * @brief Verify's given authentication data.
56 * To verify a received AUTH payload the following data must be provided:
57 * - the last received IKEv2 Message from the other peer in binary form
58 * - the nonce value sent to the other peer
59 * - the ID payload of the other peer
61 * @param this calling object
62 * @param last_received_packet binary representation of the last received IKEv2-Message
63 * @param my_nonce the sent nonce (without payload header)
64 * @param other_id_payload the ID payload received from other peer
65 * @param initiator type of other peer. TRUE, if it is original initiator, FALSE otherwise
67 * @todo Document RSA error status types
70 * - SUCCESS if verification successful
71 * - FAILED if verification failed
72 * - NOT_SUPPORTED if AUTH method not supported
73 * - NOT_FOUND if the data for specific AUTH method could not be found
74 * (e.g. shared secret, rsa key)
76 status_t (*verify_auth_data
) (authenticator_t
*this,
77 auth_payload_t
*auth_payload
,
78 chunk_t last_received_packet
,
80 id_payload_t
*other_id_payload
,
84 * @brief Computes authentication data and creates specific AUTH payload.
86 * To create an AUTH payload, the following data must be provided:
87 * - the last sent IKEv2 Message in binary form
88 * - the nonce value received from the other peer
89 * - the ID payload of myself
91 * @param this calling object
92 * @param[out] auth_payload The object of typee auth_payload_t will be created at pointing location
93 * @param last_sent_packet binary representation of the last sent IKEv2-Message
94 * @param other_nonce the received nonce (without payload header)
95 * @param my_id_payload the ID payload going to send to other peer
96 * @param initiator type of myself. TRUE, if I'm original initiator, FALSE otherwise
98 * @todo Document RSA error status types
101 * - SUCCESS if authentication data could be computed
102 * - NOT_SUPPORTED if AUTH method not supported
103 * - NOT_FOUND if the data for AUTH method could not be found
105 status_t (*compute_auth_data
) (authenticator_t
*this,
106 auth_payload_t
**auth_payload
,
107 chunk_t last_sent_packet
,
109 id_payload_t
*my_id_payload
,
113 * @brief Destroys a authenticator_t object.
115 * @param this calling object
117 void (*destroy
) (authenticator_t
*this);
121 * @brief Creates an authenticator object.
123 * @warning: The following functions of the assigned protected_ike_sa_t object
124 * must return a valid value:
125 * - protected_ike_sa_t.get_policy
126 * - protected_ike_sa_t.get_prf
127 * - protected_ike_sa_t.get_logger
128 * This preconditions are not given in IKE_SA states INITIATOR_INIT or RESPONDER_INIT!
130 * @param ike_sa object of type protected_ike_sa_t
132 * @return authenticator_t object
136 authenticator_t
*authenticator_create(protected_ike_sa_t
*ike_sa
);
138 #endif /* AUTHENTICATOR_H_ */