2006-10-30 14:07:05 +00:00
|
|
|
/*
|
2008-06-10 09:08:27 +00:00
|
|
|
* Copyright (C) 2008 Tobias Brunner
|
2008-08-22 10:44:51 +00:00
|
|
|
* Copyright (C) 2005-2008 Martin Willi
|
2006-10-30 14:07:05 +00:00
|
|
|
* Copyright (C) 2005 Jan Hutter
|
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
|
* for more details.
|
2008-03-13 14:14:44 +00:00
|
|
|
*
|
|
|
|
|
* $Id$
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @defgroup authenticator authenticator
|
|
|
|
|
* @{ @ingroup authenticators
|
2006-10-30 14:07:05 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef AUTHENTICATOR_H_
|
|
|
|
|
#define AUTHENTICATOR_H_
|
|
|
|
|
|
|
|
|
|
typedef enum auth_method_t auth_method_t;
|
2008-08-22 10:44:51 +00:00
|
|
|
typedef enum auth_class_t auth_class_t;
|
2006-10-30 14:07:05 +00:00
|
|
|
typedef struct authenticator_t authenticator_t;
|
|
|
|
|
|
2006-10-31 12:27:59 +00:00
|
|
|
#include <library.h>
|
2006-10-30 14:07:05 +00:00
|
|
|
#include <sa/ike_sa.h>
|
2008-06-10 09:08:27 +00:00
|
|
|
#include <config/peer_cfg.h>
|
2006-10-30 14:07:05 +00:00
|
|
|
#include <encoding/payloads/auth_payload.h>
|
|
|
|
|
|
|
|
|
|
/**
|
2008-08-22 10:44:51 +00:00
|
|
|
* Method to use for authentication, as defined in IKEv2.
|
2006-10-30 14:07:05 +00:00
|
|
|
*/
|
|
|
|
|
enum auth_method_t {
|
|
|
|
|
/**
|
|
|
|
|
* Computed as specified in section 2.15 of RFC using
|
|
|
|
|
* an RSA private key over a PKCS#1 padded hash.
|
|
|
|
|
*/
|
|
|
|
|
AUTH_RSA = 1,
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Computed as specified in section 2.15 of RFC using the
|
|
|
|
|
* shared key associated with the identity in the ID payload
|
|
|
|
|
* and the negotiated prf function
|
|
|
|
|
*/
|
|
|
|
|
AUTH_PSK = 2,
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Computed as specified in section 2.15 of RFC using a
|
|
|
|
|
* DSS private key over a SHA-1 hash.
|
|
|
|
|
*/
|
|
|
|
|
AUTH_DSS = 3,
|
|
|
|
|
|
2008-06-10 09:08:27 +00:00
|
|
|
/**
|
|
|
|
|
* ECDSA with SHA-256 on the P-256 curve as specified in RFC 4754
|
|
|
|
|
*/
|
|
|
|
|
AUTH_ECDSA_256 = 9,
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ECDSA with SHA-384 on the P-384 curve as specified in RFC 4754
|
|
|
|
|
*/
|
|
|
|
|
AUTH_ECDSA_384 = 10,
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
|
|
|
|
|
*/
|
|
|
|
|
AUTH_ECDSA_521 = 11,
|
2006-10-30 14:07:05 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* enum names for auth_method_t.
|
|
|
|
|
*/
|
|
|
|
|
extern enum_name_t *auth_method_names;
|
|
|
|
|
|
2008-08-22 10:44:51 +00:00
|
|
|
/**
|
|
|
|
|
* Class of authentication to use. This is different to auth_method_t in that
|
|
|
|
|
* it does not specify a method, but a class of acceptable methods. The found
|
|
|
|
|
* certificate finally dictates wich method is used.
|
|
|
|
|
*/
|
|
|
|
|
enum auth_class_t {
|
|
|
|
|
/** authentication using public keys (RSA, ECDSA) */
|
|
|
|
|
AUTH_CLASS_PUBKEY = 1,
|
|
|
|
|
/** authentication using a pre-shared secrets */
|
|
|
|
|
AUTH_CLASS_PSK = 2,
|
|
|
|
|
/** authentication using EAP */
|
|
|
|
|
AUTH_CLASS_EAP = 3,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* enum strings for auth_class_t
|
|
|
|
|
*/
|
|
|
|
|
extern enum_name_t *auth_class_names;
|
|
|
|
|
|
2006-10-30 14:07:05 +00:00
|
|
|
/**
|
2008-03-13 14:14:44 +00:00
|
|
|
* Authenticator interface implemented by the various authenticators.
|
2006-10-30 14:07:05 +00:00
|
|
|
*
|
|
|
|
|
* Currently the following two AUTH methods are supported:
|
2008-06-10 09:08:27 +00:00
|
|
|
* - shared key message integrity code
|
|
|
|
|
* - RSA digital signature
|
2008-08-22 10:44:51 +00:00
|
|
|
* - EAP using the EAP framework and one of the EAP plugins
|
2008-06-10 09:08:27 +00:00
|
|
|
* - ECDSA is supported using OpenSSL
|
2006-10-30 14:07:05 +00:00
|
|
|
*/
|
|
|
|
|
struct authenticator_t {
|
|
|
|
|
|
|
|
|
|
/**
|
2008-03-13 14:14:44 +00:00
|
|
|
* Verify a received authentication payload.
|
2006-10-30 14:07:05 +00:00
|
|
|
*
|
2008-08-22 10:44:51 +00:00
|
|
|
* @param ike_sa_init binary representation of received ike_sa_init
|
|
|
|
|
* @param my_nonce the sent nonce
|
|
|
|
|
* @param auth_payload authentication payload to verify
|
2006-10-30 14:07:05 +00:00
|
|
|
* @return
|
2008-08-22 10:44:51 +00:00
|
|
|
* - SUCCESS,
|
|
|
|
|
* - FAILED if verification failed
|
|
|
|
|
* - INVALID_ARG if auth_method does not match
|
|
|
|
|
* - NOT_FOUND if credentials not found
|
2006-10-30 14:07:05 +00:00
|
|
|
*/
|
|
|
|
|
status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
|
|
|
|
|
chunk_t my_nonce, auth_payload_t *auth_payload);
|
|
|
|
|
|
|
|
|
|
/**
|
2008-03-13 14:14:44 +00:00
|
|
|
* Build an authentication payload to send to the other peer.
|
2006-10-30 14:07:05 +00:00
|
|
|
*
|
2008-08-22 10:44:51 +00:00
|
|
|
* @param ike_sa_init binary representation of sent ike_sa_init
|
|
|
|
|
* @param other_nonce the received nonce
|
|
|
|
|
* @param auth_payload the resulting authentication payload
|
2006-10-30 14:07:05 +00:00
|
|
|
* @return
|
2008-08-22 10:44:51 +00:00
|
|
|
* - SUCCESS,
|
|
|
|
|
* - NOT_FOUND if credentials not found
|
2006-10-30 14:07:05 +00:00
|
|
|
*/
|
|
|
|
|
status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
|
|
|
|
|
chunk_t other_nonce, auth_payload_t **auth_payload);
|
|
|
|
|
|
|
|
|
|
/**
|
2008-03-13 14:14:44 +00:00
|
|
|
* Destroys a authenticator_t object.
|
2006-10-30 14:07:05 +00:00
|
|
|
*/
|
|
|
|
|
void (*destroy) (authenticator_t *this);
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2008-08-22 10:44:51 +00:00
|
|
|
* Creates an authenticator for the specified auth class (as configured).
|
2006-10-30 14:07:05 +00:00
|
|
|
*
|
|
|
|
|
* @param ike_sa associated ike_sa
|
2008-08-22 10:44:51 +00:00
|
|
|
* @param class class of authentication to use
|
2006-10-30 14:07:05 +00:00
|
|
|
* @return authenticator_t object
|
|
|
|
|
*/
|
2008-08-22 10:44:51 +00:00
|
|
|
authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
|
|
|
|
|
auth_class_t class);
|
2008-06-10 09:08:27 +00:00
|
|
|
|
|
|
|
|
/**
|
2008-08-22 10:44:51 +00:00
|
|
|
* Creates an authenticator for method (as received in payload).
|
2008-06-10 09:08:27 +00:00
|
|
|
*
|
|
|
|
|
* @param ike_sa associated ike_sa
|
2008-08-22 10:44:51 +00:00
|
|
|
* @param method method as found in payload
|
2008-06-10 09:08:27 +00:00
|
|
|
* @return authenticator_t object
|
|
|
|
|
*/
|
2008-08-22 10:44:51 +00:00
|
|
|
authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
|
|
|
|
|
auth_method_t method);
|
2006-10-30 14:07:05 +00:00
|
|
|
|
2009-03-24 17:43:01 +00:00
|
|
|
#endif /** AUTHENTICATOR_H_ @}*/
|
