Diffstat (limited to 'src/charon/sa/authenticators/authenticator.h')
-rw-r--r-- | src/charon/sa/authenticators/authenticator.h | 75 |
1 files changed, 44 insertions, 31 deletions
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index 3c961d23e..aa5a73e86 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
  * for more details.
  *
- * $Id: authenticator.h 4051 2008-06-10 09:08:27Z tobias $
+ * $Id: authenticator.h 4276 2008-08-22 10:44:51Z martin $
  */
 
 /**
@@ -26,6 +26,7 @@
 #define AUTHENTICATOR_H_
 
 typedef enum auth_method_t auth_method_t;
+typedef enum auth_class_t auth_class_t;
 typedef struct authenticator_t authenticator_t;
 
 #include <library.h>
@@ -34,7 +35,7 @@ typedef struct authenticator_t authenticator_t;
 #include <encoding/payloads/auth_payload.h>
 
 /**
- * Method to use for authentication.
+ * Method to use for authentication, as defined in IKEv2.
  */
 enum auth_method_t {
 	/**
@@ -70,12 +71,6 @@ enum auth_method_t {
 	 * ECDSA with SHA-512 on the P-521 curve as specified in RFC 4754
 	 */
 	AUTH_ECDSA_521 = 11,
-
-	/**
-	 * EAP authentication. This value is never negotiated and therefore
-	 * a value from private use.
-	 */
-	AUTH_EAP = 201,
 };
 
 /**
@@ -84,11 +79,31 @@ enum auth_method_t {
 extern enum_name_t *auth_method_names;
 
 /**
+ * Class of authentication to use. This is different to auth_method_t in that
+ * it does not specify a method, but a class of acceptable methods. The found
+ * certificate finally dictates wich method is used.
+ */
+enum auth_class_t {
+	/** authentication using public keys (RSA, ECDSA) */
+	AUTH_CLASS_PUBKEY = 1,
+	/** authentication using a pre-shared secrets */
+	AUTH_CLASS_PSK = 2,
+	/** authentication using EAP */
+	AUTH_CLASS_EAP = 3,
+};
+
+/**
+ * enum strings for auth_class_t
+ */
+extern enum_name_t *auth_class_names;
+
+/**
  * Authenticator interface implemented by the various authenticators.
  *
  * Currently the following two AUTH methods are supported:
  * - shared key message integrity code
  * - RSA digital signature
+ * - EAP using the EAP framework and one of the EAP plugins
  * - ECDSA is supported using OpenSSL
  */
 struct authenticator_t {
@@ -96,15 +111,14 @@ struct authenticator_t {
 	/**
 	 * Verify a received authentication payload.
 	 *
-	 * @param ike_sa_init binary representation of received ike_sa_init
-	 * @param my_nonce the sent nonce
-	 * @param auth_payload authentication payload to verify
-	 *
+	 * @param ike_sa_init binary representation of received ike_sa_init
+	 * @param my_nonce the sent nonce
+	 * @param auth_payload authentication payload to verify
 	 * @return
-	 * - SUCCESS,
-	 * - FAILED if verification failed
-	 * - INVALID_ARG if auth_method does not match
-	 * - NOT_FOUND if credentials not found
+	 * - SUCCESS,
+	 * - FAILED if verification failed
+	 * - INVALID_ARG if auth_method does not match
+	 * - NOT_FOUND if credentials not found
 	 */
 	status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init, chunk_t my_nonce,
 	                    auth_payload_t *auth_payload);
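Review bot: The description block on the new auth_class_t enum has a typo and a grammatical slip: `wich` should be `which`, and `authentication using a pre-shared secrets` should be `authentication using a pre-shared secret`. The enumerators start at 1, so a zero-initialized or zeroed auth_class_t holds no valid class; if that is intended as the "unset" state, say so with a line like `/* 0 is deliberately unused: a zeroed auth_class_t means "no class" */`, otherwise a caller may not notice the gap. In the same hunk, the authenticator_t description still says `Currently the following two AUTH methods are supported:` while the list below it now has four bullets after the added EAP entry, so `two` is stale; `Currently the following AUTH methods are supported:` avoids the count going out of date again.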
@@ -112,13 +126,12 @@ struct authenticator_t {
 	/**
 	 * Build an authentication payload to send to the other peer.
 	 *
-	 * @param ike_sa_init binary representation of sent ike_sa_init
-	 * @param other_nonce the received nonce
-	 * @param[out] auth_payload the resulting authentication payload
-	 *
+	 * @param ike_sa_init binary representation of sent ike_sa_init
+	 * @param other_nonce the received nonce
+	 * @param auth_payload the resulting authentication payload
 	 * @return
-	 * - SUCCESS,
-	 * - NOT_FOUND if the data for AUTH method could not be found
+	 * - SUCCESS,
+	 * - NOT_FOUND if credentials not found
 	 */
 	status_t (*build) (authenticator_t *this, chunk_t ike_sa_init, chunk_t other_nonce,
 	                   auth_payload_t **auth_payload);
@@ -130,23 +143,23 @@ struct authenticator_t {
 };
 
 /**
- * Creates an authenticator for the specified auth method (as configured).
+ * Creates an authenticator for the specified auth class (as configured).
  *
  * @param ike_sa associated ike_sa
- * @param auth_method authentication method to use for build()/verify()
- *
+ * @param class class of authentication to use
  * @return authenticator_t object
  */
-authenticator_t *authenticator_create(ike_sa_t *ike_sa, config_auth_method_t auth_method);
+authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
+                                                 auth_class_t class);
 
 /**
- * Creates an authenticator from the given auth payload.
+ * Creates an authenticator for method (as received in payload).
  *
  * @param ike_sa associated ike_sa
- * @param auth_payload auth payload
- *
+ * @param method method as found in payload
  * @return authenticator_t object
  */
-authenticator_t *authenticator_create_from_auth_payload(ike_sa_t *ike_sa, auth_payload_t *auth_payload);
+authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
+                                                  auth_method_t method);
 
 #endif /* AUTHENTICATOR_H_ @} */
|
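Review bot: The rewritten build() doc drops the `[out]` direction from the auth_payload parameter, yet the prototype on the last hunk lines still takes `auth_payload_t **auth_payload` and the text says it is "the resulting" payload, so the Doxygen annotation was correct and should survive the re-alignment: `@param[out] auth_payload the resulting authentication payload`. A `**` out-parameter also raises the ownership question; if the caller is expected to destroy the returned payload (the usual pattern here, to be confirmed against the implementations), add that to the same line, e.g. `(caller owns the returned payload)`. The enclosing struct authenticator_t begins before this hunk.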
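Review bot: The new prototype `authenticator_create_from_class(ike_sa_t *ike_sa, auth_class_t class)` uses `class` as a parameter name, which is a reserved keyword in C++, so this public header can no longer be included from any C++ translation unit; renaming it keeps the header language-neutral: `auth_class_t auth_class);` together with `@param auth_class class of authentication to use`. Both new `@return authenticator_t object` lines also omit the failure case, which matters for authenticator_create_from_method because its `method` argument comes from the peer's AUTH payload rather than from configuration; state what the caller gets for an unknown or unsupported value (presumably NULL, to be confirmed in the .c file): `@return authenticator_t object, NULL if the method/class is not supported`.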