Removed strayed code fragment
[strongswan.git] / src / charon / sa / authenticators / eap / eap_method.h
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup eap_method eap_method
18 * @{ @ingroup eap
19 */
20
21 #ifndef EAP_METHOD_H_
22 #define EAP_METHOD_H_
23
24 typedef struct eap_method_t eap_method_t;
25 typedef enum eap_role_t eap_role_t;
26 typedef enum eap_type_t eap_type_t;
27 typedef enum eap_code_t eap_code_t;
28
29 #include <library.h>
30 #include <utils/identification.h>
31 #include <encoding/payloads/eap_payload.h>
32
33 /**
34 * Role of an eap_method, SERVER or PEER (client)
35 */
36 enum eap_role_t {
37 EAP_SERVER,
38 EAP_PEER,
39 };
40 /**
41 * enum names for eap_role_t.
42 */
43 extern enum_name_t *eap_role_names;
44
45 /**
46 * EAP types, defines the EAP method implementation
47 */
48 enum eap_type_t {
49 EAP_IDENTITY = 1,
50 EAP_NOTIFICATION = 2,
51 EAP_NAK = 3,
52 EAP_MD5 = 4,
53 EAP_OTP = 5,
54 EAP_GTC = 6,
55 EAP_SIM = 18,
56 EAP_AKA = 23,
57 EAP_MSCHAPV2 = 26,
58 /** not a method, but an implementation providing different methods */
59 EAP_RADIUS = 253,
60 EAP_EXPANDED = 254,
61 EAP_EXPERIMENTAL = 255,
62 };
63
64 /**
65 * enum names for eap_type_t.
66 */
67 extern enum_name_t *eap_type_names;
68
69 /**
70 * short string enum names for eap_type_t.
71 */
72 extern enum_name_t *eap_type_short_names;
73
74 /**
75 * Lookup the EAP method type from a string.
76 *
77 * @param name EAP method name (such as "md5", "aka")
78 * @return method type, 0 if unkown
79 */
80 eap_type_t eap_type_from_string(char *name);
81
82 /**
83 * EAP code, type of an EAP message
84 */
85 enum eap_code_t {
86 EAP_REQUEST = 1,
87 EAP_RESPONSE = 2,
88 EAP_SUCCESS = 3,
89 EAP_FAILURE = 4,
90 };
91
92 /**
93 * enum names for eap_code_t.
94 */
95 extern enum_name_t *eap_code_names;
96
97 /**
98 * short string enum names for eap_code_t.
99 */
100 extern enum_name_t *eap_code_short_names;
101
102 /**
103 * Interface of an EAP method for server and client side.
104 *
105 * An EAP method initiates an EAP exchange and processes requests and
106 * responses. An EAP method may need multiple exchanges before succeeding, and
107 * the eap_authentication may use multiple EAP methods to authenticate a peer.
108 * To accomplish these requirements, all EAP methods have their own
109 * implementation while the eap_authenticatior uses one or more of these
110 * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
111 * of the method, the eap_authenticator does this.
112 * An EAP method may establish a MSK, this is used the complete the
113 * authentication. Even if a mutual EAP method is used, the traditional
114 * AUTH payloads are required. Only these include the nonces and messages from
115 * ike_sa_init and therefore prevent man in the middle attacks.
116 * The EAP method must use an initial EAP identifier value != 0, as a preceding
117 * EAP-Identity exchange always uses identifier 0.
118 */
119 struct eap_method_t {
120
121 /**
122 * Initiate the EAP exchange.
123 *
124 * initiate() is only useable for server implementations, as clients only
125 * reply to server requests.
126 * A eap_payload is created in "out" if result is NEED_MORE.
127 *
128 * @param out eap_payload to send to the client
129 * @return
130 * - NEED_MORE, if an other exchange is required
131 * - FAILED, if unable to create eap request payload
132 */
133 status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
134
135 /**
136 * Process a received EAP message.
137 *
138 * A eap_payload is created in "out" if result is NEED_MORE.
139 *
140 * @param in eap_payload response received
141 * @param out created eap_payload to send
142 * @return
143 * - NEED_MORE, if an other exchange is required
144 * - FAILED, if EAP method failed
145 * - SUCCESS, if EAP method succeeded
146 */
147 status_t (*process) (eap_method_t *this, eap_payload_t *in,
148 eap_payload_t **out);
149
150 /**
151 * Get the EAP type implemented in this method.
152 *
153 * @param vendor pointer receiving vendor identifier for type, 0 for none
154 * @return type of the EAP method
155 */
156 eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
157
158 /**
159 * Check if this EAP method authenticates the server.
160 *
161 * Some EAP methods provide mutual authentication and
162 * allow authentication using only EAP, if the peer supports it.
163 *
164 * @return TRUE if methods provides mutual authentication
165 */
166 bool (*is_mutual) (eap_method_t *this);
167
168 /**
169 * Get the MSK established by this EAP method.
170 *
171 * Not all EAP methods establish a shared secret. For implementations of
172 * the EAP-Identity method, get_msk() returns the received identity.
173 *
174 * @param msk chunk receiving internal stored MSK
175 * @return
176 * - SUCCESS, or
177 * - FAILED, if MSK not established (yet)
178 */
179 status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
180
181 /**
182 * Destroys a eap_method_t object.
183 */
184 void (*destroy) (eap_method_t *this);
185 };
186
187 /**
188 * Constructor definition for a pluggable EAP method.
189 *
190 * Each EAP module must define a constructor function which will return
191 * an initialized object with the methods defined in eap_method_t.
192 * Constructors for server and peers are identical, to support both roles
193 * of a EAP method, a plugin needs register two constructors in the
194 * eap_manager_t.
195 * The passed identites are of type ID_EAP and valid only during the
196 * constructor invocation.
197 *
198 * @param server ID of the server to use for credential lookup
199 * @param peer ID of the peer to use for credential lookup
200 * @return implementation of the eap_method_t interface
201 */
202 typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
203 identification_t *peer);
204
205 #endif /** EAP_METHOD_H_ @}*/