edc939deb667717cbed9c0c988529eb1d12fc25f
[strongswan.git] / src / charon / sa / authenticators / eap / eap_method.h
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 /**
19 * @defgroup eap_method eap_method
20 * @{ @ingroup eap
21 */
22
23 #ifndef EAP_METHOD_H_
24 #define EAP_METHOD_H_
25
26 typedef struct eap_method_t eap_method_t;
27 typedef enum eap_role_t eap_role_t;
28 typedef enum eap_type_t eap_type_t;
29 typedef enum eap_code_t eap_code_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <encoding/payloads/eap_payload.h>
34
35 /**
36 * Role of an eap_method, SERVER or PEER (client)
37 */
38 enum eap_role_t {
39 EAP_SERVER,
40 EAP_PEER,
41 };
42 /**
43 * enum names for eap_role_t.
44 */
45 extern enum_name_t *eap_role_names;
46
47 /**
48 * EAP types, defines the EAP method implementation
49 */
50 enum eap_type_t {
51 EAP_IDENTITY = 1,
52 EAP_NOTIFICATION = 2,
53 EAP_NAK = 3,
54 EAP_MD5 = 4,
55 EAP_OTP = 5,
56 EAP_GTC = 6,
57 EAP_SIM = 18,
58 EAP_AKA = 23,
59 EAP_MSCHAPV2 = 26,
60 EAP_EXPANDED = 254,
61 EAP_EXPERIMENTAL = 255,
62 };
63
64 /**
65 * enum names for eap_type_t.
66 */
67 extern enum_name_t *eap_type_names;
68
69 /**
70 * EAP code, type of an EAP message
71 */
72 enum eap_code_t {
73 EAP_REQUEST = 1,
74 EAP_RESPONSE = 2,
75 EAP_SUCCESS = 3,
76 EAP_FAILURE = 4,
77 };
78
79 /**
80 * enum names for eap_code_t.
81 */
82 extern enum_name_t *eap_code_names;
83
84
85 /**
86 * Interface of an EAP method for server and client side.
87 *
88 * An EAP method initiates an EAP exchange and processes requests and
89 * responses. An EAP method may need multiple exchanges before succeeding, and
90 * the eap_authentication may use multiple EAP methods to authenticate a peer.
91 * To accomplish these requirements, all EAP methods have their own
92 * implementation while the eap_authenticatior uses one or more of these
93 * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
94 * of the method, the eap_authenticator does this.
95 * An EAP method may establish a MSK, this is used the complete the
96 * authentication. Even if a mutual EAP method is used, the traditional
97 * AUTH payloads are required. Only these include the nonces and messages from
98 * ike_sa_init and therefore prevent man in the middle attacks.
99 * The EAP method must use an initial EAP identifier value != 0, as a preceding
100 * EAP-Identity exchange always uses identifier 0.
101 */
102 struct eap_method_t {
103
104 /**
105 * Initiate the EAP exchange.
106 *
107 * initiate() is only useable for server implementations, as clients only
108 * reply to server requests.
109 * A eap_payload is created in "out" if result is NEED_MORE.
110 *
111 * @param out eap_payload to send to the client
112 * @return
113 * - NEED_MORE, if an other exchange is required
114 * - FAILED, if unable to create eap request payload
115 */
116 status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
117
118 /**
119 * Process a received EAP message.
120 *
121 * A eap_payload is created in "out" if result is NEED_MORE.
122 *
123 * @param in eap_payload response received
124 * @param out created eap_payload to send
125 * @return
126 * - NEED_MORE, if an other exchange is required
127 * - FAILED, if EAP method failed
128 * - SUCCESS, if EAP method succeeded
129 */
130 status_t (*process) (eap_method_t *this, eap_payload_t *in,
131 eap_payload_t **out);
132
133 /**
134 * Get the EAP type implemented in this method.
135 *
136 * @param vendor pointer receiving vendor identifier for type, 0 for none
137 * @return type of the EAP method
138 */
139 eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
140
141 /**
142 * Check if this EAP method authenticates the server.
143 *
144 * Some EAP methods provide mutual authentication and
145 * allow authentication using only EAP, if the peer supports it.
146 *
147 * @return TRUE if methods provides mutual authentication
148 */
149 bool (*is_mutual) (eap_method_t *this);
150
151 /**
152 * Get the MSK established by this EAP method.
153 *
154 * Not all EAP methods establish a shared secret. For implementations of
155 * the EAP-Identity method, get_msk() returns the received identity.
156 *
157 * @param msk chunk receiving internal stored MSK
158 * @return
159 * - SUCCESS, or
160 * - FAILED, if MSK not established (yet)
161 */
162 status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
163
164 /**
165 * Destroys a eap_method_t object.
166 */
167 void (*destroy) (eap_method_t *this);
168 };
169
170 /**
171 * Constructor definition for a pluggable EAP method.
172 *
173 * Each EAP module must define a constructor function which will return
174 * an initialized object with the methods defined in eap_method_t.
175 * Constructors for server and peers are identical, to support both roles
176 * of a EAP method, a plugin needs register two constructors in the
177 * eap_manager_t.
178 * The passed identites are of type ID_EAP and valid only during the
179 * constructor invocation.
180 *
181 * @param server ID of the server to use for credential lookup
182 * @param peer ID of the peer to use for credential lookup
183 * @return implementation of the eap_method_t interface
184 */
185 typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
186 identification_t *peer);
187
188 #endif /* EAP_METHOD_H_ @} */