src/charon/sa/authenticators/eap/eap_method.h

   1 /*
   2  * Copyright (C) 2006 Martin Willi
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  *
  15  * $Id$
  16  */
  17
  18 /**
  19  * @defgroup eap_method eap_method
  20  * @{ @ingroup eap
  21  */
  22
  23 #ifndef EAP_METHOD_H_
  24 #define EAP_METHOD_H_
  25
  26 typedef struct eap_method_t eap_method_t;
  27 typedef enum eap_role_t eap_role_t;
  28 typedef enum eap_type_t eap_type_t;
  29 typedef enum eap_code_t eap_code_t;
  30
  31 #include <library.h>
  32 #include <utils/identification.h>
  33 #include <encoding/payloads/eap_payload.h>
  34
  35 /**
  36  * Role of an eap_method, SERVER or PEER (client)
  37  */
  38 enum eap_role_t {
  39         EAP_SERVER,
  40         EAP_PEER,
  41 };
  42 /**
  43  * enum names for eap_role_t.
  44  */
  45 extern enum_name_t *eap_role_names;
  46
  47 /**
  48  * EAP types, defines the EAP method implementation
  49  */
  50 enum eap_type_t {
  51         EAP_IDENTITY = 1,
  52         EAP_NOTIFICATION = 2,
  53         EAP_NAK = 3,
  54         EAP_MD5 = 4,
  55         EAP_OTP = 5,
  56         EAP_GTC = 6,
  57         EAP_SIM = 18,
  58         EAP_AKA = 23,
  59         EAP_MSCHAPV2 = 26,
  60         EAP_EXPANDED = 254,
  61         EAP_EXPERIMENTAL = 255,
  62 };
  63
  64 /**
  65  * enum names for eap_type_t.
  66  */
  67 extern enum_name_t *eap_type_names;
  68
  69 /**
  70  * EAP code, type of an EAP message
  71  */
  72 enum eap_code_t {
  73         EAP_REQUEST = 1,
  74         EAP_RESPONSE = 2,
  75         EAP_SUCCESS = 3,
  76         EAP_FAILURE = 4,
  77 };
  78
  79 /**
  80  * enum names for eap_code_t.
  81  */
  82 extern enum_name_t *eap_code_names;
  83
  84
  85 /**
  86  * Interface of an EAP method for server and client side.
  87  *
  88  * An EAP method initiates an EAP exchange and processes requests and
  89  * responses. An EAP method may need multiple exchanges before succeeding, and
  90  * the eap_authentication may use multiple EAP methods to authenticate a peer.
  91  * To accomplish these requirements, all EAP methods have their own
  92  * implementation while the eap_authenticatior uses one or more of these
  93  * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
  94  * of the method, the eap_authenticator does this.
  95  * An EAP method may establish a MSK, this is used the complete the
  96  * authentication. Even if a mutual EAP method is used, the traditional
  97  * AUTH payloads are required. Only these include the nonces and messages from
  98  * ike_sa_init and therefore prevent man in the middle attacks.
  99  * The EAP method must use an initial EAP identifier value != 0, as a preceding
 100  * EAP-Identity exchange always uses identifier 0.
 101  */
 102 struct eap_method_t {
 103
 104         /**
 105          * Initiate the EAP exchange.
 106          *
 107          * initiate() is only useable for server implementations, as clients only
 108          * reply to server requests.
 109          * A eap_payload is created in "out" if result is NEED_MORE.
 110          *
 111          * @param out           eap_payload to send to the client
 112          * @return
 113          *                                      - NEED_MORE, if an other exchange is required
 114          *                                      - FAILED, if unable to create eap request payload
 115          */
 116         status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
 117
 118         /**
 119          * Process a received EAP message.
 120          *
 121          * A eap_payload is created in "out" if result is NEED_MORE.
 122          *
 123          * @param in            eap_payload response received
 124          * @param out           created eap_payload to send
 125          * @return
 126          *                                      - NEED_MORE, if an other exchange is required
 127          *                                      - FAILED, if EAP method failed
 128          *                                      - SUCCESS, if EAP method succeeded
 129          */
 130         status_t (*process) (eap_method_t *this, eap_payload_t *in,
 131                                                  eap_payload_t **out);
 132
 133         /**
 134          * Get the EAP type implemented in this method.
 135          *
 136          * @param vendor        pointer receiving vendor identifier for type, 0 for none
 137          * @return                      type of the EAP method
 138          */
 139         eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
 140
 141         /**
 142          * Check if this EAP method authenticates the server.
 143          *
 144          * Some EAP methods provide mutual authentication and
 145          * allow authentication using only EAP, if the peer supports it.
 146          *
 147          * @return                      TRUE if methods provides mutual authentication
 148          */
 149         bool (*is_mutual) (eap_method_t *this);
 150
 151         /**
 152          * Get the MSK established by this EAP method.
 153          *
 154          * Not all EAP methods establish a shared secret. For implementations of
 155          * the EAP-Identity method, get_msk() returns the received identity.
 156          *
 157          * @param msk           chunk receiving internal stored MSK
 158          * @return
 159          *                                      - SUCCESS, or
 160          *                                      - FAILED, if MSK not established (yet)
 161          */
 162         status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
 163
 164         /**
 165          * Destroys a eap_method_t object.
 166          */
 167         void (*destroy) (eap_method_t *this);
 168 };
 169
 170 /**
 171  * Constructor definition for a pluggable EAP method.
 172  *
 173  * Each EAP module must define a constructor function which will return
 174  * an initialized object with the methods defined in eap_method_t.
 175  * Constructors for server and peers are identical, to support both roles
 176  * of a EAP method, a plugin needs register two constructors in the
 177  * eap_manager_t.
 178  * The passed identites are of type ID_EAP and valid only during the
 179  * constructor invocation.
 180  *
 181  * @param server                ID of the server to use for credential lookup
 182  * @param peer                  ID of the peer to use for credential lookup
 183  * @return                              implementation of the eap_method_t interface
 184  */
 185 typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
 186                                                                                    identification_t *peer);
 187
 188 #endif /* EAP_METHOD_H_ @} */