implemented Expanded EAP types to support vendor specific methods
[strongswan.git] / src / charon / sa / authenticators / eap / eap_method.h
1 /**
2 * @file eap_method.h
3 *
4 * @brief Interface eap_method_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef EAP_METHOD_H_
24 #define EAP_METHOD_H_
25
26 typedef struct eap_method_t eap_method_t;
27 typedef enum eap_role_t eap_role_t;
28 typedef enum eap_type_t eap_type_t;
29 typedef enum eap_code_t eap_code_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <encoding/payloads/eap_payload.h>
34
35 /**
36 * Role of an eap_method, SERVER or PEER (client)
37 *
38 * @ingroup eap
39 */
40 enum eap_role_t {
41 EAP_SERVER,
42 EAP_PEER,
43 };
44 /**
45 * enum names for eap_role_t.
46 *
47 * @ingroup eap
48 */
49 extern enum_name_t *eap_role_names;
50
51 /**
52 * EAP types, defines the EAP method implementation
53 *
54 * @ingroup eap
55 */
56 enum eap_type_t {
57 EAP_IDENTITY = 1,
58 EAP_NOTIFICATION = 2,
59 EAP_NAK = 3,
60 EAP_MD5 = 4,
61 EAP_ONE_TIME_PASSWORD = 5,
62 EAP_TOKEN_CARD = 6,
63 EAP_SIM = 18,
64 EAP_AKA = 23,
65 EAP_EXPANDED = 254,
66 EAP_EXPERIMENTAL = 255,
67 };
68
69 /**
70 * enum names for eap_type_t.
71 *
72 * @ingroup eap
73 */
74 extern enum_name_t *eap_type_names;
75
76 /**
77 * EAP code, type of an EAP message
78 *
79 * @ingroup eap
80 */
81 enum eap_code_t {
82 EAP_REQUEST = 1,
83 EAP_RESPONSE = 2,
84 EAP_SUCCESS = 3,
85 EAP_FAILURE = 4,
86 };
87
88 /**
89 * enum names for eap_code_t.
90 *
91 * @ingroup eap
92 */
93 extern enum_name_t *eap_code_names;
94
95
96 /**
97 * @brief Interface of an EAP method for server and client side.
98 *
99 * An EAP method initiates an EAP exchange and processes requests and
100 * responses. An EAP method may need multiple exchanges before succeeding, and
101 * the eap_authentication may use multiple EAP methods to authenticate a peer.
102 * To accomplish these requirements, all EAP methods have their own
103 * implementation while the eap_authenticatior uses one or more of these
104 * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
105 * of the method, the eap_authenticator does this.
106 * An EAP method may establish a MSK, this is used the complete the
107 * authentication. Even if a mutual EAP method is used, the traditional
108 * AUTH payloads are required. Only these include the nonces and messages from
109 * ike_sa_init and therefore prevent man in the middle attacks.
110 *
111 * @b Constructors:
112 * - eap_method_create()
113 *
114 * @ingroup eap
115 */
116 struct eap_method_t {
117
118 /**
119 * @brief Initiate the EAP exchange.
120 *
121 * initiate() is only useable for server implementations, as clients only
122 * reply to server requests.
123 * A eap_payload is created in "out" if result is NEED_MORE.
124 *
125 * @param this calling object
126 * @param out eap_payload to send to the client
127 * @return
128 * - NEED_MORE, if an other exchange is required
129 * - FAILED, if unable to create eap request payload
130 */
131 status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
132
133 /**
134 * @brief Process a received EAP message.
135 *
136 * A eap_payload is created in "out" if result is NEED_MORE.
137 *
138 * @param this calling object
139 * @param in eap_payload response received
140 * @param out created eap_payload to send
141 * @return
142 * - NEED_MORE, if an other exchange is required
143 * - FAILED, if EAP method failed
144 * - SUCCESS, if EAP method succeeded
145 */
146 status_t (*process) (eap_method_t *this, eap_payload_t *in,
147 eap_payload_t **out);
148
149 /**
150 * @brief Get the EAP type implemented in this method.
151 *
152 * @param this calling object
153 * @param vendor pointer receiving vendor identifier for type, 0 for none
154 * @return type of the EAP method
155 */
156 eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
157
158 /**
159 * @brief Check if this EAP method authenticates the server.
160 *
161 * Some EAP methods provide mutual authentication and
162 * allow authentication using only EAP, if the peer supports it.
163 *
164 * @param this calling object
165 * @return TRUE if methods provides mutual authentication
166 */
167 bool (*is_mutual) (eap_method_t *this);
168
169 /**
170 * @brief Get the MSK established by this EAP method.
171 *
172 * Not all EAP methods establish a shared secret.
173 *
174 * @param this calling object
175 * @param msk chunk receiving internal stored MSK
176 * @return
177 * - SUCCESS, or
178 * - FAILED, if MSK not established (yet)
179 */
180 status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
181
182 /**
183 * @brief Destroys a eap_method_t object.
184 *
185 * @param this calling object
186 */
187 void (*destroy) (eap_method_t *this);
188 };
189
190 /**
191 * @brief Creates an EAP method for a specific type and role.
192 *
193 * @param eap_type EAP type to use
194 * @param eap_vendor vendor identifier if a vendor specifc EAP type is used
195 * @param role role of the eap_method, server or peer
196 * @param server ID of acting server
197 * @param peer ID of involved peer (client)
198 * @return eap_method_t object
199 *
200 * @ingroup eap
201 */
202 eap_method_t *eap_method_create(eap_type_t eap_type, u_int32_t eap_vendor,
203 eap_role_t role, identification_t *server,
204 identification_t *peer);
205
206 /**
207 * @brief (Re-)Load all EAP modules in the EAP modules directory.
208 *
209 * For security reasons, the directory and all it's modules must be owned
210 * by root and must not be writeable by someone else.
211 *
212 * @param dir directory of the EAP modules
213 *
214 * @ingroup eap
215 */
216 void eap_method_load(char *directory);
217
218 /**
219 * @brief Unload all loaded EAP modules
220 *
221 * @ingroup eap
222 */
223 void eap_method_unload();
224
225 /**
226 * @brief Constructor definition for a pluggable EAP module.
227 *
228 * Each EAP module must define a constructor function which will return
229 * an initialized object with the methods defined in eap_method_t. The
230 * constructor must be named eap_create() and it's signature must be equal
231 * to that of eap_constructor_t.
232 * A module may implement only a single role. If it does not support the role
233 * requested, NULL should be returned. Multiple modules are allowed of the
234 * same EAP type to support seperate implementations of peer/server.
235 *
236 * @param role role the module will play, peer or server
237 * @param server ID of the server to use for credential lookup
238 * @param peer ID of the peer to use for credential lookup
239 * @return implementation of the eap_method_t interface
240 *
241 * @ingroup eap
242 */
243 typedef eap_method_t *(*eap_constructor_t)(eap_role_t role,
244 identification_t *server,
245 identification_t *peer);
246
247 #endif /* EAP_METHOD_H_ */