updated Doxyfile
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 /**
19 * @defgroup eap_authenticator eap_authenticator
20 * @{ @ingroup authenticators
21 */
22
23 #ifndef EAP_AUTHENTICATOR_H_
24 #define EAP_AUTHENTICATOR_H_
25
/* Forward typedef declared before the includes below; presumably so that
 * authenticator.h / eap_payload.h can refer to eap_authenticator_t without
 * a circular include — confirm against those headers. */
typedef struct eap_authenticator_t eap_authenticator_t;
27
28 #include <sa/authenticators/authenticator.h>
29 #include <encoding/payloads/eap_payload.h>
30
31 /**
32 * Implementation of the authenticator_t interface using AUTH_CLASS_EAP.
33 *
34 * Authentication using EAP involves the most complex authenticator. It stays
35 * alive over multiple ike_auth transactions and handles multiple EAP
36 * messages.
 * Two cases of EAP authentication must be clearly distinguished: mutual
 * EAP methods, and methods that do not authenticate the server.
 * If the EAP method is not mutual, the server must prove its identity
 * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual
 * should the client accept an EAP-only authentication.
 * RFC4306 always uses traditional authentication; EAP-only authentication
 * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt.
44 *
45 * @verbatim
                    ike_sa_init
            ------------------------->
            <-------------------------
          followed by multiple ike_auth:

   +--------+                                +--------+
   |  EAP   |     ID, SA, TS, N(EAP_ONLY)    |  EAP   |
   | client |  --------------------------->  | server |
   |        |        ID, [AUTH,] EAP         |        |  AUTH payload is
   |        |  <---------------------------  |        |  only included if
   |        |              EAP               |        |  authentication
   |        |  --------------------------->  |        |  is not mutual.
   |        |              EAP               |        |
   |        |  <---------------------------  |        |
   |        |              EAP               |        |
   |        |  --------------------------->  |        |
   |        |          EAP(SUCCESS)          |        |
   |        |  <---------------------------  |        |
   |        |             AUTH               |        |  If EAP establishes
   |        |  --------------------------->  |        |  a session key, AUTH
   |        |          AUTH, SA, TS          |        |  payloads use this
   |        |  <---------------------------  |        |  key, not SK_pi/pr
   +--------+                                +--------+
69
70 @endverbatim
71 */
struct eap_authenticator_t {

	/**
	 * Implemented authenticator_t interface.
	 */
	authenticator_t authenticator_interface;

	/**
	 * Check if the EAP method was/is mutual and secure.
	 *
	 * RFC4306 proposes to authenticate the EAP responder (server) by standard
	 * IKEv2 methods (RSA, psk). Not all, but some EAP methods
	 * provide mutual authentication, which would result in a redundant
	 * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and
	 * the server provides mutual authentication, authentication using
	 * RSA/PSK may be omitted. If the server did not include a traditional
	 * AUTH payload, the client MUST verify that the server initiated mutual
	 * EAP authentication before it can trust the server: a TRUE result is
	 * the only thing standing in for the missing AUTH payload, so a client
	 * must never skip the AUTH check based on the EAP outcome alone.
	 *
	 * @return				TRUE, if no AUTH payload required, FALSE otherwise
	 */
	bool (*is_mutual) (eap_authenticator_t* this);

	/**
	 * Initiate the EAP exchange.
	 *
	 * The server initiates EAP exchanges, so the client never calls
	 * this method. If initiate() returns NEED_MORE, the EAP authentication
	 * process started. In any case, a payload is created in "out"
	 * (also on FAILED), so the caller is responsible for it either way.
	 * NOTE(review): ownership of *out is not stated here; presumably the
	 * caller sends and releases it — confirm against the implementation.
	 *
	 * @param type			EAP method to use to authenticate client
	 * @param vendor		EAP vendor identifier, if type is vendor specific, or 0
	 * @param out			created initial EAP message to send
	 * @return
	 *						- FAILED, if initiation failed
	 *						- NEED_MORE, if more EAP exchanges required
	 */
	status_t (*initiate) (eap_authenticator_t* this, eap_type_t type,
						  u_int32_t vendor, eap_payload_t **out);

	/**
	 * Process an EAP message.
	 *
	 * After receiving an EAP message "in", the peer/server processes
	 * the payload and creates a reply/subsequent request.
	 * The server side always returns NEED_MORE if another EAP message
	 * is expected from the client, SUCCESS if EAP exchange completed and
	 * "out" is EAP_SUCCESS, or FAILED if the EAP exchange failed with
	 * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always
	 * created on the server side.
	 * The peer (client) side only creates a "out" payload if result is
	 * NEED_MORE; a SUCCESS/FAILED is returned whenever a
	 * EAP_SUCCESS/EAP_FAILURE message is received in "in", so on the client
	 * *out must not be assumed to be set unless NEED_MORE was returned.
	 * If a SUCCESS is returned (on any side), the EAP authentication was
	 * successful and the AUTH payload can be exchanged. SUCCESS alone does
	 * not mean the server is authenticated: if no AUTH payload is present,
	 * the client must additionally consult is_mutual() (see above).
	 *
	 * @param in			received EAP message
	 * @param out			created EAP message to send
	 * @return
	 *						- FAILED, if authentication/EAP exchange failed
	 *						- SUCCESS, if authentication completed
	 *						- NEED_MORE, if more EAP exchanges required
	 */
	status_t (*process) (eap_authenticator_t* this,
						 eap_payload_t *in, eap_payload_t **out);
};
138
/**
 * Creates an authenticator for AUTH_CLASS_EAP.
 *
 * The returned object stays alive over multiple ike_auth exchanges (see the
 * struct description above). Whether NULL can be returned on failure is not
 * documented here — callers should check until the implementation confirms
 * otherwise. NOTE(review): it is presumably released through the destroy
 * method of its authenticator_t interface — confirm against authenticator.h.
 *
 * @param ike_sa			associated ike_sa
 * @return					eap_authenticator_t object
 */
eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
146
147 #endif /** EAP_AUTHENTICATOR_H_ @}*/