1 /**
2 * @file eap_authenticator.h
3 *
4 * @brief Interface of eap_authenticator_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef EAP_AUTHENTICATOR_H_
24 #define EAP_AUTHENTICATOR_H_
25
26 typedef struct eap_authenticator_t eap_authenticator_t;
27
28 #include <sa/authenticators/authenticator.h>
29 #include <encoding/payloads/eap_payload.h>
30
31 /**
32 * @brief Implementation of the authenticator_t interface using AUTH_EAP.
33 *
34 * Authentication using EAP involves the most complex authenticator. It stays
35 * alive over multiple ike_auth transactions and handles multiple EAP
36 * messages.
37 * EAP authentication must be clearly distinguished between using
38 * mutual EAP methods and using methods not providing server authentication.
39 * If no mutual authentication is used, the server must prove it's identity
40 * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual,
41 * the client should accept an EAP-only authentication.
42 * RFC4306 does always use traditional authentiction, EAP only authentication
43 * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt.
44 *
45 * @verbatim
46 ike_sa_init
47 ------------------------->
48 <-------------------------
49 followed by multiple ike_auth:
50
51 +--------+ +--------+
52 | EAP | ID, SA, TS, N(EAP_ONLY) | EAP |
53 | client | ---------------------------> | server |
54 | | ID, [AUTH,] EAP | | AUTH payload is
55 | | <--------------------------- | | only included if
56 | | EAP | | authentication
57 | | ---------------------------> | | is not mutual.
58 | | EAP | |
59 | | <--------------------------- | |
60 | | EAP | |
61 | | ---------------------------> | |
62 | | EAP(SUCCESS) | |
63 | | <--------------------------- | |
64 | | AUTH | | If EAP establishes
65 | | ---------------------------> | | a session key, AUTH
66 | | AUTH, SA, TS | | payloads use this
67 | | <--------------------------- | | key, not SK_pi/pr
68 +--------+ +--------+
69
70 @endverbatim
71 * @b Constructors:
72 * - eap_authenticator_create()
73 * - authenticator_create() using auth_method AUTH_EAP
74 *
75 * @ingroup authenticators
76 */
77 struct eap_authenticator_t {
78
79 /**
80 * Implemented authenticator_t interface.
81 */
82 authenticator_t authenticator_interface;
83
84 /**
85 * @brief Check if the EAP method was/is mutual and secure.
86 *
87 * RFC4306 proposes to authenticate the EAP responder (server) by standard
88 * IKEv2 methods (RSA, psk). Not all, but some EAP methods
89 * provide mutual authentication, which would result in a redundant
90 * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and
91 * the the server provides mutual authentication, authentication using
92 * RSA/PSK may be omitted. If the server did not include a traditional
93 * AUTH payload, the client must verify that the server initiated mutual
94 * EAP authentication before it can trust the server.
95 *
96 * @param this calling object
97 * @return TRUE, if no AUTH payload required, FALSE otherwise
98 */
99 bool (*is_mutual) (eap_authenticator_t* this);
100
101 /**
102 * @brief Initiate the EAP exchange.
103 *
104 * The server initiates EAP exchanges, so the client never calls
105 * this method. If initiate() returns NEED_MORE, the EAP authentication
106 * process started. In any case, a payload is created in "out".
107 *
108 * @param this calling object
109 * @param type EAP method to use to authenticate client
110 * @param out created initiaal EAP message to send
111 * @return
112 * - FAILED, if initiation failed
113 * - NEED_MORE, if more EAP exchanges reqired
114 */
115 status_t (*initiate) (eap_authenticator_t* this, eap_type_t type,
116 eap_payload_t **out);
117
118 /**
119 * @brief Process an EAP message.
120 *
121 * After receiving an EAP message "in", the peer/server processes
122 * the payload and creates a reply/subsequent request.
123 * The server side always returns NEED_MORE if another EAP message
124 * is expected from the client, SUCCESS if EAP exchange completed and
125 * "out" is EAP_SUCCES, or FAILED if the EAP exchange failed with
126 * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always
127 * created.
128 * The peer (client) side only creates a "out" payload if result is
129 * NEED_MORE, a SUCCESS/FAILED is returned whenever a
130 * EAP_SUCCESS/EAP_FAILURE message is received in "in".
131 * If a SUCCESS is returned (on any side), the EAP authentication was
132 * successful and the AUTH payload can be exchanged.
133 *
134 * @param this calling object
135 * @param in received EAP message
136 * @param out created EAP message to send
137 * @return
138 * - FAILED, if authentication/EAP exchange failed
139 * - SUCCESS, if authentication completed
140 * - NEED_MORE, if more EAP exchanges reqired
141 */
142 status_t (*process) (eap_authenticator_t* this,
143 eap_payload_t *in, eap_payload_t **out);
144 };
145
146 /**
147 * @brief Creates an authenticator for AUTH_EAP.
148 *
149 * @param ike_sa associated ike_sa
150 * @return eap_authenticator_t object
151 *
152 * @ingroup authenticators
153 */
154 eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
155
156 #endif /* EAP_AUTHENTICATOR_H_ */