0eab2b5ff6ad836e2a005be50651a82a6774d561
[strongswan.git] / src / libcharon / sa / authenticators / eap / eap_method.h
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup eap_method eap_method
18 * @{ @ingroup eap
19 */
20
21 #ifndef EAP_METHOD_H_
22 #define EAP_METHOD_H_
23
24 typedef struct eap_method_t eap_method_t;
25 typedef enum eap_role_t eap_role_t;
26
27 #include <library.h>
28 #include <utils/identification.h>
29 #include <eap/eap.h>
30 #include <encoding/payloads/eap_payload.h>
31
32 /**
33 * Role of an eap_method, SERVER or PEER (client)
34 */
35 enum eap_role_t {
36 EAP_SERVER,
37 EAP_PEER,
38 };
39 /**
40 * enum names for eap_role_t.
41 */
42 extern enum_name_t *eap_role_names;
43
44 /**
45 * Interface of an EAP method for server and client side.
46 *
47 * An EAP method initiates an EAP exchange and processes requests and
48 * responses. An EAP method may need multiple exchanges before succeeding, and
49 * the eap_authentication may use multiple EAP methods to authenticate a peer.
50 * To accomplish these requirements, all EAP methods have their own
51 * implementation while the eap_authenticatior uses one or more of these
52 * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
53 * of the method, the eap_authenticator does this.
54 * An EAP method may establish a MSK, this is used the complete the
55 * authentication. Even if a mutual EAP method is used, the traditional
56 * AUTH payloads are required. Only these include the nonces and messages from
57 * ike_sa_init and therefore prevent man in the middle attacks.
58 * The EAP method must use an initial EAP identifier value != 0, as a preceding
59 * EAP-Identity exchange always uses identifier 0.
60 */
61 struct eap_method_t {
62
63 /**
64 * Initiate the EAP exchange.
65 *
66 * initiate() is only useable for server implementations, as clients only
67 * reply to server requests.
68 * A eap_payload is created in "out" if result is NEED_MORE.
69 *
70 * @param out eap_payload to send to the client
71 * @return
72 * - NEED_MORE, if an other exchange is required
73 * - FAILED, if unable to create eap request payload
74 */
75 status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
76
77 /**
78 * Process a received EAP message.
79 *
80 * A eap_payload is created in "out" if result is NEED_MORE.
81 *
82 * @param in eap_payload response received
83 * @param out created eap_payload to send
84 * @return
85 * - NEED_MORE, if an other exchange is required
86 * - FAILED, if EAP method failed
87 * - SUCCESS, if EAP method succeeded
88 */
89 status_t (*process) (eap_method_t *this, eap_payload_t *in,
90 eap_payload_t **out);
91
92 /**
93 * Get the EAP type implemented in this method.
94 *
95 * @param vendor pointer receiving vendor identifier for type, 0 for none
96 * @return type of the EAP method
97 */
98 eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);
99
100 /**
101 * Check if this EAP method authenticates the server.
102 *
103 * Some EAP methods provide mutual authentication and
104 * allow authentication using only EAP, if the peer supports it.
105 *
106 * @return TRUE if methods provides mutual authentication
107 */
108 bool (*is_mutual) (eap_method_t *this);
109
110 /**
111 * Get the MSK established by this EAP method.
112 *
113 * Not all EAP methods establish a shared secret. For implementations of
114 * the EAP-Identity method, get_msk() returns the received identity.
115 *
116 * @param msk chunk receiving internal stored MSK
117 * @return
118 * - SUCCESS, or
119 * - FAILED, if MSK not established (yet)
120 */
121 status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
122
123 /**
124 * Get the current EAP identifier.
125 *
126 * @return current EAP identifier
127 */
128 u_int8_t (*get_identifier) (eap_method_t *this);
129
130 /**
131 * Set the EAP identifier to a deterministic value, overwriting
132 * the randomly initialized default value.
133 *
134 * @param identifier current EAP identifier
135 */
136 void (*set_identifier) (eap_method_t *this, u_int8_t identifier);
137
138 /**
139 * Destroys a eap_method_t object.
140 */
141 void (*destroy) (eap_method_t *this);
142 };
143
144 /**
145 * Constructor definition for a pluggable EAP method.
146 *
147 * Each EAP module must define a constructor function which will return
148 * an initialized object with the methods defined in eap_method_t.
149 * Constructors for server and peers are identical, to support both roles
150 * of a EAP method, a plugin needs register two constructors in the
151 * eap_manager_t.
152 * The passed identites are of type ID_EAP and valid only during the
153 * constructor invocation.
154 *
155 * @param server ID of the server to use for credential lookup
156 * @param peer ID of the peer to use for credential lookup
157 * @return implementation of the eap_method_t interface
158 */
159 typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
160 identification_t *peer);
161
162 #endif /** EAP_METHOD_H_ @}*/