implemented server side support for EAP-TTLS
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 16 Aug 2010 14:40:24 +0000 (16:40 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 16 Aug 2010 14:44:13 +0000 (16:44 +0200)
src/libcharon/plugins/eap_ttls/Makefile.am
src/libcharon/plugins/eap_ttls/eap_ttls.c
src/libcharon/plugins/eap_ttls/eap_ttls.h
src/libcharon/plugins/eap_ttls/eap_ttls_avp.c [new file with mode: 0644]
src/libcharon/plugins/eap_ttls/eap_ttls_avp.h [new file with mode: 0644]
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/plugins/eap_ttls/eap_ttls_server.c [new file with mode: 0644]
src/libcharon/plugins/eap_ttls/eap_ttls_server.h [new file with mode: 0644]

index 47be979..94ce5cc 100644 (file)
@@ -12,7 +12,10 @@ libstrongswan_eap_ttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
 endif
 
 libstrongswan_eap_ttls_la_SOURCES = \
-       eap_ttls_plugin.h eap_ttls_plugin.c eap_ttls.h eap_ttls.c \
-       eap_ttls_peer.h eap_ttls_peer.c
+       eap_ttls_plugin.h eap_ttls_plugin.c \
+       eap_ttls_avp.h eap_ttls_avp.c \
+       eap_ttls.h eap_ttls.c \
+       eap_ttls_peer.h eap_ttls_peer.c \
+       eap_ttls_server.h eap_ttls_server.c
 
 libstrongswan_eap_ttls_la_LDFLAGS = -module -avoid-version
index dd24f40..ad3360d 100644 (file)
@@ -15,6 +15,7 @@
 
 #include "eap_ttls.h"
 #include "eap_ttls_peer.h"
+#include "eap_ttls_server.h"
 
 #include <tls.h>
 
@@ -424,8 +425,8 @@ METHOD(eap_method_t, destroy, void,
  * Generic private constructor
  */
 static eap_ttls_t *eap_ttls_create(identification_t *server,
-                                                                identification_t *peer, bool is_server,
-                                                                tls_application_t *application)
+                                                                  identification_t *peer, bool is_server,
+                                                                  tls_application_t *application)
 {
        private_eap_ttls_t *this;
 
@@ -447,13 +448,14 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 }
 
 eap_ttls_t *eap_ttls_create_server(identification_t *server,
-                                                                identification_t *peer)
+                                                                  identification_t *peer)
 {
-       return eap_ttls_create(server, peer, TRUE, NULL);
+       return eap_ttls_create(server, peer, TRUE,
+                                                  &eap_ttls_server_create(server, peer)->application);
 }
 
 eap_ttls_t *eap_ttls_create_peer(identification_t *server,
-                                                          identification_t *peer)
+                                                                identification_t *peer)
 {
        return eap_ttls_create(server, peer, FALSE,
                                                   &eap_ttls_peer_create(server, peer)->application);
index 74cc836..6e3bf2c 100644 (file)
@@ -44,7 +44,7 @@ struct eap_ttls_t {
  * @return                     eap_ttls_t object
  */
 eap_ttls_t *eap_ttls_create_server(identification_t *server,
-                                                                identification_t *peer);
+                                                                  identification_t *peer);
 
 /**
  * Creates the EAP method EAP-TTLS acting as peer.
@@ -54,6 +54,6 @@ eap_ttls_t *eap_ttls_create_server(identification_t *server,
  * @return                     eap_ttls_t object
  */
 eap_ttls_t *eap_ttls_create_peer(identification_t *server,
-                                                          identification_t *peer);
+                                                                identification_t *peer);
 
 #endif /** EAP_TTLS_H_ @}*/
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
new file mode 100644 (file)
index 0000000..2c840dd
--- /dev/null
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+
+#define AVP_EAP_MESSAGE                79
+
+typedef struct private_eap_ttls_avp_t private_eap_ttls_avp_t;
+
+/**
+ * Private data of an eap_ttls_avp_t object.
+ */
+struct private_eap_ttls_avp_t {
+
+       /**
+        * Public eap_ttls_avp_t interface.
+        */
+       eap_ttls_avp_t public;
+};
+
+METHOD(eap_ttls_avp_t, build, void,
+       private_eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data)
+{
+       char zero_padding[] = { 0x00, 0x00, 0x00 };
+       chunk_t   avp_padding;
+       u_int8_t  avp_flags;
+       u_int32_t avp_len;
+
+       avp_flags = 0x40;
+       avp_len = 8 + data.len;
+       avp_padding = chunk_create(zero_padding, (4 - data.len) % 4);
+
+       writer->write_uint32(writer, AVP_EAP_MESSAGE);
+       writer->write_uint8(writer, avp_flags);
+       writer->write_uint24(writer, avp_len);
+       writer->write_data(writer, data);
+       writer->write_data(writer, avp_padding);
+}
+
+METHOD(eap_ttls_avp_t, process, status_t,
+       private_eap_ttls_avp_t* this, tls_reader_t *reader, chunk_t *data)
+{
+       u_int32_t avp_code;
+       u_int8_t  avp_flags;
+       u_int32_t avp_len, data_len;
+
+       if (!reader->read_uint32(reader, &avp_code) ||
+               !reader->read_uint8(reader, &avp_flags) ||
+               !reader->read_uint24(reader, &avp_len))
+       {
+               DBG1(DBG_IKE, "received invalid AVP");
+               return FAILED;
+       }
+       if (avp_code != AVP_EAP_MESSAGE)
+       {
+               DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code);
+               return FAILED;
+       }
+       data_len = avp_len - 8;
+       if (!reader->read_data(reader, data_len + (4 - avp_len) % 4, data))
+       {
+               DBG1(DBG_IKE, "received insufficient AVP data");
+               return FAILED;
+       }
+       data->len = data_len;
+       return SUCCESS; 
+}
+
+METHOD(eap_ttls_avp_t, destroy, void,
+       private_eap_ttls_avp_t *this)
+{
+       free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void)
+{
+       private_eap_ttls_avp_t *this;
+
+       INIT(this,
+               .public= {
+                       .process = _process,
+                       .build = _build,
+                       .destroy = _destroy,
+               },
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.h
new file mode 100644 (file)
index 0000000..cad1d9c
--- /dev/null
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_avp eap_ttls_avp
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_AVP_H_
+#define EAP_TTLS_AVP_H_
+
+typedef struct eap_ttls_avp_t eap_ttls_avp_t;
+
+#include <library.h>
+
+#include <tls_reader.h>
+#include <tls_writer.h>
+
+/**
+ * EAP-TTLS Attribute-Value Pair (AVP) handler.
+ */
+struct eap_ttls_avp_t {
+
+       /**
+        * Process received EAP-TTLS EAP Message AVP.
+        *
+        * @param reader        TLS data buffer
+        * @param data          received EAP Message
+        * @return
+        *                                      - SUCCESS if AVP processing succeeded
+        *                                      - FAILED if AVP processing failed
+        *                                      - NEED_MORE if another invocation of process/build needed
+        */
+       status_t (*process)(eap_ttls_avp_t *this, tls_reader_t *reader,
+                                               chunk_t *data);
+
+       /**
+        * Build EAP-TTLS EAP Message AVP to send out.
+        *
+        * @param writer        TLS data buffer to write to
+        * @param data          EAP Message to send
+        */
+       void (*build)(eap_ttls_avp_t *this, tls_writer_t *writer, chunk_t data);
+
+       /**
+        * Destroy a eap_ttls_application_t.
+        */
+       void (*destroy)(eap_ttls_avp_t *this);
+};
+
+/**
+ * Create an eap_ttls_avp instance.
+ */
+eap_ttls_avp_t *eap_ttls_avp_create(void);
+
+#endif /** EAP_TTLS_AVP_H_ @}*/
index 566a75d..b47ed93 100644 (file)
  */
 
 #include "eap_ttls_peer.h"
+#include "eap_ttls_avp.h"
 
 #include <debug.h>
 #include <daemon.h>
 
 #include <sa/authenticators/eap/eap_method.h>
 
-#define AVP_EAP_MESSAGE                79
-
 typedef struct private_eap_ttls_peer_t private_eap_ttls_peer_t;
 
 /**
@@ -58,59 +57,12 @@ struct private_eap_ttls_peer_t {
      * Pending outbound EAP message 
         */
        eap_payload_t *out;
-};
-
-/**
- * Send an EAP-Message Attribute-Value Pair
- */
-static void send_avp_eap_message(tls_writer_t *writer, chunk_t data)
-{
-       char zero_padding[] = { 0x00, 0x00, 0x00 };
-       chunk_t   avp_padding;
-       u_int8_t  avp_flags;
-       u_int32_t avp_len;
-
-       avp_flags = 0x40;
-       avp_len = 8 + data.len;
-       avp_padding = chunk_create(zero_padding, (4 - data.len) % 4);
-
-       writer->write_uint32(writer, AVP_EAP_MESSAGE);
-       writer->write_uint8(writer, avp_flags);
-       writer->write_uint24(writer, avp_len);
-       writer->write_data(writer, data);
-       writer->write_data(writer, avp_padding);
-}
 
-/**
- * Process an EAP-Message Attribute-Value Pair
- */
-static status_t process_avp_eap_message(tls_reader_t *reader, chunk_t *data)
-{
-       u_int32_t avp_code;
-       u_int8_t  avp_flags;
-       u_int32_t avp_len, data_len;
-
-       if (!reader->read_uint32(reader, &avp_code) ||
-               !reader->read_uint8(reader, &avp_flags) ||
-               !reader->read_uint24(reader, &avp_len))
-       {
-               DBG1(DBG_IKE, "received invalid AVP");
-               return FAILED;
-       }
-       if (avp_code != AVP_EAP_MESSAGE)
-       {
-               DBG1(DBG_IKE, "expected AVP_EAP_MESSAGE but received %u", avp_code);
-               return FAILED;
-       }
-       data_len = avp_len - 8;
-       if (!reader->read_data(reader, data_len + (4 - avp_len) % 4, data))
-       {
-               DBG1(DBG_IKE, "received insufficient AVP data");
-               return FAILED;
-       }
-       data->len = data_len;
-       return SUCCESS; 
-}
+       /**
+        * AVP handler
+        */
+       eap_ttls_avp_t *avp;
+};
 
 METHOD(tls_application_t, process, status_t,
        private_eap_ttls_peer_t *this, tls_reader_t *reader)
@@ -120,10 +72,10 @@ METHOD(tls_application_t, process, status_t,
        payload_t *payload;
        eap_payload_t *in;
        eap_code_t code;
-       eap_type_t type;
-       u_int32_t vendor;
+       eap_type_t type, received_type;
+       u_int32_t vendor, received_vendor;
 
-       status = process_avp_eap_message(reader, &data);
+       status = this->avp->process(this->avp, reader, &data);
        if (status == FAILED)
        {
                return FAILED;
@@ -137,37 +89,36 @@ METHOD(tls_application_t, process, status_t,
                return FAILED;
        }
        code = in->get_code(in);
-       type = in->get_type(in, &vendor);
+       received_type = in->get_type(in, &received_vendor);
        DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
-                                  eap_code_short_names, code, eap_type_short_names, type);
-
+                                                       eap_code_short_names, code,
+                                                       eap_type_short_names, received_type);
        if (code != EAP_REQUEST)
        {
+               DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_REQUEST);
                in->destroy(in);
                return FAILED;
        }
 
        if (this->method == NULL)
        {
-               if (vendor)
+               if (received_vendor)
                {
                        DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
-                                type, vendor);
+                                received_type, received_vendor);
                }
                else
                {
                        DBG1(DBG_IKE, "server requested %N authentication",
-                                eap_type_names, type);
+                                eap_type_names, received_type);
                }
-               this->method = charon->eap->create_instance(charon->eap, type, vendor,
+               this->method = charon->eap->create_instance(charon->eap,
+                                                                       received_type, received_vendor,
                                                                        EAP_PEER, this->server, this->peer);
                if (!this->method)
                {
-                       u_int8_t identifier = in->get_identifier(in);
-
-                       DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
-                       in->destroy(in);
-                       this->out = eap_payload_create_nak(identifier);
+                       DBG1(DBG_IKE, "EAP method not supported");
+                       this->out = eap_payload_create_nak(in->get_identifier(in));
                        in->destroy(in);
                        return NEED_MORE;
                }
@@ -175,6 +126,13 @@ METHOD(tls_application_t, process, status_t,
                
        type = this->method->get_type(this->method, &vendor);
 
+       if (type != received_type || vendor != received_vendor)
+       {
+               DBG1(DBG_IKE, "received invalid EAP request");
+               in->destroy(in);
+               return FAILED;
+       }
+
        if (this->method->process(this->method, in, &this->out) == NEED_MORE)
        {
                in->destroy(in);
@@ -226,7 +184,7 @@ METHOD(tls_application_t, build, status_t,
 
                /* get the raw EAP message data */
                data = this->out->get_data(this->out);
-               send_avp_eap_message(writer, data);
+               this->avp->build(this->avp, writer, data);
 
                this->out->destroy(this->out);
                this->out = NULL;
@@ -241,6 +199,7 @@ METHOD(tls_application_t, destroy, void,
        this->peer->destroy(this->peer);
        DESTROY_IF(this->method);
        DESTROY_IF(this->out);
+       this->avp->destroy(this->avp);
        free(this);
 }
 
@@ -263,6 +222,7 @@ eap_ttls_peer_t *eap_ttls_peer_create(identification_t *server,
                .start_phase2 = TRUE,
                .method = NULL,
                .out = NULL,
+               .avp = eap_ttls_avp_create(),
        );
 
        return &this->public;
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.c b/src/libcharon/plugins/eap_ttls/eap_ttls_server.c
new file mode 100644 (file)
index 0000000..45fc794
--- /dev/null
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_ttls_server.h"
+#include "eap_ttls_avp.h"
+
+#include <debug.h>
+#include <daemon.h>
+
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
+
+/**
+ * Private data of an eap_ttls_server_t object.
+ */
+struct private_eap_ttls_server_t {
+
+       /**
+        * Public eap_ttls_server_t interface.
+        */
+       eap_ttls_server_t public;
+
+       /**
+        * Server identity
+        */
+       identification_t *server;
+
+       /**
+        * Peer identity
+        */
+       identification_t *peer;
+
+       /**
+        * Current EAP-TTLS state
+        */
+       bool start_phase2;
+
+       /**
+     * Current phase 2 EAP method 
+        */
+       eap_method_t *method;
+
+       /**
+     * Pending outbound EAP message 
+        */
+       eap_payload_t *out;
+
+       /**
+        * AVP handler
+        */
+       eap_ttls_avp_t *avp;
+};
+
+METHOD(tls_application_t, process, status_t,
+       private_eap_ttls_server_t *this, tls_reader_t *reader)
+{
+       chunk_t data;
+       status_t status;
+       payload_t *payload;
+       eap_payload_t *in;
+       eap_code_t code;
+       eap_type_t type, received_type;
+       u_int32_t vendor, received_vendor;
+
+       status = this->avp->process(this->avp, reader, &data);
+       if (status == FAILED)
+       {
+               return FAILED;
+       }
+       in = eap_payload_create_data(data);
+       payload = (payload_t*)in;
+
+       if (payload->verify(payload) != SUCCESS)
+       {
+               in->destroy(in);
+               return FAILED;
+       }
+       code = in->get_code(in);
+       received_type = in->get_type(in, &received_vendor);
+       DBG1(DBG_IKE, "received tunneled EAP-TTLS AVP [EAP/%N/%N]",
+                                                       eap_code_short_names, code,
+                                                       eap_type_short_names, received_type);
+       if (code != EAP_RESPONSE)
+       {
+               DBG1(DBG_IKE, "%N expected", eap_code_names, EAP_RESPONSE);
+               in->destroy(in);
+               return FAILED;
+       }
+
+       if (this->method)
+       {
+               type = this->method->get_type(this->method, &vendor);
+
+               if (type != received_type || vendor != received_vendor)
+               {
+                       if (received_vendor == 0 && received_type == EAP_NAK)
+                       {
+                               DBG1(DBG_IKE, "peer does not support %N", eap_type_names, type);
+                       }
+                       else
+                       {
+                               DBG1(DBG_IKE, "received invalid EAP response");
+                       }
+                       in->destroy(in);
+                       return FAILED;
+               }
+       }
+               
+       if (!received_vendor && received_type == EAP_IDENTITY)
+       {
+               chunk_t eap_id;
+               char * eap_type_str;
+
+               if (this->method == NULL)
+               {
+                       /* Received an EAP Identity response without a matching request */
+                       this->method = charon->eap->create_instance(charon->eap,
+                                                                                        EAP_IDENTITY, 0, EAP_SERVER,
+                                                                                        this->server, this->peer);
+                       if (this->method == NULL)
+                       {
+                               DBG1(DBG_IKE, "%N method not available",
+                                                          eap_type_names, EAP_IDENTITY);
+                               return FAILED;
+                       }
+               }
+
+               if (this->method->process(this->method, in, &this->out) != SUCCESS)
+               {
+
+                       DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_IDENTITY);
+                       return FAILED;
+               }
+
+               if (this->method->get_msk(this->method, &eap_id) == SUCCESS)
+               {
+                       this->peer->destroy(this->peer);
+                       this->peer = identification_create_from_data(eap_id);
+                       DBG1(DBG_IKE, "received EAP identity '%Y'", this->peer);
+               }
+
+               in->destroy(in);
+               this->method->destroy(this->method);
+               this->method = NULL;
+
+               /* Start Phase 2 of EAP-TTLS authentication */
+               eap_type_str = lib->settings->get_str(lib->settings,
+                                                       "charon.plugins.eap-ttls.phase2_method", "md5");
+               type = eap_type_from_string(eap_type_str);
+               if (type == 0)
+               {
+                       DBG1(DBG_IKE, "unrecognized phase2 method \"%s\"", eap_type_str);
+                       return FAILED;
+               }
+               DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+
+               this->method = charon->eap->create_instance(charon->eap, type, 0,
+                                                                       EAP_SERVER, this->server, this->peer);
+               if (this->method == NULL)
+               {
+                       DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
+                       return FAILED;
+               }
+               if (this->method->initiate(this->method, &this->out) == NEED_MORE)
+               {
+                       return NEED_MORE;
+               }
+               else
+               {
+                       DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+                       return FAILED;
+               }
+       }
+               
+       if (this->method == 0)
+       {
+               DBG1(DBG_IKE, "no %N phase2 method installed", eap_type_names, EAP_TTLS);
+               in->destroy(in);
+               return FAILED;
+       }
+
+       status = this->method->process(this->method, in, &this->out);
+       in->destroy(in);
+       
+       switch (status)
+       {
+               case SUCCESS:
+                       DBG1(DBG_IKE, "%N phase2 authentication of '%Y' with %N successful",
+                                                       eap_type_names, EAP_TTLS, this->peer,
+                                                       eap_type_names, type);
+                       break;
+               case NEED_MORE:
+                       break;
+               case FAILED:
+               default:
+                       DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
+       }               
+       return status;
+}
+
+METHOD(tls_application_t, build, status_t,
+       private_eap_ttls_server_t *this, tls_writer_t *writer)
+{
+       chunk_t data;
+       eap_code_t code;
+       eap_type_t type;
+       u_int32_t vendor;
+
+       if (this->out)
+       {
+               code = this->out->get_code(this->out);
+               type = this->out->get_type(this->out, &vendor);
+               DBG1(DBG_IKE, "sending tunneled EAP-TTLS AVP [EAP/%N/%N]",
+                                               eap_code_short_names, code, eap_type_short_names, type);
+
+               /* get the raw EAP message data */
+               data = this->out->get_data(this->out);
+               this->avp->build(this->avp, writer, data);
+
+               this->out->destroy(this->out);
+               this->out = NULL;
+       }
+       return INVALID_STATE;
+}
+
+METHOD(tls_application_t, destroy, void,
+       private_eap_ttls_server_t *this)
+{
+       this->server->destroy(this->server);
+       this->peer->destroy(this->peer);
+       DESTROY_IF(this->method);
+       DESTROY_IF(this->out);
+       this->avp->destroy(this->avp);
+       free(this);
+}
+
+/**
+ * See header
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+                                                                                 identification_t *peer)
+{
+       private_eap_ttls_server_t *this;
+
+       INIT(this,
+               .public.application = {
+                       .process = _process,
+                       .build = _build,
+                       .destroy = _destroy,
+               },
+               .server = server->clone(server),
+               .peer = peer->clone(peer),
+               .start_phase2 = TRUE,
+               .method = NULL,
+               .out = NULL,
+               .avp = eap_ttls_avp_create(),
+       );
+
+       return &this->public;
+}
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_server.h b/src/libcharon/plugins/eap_ttls/eap_ttls_server.h
new file mode 100644 (file)
index 0000000..a66a813
--- /dev/null
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_ttls_server eap_ttls_server
+ * @{ @ingroup eap_ttls
+ */
+
+#ifndef EAP_TTLS_SERVER_H_
+#define EAP_TTLS_SERVER_H_
+
+typedef struct eap_ttls_server_t eap_ttls_server_t;
+
+#include "tls_application.h"
+
+#include <library.h>
+
+/**
+ * TLS application data handler as server.
+ */
+struct eap_ttls_server_t {
+
+       /**
+        * Implements the TLS application data handler.
+        */
+       tls_application_t application;
+};
+
+/**
+ * Create an eap_ttls_server instance.
+ */
+eap_ttls_server_t *eap_ttls_server_create(identification_t *server,
+                                                                                 identification_t *peer);
+
+#endif /** EAP_TTLS_SERVER_H_ @}*/