Return to eap_method.h CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / eap |
1.1 misho 1: /* 2: * Copyright (C) 2006 Martin Willi 3: * HSR Hochschule fuer Technik Rapperswil 4: * 5: * This program is free software; you can redistribute it and/or modify it 6: * under the terms of the GNU General Public License as published by the 7: * Free Software Foundation; either version 2 of the License, or (at your 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 9: * 10: * This program is distributed in the hope that it will be useful, but 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13: * for more details. 14: */ 15: 16: /** 17: * @defgroup eap_method eap_method 18: * @{ @ingroup eap 19: */ 20: 21: #ifndef EAP_METHOD_H_ 22: #define EAP_METHOD_H_ 23: 24: typedef struct eap_method_t eap_method_t; 25: typedef enum eap_role_t eap_role_t; 26: 27: #include <library.h> 28: #include <plugins/plugin.h> 29: #include <utils/identification.h> 30: #include <eap/eap.h> 31: #include <encoding/payloads/eap_payload.h> 32: 33: /** 34: * Role of an eap_method, SERVER or PEER (client) 35: */ 36: enum eap_role_t { 37: EAP_SERVER, 38: EAP_PEER, 39: }; 40: /** 41: * enum names for eap_role_t. 42: */ 43: extern enum_name_t *eap_role_names; 44: 45: /** 46: * Interface of an EAP method for server and client side. 47: * 48: * An EAP method initiates an EAP exchange and processes requests and 49: * responses. An EAP method may need multiple exchanges before succeeding, and 50: * the eap_authentication may use multiple EAP methods to authenticate a peer. 51: * To accomplish these requirements, all EAP methods have their own 52: * implementation while the eap_authenticator uses one or more of these 53: * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job 54: * of the method, the eap_authenticator does this. 55: * An EAP method may establish a MSK, this is used the complete the 56: * authentication. Even if a mutual EAP method is used, the traditional 57: * AUTH payloads are required. Only these include the nonces and messages from 58: * ike_sa_init and therefore prevent man in the middle attacks. 59: * The EAP method must use an initial EAP identifier value != 0, as a preceding 60: * EAP-Identity exchange always uses identifier 0. 61: */ 62: struct eap_method_t { 63: 64: /** 65: * Initiate the EAP exchange. 66: * 67: * initiate() is only usable for server implementations, as clients only 68: * reply to server requests. 69: * A eap_payload is created in "out" if result is NEED_MORE. 70: * 71: * @param out eap_payload to send to the client 72: * @return 73: * - NEED_MORE, if an other exchange is required 74: * - FAILED, if unable to create eap request payload 75: */ 76: status_t (*initiate) (eap_method_t *this, eap_payload_t **out); 77: 78: /** 79: * Process a received EAP message. 80: * 81: * A eap_payload is created in "out" if result is NEED_MORE. 82: * 83: * @param in eap_payload response received 84: * @param out created eap_payload to send 85: * @return 86: * - NEED_MORE, if an other exchange is required 87: * - FAILED, if EAP method failed 88: * - SUCCESS, if EAP method succeeded 89: */ 90: status_t (*process) (eap_method_t *this, eap_payload_t *in, 91: eap_payload_t **out); 92: 93: /** 94: * Get the EAP type implemented in this method. 95: * 96: * @param vendor pointer receiving vendor identifier for type, 0 for none 97: * @return type of the EAP method 98: */ 99: eap_type_t (*get_type) (eap_method_t *this, uint32_t *vendor); 100: 101: /** 102: * Check if this EAP method authenticates the server. 103: * 104: * Some EAP methods provide mutual authentication and 105: * allow authentication using only EAP, if the peer supports it. 106: * 107: * @return TRUE if methods provides mutual authentication 108: */ 109: bool (*is_mutual) (eap_method_t *this); 110: 111: /** 112: * Get the MSK established by this EAP method. 113: * 114: * Not all EAP methods establish a shared secret. For implementations of 115: * the EAP-Identity method, get_msk() returns the received identity. 116: * 117: * @param msk chunk receiving internal stored MSK 118: * @return 119: * - SUCCESS, or 120: * - FAILED, if MSK not established (yet) 121: */ 122: status_t (*get_msk) (eap_method_t *this, chunk_t *msk); 123: 124: /** 125: * Get the current EAP identifier. 126: * 127: * @return current EAP identifier 128: */ 129: uint8_t (*get_identifier) (eap_method_t *this); 130: 131: /** 132: * Set the EAP identifier to a deterministic value, overwriting 133: * the randomly initialized default value. 134: * 135: * @param identifier current EAP identifier 136: */ 137: void (*set_identifier) (eap_method_t *this, uint8_t identifier); 138: 139: /** 140: * Get authentication details performed by this EAP method. 141: * 142: * After EAP completion, the auth data contains additional information 143: * of the authentication process, used certificates etc. 144: * This method is optional to implement, but if it is, it must return 145: * a valid auth_cfg. 146: * 147: * @return auth method, internal data 148: */ 149: auth_cfg_t* (*get_auth)(eap_method_t *this); 150: 151: /** 152: * Destroys a eap_method_t object. 153: */ 154: void (*destroy) (eap_method_t *this); 155: }; 156: 157: /** 158: * Constructor definition for a pluggable EAP method. 159: * 160: * Each EAP module must define a constructor function which will return 161: * an initialized object with the methods defined in eap_method_t. 162: * Constructors for server and peers are identical, to support both roles 163: * of a EAP method, a plugin needs register two constructors in the 164: * eap_manager_t. 165: * The passed identities are of type ID_EAP and valid only during the 166: * constructor invocation. 167: * 168: * @param server ID of the server to use for credential lookup 169: * @param peer ID of the peer to use for credential lookup 170: * @return implementation of the eap_method_t interface 171: */ 172: typedef eap_method_t *(*eap_constructor_t)(identification_t *server, 173: identification_t *peer); 174: 175: /** 176: * Helper function to (un-)register EAP methods from plugin features. 177: * 178: * This function is a plugin_feature_callback_t and can be used with the 179: * PLUGIN_CALLBACK macro to register a EAP method constructor. 180: * 181: * @param plugin plugin registering the EAP method constructor 182: * @param feature associated plugin feature 183: * @param reg TRUE to register, FALSE to unregister. 184: * @param data data passed to callback, an eap_constructor_t 185: */ 186: bool eap_method_register(plugin_t *plugin, plugin_feature_t *feature, 187: bool reg, void *data); 188: 189: #endif /** EAP_METHOD_H_ @}*/