| 1 | /*
| 2 | * Copyright (C) 2006 Martin Willi |
| 3 | * Hochschule fuer Technik Rapperswil |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License as published by the |
| 7 | * Free Software Foundation; either version 2 of the License, or (at your |
| 8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| 9 | * |
| 10 | * This program is distributed in the hope that it will be useful, but |
| 11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| 12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 13 | * for more details. |
| 14 | */ |
| 15 | |
| 16 | /**
|
| 17 | * @defgroup eap_method eap_method |
| 18 | * @{ @ingroup eap
|
| 19 | */ |
| 20 | |
| 21 | #ifndef EAP_METHOD_H_
|
| 22 | #define EAP_METHOD_H_
|
| 23 | |
/* Forward typedefs, deliberately placed before the includes below;
 * presumably the included headers (e.g. eap_payload.h) refer to these
 * names, so they must be visible first. The definitions follow later in
 * this header. */
typedef struct eap_method_t eap_method_t;
typedef enum eap_role_t eap_role_t;
typedef enum eap_type_t eap_type_t;
typedef enum eap_code_t eap_code_t;
| 28 | |
| 29 | #include <library.h> |
| 30 | #include <utils/identification.h> |
| 31 | #include <encoding/payloads/eap_payload.h> |
| 32 | |
| 33 | /**
|
| 34 | * Role of an eap_method, SERVER or PEER (client) |
| 35 | */ |
enum eap_role_t {
	/* Authenticator side: creates requests and starts the exchange
	 * (see initiate() in eap_method_t). Explicit values keep the
	 * numbering identical to the original implicit one. */
	EAP_SERVER = 0,
	/* Supplicant/client side: only replies to server requests. */
	EAP_PEER = 1,
};
| 40 | /**
|
| 41 | * enum names for eap_role_t. |
| 42 | */ |
| 43 | extern enum_name_t *eap_role_names;
|
| 44 | |
| 45 | /**
|
| 46 | * EAP types, defines the EAP method implementation |
| 47 | */ |
enum eap_type_t {
	/* Method type numbers as carried in the Type byte of EAP
	 * Request/Response messages; the standard values follow the IANA EAP
	 * method type registry. The Type byte of a received message can hold
	 * any value 0..255, so code comparing against this enum must handle
	 * values that are not listed here. */
	EAP_IDENTITY = 1,
	EAP_NOTIFICATION = 2,
	EAP_NAK = 3,
	EAP_MD5 = 4,
	EAP_OTP = 5,
	EAP_GTC = 6,
	EAP_SIM = 18,
	EAP_AKA = 23,
	EAP_MSCHAPV2 = 26,
	/** not a method, but an implementation providing different methods */
	/* NOTE(review): 253 looks like a local pseudo-type for the RADIUS
	 * backend; presumably it never has to match the Type byte of a
	 * received message — confirm against the RADIUS implementation. */
	EAP_RADIUS = 253,
	/* Expanded type: the actual method is identified by a vendor ID plus
	 * a vendor-specific type, cf. the vendor argument of get_type(). */
	EAP_EXPANDED = 254,
	EAP_EXPERIMENTAL = 255,
};
| 63 | |
| 64 | /**
|
| 65 | * enum names for eap_type_t. |
| 66 | */ |
| 67 | extern enum_name_t *eap_type_names;
|
| 68 | |
| 69 | /**
|
| 70 | * short string enum names for eap_type_t. |
| 71 | */ |
| 72 | extern enum_name_t *eap_type_short_names;
|
| 73 | |
| 74 | /**
|
| 75 | * Lookup the EAP method type from a string. |
| 76 | * |
| 77 | * @param name EAP method name (such as "md5", "aka") |
| 78 | * @return method type, 0 if unknown |
| 79 | */ |
/* NOTE(review): name is presumably only read, so a const char * parameter
 * would document that; the definition in the .c file would need the same
 * change. A return of 0 is the "unknown" sentinel and is not a valid
 * eap_type_t value, so callers must check for it before use. */
eap_type_t eap_type_from_string(char *name);
|
| 81 | |
| 82 | /**
|
| 83 | * EAP code, type of an EAP message |
| 84 | */ |
enum eap_code_t {
	/** sent by the server side; carries a type byte and method data */
	EAP_REQUEST = 1,
	/** sent by the peer in reply to a request */
	EAP_RESPONSE = 2,
	/** terminates the exchange; sent by the eap_authenticator, not by a
	 * method implementation (see eap_method_t below) */
	EAP_SUCCESS = 3,
	EAP_FAILURE = 4,
	/* Any other code byte in a received message is invalid and should be
	 * rejected rather than mapped onto one of these values. */
};
| 91 | |
| 92 | /**
|
| 93 | * enum names for eap_code_t. |
| 94 | */ |
| 95 | extern enum_name_t *eap_code_names;
|
| 96 | |
| 97 | /**
|
| 98 | * short string enum names for eap_code_t. |
| 99 | */ |
| 100 | extern enum_name_t *eap_code_short_names;
|
| 101 | |
| 102 | /**
|
| 103 | * Interface of an EAP method for server and client side. |
| 104 | * |
| 105 | * An EAP method initiates an EAP exchange and processes requests and |
| 106 | * responses. An EAP method may need multiple exchanges before succeeding, and |
| 107 | * the eap_authentication may use multiple EAP methods to authenticate a peer. |
| 108 | * To accomplish these requirements, all EAP methods have their own |
| 109 | * implementation while the eap_authenticator uses one or more of these |
| 110 | * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job |
| 111 | * of the method, the eap_authenticator does this. |
| 112 | * An EAP method may establish an MSK; this is used to complete the |
| 113 | * authentication. Even if a mutual EAP method is used, the traditional |
| 114 | * AUTH payloads are required. Only these include the nonces and messages from |
| 115 | * ike_sa_init and therefore prevent man-in-the-middle attacks. |
| 116 | * The EAP method must use an initial EAP identifier value != 0, as a preceding |
| 117 | * EAP-Identity exchange always uses identifier 0. |
| 118 | */ |
struct eap_method_t {

	/**
	 * Initiate the EAP exchange.
	 *
	 * initiate() is only usable for server implementations, as clients only
	 * reply to server requests.
	 * An eap_payload is created in "out" if result is NEED_MORE.
	 * NOTE(review): ownership of the created payload is not stated here;
	 * presumably it passes to the caller — confirm against the
	 * eap_authenticator.
	 *
	 * @param out		eap_payload to send to the client
	 * @return
	 *					- NEED_MORE, if another exchange is required
	 *					- FAILED, if unable to create eap request payload
	 */
	status_t (*initiate) (eap_method_t *this, eap_payload_t **out);

	/**
	 * Process a received EAP message.
	 *
	 * An eap_payload is created in "out" if result is NEED_MORE.
	 * "in" was received from the remote side, so an implementation must
	 * validate its code, type and length fields before relying on them and
	 * return FAILED for anything malformed or unexpected.
	 *
	 * @param in		eap_payload response received
	 * @param out		created eap_payload to send
	 * @return
	 *					- NEED_MORE, if another exchange is required
	 *					- FAILED, if EAP method failed
	 *					- SUCCESS, if EAP method succeeded
	 */
	status_t (*process) (eap_method_t *this, eap_payload_t *in,
						 eap_payload_t **out);

	/**
	 * Get the EAP type implemented in this method.
	 *
	 * @param vendor	pointer receiving vendor identifier for type, 0 for none
	 * @return			type of the EAP method
	 */
	eap_type_t (*get_type) (eap_method_t *this, u_int32_t *vendor);

	/**
	 * Check if this EAP method authenticates the server.
	 *
	 * Some EAP methods provide mutual authentication and
	 * allow authentication using only EAP, if the peer supports it.
	 * Even then the AUTH payloads covering the ike_sa_init exchange are
	 * still required (see the description of eap_method_t above).
	 *
	 * @return			TRUE if the method provides mutual authentication
	 */
	bool (*is_mutual) (eap_method_t *this);

	/**
	 * Get the MSK established by this EAP method.
	 *
	 * Not all EAP methods establish a shared secret. For implementations of
	 * the EAP-Identity method, get_msk() returns the received identity.
	 * That identity is peer-supplied data, not key material; presumably it
	 * is only meant for credential lookup and must not be used as a key.
	 *
	 * @param msk		chunk receiving internal stored MSK
	 * @return
	 *					- SUCCESS, or
	 *					- FAILED, if MSK not established (yet)
	 */
	status_t (*get_msk) (eap_method_t *this, chunk_t *msk);

	/**
	 * Destroys an eap_method_t object.
	 */
	void (*destroy) (eap_method_t *this);
};
| 186 | |
| 187 | /**
|
| 188 | * Constructor definition for a pluggable EAP method. |
| 189 | * |
| 190 | * Each EAP module must define a constructor function which will return |
| 191 | * an initialized object with the methods defined in eap_method_t. |
| 192 | * Constructors for server and peers are identical, to support both roles |
| 193 | * of an EAP method, a plugin needs to register two constructors in the |
| 194 | * eap_manager_t. |
| 195 | * The passed identities are of type ID_EAP and valid only during the |
| 196 | * constructor invocation. |
| 197 | * |
| 198 | * @param server ID of the server to use for credential lookup |
| 199 | * @param peer ID of the peer to use for credential lookup |
| 200 | * @return implementation of the eap_method_t interface |
| 201 | */ |
/* NOTE(review): as stated above, server and peer are only valid during the
 * constructor call; an implementation that needs them afterwards must clone
 * them rather than keep the pointers (otherwise they dangle). */
typedef eap_method_t *(*eap_constructor_t)(identification_t *server,
										   identification_t *peer);
| 204 | |
| 205 | #endif /** EAP_METHOD_H_ @}*/ |