[thirdparty/strongswan.git] / src / libcharon / sa / ikev2 / authenticators / eap_authenticator.h

/*
 * Copyright (C) 2006-2009 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup eap_authenticator eap_authenticator
 * @{ @ingroup authenticators_v2
 */

#ifndef EAP_AUTHENTICATOR_H_
#define EAP_AUTHENTICATOR_H_

typedef struct eap_authenticator_t eap_authenticator_t;

#include <sa/authenticator.h>

/**
 * Implementation of authenticator_t using EAP authentication.
 *
 * Authentication using EAP involves the most complex authenticator. It stays
 * alive over multiple ike_auth transactions and handles multiple EAP
 * messages.
 *
 * @verbatim
                          ike_sa_init
                   ------------------------->
                   <-------------------------
                 followed by multiple ike_auth:

     +--------+                                +--------+
     |  EAP   |       IDi, [IDr,] SA, TS       |  EAP   |
     | client |  --------------------------->  | server |
     |        |          ID, AUTH, EAP         |        |
     |        |  <---------------------------  |        |
     |        |              EAP               |        |
     |        |  --------------------------->  |        |
     |        |              EAP               |        |
     |        |  <---------------------------  |        |
     |        |              EAP               |        |
     |        |  --------------------------->  |        |
     |        |           EAP(SUCCESS)         |        |
     |        |  <---------------------------  |        |
     |        |              AUTH              |        |  If EAP establishes
     |        |  --------------------------->  |        |  a session key, AUTH
     |        |          AUTH, SA, TS          |        |  payloads use this
     |        |  <---------------------------  |        |  key, not SK_pi/pr
     +--------+                                +--------+

   @endverbatim
 */
struct eap_authenticator_t {

	/**
	 * Implemented authenticator_t interface.
	 */
	authenticator_t authenticator;
};

/**
 * Create an authenticator to authenticate against an EAP server.
 *
 * @param ike_sa			associated ike_sa
 * @param received_nonce	nonce received in IKE_SA_INIT
 * @param sent_nonce		nonce sent in IKE_SA_INIT
 * @param received_init		received IKE_SA_INIT message data
 * @param sent_init			sent IKE_SA_INIT message data
 * @param reserved			reserved bytes of ID payload
 * @return					EAP authenticator
 */
eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
									chunk_t received_nonce, chunk_t sent_nonce,
									chunk_t received_init, chunk_t sent_init,
									char reserved[3]);

/**
 * Create an authenticator to authenticate EAP clients.
 *
 * @param ike_sa			associated ike_sa
 * @param received_nonce	nonce received in IKE_SA_INIT
 * @param sent_nonce		nonce sent in IKE_SA_INIT
 * @param received_init		received IKE_SA_INIT message data
 * @param sent_init			sent IKE_SA_INIT message data
 * @param reserved			reserved bytes of ID payload
 * @return					EAP authenticator
 */
eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
									chunk_t received_nonce, chunk_t sent_nonce,
									chunk_t received_init, chunk_t sent_init,
									char reserved[3]);

#endif /** EAP_AUTHENTICATOR_H_ @}*/
Commit	Line	Data
f27f6296	1	/*
a44bb934	2	* Copyright (C) 2006-2009 Martin Willi
19ef2aec TB	3	*
19ef2aec TB	4	* Copyright (C) secunet Security Networks AG
f27f6296 MW	5	*
	6	* This program is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2 of the License, or (at your
	9	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	10	*
	11	* This program is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	13	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	14	* for more details.
552cc11b MW	15	*/
	16
	17	/**
	18	* @defgroup eap_authenticator eap_authenticator
22bf44c8	19	* @{ @ingroup authenticators_v2
f27f6296 MW	20	*/
	21
	22	#ifndef EAP_AUTHENTICATOR_H_
	23	#define EAP_AUTHENTICATOR_H_
	24
	25	typedef struct eap_authenticator_t eap_authenticator_t;
	26
15a682f4	27	#include <sa/authenticator.h>
f27f6296 MW	28
f27f6296 MW	29	/**
a44bb934	30	* Implementation of authenticator_t using EAP authentication.
f27f6296 MW	31	*
	32	* Authentication using EAP involves the most complex authenticator. It stays
	33	* alive over multiple ike_auth transactions and handles multiple EAP
	34	* messages.
f27f6296 MW	35	*
	36	* @verbatim
	37	ike_sa_init
	38	------------------------->
	39	<-------------------------
	40	followed by multiple ike_auth:
	41
	42	+--------+ +--------+
a44bb934	43	\| EAP \| IDi, [IDr,] SA, TS \| EAP \|
f27f6296	44	\| client \| ---------------------------> \| server \|
a44bb934 MW	45	\| \| ID, AUTH, EAP \| \|
	46	\| \| <--------------------------- \| \|
	47	\| \| EAP \| \|
	48	\| \| ---------------------------> \| \|
f27f6296 MW	49	\| \| EAP \| \|
	50	\| \| <--------------------------- \| \|
	51	\| \| EAP \| \|
	52	\| \| ---------------------------> \| \|
	53	\| \| EAP(SUCCESS) \| \|
	54	\| \| <--------------------------- \| \|
	55	\| \| AUTH \| \| If EAP establishes
	56	\| \| ---------------------------> \| \| a session key, AUTH
	57	\| \| AUTH, SA, TS \| \| payloads use this
	58	\| \| <--------------------------- \| \| key, not SK_pi/pr
	59	+--------+ +--------+
	60
	61	@endverbatim
f27f6296 MW	62	*/
	63	struct eap_authenticator_t {
	64
	65	/**
	66	* Implemented authenticator_t interface.
	67	*/
a44bb934	68	authenticator_t authenticator;
f27f6296 MW	69	};
	70
	71	/**
a44bb934	72	* Create an authenticator to authenticate against an EAP server.
f27f6296	73	*
a44bb934 MW	74	* @param ike_sa associated ike_sa
a44bb934 MW	75	* @param received_nonce nonce received in IKE_SA_INIT
25f2d52f MW	76	* @param sent_nonce nonce sent in IKE_SA_INIT
25f2d52f MW	77	* @param received_init received IKE_SA_INIT message data
a44bb934	78	* @param sent_init sent IKE_SA_INIT message data
5f15faeb	79	* @param reserved reserved bytes of ID payload
a44bb934 MW	80	* @return EAP authenticator
	81	*/
	82	eap_authenticator_t eap_authenticator_create_builder(ike_sa_t ike_sa,
25f2d52f	83	chunk_t received_nonce, chunk_t sent_nonce,
5f15faeb MW	84	chunk_t received_init, chunk_t sent_init,
5f15faeb MW	85	char reserved[3]);
a44bb934 MW	86
	87	/**
	88	* Create an authenticator to authenticate EAP clients.
7daf5226	89	*
a44bb934	90	* @param ike_sa associated ike_sa
25f2d52f	91	* @param received_nonce nonce received in IKE_SA_INIT
a44bb934 MW	92	* @param sent_nonce nonce sent in IKE_SA_INIT
a44bb934 MW	93	* @param received_init received IKE_SA_INIT message data
25f2d52f	94	* @param sent_init sent IKE_SA_INIT message data
5f15faeb	95	* @param reserved reserved bytes of ID payload
a44bb934	96	* @return EAP authenticator
f27f6296	97	*/
a44bb934	98	eap_authenticator_t eap_authenticator_create_verifier(ike_sa_t ike_sa,
25f2d52f	99	chunk_t received_nonce, chunk_t sent_nonce,
5f15faeb MW	100	chunk_t received_init, chunk_t sent_init,
5f15faeb MW	101	char reserved[3]);
f27f6296	102
1490ff4d	103	#endif /** EAP_AUTHENTICATOR_H_ @}*/