[thirdparty/strongswan.git] / src / libsimaka / simaka_provider.h

/*
 * Copyright (C) 2008-2011 Martin Willi
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup simaka_provider simaka_provider
 * @{ @ingroup libsimaka
 */

#ifndef SIMAKA_PROVIDER_H_
#define SIMAKA_PROVIDER_H_

typedef struct simaka_provider_t simaka_provider_t;

#include "simaka_manager.h"

#include <utils/identification.h>

/**
 * Interface for a triplet/quintuplet provider (used as EAP server).
 *
 * A SIM provider hands out triplets for SIM authentication and quintuplets
 * for AKA authentication. Multiple SIM provider instances can serve as
 * authentication backend to authenticate clients using SIM/AKA.
 * An implementation supporting only one of SIM/AKA authentication may
 * implement the other methods with return_false().
 */
struct simaka_provider_t {

	/**
	 * Create a challenge for SIM authentication.
	 *
	 * @param id		permanent identity of peer to gen triplet for
	 * @param rand		RAND output buffer, fixed size 16 bytes
	 * @param sres		SRES output buffer, fixed size 4 byte
	 * @param kc		KC output buffer, fixed size 8 bytes
	 * @return			TRUE if triplet received, FALSE otherwise
	 */
	bool (*get_triplet)(simaka_provider_t *this, identification_t *id,
						char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
						char kc[SIM_KC_LEN]);

	/**
	 * Create a challenge for AKA authentication.
	 *
	 * The XRES value is the only one with variable length. Pass a buffer
	 * of at least AKA_RES_MAX, the actual number of bytes is written to the
	 * xres_len value. While the standard would allow any bit length between
	 * 32 and 128 bits, we support only full bytes for now.
	 *
	 * @param id		permanent identity of peer to create challenge for
	 * @param rand		buffer receiving random value rand
	 * @param xres		buffer receiving expected authentication result xres
	 * @param xres_len	number of bytes written to xres buffer
	 * @param ck		buffer receiving encryption key ck
	 * @param ik		buffer receiving integrity key ik
	 * @param autn		authentication token autn
	 * @return			TRUE if quintuplet generated successfully
	 */
	bool (*get_quintuplet)(simaka_provider_t *this, identification_t *id,
						   char rand[AKA_RAND_LEN],
						   char xres[AKA_RES_MAX], int *xres_len,
						   char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
						   char autn[AKA_AUTN_LEN]);

	/**
	 * Process AKA resynchronization request of a peer.
	 *
	 * @param id		permanent identity of peer requesting resynchronization
	 * @param rand		random value rand
	 * @param auts		synchronization parameter auts
	 * @return			TRUE if resynchronized successfully
	 */
	bool (*resync)(simaka_provider_t *this, identification_t *id,
				   char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);

	/**
	 * Check if peer uses a pseudonym, get permanent identity.
	 *
	 * @param id		pseudonym identity candidate
	 * @return			permanent identity, NULL if id not a pseudonym
	 */
	identification_t* (*is_pseudonym)(simaka_provider_t *this,
									  identification_t *id);

	/**
	 * Generate a pseudonym identity for a given peer identity.
	 *
	 * @param id		permanent identity to generate a pseudonym for
	 * @return			generated pseudonym, NULL to not use a pseudonym identity
	 */
	identification_t* (*gen_pseudonym)(simaka_provider_t *this,
									   identification_t *id);

	/**
	 * Check if peer uses reauthentication, retrieve reauth parameters.
	 *
	 * @param id		reauthentication identity (candidate)
	 * @param mk		buffer receiving master key MK
	 * @param counter	pointer receiving current counter value, host order
	 * @return			permanent identity, NULL if id not a reauth identity
	 */
	identification_t* (*is_reauth)(simaka_provider_t *this, identification_t *id,
								   char mk[HASH_SIZE_SHA1], uint16_t *counter);

	/**
	 * Generate a fast reauthentication identity, associated to a master key.
	 *
	 * @param id		permanent peer identity
	 * @param mk		master key to store along with generated identity
	 * @return			fast reauthentication identity, NULL to not use reauth
	 */
	identification_t* (*gen_reauth)(simaka_provider_t *this, identification_t *id,
									char mk[HASH_SIZE_SHA1]);
};

#endif /** SIMAKA_CARD_H_ @}*/
Commit	Line	Data
f58db724	1	/*
efee3ed8	2	* Copyright (C) 2008-2011 Martin Willi
19ef2aec TB	3	*
19ef2aec TB	4	* Copyright (C) secunet Security Networks AG
f58db724 MW	5	*
	6	* This program is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2 of the License, or (at your
	9	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	10	*
	11	* This program is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	13	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	14	* for more details.
	15	*/
	16
	17	/**
efee3ed8 MW	18	* @defgroup simaka_provider simaka_provider
efee3ed8 MW	19	* @{ @ingroup libsimaka
f58db724 MW	20	*/
f58db724 MW	21
efee3ed8 MW	22	#ifndef SIMAKA_PROVIDER_H_
efee3ed8 MW	23	#define SIMAKA_PROVIDER_H_
f58db724	24
efee3ed8 MW	25	typedef struct simaka_provider_t simaka_provider_t;
	26
	27	#include "simaka_manager.h"
	28
	29	#include <utils/identification.h>
f58db724 MW	30
	31	/**
	32	* Interface for a triplet/quintuplet provider (used as EAP server).
	33	*
	34	* A SIM provider hands out triplets for SIM authentication and quintuplets
	35	* for AKA authentication. Multiple SIM provider instances can serve as
	36	* authentication backend to authenticate clients using SIM/AKA.
	37	* An implementation supporting only one of SIM/AKA authentication may
	38	* implement the other methods with return_false().
	39	*/
efee3ed8	40	struct simaka_provider_t {
f58db724 MW	41
	42	/**
	43	* Create a challenge for SIM authentication.
	44	*
	45	* @param id permanent identity of peer to gen triplet for
	46	* @param rand RAND output buffer, fixed size 16 bytes
	47	* @param sres SRES output buffer, fixed size 4 byte
	48	* @param kc KC output buffer, fixed size 8 bytes
	49	* @return TRUE if triplet received, FALSE otherwise
	50	*/
efee3ed8	51	bool (get_triplet)(simaka_provider_t this, identification_t *id,
f58db724 MW	52	char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN],
	53	char kc[SIM_KC_LEN]);
	54
	55	/**
	56	* Create a challenge for AKA authentication.
	57	*
	58	* The XRES value is the only one with variable length. Pass a buffer
	59	* of at least AKA_RES_MAX, the actual number of bytes is written to the
	60	* xres_len value. While the standard would allow any bit length between
	61	* 32 and 128 bits, we support only full bytes for now.
	62	*
	63	* @param id permanent identity of peer to create challenge for
	64	* @param rand buffer receiving random value rand
	65	* @param xres buffer receiving expected authentication result xres
1fafc56b	66	* @param xres_len number of bytes written to xres buffer
f58db724 MW	67	* @param ck buffer receiving encryption key ck
	68	* @param ik buffer receiving integrity key ik
	69	* @param autn authentication token autn
	70	* @return TRUE if quintuplet generated successfully
	71	*/
efee3ed8	72	bool (get_quintuplet)(simaka_provider_t this, identification_t *id,
f58db724 MW	73	char rand[AKA_RAND_LEN],
	74	char xres[AKA_RES_MAX], int *xres_len,
	75	char ck[AKA_CK_LEN], char ik[AKA_IK_LEN],
	76	char autn[AKA_AUTN_LEN]);
	77
	78	/**
b3ab7a48	79	* Process AKA resynchronization request of a peer.
f58db724	80	*
b3ab7a48	81	* @param id permanent identity of peer requesting resynchronization
f58db724 MW	82	* @param rand random value rand
	83	* @param auts synchronization parameter auts
	84	* @return TRUE if resynchronized successfully
	85	*/
efee3ed8	86	bool (resync)(simaka_provider_t this, identification_t *id,
f58db724 MW	87	char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]);
	88
	89	/**
	90	* Check if peer uses a pseudonym, get permanent identity.
	91	*
	92	* @param id pseudonym identity candidate
	93	* @return permanent identity, NULL if id not a pseudonym
	94	*/
efee3ed8	95	identification_t* (is_pseudonym)(simaka_provider_t this,
f58db724 MW	96	identification_t *id);
	97
	98	/**
b3ab7a48	99	* Generate a pseudonym identity for a given peer identity.
f58db724 MW	100	*
	101	* @param id permanent identity to generate a pseudonym for
	102	* @return generated pseudonym, NULL to not use a pseudonym identity
	103	*/
efee3ed8	104	identification_t* (gen_pseudonym)(simaka_provider_t this,
f58db724 MW	105	identification_t *id);
	106
	107	/**
	108	* Check if peer uses reauthentication, retrieve reauth parameters.
	109	*
	110	* @param id reauthentication identity (candidate)
	111	* @param mk buffer receiving master key MK
	112	* @param counter pointer receiving current counter value, host order
	113	* @return permanent identity, NULL if id not a reauth identity
	114	*/
efee3ed8	115	identification_t* (is_reauth)(simaka_provider_t this, identification_t *id,
b12c53ce	116	char mk[HASH_SIZE_SHA1], uint16_t *counter);
f58db724 MW	117
	118	/**
	119	* Generate a fast reauthentication identity, associated to a master key.
	120	*
	121	* @param id permanent peer identity
	122	* @param mk master key to store along with generated identity
	123	* @return fast reauthentication identity, NULL to not use reauth
	124	*/
efee3ed8	125	identification_t* (gen_reauth)(simaka_provider_t this, identification_t *id,
f58db724 MW	126	char mk[HASH_SIZE_SHA1]);
	127	};
	128
efee3ed8	129	#endif /** SIMAKA_CARD_H_ @}*/