1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 /**
19 * @defgroup eap_aka_i eap_aka
20 * @{ @ingroup eap_aka
21 */
22
#ifndef EAP_AKA_H_
#define EAP_AKA_H_

/* Forward declaration so eap_method.h can be included after the typedef. */
typedef struct eap_aka_t eap_aka_t;

#include <sa/authenticators/eap/eap_method.h>

/**
 * Check SEQ values as client for validity, disabled by default.
 *
 * With SEQ_CHECK at 0 the peer accepts any SEQ number, which leaves the
 * AKA exchange open to replay (see the eap_aka_t description for why this
 * is tolerated). Define SEQ_CHECK as 1 to enable the time-derived SEQ check.
 */
#ifndef SEQ_CHECK
# define SEQ_CHECK 0
#endif
34
/**
 * Implementation of the eap_method_t interface using EAP-AKA.
 *
 * EAP-AKA uses the 3rd generation mobile phone standard authentication
 * mechanism for authentication. It is a mutual authentication
 * mechanism which establishes a shared key and therefore supports EAP_ONLY
 * authentication. This implementation follows the standard of the
 * 3GPP2 (S.S0055) and not the one of 3GPP.
 * The shared key used for authentication is from ipsec.secrets. The
 * peer's ID is used to query it.
 * The AKA mechanism uses sequence numbers to detect replay attacks. The
 * peer normally stores the sequence number in a USIM and accepts
 * incremental sequence numbers (incremental for the lifetime of the USIM).
 * To avoid complex sequence number management, this implementation uses
 * a sequence number derived from time. It is initialized to the startup
 * time of the daemon. As long as the (UTC) time of the system is not
 * turned back while the daemon is not running, this method is secure.
 * To enable time based SEQs, #define SEQ_CHECK as 1. The default is to
 * accept any SEQ number, which allows an attacker to replay a previous
 * exchange. But since the server has proven its identity via IKE, such an
 * attack is only possible between the server and the AAA backend (if any).
 */
struct eap_aka_t {

	/**
	 * Implemented eap_method_t interface.
	 *
	 * Presumably kept as the first member so an eap_aka_t can be handed
	 * out where an eap_method_t is expected; confirm against the .c file.
	 */
	eap_method_t eap_method_interface;
};
64
/**
 * Creates the server implementation of the EAP method EAP-AKA.
 *
 * The shared key is looked up in ipsec.secrets using the peer's ID.
 *
 * @param server	ID of the EAP server
 * @param peer		ID of the EAP client
 * @return			eap_aka_t object (ownership and failure value per
 *					eap_method_t convention; not specified here)
 */
eap_aka_t *eap_aka_create_server(identification_t *server, identification_t *peer);

/**
 * Creates the peer implementation of the EAP method EAP-AKA.
 *
 * The peer side is the one that validates SEQ values when SEQ_CHECK is
 * defined as 1; with the default of 0 any SEQ is accepted.
 *
 * @param server	ID of the EAP server
 * @param peer		ID of the EAP client
 * @return			eap_aka_t object (ownership and failure value per
 *					eap_method_t convention; not specified here)
 */
eap_aka_t *eap_aka_create_peer(identification_t *server, identification_t *peer);

#endif /* EAP_AKA_H_ @}*/