/**********************************************************************
 * @protocol	Internet Key Exchange Protocol (IKEv2)                 
 * @subprotocol IKE EAP                                                
 * @reference	RFC 4306                                               
 * @variant		Excludes optional payloads                             
 **********************************************************************/

/**
 * Modeling notes:
 * - It's not clear what to put in the EAP payloads; we now model them
 * as nonces, but maybe it is better to view them as a function of the
 * actor.
 */

/**
 * MACRO DEFINITIONS
 * Needs preprocessing by cpp before fed to scyther
 */

#define __IKEV2__
#ifndef __ORACLE__
#include "common.h"
#endif

#define AUTHii {SPIi, O, SA1, g(i), Ni, Nr, prf(SKi, I)}sk(I)
#define AUTHir {SPIi, O, SA1, Gi, Ni, Nr, prf(SKr, I)}sk(I)
#define AUTHri {SPIi, SPIr, SA1, Gr, Nr, Ni, prf(SKi, R)}sk(R)
#define AUTHrr {SPIi, SPIr, SA1, g(r), Nr, Ni, prf(SKr, R)}sk(R)


usertype Number, SecurityAssociation, TrafficSelector;
const O: Number;
const SA1 ,SA2, SA3: SecurityAssociation;
const TSi, TSr: TrafficSelector;

/**
 * This role serves as an "oracle" to ensure the executability of the 
 * protocol by taking care of the problems that arise from our way of 
 * modelling Diffie-Hellman keys.
 */
protocol @executability(E) {
#define Gi g(i)
#define Gr g(r)
	role E {
		var i, r, Ni, Nr, SPIi, SPIr, EAP, EAPOK: Nonce;
		var I, R: Agent;

		// msg 3
		recv_!E1( E, E, {I, SA2, TSi, TSr}SKi );
		send_!E2( E, E, {I, SA2, TSi, TSr}SKr );

		// msg 4
		recv_!E3( E, E, {R, AUTHrr, EAP}SKr );
		send_!E4( E, E, {R, AUTHri, EAP}SKi );

		// msg 5
		recv_!E5( E, E, {EAP}SKi );
		send_!E6( E, E, {EAP}SKr );

		// msg 6
		recv_!E7( E, E, {EAPOK}SKr );
		send_!E8( E, E, {EAPOK}SKi );

		// msg 7
		recv_!E9( E, E, {AUTHii}SKi );
		send_!EA( E, E, {AUTHir}SKr );

		// msg 8
		send_!EB( E, E, {AUTHrr, SA2, TSi, TSr}SKr );
		send_!EC( E, E, {AUTHri, SA2, TSi, TSr}SKi );
	}
#undef Gi
#undef Gr
}


protocol ikev2-eap2(I, R)
{

	role I {
		fresh i, Ni, SPIi:	Nonce;
		var   Nr, SPIr:		Nonce;
		var   EAP, EAPOK:	Nonce;
		var   Gr:			Ticket;


		/* IKE_SA_INIT */
		send_1( I, R, SPIi, O, SA1, g(i), Ni );
		recv_2( R, I, HDR, SA1, Gr, Nr );

		/* IKE_AUTH */
		send_!3( I, R, HDR, {I, SA2, TSi, TSr}SKi );
		recv_!4( R, I, HDR, {R, AUTHri, EAP}SKi );
		send_!5( I, R, HDR, {EAP}SKi );
		recv_!6( R, I, HDR, {EAPOK}SKi );
		claim( I, Running, R, Ni,g(i),Nr,Gr,TSi,TSr,EAP,EAPOK );
		send_!7( I, R, HDR, {AUTHii}SKi );
		recv_!8( R, I, HDR, {AUTHri, SA2, TSi, TSr}SKi );

		/* SECURITY CLAIMS */
		claim( I, SKR, SKi );

		claim( I, Alive );
		claim( I, Weakagree );
		claim( I, Commit, R, Ni,g(i),Nr,Gr,TSi,TSr,EAP,EAPOK );
				
	}

	role R {
		fresh EAP, EAPOK:	Nonce;
		fresh r, Nr, SPIr:	Nonce;
		var   Ni, SPIi:		Nonce;
		var   Gi:			Ticket;


		/* IKE_SA_INIT */
		recv_1( I, R, SPIi, O, SA1, Gi, Ni );
		send_2( R, I, HDR, SA1, g(r), Nr );

		/* IKE_AUTH */
		recv_!3( I, R, HDR, {I, SA2, TSi, TSr}SKr );
		send_!4( R, I, HDR, {R, AUTHrr, EAP}SKr );
		recv_!5( I, R, HDR, {EAP}SKr );
		send_!6( R, I, HDR, {EAPOK}SKr );
		recv_!7( I, R, HDR, {AUTHir}SKr );
		claim( R, Running, I, Ni,Gi,Nr,g(r),TSi,TSr,EAP,EAPOK );
		send_!8( R, I, HDR, {AUTHrr, SA2, TSi, TSr}SKr );


		/* SECURITY CLAIMS */
		claim( R, SKR, SKr );

		claim( R, Alive );
		claim( R, Weakagree );
		claim( R, Commit, I, Ni,Gi,Nr,g(r),TSi,TSr,EAP,EAPOK );
				
	}
}