diff options
Diffstat (limited to 'src/libcharon/encoding/payloads/encryption_payload.h')
| -rw-r--r-- | src/libcharon/encoding/payloads/encryption_payload.h | 118 |
1 files changed, 27 insertions, 91 deletions
diff --git a/src/libcharon/encoding/payloads/encryption_payload.h b/src/libcharon/encoding/payloads/encryption_payload.h index ac5326b87..e99c42fb7 100644 --- a/src/libcharon/encoding/payloads/encryption_payload.h +++ b/src/libcharon/encoding/payloads/encryption_payload.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -25,45 +26,30 @@ typedef struct encryption_payload_t encryption_payload_t; #include <library.h> -#include <crypto/crypters/crypter.h> -#include <crypto/signers/signer.h> +#include <crypto/aead.h> #include <encoding/payloads/payload.h> -#include <utils/linked_list.h> /** * Encrpytion payload length in bytes without IV and following data. */ #define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4 - /** * The encryption payload as described in RFC section 3.14. - * - * Before any crypt/decrypt/sign/verify operation can occur, - * the transforms must be set. After that, a parsed encryption payload - * can be decrypted, which also will parse the contained payloads. - * Encryption is done the same way, added payloads will get generated - * and then encrypted. - * For signature building, there is the FULL packet needed. Meaning it - * must be builded after generation of all payloads and the encryption - * of the encryption payload. - * Signature verificatin is done before decryption. */ struct encryption_payload_t { + /** * Implements payload_t interface. */ payload_t payload_interface; /** - * Creates an iterator for all contained payloads. + * Get the payload length. * - * iterator_t object has to get destroyed by the caller. - * - * @param forward iterator direction (TRUE: front to end) - * return created iterator_t object + * @return (expected) payload length */ - iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward); + size_t (*get_length)(encryption_payload_t *this); /** * Adds a payload to this encryption payload. @@ -73,89 +59,39 @@ struct encryption_payload_t { void (*add_payload) (encryption_payload_t *this, payload_t *payload); /** - * Reove the last payload in the contained payload list. + * Remove the first payload in the list * * @param payload removed payload - * @return - * - SUCCESS, or - * - NOT_FOUND if list empty - */ - status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload); - - /** - * Get the number of payloads. - * - * @return number of contained payloads + * @return payload, NULL if none left */ - size_t (*get_payload_count) (encryption_payload_t *this); + payload_t* (*remove_payload)(encryption_payload_t *this); /** - * Set transforms to use. - * - * To decryption, encryption, signature building and verifying, - * the payload needs a crypter and a signer object. + * Set the AEAD transform to use. * - * @warning Do NOT call this function again after encryption, since - * the signer must be the same while encrypting and signature building! - * - * @param crypter crypter_t to use for data de-/encryption - * @param signer signer_t to use for data signing/verifying + * @param aead aead transform to use */ - void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer); + void (*set_transform) (encryption_payload_t *this, aead_t *aead); /** - * Generate and encrypt contained payloads. - * - * This function generates the content for added payloads - * and encrypts them. Signature is not built, since we need - * additional data (the full message). + * Generate, encrypt and sign contained payloads. * - * @return SUCCESS, or INVALID_STATE if transforms not set + * @param assoc associated data + * @return TRUE if encrypted */ - status_t (*encrypt) (encryption_payload_t *this); + bool (*encrypt) (encryption_payload_t *this, chunk_t assoc); /** - * Decrypt and parse contained payloads. - * - * This function decrypts the contained data. After, - * the payloads are parsed internally and are accessible - * via the iterator. - * - * @return - * - SUCCESS, or - * - INVALID_STATE if transforms not set, or - * - FAILED if data is invalid - */ - status_t (*decrypt) (encryption_payload_t *this); - - /** - * Build the signature. - * - * The signature is built over the FULL message, so the header - * and every payload (inclusive this one) must already be generated. - * The generated message is supplied via the data paramater. - * - * @param data chunk contains the already generated message - * @return - * - SUCCESS, or - * - INVALID_STATE if transforms not set - */ - status_t (*build_signature) (encryption_payload_t *this, chunk_t data); - - /** - * Verify the signature. - * - * Since the signature is built over the full message, we need - * this data to do the verification. The message data - * is supplied via the data argument. - * - * @param data chunk contains the message - * @return - * - SUCCESS, or - * - FAILED if signature invalid, or - * - INVALID_STATE if transforms not set + * Decrypt, verify and parse contained payloads. + * + * @param assoc associated data + * - SUCCESS if parsing successful + * - PARSE_ERROR if sub-payload parsing failed + * - VERIFY_ERROR if sub-payload verification failed + * - FAILED if integrity check failed + * - INVALID_STATE if aead not supplied, but needed */ - status_t (*verify_signature) (encryption_payload_t *this, chunk_t data); + status_t (*decrypt) (encryption_payload_t *this, chunk_t assoc); /** * Destroys an encryption_payload_t object. @@ -166,7 +102,7 @@ struct encryption_payload_t { /** * Creates an empty encryption_payload_t object. * - * @return encryption_payload_t object + * @return encryption_payload_t object */ encryption_payload_t *encryption_payload_create(void); |