summaryrefslogtreecommitdiff
path: root/src/libipsec/esp_context.h
blob: 322dab97fb9a4a9b5cacdb48f924fb341ba9ebfd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
/*
 * Copyright (C) 2012-2013 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup esp_context esp_context
 * @{ @ingroup libipsec
 */

#ifndef ESP_CONTEXT_H_
#define ESP_CONTEXT_H_

#include <library.h>
#include <crypto/aead.h>

typedef struct esp_context_t esp_context_t;

/**
 *  ESP context, handles sequence numbers and maintains cryptographic primitives
 */
struct esp_context_t {

	/**
	 * Get AEAD wrapper or method to encrypt/decrypt/authenticate ESP packets.
	 *
	 * @return				AEAD wrapper of method
	 */
	aead_t *(*get_aead)(esp_context_t *this);

	/**
	 * Get the current outbound ESP sequence number or the highest authenticated
	 * inbound sequence number.
	 *
	 * @return			current sequence number, in host byte order
	 */
	uint32_t (*get_seqno)(esp_context_t *this);

	/**
	 * Allocate the next outbound ESP sequence number.
	 *
	 * @param seqno		the sequence number, in host byte order
	 * @return			FALSE if the sequence number cycled or inbound context
	 */
	bool (*next_seqno)(esp_context_t *this, uint32_t *seqno);

	/**
	 * Verify an ESP sequence number.  Checks whether a packet with this
	 * sequence number was already received, using the anti-replay window.
	 * This operation does not modify the internal state.  After the sequence
	 * number is successfully verified and the ESP packet is authenticated,
	 * set_authenticated_seqno() should be called.
	 *
	 * @param seqno		the sequence number to verify, in host byte order
	 * @return			TRUE when sequence number is valid
	 */
	bool (*verify_seqno)(esp_context_t *this, uint32_t seqno);

	/**
	 * Adds a sequence number that was successfully verified and
	 * authenticated.  A user MUST call verify_seqno() immediately before
	 * calling this method.
	 *
	 * @param seqno		verified and authenticated seq number in host byte order
	 */
	void (*set_authenticated_seqno)(esp_context_t *this,
									uint32_t seqno);

	/**
	 * Destroy an esp_context_t
	 */
	void (*destroy)(esp_context_t *this);

};

/**
 * Create an esp_context_t instance
 *
 * @param enc_alg		encryption algorithm
 * @param enc_key		encryption key
 * @param int_alg		integrity protection algorithm
 * @param int_key		integrity protection key
 * @param inbound		TRUE to create an inbound ESP context
 * @return				ESP context instance, or NULL if creation fails
 */
esp_context_t *esp_context_create(int enc_alg, chunk_t enc_key, int int_alg,
								  chunk_t int_key, bool inbound);

#endif /** ESP_CONTEXT_H_ @}*/