ESP packet wrapper added, handles encryption/decryption/verification etc.
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup esp_packet esp_packet
20 * @{ @ingroup libipsec
21 */
22
23 #ifndef ESP_PACKET_H_
24 #define ESP_PACKET_H_
25
26 #include "esp_context.h"
27
28 #include <library.h>
29 #include <utils/host.h>
30
/* Forward declaration so the method pointers in the struct below can take
 * esp_packet_t *this; the full struct is declared right after it. */
typedef struct esp_packet_t esp_packet_t;
32
/**
 * ESP packet
 *
 * Wraps a single ESP datagram in one of two states: "wire" (ESP header,
 * ciphertext and ICV as sent or received) or "plaintext" (the inner payload,
 * e.g. an IP packet, plus its next-header value).  decrypt() takes a wire
 * packet to the plaintext state, encrypt() takes a plaintext payload to the
 * wire state; get_payload()/get_packet_data() return chunk_empty for the
 * state the packet is not in.
 *
 * Getters hand out references to internal data: get_payload() and
 * get_packet_data() say so explicitly, and the hosts returned by
 * get_source()/get_destination() are presumably the packet's own references
 * as well (NOTE(review): confirm against esp_packet.c).  Callers must not
 * free what a getter returns and must not use it after destroy().
 */
struct esp_packet_t {

	/**
	 * Get the source address of this packet
	 *
	 * @return			source host
	 */
	host_t *(*get_source)(esp_packet_t *this);

	/**
	 * Get the destination address of this packet
	 *
	 * @return			destination host
	 */
	host_t *(*get_destination)(esp_packet_t *this);

	/**
	 * Parse the packet header before decryption. Tries to read the SPI
	 * from the packet to find a corresponding SA.
	 *
	 * Nothing has been authenticated at this point, so the SPI handed back
	 * is untrusted input: use it only to look up the candidate inbound SA
	 * whose context is then passed to decrypt(), never as a proof of origin.
	 *
	 * @param spi		receives the parsed SPI, in network byte order
	 * @return			TRUE when successful, FALSE otherwise (e.g. when the
	 *					length of the packet is invalid)
	 */
	bool (*parse_header)(esp_packet_t *this, u_int32_t *spi);

	/**
	 * Authenticate and decrypt the packet. Also verifies the sequence number
	 * using the supplied ESP context and updates the anti-replay window.
	 *
	 * Security-relevant ordering (RFC 4303, section 3.4.3): the anti-replay
	 * window must only be advanced after the ICV has been verified, otherwise
	 * a forged packet with a high sequence number could slide the window and
	 * get legitimate traffic dropped.  Likewise the padding check behind
	 * PARSE_ERROR must only ever run on data whose ICV already passed -
	 * authenticate-then-decrypt, as the summary line says, is what keeps the
	 * distinct return codes from acting as a padding oracle.
	 * NOTE(review): this order is not visible from the header; confirm that
	 * esp_packet.c implements it that way before relying on it.
	 *
	 * Whatever the reason, the caller should simply drop the packet on any
	 * result other than SUCCESS; ESP has no error reporting to the peer, so
	 * the specific code is for logging/auditing only.
	 *
	 * @param esp_context	ESP context of corresponding inbound IPsec SA
	 * @return				- SUCCESS if successfully authenticated,
	 *						  decrypted and parsed
	 *						- PARSE_ERROR if the length of the packet or the
	 *						  padding is invalid
	 *						- VERIFY_ERROR if the sequence number
	 *						  verification failed
	 *						- FAILED if the ICV (MAC) check or the actual
	 *						  decryption failed
	 */
	status_t (*decrypt)(esp_packet_t *this, esp_context_t *esp_context);

	/**
	 * Encapsulate and encrypt the packet. The sequence number will be generated
	 * using the supplied ESP context.
	 *
	 * The packet has to be in the plaintext state (see
	 * esp_packet_create_from_payload()).
	 *
	 * A FAILED result caused by the sequence number cycling means this
	 * outbound SA is exhausted: a sequence number must never be reused under
	 * the same key (it would defeat the peer's replay protection and, depending
	 * on the cipher mode, may repeat an IV/nonce).  The caller has to get the
	 * SA rekeyed/replaced instead of retrying with the same esp_context.
	 *
	 * @param esp_context	ESP context of corresponding outbound IPsec SA
	 * @param spi			SPI value to use, in network byte order
	 * @return				- SUCCESS if encrypted
	 *						- FAILED if sequence number cycled or any of the
	 *						  cryptographic functions failed
	 *						- NOT_FOUND if no suitable RNG could be found
	 */
	status_t (*encrypt)(esp_packet_t *this, esp_context_t *esp_context,
						u_int32_t spi);

	/**
	 * Get the next header field of a packet.
	 *
	 * This identifies the protocol of the plaintext payload (e.g. IPPROTO_IPIP
	 * for an inner IP packet, see esp_packet_create_from_payload()).  For a
	 * received packet it comes from the authenticated, decrypted trailer; the
	 * payload it describes is still ordinary network input and has to be
	 * validated by whoever consumes it.
	 *
	 * @note Packet has to be in the decrypted state.
	 *
	 * @return			next header field
	 */
	u_int8_t (*get_next_header)(esp_packet_t *this);

	/**
	 * Get the plaintext payload of this packet (e.g. inner IP packet).
	 *
	 * The returned chunk points into the packet's own buffer: do not free it
	 * and do not keep it beyond destroy().
	 *
	 * @return			plaintext payload (internal data),
	 *					chunk_empty if not decrypted
	 */
	chunk_t (*get_payload)(esp_packet_t *this);

	/**
	 * Get the packet data to send / as received on the wire.
	 *
	 * The returned chunk points into the packet's own buffer: do not free it
	 * and do not keep it beyond destroy().
	 *
	 * @return			encrypted packet data (internal data),
	 *					chunk_empty if not encrypted
	 */
	chunk_t (*get_packet_data)(esp_packet_t *this);

	/**
	 * Destroy an esp_packet_t
	 *
	 * Releases the packet together with everything it owns, i.e. the hosts
	 * and data/payload chunks adopted by the constructors.
	 */
	void (*destroy)(esp_packet_t *this);

};
123
/**
 * Create an ESP packet out of data from the wire.
 *
 * The resulting packet is in the "wire" state.  Nothing about the data is
 * trusted yet: call parse_header() to obtain the SPI, look up the inbound SA,
 * and only treat the contents as valid once decrypt() returned SUCCESS.
 *
 * @param src			source address from which the packet was sent, owned
 * @param dst			destination address to which the packet was sent, owned
 * @param data			the packet data as received, gets owned
 * @return				esp_packet_t instance
 */
esp_packet_t *esp_packet_create_from_packet(host_t *src, host_t *dst,
											chunk_t data);
134
/**
 * Create an ESP packet from a plaintext payload (e.g. inner IP packet)
 *
 * The resulting packet is in the "plaintext" state; call encrypt() with the
 * outbound SA's context to produce the wire representation.
 *
 * NOTE(review): unlike esp_packet_create_from_packet(), ownership of src and
 * dst is not stated here.  Presumably they are adopted the same way (and
 * released by destroy()) - confirm against esp_packet.c before passing hosts
 * the caller still needs.
 *
 * @param src			source address
 * @param dst			destination address
 * @param payload		plaintext payload (e.g. inner IP packet), gets owned
 * @param next_header	next header type of the payload (e.g IPPROTO_IPIP)
 * @return				esp_packet_t instance
 */
esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
											 chunk_t payload, u_int8_t next_header);
146
147 #endif /** ESP_PACKET_H_ @}*/
148