From 47eb8943b299900054beded5e21717989ff4bb8e Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 5 Jul 2012 13:56:24 +0200
Subject: ESP packet wrapper added, handles encryption/decryption/verification etc.
---
 src/libipsec/esp_packet.h | 148 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 148 insertions(+)
 create mode 100644 src/libipsec/esp_packet.h
(limited to 'src/libipsec/esp_packet.h')
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
new file mode 100644
index 000000000..473eeb4e5
--- /dev/null
+++ b/src/libipsec/esp_packet.h
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup esp_packet esp_packet
+ * @{ @ingroup libipsec
+ */
+
+#ifndef ESP_PACKET_H_
+#define ESP_PACKET_H_
+
+#include "esp_context.h"
+
+#include 
+#include 
+
+typedef struct esp_packet_t esp_packet_t;
+
+/**
+ * ESP packet
+ */
+struct esp_packet_t {
+
+ /**
+ * Get the source address of this packet
+ *
+ * @return source host
+ */
+ host_t *(*get_source)(esp_packet_t *this);
+
+ /**
+ * Get the destination address of this packet
+ *
+ * @return destination host
+ */
+ host_t *(*get_destination)(esp_packet_t *this);
+
+ /**
+ * Parse the packet header before decryption. Tries to read the SPI
+ * from the packet to find a corresponding SA.
+ *
+ * @param spi parsed SPI, in network byte order
+ * @return TRUE when successful, FALSE otherwise (e.g. when the
+ * length of the packet is invalid)
+ */
+ bool (*parse_header)(esp_packet_t *this, u_int32_t *spi);
+
+ /**
+ * Authenticate and decrypt the packet. Also verifies the sequence number
+ * using the supplied ESP context and updates the anti-replay window.
+ *
+ * @param esp_context ESP context of corresponding inbound IPsec SA
+ * @return - SUCCESS if successfully authenticated,
+ * decrypted and parsed
+ * - PARSE_ERROR if the length of the packet or the
+ * padding is invalid
+ * - VERIFY_ERROR if the sequence number
+ * verification failed
+ * - FAILED if the ICV (MAC) check or the actual
+ * decryption failed
+ */
+ status_t (*decrypt)(esp_packet_t *this, esp_context_t *esp_context);
+
+ /**
+ * Encapsulate and encrypt the packet. The sequence number will be generated
+ * using the supplied ESP context.
+ *
+ * @param esp_context ESP context of corresponding outbound IPsec SA
+ * @param spi SPI value to use, in network byte order
+ * @return - SUCCESS if encrypted
+ * - FAILED if sequence number cycled or any of the
+ * cryptographic functions failed
+ * - NOT_FOUND if no suitable RNG could be found
+ */
+ status_t (*encrypt)(esp_packet_t *this, esp_context_t *esp_context,
+ u_int32_t spi);
+
+ /**
+ * Get the next header field of a packet.
+ *
+ * @note Packet has to be in the decrypted state.
+ *
+ * @return next header field
+ */
+ u_int8_t (*get_next_header)(esp_packet_t *this);
+
+ /**
+ * Get the plaintext payload of this packet (e.g. inner IP packet).
+ *
+ * @return plaintext payload (internal data),
+ * chunk_empty if not decrypted
+ */
+ chunk_t (*get_payload)(esp_packet_t *this);
+
+ /**
+ * Get the packet data to send / as received on the wire.
+ *
+ * @return encrypted packet data (internal data),
+ * chunk_empty if not encrypted
+ */
+ chunk_t (*get_packet_data)(esp_packet_t *this);
+
+ /**
+ * Destroy an esp_packet_t
+ */
+ void (*destroy)(esp_packet_t *this);
+
+};
+
+/**
+ * Create an ESP packet out of data from the wire.
+ *
+ * @param src source address from which the packet was sent, owned
+ * @param dst destination address to which the packet was sent, owned
+ * @param data the packet data as received, gets owned
+ * @return esp_packet_t instance
+ */
+esp_packet_t *esp_packet_create_from_packet(host_t *src, host_t *dst,
+ chunk_t data);
+
+/**
+ * Create an ESP packet from a plaintext payload (e.g. inner IP packet)
+ *
+ * @param src source address
+ * @param dst destination address
+ * @param payload plaintext payload (e.g. inner IP packet), gets owned
+ * @param next_header next header type of the payload (e.g IPPROTO_IPIP)
+ * @return esp_packet_t instance
+ */
+esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
+ chunk_t payload, u_int8_t next_header);
+
+#endif /** ESP_PACKET_H_ @}*/
+
-- cgit v1.2.3
From 05a2a7950cb5ea440b41882da05f1eae280ba979 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Sat, 7 Jul 2012 13:31:07 +0200
Subject: esp_packet_t implements packet_t interface
This should allow to avoid unnecessary cloning of packet data.
---
 src/libipsec/esp_packet.h | 24 ++++++++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)
(limited to 'src/libipsec/esp_packet.h')
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
index 473eeb4e5..7dbbd1986 100644
--- a/src/libipsec/esp_packet.h
+++ b/src/libipsec/esp_packet.h
@@ -27,6 +27,7 @@
 #include 
 #include 
+#include 
 typedef struct esp_packet_t esp_packet_t;
@@ -35,6 +36,11 @@ typedef struct esp_packet_t esp_packet_t;
 */
 struct esp_packet_t {
+ /**
+ * Implements packet_t interface to access the raw ESP packet
+ */
+ packet_t packet;
+ /**
+ * Get the source address of this packet
+ *
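Review bot: The `decrypt` contract in this hunk says the sequence number is verified and the anti-replay window updated, but it does not say whether the window is advanced only after the ICV check has passed; an implementation that updates it before authentication would let unauthenticated packets move the window and cause legitimate traffic to be dropped. RFC 4303 (section 3.4.3) requires the window update to follow successful integrity verification, so I would pin that in the doc: `* The anti-replay window is only advanced after the ICV has been verified.` The order of the listed return codes (VERIFY_ERROR before FAILED) suggests a preliminary sequence-number check runs before the ICV check, which is fine as long as the update itself is deferred; whether esp_packet.c does this cannot be seen from the header. The same hunk's `get_payload` and `get_packet_data` return "internal data" — it would also help to state how long those chunks stay valid (presumably until the next encrypt/decrypt or destroy).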
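Review bot: The new `packet_t packet` member is documented as implementing the packet_t interface, but the doc does not say that it has to stay the first member of the struct; if the implementation relies on casting between `esp_packet_t *` and `packet_t *` to expose the embedded interface, moving the member later would silently break that. I would add `* Has to be the first member so that esp_packet_t can be used as a packet_t.` to the comment, assuming that is how esp_packet.c uses it — this cannot be confirmed from the header alone.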
@@ -106,14 +112,6 @@ struct esp_packet_t {
 */
 chunk_t (*get_payload)(esp_packet_t *this);
- /**
- * Get the packet data to send / as received on the wire.
- *
- * @return encrypted packet data (internal data),
- * chunk_empty if not encrypted
- */
- chunk_t (*get_packet_data)(esp_packet_t *this);
- /**
 * Destroy an esp_packet_t
 */
@@ -124,13 +122,10 @@ struct esp_packet_t {
 /**
 * Create an ESP packet out of data from the wire.
 *
- * @param src source address from which the packet was sent, owned
- * @param dst destination address to which the packet was sent, owned
- * @param data the packet data as received, gets owned
+ * @param packet the packet data as received, gets owned
+ * @return esp_packet_t instance
 */
-esp_packet_t *esp_packet_create_from_packet(host_t *src, host_t *dst,
- chunk_t data);
+esp_packet_t *esp_packet_create_from_packet(packet_t *packet);
 /**
 * Create an ESP packet from a plaintext payload (e.g. inner IP packet)
@@ -142,7 +137,8 @@ esp_packet_t *esp_packet_create_from_packet(host_t *src, host_t *dst,
 * @return esp_packet_t instance
 */
 esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
- chunk_t payload, u_int8_t next_header);
+ chunk_t payload,
+ u_int8_t next_header);
 #endif /** ESP_PACKET_H_ @}*/
-- cgit v1.2.3
From b37758c41eb3137a4398847e729d6fa3d70617a6 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 13 Jul 2012 15:23:00 +0200
Subject: Represent the payload of an ESP packet as ip_packet_t instead of a chunk_t
---
 src/libipsec/esp_packet.h | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
(limited to 'src/libipsec/esp_packet.h')
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
index 7dbbd1986..a1d1602c1 100644
--- a/src/libipsec/esp_packet.h
+++ b/src/libipsec/esp_packet.h
@@ -23,6 +23,7 @@
 #ifndef ESP_PACKET_H_
 #define ESP_PACKET_H_
+#include "ip_packet.h"
 #include "esp_context.h"
 #include 
@@ -105,12 +106,20 @@ struct esp_packet_t {
 u_int8_t (*get_next_header)(esp_packet_t *this);
 /**
- * Get the plaintext payload of this packet (e.g. inner IP packet).
+ * Get the plaintext payload of this packet.
 *
 * @return plaintext payload (internal data),
- * chunk_empty if not decrypted
+ * NULL if not decrypted
 */
- chunk_t (*get_payload)(esp_packet_t *this);
+ ip_packet_t *(*get_payload)(esp_packet_t *this);
+
+ /**
+ * Extract the plaintext payload from this packet.
+ *
+ * @return plaintext payload (has to be destroyed),
+ * NULL if not decrypted
+ */
+ ip_packet_t *(*extract_payload)(esp_packet_t *this);
 /**
 * Destroy an esp_packet_t
@@ -128,17 +137,15 @@ struct esp_packet_t {
 esp_packet_t *esp_packet_create_from_packet(packet_t *packet);
 /**
- * Create an ESP packet from a plaintext payload (e.g. inner IP packet)
+ * Create an ESP packet from a plaintext payload
 *
 * @param src source address
 * @param dst destination address
- * @param payload plaintext payload (e.g. inner IP packet), gets owned
- * @param next_header next header type of the payload (e.g IPPROTO_IPIP)
+ * @param payload plaintext payload, gets owned
 * @return esp_packet_t instance
 */
 esp_packet_t *esp_packet_create_from_payload(host_t *src, host_t *dst,
- chunk_t payload,
- u_int8_t next_header);
+ ip_packet_t *payload);
 #endif /** ESP_PACKET_H_ @}*/
-- cgit v1.2.3
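Review bot: `extract_payload` documents that the returned ip_packet_t has to be destroyed by the caller, but not what state the esp_packet_t is left in — whether a subsequent `get_payload` returns NULL, whether `extract_payload` may be called a second time, and whether `encrypt` is still valid once the payload is gone. Since `get_payload` in the same hunk hands out the internal pointer, a caller holding that pointer across an `extract_payload` call would be left with a dangling reference, so the ownership hand-off should be explicit; I would add `* After extraction the packet no longer references the payload; get_payload() returns NULL.` to the docstring, if that matches the implementation (not visible in this header). The `create_from_payload` change in the following hunk drops the `next_header` parameter; a line stating where that value now comes from (presumably the ip_packet_t itself) would keep the factory's contract complete.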