ec_err_t ec_channel_init(ec_channel_t *ch, ec_cert_t *c, ec_ctx_t *ctx, unsigned char *dh);
ctxshould point to a context where the remote certificate can be found, and will be used for validation purposes - if trust chain checks are performed, then those certificates will also need to be available.
cis the certificate used as the local endpoint. This certificate does not need to be available in
dh, which should be a buffer of at least
EC_CHANNEL_DH_BYTESbytes. The contents of this buffer should be provided to
ec_channel_start()on the remote end.
ec_err_t ec_channel_start(ec_channel_t *ch, unsigned char *dh, int checks);
dhshould contain the negotiation packet generated by
ec_channel_init()on the remote end.
checksis a bitfield determining which checks should be run on the remote certificate. All checks must pass for channel setup to complete successfully.
EC_CHECK_SIGNwill always be tested, whether or not they are set.
ec_err_t ec_channel_encrypt(ec_channel_t *ch, unsigned char *buf, size_t len,
unsigned char *mac, uint64_t *ctr);
EC_CHANNEL_MAC_BYTESbytes) for the message will be stored in
*mac, and the message sequence number will be stored in
ctris not NULL.
ec_err_t ec_channel_decrypt(ec_channel_t *ch, unsigned char *buf, size_t len,
unsigned char *mac, uint64_t ctr);
macshould be the MAC generated by the other end of the channel using
ctrshould be set to the sequence number of the message being decrypted. Otherwise, this can be left at zero, and it will be set automatically.
ec_cert_t *ec_channel_remote(ec_channel_t *ch);