embedded IPsec source code documentation


esp.c File Reference


Detailed Description

This module contains the Encapsulating Security Payload code.

Author:
Niklaus Schild <n.schild@gmx.ch>
OUTLINE:

IMPLEMENTATION: All functions work in-place (i.e. they manipulate the original packet directly, without copying any data). For the encapsulation routine, the caller must ensure that space for the new IP and ESP headers is available in front of the packet:

                             | pointer to packet header
     ________________________\/________________________________________________
    |          ¦       ¦      ¦                             ¦ padd       ¦ ev. |
    | Ethernet ¦ newIP ¦ ESP  ¦   original (inner) packet   ¦ next-proto ¦ ICV |
    |__________¦_______¦______¦_____________________________¦____________¦_____|
    ¦                         ¦                             ¦                  ¦
    ¦<-room for new headers-->¦                             ¦<-   room tail  ->¦

This document is part of embedded IPsec
Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
All rights reserved.
This file contains code from the OpenSSL Project
portions Copyright (c) 1998-2003 OpenSSL (www.openssl.org)


Definition in file esp.c.

#include <string.h>
#include "ipsec/ipsec.h"
#include "ipsec/util.h"
#include "ipsec/debug.h"
#include "ipsec/sa.h"
#include "ipsec/des.h"
#include "ipsec/md5.h"
#include "ipsec/sha1.h"
#include "ipsec/esp.h"


Functions

__u8 ipsec_esp_get_padding (int len)
ipsec_status ipsec_esp_decapsulate (ipsec_ip_header *packet, int *offset, int *len, sad_entry *sa)
ipsec_status ipsec_esp_encapsulate (ipsec_ip_header *packet, int *offset, int *len, sad_entry *sa, __u32 src_addr, __u32 dest_addr)

Variables

__u32 ipsec_esp_bitmap = 0
__u32 ipsec_esp_lastSeq = 0


Function Documentation

ipsec_status ipsec_esp_decapsulate (ipsec_ip_header *packet, int *offset, int *len, sad_entry *sa)

Decapsulates an IP packet containing an ESP header.

Parameters:
packet pointer to the ESP header
offset pointer to the offset which is passed back
len pointer to the length of the decapsulated packet
sa pointer to the SA
Returns:
IPSEC_STATUS_SUCCESS if the packet could be decapsulated properly

IPSEC_STATUS_FAILURE if the SA's authentication algorithm was invalid or if ICV comparison failed

IPSEC_STATUS_BAD_PACKET if the decryption gave back a strange packet

Definition at line 111 of file esp.c.

ipsec_status ipsec_esp_encapsulate (ipsec_ip_header *packet, int *offset, int *len, sad_entry *sa, __u32 src_addr, __u32 dest_addr)

Encapsulates an IP packet into an ESP packet which will again be added to an IP packet.

Parameters:
packet pointer to the IP packet
offset pointer to the offset which will point to the new encapsulated packet
len pointer to the length of the new encapsulated packet
sa pointer to the SA
src_addr source IP address of the outer IP header
dest_addr destination IP address of the outer IP header
Returns:
IPSEC_STATUS_SUCCESS if the packet was properly encapsulated

IPSEC_STATUS_TTL_EXPIRED if the TTL expired

IPSEC_STATUS_FAILURE if the SA contained a bad authentication algorithm

Todo:
fix TTL update and checksum calculation

id must be generated properly and incremented

1st packet needs to be sent out with squ = 1

Definition at line 230 of file esp.c.

__u8 ipsec_esp_get_padding (int len)

Returns the number of padding bytes needed for a given ESP packet size.

Parameters:
len the length of the packet
Returns:
the length of padding needed

Definition at line 90 of file esp.c.


Variable Documentation

__u32 ipsec_esp_bitmap = 0
 

Saved session state used to detect replays; must be 32 bits wide. Note: must be initialized with zero (0x00000000) when a new SA is established!

Definition at line 75 of file esp.c.

__u32 ipsec_esp_lastSeq = 0
 

Saved session state used to detect replays. Note: must be initialized with zero (0x00000000) when a new SA is established!

Definition at line 78 of file esp.c.
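
Added example, not code from esp.c: a sliding-window replay check of the kind a 32-bit bitmap and a last-sequence counter support, using the bitmap scheme commonly used for ESP anti-replay. The struct, function names and per-SA layout are assumptions (the page documents the state as two file-level variables), and the sequence numbers in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u   /* window size equals the width of the bitmap */

/* Hypothetical per-SA state; fields mirror the two documented variables. */
typedef struct {
    uint32_t bitmap;        /* bit i set => sequence (last_seq - i) was seen */
    uint32_t last_seq;      /* highest authenticated sequence number */
} replay_state;

/* Both fields must be zero when a new SA is established. */
void replay_init(replay_state *st) { st->bitmap = 0; st->last_seq = 0; }

/* Check only: 1 = acceptable, 0 = replayed or too old. Does not modify state. */
int replay_check(const replay_state *st, uint32_t seq)
{
    if (seq == 0) return 0;                           /* first valid number is 1 */
    if (seq > st->last_seq) return 1;                 /* would advance the window */
    if (st->last_seq - seq >= REPLAY_WINDOW) return 0; /* left of the window */
    return (st->bitmap & (UINT32_C(1) << (st->last_seq - seq))) == 0;
}

/* Update: call only after the ICV has verified, so that a forged packet
 * cannot move the window. Returns 1 if recorded, 0 if rejected. */
int replay_update(replay_state *st, uint32_t seq)
{
    if (!replay_check(st, seq)) return 0;
    if (seq > st->last_seq) {
        uint32_t diff = seq - st->last_seq;
        /* shifting a 32-bit value by >= 32 is undefined in C: clear instead */
        st->bitmap = (diff < REPLAY_WINDOW) ? (st->bitmap << diff) : 0;
        st->bitmap |= 1u;                             /* bit 0 is the new last_seq */
        st->last_seq = seq;
    } else {
        st->bitmap |= UINT32_C(1) << (st->last_seq - seq);
    }
    return 1;
}

int main(void)
{
    const uint32_t seqs[] = { 1, 1, 5, 3, 3, 40, 8, 9, 0 };  /* constructed input */
    replay_state st;
    replay_init(&st);
    for (unsigned i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %u -> %s\n", (unsigned)seqs[i],
               replay_update(&st, seqs[i]) ? "accept" : "drop");
    return 0;
}
```

Keeping the state in a per-SA structure prevents one SA's traffic from advancing or polluting another SA's window.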


Copyright 2003 by Christian Scheurer and Niklaus Schild