ipsec.c File Reference
Detailed Description
embedded IPsec implementation (tunnel mode with manual keying only)
- Author:
- Christian Scheurer <http://www.christianscheurer.ch>
OUTLINE:
The different IPsec functions are glued together in this module. All intercepted inbound and outbound traffic that requires IPsec processing is passed here, and the packets are then processed according to their SA.
IMPLEMENTATION:
The SA management code of the sa.c module is used. The AH and ESP functionality of ah.c and esp.c is then used to process the packets properly.
NOTES:
This document is part of embedded IPsec
Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
All rights reserved.
Definition in file ipsec.c.
#include "ipsec/debug.h"
#include "ipsec/ipsec.h"
#include "ipsec/util.h"
#include "ipsec/sa.h"
#include "ipsec/ah.h"
#include "ipsec/esp.h"
Functions
- int ipsec_input (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, db_set_netif *databases)
- int ipsec_output (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, __u32 src, __u32 dst, spd_entry *spd)
Function Documentation
int ipsec_input (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, db_set_netif *databases)
IPsec input processing
This function is called by the IPsec device driver when a packet arrives with AH or ESP in the protocol field. An SA lookup obtains the appropriate SA, which is then passed to the packet processing function ipsec_ah_check() or ipsec_esp_decapsulate(). After an IPsec packet has been processed successfully, a check together with an SPD lookup verifies that the packet was processed according to the right SA.
- Parameters:
  - packet: pointer used to access the intercepted original packet
  - packet_size: length of the intercepted packet
  - payload_offset: pointer used to return the offset of the new IP packet relative to the original packet pointer
  - payload_size: pointer used to return the total size of the new IP packet
  - databases: collection of all security policy databases for the active IPsec device
- Returns:
  - int return status code
Definition at line 81 of file ipsec.c.
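The inbound control flow described above (SA lookup keyed on the outer protocol field and SPI, then an SPD check that the decapsulated packet really belongs to the SA that carried it), as an added self-contained C illustration. This is not the embedded IPsec code: the sa_t/spd_t types, the SAD/SPD tables and the sample packets are all constructed here, and the AH/ESP processing step itself is left out.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical types and tables: NOT the embedded IPsec sa.h/ipsec.h definitions. */
#define IPSEC_PROTO_ESP 50
#define IPSEC_PROTO_AH  51
enum { IPSEC_OK = 0, IPSEC_ERR_POLICY = -1 };
typedef struct { uint32_t spi; uint8_t proto; } sa_t;
typedef struct { uint32_t src, src_mask, dst, dst_mask; const sa_t *sa; } spd_t;
/* Constructed SAD and SPD: the ESP SA (SPI 0x1000) is the only SA allowed to carry
 * inner traffic 10.0.0.0/24 -> 192.168.1.0/24; the AH SA (SPI 0x2000) has no rule. */
static const sa_t  sad[] = { { 0x1000, IPSEC_PROTO_ESP }, { 0x2000, IPSEC_PROTO_AH } };
static const spd_t spd[] = { { 0x0A000000, 0xFFFFFF00, 0xC0A80100, 0xFFFFFF00, &sad[0] } };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Step 1: pick the SA from the outer IPv4 protocol field and the SPI that follows
 * the IP header (first word of ESP, second word of AH). NULL means "drop". */
static const sa_t *sa_lookup(const uint8_t *pkt, int len) {
    if (len < 20) return NULL;
    int ihl = (pkt[0] & 0x0F) * 4, spi_off;
    uint8_t proto = pkt[9];
    if (proto == IPSEC_PROTO_ESP) spi_off = ihl;
    else if (proto == IPSEC_PROTO_AH) spi_off = ihl + 4;
    else return NULL;
    if (spi_off + 4 > len) return NULL;            /* truncated header: reject */
    uint32_t spi = rd32(pkt + spi_off);
    for (size_t i = 0; i < sizeof sad / sizeof sad[0]; i++)
        if (sad[i].spi == spi && sad[i].proto == proto) return &sad[i];
    return NULL;
}

/* Step 2: after AH/ESP processing, the decapsulated inner packet must match an SPD
 * rule bound to the very SA that carried it; otherwise it is rejected. */
static int spd_check(const uint8_t *inner, int len, const sa_t *sa) {
    if (len < 20) return IPSEC_ERR_POLICY;
    uint32_t src = rd32(inner + 12), dst = rd32(inner + 16);
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        if ((src & spd[i].src_mask) == spd[i].src &&
            (dst & spd[i].dst_mask) == spd[i].dst && spd[i].sa == sa)
            return IPSEC_OK;
    return IPSEC_ERR_POLICY;
}

/* Constructed samples: outer IPv4+ESP header (SPI 0x1000) and two inner IPv4 headers. */
static const uint8_t outer_esp[] = { 0x45,0,0,28, 0,0,0,0, 64,50, 0,0, 1,2,3,4, 5,6,7,8, 0,0,0x10,0, 0,0,0,1 };
static const uint8_t inner_ok[]  = { 0x45,0,0,20, 0,0,0,0, 64,17, 0,0, 10,0,0,5, 192,168,1,7 };
static const uint8_t inner_bad[] = { 0x45,0,0,20, 0,0,0,0, 64,17, 0,0, 172,16,0,1, 192,168,1,7 };
```

The last assertion-worthy case is the one the SPD check exists for: inner traffic that is allowed by policy but arrived over a different SA than the one the rule is bound to is rejected just like traffic that matches no rule at all.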
int ipsec_output (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, __u32 src, __u32 dst, spd_entry *spd)
IPsec output processing
This function is called when outbound packets need IPsec processing. Depending on the SA passed via the SPD entry, ipsec_ah_check() or ipsec_esp_encapsulate() is called to encapsulate the packet in an IPsec header.
- Parameters:
  - packet: pointer used to access the intercepted original packet
  - packet_size: length of the intercepted packet
  - payload_offset: pointer used to return the offset of the new IP packet relative to the original packet pointer
  - payload_size: pointer used to return the total size of the new IP packet
  - src: IP address of the local tunnel start point (external IP address)
  - dst: IP address of the remote tunnel end point (external IP address)
  - spd: pointer to the security policy database where the rules for IPsec processing are stored
- Returns:
  - int return status code
- Todo:
  - invoke IKE to generate a proper SA for this SPD entry
Definition at line 193 of file ipsec.c.