embedded IPsec source code documentation


ah.c File Reference


Detailed Description

RFC2402 - IP Authentication Header (AH).

Author:
Christian Scheurer <http://www.christianscheurer.ch>
OUTLINE: The AH functions are used to authenticate IPsec traffic.

IMPLEMENTATION: All functions work in-place (i.e. they manipulate the original packet directly without copying any data). For the encapsulation routine, the caller must ensure that space for the new IP and AH header is available in front of the packet:

                                         | pointer to packet header
 _______________________________________\/_________________________
|          ¦             ¦               ¦                         |
| Ethernet ¦    newIP    ¦    AH, ICV    ¦ original (inner) packet |
|__________¦_____________¦_______________¦_________________________|
           ¦ <-- room for new headers -->¦

This document is part of embedded IPsec
Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
All rights reserved.
This file contains code from the OpenSSL Project
portions Copyright (c) 1998-2003 OpenSSL (www.openssl.org)


Definition in file ah.c.

#include <string.h>
#include "ipsec/ipsec.h"
#include "ipsec/util.h"
#include "ipsec/debug.h"
#include "ipsec/sa.h"
#include "ipsec/md5.h"
#include "ipsec/sha1.h"
#include "ipsec/ah.h"


Functions

int ipsec_ah_check (ipsec_ip_header *outer_packet, int *payload_offset, int *payload_size, sad_entry *sa)
int ipsec_ah_encapsulate (ipsec_ip_header *inner_packet, int *payload_offset, int *payload_size, sad_entry *sa, __u32 src, __u32 dst)

Variables

__u32 ipsec_ah_bitmap = 0
__u32 ipsec_ah_lastSeq = 0


Function Documentation

int ipsec_ah_check (ipsec_ip_header *outer_packet, int *payload_offset, int *payload_size, sad_entry *sa)

Checks AH header and ICV (RFC 2402). Mutable fields of the outer IP header are set to zero prior to the ICV calculation.

Todo:
Extend function to support transport mode
Parameters:
outer_packet pointer used to access the (outer) IP packet which has to be checked
payload_offset pointer used to return offset of inner (original) IP packet relative to the start of the outer header
payload_size pointer used to return total size of the inner (original) IP packet
sa pointer to security association holding the secret authentication key
Returns:
IPSEC_STATUS_SUCCESS packet could be authenticated

IPSEC_STATUS_FAILURE packet is corrupted or ICV does not match

IPSEC_STATUS_NOT_IMPLEMENTED invalid mode (only IPSEC_TUNNEL mode is implemented)

Definition at line 100 of file ah.c.

int ipsec_ah_encapsulate (ipsec_ip_header *inner_packet, int *payload_offset, int *payload_size, sad_entry *sa, __u32 src, __u32 dst)

Adds AH and outer IP header, calculates ICV (RFC 2402).

Warning:
Attention: this function requires room (IPSEC_AH_HDR_SIZE + IPSEC_AUTH_ICV + IPSEC_MIN_IPHDR_SIZE) in front of the inner_packet pointer to add the outer IP header and the AH header. Depending on the TCP/IP stack implementation, additional space for the link layer (Ethernet header) should be added.

Todo:
Extend function to support transport mode
Parameters:
inner_packet pointer used to access the (outer) IP packet which has to be checked
payload_offset pointer used to return offset of inner (original) IP packet relative to the start of the outer header
payload_size pointer used to return total size of the inner (original) IP packet
src IP address of the local tunnel start point (external IP address)
dst IP address of the remote tunnel end point (external IP address)
sa pointer to security association holding the secret authentication key
Returns:
IPSEC_STATUS_SUCCESS packet could be authenticated

IPSEC_STATUS_FAILURE packet is corrupted or ICV does not match

IPSEC_STATUS_NOT_IMPLEMENTED invalid mode (only IPSEC_TUNNEL mode is implemented)

Todo:
fix TTL update and checksum calculation

id must be generated properly and incremented

Definition at line 214 of file ah.c.


Variable Documentation

__u32 ipsec_ah_bitmap = 0
 

save session state to detect replays - must be 32 bits. Note: must be initialized with zero (0x00000000) when a new SA is established!

Definition at line 76 of file ah.c.

__u32 ipsec_ah_lastSeq = 0
 

save session state to detect replays. Note: must be initialized with zero (0x00000000) when a new SA is established!

Definition at line 79 of file ah.c.


Copyright 2003 by Christian Scheurer and Niklaus Schild