embedded IPsec source code documentation


ipsec.c File Reference


Detailed Description

embedded IPsec implementation (tunnel mode with manual keying only)

Author:
Christian Scheurer <http://www.christianscheurer.ch>
OUTLINE:

The different IPsec functions are glued together in this module. All intercepted inbound and outbound traffic that requires IPsec processing is passed to this module, and the packets are then processed according to their SA.

IMPLEMENTATION:

SA management uses the code of the sa.c module; the AH and ESP functionality of ah.c and esp.c is then used to process the packets properly.

NOTES:

This document is part of embedded IPsec
Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
All rights reserved.


Definition in file ipsec.c.

#include "ipsec/debug.h"
#include "ipsec/ipsec.h"
#include "ipsec/util.h"
#include "ipsec/sa.h"
#include "ipsec/ah.h"
#include "ipsec/esp.h"


Functions

int ipsec_input (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, db_set_netif *databases)
int ipsec_output (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, __u32 src, __u32 dst, spd_entry *spd)


Function Documentation

int ipsec_input (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, db_set_netif *databases)

IPsec input processing

This function is called by the ipsec device driver when a packet arrives with AH or ESP in the protocol field. An SA lookup gets the appropriate SA, which is then passed to the packet processing function ipsec_ah_check() or ipsec_esp_decapsulate(). After an IPsec packet has been processed successfully, a check together with an SPD lookup verifies that the packet was processed according to the right SA.

Parameters:
packet pointer used to access the intercepted original packet
packet_size length of the intercepted packet
payload_offset pointer used to return offset of the new IP packet relative to original packet pointer
payload_size pointer used to return total size of the new IP packet
databases Collection of all security policy databases for the active IPsec device
Returns:
int return status code

Definition at line 81 of file ipsec.c.
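Added example (not code from embedded IPsec) of the inbound flow described above for an AH tunnel-mode packet: SA lookup by outer destination address and SPI, followed by the check that the decapsulated inner packet matches the SA's selector. The demo_sa record, the demo_sad table and the sample packet are constructed assumptions; the ICV verification that ipsec_ah_check() performs is left out.

```c
/* Added example, not embedded IPsec code: inbound SA lookup plus post-processing
 * policy check for an AH tunnel-mode packet. demo_sa/demo_sad are simplified
 * assumptions, not the project's types; the AH ICV verification is omitted. */
#include <stdint.h>
#include <stddef.h>
#define IPSEC_PROTO_AH 51

typedef struct {               /* hypothetical SA record */
    uint32_t dst, spi;         /* inbound SA is selected by outer dst + SPI */
    uint32_t sel_src, sel_dst; /* inner addresses this SA is allowed to carry */
} demo_sa;

static const demo_sa demo_sad[] = {
    { 0xC6336401u, 0x1001u, 0x0A000005u, 0x0A000109u }, /* 198.51.100.1 / SPI 0x1001: 10.0.0.5 -> 10.0.1.9 */
};

/* Constructed sample: outer IPv4 (proto 51) | AH (SPI 0x1001, 96-bit ICV) | inner IPv4 */
const unsigned char demo_pkt[64] = {
    0x45,0,0,64, 0,0,0,0, 64,51,0,0, 192,0,2,1, 198,51,100,1,
    4,4,0,0, 0,0,0x10,0x01, 0,0,0,1, 0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
    0x45,0,0,20, 0,0,0,0, 64,17,0,0, 10,0,0,5, 10,0,1,9 };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* SA lookup by (outer dst, SPI); NULL when no SA matches. */
const demo_sa *demo_sa_lookup(uint32_t dst, uint32_t spi) {
    for (size_t i = 0; i < sizeof demo_sad / sizeof demo_sad[0]; i++)
        if (demo_sad[i].dst == dst && demo_sad[i].spi == spi) return &demo_sad[i];
    return NULL;
}

/* 0 on success (sets *payload_offset/*payload_size), -1 malformed, -2 no SA,
 * -3 inner packet does not match the SA's selector (the post-processing policy check). */
int demo_ipsec_input(const unsigned char *pkt, int size, int *payload_offset, int *payload_size) {
    if (size < 20 || (pkt[0] >> 4) != 4) return -1;
    int ihl = (pkt[0] & 0x0F) * 4;
    if (ihl < 20 || pkt[9] != IPSEC_PROTO_AH || size < ihl + 12) return -1;
    const unsigned char *ah = pkt + ihl;
    int inner = ihl + (ah[1] + 2) * 4;               /* AH payload len: 32-bit words minus 2 */
    if (ah[0] != 4 || size < inner + 20 || (pkt[inner] >> 4) != 4) return -1; /* tunnel: inner IPv4 */
    const demo_sa *sa = demo_sa_lookup(be32(pkt + 16), be32(ah + 4));
    if (!sa) return -2;
    /* ipsec_ah_check() would verify the ICV with sa's key here. Then confirm the
     * decapsulated header matches the SA, so a valid SA cannot carry other traffic. */
    if (be32(pkt + inner + 12) != sa->sel_src || be32(pkt + inner + 16) != sa->sel_dst) return -3;
    *payload_offset = inner; *payload_size = size - inner;
    return 0;
}
```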

int ipsec_output (unsigned char *packet, int packet_size, int *payload_offset, int *payload_size, __u32 src, __u32 dst, spd_entry *spd)

IPsec output processing

This function is called when outbound packets need IPsec processing. Depending on the SA passed via the SPD entry, either ipsec_ah_check() or ipsec_esp_encapsulate() is called to encapsulate the packet in an IPsec header.

Parameters:
packet pointer used to access the intercepted original packet
packet_size length of the intercepted packet
payload_offset pointer used to return offset of the new IP packet relative to original packet pointer
payload_size pointer used to return total size of the new IP packet
src IP address of the local tunnel start point (external IP address)
dst IP address of the remote tunnel end point (external IP address)
spd pointer to security policy database where the rules for IPsec processing are stored
Returns:
int return status code
Todo:
invoke IKE to generate a proper SA for this SPD entry

Definition at line 193 of file ipsec.c.


Copyright 2003 by Christian Scheurer and Niklaus Schild