ipsec.h

用于嵌入式系统的TCP/IP协议栈及若干服务

/*
*            Copyright (c) 1998-2001 by NETsilicon Inc.
*
*  This software is copyrighted by and is the sole property of
*  NETsilicon.  All rights, title, ownership, or other interests
*  in the software remain the property of NETsilicon.  This
*  software may only be used in accordance with the corresponding
*  license agreement.  Any unauthorized use, duplication, transmission,
*  distribution, or disclosure of this software is expressly forbidden.
*
*  This Copyright notice may not be removed or modified without prior
*  written consent of NETsilicon.
*
*  NETsilicon, reserves the right to modify this software
*  without notice.
*
*  NETsilicon
*  411 Waverley Oaks Road                  USA 781.647.1234
*  Suite 227                               http://www.netsilicon.com
*  Waltham, MA 02452                       AmericaSales@netsilicon.com
*
*************************************************************************
*  $Name: Fusion 6.52 Fusion 6.51 $
*  $Date: 2001/10/05 15:18:45 $
*  $Source: M:/psisrc/routing/incl/rcs/ipsec.h $
*  $Revision: 1.4 $
*************************************************************************
*  File Description: IP security defines 
*************************************************************************/

/* MD5.H - header file for MD5C.C */
/***
 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
 * rights reserved.
 *
 * License to copy and use this software is granted provided that it
 * is identified as the "RSA Data Security, Inc. MD5 Message-Digest
 * Algorithm" in all material mentioning or referencing this software
 * or this function.
 *
 * License is also granted to make and use derivative works provided
 * that such works are identified as "derived from the RSA Data
 * Security, Inc. MD5 Message-Digest Algorithm" in all material
 * mentioning or referencing the derived work.
 *
 * RSA Data Security, Inc. makes no representations concerning either
 * the merchantability of this software or the suitability of this
 * software for any particular purpose. It is provided "as is"
 * without express or implied warranty of any kind.
 *
 * These notices must be retained in any copies of any part of this
 * documentation and/or software.
   ***/ 

/* PROTOTYPES should be set to one if and only if the compiler supports
   function argument prototyping. The following makes PROTOTYPES default to
   0 if it has not already been defined with C compiler flags. */

#ifndef PROTOTYPES
#define PROTOTYPES 0
#endif

/* POINTER defines a generic pointer type */
typedef unsigned char *POINTER;

/* UINT2 defines a two byte word */
typedef unsigned short int UINT2;

/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. If
   using PROTOTYPES, then PROTO_LIST returns the list, otherwise it returns
   an empty list. */

#ifdef PROTOTYPES
#define PROTO_LIST(list) list
#else
#define PROTO_LIST(list) ()
#endif

#if 0 /* Not Used by FUSION.  It has its own MD5 Library */
/* UINT4 defines a four byte word */
typedef unsigned long int UINT4;
/* MD5 context. */
#define MAX_AUTH_DATA_LEN 32
typedef struct {
	/* note size is 5 so we can share ctx with SHA */
	UINT4               state[MAX_AUTH_DATA_LEN >>2];		/* state (ABCD) */
	UINT4               count[2];		/* # of bits, modulo 2^64 (lsb first) */
	unsigned char       buffer[MAX_AUTH_DATA_LEN <<1];		/* input buffer */
}                   MD5_CTX,HASH_CTX;

void MD5Init        PROTO_LIST((MD5_CTX *));
void MD5Update      PROTO_LIST((MD5_CTX *, unsigned char *, unsigned int));
void MD5Final		PROTO_LIST((unsigned char *, MD5_CTX *));
#else
#include "md5.h"
#define HASH_CTX MD5_CTX

#endif

/* a security association */
#define IP_MAX_KEYLEN 64
typedef struct sec_assn{
	struct sec_assn	*sa_fwd;
	struct sec_assn	*sa_bwd;
	struct sec_assn	*sa_other; /*other 1/2 of sa pair*/
	/* if this is new inbound SA when rekeying, points to
	   original inbound SA
	*/ 
	struct sec_assn     *sa_rekey;
	unsigned long	dest;
	unsigned long	src;
#if IPV6
	unsigned char	v6dest[16];
	unsigned char	v6src[16];
#endif
	int			state;
	unsigned long  lifebytes;
	unsigned long  liferekey;
	unsigned long  currbytes;
	unsigned long	aspi;
	unsigned long  atype;		/* ah type */
	HASH_CTX		acontext[2];
	unsigned char  akeyblk[IP_MAX_KEYLEN];
	unsigned  long	akeylen;
	unsigned char  areplay;
	unsigned long  aseq;
	unsigned long  aseq_bitmap;
	unsigned long	espi;
	unsigned long	etype;		/* esp type */
	unsigned char	ekey[IP_MAX_KEYLEN];
	unsigned  long	ekeylen;
	unsigned char	eiv[IP_MAX_KEYLEN];
	unsigned  long	eivlen;
	unsigned char  *e_rsakey;
	unsigned char  ereplay;
	unsigned long  eseq;
	unsigned long  eseq_bitmap;
	/* esp authentication */
	unsigned long  espatype;		/* ah type */
	HASH_CTX		espacontext[2];
	unsigned char  espakeyblk[IP_MAX_KEYLEN];
	unsigned  long	espakeylen;
}SECA;

#define SECA_STATE_INACTIVE 0
#define SECA_STATE_ACTIVE   1
#define SECA_STATE_CWAIT    2
#define SECA_STATE_REKEY    3

#define ESPTYPE_TEST	0xff

#define AREPLAY_DEF      1

/* the authentication header */
#define MAX_AUTH_DATA_LEN 32
#define AUTH_HDR_LEN 12
typedef struct{
	unsigned char	nexthdr;		/* next protocol */
	unsigned char	len;			/* len of hdr */
	unsigned char	res[2];		/* reserved */
	unsigned char	spi[4];		/* params index */
	unsigned char	seq[4];		/* anti-replay*/
	unsigned char	audata[MAX_AUTH_DATA_LEN];	/* 128 bits */
}AUTH_HDR;

#define HASH_LEN_MD5	16
#define HASH_LEN_SHA	20

/* the encryption header */
#define MAX_ESP_IV_LEN 8
#define ESP_HDR_LEN 8
typedef struct{
	unsigned char	spi[4];		/* params index */
	unsigned char  seq[4];
	unsigned char	iv[MAX_ESP_IV_LEN];	/*vector */
}ESP_HDR;


/* client pair structure */
#define IPSEC_MAX_IDLEN  32
typedef struct ipsec_clinfo{
	int    clen;		/* len of client info */
	byte   cinfo[IPSEC_MAX_IDLEN]; /* client string (fqdn,addr,etc) */
}IPSEC_CLINFO;

#define ipsec_idtype cinfo[0]
#define ipsec_idprot cinfo[1]
#define ipsec_idport cinfo[2]

typedef struct ipsec_clpair{
	IPSEC_CLINFO   l;
	IPSEC_CLINFO   r;
}IPSEC_CLIENT_PAIR;

/* key info about an SA bundle */
typedef struct ipsec_sakinfo{
	dword  lifekbytes;
	dword  aspi;		/* AH spi */
	dword  atype;		/* ah type */
	dword  akeylen;
	byte   akey[IP_MAX_KEYLEN];
	dword  espi;		/* ESP spi */
	dword  etype;		/* esp type */
	dword  ekeylen;
	byte   ekey[IP_MAX_KEYLEN];
	dword  eivlen;
	byte   eiv[IP_MAX_KEYLEN];  /* ESP IV */
	dword  eatype;		/* esp auth type */
	dword  eakeylen;
	byte   eakey[IP_MAX_KEYLEN];
	int    replay;
}IPSEC_SA_KINFO;

#define DOI_IPSEC		1

/* isakmp callback codes */
#define IPSEC_OPEN          1
#define IPSEC_OPEN_CWAIT    2
#define IPSEC_OPEN_REKEY1   3
#define IPSEC_OPEN_REKEY2   4
#define IPSEC_CLOSED        5
#define IPSEC_COMMITTED     6
#define IPSEC_FAILED        7

/* define ranges for client versus isakmp generated spi's
   to allow manual keying in the client
*/
#define IPSEC_MANSPI_MAX   1000

/* sha1 stuff */
void SHA1Init        PROTO_LIST((HASH_CTX *));
void SHA1Update      PROTO_LIST((HASH_CTX *, unsigned char *, unsigned int));
void SHA1Final		PROTO_LIST((unsigned char *, HASH_CTX *));


#if P2_IP
fnc_prot(SECA *,ipsecFindSA,(ipa,ipa))
fnc_prot(SECA *,ipsecFindSA,(ipa ,ipa))
fnc_prot(SECA *,ipsecFindSAFromSpi,(ipa,dword,int))
fnc_prot(SECA *,ipAddSA,( ipa, ipa,IPSEC_SA_KINFO *))
fnc_prot(int, ipDelSA,( ipa,ipa))
fnc_prot(int, ipBuildSecureHdr,( byte *, int,ipa,ipa, snad_pt *,byte *,int))
fnc_prot(int, ipParseSecureHeader,(byte *,int,ipa,ipa ,int,void *))
fnc_prot(int,ipSecDesEncrypt,(byte *,int,byte *,int,SECA *,byte))
fnc_prot(int,ipSecNullEncrypt,(byte *,int,byte *,int,SECA *,byte))
fnc_prot(byte *,ipSecDesEncrInit,(byte *,int))

#endif