// Forward reference: IpsecSadEntry is an alias for struct _IpsecSadEntry so the
// SAD entry type can be named (e.g. through a pointer) ahead of its full definition.
36 #define IpsecSadEntry struct _IpsecSadEntry
39 #include "ipsec_config.h"
// CycloneIPSEC Open is distributed under the GPL; the build is refused unless
// the integrator explicitly defines GPL_LICENSE_TERMS_ACCEPTED.
75 #ifndef GPL_LICENSE_TERMS_ACCEPTED
76 #error Before compiling CycloneIPSEC Open, you must accept the terms of the GPL license
// Library version, exposed as a string and as numeric components. The three
// numbers below must be kept in sync with the string.
80 #define CYCLONE_IPSEC_VERSION_STRING "2.4.0"
82 #define CYCLONE_IPSEC_MAJOR_VERSION 2
84 #define CYCLONE_IPSEC_MINOR_VERSION 4
86 #define CYCLONE_IPSEC_REV_NUMBER 0
// IPsec support defaults to ENABLED when not set (presumably via ipsec_config.h;
// the enclosing #ifndef is not shown here). Any value other than ENABLED or
// DISABLED is a build error rather than being silently treated as either.
90 #define IPSEC_SUPPORT ENABLED
91 #elif (IPSEC_SUPPORT != ENABLED && IPSEC_SUPPORT != DISABLED)
92 #error IPSEC_SUPPORT parameter is not valid
// Anti-replay protection (the sliding-window sequence-number check of
// RFC 4303 section 3.4.3). Defaults to ENABLED.
// NOTE(review): disabling it presumably drops the per-SA window
// (antiReplayWindow / antiReplayEnabled in the SAD entry), leaving received
// AH/ESP packets open to replay -- keep it ENABLED unless the deployment has
// a specific reason not to.
96 #ifndef IPSEC_ANTI_REPLAY_SUPPORT
97 #define IPSEC_ANTI_REPLAY_SUPPORT ENABLED
98 #elif (IPSEC_ANTI_REPLAY_SUPPORT != ENABLED && IPSEC_ANTI_REPLAY_SUPPORT != DISABLED)
99 #error IPSEC_ANTI_REPLAY_SUPPORT parameter is not valid
// Anti-replay window width, in sequence numbers. The SAD entry stores it as a
// bitmap of (IPSEC_ANTI_REPLAY_WINDOW_SIZE+31)/32 uint32_t words, so widths
// that are not a multiple of 32 round up to the next whole word.
// NOTE(review): the only validation is >= 1. RFC 4303 section 3.4.3 requires
// support for a window of at least 32 packets and recommends 64 as the
// default; a value below 32 is accepted here without any diagnostic. Confirm
// that is intended, or tighten the check to (IPSEC_ANTI_REPLAY_WINDOW_SIZE < 32).
103 #ifndef IPSEC_ANTI_REPLAY_WINDOW_SIZE
104 #define IPSEC_ANTI_REPLAY_WINDOW_SIZE 64
105 #elif (IPSEC_ANTI_REPLAY_WINDOW_SIZE < 1)
106 #error IPSEC_ANTI_REPLAY_WINDOW_SIZE parameter is not valid
// Maximum identity and pre-shared-key sizes for PAD entries (see idLen / pskLen).
// NOTE(review): these two checks reject only negative values, so 0 passes,
// whereas the key-length checks that follow reject anything below 1. If these
// macros size fixed arrays the way IPSEC_MAX_ENC_KEY_LEN sizes encKey[], a
// value of 0 produces a zero-length array, which is not valid ISO C. Consider
// (IPSEC_MAX_ID_LEN < 1) and (IPSEC_MAX_PSK_LEN < 1) for consistency.
110 #ifndef IPSEC_MAX_ID_LEN
111 #define IPSEC_MAX_ID_LEN 64
112 #elif (IPSEC_MAX_ID_LEN < 0)
113 #error IPSEC_MAX_ID_LEN is not valid
117 #ifndef IPSEC_MAX_PSK_LEN
118 #define IPSEC_MAX_PSK_LEN 64
119 #elif (IPSEC_MAX_PSK_LEN < 0)
120 #error IPSEC_MAX_PSK_LEN is not valid
// Maximum key sizes for the per-SA key buffers encKey[] and authKey[].
// NOTE(review): 36 looks like a 32-byte cipher key plus a 4-byte salt for the
// AEAD/counter modes (the SAD entry carries a separate saltLen) -- confirm.
// 64 bytes matches the largest HMAC key used for IPsec integrity
// (HMAC-SHA-512, RFC 4868).
// These bounds only size the buffers. ipsecSetSadEntry (not visible here) must
// reject an encKeyLen / authKeyLen above them rather than truncate: a silently
// truncated key is a weaker key, not an error.
124 #ifndef IPSEC_MAX_ENC_KEY_LEN
125 #define IPSEC_MAX_ENC_KEY_LEN 36
126 #elif (IPSEC_MAX_ENC_KEY_LEN < 1)
127 #error IPSEC_MAX_ENC_KEY_LEN parameter is not valid
131 #ifndef IPSEC_MAX_AUTH_KEY_LEN
132 #define IPSEC_MAX_AUTH_KEY_LEN 64
133 #elif (IPSEC_MAX_AUTH_KEY_LEN < 1)
134 #error IPSEC_MAX_AUTH_KEY_LEN parameter is not valid
// Security Parameter Index: the 32-bit field carried in the AH/ESP header
// (the SAD entry's spi is a uint32_t).
138 #define IPSEC_SPI_SIZE 4
// Traffic-selector wildcards. A next-layer protocol of 0 stands for "any".
141 #define IPSEC_PROTOCOL_ANY 0
// A port range of 0..65535 matches any port.
144 #define IPSEC_PORT_START_ANY 0
145 #define IPSEC_PORT_END_ANY 65535
// OPAQUE (RFC 4301 section 4.4.1.1: the port fields cannot be examined, e.g.
// in a non-initial fragment) uses the IKEv2 encoding of RFC 7296
// section 3.13.1, an inverted range with start 65535 and end 0. Matching code
// has to recognise start > end explicitly; it is not a normal range.
148 #define IPSEC_PORT_START_OPAQUE 65535
149 #define IPSEC_PORT_END_OPAQUE 0
// ICMP type and code packed into the 16-bit "port" selector: type in the high
// byte, code in the low byte, as RFC 4301 section 4.4.1.1 prescribes. Both
// arguments are parenthesised; the caller must pass a code below 256, or it
// spills into the type byte.
152 #define IPSEC_ICMP_PORT(type, code) (((type) * 256) + (code))
369 #if (ESP_SUPPORT == ENABLED)
387 #if (IPSEC_ANTI_REPLAY_SUPPORT == ENABLED)
443 #if (AH_CMAC_SUPPORT == ENABLED || ESP_CMAC_SUPPORT == ENABLED)
446 #if (AH_HMAC_SUPPORT == ENABLED || ESP_HMAC_SUPPORT == ENABLED)
449 #if (ESP_SUPPORT == ENABLED)
AH (IP Authentication Header)
Collection of AEAD algorithms.
Block cipher modes of operation.
General definitions for cryptographic algorithms.
CipherMode
Cipher operation modes.
ESP (IP Encapsulating Security Payload)
Collection of hash algorithms.
ICMP (Internet Control Message Protocol)
error_t ipsecSetSpdEntry(IpsecContext *context, uint_t index, IpsecSpdEntry *params)
Set entry at specified index in SPD database.
void ipsecGetDefaultSettings(IpsecSettings *settings)
Initialize settings with default values.
#define IPSEC_MAX_PSK_LEN
error_t ipsecSetSadEntry(IpsecContext *context, uint_t index, IpsecSadEntry *params)
Set entry at specified index in SAD database.
#define IPSEC_ANTI_REPLAY_WINDOW_SIZE
error_t ipsecInit(IpsecContext *context, const IpsecSettings *settings)
IPsec service initialization.
IpsecPolicyAction
Policy action.
@ IPSEC_POLICY_ACTION_PROTECT
@ IPSEC_POLICY_ACTION_INVALID
@ IPSEC_POLICY_ACTION_DISCARD
@ IPSEC_POLICY_ACTION_BYPASS
IpsecSaState
IPsec SAD entry state.
@ IPSEC_SA_STATE_RESERVED
IpsecDfPolicy
DF flag policy.
error_t ipsecSetPadEntry(IpsecContext *context, uint_t index, IpsecPadEntry *params)
Set entry at specified index in PAD database.
IpsecProtocol
Security protocols.
IpsecMode
IPsec protocol modes.
IpsecAuthMethod
Authentication methods.
@ IPSEC_AUTH_METHOD_IKEV2
@ IPSEC_AUTH_METHOD_IKEV1
@ IPSEC_AUTH_METHOD_INVALID
@ IPSEC_PFP_FLAG_LOCAL_PORT
@ IPSEC_PFP_FLAG_REMOTE_PORT
@ IPSEC_PFP_FLAG_LOCAL_ADDR
@ IPSEC_PFP_FLAG_REMOTE_ADDR
@ IPSEC_PFP_FLAG_NEXT_PROTOCOL
error_t ipsecClearSadEntry(IpsecContext *context, uint_t index)
Clear entry at specified index in SAD database. The entry holds key material (encKey, authKey); confirm the implementation wipes those buffers rather than only resetting the entry state.
#define IPSEC_MAX_ENC_KEY_LEN
error_t ipsecClearSpdEntry(IpsecContext *context, uint_t index)
Clear entry at specified index in SPD database.
#define IPSEC_MAX_AUTH_KEY_LEN
@ IPSEC_ID_TYPE_KEY_ID
Key ID.
@ IPSEC_ID_TYPE_IPV6_ADDR
IPv6 address.
@ IPSEC_ID_TYPE_RFC822_ADDR
RFC 822 email address.
@ IPSEC_ID_TYPE_IPV4_ADDR
IPv4 address.
@ IPSEC_ID_TYPE_FQDN
Fully-qualified domain name.
@ IPSEC_ID_TYPE_DN
X.500 distinguished name.
error_t ipsecClearPadEntry(IpsecContext *context, uint_t index)
Clear entry at specified index in PAD database.
Collection of MAC algorithms.
uint32_t systime_t
System time.
Security Association Database (SAD) entry.
CipherMode cipherMode
Cipher mode of operation.
uint32_t antiReplayWindow[(IPSEC_ANTI_REPLAY_WINDOW_SIZE+31)/32]
Anti-replay window bitmap, sized to IPSEC_ANTI_REPLAY_WINDOW_SIZE bits (rounded up to whole 32-bit words).
bool_t esn
Extended sequence numbers.
size_t ivLen
Length of the initialization vector, in bytes.
const HashAlgo * authHashAlgo
Hash algorithm for HMAC-based integrity calculations.
size_t icvLen
Length of the ICV tag, in bytes.
uint64_t seqNum
Sequence number counter (64-bit, so it can hold extended sequence numbers).
const CipherAlgo * authCipherAlgo
Cipher algorithm for CMAC-based integrity calculations.
uint8_t iv[16]
Initialization vector.
const CipherAlgo * cipherAlgo
Cipher algorithm.
IpsecMode mode
IPsec mode (tunnel or transport)
IpsecSaState state
SAD entry state.
uint8_t authKey[IPSEC_MAX_AUTH_KEY_LEN]
Integrity protection key.
CipherContext cipherContext
Cipher context.
IpsecDfPolicy dfPolicy
DF flag policy.
bool_t antiReplayEnabled
Anti-replay mechanism enabled.
size_t authKeyLen
Length of the integrity protection key, in bytes.
size_t saltLen
Length of the salt, in bytes.
size_t encKeyLen
Length of the encryption key, in bytes.
IpsecDirection direction
Direction.
uint8_t encKey[IPSEC_MAX_ENC_KEY_LEN]
Encryption key.
uint32_t spi
Security parameter index.
systime_t lifetimeStart
Timestamp at which the SA's lifetime started.
IpAddr tunnelDestIpAddr
Tunnel header IP destination address.
IpsecProtocol protocol
Security protocol (AH or ESP)
IpsecSelector selector
Traffic selector.
Common interface for encryption algorithms.
Common interface for hash algorithms.
uint_t numSpdEntries
Number of entries in the SPD database.
IpsecSadEntry * sad
Security Association Database (SAD)
IpsecPadEntry * pad
Peer Authorization Database (PAD)
const PrngAlgo * prngAlgo
Pseudo-random number generator to be used.
CmacContext cmacContext
CMAC context.
uint_t numSadEntries
Number of entries in the SAD database.
HmacContext hmacContext
HMAC context.
uint_t numPadEntries
Number of entries in the PAD database.
IpsecSpdEntry * spd
Security Policy Database (SPD)
void * prngContext
Pseudo-random number generator context.
IpAddr remoteIpAddr
Remote IP address.
IpAddr localIpAddr
Local IP address.
uint16_t remotePort
Remote port.
uint8_t nextProtocol
Next layer protocol.
uint16_t localPort
Local port.
Peer Authorization Database (PAD) entry.
size_t trustedCaListLen
Length of the trusted CA list (PEM format), in bytes.
IpsecAuthMethod authMethod
Authentication method (IKEv1, IKEv2, KINK)
size_t pskLen
Length of the pre-shared key, in bytes.
IpsecIdType idType
ID type.
const char_t * trustedCaList
size_t idLen
Length of the ID, in bytes.
IpsecPortRange localPort
Local port range.
IpsecAddrRange localIpAddr
Local IP address range.
IpsecAddrRange remoteIpAddr
Remote IP address range.
uint8_t nextProtocol
Next layer protocol.
IpsecPortRange remotePort
Remote port range.
uint_t numSpdEntries
Number of entries in the SPD database.
const PrngAlgo * prngAlgo
Pseudo-random number generator to be used.
IpsecPadEntry * padEntries
Peer Authorization Database (PAD)
IpsecSadEntry * sadEntries
Security Association Database (SAD)
uint_t numSadEntries
Number of entries in the SAD database.
uint_t numPadEntries
Number of entries in the PAD database.
IpsecSpdEntry * spdEntries
Security Policy Database (SPD)
void * prngContext
Pseudo-random number generator context.
Security Policy Database (SPD) entry.
IpsecPolicyAction policyAction
Processing choice (DISCARD, BYPASS or PROTECT)
bool_t esn
Extended sequence numbers.
IpAddr remoteTunnelAddr
Remote tunnel IP address.
IpAddr localTunnelAddr
Local tunnel IP address.
IpsecMode mode
IPsec mode (tunnel or transport)
uint_t pfpFlags
PFP flags.
IpsecProtocol protocol
Security protocol (AH or ESP)
IpsecSelector selector
Traffic selector.
TCP (Transmission Control Protocol)
UDP (User Datagram Protocol)
Generic cipher algorithm context.
IpsecAddrRange ipAddr
IPv4 or IPv6 address range.