ah.h
Go to the documentation of this file.
1 /**
2  * @file ah.h
3  * @brief AH (IP Authentication Header)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2022-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneIPSEC Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.5.0
29  **/
30 
31 #ifndef _AH_H
32 #define _AH_H
33 
34 //Dependencies
35 #include "ipsec/ipsec.h"
36 
37 //AH support
38 #ifndef AH_SUPPORT
39  #define AH_SUPPORT DISABLED
40 #elif (AH_SUPPORT != ENABLED && AH_SUPPORT != DISABLED)
41  #error AH_SUPPORT parameter is not valid
42 #endif
43 
44 //Extended Sequence Numbers support
45 #ifndef AH_ESN_SUPPORT
46  #define AH_ESN_SUPPORT ENABLED
47 #elif (AH_ESN_SUPPORT != ENABLED && AH_ESN_SUPPORT != DISABLED)
48  #error AH_ESN_SUPPORT parameter is not valid
49 #endif
50 
51 //CMAC integrity support
52 #ifndef AH_CMAC_SUPPORT
53  #define AH_CMAC_SUPPORT DISABLED
54 #elif (AH_CMAC_SUPPORT != ENABLED && AH_CMAC_SUPPORT != DISABLED)
55  #error AH_CMAC_SUPPORT parameter is not valid
56 #endif
57 
58 //HMAC integrity support
59 #ifndef AH_HMAC_SUPPORT
60  #define AH_HMAC_SUPPORT ENABLED
61 #elif (AH_HMAC_SUPPORT != ENABLED && AH_HMAC_SUPPORT != DISABLED)
62  #error AH_HMAC_SUPPORT parameter is not valid
63 #endif
64 
65 //KMAC128 integrity support (experimental)
66 #ifndef AH_KMAC128_SUPPORT
67  #define AH_KMAC128_SUPPORT DISABLED
68 #elif (AH_KMAC128_SUPPORT != ENABLED && AH_KMAC128_SUPPORT != DISABLED)
69  #error AH_KMAC128_SUPPORT parameter is not valid
70 #endif
71 
72 //KMAC256 integrity support (experimental)
73 #ifndef AH_KMAC256_SUPPORT
74  #define AH_KMAC256_SUPPORT DISABLED
75 #elif (AH_KMAC256_SUPPORT != ENABLED && AH_KMAC256_SUPPORT != DISABLED)
76  #error AH_KMAC256_SUPPORT parameter is not valid
77 #endif
78 
79 //AES 128-bit cipher support
80 #ifndef AH_AES_128_SUPPORT
81  #define AH_AES_128_SUPPORT DISABLED
82 #elif (AH_AES_128_SUPPORT != ENABLED && AH_AES_128_SUPPORT != DISABLED)
83  #error AH_AES_128_SUPPORT parameter is not valid
84 #endif
85 
86 //MD5 hash support (insecure)
87 #ifndef AH_MD5_SUPPORT
88  #define AH_MD5_SUPPORT DISABLED
89 #elif (AH_MD5_SUPPORT != ENABLED && AH_MD5_SUPPORT != DISABLED)
90  #error AH_MD5_SUPPORT parameter is not valid
91 #endif
92 
93 //SHA-1 hash support (weak)
94 #ifndef AH_SHA1_SUPPORT
95  #define AH_SHA1_SUPPORT ENABLED
96 #elif (AH_SHA1_SUPPORT != ENABLED && AH_SHA1_SUPPORT != DISABLED)
97  #error AH_SHA1_SUPPORT parameter is not valid
98 #endif
99 
100 //SHA-256 hash support
101 #ifndef AH_SHA256_SUPPORT
102  #define AH_SHA256_SUPPORT ENABLED
103 #elif (AH_SHA256_SUPPORT != ENABLED && AH_SHA256_SUPPORT != DISABLED)
104  #error AH_SHA256_SUPPORT parameter is not valid
105 #endif
106 
107 //SHA-384 hash support
108 #ifndef AH_SHA384_SUPPORT
109  #define AH_SHA384_SUPPORT ENABLED
110 #elif (AH_SHA384_SUPPORT != ENABLED && AH_SHA384_SUPPORT != DISABLED)
111  #error AH_SHA384_SUPPORT parameter is not valid
112 #endif
113 
114 //SHA-512 hash support
115 #ifndef AH_SHA512_SUPPORT
116  #define AH_SHA512_SUPPORT ENABLED
117 #elif (AH_SHA512_SUPPORT != ENABLED && AH_SHA512_SUPPORT != DISABLED)
118  #error AH_SHA512_SUPPORT parameter is not valid
119 #endif
120 
121 //SHA3-256 hash support (experimental)
122 #ifndef AH_SHA3_256_SUPPORT
123  #define AH_SHA3_256_SUPPORT DISABLED
124 #elif (AH_SHA3_256_SUPPORT != ENABLED && AH_SHA3_256_SUPPORT != DISABLED)
125  #error AH_SHA3_256_SUPPORT parameter is not valid
126 #endif
127 
128 //SHA3-384 hash support (experimental)
129 #ifndef AH_SHA3_384_SUPPORT
130  #define AH_SHA3_384_SUPPORT DISABLED
131 #elif (AH_SHA3_384_SUPPORT != ENABLED && AH_SHA3_384_SUPPORT != DISABLED)
132  #error AH_SHA3_384_SUPPORT parameter is not valid
133 #endif
134 
135 //SHA3-512 hash support (experimental)
136 #ifndef AH_SHA3_512_SUPPORT
137  #define AH_SHA3_512_SUPPORT DISABLED
138 #elif (AH_SHA3_512_SUPPORT != ENABLED && AH_SHA3_512_SUPPORT != DISABLED)
139  #error AH_SHA3_512_SUPPORT parameter is not valid
140 #endif
141 
142 //SM3 hash support (experimental)
143 #ifndef AH_SM3_SUPPORT
144  #define AH_SM3_SUPPORT DISABLED
145 #elif (AH_SM3_SUPPORT != ENABLED && AH_SM3_SUPPORT != DISABLED)
146  #error AH_SM3_SUPPORT parameter is not valid
147 #endif
148 
149 //Maximum digest size
150 #if (AH_HMAC_SUPPORT == ENABLED && AH_SHA512_SUPPORT == ENABLED)
151  #define AH_MAX_DIGEST_SIZE 64
152 #elif (AH_HMAC_SUPPORT == ENABLED && AH_SHA384_SUPPORT == ENABLED)
153  #define AH_MAX_DIGEST_SIZE 48
154 #elif (AH_HMAC_SUPPORT == ENABLED && AH_SHA256_SUPPORT == ENABLED)
155  #define AH_MAX_DIGEST_SIZE 32
156 #else
157  #define AH_MAX_DIGEST_SIZE 12
158 #endif
159 
160 //Maximum size of the ICV field
161 #if (AH_HMAC_SUPPORT == ENABLED && AH_SHA512_SUPPORT == ENABLED)
162  #define AH_MAX_ICV_SIZE 32
163 #elif (AH_HMAC_SUPPORT == ENABLED && AH_SHA384_SUPPORT == ENABLED)
164  #define AH_MAX_ICV_SIZE 24
165 #elif (AH_HMAC_SUPPORT == ENABLED && AH_SHA256_SUPPORT == ENABLED)
166  #define AH_MAX_ICV_SIZE 16
167 #else
168  #define AH_MAX_ICV_SIZE 12
169 #endif
170 
171 //Maximum overhead caused by AH security protocol
172 #define AH_MAX_OVERHEAD (sizeof(AhHeader) + AH_MAX_ICV_SIZE)
173 
174 //C++ guard
175 #ifdef __cplusplus
176 extern "C" {
177 #endif
178 
179 //CC-RX, CodeWarrior or Win32 compiler?
180 #if defined(__CCRX__)
181  #pragma pack
182 #elif defined(__CWCC__) || defined(_WIN32)
183  #pragma pack(push, 1)
184 #endif
185 
186 
187 /**
188  * @brief AH header
189  **/
190 
191 typedef __packed_struct
192 {
193  uint8_t nextHeader; //0
194  uint8_t payloadLen; //1
195  uint16_t reserved; //2-3
196  uint32_t spi; //4-7
197  uint32_t seqNum; //8-11
198  uint8_t icv[]; //12
199 } AhHeader;
200 
201 
202 //CC-RX, CodeWarrior or Win32 compiler?
203 #if defined(__CCRX__)
204  #pragma unpack
205 #elif defined(__CWCC__) || defined(_WIN32)
206  #pragma pack(pop)
207 #endif
208 
209 //AH related functions
210 error_t ipv4ProcessAhHeader(NetInterface *interface,
211  const Ipv4Header *ipv4Header, const NetBuffer *buffer, size_t offset,
212  NetRxAncillary *ancillary);
213 
214 error_t ahGenerateIcv(IpsecSadEntry *sa, const Ipv4Header *ipv4Header,
215  AhHeader *ahHeader, const NetBuffer *buffer, size_t offset);
216 
217 error_t ahVerifyIcv(IpsecSadEntry *sa, const Ipv4Header *ipv4Header,
218  const AhHeader *ahHeader, const NetBuffer *buffer, size_t offset);
219 
220 void ahProcessMutableIpv4Options(Ipv4Header *header);
221 
222 void ahDumpHeader(const AhHeader *ahHeader);
223 
224 //C++ guard
225 #ifdef __cplusplus
226 }
227 #endif
228 
229 #endif
icv
uint8_t icv[]
Definition: ah.h:198
Ipv4Header
#define Ipv4Header
Definition: ipv4.h:36
reserved
uint16_t reserved
Definition: ah.h:195
spi
uint32_t spi
Definition: ah.h:196
NetBuffer
Structure describing a buffer that spans multiple chunks.
Definition: net_mem.h:89
__packed_struct
typedef __packed_struct
AH header.
Definition: ah.h:192
seqNum
uint32_t seqNum
Definition: ah.h:197
ahProcessMutableIpv4Options
void ahProcessMutableIpv4Options(Ipv4Header *header)
Zeroize mutable IPv4 options.
Definition: ah.c:690
error_t
error_t
Error codes.
Definition: error.h:43
AhHeader
AhHeader
Definition: ah.h:199
NetRxAncillary
#define NetRxAncillary
Definition: net_misc.h:40
NetInterface
#define NetInterface
Definition: net.h:36
payloadLen
uint8_t payloadLen
Definition: ah.h:194
nextHeader
uint8_t nextHeader
Definition: ipv6.h:282
ahGenerateIcv
error_t ahGenerateIcv(IpsecSadEntry *sa, const Ipv4Header *ipv4Header, AhHeader *ahHeader, const NetBuffer *buffer, size_t offset)
ICV generation.
Definition: ah.c:275
IpsecSadEntry
#define IpsecSadEntry
Definition: ipsec.h:36
ipsec.h
IPsec (IP security)
ahDumpHeader
void ahDumpHeader(const AhHeader *ahHeader)
Dump AH header for debugging purpose.
Definition: ah.c:756
ahVerifyIcv
error_t ahVerifyIcv(IpsecSadEntry *sa, const Ipv4Header *ipv4Header, const AhHeader *ahHeader, const NetBuffer *buffer, size_t offset)
ICV verification.
Definition: ah.c:449
ipv4ProcessAhHeader
error_t ipv4ProcessAhHeader(NetInterface *interface, const Ipv4Header *ipv4Header, const NetBuffer *buffer, size_t offset, NetRxAncillary *ancillary)
Process AH protected packet.
Definition: ah.c:60