			/*
 * embedded IPsec
 * Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without modification,
 * are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
 * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
 * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
 * OF SUCH DAMAGE.
 *
 */

/** @file ipsecdev.c
 *  @brief IPsec network adapter for lwIP
 *
 *  @author Christian Scheurer <http://www.christianscheurer.ch> <BR>
 *
 *  <B>OUTLINE:</B>
 *
 *  This network interface will be inserted between the TCP/IP stack and the
 *  driver of the physical network adapter. With this, all inbound and outbound 
 *  traffic can be intercepted and forwarded to the IPsec stack if required.
 *
 *  <B>IMPLEMENTATION:</B>
 *
 *  The main duty of the ipsecdev device is to classify the network traffic and
 *  forward it to the appropriate protocol handler:
 *
 *     - AH/ESP => forward to ipsec_input()
 *     - IP traffic with policy BYPASS => forward to ip_input()
 *     - IP traffic with policy DISCARD, or traffic with policy APPLY but without
 *       IPsec header => dropped (the pbuf is freed and an audit message is logged)
 *
 *  To decide how packets must be processed, a lookup in the Security Policy
 *  Database is required. With this, all IPsec logic and IPsec related processing
 *  is put outside ipsecdev. The motivation is to separate IPsec processing from
 *  TCP/IP-Stack and network driver peculiarities. 
 *  If the IPsec stack needs to be ported to another target, all major changes
 *  can be done in this module while the rest can be left untouched.
 *
 *  <B>NOTES:</B>
 *
 * This version of ipsecdev is able to handle traffic passed by a cs8900 driver
 * in combination with lwIP 0.6.3 STABLE. It has a similar structure as dumpdev
 * or cs9800if.
 *
 * This document is part of <EM>embedded IPsec<BR>
 * Copyright (c) 2003 Niklaus Schild and Christian Scheurer, HTI Biel/Bienne<BR>
 * All rights reserved.</EM><HR>
 */

#include "lwip/mem.h"

#include "netif/ipsecdev.h"

#include "ipsec/debug.h"
#include "ipsec/ipsec.h"
#include "ipsec/util.h"
#include "ipsec/sa.h"


#define IPSECDEV_NAME0 'i'		/**< 1st letter of device name "is" */
#define IPSECDEV_NAME1 's' 		/**< 2nd letter of device name "is" */

/* Static SPD/SAD configuration tables. They are defined outside this file
 * (presumably by the per-target netconfig headers) and are only referenced here. */
extern sad_entry inbound_sad_config[]; /**< inbound SAD configuration data  */
extern spd_entry inbound_spd_config[]; /**< inbound SPD configuration data  */
extern sad_entry outbound_sad_config[];/**< outbound SAD configuration data */
extern spd_entry outbound_spd_config[];/**< outbound SPD configuration data */

extern db_set_netif	db_sets[];	/**< pool of SPD/SAD database sets, defined elsewhere */
db_set_netif 	*databases; 	/**< reference to the SPD and SA configuration. NOTE(review): plain file-scope pointer with no initializer, i.e. NULL until the device set-up (not visible in this excerpt) assigns it; ipsecdev_input() dereferences it for every packet */
struct netif	mapped_netif;	/**< handler of physical output device  	*/
__u32			tunnel_src_addr;/**< tunnel source address (external address this IPsec device) */
__u32			tunnel_dst_addr;/**< tunnel destination address (external address the other IPsec tunnel endpoint) */


/**
 * Placeholder service hook. It exists only so that ipsecdev offers the same
 * set of entry points as the other device drivers this file is modelled on
 * (see the NOTES section above); it does no work beyond the enter/return
 * trace messages.
 *
 * @param  netif  initialized lwIP network interface data structure of this device
 * @return void
 */
void ipsecdev_service(struct netif *netif)
{
	IPSEC_LOG_TRC(IPSEC_TRACE_ENTER, "ipsecdev_service", ("netif=%p", (void *)netif) );

	/* netif is intentionally unused; the cast silences the warning without a dummy local */
	(void)netif;

	IPSEC_LOG_TRC(IPSEC_TRACE_RETURN, "ipsecdev_service", ("void") );
}


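/**
 * This function is used to process incoming IP packets.
 *
 * This function is called by the physical network driver when a new packet has been
 * received. To decide how to handle the packet, the Security Policy Database
 * is consulted. ESP and AH packets are forwarded to ipsec_input() while other
 * packets must pass the SPD lookup.
 *
 * The pbuf is always consumed: it is either handed to ip_input() or freed here.
 * Malformed input (no payload, chained pbuf, truncated or oversized IP header,
 * bogus decapsulation offsets, no database attached) is dropped and ERR_OK is
 * returned, matching what lwIP drivers do on receive errors.
 *
 * @param p      pbuf containing the received packet
 * @param inp    lwIP network interface data structure for this device. The structure must be
 *               initialized with IP, netmask and gateway address.
 * @return err_t ERR_OK when the packet was dropped, otherwise the return code of ip_input()
 */
err_t ipsecdev_input(struct pbuf *p, struct netif *inp)
{
	int retcode;
	int payload_offset = 0;
	int payload_size   = 0;
	int buf_len;
	int ip_len;
	ipsec_ip_header *iph;
	spd_entry *spd;

	IPSEC_LOG_TRC(IPSEC_TRACE_ENTER,
	              "ipsecdev_input",
	              ("p=%p, inp=%p", (void *)p, (void *)inp)
	             );

	/* Nothing may touch the pbuf (not even the trace dump) before it is known to exist. */
	if(p == NULL)
	{
		IPSEC_LOG_DBG("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("Packet has no payload. Can't pass it to higher level protocol stacks."));
		goto out;
	}
	if(p->payload == NULL)
	{
		IPSEC_LOG_DBG("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("Packet has no payload. Can't pass it to higher level protocol stacks."));
		goto drop;
	}

	IPSEC_DUMP_BUFFER("ipsecdev_input", p->payload, 0, p->len);

	/* 'databases' is a file-scope pointer with no initializer; without it no policy
	 * decision is possible, so drop the packet instead of dereferencing NULL. */
	if(databases == NULL)
	{
		IPSEC_LOG_ERR("ipsecdev_input", IPSEC_STATUS_FAILURE, ("no SPD/SAD databases attached to this device: dropping packet"));
		goto drop;
	}

	/* Only a single contiguous pbuf is handled: the header checks below and
	 * ipsec_input() both operate on (p->payload, p->len) directly. */
	if(p->next != NULL)
	{
		IPSEC_LOG_DBG("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("can not handle chained pbuf - (packet must be < %d bytes )", PBUF_POOL_BUFSIZE - PBUF_LINK_HLEN - IPSEC_HLEN) );
		goto drop;
	}

	/* The buffer must hold at least the header struct that is read below,
	 * otherwise the 'len' and 'protocol' reads run past the received data. */
	if(p->len < sizeof(ipsec_ip_header))
	{
		IPSEC_LOG_DBG("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("Packet too short for an IP header (%d bytes)", p->len) );
		goto drop;
	}

	iph     = (ipsec_ip_header *)p->payload;
	buf_len = p->len;
	ip_len  = ipsec_ntohs(iph->len);

	/* minimal sanity check of inbound data (packet buffer & IP header fields must be <= MTU) */
	if((p->tot_len > IPSEC_MTU) || (ip_len > IPSEC_MTU))
	{
		IPSEC_LOG_DBG("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("Packet to long (%d > %d (IPSEC_MTU))", p->tot_len, IPSEC_MTU) );
		goto drop;
	}

	/* The IP total length comes off the wire. If it claims more bytes than the
	 * buffer holds, downstream parsing would read past the end of the pbuf. */
	if(ip_len > buf_len)
	{
		IPSEC_LOG_DBG("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("IP header length (%d) exceeds buffer length (%d)", ip_len, buf_len) );
		goto drop;
	}

	if(iph->protocol == IPSEC_PROTO_ESP || iph->protocol == IPSEC_PROTO_AH)
	{
		/* we got an IPsec packet which must be handled by the IPsec engine */
		retcode = ipsec_input(p->payload, p->len, (int *)&payload_offset, (int *)&payload_size, databases);

		if(retcode != IPSEC_STATUS_SUCCESS)
		{
			IPSEC_LOG_ERR("ipsecdev_input", retcode, ("error on ipsec_input() processing (retcode = %d)", retcode));
			goto drop;
		}

		/* The decapsulated payload must lie entirely inside the original buffer;
		 * do not adjust the pbuf to a window that extends past it. */
		if(payload_offset < 0 || payload_size < 0 ||
		   payload_offset > buf_len || payload_size > buf_len - payload_offset)
		{
			IPSEC_LOG_ERR("ipsecdev_input", IPSEC_STATUS_DATA_SIZE_ERROR, ("decapsulated payload (offset %d, size %d) exceeds buffer (%d bytes)", payload_offset, payload_size, buf_len));
			goto drop;
		}

		/** @todo Attention: the pbuf structure should be updated using pbuf_header() */
		/* remove obsolete ESP headers */
		p->payload = (unsigned char *)(p->payload) + payload_offset;
		p->len     = payload_size;
		p->tot_len = payload_size;

		IPSEC_LOG_MSG("ipsecdev_input", ("fwd decapsulated IPsec packet to ip_input()") );
		retcode = ip_input(p, inp);
		IPSEC_LOG_TRC(IPSEC_TRACE_RETURN, "ipsecdev_input", ("retcode = %d", retcode) );
		return retcode;
	}

	/* check what the policy says about non-IPsec traffic */
	spd = ipsec_spd_lookup(p->payload, &databases->inbound_spd);
	if(spd == NULL)
	{
		IPSEC_LOG_ERR("ipsecdev_input", IPSEC_STATUS_NO_POLICY_FOUND, ("no matching SPD policy found"));
		goto drop;
	}

	switch(spd->policy)
	{
		case POLICY_APPLY:
			/* policy demands IPsec protection but the packet carries no AH/ESP header */
			IPSEC_LOG_AUD("ipsecdev_input", IPSEC_AUDIT_APPLY, ("POLICY_APPLY: got non-IPsec packet which should be one"));
			goto drop;
		case POLICY_DISCARD:
			IPSEC_LOG_AUD("ipsecdev_input", IPSEC_AUDIT_DISCARD, ("POLICY_DISCARD: dropping packet"));
			goto drop;
		case POLICY_BYPASS:
			IPSEC_LOG_AUD("ipsecdev_input", IPSEC_AUDIT_BYPASS, ("POLICY_BYPASS: forwarding packet to ip_input"));
			/* propagate the stack's result, as the IPsec path above does */
			retcode = ip_input(p, inp);
			IPSEC_LOG_TRC(IPSEC_TRACE_RETURN, "ipsecdev_input", ("retcode = %d", retcode) );
			return retcode;
		default:
			IPSEC_LOG_ERR("ipsecdev_input", IPSEC_STATUS_FAILURE, ("IPSEC_STATUS_FAILURE: dropping packet"));
			IPSEC_LOG_AUD("ipsecdev_input", IPSEC_AUDIT_FAILURE, ("unknown Security Policy: dropping packet"));
			goto drop;
	}

drop:
	/* every error path ends here: release the pbuf exactly once */
	pbuf_free(p);
out:
	/* usually return ERR_OK as lwIP does, even when the packet was dropped */
	IPSEC_LOG_TRC(IPSEC_TRACE_RETURN, "ipsecdev_input", ("retcode = %d", ERR_OK) );
	return ERR_OK;
}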


/**
 * This function is used to send a packet out to the network device.
 *
 * IPsec processing for outbound traffic is done here before forwarding the IP packet 
 * to the physical network device. The SPD is queried in order to know how
 * the packet must be handled.
 *
 * @param  netif   initialized lwIP network interface data structure of this device
 * @param  p       pbuf containing a complete IP packet as payload
 * @param  ipaddr  destination IP address
 * @return err_t   status
 */
err_t ipsecdev_output(struct netif *netif, struct pbuf *p, struct ip_addr *ipaddr)
{

	struct pbuf *p_cpy = NULL;
	int payload_size ;
	int payload_offset ;
	spd_entry *spd ;
	ipsec_status status ;
	struct ip_addr dest_addr;
	int retcode;

	IPSEC_LOG_TRC(IPSEC_TRACE_ENTER, 
	              "ipsecdev_output", 
				  ("netif=%p, p=%p, ipaddr=%p", (void *)netif, (void *)p, (void *)ipaddr ) 
				 );


	/* minimal sanity check of inbound data (packet buffer & IP header fields must be <= MTU) */
	if((p->tot_len > IPSEC_MTU) || (ipsec_ntohs(((ipsec_ip_header *)((unsigned char *)p->payload))->len) > IP