#ifndef IPSEC_COMMON_INTERFACE_H
#define IPSEC_COMMON_INTERFACE_H

/*
 * Constants, enums and structures shared between the IPsec module and its
 * callers (SA/SP management, encap/decap, buffer sizing).
 *
 * The numeric values in this header are part of the interface: keep them
 * stable, and validate any value received from another module against the
 * ranges defined here before using it as an index, a length or a size.
 */

#include "kal_public_api.h"

#define MAX_IPV4_ADDR_SIZE (4)    /* bytes in an IPv4 address */
#define MAX_IP_ADDR_SIZE (16)     /* bytes in an IPv6 address; every address buffer in this file has this size */
#define MAX_IP_FRAGMENT_SIZE (10) /* NOTE(review): reads like a byte size but is presumably the maximum number of fragments per packet -- confirm with the ipsec_fragment_info_t users */
#define IPSEC_SAID_INVALID (0XFFFFFFFF) /* "no SA" sentinel for said parameters */
#define IPSEC_SPI_INVALID (0)           /* "no SPI" sentinel; SPI 0 is reserved by RFC 4303 and never appears on the wire */

/* Upper bound on the length of one cipher or integrity key, used to size key
 * buffers. The unit is not stated (bits or bytes?) -- TODO confirm. If it is
 * bytes, 128 covers every algorithm listed in this file (the largest key,
 * HMAC-SHA2-512-256, is 64 bytes per RFC 4868). Whatever the unit, a
 * caller-supplied key length must be checked against this bound before the
 * key is copied into a fixed-size buffer. */
#define IPSEC_ALGO_MAX_KEY_LEN (128)

/* Maximum number of selectors (ipsec_selector_t) carried by one SA/SP entry */
#define IPSEC_MAX_SELECTOR_NUM (2)

/* Maximum number of SA/SP entries in one
   MSG_ID_IPSEC_MULTI_SA_SP_DELETE_REQ; a request carrying more should be
   rejected as a whole rather than silently truncated */
#define IPSEC_MAX_SASP_DEL_NUM (50)

/* SA_DEL CAUSE: presumably the SA was removed because a hard lifetime limit
   (see ipsec_lft_t) was reached */
#define IPSEC_HARD_LIFETIME_OUT (0)
| 23 | |
| 24 | /*for async data flow*/ |
/* Progress marker for a packet in the asynchronous crypto data path.
 * The stage meanings below are taken from the member names -- confirm
 * against the data-path code. Values are pinned so the marker can be
 * stored and compared across modules independently of declaration order.
 *
 * NOTE(review): there is no *_FAIL stage here. A failed decryption or an
 * ICV mismatch has to be reported by some other means (ipsec_status_enum?);
 * make sure such a packet can never be left looking like *_SUCCESS. */
typedef enum
{
    IPSEC_PKT_STATUS_INVALID = 0,  /* not submitted / unknown */
    IPSEC_ENCRYPTION_IN      = 1,  /* encryption stage entered */
    IPSEC_ENCRYPTION_SUCCESS = 2,  /* encryption stage completed */
    IPSEC_DECRYPTION_IN      = 3,  /* decryption stage entered */
    IPSEC_DECRYPTION_SUCCESS = 4,  /* decryption stage completed */
    IPSEC_INTEGRITY_IN       = 5,  /* integrity (ICV) stage entered */
    IPSEC_INTEGRITY_SUCCESS  = 6   /* ICV computed or verified */
} ipsec_pkt_status_enum;
| 36 | |
| 37 | |
/* Occupancy flag for an SA/SP table slot. */
typedef enum
{
    IPSEC_ENTRY_UNUSED = 0,  /* slot is free */
    IPSEC_ENTRY_USED   = 1   /* slot holds a live SA/SP entry */
} ipsec_entry_status_enum;
| 44 | |
| 45 | |
/* Result codes of the IPsec interface. Only IPSEC_SUCCESS (0) is success;
 * every other value is a failure, the specific codes refining the generic
 * IPSEC_FAILURE. SA/SP add/delete failures have no dedicated code and
 * presumably come back as IPSEC_FAILURE. Values are pinned because
 * IPSEC_DECAP_NO_RULE deliberately shares IPSEC_ENCAP_NO_RULE's value. */
typedef enum
{
    IPSEC_SUCCESS = 0,
    IPSEC_FAILURE = 1,  /* generic failure */

    /* encap/decap: no SP/SA rule matched the packet. Both directions use
     * the same code, so they cannot be told apart from the value alone. */
    IPSEC_ENCAP_NO_RULE = 2,
    IPSEC_DECAP_NO_RULE = IPSEC_ENCAP_NO_RULE,

    /* decap: the packet arrived on an SA whose selectors it does not match
     * (presumably the RFC 4301 inbound selector check). Callers must drop
     * the packet on this code, never forward it. */
    IPSEC_DECAP_PACKET_SA_UNMATCH = 3,

    /* SPI release refused because an SA still references that SPI */
    IPSEC_SPI_FREE_FAIL_SA_EXISTANT = 4,

    /* encap refused because the SA is suspended */
    IPSEC_ENCAP_SA_SUSPEND = 5
} ipsec_status_enum;
| 65 | |
| 66 | |
/* SA encapsulation mode. */
typedef enum
{
    IPSEC_TRANSPORT_MODE        = 0,
    IPSEC_TUNNEL_MODE           = 1,
    /* tunnel mode with UDP encapsulation (NAT traversal); uses the
     * udp_sport/udp_dport fields of ipsec_tunnel_info_t */
    IPSEC_TUNNEL_MODE_UDP_ENCAP = 2
} ipsec_mode_enum;
| 73 | |
| 74 | |
/* Next-layer protocol selector. The numeric values are the IANA protocol
 * numbers (the IPv4 Protocol / IPv6 Next Header field), so a value can be
 * copied straight out of a packet header. Members are grouped by role; the
 * values are explicit, so the order here does not matter. */
typedef enum
{
    /* IPv6 extension headers that may precede the transport header */
    IPSEC_IPV6_EXT_HOPOPT   = 0,
    IPSEC_IPV6_EXT_ROUTING  = 43,
    IPSEC_IPV6_EXT_FRAGMENT = 44,
    IPSEC_IPV6_EXT_NONXT    = 59,
    IPSEC_IPV6_EXT_DESTOPT  = 60,

    /* transport protocols and tunnelled IP */
    IPSEC_ICMP   = 1,
    IPSEC_IPV4   = 4,
    IPSEC_TCP    = 6,
    IPSEC_UDP    = 17,
    IPSEC_IPV6   = 41,
    IPSEC_ICMPV6 = 58,

    /* the IPsec protocols themselves */
    IPSEC_ESP = 50,
    IPSEC_AH  = 51,

    /* wildcard: matches every next-layer protocol.
     * Protocol ranges and a distinct OPAQUE value are NOT supported. */
    IPSEC_PROTO_ANY = 255,

    /* RFC 4301 distinguishes OPAQUE ("next-layer protocol cannot be
     * determined", e.g. a non-initial fragment) from ANY. Here OPAQUE is
     * merely an alias of ANY and, per the original note, is not used in
     * selectors. If it ever were, an ANY rule would also admit packets
     * whose real protocol is unknown -- confirm the matcher never relies
     * on this value. */
    IPSEC_PROTO_OPAQUE = IPSEC_PROTO_ANY
} ipsec_proto_enum;
| 99 | |
| 100 | |
/* Direction of an SA/SP relative to this host. */
typedef enum
{
    IPSEC_DIRECTION_INVALID = 0,  /* unset; treat as an error, never as "both" */
    IPSEC_DIRECTION_IN      = 1,  /* inbound */
    IPSEC_DIRECTION_OUT     = 2   /* outbound */
} ipsec_direction_enum;
| 107 | |
| 108 | |
/* Address family of the 16-byte address buffers used throughout this file.
 * NOTE(review): there is no "invalid" member, so a zero-initialised struct
 * silently claims IPv4; a consumer cannot detect an unset family. */
typedef enum
{
    IPSEC_FAMILY_IPV4 = 0,
    IPSEC_FAMILY_IPV6 = 1
} ipsec_addr_family_enum;
| 115 | |
| 116 | |
/* SPD action for a packet that matched a policy (RFC 4301: BYPASS,
 * PROTECT, DISCARD).
 *
 * NOTE(review): BYPASS is value 0, so a zero-initialised or never-written
 * action field reads as "send in the clear" -- fail-open. Consumers should
 * validate the action explicitly instead of relying on a default. */
typedef enum
{
    IPSEC_BYPASS    = 0,  /* forward without IPsec processing */
    IPSEC_PROTECTED = 1,  /* apply IPsec according to the associated SA */
    IPSEC_DISCARD   = 2   /* drop the packet */
} ipsec_action_enum;
| 124 | |
| 125 | |
/* Encryption (ESP confidentiality) algorithms. Values are the IANA IKEv2
 * Transform Type 1 (ENCR) identifiers. The combined-mode (AEAD) entries
 * 14-21 and 25-28 are defined in ipsec_com_algo_enum instead; 10 and 22
 * are reserved by IANA; 32-1023 are unassigned; 1024-65535 private use.
 *
 * Security notes (RFC 8221, RFC 4303, RFC 8750):
 *  - DES, DES_IV64 and DES_IV32 are MUST NOT and 3DES is SHOULD NOT in
 *    RFC 8221; RC5, IDEA, CAST, Blowfish and 3IDEA are legacy. Keep the
 *    values so received identifiers can be decoded, but do not configure
 *    them on new SAs.
 *  - CBC and CTR (and NULL) give no integrity; an SA using any algorithm
 *    from this enum must also carry a non-NULL integrity algorithm.
 *  - The *_IIV variants derive the IV from the ESP sequence number, so
 *    reusing a sequence number under one key is catastrophic -- never
 *    reset the SN of a live SA. They are AEAD like 14-21 yet live here
 *    rather than in ipsec_com_algo_enum; confirm the consumer treats them
 *    as combined-mode (no separate integrity algorithm).
 */
typedef enum
{
    IPSEC_ENCR_DES_IV64   = 1,
    IPSEC_ENCR_DES        = 2,
    IPSEC_ENCR_3DES       = 3,
    IPSEC_ENCR_RC5        = 4,
    IPSEC_ENCR_IDEA       = 5,
    IPSEC_ENCR_CAST       = 6,
    IPSEC_ENCR_BLOWFISH   = 7,
    IPSEC_ENCR_3IDEA      = 8,
    IPSEC_ENCR_DES_IV32   = 9,
    IPSEC_ENCR_NULL       = 11,
    IPSEC_ENCR_AES_CBC    = 12,
    IPSEC_ENCR_AES_CTR    = 13,
    IPSEC_ENCR_CAMELLA_CBC = 23,  /* Camellia; identifier keeps the original spelling */
    IPSEC_ENCR_CAMELLA_CTR = 24,
    IPSEC_ENCR_AES_CCM_8_IIV         = 29,
    IPSEC_ENCR_AES_GCM_16_IIV        = 30,
    IPSEC_ENCR_CHACHA20_POLY1305_IIV = 31
} ipsec_encry_algo_enum;
| 163 | |
| 164 | |
/* Integrity (ESP/AH authentication) algorithms. Values 1-14 are the IANA
 * IKEv2 Transform Type 3 (INTEG) identifiers, where 0 means NONE;
 * 15-1023 are unassigned at IANA and 1024-65535 are private use.
 *
 * NOTE(review): IPSEC_AUTH_NULL is given the value 15, which by this
 * file's own numbering is an unassigned IANA code, while the IANA "none"
 * value 0 is left unused. Any code that maps these values to or from IKE
 * transform IDs must special-case it. The value is kept unchanged here
 * because callers may already depend on it.
 *
 * Security notes: HMAC-MD5, DES-MAC and KPDK-MD5 are MUST NOT in RFC 8221
 * and HMAC-SHA1 is legacy -- decode only, do not configure on new SAs.
 * NULL integrity is only acceptable when the SA's cipher is a combined-mode
 * (AEAD) algorithm; RFC 4303 forbids ESP with both NULL encryption and
 * NULL integrity. */
typedef enum
{
    IPSEC_AUTH_HMAC_MD5_96       = 1,
    IPSEC_AUTH_HMAC_SHA1_96      = 2,
    IPSEC_AUTH_DES_MAC           = 3,
    IPSEC_AUTH_KPDK_MD5          = 4,
    IPSEC_AUTH_AES_XCBC_96       = 5,
    IPSEC_AUTH_HMAC_MD5_128      = 6,
    IPSEC_AUTH_HMAC_SHA1_160     = 7,
    IPSEC_AUTH_AES_CMAC_96       = 8,
    IPSEC_AUTH_AES_128_GMAC      = 9,
    IPSEC_AUTH_AES_192_GMAC      = 10,
    IPSEC_AUTH_AES_256_GMAC      = 11,
    IPSEC_AUTH_HMAC_SHA2_256_128 = 12,
    IPSEC_AUTH_HMAC_SHA2_384_192 = 13,
    IPSEC_AUTH_HMAC_SHA2_512_256 = 14,
    IPSEC_AUTH_NULL              = 15  /* non-IANA value, see note above */
} ipsec_integ_algo_enum;
| 187 | |
| 188 | |
/* Combined-mode (AEAD) algorithms: confidentiality and integrity in one
 * primitive. Values are the IANA IKEv2 ENCR identifiers -- the same number
 * space as ipsec_encry_algo_enum, which is why that enum skips 14-21 and
 * 25-28. 0 means "no combined-mode algorithm"; 17 is unassigned.
 *
 * An SA configured with one of these must not also carry a separate
 * integrity algorithm. The *_8 variants use an 8-byte ICV (64-bit forgery
 * resistance) and the *_12 variants a 12-byte one; prefer the 16-byte ICV
 * variants where the peer allows. IPSEC_COM_ENCR_NULL_AUTH_AES_GMAC is
 * integrity-only (no confidentiality). */
typedef enum
{
    IPSEC_COM_NULL = 0,

    IPSEC_COM_AES_CCM_8  = 14,
    IPSEC_COM_AES_CCM_12 = 15,
    IPSEC_COM_AES_CCM_16 = 16,

    IPSEC_COM_AES_GCM_8  = 18,
    IPSEC_COM_AES_GCM_12 = 19,
    IPSEC_COM_AES_GCM_16 = 20,
    IPSEC_COM_ENCR_NULL_AUTH_AES_GMAC = 21,

    IPSEC_COM_CAMELLA_CCM_8  = 25,  /* Camellia; identifier keeps the original spelling */
    IPSEC_COM_CAMELLA_CCM_12 = 26,
    IPSEC_COM_CAMELLA_CCM_16 = 27,
    IPSEC_COM_CHACHA20_POLY1305 = 28
} ipsec_com_algo_enum;
| 207 | |
/* Marker used by the "opaque port" encoding of ipsec_selector_t (see the
 * table inside the struct). 0xFFFF is also a legal port number, so the two
 * cases are told apart only by the begin/end pair, never by one half alone. */
#define IPSEC_PORT_OPAQUE 0XFFFF
/* Traffic selector of an SP/SA entry (RFC 4301 style: address prefix,
 * next-layer protocol, port ranges). One entry carries up to
 * IPSEC_MAX_SELECTOR_NUM of these. */
typedef struct
{
    kal_uint8 src_addr[MAX_IP_ADDR_SIZE];  /* raw address bytes; presumably only the first MAX_IPV4_ADDR_SIZE are meaningful for IPv4 -- confirm */
    kal_uint8 dst_addr[MAX_IP_ADDR_SIZE];
    ipsec_addr_family_enum addr_family;    /* how src_addr/dst_addr are interpreted */
    /* prefix lengths, <= 32 for IPv4 / <= 128 for IPv6. A consumer must
     * reject larger values before building a mask: shifting by the full
     * width or more is undefined behaviour and an over-long prefix could
     * otherwise turn a specific rule into a wildcard. */
    kal_uint8 src_prefix; /* <= 32/128 */
    kal_uint8 dst_prefix; /* <= 32/128 */
    ipsec_proto_enum next_layer_protocol;  /* IANA protocol number, or IPSEC_PROTO_ANY */
    kal_uint16 src_port[2];//0-begin,1-end
    kal_uint16 dst_port[2];//0-begin,1-end
    /*
    address and port can either be a single value or a range.
    SINGLE_PORT: port[0] = port[1] = value
    ANY_PORT: port[0]=0, port[1]=0XFFFF;
    OPAQUE_PORT: port[0]=0xFFFF, port[1]=0;

    SINGLE_ADDR: addr=value, prefix=32/128
    ANY_ADDR: addr=any, prefix=0;

    NOTE(review): OPAQUE_PORT is encoded as an inverted range (begin > end).
    The matcher must test for that exact pair; treated as an ordinary range
    it is empty and matches nothing (or everything, depending on how the
    comparison is written) -- confirm in the matching code. The port fields
    only make sense when next_layer_protocol carries ports (TCP/UDP); what
    they mean for other protocols is not specified here.
    */

}ipsec_selector_t;
| 230 | |
| 231 | |
/* Outer-header parameters of a tunnel-mode SA. */
typedef struct
{
    kal_uint8 tunnel_src[MAX_IP_ADDR_SIZE];     /* outer source address */
    kal_uint8 tunnel_dst[MAX_IP_ADDR_SIZE];     /* outer destination address */
    ipsec_addr_family_enum tunnel_addr_family;  /* family of the two addresses above */
    kal_uint8 tunnel_dscp;//the lower 6 bits is valid; 000000 indicate copy from inner, else use this value.
    /* NOTE(review): with this encoding an explicit outer DSCP of 0 (CS0)
     * cannot be requested -- it is indistinguishable from "copy from inner".
     * Copying the inner DSCP also reveals a little about the protected
     * traffic class, which is why RFC 4301 allows the SA to override it. */
    kal_uint16 udp_sport;//only for Tunnel_UDP-Encap
    kal_uint16 udp_dport;//only for Tunnel_UDP-Encap

}ipsec_tunnel_info_t;
| 242 | |
| 243 | |
/* Per-SA processing parameters. */
typedef struct
{
    kal_uint8 flags;//for esn, stateful_fragment_checking, Bypass_DF, Bypass_DSCP?
    /* NOTE(review): no bit positions for these flags are defined anywhere
     * in this header. Without one shared definition the producer and the
     * consumer can disagree on which bit means ESN, and I would expect that
     * to break ICV verification on every packet of the SA. */
    ipsec_addr_family_enum tunnel_addr_family;
    kal_uint8 tunnel_src[MAX_IP_ADDR_SIZE];//only for tunnel mode
    kal_uint8 tunnel_dst[MAX_IP_ADDR_SIZE];//only for tunnel mode

    //Used as paras when invoke SA creation?
    /* Presumably ipsec_encry_algo_enum / ipsec_integ_algo_enum /
     * ipsec_com_algo_enum values, but typed as plain kal_uint32: a consumer
     * must validate them against the enums before using them to index any
     * algorithm table. */
    kal_uint32 e_algos;// encryption
    kal_uint32 i_algos;// integrity
    kal_uint32 c_algos;// combined-mode
}ipsec_process_info_t;
| 256 | |
| 257 | |
/* SA lifetime limits. A zero in any field disables that particular limit. */
typedef struct
{
    kal_uint64 byte_limit; /* = 0 if no use*/    /* bytes processed */
    kal_uint64 packet_limit;/* = 0 if no use*/   /* packets processed */
    kal_uint32 add_expire_seconds; /* = 0 if no use*/  /* presumably seconds since the SA was added */
    kal_uint32 use_expire_seconds; /* = 0 if no use*/  /* presumably seconds since the SA was first used */
    /* NOTE(review): whether these are soft (rekey) or hard (delete with
     * cause IPSEC_HARD_LIFETIME_OUT) limits is not stated here. With all
     * four at zero the SA never ages out on its own, and nothing in this
     * struct enforces the RFC 4303 rule that an SA is replaced before its
     * sequence number wraps -- the caller must bound packet_limit (or rely
     * on ESN plus rekeying) for long-lived SAs. */
}ipsec_lft_t;
| 265 | |
| 266 | |
/* Per-SA ESP framing overhead, returned by ipsec_get_esp_overhead_info(),
 * so a caller can size buffers and compute padding without knowing the
 * SA's algorithms. */
typedef struct
{
    /* = ESP_OUTER_HEADER(0/20/40 byte) + UDP_HEADER(0/8 bytes)
       + ESP_SPI_LEN + ESP_SN_LEN + encry_algo.iv_len + integrity_algo.trunc_icv_len
       + ESP_PAD_LENGTH_LEN + ESP_NEXT_HEADER_LEN
       i.e. everything except the payload and its padding. Presumably the
       outer-header term is 0 in transport mode, 20 for an IPv4 tunnel and
       40 for an IPv6 tunnel, and the UDP term is 8 only for
       IPSEC_TUNNEL_MODE_UDP_ENCAP -- confirm. */
    kal_uint32 fixed_length;//in BYTE;

    // = encry_algo.block_size or 4
    // in BYTE; for users to calculate padding size
    // (text + 2 + pad) % blk-size = 0
    // The "+ 2" is the Pad Length and Next Header bytes, which must be
    // aligned together with the payload. Callers must evaluate
    // text + pad + fixed_length in a type wide enough not to wrap when
    // text comes from an untrusted source.
    kal_uint32 encry_block_size;

}esp_overhead_info_t;
| 280 | |
| 281 | |
//Fragmentation buffer structure for encapsulated packet
/* One fragment of an encapsulated packet. Ownership of the memory behind
 * p_ip_frag (who allocates it, who frees it, how long it stays valid) is
 * not stated here -- confirm with the producer before freeing or caching
 * the pointer. */
typedef struct
{
    kal_uint8 *p_ip_frag;  /* first byte of this fragment */
    kal_uint32 frag_size;  /* length of the fragment; must never exceed the buffer behind p_ip_frag */
}ipsec_fragment_info_t;
| 288 | |
| 289 | |
/*
 * ESP overhead and buffer-sizing helpers.
 *
 * The return type is kal_int32; presumably an ipsec_status_enum value with
 * 0 (IPSEC_SUCCESS) meaning success -- confirm. Callers must check the
 * return value before reading any out-parameter; the out-parameters are
 * only meaningful on success.
 */

/* Fill *p_ovhd_info with the fixed ESP overhead and cipher block size of
 * SA `said` (see esp_overhead_info_t). Presumably fails for an unknown
 * said such as IPSEC_SAID_INVALID. */
kal_int32 ipsec_get_esp_overhead_info(kal_uint32 said, esp_overhead_info_t *p_ovhd_info);

/* Compute the input and output buffer sizes (presumably bytes, matching
 * esp_overhead_info_t) needed to encapsulate `text_size` bytes of payload
 * under SA `said`.
 * NOTE(review): text_size plus the ESP overhead is a 32-bit sum and
 * whether the implementation rejects values that would wrap is not visible
 * here; never pass an unbounded, externally supplied text_size. */
kal_int32 ipsec_get_encap_buffer_size(kal_uint32 said, kal_uint32 text_size,
    kal_uint32 *p_inbuf_size, kal_uint32 *p_outbuf_size);

/* Same as above for decapsulation; `text_size` is presumably the size of
 * the received ESP packet -- confirm. The same overflow caveat applies,
 * and here text_size comes from the network. */
kal_int32 ipsec_get_decap_buffer_size(kal_uint32 said, kal_uint32 text_size,
    kal_uint32 *p_inbuf_size, kal_uint32 *p_outbuf_size);
| 295 | |
| 296 | #endif |