/****************************************************************************** * Copyright (c) 2000-2019 Ericsson Telecom AB * All rights reserved. This program and the accompanying materials * are made available under the terms of the Eclipse Public License v2.0 * which accompanies this distribution, and is available at * https://www.eclipse.org/org/documents/epl-2.0/EPL-2.0.html ******************************************************************************/ /////////////////////////////////////////////////////////////////////////////// // // File: TCCIPsec_Definitions.ttcn // Description: TCC Useful Functions: Definitions for IPsec functions // Rev: R36B // Prodnr: CNL 113 472 // /////////////////////////////////////////////////////////////////////////////// module TCCIPsec_Definitions { /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_IPsecResult // // Purpose: // Declares the possible return values of IPsec handling functions // // Elements: // ok: // The function finished successfully // parameterInvalid: // One of the function parameters was invalid // The error is indicated either by the library or the kernel. // alreadyExisted: // Entry already existed while trying to add it // notFound: // Entry was not found while trying to delete or modify it // insufficientPrivilege: // The calling process does not have the necessary privilege to use the // PF_KEY interface or to handle the databases of IPsec. // notImplemented: // Not implemented: // The library is compiled without IPsec support or with limited support // Support for SPD handling is platform dependent // socketError: // Other type of error during socket operation // The logs contain details on the error // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_Result { ok (0), parameterInvalid, alreadyExisted, notFound, insufficientPrivilege, notImplemented, socketError }; /////////////////////////////////////////////////////////////////////////////// // Const: c_TCCIPsec_anyPort // // Purpose: // Provides port value representing any port // // Value: // 0 // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// const integer c_TCCIPsec_anyPort := 0; /////////////////////////////////////////////////////////////////////////////// // Const: c_TCCIPsec_prefixAll // // Purpose: // Provides port value representing any port // // Value: // 0 // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// const integer c_TCCIPsec_prefixAll := -1; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Protocol // // Purpose: // Declares identifiers for the possible security protocols // // Elements: // ah: // Authentication Header // esp: // Encapsulated Security Payload // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_Protocol { ah (2), esp (3) /*,ipComp (9)*/ }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_IPsecMode // // Purpose: // Declares identifiers for the possible security association // // Elements: // anyMode: this is the unspecified, default mode // transport: turns on transport mode in security association // tunnel: turns on tunneling mode in security association // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_IPsecMode { anyMode (0), transport (1), tunnel (2) }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Extension // // Purpose: // Defines a union of possible extensions for Security Associations (SAs) // // Elements: // policyId - *integer*: // Identifier to link a Security Association (SA) to Security Policy (SP) // hardLifetime - *integer*: // Hard Lifetime in seconds // softLifetime - *integer*: // Soft Lifetime in seconds // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type union TCCIPsec_Extension { integer policyId, integer hardLifetime, integer softLifetime }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_ExtensionList // // Purpose: // Defines a list of extensions for the SA adding function // // Elements: // record of *TCCIPsec_Extension* // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record of TCCIPsec_Extension TCCIPsec_ExtensionList; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Key // // Purpose: // Defines a union for storing a key for an SA. // The key is specified inside the *TCCIPsec_Algorithm* alg parameter of // the f_IPsec_SADB_add function. // // Elements: // hex - *hexstring*: // Key in hexstring format // text - *charstring*: // Key in charstring format // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type union TCCIPsec_Key { hexstring hex, charstring text }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_EAlgo // // Purpose: // Declares identifiers for the possible encryption algorithms // // Elements: // EALG_NONE: // The "null" algorithm // EALG_3DESCBC: // The "3des-cbc" algorithm (rfc2451) // EALG_NULL: // The NULL encryption algorithm (rfc2367) // EALG_AESCBC: // The "aes-cbc" algorithm ( // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_EAlgo { EALG_NONE (0), EALG_3DESCBC (3), EALG_NULL(11), EALG_AESCBC (12) }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_AAlgo // // Purpose: // Declares identifiers for the possible integrity protection algorithms // // Elements: // AALG_NONE: // The "null" algorithm // AALG_MD5HMAC: // The "hmac-md5" algorithm (rfc2403) // AALG_SHA1HMAC: // The "hmac-sha1" algorithm (rfc2404) // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_AAlgo { AALG_NONE (0), AALG_MD5HMAC (2), AALG_SHA1HMAC (3) }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Encr // // Purpose: // Defines a record for storing the encryption algorithm identifier and // key. // // Elements: // algo - *TCCIPsec_EAlgo*: // Identifier of the encryption algorithm // key - *TCCIPsec_Key*: // Key for the algorithm // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_Encr { TCCIPsec_EAlgo algo, TCCIPsec_Key key }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Auth // // Purpose: // Defines a record for storing the integrity protection algorithm // identifier and key. // // Elements: // algo - *TCCIPsec_AAlgo*: // Identifier of the integrity protection algorithm // key - *TCCIPsec_Key*: // Key for the algorithm // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_Auth { TCCIPsec_AAlgo algo, TCCIPsec_Key key }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Auth // // Purpose: // Defines a record for storing the encryption and integrity protection // algorithm identifiers and the keys. // // Elements: // ealgo - *TCCIPsec_EAlgo*: // Identifier of the encryption algorithm // ekey - *TCCIPsec_Key*: // Key for the encryption algorithm // aalgo - *TCCIPsec_AAlgo*: // Identifier of the integrity protection algorithm // akey - *TCCIPsec_Key*: // Key for the integrity protection algorithm // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_EncrAndAuth { TCCIPsec_EAlgo ealgo, TCCIPsec_Key ekey, TCCIPsec_AAlgo aalgo, TCCIPsec_Key akey }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Algorithm // // Purpose: // Defines a union for storing the possible combination of algorithms with // its keys. It is used as the *TCCIPsec_Algorithm* alg parameter of the // f_IPsec_SADB_add function. // // Elements: // encr - *TCCIPsec_Encr*: // encryption algorithm data // auth - *TCCIPsec_Auth* // integrity protection algorithm data // encrAndAuth - *TCCIPsec_EncrAndAuth* // Key in charstring format // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type union TCCIPsec_Algorithm { TCCIPsec_Encr encr, TCCIPsec_Auth auth, TCCIPsec_EncrAndAuth encrAndAuth /*,Compr compr*/ }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_TranspProto // // Purpose: // Declares identifiers for the possible upper layer protocols // // Elements: // anyTranspProto: // Either TCP or UDP protocol // tcpProto: // The TCP protocol // udpProto: // The UDP protocol // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_TranspProto { anyTranspProto (0), tcpProto (6), udpProto (17) }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_TranspProto // // Purpose: // Declares identifiers for the possible directions for which a policy is // applied. // // Elements: // inDir: // incoming packets // outDir: // outgoing packets // fwdDir: // forwarded packets // // Detailed Comments: // /////////////////////////////////////////////////////////////////////////////// type enumerated TCCIPsec_PolicyDirection { inDir (1), outDir (2), fwdDir (3) }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_DiscardRule // // Purpose: // Declares a type to represent the policy rule to discard packets. // // Elements: // - // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_DiscardRule {}; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_NoneRule // // Purpose: // Declares a type to represent the policy rule to bypass IPsec. // // Elements: // - // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_NoneRule {}; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Transport // // Purpose: // Declares a type to represent the transport IPsec mode - // as opposed to tunnel mode // // Elements: // - // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_Transport {}; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Tunnel // // Purpose: // Declares a type to represent the tunnel IPsec mode - // as opposed to transport mode // // Elements: // srcAddr: source address // srcPort: source port // dstAddr: destination address // dstPort: destination port // // Detailed Comments: Address and port pairs for the tunnel. Used in SPDB rules. // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_Tunnel { charstring srcAddr, integer srcPort, charstring dstAddr, integer dstPort }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Mode // // Purpose: // Declares an union for storing to IPsec mode // // Elements: // transport - *TCCIPsec_Transport*: // identifies the transport IPsec mode // tunnel - *TCCIPsec_Tunnel*: // identifies the tunnel IPsec mode // // Detailed Comments: // IPsec supports transport and tunnel mode. // /////////////////////////////////////////////////////////////////////////////// type union TCCIPsec_Mode { TCCIPsec_Transport transport, TCCIPsec_Tunnel tunnel }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_DefaultLevel // // Purpose: // Declares a type to represent the policy level indicating that system // defaults has to be used. // // Elements: // - // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_DefaultLevel {}; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_UseLevel // // Purpose: // Declares a type to represent the policy level indicating that IPsec // should be used if appropriate SA is available. If SA is naot available // IPsec is bypassed. // // Elements: // - // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_UseLevel {}; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_UseLevel // // Purpose: // Declares a type to represent the policy level indicating that IPsec // has to be used unconditionally. // // Elements: // - // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_RequireLevel {}; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_UseLevel // // Purpose: // Declares a type to represent the policy level indicating that IPsec // has to be used with the SA or SAs indicated by id. // // Elements: // id - *integer*: // link to SAs // // Detailed Comments: // An SA is linked to an SP when the SA has a policyId extension with the // value of the SP's id. // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_UniqueLevel { integer id } /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_RuleLevel // // Purpose: // Defines a union for storing rule level. // // Elements: // defaultLevel - *TCCIPsec_DefaultLevel*: // The level represnting default // use - *TCCIPsec_UseLevel* // The use level // require - *TCCIPsec_RequireLevel* // The require level // unique - *TCCIPsec_UniqueLevel* // The unique level // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type union TCCIPsec_RuleLevel { TCCIPsec_DefaultLevel defaultLevel, TCCIPsec_UseLevel use, TCCIPsec_RequireLevel require, TCCIPsec_UniqueLevel unique }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_Rule // // Purpose: // Declares a record for storing an IPsec rule. // // Elements: // protocol - *TCCIPsec_Protocol*: // The security protocol to use // mode - *TCCIPsec_Mode*: // IPsec mode // level - *TCCIPsec_RuleLevel*: // rule level // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record TCCIPsec_Rule { TCCIPsec_Protocol protocol, TCCIPsec_Mode mode, TCCIPsec_RuleLevel level }; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_ExtensionList // // Purpose: // Defines a list of IPsec rules // // Elements: // record of *TCCIPsec_Rule* // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type record of TCCIPsec_Rule TCCIPsec_RuleList; /////////////////////////////////////////////////////////////////////////////// // Type: TCCIPsec_RuleLevel // // Purpose: // Defines a union for storing a policy rule. // // Elements: // discard - *TCCIPsec_DiscardRule*: // The discard policy rule // noneRule - *TCCIPsec_NoneRule* // The none policy rule // require - *TCCIPsec_RequireLevel* // The require level // ipSec - *TCCIPsec_RuleList* // A list of IPsec policy rules // // Detailed Comments: // - // /////////////////////////////////////////////////////////////////////////////// type union TCCIPsec_PolicyRule { TCCIPsec_DiscardRule discard, TCCIPsec_NoneRule noneRule, TCCIPsec_RuleList ipSec }; } // TCCIPsec_Definitions