1 /*
2 * Copyright (C) 2013 Texas Instruments Incorporated - http://www.ti.com/
3 *
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the
15 * distribution.
16 *
17 * Neither the name of Texas Instruments Incorporated nor the names of
18 * its contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 *
33 */
35 /* Standard includes */
36 #include <stdio.h>
37 #include <arpa/inet.h>
38 #include <inttypes.h>
40 /* ipsecmgr includes */
41 #include <ipsecmgr_snoop.h>
42 #include <ipsecmgr_syslog.h>
44 #include "netapilib_interface.h"
47 extern ipsecMgrMcb_t globalDB;
48 extern NETAPI_T netapi_handle;
49 extern ipsecMgrIfConfigEntry_T ipConfigList[];
/*
 * Compare two IP addresses byte by byte.
 *
 * ip1, ip2 - address buffers. No length is passed in, so the caller must
 *            supply at least NWAL_IPV4_ADDR_SIZE bytes when ip_type is
 *            nwal_IPV4 and NWAL_IPV6_ADDR_SIZE bytes for any other ip_type.
 * ip_type  - nwal_IPV4 selects the IPv4 length; every other value is
 *            compared as an IPv6 address.
 *
 * Returns 1 when every compared byte matches, 0 at the first mismatch.
 */
int compareIPAddr(unsigned char* ip1, unsigned char* ip2, int ip_type)
{
    int len = (ip_type == nwal_IPV4) ? NWAL_IPV4_ADDR_SIZE : NWAL_IPV6_ADDR_SIZE;
    int pos = 0;

    while (pos < len)
    {
        if (ip1[pos] != ip2[pos])
        {
            return 0;
        }
        pos++;
    }
    return 1;
}
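/**************************************************************************
 * FUNCTION PURPOSE: Internal function to find a free slot to store APPID
 *                   in list
 **************************************************************************
 * DESCRIPTION: Scans the first 64 entries of pList for one whose in_use
 *  flag is clear, marks that entry in use (a reservation that is still
 *  pending creation of the SA) and returns its index.
 *
 *  pList - start of the application-id table; the scan always covers 64
 *          entries (assumes the table is at least that large - TODO
 *          confirm against the declaration of ipsecMgrMcb_t).
 *
 *  Returns the reserved index (0..63), or -1 when all 64 entries are in
 *  use. The caller owns the reservation and must clear in_use again if
 *  the SA is not created after all, otherwise the slot stays lost.
 ********************************************************************/
int findFreeAppIdSlot(ipsecMgrAppId_T *pList)
{
    int i;

    for (i = 0; i < 64; i++)
    {
        if (!pList[i].in_use)
        {
            /* The original guarded this store with `if (free)`, but this
             * function has no parameter or local called `free`: the name
             * could only resolve to the C library's free(), whose address
             * is never null, so the test was always true (and a compile
             * error wherever free() is not declared). Reserve the slot
             * unconditionally, which is what the code effectively did. */
            pList[i].in_use = 1;
            return i;
        }
    }
    return -1;
}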
/********************************************************************
 * FUNCTION PURPOSE: Internal function to find a SA app id in SA list
 *                   and free SA Slot entry if specified
 ********************************************************************
 * DESCRIPTION: Looks through the first 64 entries of pList for an entry
 *  that is in use and carries the given saAppId.
 *
 *  pList   - start of the application-id table (64 entries are scanned)
 *  saAppId - application id to look for
 *  free    - non-zero: clear the in_use flag of the matching entry
 *
 *  Returns the index of the matching entry, or -1 when none matches.
 ********************************************************************/
int findAppIdSlot(ipsecMgrAppId_T *pList, uint32_t saAppId, int free)
{
    int idx = 0;

    while (idx < 64)
    {
        ipsecMgrAppId_T *entry = &pList[idx];

        if (entry->in_use && (entry->saAppId == saAppId))
        {
            if (free)
            {
                /* Release the slot; the other fields are left as they are. */
                entry->in_use = 0;
            }
            return idx;
        }
        idx++;
    }
    return -1;
}
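/**************************************************************************
 * FUNCTION PURPOSE: The function is used to translate the SA configuration
 * parameters received from the IPSec Snooper and call the NETAPI function
 * to create a security association
 **************************************************************************
 * DESCRIPTION: Copies addresses, SPI, direction, replay window, protocol,
 *  mode and algorithm selections from sa_id / sa_info into a
 *  NETAPI_SEC_SA_INFO_T, reserves a slot in globalDB.rx_sa (inbound) or
 *  globalDB.tx_sa (outbound) and calls netapi_secAddSA().
 *
 *  af           - IPSECMGR_AF_IPV4 or IPSECMGR_AF_IPV6
 *  sa_id        - destination address, SPI and protocol of the SA
 *  sa_info      - source address, direction, mode, algorithms and keys
 *  dscp_map_cfg - not used by this function
 *  if_name      - not used by this function
 *  encap        - not used by this function
 *  sa_handle    - out: application id returned by netapi_secAddSA()
 *
 *  Returns 0 on success. Returns -1 when a parameter is rejected, no slot
 *  is free, or netapi_secAddSA() reports an error; in those cases the
 *  reserved slot is released again and *sa_handle is not written.
 *
 *  Key bytes are only passed on by pointer; they are never copied or
 *  logged here.
 ********************************************************************/
int netapilib_ifAddSA
(
    ipsecmgr_af_t               af,
    ipsecmgr_sa_id_t            *sa_id,
    ipsecmgr_sa_info_t          *sa_info,
    ipsecmgr_sa_dscp_map_cfg_t  *dscp_map_cfg,
    ipsecmgr_ifname_t           *if_name,
    ipsecmgr_sa_encap_tmpl_t    *encap,
    ipsecmgr_fp_handle_t        *sa_handle
)
{
    int error, index, slot;
    NETAPI_SEC_SA_INFO_T saInfo;
    nwalSecKeyParams_t keyParams;
    void * p_rx_inflow_mode_handle;
    void * p_tx_inflow_mode_handle;
    NETCP_CFG_ROUTE_T route;
    NETCP_CFG_FLOW_T flow;
    NETCP_CFG_ROUTE_HANDLE_T routeHandle = (NETCP_CFG_ROUTE_HANDLE_T)NULL;
    /* Slot reserved for this SA; NULL until a reservation has been made. */
    ipsecMgrAppId_T *reserved = NULL;
    /* The original read `iface` without ever assigning it (undefined
     * behaviour, and an arbitrary value stored in the SA table). This
     * variant always routes through flowId[0] / pktio_channel[0], so the
     * matching interface index is 0. */
    int iface = 0;
    cpu_set_t cpu_set;

    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                         "netapilib_ifAddSA:, DEBUG: Translating SA\n");

    /* Hand hplib a CPU set holding only core 0 (original note: assign main
     * net_test thread to run on core 0). */
    CPU_ZERO( &cpu_set);
    CPU_SET( 0, &cpu_set);
    hplib_utilSetupThread(0, &cpu_set, hplib_spinLock_Type_LOL);

    memset((void *)&saInfo, 0, sizeof (NETAPI_SEC_SA_INFO_T));
    memset((void *)&keyParams, 0, sizeof (nwalSecKeyParams_t));
    memset((void *)&route, 0, sizeof (NETCP_CFG_ROUTE_T));
    memset((void *)&flow, 0, sizeof (NETCP_CFG_FLOW_T));

    /* Initialize the SA Config structure. */
    /* Get the IP protocol version. */
    if (af == IPSECMGR_AF_IPV4)
    {
        saInfo.ipType = nwal_IPV4;
        /* Populate the source and destination IP addresses. */
        for (index = 0; index < NWAL_IPV4_ADDR_SIZE; index++)
        {
            saInfo.dst.ipv4[index] = sa_id->daddr.ipv4[index];
            saInfo.src.ipv4[index] = sa_info->saddr.ipv4[index];
        }
    }
    else if (af == IPSECMGR_AF_IPV6)
    {
        saInfo.ipType = nwal_IPV6;
        /* Populate the source and destination IP addresses. */
        for (index = 0; index < NWAL_IPV6_ADDR_SIZE; index++)
        {
            saInfo.dst.ipv6[index] = sa_id->daddr.ipv6[index];
            saInfo.src.ipv6[index] = sa_info->saddr.ipv6[index];
        }
    }
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Address family (%d) is invalid\n", af);
        return -1;
    }

    /* Get the SPI. */
    saInfo.spi = sa_id->spi;

    /* Get the SA direction. */
    if (sa_info->dir == DIR_INBOUND)
    {
        slot = findFreeAppIdSlot(&globalDB.rx_sa[0]);
        if (slot == -1)
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifAddSA:, Too many INBOUND SAs already offloaded\n");
            return -1;
        }
        reserved = &globalDB.rx_sa[slot];
        /* A reused slot must not inherit the policy id of the SA that held
         * it before; netapilib_ifDeleteSA() deletes whatever policy id it
         * finds here. */
        reserved->spAppId = 0;

        saInfo.dir = NWAL_SA_DIR_INBOUND;
        reserved->iface = iface;
        flow.dma_engine= 1;
        flow.flowid = globalDB.flowId[0];
        printf("add_sa: iface: %d, flowid: %d\n",
               iface,
               flow.flowid);

        route.p_flow = &flow;
        route.p_dest_q = globalDB.pktio_channel[0];

        /* NOTE(review): %x expects an unsigned int; confirm the types of
         * p_dest_q and flowid match, or switch to %p / a cast. */
        printf("add_sa: p_dest_q: 0x%x, flowId: 0x%x\n",
               route.p_dest_q,
               route.p_flow->flowid);

        route.valid_params |= NETCP_CFG_VALID_PARAM_ROUTE_TYPE;
        route.routeType = NWAL_ROUTE_RX_INTF;
        /* Only inbound SAs are given a route. */
        routeHandle = (NETCP_CFG_ROUTE_HANDLE_T)&route;
    }
    else if (sa_info->dir == DIR_OUTBOUND)
    {
        slot = findFreeAppIdSlot(&globalDB.tx_sa[0]);
        if (slot == -1)
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifAddSA:, Too many OUTBOUND SAs already offloaded\n");
            return -1;
        }
        reserved = &globalDB.tx_sa[slot];
        saInfo.dir = NWAL_SA_DIR_OUTBOUND;
    }
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: IPSec direction (%d) is invalid\n", sa_info->dir);
        return -1;
    }

    /* From here on a slot is reserved: every failure leaves through `fail`
     * so the slot is released. The original returned directly and leaked
     * one of the 64 slots per rejected request, until no SA could be
     * offloaded any more. */

    /* Get the replay Window */
    saInfo.replayWindow = sa_info->replay_window;

    /* Get the IPSec protocol. */
    if (sa_id->proto == SA_PROTO_AH)
        saInfo.proto = nwal_IpSecProtoAH;
    else if (sa_id->proto == SA_PROTO_ESP)
        saInfo.proto = nwal_IpSecProtoESP;
    else
    {
        ipsecmgr_syslog_msg(SYSLOG_LEVEL_INFO,
                            "netapilib_ifAddSA: IPSec protocol (%d) is invalid.\n", sa_id->proto);
        goto fail;
    }

    /* Get the IPSec mode. */
    if (sa_info->mode == SA_MODE_TRANSPORT)
        saInfo.saMode = nwal_SA_MODE_TRANSPORT;
    else if (sa_info->mode == SA_MODE_TUNNEL)
        saInfo.saMode = nwal_SA_MODE_TUNNEL;
    else
    {
        ipsecmgr_syslog_msg(SYSLOG_LEVEL_INFO,
                            "netapilib_ifAddSA: IPSec mode (%d) is invalid.\n", sa_info->mode);
        goto fail;
    }

    /* Get the authentication mode algorithm. */
    if (sa_info->auth.algo == SA_AALG_HMAC_SHA1)
        saInfo.authMode = NWAL_SA_AALG_HMAC_SHA1;
    else if (sa_info->auth.algo == SA_AALG_HMAC_MD5)
        saInfo.authMode = NWAL_SA_AALG_HMAC_MD5;
    else if (sa_info->auth.algo == SA_AALG_AES_XCBC)
        saInfo.authMode = NWAL_SA_AALG_AES_XCBC;
    else if (sa_info->auth.algo == SA_AALG_NONE || sa_info->auth.algo == SA_AALG_NULL)
        saInfo.authMode = NWAL_SA_AALG_NULL;
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                             "netapilib_ifAddSA: Authentication algorithm (%d) is invalid\n", sa_info->auth.algo);
        goto fail;
    }

    /* Get the encryption mode algorithm. */
    if (sa_info->enc.algo == SA_EALG_NULL)
        saInfo.cipherMode = NWAL_SA_EALG_NULL;
    else if (sa_info->enc.algo == SA_EALG_AES_CTR)
        saInfo.cipherMode = NWAL_SA_EALG_AES_CTR;
    else if (sa_info->enc.algo == SA_EALG_AES_CBC)
        saInfo.cipherMode = NWAL_SA_EALG_AES_CBC;
    else if (sa_info->enc.algo == SA_EALG_3DES_CBC)
        saInfo.cipherMode = NWAL_SA_EALG_3DES_CBC;
    else if (sa_info->enc.algo == SA_EALG_DES_CBC)
        saInfo.cipherMode = NWAL_SA_EALG_DES_CBC;
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Encryption algorithm (%d) is invalid\n", sa_info->enc.algo);
        goto fail;
    }

    /* Validate the key lengths.
     * NOTE(review): only the upper bound (32) is enforced. If the length
     * fields are signed, a negative value passes this test - confirm their
     * type. The lengths are also not checked against the selected
     * algorithm. */
    if ((keyParams.macKeySize = sa_info->auth_key_len) > 32)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Authentication key size (%d) is invalid.\n", sa_info->auth_key_len);
        goto fail;
    }
    if ((keyParams.encKeySize = sa_info->enc_key_len) > 32)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Encryption key size (%d) is invalid.\n", sa_info->enc_key_len);
        goto fail;
    }

    /* Get the authentication/encryption keys (by reference, no copy). */
    keyParams.pAuthKey = &sa_info->auth_key[0];
    keyParams.pEncKey = &sa_info->enc_key[0];

    /* Inbound == RX (with route), OUTBOUND == TX (NULL route). */
    reserved->saAppId = netapi_secAddSA(netapi_handle,
                                        NETCP_CFG_NO_INTERFACE,
                                        &saInfo,
                                        &keyParams,
                                        NETAPI_SEC_SA_INFLOW,
                                        routeHandle,
                                        &p_rx_inflow_mode_handle,
                                        &p_tx_inflow_mode_handle,
                                        NULL, &error);
    if (error != NETAPI_ERR_OK)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: netapi_secAddSA returned error: %d.\n",
                             error);
        goto fail;
    }
    *sa_handle = reserved->saAppId;

    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                         "netapilib_ifAddSA: Translation of SA successful, app_id: 0x%x\n", *sa_handle);

    /* SA was created successfully. */
    return 0;

fail:
    /* No SA exists for the reserved slot, so hand it back. */
    reserved->in_use = 0;
    return -1;
}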
#if 0
/**************************************************************************
 * FUNCTION PURPOSE: The function is used to translate the SA configuration
 * parameters received from the IPSec Snooper and call the NETAPI function
 * to create a security association
 **************************************************************************
 * This copy is compiled out by the surrounding #if 0. It differs from the
 * active netapilib_ifAddSA() in the inbound branch: it looks up the
 * interface whose address in ipConfigList[] equals the SA destination
 * address, derives an interface number from the interface name and uses
 * that number to index globalDB.flowId[] and globalDB.pktio_channel[].
 *
 * NOTE(review): the lookup has several unchecked steps, marked below. They
 * need fixing before this variant is enabled again.
 ********************************************************************/
int netapilib_ifAddSA
(
    ipsecmgr_af_t               af,
    ipsecmgr_sa_id_t            *sa_id,
    ipsecmgr_sa_info_t          *sa_info,
    ipsecmgr_sa_dscp_map_cfg_t  *dscp_map_cfg,
    ipsecmgr_ifname_t           *if_name,
    ipsecmgr_sa_encap_tmpl_t    *encap,
    ipsecmgr_fp_handle_t        *sa_handle
)
{
    int i;
    /* auth_key, encr_key and pSaHandle are declared but never used. */
    uint8_t auth_key[36];
    uint8_t encr_key[36];
    int error, index,slot;
    NETAPI_SEC_SA_INFO_T saInfo;
    nwalSecKeyParams_t keyParams;
    void * p_rx_inflow_mode_handle;
    void * p_tx_inflow_mode_handle;
    NETCP_CFG_ROUTE_T route;
    NETCP_CFG_FLOW_T flow;
    NETCP_CFG_SA_HANDLE_T pSaHandle;
    char* pTok = NULL;
    /* Not initialized; only the sscanf() calls below may assign it. */
    int iface;
    cpu_set_t cpu_set;
    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                         "netapilib_ifAddSA:, DEBUG: Translating SA\n");

    /* assign main net_test thread to run on core 0 */
    CPU_ZERO( &cpu_set);
    CPU_SET( 0, &cpu_set);
    hplib_utilSetupThread(0, &cpu_set, hplib_spinLock_Type_LOL);

    memset((void *)&saInfo, 0, sizeof (NETAPI_SEC_SA_INFO_T));
    memset((void *)&keyParams, 0, sizeof (nwalSecKeyParams_t));
    memset((void *)&route, 0, sizeof (NETCP_CFG_ROUTE_T));
    memset((void *)&flow, 0, sizeof (NETCP_CFG_FLOW_T));

    /* Initialize the SA Config structure. */
    /* Get the IP protocol version. */
    if (af == IPSECMGR_AF_IPV4)
    {
        saInfo.ipType = nwal_IPV4;
        /* Populate the source and destination IP addresses. */
        for (index = 0; index < NWAL_IPV4_ADDR_SIZE; index++)
        {
            saInfo.dst.ipv4[index] = sa_id->daddr.ipv4[index];
            saInfo.src.ipv4[index] = sa_info->saddr.ipv4[index];
        }
    }
    else if (af == IPSECMGR_AF_IPV6)
    {
        saInfo.ipType = nwal_IPV6;

        /* Populate the source and destination IP addresses. */
        for (index = 0; index < NWAL_IPV6_ADDR_SIZE; index++)
        {
            saInfo.dst.ipv6[index] = sa_id->daddr.ipv6[index];
            saInfo.src.ipv6[index] = sa_info->saddr.ipv6[index];
        }
    }
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Address family (%d) is invalid\n", af);
        return -1;
    }
    /* Get the SPI. */
    saInfo.spi = sa_id->spi;

    /* Get the SA direction. */
    if (sa_info->dir == DIR_INBOUND)
    {
        /* The slot is reserved here; none of the `return -1` paths further
         * down releases it again. */
        slot = findFreeAppIdSlot(&globalDB.rx_sa[0]);
        if (slot == -1)
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifAddSA:, Too many INBOUND SAs already offloaded\n");
            return -1;
        }
        saInfo.dir = NWAL_SA_DIR_INBOUND;
        /* need to check which interface this SA will be attached to */
        /* NOTE(review): scans 16 entries; assumes ipConfigList[] has at
         * least that many - confirm. If no entry matches, the loop ends with
         * route and flow still zeroed and iface unassigned, and the SA is
         * added anyway. */
        for (i=0;i<16;i++)
        {
#if 1
            /* get interface for destination ip address */
            if (compareIPAddr(&ipConfigList[i].ip[0],
                              saInfo.ipType == nwal_IPV4 ?
                              &saInfo.dst.ipv4[0]:
                              &saInfo.dst.ipv6[0],
                              saInfo.ipType))
            {
                /* NOTE(review): strtok() writes a terminator into
                 * ipConfigList[i].name, so the stored name is cut at the
                 * first ':' or '.' for every later user, and strtok() keeps
                 * static state between calls. */
                pTok = strtok(ipConfigList[i].name, ":.");
                /* now we have the interface name, is this eth0 or eth1 */
                /* NOTE(review): when pTok is NULL nothing assigns iface, yet
                 * the code after #endif still uses it. */
                if (pTok)
                {
                    /* now we have interface name, now find the i/f number */
                    /* NOTE(review): strstr() matches "eth"/"br" anywhere in
                     * the token while the sscanf() formats require it at the
                     * start, and the sscanf() results are not checked; a
                     * failed conversion leaves iface unassigned. */
                    if(strstr(pTok,"eth"))
                    {
                        sscanf(pTok,"eth%d", &iface);
                    }
                    else if(strstr(pTok,"br"))
                    {
                        sscanf(pTok,"br%d", &iface);
                    }
                    else
                    {
                        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                             "netapilib_ifAddSA: invalid interface\n");
                        return -1;
                    }
                }
#endif
                /* NOTE(review): iface comes straight from the interface name
                 * and indexes globalDB.flowId[] and
                 * globalDB.pktio_channel[] without a range check; a negative
                 * or large number reads outside those arrays. */
                globalDB.rx_sa[slot].iface = iface;
                flow.dma_engine= 1;
                flow.flowid = globalDB.flowId[iface];
                printf("add_sa: iface: %d, flowid: %d\n",
                       iface,
                       flow.flowid);

                route.p_flow = &flow;
                route.p_dest_q = globalDB.pktio_channel[iface];

                printf("add_sa: p_dest_q: 0x%x, flowId: 0x%x\n",
                       route.p_dest_q,
                       route.p_flow->flowid);

                route.valid_params |= NETCP_CFG_VALID_PARAM_ROUTE_TYPE;
                route.routeType = NETCP_CFG_ROUTE_RX_INTF_W_FLOW;
                printf("add_sa: pktio_handle: 0x%x\n", globalDB.pktio_channel[iface]);
                /* First matching interface wins. */
                break;
            }
        }
    }
    else if (sa_info->dir == DIR_OUTBOUND)
    {
        slot = findFreeAppIdSlot(&globalDB.tx_sa[0]);
        if (slot == -1)
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifAddSA:, Too many OUTBOUND SAs already offloaded\n");
            return -1;
        }
        saInfo.dir = NWAL_SA_DIR_OUTBOUND;
    }
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: IPSec direction (%d) is invalid\n", sa_info->dir);
        return -1;
    }

    /* Get the replay Window */
    saInfo.replayWindow = sa_info->replay_window;

    /* Get the IPSec protocol. */
    if (sa_id->proto == SA_PROTO_AH)
        saInfo.proto = nwal_IpSecProtoAH;
    else if (sa_id->proto == SA_PROTO_ESP)
        saInfo.proto = nwal_IpSecProtoESP;
    else
    {
        ipsecmgr_syslog_msg(SYSLOG_LEVEL_INFO,
                            "netapilib_ifAddSA: IPSec protocol (%d) is invalid.\n", sa_id->proto);
        return -1;
    }
    /* Get the IPSec mode. */
    if (sa_info->mode == SA_MODE_TRANSPORT)
        saInfo.saMode = nwal_SA_MODE_TRANSPORT;
    else if (sa_info->mode == SA_MODE_TUNNEL)
        saInfo.saMode = nwal_SA_MODE_TUNNEL;
    else
    {
        ipsecmgr_syslog_msg(SYSLOG_LEVEL_INFO,
                            "netapilib_ifAddSA: IPSec mode (%d) is invalid.\n", sa_info->mode);
        return -1;
    }
    /* Get the authentication mode algorithm. */
    if (sa_info->auth.algo == SA_AALG_HMAC_SHA1)
        saInfo.authMode = NWAL_SA_AALG_HMAC_SHA1;
    else if (sa_info->auth.algo == SA_AALG_HMAC_MD5)
        saInfo.authMode = NWAL_SA_AALG_HMAC_MD5;
    else if (sa_info->auth.algo == SA_AALG_AES_XCBC)
        saInfo.authMode = NWAL_SA_AALG_AES_XCBC;
    else if (sa_info->auth.algo == SA_AALG_NONE || sa_info->auth.algo == SA_AALG_NULL)
        saInfo.authMode = NWAL_SA_AALG_NULL;
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                             "netapilib_ifAddSA: Authentication algorithm (%d) is invalid\n", sa_info->auth.algo);
        return -1;
    }

    /* Get the encryption mode algorithm. */
    if (sa_info->enc.algo == SA_EALG_NULL)
        saInfo.cipherMode = NWAL_SA_EALG_NULL;
    else if (sa_info->enc.algo == SA_EALG_AES_CTR)
        saInfo.cipherMode = NWAL_SA_EALG_AES_CTR;
    else if (sa_info->enc.algo == SA_EALG_AES_CBC)
        saInfo.cipherMode = NWAL_SA_EALG_AES_CBC;
    else if (sa_info->enc.algo == SA_EALG_3DES_CBC)
        saInfo.cipherMode = NWAL_SA_EALG_3DES_CBC;
    else if (sa_info->enc.algo == SA_EALG_DES_CBC)
        saInfo.cipherMode = NWAL_SA_EALG_DES_CBC;
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Encryption algorithm (%d) is invalid\n", sa_info->enc.algo);
        return -1;
    }
    /* Validate the key lengths. Only the upper bound of 32 is enforced. */
    if ((keyParams.macKeySize = sa_info->auth_key_len) > 32)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Authentication key size (%d) is invalid.\n", sa_info->auth_key_len);
        return -1;
    }
    if ((keyParams.encKeySize = sa_info->enc_key_len) > 32)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSA: Encryption key size (%d) is invalid.\n", sa_info->enc_key_len);
        return -1;
    }

    /* Get the authentication/encryption keys. */
    keyParams.pAuthKey = &sa_info->auth_key[0];
    keyParams.pEncKey = &sa_info->enc_key[0];

    if (saInfo.dir == NWAL_SA_DIR_INBOUND)
    {
        /* Inbound == RX */
        globalDB.rx_sa[slot].saAppId = netapi_secAddSA(netapi_handle,
                                                       NETCP_CFG_NO_INTERFACE,
                                                       &saInfo,
                                                       &keyParams,
                                                       NETAPI_SEC_SA_INFLOW,
                                                       (NETCP_CFG_ROUTE_HANDLE_T)&route,
                                                       &p_rx_inflow_mode_handle,
                                                       &p_tx_inflow_mode_handle,
                                                       NULL, &error);

        if (error == NETAPI_ERR_OK)
        {
            *sa_handle = globalDB.rx_sa[slot].saAppId;
        }
        else
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifAddSA: netapi_secAddSA returned error: %d.\n",
                                 error);
            return -1;
        }
    }
    else
    {
        /* OUTBOUND == TX */
        globalDB.tx_sa[slot].saAppId = netapi_secAddSA(netapi_handle,
                                                       NETCP_CFG_NO_INTERFACE,
                                                       &saInfo,
                                                       &keyParams,
                                                       NETAPI_SEC_SA_INFLOW,
                                                       (NETCP_CFG_ROUTE_HANDLE_T)NULL,
                                                       &p_rx_inflow_mode_handle,
                                                       &p_tx_inflow_mode_handle,
                                                       NULL, &error);
        if (error == NETAPI_ERR_OK)
        {
            *sa_handle = globalDB.tx_sa[slot].saAppId;
        }
        else
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifAddSA: netapi_secAddSA returned error: %d.\n",
                                 error);
            return -1;
        }
    }

    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                         "netapilib_ifAddSA: Translation of SA successful, app_id: 0x%x\n", *sa_handle);

    /* SA was created successfully. */
    return 0;
}

#endif
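/**************************************************************************
 * FUNCTION PURPOSE: The function is used to translate the SA configuration
 * parameters received from the IPSec Snooper and call the NETAPI function
 * to delete a security association
 **************************************************************************
 * DESCRIPTION: Looks sa_handle up in globalDB.rx_sa, then in
 *  globalDB.tx_sa, releasing the table slot it is found in. For an RX SA
 *  an attached RX policy is deleted first; the SA itself is then deleted
 *  with netapi_secDelSA().
 *
 *  sa_handle - application id handed out by netapilib_ifAddSA()
 *
 *  Returns the error value written by netapi_secDelSA(), or -1 when
 *  sa_handle is in neither table.
 ********************************************************************/
int netapilib_ifDeleteSA (ipsecmgr_fp_handle_t sa_handle)
{
    int error = NETAPI_ERR_OK;
    int slot;
    cpu_set_t cpu_set;

    /* Hand hplib a CPU set holding only core 0 (original note: assign main
     * net_test thread to run on core 0). */
    CPU_ZERO( &cpu_set);
    CPU_SET( 0, &cpu_set);
    hplib_utilSetupThread(0, &cpu_set, hplib_spinLock_Type_LOL);

    /* Determine if rx_sa or tx_sa is being deleted; the lookup also
     * releases the slot (third argument). */
    slot = findAppIdSlot(&globalDB.rx_sa[0],sa_handle, 1);
    if (slot != -1)
    {
        /* found rx SA, see if there is policy associated with rx SA
           if so, then delete it first */
        if (globalDB.rx_sa[slot].spAppId)
        {
            netapi_secDelRxPolicy(netapi_handle,
                                  (NETCP_CFG_IPSEC_POLICY_T) globalDB.rx_sa[slot].spAppId,
                                  &error);
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                                 "netapilib_ifDeleteSA: SP deleted: sp_app_id: 0x%x, slot: %d, error: %d\n",
                                 globalDB.rx_sa[slot].spAppId, slot, error);
            /* The slot is free for reuse now; do not leave a policy id
             * behind that a later SA in this slot would appear to own. */
            globalDB.rx_sa[slot].spAppId = 0;
        }
    }
    else
    {
        /* not rx SA, check for tx_sa */
        slot = findAppIdSlot(&globalDB.tx_sa[0], sa_handle, 1);
        if (slot == -1)
        {
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                                 "netapilib_ifDeleteSA: sa_app_id 0x%x not found in internal list\n",
                                 sa_handle);
            return -1;
        }
    }

    /* Delete the SA for both directions. The original made this call for
     * an RX SA only when a policy was attached: an RX SA without a policy
     * lost its table slot but was never removed through NETAPI, and the
     * function then returned an uninitialized `error`. */
    netapi_secDelSA(netapi_handle,
                    NETCP_CFG_NO_INTERFACE,
                    (NETCP_CFG_SA_T) sa_handle,
                    &error);
    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                         "netapilib_ifDeleteSA: SA deleted: sa_app_id: 0x%x, slot: %d, error: %d\n",
                         sa_handle, slot, error);

    return error;
}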
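/**************************************************************************
 * FUNCTION PURPOSE: The function is used to translate the SP configuration
 * parameters received from the IPSec Snooper and call the NETAPI function
 * to create a security policy
 **************************************************************************
 * DESCRIPTION: Only does work when ENABLE_ADD_POLICY is defined. For an
 *  inbound policy it finds the RX SA slot that holds sa_handle, builds a
 *  route from the interface recorded in that slot and calls
 *  netapi_secAddRxPolicy() with the selector addresses.
 *
 *  af        - IPSECMGR_AF_IPV4 or IPSECMGR_AF_IPV6
 *  sel       - selector supplying source and destination address
 *  dir       - DIR_OUTBOUND returns 0 at once (no RX policy required)
 *  reqid     - not used by this function
 *  sa_handle - application id of the SA the policy belongs to
 *  policy_id - not used by this function
 *  sp_handle - out: policy application id; written only when a policy was
 *              actually added
 *
 *  Returns 0 on success, for outbound policies and when ENABLE_ADD_POLICY
 *  is not defined (*sp_handle is left untouched in the last two cases).
 *  Returns -1 when the SA is unknown, af is invalid or NETAPI reports an
 *  error.
 ********************************************************************/
int32_t netapilib_ifAddSP
(
    ipsecmgr_af_t           af,
    ipsecmgr_selector_t     *sel,
    ipsecmgr_dir_t          dir,
    uint32_t                reqid,
    ipsecmgr_fp_handle_t    sa_handle,
    ipsecmgr_policy_id_t    policy_id,
    ipsecmgr_fp_handle_t    *sp_handle
)
{
#ifdef ENABLE_ADD_POLICY
#warning "ENABLE_ADD_POLICY"
    int error, index, slot;
    nwal_IpType ipType;
    nwalIpAddr_t src_ip_addr;
    nwalIpAddr_t dst_ip_addr;
    NETCP_CFG_ROUTE_T route;
    NETCP_CFG_FLOW_T flow;
    cpu_set_t cpu_set;

    /* Hand hplib a CPU set holding only core 0 (original note: assign main
     * net_test thread to run on core 0). */
    CPU_ZERO( &cpu_set);
    CPU_SET( 0, &cpu_set);
    hplib_utilSetupThread(0, &cpu_set, hplib_spinLock_Type_LOL);
    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,"netapilib_ifAddSP: called\n");

    if (dir == DIR_OUTBOUND)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                             "netapilib_ifAddSP: called for outbound SA, no RX policy required\n");
        return 0;
    }
    slot = findAppIdSlot(&globalDB.rx_sa[0],sa_handle, 0);
    if (slot == -1)
    {
        /* Log prefix corrected: the original attributed this function's
         * messages to netapilib_ifAddSA. */
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSP:, SA app_id not found\n");
        return -1;
    }

    /* Zero everything handed to NETAPI, as netapilib_ifAddSA() does. The
     * original left route, flow and the address buffers uninitialized, so
     * fields such as route.valid_params and the address bytes beyond an
     * IPv4 address carried stack garbage into netapi_secAddRxPolicy(). */
    memset((void *)&route, 0, sizeof (NETCP_CFG_ROUTE_T));
    memset((void *)&flow, 0, sizeof (NETCP_CFG_FLOW_T));
    memset((void *)&src_ip_addr, 0, sizeof (nwalIpAddr_t));
    memset((void *)&dst_ip_addr, 0, sizeof (nwalIpAddr_t));

    /* NOTE(review): the interface index is whatever netapilib_ifAddSA()
     * stored in the slot; it is not range-checked against flowId[] and
     * pktio_channel[] here. */
    flow.dma_engine= 1;
    flow.flowid = globalDB.flowId[globalDB.rx_sa[slot].iface];
    route.p_flow = &flow;
    route.p_dest_q = globalDB.pktio_channel[globalDB.rx_sa[slot].iface];

    /* Get the IP protocol version. */
    if (af == IPSECMGR_AF_IPV4)
    {
        ipType = nwal_IPV4;
        /* Populate the source and destination IP addresses. */
        for (index = 0; index < NWAL_IPV4_ADDR_SIZE; index++)
        {
            dst_ip_addr.ipv4[index] = sel->daddr.ipv4[index];
            src_ip_addr.ipv4[index] = sel->saddr.ipv4[index];
        }
    }
    else if (af == IPSECMGR_AF_IPV6)
    {
        ipType = nwal_IPV6;
        /* Populate the source and destination IP addresses. */
        for (index = 0; index < NWAL_IPV6_ADDR_SIZE; index++)
        {
            dst_ip_addr.ipv6[index] = sel->daddr.ipv6[index];
            src_ip_addr.ipv6[index] = sel->saddr.ipv6[index];
        }
    }
    else
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSP: Address family (%d) is invalid\n", af);
        return -1;
    }

    globalDB.rx_sa[slot].spAppId = netapi_secAddRxPolicy(netapi_handle,
                                                         (NETCP_CFG_SA_T) sa_handle,
                                                         ipType,
                                                         &src_ip_addr,
                                                         &dst_ip_addr,
                                                         NULL,
                                                         (NETCP_CFG_ROUTE_HANDLE_T)&route,
                                                         NULL,
                                                         &error);

    if (error != NETAPI_ERR_OK)
    {
        /* No policy exists: clear the id so netapilib_ifDeleteSA(), which
         * deletes any non-zero spAppId, does not act on a failed add. */
        globalDB.rx_sa[slot].spAppId = 0;
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                             "netapilib_ifAddSP: netapi_secAddRxPolicy returned error: %d.\n",
                             error);
        return -1;
    }
    *sp_handle = globalDB.rx_sa[slot].spAppId;

    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                         "netapilib_ifAddSP: Translation of SP successful, app_id: 0x%x\n", *sp_handle);

#endif
    return 0;
}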
/**************************************************************************
 * FUNCTION PURPOSE: The function is used to translate the SP configuration
 * parameters received from the IPSec Snooper and call the NETAPI function
 * to delete a security policy
 **************************************************************************
 * DESCRIPTION: Performs the per-call hplib thread setup and returns. No
 *  policy is deleted here; netapilib_ifDeleteSA() removes the RX policy
 *  together with its SA. The explicit deletion that used to live here is
 *  kept below, compiled out.
 *
 *  sp_handle, policy_id, dir - not used by the active code
 *
 *  Always returns 0.
 ********************************************************************/
int32_t netapilib_ifDeleteSP
(
    ipsecmgr_fp_handle_t    sp_handle,
    ipsecmgr_policy_id_t    policy_id,
    ipsecmgr_dir_t          dir
)
{
    cpu_set_t core0_only;

    /* Hand hplib a CPU set holding only core 0 (original note: assign main
     * net_test thread to run on core 0). */
    CPU_ZERO(&core0_only);
    CPU_SET(0, &core0_only);
    hplib_utilSetupThread(0, &core0_only, hplib_spinLock_Type_LOL);

    /* Security Policy is deleted as part of deleting SA */
    return 0;
#if 0
    int error =0;
    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,"netapilib_ifDeleteSP: called\n");

    if (dir == DIR_OUTBOUND)
    {
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                             "netapilib_ifDeleteSP: called for outbound SA, no RX policy to delete\n");
        return 0;
    }
    netapi_secDelRxPolicy(netapi_handle,
                          (NETCP_CFG_IPSEC_POLICY_T) sp_handle,
                          &error);

    return 0;
#endif
}
/**************************************************************************
 * FUNCTION PURPOSE: The function is used to translate the SA configuration
 * parameters received from the IPSec Snooper and retrieve SA context
 * information for SA.
 **************************************************************************
 * DESCRIPTION: Fetches the two software-info words of an SA through
 *  netapip_netcpCfgGetSaInflowInfo() and the rxSaPaFlowId through
 *  nwal_getGlobCxtInfo(), and stores them in *hw_ctx.
 *
 *  sa_handle - application id of the SA
 *  hw_ctx    - out: swinfo_sz (always 2), swinfo[0..1] and flow_id
 *
 *  Returns 0 on success, -1 when nwal_getGlobCxtInfo() fails. On failure
 *  the swinfo fields have already been written and flow_id has not.
 *  NOTE(review): any status from netapip_netcpCfgGetSaInflowInfo() is not
 *  examined; an unknown sa_handle presumably leaves both words at 0 -
 *  confirm.
 *************************************************************************/
int netapilib_ifGetSACtx
(
    ipsecmgr_fp_handle_t    sa_handle,
    ipsecmgr_sa_hw_ctx_t*   hw_ctx
)
{
    uint32_t sw0 = 0;
    uint32_t sw1 = 0;
    nwalGlobCxtInfo_t ctxInfo;
    nwal_RetValue rc;
    NETAPI_HANDLE_T *pHandle;

    memset(&ctxInfo, 0, sizeof(nwalGlobCxtInfo_t));
    pHandle = (NETAPI_HANDLE_T *) netapi_handle;
    ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,"netapilib_ifGetSACtx: called\n");

    netapip_netcpCfgGetSaInflowInfo(&netapi_get_global()->nwal_context,
                                    (NETCP_CFG_SA_T) sa_handle,
                                    &sw0,
                                    &sw1);

    /* Two software-info words are always reported. */
    hw_ctx->swinfo_sz = 2;
    hw_ctx->swinfo[0] = sw0;
    hw_ctx->swinfo[1] = sw1;

    rc = nwal_getGlobCxtInfo(((NETAPI_GLOBAL_T*) (pHandle->global))->nwal_context.nwalInstHandle,
                             &ctxInfo);
    if (rc == nwal_OK)
    {
        hw_ctx->flow_id = ctxInfo.rxSaPaFlowId;

        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                             "netapilib_ifGetSACtx: rxPaSaflowId: 0x%x, rxSaPaflowId: 0x%x\n",
                             ctxInfo.rxPaSaFlowId,
                             ctxInfo.rxSaPaFlowId);
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                             "netapilib_ifGetSACtx: swInfo0: 0x%x, swInfo1: 0x%x, flowId: 0x%x\n",
                             hw_ctx->swinfo[0],
                             hw_ctx->swinfo[1],
                             hw_ctx->flow_id);

        /* return success */
        return 0;
    }

    ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
                         "netapilib_ifGetSACtx: nwal_getGlobCxtInfo returned error: 0x%x\n", rc);
    return -1;
}