raw | patch | inline | side by side (parent: 9ba8688)
author | Tinku Mannan <tmannan@ti.com> | |
Wed, 14 Nov 2012 22:30:18 +0000 (17:30 -0500) | ||
committer | Tinku Mannan <tmannan@ti.com> | |
Wed, 14 Nov 2012 22:30:18 +0000 (17:30 -0500) |
index d341dce1b9d0b78983015edaecfaf6c922d4ad24..a60263af5b9626ad350929d55f7a075802f4e26e 100755 (executable)
* @def TUNE_NETAPI_MAX_SA
* This defines the maximum number of security associations
*/
-#define TUNE_NETAPI_MAX_SA 8 //rx&tx combined (so MAX_SA/4 tunnels typically)
+#define TUNE_NETAPI_MAX_SA 64 //rx&tx combined (so MAX_SA/4 tunnels typically)
/**
* @ingroup tune_parameters
* @def TUNE_NETAPI_MAX_POLICY
* This defines the maximum number of security policies.
*/
-#define TUNE_NETAPI_MAX_POLICY 8 //rx policies
+#define TUNE_NETAPI_MAX_POLICY 64 //rx policies
#endif
index 84bc14ff052ff8222b512c1446dbe709113e9d36..70fba462d83034cf3d3a880997cd2efa0c7c30c3 100755 (executable)
* @def NETCP_CFG_CLASS_TYPE_L4
* @ingroup cfg_constants
* This defines classifier type to be Class L4. Class L4 classifiers specifiy the L4 protocol information of the packets to matched; the L2,L3 portions of the classifier are implied by supplied handles from the mac interface create and IP Add APIs
+ */
#define NETCP_CFG_CLASS_TYPE_L4 0
/**
index 388e2e19052489a86ccd1ed8e4494c157f3fd486..624623783b7127fdad4e6fbbc354fa42eb5b10f6 100755 (executable)
nwal_TransID_t trans_id;
unsigned int appId = NETAPI_NETCP_MATCH_IPSEC | iface_no;
int tunnelId;
-nwalSaIpSecId_t saInfo;
+nwalSaIpSecId_t nwalSaIpSecId;
int have_to_wait=1;
nwalCreateSAParams_t createParam =
{
NWAL_SA_DIR_INBOUND,
0,
0,
- NWAL_SA_AALG_HMAC_SHA1, /* update from input */
- NWAL_SA_EALG_AES_CTR, /* update from input */
+ NWAL_SA_AALG_HMAC_SHA1, //update
+ NWAL_SA_EALG_AES_CTR, //update
{ 0x00}, /* remMacAddr: NA */
- 12, /* update from input, mac size */
+ 12, /* macSize */
NWAL_MATCH_ACTION_CONTINUE_NEXT_ROUTE, /* Continue parsing to next route for match */
NWAL_NEXT_ROUTE_FAIL_ACTION_HOST, /* For next route fail action by default is route to host */
CPPI_PARAM_NOT_SPECIFIED, /* Use default flow configured to NWAL if packet is routed to host */
pTransInfo->netapi_handle = h;
/* build SA parameters */
- saInfo.spi = sa_info->spi;
- memcpy(&saInfo.dst, &sa_info->dst, sizeof( nwalIpAddr_t));
- memcpy(&saInfo.src, &sa_info->src, sizeof( nwalIpAddr_t));
- saInfo.proto = sa_info->proto;
+ memset(&nwalSaIpSecId, 0, sizeof(nwalSaIpSecId_t));
+ nwalSaIpSecId.spi = sa_info->spi;
+ memcpy(&nwalSaIpSecId.dst, &sa_info->dst, sizeof( nwalIpAddr_t));
+ memcpy(&nwalSaIpSecId.src, &sa_info->src, sizeof( nwalIpAddr_t));
+ nwalSaIpSecId.proto = sa_info->proto;
createParam.macHandle = mac_handle;
createParam.ipType = sa_info->ipType;
//memcpy(&createParam.saIpSecParam.src,&sa_info->src, sizeof(nwalIpAddr_t));
createParam.saIpSecParam.cipherMode = sa_info->cipherMode;
createParam.saIpSecParam.esnLo = sa_info->esnLo;
createParam.saIpSecParam.esnHi = sa_info->esnHi;
- if ((sa_info->cipherMode == NWAL_SA_EALG_AES_GCM) || (sa_info->cipherMode == NWAL_SA_EALG_AES_CCM))
- {
- createParam.saIpSecParam.macSize = 16;
- }
- if ((sa_info->authMode == NWAL_SA_AALG_NULL) &&
- (!((sa_info->cipherMode == NWAL_SA_EALG_AES_GCM) ||
- (sa_info->cipherMode == NWAL_SA_EALG_AES_CCM))))
- {
- createParam.saIpSecParam.replayWindow = 0;
- createParam.saIpSecParam.macSize = 0;
- }
+ if (sa_info->authMode == NWAL_SA_AALG_NULL)
+ {
+ createParam.saIpSecParam.replayWindow = 0;
+ createParam.saIpSecParam.macSize = 0;
+ }
memcpy(&createParam.keyParam,key_params,sizeof(nwalSecKeyParams_t));
if (route != NULL)
retValue = nwal_setSecAssoc (((NETAPI_GLOBAL_T*) (n->global))->nwal_context.nwalInstHandle,
trans_id,
(nwal_AppId) appId,
- &saInfo,
+ &nwalSaIpSecId,
&createParam,
&pTransInfo->handle);
if(retValue == nwal_TRANS_COMPLETE)
dmSaParam.dmSaParam.macSize=12; /**todo: pass in or deduce */
dmSaParam.dmSaParam.aadSize=0; /**todo: pass in or deduce */
dmSaParam.dmSaParam.enc1st = (sa_info->dir ==NWAL_SA_DIR_OUTBOUND) ? nwal_TRUE : nwal_FALSE; //encypt 1st for outbound
- if ((sa_info->cipherMode == NWAL_SA_EALG_AES_GCM) || (sa_info->cipherMode == NWAL_SA_EALG_AES_CCM))
- {
- dmSaParam.dmSaParam.macSize = 16;
- dmSaParam.dmSaParam.aadSize=8;
- /* Enc1st needs to always be true for combined mode algorithms */
- dmSaParam.dmSaParam.enc1st = nwal_TRUE;
- }
- else
- {
- dmSaParam.dmSaParam.macSize=12; /**todo: pass in or deduce */
- dmSaParam.dmSaParam.aadSize=0; /**todo: pass in or deduce */
- }
-
if (sa_info->authMode == NWAL_SA_AALG_NULL)
{
dmSaParam.dmSaParam.enc1st = nwal_TRUE;
tunnelId,
(sa_info->dir == NWAL_SA_DIR_INBOUND) ? TRUE: FALSE,
inflow_mode,
- &saInfo, &createParam,
+ &nwalSaIpSecId, &createParam,
*p_inflow_mode_handle,
*p_data_mode_handle);
return (appId);
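Review bot: The simplified `if (sa_info->authMode == NWAL_SA_AALG_NULL)` branch now sets `replayWindow` and `macSize` to 0 for every NULL-auth SA, including AES-GCM and AES-CCM, which the removed condition excluded. If callers can still request those combined-mode ciphers with NULL auth, the SA would be programmed without an ICV length and with anti-replay disabled. Either keep the exclusion, `if ((sa_info->authMode == NWAL_SA_AALG_NULL) && (sa_info->cipherMode != NWAL_SA_EALG_AES_GCM) && (sa_info->cipherMode != NWAL_SA_EALG_AES_CCM))`, or reject those cipher modes with an error before `nwal_setSecAssoc` is called. The data-mode hunk has the same gap: with the GCM/CCM branch removed, `macSize` stays 12 and `aadSize` 0 for any cipher. Both functions start and end outside the visible hunks, so a check elsewhere cannot be ruled out.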
index cb32319e0f6f3b525684212714b72b203cf6748e..5c79d8a2e3e750606864030966eec7da6c77b2c2 100755 (executable)
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************/
-//#define NET_TEST_ENABLE_SIDE_BAND_LOW_LEVEL_API
+#define NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API
+#ifdef NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API
+#define NWAL_ENABLE_SA
+#endif
+#define NET_TEST_ENABLE_SIDE_BAND_LOW_LEVEL_API
#ifdef NET_TEST_ENABLE_SIDE_BAND_LOW_LEVEL_API
#define NWAL_ENABLE_SA
#endif
{
NETCP_CFG_CLASS_TYPE_L4,
{
- {0,0, NWAL_APP_PLOAD_PROTO_UDP, {2500}}
+ .c_l4={0,0, NWAL_APP_PLOAD_PROTO_UDP, {2500}}
}
};
{
NETCP_CFG_CLASS_TYPE_L4,
{
- {0,0, NWAL_APP_PLOAD_PROTO_UDP, {2502}}
+ .c_l4= {0,0, NWAL_APP_PLOAD_PROTO_UDP, {2502}}
}
};
{
NETCP_CFG_CLASS_TYPE_L3_L4,
{
- {0, 4 ,0/*fill in below*/ , NULL, NULL, //L2/L3
+ .c_l3_l4={0, 4 ,0/*fill in below*/ , NULL, NULL, //L2/L3
NWAL_APP_PLOAD_PROTO_UDP, {2504}} //L4
}
};
PKTIO_CONTROL_T zap_channel_control={PKTIO_CLEAR, NULL};
/* security objects. (for loopback mode) */
-netTestSA_t sa_info[6];
+netTestSA_t sa_info[7];
int netapi_algorithm_set = 0;
int netapi_sec_sa_mode = 2;
/* tmannan-end */
{ 1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, /* Src IP (them) -> set below */
{ 1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, /* dst IP (us)-> set below*/
64,/* replayWindow */
- NWAL_SA_AALG_GMAC,
+ NWAL_SA_AALG_AES_XCBC,
NWAL_SA_EALG_NULL,
0,0 //na
}
{ 1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, /* Src IP (them) -> set below */
{ 1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, /* dst IP (us)-> set below*/
64,/* replayWindow */
- NWAL_SA_AALG_GMAC,
+ NWAL_SA_AALG_AES_XCBC,
NWAL_SA_EALG_NULL,
0,0 //na
}
static nwalSecKeyParams_t ourTXKeyParams[7] ={
{
- 16, /* encKeySize: CTR 16 bytes Encryption Key and 4 bytes Salt : 24 bytes:NWAL_SA_EALG_3DES_CBC and 0 bytes Salt*/
+ 32, /* encKeySize: CTR 16 bytes Encryption Key and 4 bytes Salt : 24 bytes:NWAL_SA_EALG_3DES_CBC and 0 bytes Salt*/
20, /* macKeySize: 16 bytes NWAL_SA_AALG_HMAC_SHA1 */
NULL, //set below
NULL, //set below
},
{
0, /* encKeySize: CTR 16 bytes Encryption Key and 3 bytes Salt : 24 bytes:NWAL_SA_EALG_AES_CTR and 0 bytes Salt*/
- 24, /* macKeySize 0*/
+ 16, /* macKeySize 0*/
NULL, //set below
NULL, //set below
}
/* these keys are for aes-ctr and hmac sha2_256 */
static nwalSecKeyParams_t ourRXKeyParams[7] ={
{
- 16, /* encKeySize: CTR 16 bytes Encryption Key and 4 bytes Salt : 24 bytes:NWAL_SA_EALG_3DES_CBC and 0 bytes Salt*/
+ 32, /* encKeySize: CTR 16 bytes Encryption Key and 4 bytes Salt : 24 bytes:NWAL_SA_EALG_3DES_CBC and 0 bytes Salt*/
20, /* macKeySize: 16 bytes NWAL_SA_AALG_HMAC_SHA1 */
NULL, //set below
NULL, //set below
},
{
0, /* encKeySize: CTR 16 bytes Encryption Key and 3 bytes Salt : 24 bytes:NWAL_SA_EALG_AES_CTR and 0 bytes Salt*/
- 24, /* macKeySize 0*/
+ 16, /* macKeySize 0*/
NULL, //set below
NULL, //set below
}
/* post it to netcp tx channel*/
meta.u.tx_meta=&meta_tx;
if (stats.sec_tx<20) dump_descr((long *) tip, stats.sec_tx);
- pktio_send(netcp_tx_chan,tip,&meta,&err);
+#ifdef NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API
+#if 0
+ nwal_mCmdSetCrypPort (tip,
+ &p_sa_info->tx_psCmdInfo,
+ p_sa_info->tx_pkt_info.saOffBytes,
+ meta_tx.saPayloadLen,
+ p_sa_info->swInfo0,
+ p_sa_info->swInfo1,
+ NWAL_ENET_PORT_UNKNOWN);
+#endif
+ nwal_mCmdSetL4CkSumCrypPort(tip,
+ &p_sa_info->tx_psCmdInfo,
+ meta_tx.l4OffBytes,
+ meta_tx.ploadLen + meta_tx.l4HdrLen,
+ meta_tx.pseudoHdrChecksum,
+ p_sa_info->tx_pkt_info.saOffBytes,
+ meta_tx.saPayloadLen,
+ p_sa_info->swInfo0,
+ p_sa_info->swInfo1,
+ NWAL_ENET_PORT_UNKNOWN);
+
+ pPloadDesc = Pktlib_getDescFromPacket(tip);
+ pPloadDesc = Qmss_osalConvertDescVirtToPhy(pPloadDesc);
+ Qmss_queuePushDescSizeRaw(p_sa_info->tx_psCmdInfo.txQueue,
+ pPloadDesc,
+ NWAL_DESC_SIZE);
+#else
+ pktio_send(netcp_tx_chan,tip,&meta,&err);
+#endif
stats.tx +=1;
stats.sec_tx +=1;
}
meta_tx.encSize = len - p_sa_info->tx_payload_info.encOffset -p_sa_info->auth_tag_size;
meta_tx.authSize = len - meta_tx.authOffset - p_sa_info->auth_tag_size;
-#if 0
- printf("recv_cb(): encOffset %d\n", meta_tx.encOffset);
- printf("recv_cb():authOffset %d\n", meta_tx.authOffset);
- printf("recv_cb(): encSize %d\n", meta_tx.encSize);
- printf("recv_cb(): authSize %d\n", meta_tx.authSize);
-#endif
if (p_sa_info->cipherMode == NWAL_SA_EALG_AES_CTR)
{
tx_sa[i].cipherMode);
}
}
-netapi_dump_internal_heap_stats();
+//netapi_dump_internal_heap_stats();
}
//******************************************************
tmp_spi = htonl((long)(tx_sa[i].spi));
trie_insert(p_trie_sa,(char *)&tmp_spi,4, (void *) &sa_info[i]); //asociate with tx sa SPI
}
- else if ((tx_sa[i].authMode == NWAL_SA_AALG_GMAC) && (rx_sa[i].cipherMode == NWAL_SA_EALG_NULL))
+ else if ((tx_sa[i].authMode == NWAL_SA_AALG_AES_XCBC) && (rx_sa[i].cipherMode == NWAL_SA_EALG_NULL))
{
/* static configuration, will not change */
sa_info[i].tx_payload_info.aadSize = 0;
sa_info[i].tx_payload_info.encOffset = netTest_MAC_HEADER_LEN +
netTest_IP_HEADER_LEN +
netTest_ESP_HEADER_LEN +
- netTest_AES_GMAC_IV_LEN;
+ netTest_NULL_IV_LEN;
#ifdef EXPERIMENTAL
sa_info[i].iv_len=0;
sa_info[i].bl=4;
sa_info[i].tx_payload_info.pPkt = 0;
sa_info[i].cipherMode = NWAL_SA_EALG_NULL;
- sa_info[i].authMode = NWAL_SA_AALG_GMAC;
+ sa_info[i].authMode = NWAL_SA_AALG_AES_XCBC;
sa_info[i].inner_ip_offset = sa_info[i].tx_payload_info.encOffset;
- sa_info[i].auth_tag_size = netTest_AES_GMAC_ICV_LEN; /* icv or mac size,. always 12 except for AES_CCM/AES_GCM , GMAC*/
+ sa_info[i].auth_tag_size = netTest_ICV_LEN; /* icv or mac size,. always 12 except for AES_CCM/AES_GCM , GMAC*/
sa_info[i].tx_pkt_info.enetPort = 0;
sa_info[i].tx_pkt_info.ipOffBytes = sa_info[i].tx_payload_info.encOffset;
FILE * fpr = NULL;
-
+nwalSaIpSecId_t nwalSaIpSecId;
err= getrlimit(RLIMIT_STACK,&rl);
if (!err) printf(" stack limit = %d\n",rl.rlim_cur); else printf("getrlimit failed\n");
sa_info[i].tx_data_mode_handle,
&sa_info[i].tx_dmPSCmdInfo);
}
+#endif
+#ifdef NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API
+ if(config.ipsec_mode_tx == IPSEC_MODE_TX_INFLOW)
+ {
+ memset(&nwalSaIpSecId, 0, sizeof(nwalSaIpSecId_t));
+ nwalSaIpSecId.spi = tx_sa[i].spi;
+ memcpy(&(nwalSaIpSecId.src), &config.local_ipsec_ip,sizeof( nwalIpAddr_t));
+ memcpy(&(nwalSaIpSecId.dst), &config.remote_ipsec_ip,sizeof( nwalIpAddr_t));
+ nwalSaIpSecId.proto= tx_sa[i].proto;
+
+ nwalRetVal = nwal_initPSCmdInfo(PKTIO_GET_NWAL_INSTANCE(netcp_tx_chan),
+ &sa_info[i].tx_pkt_info,
+ &sa_info[i].tx_psCmdInfo);
+
+ if (nwalRetVal == nwal_OK)
+ {
+ if (nwal_getSecAssoc(PKTIO_GET_NWAL_INSTANCE(netcp_tx_chan),
+ &nwalSaIpSecId,
+ NWAL_SA_DIR_OUTBOUND,
+ &(sa_info[i].tx_inflow_mode_handle),
+ &sa_info[i].swInfo0,
+ &sa_info[i].swInfo1) != nwal_TRUE)
+ {
+ printf("main: nwal_getSecAssoc failed\n");
+ exit (1);
+ }
+ }
+ else
+ {
+ printf("main: nwal_initPSCmdInfo failed\n");
+ exit (1);
+ }
+ }
#endif
}
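Review bot: The transmit hunk replaces `pktio_send` with a raw `Qmss_queuePushDescSizeRaw` push whenever `NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API` is defined, but `tx_psCmdInfo`, `swInfo0` and `swInfo1` are only filled in when `config.ipsec_mode_tx == IPSEC_MODE_TX_INFLOW` in the setup hunk. Unless the enclosing code (not visible here) already restricts this path to inflow mode, other modes would push a descriptor to a `txQueue` that was never initialised; guard it at run time, `if (config.ipsec_mode_tx == IPSEC_MODE_TX_INFLOW) { /* low-level push */ } else pktio_send(netcp_tx_chan,tip,&meta,&err);`. The `#if 0` block added around `nwal_mCmdSetCrypPort` is dead code and would be better dropped from the commit. In `ourTXKeyParams` and `ourRXKeyParams` the sizes changed to 32 and 16 while the trailing comments still describe 16-byte CTR keys and "macKeySize 0", so the comments should be updated and the key buffers assigned later checked against the new sizes.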
index 74702ed116d5a4e43aff8fb23100ae18196213e6..dbb9d90b7e874f8d24812c0a72d8a023077b90cc 100755 (executable)
/* ============================================================= */
-#define MAX_SEC_INDEX 6
+#define MAX_SEC_INDEX 7
//IPSEC MODE(only choose one rx and one tx)
nwalTxDmPSCmdInfo_t rx_dmPSCmdInfo;
nwalTxDmPSCmdInfo_t tx_dmPSCmdInfo;
#endif
+#ifdef NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API
+ nwalTxPSCmdInfo_t tx_psCmdInfo;
+ uint32_t swInfo0;
+ uint32_t swInfo1;
+#endif
} netTestSA_t;
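Review bot: The new `tx_psCmdInfo`, `swInfo0` and `swInfo1` members make the layout of `netTestSA_t` depend on `NET_TEST_ENABLE_INFLOW_LOW_LEVEL_API`, which this commit appears to define in the test source file rather than in this header or the build flags. Any translation unit that includes the header without that define would see a smaller struct and index the `sa_info` array with the wrong stride; consider defining the macro in one shared place, with a comment such as `/* must be defined before including this header; changes sizeof(netTestSA_t) */`. The array declared as `sa_info[7]` in the test source could also use `MAX_SEC_INDEX` so the two values cannot drift apart. The struct definition begins outside the hunk.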