netlib: set SA by IP rule.
authorMike Scherban <m-scherban@ti.com>
Tue, 28 Jul 2015 13:32:16 +0000 (08:32 -0500)
committerTinku Mannan <tmannan@ti.com>
Mon, 3 Aug 2015 18:14:01 +0000 (14:14 -0400)
Adds new API for creating a security association from an IP rule:
netapi_secAddSAIP().

Signed-off-by: Mike Scherban <m-scherban@ti.com>
ti/runtime/netapi/netapi_sec.h
ti/runtime/netapi/src/netapi_loc.h
ti/runtime/netapi/src/netapi_sec.c
ti/runtime/netapi/src/netcp_cfg.c

index d447c6d694b34c966a3ca9dea4d2aa45cb831475..c4e8addfd653ba5614dc90389413c5c89a611f01 100755 (executable)
@@ -136,7 +136,6 @@ typedef struct NETAPI_SEC_SA_INFO_tag
  * @ingroup security_constants
  */
 #define NETAPI_SEC_SA_SIDEBAND 0x1
-
 /**
  *  @ingroup cfg_security_functions
  *  @brief netapi_secAddSA  API to add an IPSEC SA.
@@ -171,6 +170,44 @@ NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T                     h,
                                 void**                      inflow_mode_handle,
                                 void*                       user_data,
                                 int*                        perr);
+
+/**
+ *  @ingroup cfg_security_functions
+ *  @brief netapi_secAddSAIP  API to add an IPSEC SA with IP handle.
+ *
+ *  @details API to add an IPSec SA. SAs are IPSec security contexts and define a uni-directional
+ *           secure path (tunnel or transport). SAs are attached to MAC interfaces that have already
+ *           been created. API allows SA to be configured as either inflow or sideband mode. This API is used for both receive and transmit SAs.
+ *  @param[in]  h            The NETAPI handle, @ref NETAPI_T
+ *  @param[in]  iface_no     Interface to attach SA to.
+ *  @param[in]  sa_info      Information on the SA being added, @ref NETAPI_SEC_SA_INFO_T
+ *  @param[in]  key_params   Security key information for the SA.
+ *  @param[in]  mode         SA implementation mode @ref NETAPI_SEC_SA_SIDEBAND or @ref NETAPI_SEC_SA_INFLOW
+ *  @param[in]  route        Optional: @ref NETCP_CFG_ROUTE_HANDLE_T
+ *  @param[in]  data_mode_handle     Returned data mode handle for PKTIO (in the case of sideband SAs)
+ *  @param[in]  inflow_mode_handle   Returned inflow mode handle for PKTIO (in the case of TX inflow SAs)
+ *  @param[in]  user_data     Optional: pointer to user provided data associated with SA, optional
+ *  @param[in]  ip_rule      IP rule @ref NETCP_CFG_IP_T
+ *  @param[out]  perr        Pointer to error code.
+ *  @retval     Application id associated with created SA @ref NETCP_CFG_SA_T. 
+ *              This ID is used when referencing this SA in subsequent APIs (eg. to delete it).
+ *              Also in the case of Receive Inflow,  packets will be tagged with this ID so that s/w will know 
+ *              that the packet has already been decrypted, authenticated and window-replay checked.
+ *              (note: if a RX policy is matched also then the ID associated with the policy will be tagged instead).
+ *  @pre        @ref netapi_init
+ */
+NETCP_CFG_SA_T netapi_secAddSAIP(NETAPI_T h,
+                                 int iface_no,
+                                 NETAPI_SEC_SA_INFO_T *sa_info,
+                                 nwalSecKeyParams_t * key_params,
+                                 int inflow_mode,
+                                 NETCP_CFG_ROUTE_HANDLE_T  route,
+                                 void **p_data_mode_handle,
+                                 void **p_inflow_mode_handle,
+                                 void * p_user_data,
+                                 NETCP_CFG_IP_T ip_rule,
+                                 int * perr);
+
 /**
  *  @ingroup cfg_security_functions
  *  @brief  netapi_secDelSA: API to delete an IPSEC SA. 
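Review bot: The new doc block for netapi_secAddSAIP() does not match the prototype it documents. The `@param` names `mode`, `data_mode_handle`, `inflow_mode_handle` and `user_data` differ from the declared `inflow_mode`, `p_data_mode_handle`, `p_inflow_mode_handle` and `p_user_data`, and the two handle parameters are tagged `[in]` although their text says "Returned". The `@details` paragraph still says SAs are attached to MAC interfaces and never describes the IP-rule attachment. Suggest `@param[out] p_data_mode_handle`, `@param[out] p_inflow_mode_handle`, and an `ip_rule` line that states what a zero value means, since the implementation then uses the MAC handle instead.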
index 81a07b7bfaee3a47885f3e6d0ab60387be30135f..3b047cf8ce196f93d89f81f32e4eb967506cf300 100755 (executable)
@@ -424,6 +424,7 @@ void netapip_netcpCfgInsertSa(NETAPI_NWAL_GLOBAL_CONTEXT_T *p,
 void *netapip_netcpCfgGetSaHandles( NETAPI_NWAL_GLOBAL_CONTEXT_T *p,
                           int sa_slot, void ** p_sideband);
 void* netapip_netcpCfgGetMacHandle(NETAPI_NWAL_GLOBAL_CONTEXT_T *p,int iface_no);
+void *netapip_netcpCfgGetIpHandle(NETAPI_NWAL_GLOBAL_CONTEXT_T *p,int iface_no,int ip_slot);
 NetapiNwalTransInfo_t *  netapip_getFreeTransInfo(NETAPI_HANDLE_T *p_handle,
                                                   NETAPI_PROC_GLOBAL_T *p_global,
                                                   nwal_TransID_t *pTransId);
index 9c6c6a2d00fc627fdbc55b3cde1e09041f48a66b..2ebe700ecb74a10321b26359529828a5b74c44de 100755 (executable)
@@ -48,16 +48,17 @@ NETAPI_SA_INFO_LOCAL_T netapi_sa_db[TUNE_NETAPI_MAX_SA];
  ********************************************************************
  * DESCRIPTION:  API to add an IPSEC SA
  ********************************************************************/
-NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T h,
-                               int iface_no,
-                               NETAPI_SEC_SA_INFO_T *sa_info,
-                               nwalSecKeyParams_t * key_params,
-                               int inflow_mode,
-                               NETCP_CFG_ROUTE_HANDLE_T  route,
-                               void **p_data_mode_handle,
-                               void **p_inflow_mode_handle,
-                               void * p_user_data,
-                               int * perr)
+NETCP_CFG_SA_T netapi_secAddSAInternal(NETAPI_T h,
+                                       int iface_no,
+                                       NETAPI_SEC_SA_INFO_T *sa_info,
+                                       nwalSecKeyParams_t * key_params,
+                                       int inflow_mode,
+                                       NETCP_CFG_ROUTE_HANDLE_T  route,
+                                       void **p_data_mode_handle,
+                                       void **p_inflow_mode_handle,
+                                       void * p_user_data,
+                                       NETCP_CFG_IP_T ip_rule,
+                                       int * perr)
 {
     NETAPI_HANDLE_T * n = (NETAPI_HANDLE_T *) h;
     nwal_RetValue       retValue;
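Review bot: netapi_secAddSAInternal() is defined with external linkage, but none of the header hunks in this commit declare it, and its only visible callers are the two wrappers added in this file. Making it file-local keeps the unvalidated `ip_rule` path off the exported symbol table: `static NETCP_CFG_SA_T netapi_secAddSAInternal(NETAPI_T h,`. The banner comment above it still reads `API to add an IPSEC SA` and should say it is the shared internal implementation. The function body continues outside this hunk.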
@@ -73,6 +74,8 @@ NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T h,
     uint32_t    swInfo1 = 0;
     int sa_db_slot;
     int free_sa_db_slot = 0;
+    int ip_slot = 0;
+    void * handle;
     nwalCreateSAParams_t    createParam =
     {
         /* mac handle */
@@ -100,8 +103,17 @@ NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T h,
            {0}
     };
 
+    /* Get IP slot for IP rule. */
+    if (ip_rule)
+    {
+        ip_slot = netapi_cfgGetMatchId(ip_rule);
+        handle = netapip_netcpCfgGetIpHandle(&netapi_get_global()->nwal_context,iface_no,ip_slot);
+    }
+    else
+    {
+        handle = netapip_netcpCfgGetMacHandle(&netapi_get_global()->nwal_context,iface_no);
+    }
 
-    void * mac_handle = netapip_netcpCfgGetMacHandle(&netapi_get_global()->nwal_context,iface_no);
     *perr =NETAPI_ERR_OK;
     if ((!n) || (!sa_info)  ||  (!p_data_mode_handle))
     {
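Review bot: The handle looked up in the new `if (ip_rule)` branch is never checked before it is assigned to `createParam.handle` later in the function, and the slot from `netapi_cfgGetMatchId(ip_rule)` is passed on with no range check visible here. netapip_netcpCfgGetIpHandle()'s body is outside this page; if it returns NULL for an unused or out-of-range slot, the SA would presumably be created without the IP binding the caller asked for. A guard after the existing argument check, `if (ip_rule && !handle)`, which sets `*perr` to the same error as that check and returns, would make the failure explicit. The lookup also still runs before `n` and `sa_info` are validated. The function body continues outside the hunk.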
@@ -193,7 +205,7 @@ NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T h,
         memcpy(&saInfo.dst, &sa_info->dst, sizeof( nwalIpAddr_t));
         memcpy(&saInfo.src, &sa_info->src, sizeof( nwalIpAddr_t));
         saInfo.proto = sa_info->proto;
-        createParam.macHandle = mac_handle;
+        createParam.handle = handle;
         createParam.ipType = sa_info->ipType;
         createParam.saIpSecParam.dir = sa_info->dir;
         createParam.saIpSecParam.saMode = sa_info->saMode;
@@ -362,6 +374,68 @@ NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T h,
     return  (appId);
 }
 
+/********************************************************************
+ * FUNCTION PURPOSE:  API to add an IPSEC SA
+ ********************************************************************
+ * DESCRIPTION:  API to add an IPSEC SA
+ ********************************************************************/
+NETCP_CFG_SA_T netapi_secAddSA(NETAPI_T h,
+                                 int iface_no,
+                                 NETAPI_SEC_SA_INFO_T *sa_info,
+                                 nwalSecKeyParams_t * key_params,
+                                 int inflow_mode,
+                                 NETCP_CFG_ROUTE_HANDLE_T  route,
+                                 void **p_data_mode_handle,
+                                 void **p_inflow_mode_handle,
+                                 void * p_user_data,
+                                 int * perr)
+{
+       *perr = 0;
+       return netapi_secAddSAInternal(h,
+                                       iface_no,
+                                       sa_info,
+                                       key_params,
+                                       inflow_mode,
+                                       route,
+                                       p_data_mode_handle,
+                                       p_inflow_mode_handle,
+                                       p_user_data,
+                                       0,
+                                       perr);
+}
+
+/********************************************************************
+ * FUNCTION PURPOSE:  API IP handle to add an IPSEC SA
+ ********************************************************************
+ * DESCRIPTION:  API to add an IPSEC SA.
+ *              Piggy back off perr for IP handle flag and IP slot.
+ ********************************************************************/
+NETCP_CFG_SA_T netapi_secAddSAIP(NETAPI_T h,
+                                 int iface_no,
+                                 NETAPI_SEC_SA_INFO_T *sa_info,
+                                 nwalSecKeyParams_t * key_params,
+                                 int inflow_mode,
+                                 NETCP_CFG_ROUTE_HANDLE_T  route,
+                                 void **p_data_mode_handle,
+                                 void **p_inflow_mode_handle,
+                                 void * p_user_data,
+                                 NETCP_CFG_IP_T ip_rule,
+                                 int * perr)
+{
+       *perr = 0;
+       return netapi_secAddSAInternal(h,
+                                       iface_no,
+                                       sa_info,
+                                       key_params,
+                                       inflow_mode,
+                                       route,
+                                       p_data_mode_handle,
+                                       p_inflow_mode_handle,
+                                       p_user_data,
+                                       ip_rule,
+                                       perr);
+}
+
 /********************************************************************
  * FUNCTION PURPOSE:  Internal function  to dynamically switch between inflow
  *                                  and sideband mode
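Review bot: netapi_secAddSAIP() accepts `ip_rule == 0` and then behaves exactly like netapi_secAddSA(), because the internal function treats zero as "use the MAC handle"; a caller that never obtained a valid IP rule gets an SA bound at the interface level with no error. Rejecting a zero rule in this wrapper before delegating would make that failure visible. Both wrappers also write `*perr = 0;` before any NULL check on `perr`, and the write is redundant because the internal function sets `*perr =NETAPI_ERR_OK` itself. The banner line `Piggy back off perr for IP handle flag and IP slot.` does not match the code, which passes `ip_rule` as its own argument; suggest `DESCRIPTION:  API to add an IPSEC SA attached to the IP rule in ip_rule.`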
index e836174e9a44e2c1e4cfba6874b55c37bc943e54..3f04d1abf4d46cecdb645c41d742257cca632a25 100755 (executable)
@@ -498,7 +498,7 @@ static void netapip_netcpCfgDeleteIp(NETAPI_NWAL_GLOBAL_CONTEXT_T *p,
  ***************************************************************************
  * DESCRIPTION: Netapi internal function to get IP handle associated with IP address
  ***************************************************************************/
-static void *netapip_netcpCfgGetIpHandle(NETAPI_NWAL_GLOBAL_CONTEXT_T *p,
+void *netapip_netcpCfgGetIpHandle(NETAPI_NWAL_GLOBAL_CONTEXT_T *p,
                                          int iface_no,
                                          int ip_slot)
 {