author | Tinku Mannan <tmannan@ti.com> | |
Fri, 12 Jul 2013 19:49:39 +0000 (15:49 -0400) | ||
committer | Tinku Mannan <tmannan@ti.com> | |
Fri, 12 Jul 2013 20:12:30 +0000 (16:12 -0400) |
1. Fix for SDOCM00102515(Graceful shutdown of netapi ipsecmgr daemon not supported).
2. Netapi ipsecmgr daemon makefile update to support compile time flag to enable RX policy creation.
3. Fix in netapi_secAddRxPolicy when constructing APPID for IPSEC policy.
2. Netapi ipsecmgr daemon makefile update to support compile time flag to enable RX policy creation.
3. Fix in netapi_secAddRxPolicy when constructing APPID for IPSEC policy.
diff --git a/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/build/Makefile b/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/build/Makefile
index 7b952f4297f27b1ef255ac3b2b7c6415b16912fd..f454de71fc81fbf96109ac295dda6b2858fbfe0e 100755 (executable)
PDK_ARMV7LIBDIR ?= ARMV7LIBDIR
CSL_DEVICE ?= -DDEVICE_K2H
-
ifdef CROSS_TOOL_INSTALL_PATH
## Support backwards compatibility with KeyStone1 approach
CC = $(CROSS_TOOL_INSTALL_PATH)/$(CROSS_TOOL_PRFX)gcc
###############################################################################
CFLAGS+= $(DEBUG_FLAG) -I../ -I. $(CSL_DEVICE) -D__ARMv7 -D_VIRTUAL_ADDR_SUPPORT -D__LINUX_USER_SPACE -D_LITTLE_ENDIAN=1 -DNWAL_ENABLE_SA -DMAKEFILE_BUILD -D _GNU_SOURCE
+ifeq ($(ENABLE_ADD_POLICY),y)
+ CFLAGS += -DENABLE_ADD_POLICY
+endif
OUTPUT_FILE_OPTION = -o
EXE_NAME = $(EXE_NAME_PRFX).out
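Review bot: The new `ifeq ($(ENABLE_ADD_POLICY),y)` block has no comment saying what the flag controls or that it defaults to off, so the next person building the daemon will not know RX policy offload is compiled out unless they read netapilib_interface.c. A one-line comment above it, `## ENABLE_ADD_POLICY=y compiles RX policy creation into netapilib_ifAddSP (default: off)`, would make the build-time behaviour visible where it is chosen.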
diff --git a/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/src/netapi_ipsecmgr.c b/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/src/netapi_ipsecmgr.c
index d474382ad995a22c810e4f40849955c6bdc262fc..dd0d2022da5140e9b78948aa52ff74a54bbb86dc 100755 (executable)
NETAPI_T netapi_handle;
//paSysStats_t netcp_stats;
-ipsecMgrMcb_t globalCfg;
+ipsecMgrMcb_t globalDB;
/* Lock file for the daemon */
#define LOCK_FILE "/var/lock/ipsecmgr_daemon"
256 //extra room
};
+
+static int QUIT = 0;
+
/* stub functions */
static void recv_cb(struct PKTIO_HANDLE_Tag * channel, Ti_Pkt* p_recv[],
PKTIO_METADATA_T meta[], int n_pkts,
}
+void cleanup_sa_sp()
+{
+ int slot, error=0;;
+ /* delete any offloaded rx SA's and policies */
+ /* and delete any offloaded tx SA's */
+ for (slot = 0;slot < 64;slot++)
+ {
+ if(globalDB.rx_sa[slot].in_use)
+ {
+ globalDB.rx_sa[slot].in_use = 0;
+ if(globalDB.rx_sa[slot].spAppId)
+ {
+ netapi_secDelRxPolicy(netapi_handle,
+ (NETCP_CFG_IPSEC_POLICY_T) globalDB.rx_sa[slot].spAppId,
+ &error);
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "cleanup_sa_sp: SP deleted: sp_app_id: 0x%x, slot: %d, error: %d\n",
+ globalDB.rx_sa[slot].spAppId, slot, error);
+ }
+ netapi_secDelSA(netapi_handle,
+ NETCP_CFG_NO_INTERFACE,
+ (NETCP_CFG_SA_T) globalDB.rx_sa[slot].saAppId,
+ &error);
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "cleanup_sa_sp: SA deleted: sa_app_id: 0x%x, slot: %d, error: %d\n",
+ globalDB.rx_sa[slot].saAppId, slot, error);
+
+ }
+ if(globalDB.tx_sa[slot].in_use)
+ {
+ globalDB.tx_sa[slot].in_use = 0;
+ netapi_secDelSA(netapi_handle,
+ NETCP_CFG_NO_INTERFACE,
+ (NETCP_CFG_SA_T) globalDB.tx_sa[slot].saAppId,
+ &error);
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "cleanup_sa_sp: SA deleted: sa_app_id: 0x%x, slot: %d, error: %d\n",
+ globalDB.tx_sa[slot].saAppId, slot, error);
+ }
+ }
+}
+
static void* snoop_run_thread (void* arg)
{
/* Poll for message from Kernel */
ipsecmgr_snoop_run();
+
+ if (QUIT == 1)
+ break;
}
+ printf("snoop_run_thread: calling shutdowns\n");
+ ipsecmgr_snoop_shutdown ();
+ cleanup_sa_sp();
+ netapi_shutdown(netapi_handle);
return;
}
* @n
* SIGTERM handler.
*
- * @param[in] lock_file
- * Lock file to be used by the daemon
+ * @param[in] signum
+ * signal number to terminate deamon.
*/
static void sig_term_handler(int signum)
{
+ QUIT = 1;
/* Cleanup and exit */
- ipsecmgr_snoop_shutdown ();
-
- netapi_shutdown(netapi_handle);
- exit (0);
+ //ipsecmgr_snoop_shutdown ();
+ //netapi_shutdown(netapi_handle);
+ //exit (0);
}
/**
if (pthread_create(&snoop_run_th, (void*) NULL, snoop_run_thread, NULL))
{
ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
- "ERROR: NETAPI Proxy Poll Thread failed to start, error code\n");
-
- /* Cleanup the plugin and exit */
- //netapiIPSecMgrMcb.pluginMcb.exit ();
+ "ERROR: snoop run thread failed to start, error code\n");
return -1;
}
/* Setup signal handler for SIGTERM */
if (signal(SIGTERM, sig_term_handler) == SIG_ERR) {
ipsecmgr_syslog_msg(SYSLOG_LEVEL_WARN,
- "snoop_run: cannot handle SIGTERM\n");
+ "init_ipsecmgr: cannot handle SIGTERM\n");
}
/* Wait for the NETAPI Proxy task to finish its processing and exit. */
pthread_join (snoop_run_th, NULL);
if(pDts)
{
fread((void*)&temp, sizeof(uint32_t), 1, pDts);
- globalCfg.qNum= (int)swap32(temp);
+ globalDB.qNum= (int)swap32(temp);
fclose(pDts);
}
else
if(pDts)
{
fread((void*)&temp, sizeof(uint32_t), 1, pDts);
- globalCfg.flowId = (int)swap32(temp);
+ globalDB.flowId = (int)swap32(temp);
fclose(pDts);
}
else
PKTIO_HANDLE_T *pktio_channel;
PKTIO_CFG_T pktio_cfg;
- pktio_cfg.qnum = globalCfg.qNum;
+ pktio_cfg.qnum = globalDB.qNum;
pktio_cfg.flags1 = PKTIO_RX;
pktio_cfg.flags2 = PKTIO_GLOBAL | PKTIO_PKT;
pktio_cfg.max_n = 8;
- globalCfg.pktio_channel = netapi_pktioCreate(netapi_handle,
+ globalDB.pktio_channel = netapi_pktioCreate(netapi_handle,
&name[0],
(PKTIO_CB)recv_cb,
&pktio_cfg,
&error);
- if (!globalCfg.pktio_channel)
+ if (!globalDB.pktio_channel)
{
ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
"create_pktio_channel: failed\n");
int32_t retVal;
ipsecmgr_syslog_init();
+ memset(&globalDB, 0, sizeof(globalDB));
+
/* create netapi */
netapi_handle = netapi_init(NETAPI_SYS_MASTER, &our_netapi_default_cfg);
return -1;
}
else
+ netapi_netcpCfgExceptions(netapi_handle, NETCP_CFG_ALL_EXCEPTIONS, NETCP_CFG_ACTION_DISCARD, (NETCP_CFG_ROUTE_HANDLE_T) NULL);
+
printf("main: netapi_init passed\n");
if (get_kernel_config())
#endif
printf("main: calling daemonize\n");
/* Create the proxy daemon. */
- //daemonize (LOCK_FILE);
+ daemonize (LOCK_FILE);
/* Initialize and start the IPSec Mgr Snoop functionality */
if ((retVal = init_ipsecmgr ()) < 0)
return -1;
}
else
- printf("main: init_ipsecmgr passed\n");
+ printf("main: ipsecmgr daemon shutdonw complete\n");
+
}
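Review bot: `QUIT` on the line `static int QUIT = 0;` is written from `sig_term_handler` and polled in `snoop_run_thread`, but a plain `int` is neither an async-signal-safe type nor guaranteed to be re-read on every iteration; declare it `static volatile sig_atomic_t QUIT = 0;` (from `<signal.h>`). The loop containing `if (QUIT == 1) break;` starts outside the hunk, and the flag is only checked after `ipsecmgr_snoop_run()` returns, so shutdown latency depends on that call returning promptly — if it can block, that deserves a comment. In `cleanup_sa_sp` the bound `64` duplicates the array size from the header, `int slot, error=0;;` has a stray semicolon, and `error` is logged but never acted on, so a NetCP delete that fails during shutdown is visible only in syslog. The definition `void cleanup_sa_sp()` should be `void cleanup_sa_sp(void)` and, unless another file calls it, `static`.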
diff --git a/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/src/netapilib_interface.c b/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/src/netapilib_interface.c
index 6256ed596ab6489c130f634178366a7bd80f2174..2ecc3deddbedd2b9b37b8622a44e01afb94ad7d8 100755 (executable)
#include "netapilib_interface.h"
-extern ipsecMgrMcb_t globalCfg;
+extern ipsecMgrMcb_t globalDB;
extern NETAPI_T netapi_handle;
-NETCP_CFG_SA_T saAppIdOut = 0;
-NETCP_CFG_SA_T saAppIdIn = 0;
+
+
+/**************************************************************************
+ * FUNCTION PURPOSE: Internal function to find a free slot to store APPID
+ * in list
+ **************************************************************************
+ * DESCRIPTION: Internal internal function to find a free slot in SA list for an SA
+ ********************************************************************/
+int findFreeAppIdSlot(ipsecMgrAppId_T *pList)
+{
+ int i;
+ for(i=0;i<64;i++)
+ {
+ if (!pList[i].in_use)
+ {
+ if (free)
+ pList[i].in_use = 1; //pending
+ return i;
+ }
+ }
+ return -1;
+}
+
+/********************************************************************
+ * FUNCTION PURPOSE: Internal function to find a SA app id in SA list
+ * and free SA Slot entry if specified
+ ********************************************************************
+ * DESCRIPTION: Internal function to find a SA app id in SA list
+ * and free SA Slot entry if specified
+ ********************************************************************/
+int findAppIdSlot(ipsecMgrAppId_T *pList, uint32_t saAppId, int free)
+{
+ int i;
+ for(i=0;i<64;i++)
+ {
+ if ((pList[i].in_use) && (pList[i].saAppId == saAppId))
+ {
+ if(free)
+ pList[i].in_use = 0;
+ return i;
+ }
+ }
+ return -1;
+}
/**************************************************************************
* FUNCTION PURPOSE: The function is used to translate the SA configuration
{
uint8_t auth_key[36];
uint8_t encr_key[36];
- int error, index;
+ int error, index,slot;
NETAPI_SEC_SA_INFO_T saInfo;
nwalSecKeyParams_t keyParams;
void * p_rx_inflow_mode_handle;
NETCP_CFG_ROUTE_T route;
NETCP_CFG_FLOW_T flow;
NETCP_CFG_SA_HANDLE_T pSaHandle;
+
+
ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
"netapilib_ifAddSA:, DEBUG: Translating SA\n");
-
memset((void *)&saInfo, 0, sizeof (NETAPI_SEC_SA_INFO_T));
memset((void *)&keyParams, 0, sizeof (nwalSecKeyParams_t));
memset((void *)&route, 0, sizeof (NETCP_CFG_ROUTE_T));
memset((void *)&flow, 0, sizeof (NETCP_CFG_FLOW_T));
flow.dma_engine= 1;
- flow.flowid = globalCfg.flowId;
+ flow.flowid = globalDB.flowId;
route.p_flow = &flow;
- route.p_dest_q = globalCfg.pktio_channel;
+ route.p_dest_q = globalDB.pktio_channel;
/* Initialize the SA Config structure. */
/* Get the SA direction. */
if (sa_info->dir == DIR_INBOUND)
+ {
+ slot = findFreeAppIdSlot(&globalDB.rx_sa[0]);
+ if (slot == -1)
+ {
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
+ "netapilib_ifAddSA:, Too many INBOUND SAs already offloaded\n");
+ return -1;
+ }
saInfo.dir = NWAL_SA_DIR_INBOUND;
+ }
else if (sa_info->dir == DIR_OUTBOUND)
+ {
+ slot = findFreeAppIdSlot(&globalDB.tx_sa[0]);
+ if (slot == -1)
+ {
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
+ "netapilib_ifAddSA:, Too many OUTBOUND SAs already offloaded\n");
+ return -1;
+ }
saInfo.dir = NWAL_SA_DIR_OUTBOUND;
+ }
else
{
ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
}
/* Get the authentication mode algorithm. */
if (sa_info->auth.algo == SA_AALG_HMAC_SHA1)
- {
saInfo.authMode = NWAL_SA_AALG_HMAC_SHA1;
- ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
- "netapilib_ifAddSA: auth algo is SA_AALG_HMAC_SHA1\n");
- }
else if (sa_info->auth.algo == SA_AALG_HMAC_MD5)
saInfo.authMode = NWAL_SA_AALG_HMAC_MD5;
else if (sa_info->auth.algo == SA_AALG_NONE || sa_info->auth.algo == SA_AALG_NULL)
else if (sa_info->enc.algo == SA_EALG_AES_CTR)
saInfo.cipherMode = NWAL_SA_EALG_AES_CTR;
else if (sa_info->enc.algo == SA_EALG_AES_CBC)
- {
saInfo.cipherMode = NWAL_SA_EALG_AES_CBC;
- ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,"encr algo is NWAL_SA_EALG_AES_CBC\n");
- }
else if (sa_info->enc.algo == SA_EALG_3DES_CBC)
saInfo.cipherMode = NWAL_SA_EALG_3DES_CBC;
else if (sa_info->enc.algo == SA_EALG_DES_CBC)
if (saInfo.dir == NWAL_SA_DIR_INBOUND)
{
/* Inbound == RX */
- saAppIdIn = netapi_secAddSA(netapi_handle,
+ globalDB.rx_sa[slot].saAppId = netapi_secAddSA(netapi_handle,
NETCP_CFG_NO_INTERFACE,
&saInfo,
&keyParams,
if (error == NETAPI_ERR_OK)
{
- *sa_handle = saAppIdIn;
+ *sa_handle = globalDB.rx_sa[slot].saAppId;
}
else
{
else
{
/* OUTBOUND == TX */
- saAppIdOut = netapi_secAddSA(netapi_handle,
+ globalDB.tx_sa[slot].saAppId = netapi_secAddSA(netapi_handle,
NETCP_CFG_NO_INTERFACE,
&saInfo,
&keyParams,
NULL, &error);
if (error == NETAPI_ERR_OK)
{
- *sa_handle = saAppIdOut;
+ *sa_handle = globalDB.tx_sa[slot].saAppId;
+ printf("netapilib_ifAddSA: using slot: %d\n", slot);
#if 0
netapi_secGetPaHandle(netapi_handle,
saAppIdOut,
********************************************************************/
int netapilib_ifDeleteSA (ipsecmgr_fp_handle_t sa_handle)
{
- int error;
- ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
- "netapilib_ifDeleteSA: sa_app_id 0x%x\n", sa_handle);
- netapi_secDelSA(netapi_handle,
- NETCP_CFG_NO_INTERFACE,
- (NETCP_CFG_SA_T) sa_handle,
- &error);
+ int error, slot;
+
+ slot = findAppIdSlot(&globalDB.rx_sa[0],sa_handle, 1);
+
+ /* Determine if rx_sa or tx_sa is being deleted */
+ if (slot != -1)
+ {
+ /* found rx SA, see if there is policy assoicated with rx SA
+ if so, then delete it first*/
+ if (globalDB.rx_sa[slot].spAppId)
+ {
+ netapi_secDelRxPolicy(netapi_handle,
+ (NETCP_CFG_IPSEC_POLICY_T) globalDB.rx_sa[slot].spAppId,
+ &error);
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "netapilib_ifDeleteSA: SP deleted: sp_app_id: 0x%x, slot: %d, error: %d\n",
+ globalDB.rx_sa[slot].spAppId, slot, error);
+ netapi_secDelSA(netapi_handle,
+ NETCP_CFG_NO_INTERFACE,
+ (NETCP_CFG_SA_T) sa_handle,
+ &error);
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "netapilib_ifDeleteSA: SA deleted: sa_app_id: 0x%x, slot: %d, error: %d\n",
+ sa_handle, slot, error);
+
+ }
+ }
+ else
+ {
+ /* not rx SA, check for tx_sa */
+ slot = findAppIdSlot(&globalDB.tx_sa[0], sa_handle, 1);
+
+ if (slot != -1)
+ {
+ /* found tx SA, delete it now */
+ netapi_secDelSA(netapi_handle,
+ NETCP_CFG_NO_INTERFACE,
+ (NETCP_CFG_SA_T) sa_handle,
+ &error);
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "netapilib_ifDeleteSA: SA deleted: sa_app_id: 0x%x, slot: %d, error: %d\n",
+ sa_handle, slot, error);
+ }
+ else
+ {
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
+ "netapilib_ifDeleteSA: sa_app_id 0x%x not found in internal list\n",
+ sa_handle);
+ return -1;
+ }
+ }
+
return error;
}
ipsecmgr_fp_handle_t *sp_handle
)
{
+#ifdef ENABLE_ADD_POLICY
NETCP_CFG_IPSEC_POLICY_T spAppIdIn;
- int error, index;
+ int error, index, slot;
nwal_IpType ipType;
nwalIpAddr_t src_ip_addr;
nwalIpAddr_t dst_ip_addr;
"netapilib_ifAddSP: called for outbound SA, no RX policy required\n");
return 0;
}
+ slot = findAppIdSlot(&globalDB.rx_sa[0],sa_handle, 0);
+ if (slot == -1)
+ {
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
+ "netapilib_ifAddSA:, Too many OUTBOUND SAs already offloaded\n");
+ return -1;
+ }
+
+
flow.dma_engine= 1;
- flow.flowid = globalCfg.flowId;
+ flow.flowid = globalDB.flowId;
route.p_flow = &flow;
- route.p_dest_q = globalCfg.pktio_channel;
+ route.p_dest_q = globalDB.pktio_channel;
/* Get the IP protocol version. */
if (af == IPSECMGR_AF_IPV4)
return -1;
}
+#if 0
ip_qualifiers.flowLabel = 1;
ip_qualifiers.proto = 1;
ip_qualifiers.tos = 1;
ip_qualifiers.validParams = 1;
-
- spAppIdIn = netapi_secAddRxPolicy(netapi_handle,
+#endif
+ globalDB.rx_sa[slot].spAppId = netapi_secAddRxPolicy(netapi_handle,
(NETCP_CFG_SA_T) sa_handle,
ipType,
&src_ip_addr,
NULL,
&error);
- if (error == NETAPI_ERR_OK)
- {
- *sp_handle = spAppIdIn;
- }
- else
- {
- ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
- "netapilib_ifAddSA: netapi_secAddRxPolicy returned error: %d.\n",
- error);
- return -1;
+ if (error == NETAPI_ERR_OK)
+ {
+ *sp_handle = globalDB.rx_sa[slot].spAppId;
+ }
+ else
+ {
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_ERROR,
+ "netapilib_ifAddSA: netapi_secAddRxPolicy returned error: %d.\n",
+ error);
+ return -1;
}
-
- ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
- "netapi_proxy:DEBUG: Translation of SP successful.\n");
+ ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
+ "netapilib_ifAddSA: Translation of SP successful, app_id: 0x%x\n", *sp_handle);
#if 0
netapi_secGetPaHandle(netapi_handle,
(NETCP_CFG_SA_T)sa_handle,
pPaHandle,
pSaHandle);
+#endif
#endif
return 0;
}
ipsecmgr_dir_t dir
)
{
+ /* Security Policy is deleted as part of deleting SA */
+ return 0;
+#if 0
int error =0;
ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,"netapilib_ifDeleteSP: called\n");
&error);
return 0;
+#endif
}
/**************************************************************************
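Review bot: In `netapilib_ifDeleteSA` the rx branch only calls `netapi_secDelSA` inside `if (globalDB.rx_sa[slot].spAppId)`, so an inbound SA that never had a policy attached is dropped from the local list but stays offloaded in NetCP, and `error` is then returned uninitialized. The SA delete should follow the policy block regardless of `spAppId`, and the slot's `saAppId`/`spAppId` should be zeroed when it is freed, since `findFreeAppIdSlot` only sets `in_use` and a reused slot otherwise inherits a stale `spAppId` that `cleanup_sa_sp` and a later delete will pass to `netapi_secDelRxPolicy`. In `findFreeAppIdSlot`, `if (free)` tests the address of the libc `free` function (the `free` parameter exists only on `findAppIdSlot`) and is therefore always true — drop the test or add the parameter. In `netapilib_ifAddSA` the slot is marked in-use before `netapi_secAddSA`, but the failure `else` branches (bodies outside the hunk) and the earlier `return -1` paths do not release it, so repeated failures exhaust the 64 entries. The message in `netapilib_ifAddSP`, `"Too many OUTBOUND SAs already offloaded"`, is copied from ifAddSA and should say the SA was not found in the rx list, and `spAppIdIn` is now unused.
```c
int netapilib_ifDeleteSA (ipsecmgr_fp_handle_t sa_handle)
{
    int error = NETAPI_ERR_OK, slot;

    slot = findAppIdSlot(&globalDB.rx_sa[0], sa_handle, 1);
    if (slot != -1)
    {
        /* rx SA: remove its policy first (if any), then the SA itself */
        if (globalDB.rx_sa[slot].spAppId)
        {
            netapi_secDelRxPolicy(netapi_handle,
                    (NETCP_CFG_IPSEC_POLICY_T) globalDB.rx_sa[slot].spAppId,
                    &error);
            ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                    "netapilib_ifDeleteSA: SP deleted: sp_app_id: 0x%x, slot: %d, error: %d\n",
                    globalDB.rx_sa[slot].spAppId, slot, error);
            globalDB.rx_sa[slot].spAppId = 0;
        }
        netapi_secDelSA(netapi_handle,
                NETCP_CFG_NO_INTERFACE,
                (NETCP_CFG_SA_T) sa_handle,
                &error);
        ipsecmgr_syslog_msg (SYSLOG_LEVEL_INFO,
                "netapilib_ifDeleteSA: SA deleted: sa_app_id: 0x%x, slot: %d, error: %d\n",
                sa_handle, slot, error);
        globalDB.rx_sa[slot].saAppId = 0;
    }
    /* … unchanged: tx_sa lookup and delete, not-found error path … */
    return error;
}
```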
diff --git a/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/src/netapilib_interface.h b/ti/runtime/netapi/applications/ipsec_offload/ipsecmgr/src/netapilib_interface.h
index 0a1744c61fe376d174af51cd8760d43a1ba29512..4d24790724fad219753ae8d631f9418fb17ab05a 100755 (executable)
#include "ti/runtime/netapi/netapi.h"
+
+/* Container for applicaion ID's for offloaded SA's */
+typedef struct {
+ int in_use;
+ uint32_t saAppId;
+ uint32_t spAppId;
+} ipsecMgrAppId_T;
+
typedef struct {
int flowId;
PKTIO_HANDLE_T* pktio_channel;
int qNum;
+ /* list to store offloaded RX SA appIds and RX Policies */
+ ipsecMgrAppId_T rx_sa[64];
+ /* list to store offloaded TX SA appIds */
+ ipsecMgrAppId_T tx_sa[64];
} ipsecMgrMcb_t;
+
+
+
+
int netapilib_ifAddSA
(
ipsecmgr_af_t af,
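Review bot: The array size `64` in `ipsecMgrAppId_T rx_sa[64];` and `tx_sa[64]` is repeated as a literal loop bound in `cleanup_sa_sp`, `findFreeAppIdSlot` and `findAppIdSlot` in the other files of this commit, so the header should own it: `#define IPSECMGR_MAX_SA 64` and `ipsecMgrAppId_T rx_sa[IPSECMGR_MAX_SA];` (likewise for `tx_sa`), with the loops using the macro. The comment on the struct has a typo (`applicaion`) and should also state that `in_use` is set when a slot is reserved, before the SA is actually offloaded, so readers know an in-use entry may hold a `saAppId` of 0. If `findFreeAppIdSlot`/`findAppIdSlot` are meant to stay non-static, their prototypes belong in this header.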
index 8d3473532887627f7ee76ea6b7f43cd0ca20925c..5ba018e1c28b87fb419d660ba10c271e0f07ff26 100755 (executable)
#include "netapi_sec.h"
-
/********************************************************************
* FUNCTION PURPOSE: API to add an IPSEC SA
********************************************************************
void * mac_handle = netapip_netcpCfgGetMacHandle(&netapi_get_global()->nwal_context,iface_no);
- *perr =0;
+ *perr =NETAPI_ERR_OK;
if ((!n) || (!sa_info) || (!p_data_mode_handle))
{
*perr = NETAPI_ERR_BAD_INPUT;
nwal_RetValue retValue;
NetapiNwalTransInfo_t *pTransInfo;
nwal_TransID_t trans_id;
- unsigned int appId = NETAPI_NETCP_MATCH_IPSEC_POLICY | (sa& NETAPI_NETCP_MATCH_ID_MASK);
+ unsigned int appId = NETAPI_NETCP_MATCH_IPSEC_POLICY;
int policyId;
int tunnelId= netapi_cfgGetMatchId(sa);
void * blah;
NETAPI_HANDLE_T * n = (NETAPI_HANDLE_T *) h;
void * handle_inflow;
void * handle_sideband;
- int tunnelId = (handle >>8) &0xffff;
+ int tunnelId = (handle >> NETAPI_NETCP_MATCH_ID_SHIFT) & NETAPI_NETCP_MATCH_ID_MASK;
int have_to_wait = 1;
handle_inflow = netapip_netcpCfgGetSaHandles(&netapi_get_global()->nwal_context,
tunnelId, &handle_sideband);