

[ipsec_esp] 4915 - factored out setting up SAs in BEX _and_ made hipd part of user_ipsec a module

 

Hi,

I'm currently trying to fix and modularize the userspace ipsec and esp token extensions (they should not really be part of the core functionality, right!?) in the HIPL codebase. These changes will take more than a day, so I decided to create a separate branch in launchpad and to request a merge in the end. For the peer review to work nonetheless, I subscribed hipl-core to the commit notifications (except for my first branch-opening push). So you'll find the corresponding diff below:

------------------------------------------------------------
revno: 4915
committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
branch nick: ipsec_esp
timestamp: Wed 2010-08-25 14:53:17 +0200
message:
  factored out setting up SAs in BEX _and_ made hipd part of user_ipsec a module
  
  sorry for the large combined commit. i tried shelving to split, but bzr 
  threw an error...
added:
  modules/user_ipsec/
  modules/user_ipsec/Makefile.am
  modules/user_ipsec/hipd/
  modules/user_ipsec/hipd/user_ipsec.c
  modules/user_ipsec/hipd/user_ipsec.h
  modules/user_ipsec/module_info.xml
renamed:
  hipd/user_ipsec_hipd_msg.c => modules/user_ipsec/hipd/user_ipsec_hipd_msg.c
  hipd/user_ipsec_hipd_msg.h => modules/user_ipsec/hipd/user_ipsec_hipd_msg.h
  hipd/user_ipsec_sadb_api.c => modules/user_ipsec/hipd/user_ipsec_sadb_api.c
  hipd/user_ipsec_sadb_api.h => modules/user_ipsec/hipd/user_ipsec_sadb_api.h
modified:
  Makefile.am
  hipd/esp_prot_hipd_msg.c
  hipd/hadb.c
  hipd/hadb.h
  hipd/hipd.c
  hipd/init.c
  hipd/input.c
  hipd/input.h
  hipd/output.c
  hipd/user.c
  modules/user_ipsec/hipd/user_ipsec_hipd_msg.c
  modules/user_ipsec/hipd/user_ipsec_hipd_msg.h
  modules/user_ipsec/hipd/user_ipsec_sadb_api.c
diff:
=== modified file 'Makefile.am'
--- Makefile.am	2010-08-20 14:34:13 +0000
+++ Makefile.am	2010-08-25 12:53:17 +0000
@@ -74,9 +74,7 @@
                     hipd/output.c                \
                     hipd/pkt_handling.c          \
                     hipd/registration.c          \
-                    hipd/user.c                  \
-                    hipd/user_ipsec_hipd_msg.c   \
-                    hipd/user_ipsec_sadb_api.c
+                    hipd/user.c
 
 if HIP_MIDAUTH
 hipd_hipd_SOURCES +=  hipd/pisa.c
@@ -165,6 +163,7 @@
 include modules/heartbeat/Makefile.am
 include modules/heartbeat_update/Makefile.am
 include modules/update/Makefile.am
+include modules/user_ipsec/Makefile.am
 
 ### library dependencies ###
 

=== modified file 'hipd/esp_prot_hipd_msg.c'
--- hipd/esp_prot_hipd_msg.c	2010-08-19 09:32:20 +0000
+++ hipd/esp_prot_hipd_msg.c	2010-08-25 12:53:17 +0000
@@ -53,8 +53,8 @@
 #include "output.h"
 #include "esp_prot_hipd_msg.h"
 
-/** @todo Remove this dependency from core to UPDATE module */
 #include "modules/update/hipd/update.h"
+#include "modules/user_ipsec/hipd/user_ipsec.h"
 
 /**
  * Sends second update message for a public-key-based anchor element update
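Review bot: The `@todo Remove this dependency from core to UPDATE module` comment is dropped while the `modules/update/hipd/update.h` include it refers to stays, and a second core-to-module include, `modules/user_ipsec/hipd/user_ipsec.h`, is added right below it. These core-to-module dependencies are exactly what the modularization is meant to remove, so the todo should remain and cover both includes, e.g. `/** @todo Remove these dependencies from core to the UPDATE and user_ipsec modules */`.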

=== modified file 'hipd/hadb.c'
--- hipd/hadb.c	2010-08-19 09:32:20 +0000
+++ hipd/hadb.c	2010-08-25 12:53:17 +0000
@@ -94,7 +94,6 @@
 #include "netdev.h"
 #include "oppdb.h"
 #include "output.h"
-#include "user_ipsec_sadb_api.h"
 #include "hadb.h"
 
 

=== modified file 'hipd/hadb.h'
--- hipd/hadb.h	2010-08-19 09:32:20 +0000
+++ hipd/hadb.h	2010-08-25 12:53:17 +0000
@@ -41,9 +41,6 @@
 
 #define do_gettimeofday(x) gettimeofday(x, NULL)
 
-/* For switch userspace / kernel IPsec */
-extern int hip_use_userspace_ipsec;
-
 extern hip_xmit_func_set_t nat_xmit_func_set;
 
 extern HIP_HASHTABLE *hadb_hit;

=== modified file 'hipd/hipd.c'
--- hipd/hipd.c	2010-08-25 09:06:43 +0000
+++ hipd/hipd.c	2010-08-25 12:53:17 +0000
@@ -144,12 +144,6 @@
 
 int address_change_time_counter = -1;
 
-/*Define hip_use_userspace_ipsec variable to indicate whether use
- * userspace ipsec or not. If it is 1, hip uses the user space ipsec.
- * It will not use if hip_use_userspace_ipsec = 0. Added By Tao Wan
- */
-int hip_use_userspace_ipsec                  = 0;
-
 int esp_prot_active                          = 0;
 int esp_prot_num_transforms                  = 0;
 uint8_t esp_prot_transforms[MAX_NUM_TRANSFORMS];

=== modified file 'hipd/init.c'
--- hipd/init.c	2010-08-25 09:06:43 +0000
+++ hipd/init.c	2010-08-25 12:53:17 +0000
@@ -768,28 +768,36 @@
 
     hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_send_r2,   40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_send_r2,   40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_check_i2,             20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_handle_i2_in_i2_sent, 21000);
     hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_handle_i2,            30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_send_r2,              40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_send_r2,   40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_send_r2,   40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_send_r2,   40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_send_r2,   40000);
     hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_check_i2,  20000);
     hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_handle_i2, 30000);
+    hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa_i2, 30500);
     hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_send_r2,   40000);
 
     hip_register_handle_function(HIP_R1, HIP_STATE_I1_SENT, &hip_check_r1,  20000);
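Review bot: hip_setup_ipsec_sa_i2 is registered at priority 30500, after hip_handle_i2 at 30000, yet the new tail of hip_handle_i2 in this commit already sets `ctx->hadb_entry->state = HIP_STATE_ESTABLISHED` and clears the retransmission buffer before any SA exists; the R2 registration in the next hunk has the same shape, because hip_handle_r2 also moves to ESTABLISHED before hip_setup_ipsec_sa_r2 runs. If SA installation then fails, the host association is left in ESTABLISHED with no IPsec state, and whether hip_send_r2 at 40000 is still dispatched after a failed 30500 handler depends on how the handle-function chain treats a non-zero return, which is not visible here. Either run the SA setup before the state transition or move the transition out of hip_handle_i2/hip_handle_r2 into a handler that runs after the SA setup.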
@@ -807,6 +815,7 @@
 
     hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_check_r2,  20000);
     hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_handle_r2, 30000);
+    hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_r2, 30500);
 
     hip_register_handle_function(HIP_NOTIFY, HIP_STATE_I1_SENT, &hip_check_notify,  20000);
     hip_register_handle_function(HIP_NOTIFY, HIP_STATE_I1_SENT, &hip_handle_notify, 30000);

=== modified file 'hipd/input.c'
--- hipd/input.c	2010-08-20 14:34:13 +0000
+++ hipd/input.c	2010-08-25 12:53:17 +0000
@@ -1098,11 +1098,8 @@
                   const uint32_t ha_state,
                   struct hip_packet_context *ctx)
 {
-    int err = 0, tfm = 0, retransmission = 0, idx = 0;
-    uint32_t spi_recvd = 0, spi_in = 0;
-    const struct hip_esp_info *esp_info = NULL;
-    const struct hip_locator *locator   = NULL;
-    struct hip_spi_out_item spi_out_data;
+    int err = 0, retransmission = 0;
+    const struct hip_locator *locator     = NULL;
 
     if (ha_state == HIP_STATE_ESTABLISHED) {
         retransmission = 1;
@@ -1117,32 +1114,6 @@
         ctx->hadb_entry->peer_udp_port  = ctx->msg_ports->src_port;
     }
 
-    HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg, HIP_PARAM_ESP_INFO)),
-             -EINVAL,
-             "Parameter SPI not found.\n");
-
-    spi_recvd = ntohl(esp_info->new_spi);
-    memset(&spi_out_data, 0, sizeof(struct hip_spi_out_item));
-    spi_out_data.spi = spi_recvd;
-
-    ctx->hadb_entry->spi_outbound_current = spi_recvd;
-    HIP_DEBUG("Set SPI out = 0x%x\n", spi_recvd);
-
-    /* Copy SPI out value here or otherwise ICE code has zero SPI */
-    ctx->hadb_entry->spi_outbound_new = spi_recvd;
-    HIP_DEBUG("Set default SPI out = 0x%x\n", spi_recvd);
-
-    HIP_DEBUG("entry should have only one spi_in now, test\n");
-
-    spi_in = ctx->hadb_entry->spi_inbound_current;
-    HIP_DEBUG("spi_in: 0x%x\n", spi_in);
-
-    tfm    = ctx->hadb_entry->esp_transform;
-    HIP_DEBUG("esp_transform: %i\n", tfm);
-
-    HIP_DEBUG("R2 packet source port: %d, destination port %d.\n",
-              ctx->msg_ports->src_port, ctx->msg_ports->dst_port);
-
     /********** ESP-PROT anchor [OPTIONAL] **********/
     HIP_IFEL(esp_prot_r2_handle_anchor(ctx->hadb_entry,
                                        ctx->input_msg),
@@ -1155,51 +1126,6 @@
         HIP_DEBUG("Locator parameter support in BEX is not implemented!\n");
     }
 
-    HIP_DEBUG_HIT("hit our", &(ctx->hadb_entry)->hit_our);
-    HIP_DEBUG_HIT("hit peer", &(ctx->hadb_entry)->hit_peer);
-    HIP_IFEL(hip_add_sa(ctx->src_addr,
-                        ctx->dst_addr,
-                        &ctx->input_msg->hits,
-                        &ctx->input_msg->hitr,
-                        spi_in,
-                        tfm,
-                        &(ctx->hadb_entry)->esp_in,
-                        &(ctx->hadb_entry)->auth_in,
-                        HIP_SPI_DIRECTION_IN,
-                        0,
-                        ctx->hadb_entry),
-            -1,
-            "Failed to setup IPsec SPD/SA entries, peer:src\n");
-
-    HIP_IFEL(hip_add_sa(ctx->dst_addr,
-                        ctx->src_addr,
-                        &ctx->input_msg->hitr,
-                        &ctx->input_msg->hits,
-                        spi_recvd,
-                        tfm,
-                        &ctx->hadb_entry->esp_out,
-                        &ctx->hadb_entry->auth_out,
-                        HIP_SPI_DIRECTION_OUT,
-                        0,
-                        ctx->hadb_entry),
-             -1,
-             "Failed to setup IPsec SPD/SA entries, peer:dst\n");
-
-    /** @todo Check for -EAGAIN */
-    HIP_DEBUG("Set up outbound IPsec SA, SPI = 0x%x (host).\n", spi_recvd);
-
-    /* Source IPv6 address is implicitly the preferred address after the
-     * base exchange. */
-
-    idx = hip_devaddr2ifindex(ctx->dst_addr);
-
-    if (idx != 0) {
-        HIP_DEBUG("ifindex = %d\n", idx);
-        // hip_hadb_set_spi_ifindex_deprecated(ctx->hadb_entry, spi_in, idx);
-    } else {
-        HIP_ERROR("Couldn't get device ifindex of address\n");
-    }
-
 #ifdef CONFIG_HIP_RVS
         hip_relay_handle_relay_to_in_client(packet_type, ha_state, ctx);
 #endif /* CONFIG_HIP_RVS */
@@ -1214,11 +1140,6 @@
 
     hip_handle_reg_from(ctx->hadb_entry, ctx->input_msg);
 
-    /* These will change SAs' state from ACQUIRE to VALID, and wake up any
-     * transport sockets waiting for a SA. */
-    // hip_finalize_sa(&entry->hit_peer, spi_recvd);
-    // hip_finalize_sa(&entry->hit_our, spi_in);
-
     ctx->hadb_entry->state = HIP_STATE_ESTABLISHED;
     hip_hadb_insert_state(ctx->hadb_entry);
 
@@ -1257,6 +1178,61 @@
     return err;
 }
 
+int hip_setup_ipsec_sa_r2(UNUSED const uint8_t packet_type,
+                    UNUSED const uint32_t ha_state,
+                    struct hip_packet_context *ctx)
+{
+    const struct hip_esp_info *esp_info   = NULL;
+    int err = 0;
+
+    HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg, HIP_PARAM_ESP_INFO)),
+             -EINVAL, "Parameter SPI not found.\n");
+
+    ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
+    /* Copy SPI out value here or otherwise ICE code has zero SPI */
+    ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
+
+    // set up inbound IPsec SA
+    HIP_IFEL(hip_add_sa(ctx->src_addr,
+                        ctx->dst_addr,
+                        &ctx->input_msg->hits,
+                        &ctx->input_msg->hitr,
+                        ctx->hadb_entry->spi_inbound_current,
+                        ctx->hadb_entry->esp_transform,
+                        &(ctx->hadb_entry)->esp_in,
+                        &(ctx->hadb_entry)->auth_in,
+                        HIP_SPI_DIRECTION_IN,
+                        0,
+                        ctx->hadb_entry),
+            -1,
+            "Failed to setup IPsec SPD/SA entries, peer:src\n");
+
+    // set up outbound IPsec SA
+    HIP_IFEL(hip_add_sa(ctx->dst_addr,
+                        ctx->src_addr,
+                        &ctx->input_msg->hitr,
+                        &ctx->input_msg->hits,
+                        ctx->hadb_entry->spi_outbound_current,
+                        ctx->hadb_entry->esp_transform,
+                        &ctx->hadb_entry->esp_out,
+                        &ctx->hadb_entry->auth_out,
+                        HIP_SPI_DIRECTION_OUT,
+                        0,
+                        ctx->hadb_entry),
+             -1,
+             "Failed to setup IPsec SPD/SA entries, peer:dst\n");
+
+  out_err:
+    if (err) {
+        HIP_ERROR("Failed to setup IPsec SAs, removing IPsec state!");
+
+        /* delete all IPsec related SPD/SA for this ctx->hadb_entry*/
+        hip_delete_security_associations_and_sp(ctx->hadb_entry);
+    }
+
+    return err;
+}
+
 /**
  * hip_check_i1
  *
@@ -1733,16 +1709,10 @@
                   struct hip_packet_context *ctx)
 {
     int err = 0, retransmission = 0;
-    uint32_t spi_out = 0;
-    const struct hip_esp_info *esp_info     = NULL;
-    hip_transform_suite_t esp_tfm;
-    struct hip_spi_in_item spi_in_data;
     const struct hip_locator *locator       = NULL;
     int if_index                            = 0;
     struct sockaddr_storage ss_addr;
     struct sockaddr *addr                   = NULL;
-    const struct hip_esp_transform *esp_tf  = NULL;
-    struct hip_spi_out_item spi_out_data;
 
     /* Get the interface index of the network device which has our
      * local IP address. */
@@ -1786,32 +1756,8 @@
         /*hip_hadb_set_xmit_function_set(ctx->hadb_entry, &nat_xmit_func_set);*/
     }
 
-    /* If we have old SAs with these HITs delete them */
-    hip_delete_security_associations_and_sp(ctx->hadb_entry);
-
-    HIP_IFEL(!(esp_tf = hip_get_param(ctx->input_msg,
-                                      HIP_PARAM_ESP_TRANSFORM)),
-             -ENOENT, "Did not find ESP transform on i2\n");
-    HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg,
-                                        HIP_PARAM_ESP_INFO)),
-             -ENOENT, "Did not find SPI LSI on i2\n");
-
-
     ctx->hadb_entry->peer_controls |= ntohs(ctx->input_msg->control);
 
-    /* move this below setup_sa */
-    memset(&spi_out_data, 0, sizeof(struct hip_spi_out_item));
-    spi_out_data.spi            = ntohl(esp_info->new_spi);
-    ctx->hadb_entry->spi_outbound_current = spi_out_data.spi;
-    /* 99999
-     * HIP_DEBUG("Adding spi 0x%x\n", spi_out_data.spi);
-     * HIP_IFE(hip_hadb_add_spi_old(ctx->hadb_entry, HIP_SPI_DIRECTION_OUT,
-     *                       &spi_out_data), -1);*/
-    ctx->hadb_entry->esp_transform  = hip_select_esp_transform(esp_tf);
-    HIP_IFEL(!(esp_tfm = ctx->hadb_entry->esp_transform),
-             -1,
-             "Could not select proper ESP transform\n");
-
     HIP_IFEL(hip_hadb_add_peer_addr(ctx->hadb_entry,
                                     ctx->src_addr,
                                     0,
@@ -1832,33 +1778,83 @@
     HIP_IFEL(esp_prot_i2_handle_anchor(ctx), -1,
              "failed to handle esp prot anchor\n");
 
-    /************************************************/
-
-    /* Set up IPsec associations */
-    err = hip_add_sa(ctx->src_addr,
+    /***** LOCATOR PARAMETER *****/
+    locator = hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR);
+    if (locator) {
+        HIP_DEBUG("Locator parameter support in BEX is not implemented!\n");
+    }
+
+#ifdef CONFIG_HIP_PERFORMANCE
+    HIP_DEBUG("Stop and write PERF_BASE\n");
+    hip_perf_stop_benchmark(perf_set, PERF_BASE);
+    hip_perf_write_benchmark(perf_set, PERF_BASE);
+#endif
+
+    ctx->hadb_entry->state = HIP_STATE_ESTABLISHED;
+    HIP_INFO("Reached %s state\n", hip_state_str(ctx->hadb_entry->state));
+    if (ctx->hadb_entry->hip_msg_retrans.buf) {
+        ctx->hadb_entry->hip_msg_retrans.count = 0;
+        memset(ctx->hadb_entry->hip_msg_retrans.buf, 0, HIP_MAX_NETWORK_PACKET);
+    }
+out_err:
+    if (err) {
+        ctx->error = err;
+    }
+    return err;
+}
+
+int hip_setup_ipsec_sa_i2(UNUSED const uint8_t packet_type,
+                                UNUSED const uint32_t ha_state,
+                                struct hip_packet_context *ctx)
+{
+    const struct hip_esp_transform *esp_tfm = NULL;
+    const struct hip_esp_info *esp_info     = NULL;
+    int err                                 = 0;
+
+    HIP_IFEL(!(esp_tfm = hip_get_param(ctx->input_msg,
+                                       HIP_PARAM_ESP_TRANSFORM)),
+               -ENOENT, "Did not find ESP transform on i2\n");
+    HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg,
+                                        HIP_PARAM_ESP_INFO)),
+               -ENOENT, "Did not find SPI on i2\n");
+
+    /* If we have old SAs with these HITs delete them */
+    hip_delete_security_associations_and_sp(ctx->hadb_entry);
+
+    HIP_IFEL(!(ctx->hadb_entry->esp_transform = hip_select_esp_transform(esp_tfm)),
+             -1,
+             "Could not select proper ESP transform\n");
+
+    ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
+    ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
+
+    /* Set up inbound IPsec associations */
+    HIP_IFEL(hip_add_sa(ctx->src_addr,
                      ctx->dst_addr,
                      &ctx->input_msg->hits,
                      &ctx->input_msg->hitr,
                      ctx->hadb_entry->spi_inbound_current,
-                     esp_tfm,
+                     ctx->hadb_entry->esp_transform,
                      &ctx->hadb_entry->esp_in,
                      &ctx->hadb_entry->auth_in,
                      HIP_SPI_DIRECTION_IN,
                      0,
-                     ctx->hadb_entry);
-
-    /* Remove the IPsec associations if there was an error when creating
-     * them.
-     */
-    if (err) {
-        err = -1;
-        HIP_ERROR("Failed to setup inbound SA with SPI=%d\n", ctx->hadb_entry->spi_inbound_current);
-        hip_delete_security_associations_and_sp(ctx->hadb_entry);
-        goto out_err;
-    }
-
-    spi_out = ntohl(esp_info->new_spi);
-    HIP_DEBUG("Setting up outbound IPsec SA, SPI=0x%x\n", spi_out);
+                     ctx->hadb_entry),
+                     -1, "Failed to setup inbound SA");
+
+    /* Set up outbound IPsec associations */
+    HIP_IFEL(hip_add_sa(ctx->dst_addr,
+                     ctx->src_addr,
+                     &ctx->input_msg->hitr,
+                     &ctx->input_msg->hits,
+                     ctx->hadb_entry->spi_outbound_current,
+                     ctx->hadb_entry->esp_transform,
+                     &ctx->hadb_entry->esp_out,
+                     &ctx->hadb_entry->auth_out,
+                     HIP_SPI_DIRECTION_OUT,
+                     0,
+                     ctx->hadb_entry),
+                     -1, "Failed to setup outbound SA");
 
     HIP_IFEL(hip_setup_hit_sp_pair(&ctx->input_msg->hits,
                                    &ctx->input_msg->hitr,
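Review bot: The two new HIP_IFEL messages in hip_setup_ipsec_sa_i2, `"Failed to setup inbound SA"` and `"Failed to setup outbound SA"`, lack the trailing `\n` that every other message in this file carries, and they no longer mention the SPI value that the replaced HIP_ERROR printed. The `-1, "..."` continuation lines are indented to line up with hip_add_sa's arguments instead of HIP_IFEL's, which reads as if they belonged to the inner call; the r2 counterpart above aligns them correctly. The local `esp_tfm` now names the `struct hip_esp_transform *` parameter, whereas the removed code used the same name for the selected `hip_transform_suite_t`, so the name changes meaning between old and new code. hip_handle_i2 starts and hip_setup_ipsec_sa_i2 ends outside this hunk.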
@@ -1870,40 +1866,14 @@
              -1,
              "Failed to set up an SP pair.\n");
 
-    memset(&spi_in_data, 0, sizeof(struct hip_spi_in_item));
-    spi_in_data.spi     = ctx->hadb_entry->spi_inbound_current;
-    spi_in_data.ifindex = hip_devaddr2ifindex(ctx->dst_addr);
-
-    if (spi_in_data.ifindex) {
-        HIP_DEBUG("spi_in_data.ifindex = %d.\n", spi_in_data.ifindex);
-    } else {
-        HIP_ERROR("Could not get device ifindex of address.\n");
-    }
-
-    ctx->hadb_entry->spi_outbound_new = spi_out;
-
-    /***** LOCATOR PARAMETER *****/
-    locator = hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR);
-    if (locator) {
-        HIP_DEBUG("Locator parameter support in BEX is not implemented!\n");
-    }
-
-#ifdef CONFIG_HIP_PERFORMANCE
-    HIP_DEBUG("Stop and write PERF_BASE\n");
-    hip_perf_stop_benchmark(perf_set, PERF_BASE);
-    hip_perf_write_benchmark(perf_set, PERF_BASE);
-#endif
-
-    ctx->hadb_entry->state = HIP_STATE_ESTABLISHED;
-    HIP_INFO("Reached %s state\n", hip_state_str(ctx->hadb_entry->state));
-    if (ctx->hadb_entry->hip_msg_retrans.buf) {
-        ctx->hadb_entry->hip_msg_retrans.count = 0;
-        memset(ctx->hadb_entry->hip_msg_retrans.buf, 0, HIP_MAX_NETWORK_PACKET);
-    }
-out_err:
+  out_err:
     if (err) {
-        ctx->error = err;
+      HIP_ERROR("Failed to setup IPsec SAs, removing IPsec state!");
+
+      /* delete all IPsec related SPD/SA for this ctx->hadb_entry*/
+      hip_delete_security_associations_and_sp(ctx->hadb_entry);
     }
+
     return err;
 }
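Review bot: The `out_err:` label that replaces the column-0 label of the old hip_handle_i2 body is indented by two spaces, and the statements inside the following `if (err)` are indented by two spaces as well, while the rest of the function uses four; hip_setup_ipsec_sa_r2 has the same mixed indentation. Put the label back at column 0 and the block at four spaces so the indentation stays uniform with the rest of the file. hip_setup_ipsec_sa_i2 starts outside this hunk.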
 

=== modified file 'hipd/input.h'
--- hipd/input.h	2010-07-07 16:42:17 +0000
+++ hipd/input.h	2010-08-25 12:53:17 +0000
@@ -98,6 +98,10 @@
                   const uint32_t ha_state,
                   struct hip_packet_context *ctx);
 
+int hip_setup_ipsec_sa_i2(const uint8_t packet_type,
+                                const uint32_t ha_state,
+                                struct hip_packet_context *ctx);
+
 int hip_check_notify(const uint8_t packet_type,
                      const uint32_t ha_state,
                      struct hip_packet_context *ctx);
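Review bot: The continuation lines of the new hip_setup_ipsec_sa_i2 prototype are indented more deeply than those of the neighbouring declarations, and the hip_setup_ipsec_sa_r2 prototype in the next hunk uses yet another indentation; align both with the existing prototypes so that the continuation lines start under `const`. Since this header is the interface the handler registrations in init.c rely on, a one-line comment above each, e.g. `/** Installs the inbound and outbound IPsec SAs for the I2 just handled (priority 30500). */`, would tell a reader why these handlers exist separately from hip_handle_i2/hip_handle_r2.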
@@ -122,4 +126,8 @@
                   const uint32_t ha_state,
                   struct hip_packet_context *ctx);
 
+int hip_setup_ipsec_sa_r2(const uint8_t packet_type,
+                  const uint32_t ha_state,
+                  struct hip_packet_context *ctx);
+
 #endif /* HIP_HIPD_INPUT_H */

=== modified file 'hipd/output.c'
--- hipd/output.c	2010-08-20 14:34:13 +0000
+++ hipd/output.c	2010-08-25 12:53:17 +0000
@@ -1025,30 +1025,6 @@
     }
 #endif
 
-    err = hip_add_sa(ctx->dst_addr,
-                     ctx->src_addr,
-                     &ctx->input_msg->hitr,
-                     &ctx->input_msg->hits,
-                     ctx->hadb_entry->spi_outbound_current,
-                     ctx->hadb_entry->esp_transform,
-                     &ctx->hadb_entry->esp_out,
-                     &ctx->hadb_entry->auth_out,
-                     HIP_SPI_DIRECTION_OUT,
-                     0,
-                     ctx->hadb_entry);
-    if (err) {
-        HIP_ERROR("Failed to setup outbound SA with SPI = %d.\n",
-                  ctx->hadb_entry->spi_outbound_current);
-
-        /* delete all IPsec related SPD/SA for this ctx->hadb_entry*/
-        hip_delete_security_associations_and_sp(ctx->hadb_entry);
-        goto out_err;
-    }
-
-    /* @todo Check if err = -EAGAIN... */
-    HIP_DEBUG("Set up outbound IPsec SA, SPI=0x%x\n",
-              ctx->hadb_entry->spi_outbound_new);
-
     err = hip_send_pkt(ctx->dst_addr,
                        ctx->src_addr,
                        (ctx->hadb_entry->nat_mode ? hip_get_local_nat_udp_port() : 0),

=== modified file 'hipd/user.c'
--- hipd/user.c	2010-08-25 09:06:43 +0000
+++ hipd/user.c	2010-08-25 12:53:17 +0000
@@ -88,7 +88,6 @@
 #include "output.h"
 #include "registration.h"
 #include "user.h"
-#include "user_ipsec_hipd_msg.h"
 
 
 struct usr_msg_handle {
@@ -714,10 +713,6 @@
         err                 = hip_netdev_trigger_bex_msg(msg);
         goto out_err;
         break;
-    case HIP_MSG_USERSPACE_IPSEC:
-        HIP_DUMP_MSG(msg);
-        err = hip_userspace_ipsec_activate(msg);
-        break;
     case HIP_MSG_RESTART_DUMMY_INTERFACE:
         set_up_device(HIP_HIT_DEV, 0);
         err = set_up_device(HIP_HIT_DEV, 1);

=== added directory 'modules/user_ipsec'
=== added file 'modules/user_ipsec/Makefile.am'
--- modules/user_ipsec/Makefile.am	1970-01-01 00:00:00 +0000
+++ modules/user_ipsec/Makefile.am	2010-08-25 12:53:17 +0000
@@ -0,0 +1,7 @@
+lib_LTLIBRARIES += modules/user_ipsec/hipd/libuser_ipsec.la
+
+modules_user_ipsec_hipd_libuser_ipsec_la_SOURCES = modules/user_ipsec/hipd/user_ipsec_hipd_msg.c \
+                                                   modules/user_ipsec/hipd/user_ipsec_sadb_api.c \
+                                                   modules/user_ipsec/hipd/user_ipsec.c
+
+hipd_hipd_LDADD += modules/user_ipsec/hipd/libuser_ipsec.la

=== added directory 'modules/user_ipsec/hipd'
=== added file 'modules/user_ipsec/hipd/user_ipsec.c'
--- modules/user_ipsec/hipd/user_ipsec.c	1970-01-01 00:00:00 +0000
+++ modules/user_ipsec/hipd/user_ipsec.c	2010-08-25 12:53:17 +0000
@@ -0,0 +1,54 @@
+/**
+ * @file
+ *
+ * Copyright (c) 2010 Aalto University) and RWTH Aachen University.
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Implements hooking of the userspace ipsec extension into the hipd.
+ *
+ * @brief hooks extension into hipd
+ *
+ * @author Rene Hummen <rene.hummen@xxxxxxxxxxxxxx>
+ */
+
+#include "user_ipsec.h"
+#include "lib/core/ife.h"
+#include "hipd/user.h"
+#include "lib/core/icomm.h"
+#include "user_ipsec_hipd_msg.h"
+
+// determines whether userspace ipsec is active or not
+int hip_use_userspace_ipsec = 0;
+
+int user_ipsec_init(void)
+{
+    int err = 0;
+
+    HIP_IFEL(hip_user_register_handle(HIP_MSG_USERSPACE_IPSEC,
+                                      &hip_userspace_ipsec_activate,
+                                      20000),
+             -1, "Error on registering user_ipsec user message handle function.\n");
+
+  out_err:
+    return err;
+}
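Review bot: user_ipsec_init is the module entry point named as init_function in module_info.xml but has no Doxygen block, although the file header is written in that style; a comment saying it registers hip_userspace_ipsec_activate for HIP_MSG_USERSPACE_IPSEC user messages via hip_user_register_handle and returns -1 if that registration fails would cover it. The `out_err:` label is indented by two spaces, unlike labels elsewhere in the tree, and the copyright line reads `Aalto University)` with a stray closing parenthesis, a typo repeated in user_ipsec.h. Since hip_use_userspace_ipsec now lives here and its extern was removed from hadb.h, every core file that still reads it needs `modules/user_ipsec/hipd/user_ipsec.h`; only esp_prot_hipd_msg.c picks it up in this commit, so it is worth confirming that the rest still builds.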

=== added file 'modules/user_ipsec/hipd/user_ipsec.h'
--- modules/user_ipsec/hipd/user_ipsec.h	1970-01-01 00:00:00 +0000
+++ modules/user_ipsec/hipd/user_ipsec.h	2010-08-25 12:53:17 +0000
@@ -0,0 +1,36 @@
+/**
+ * @file
+ *
+ * Copyright (c) 2010 Aalto University) and RWTH Aachen University.
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following
+ * conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Implements hooking of the userspace ipsec extension into the hipd.
+ *
+ * @brief hooks extension into hipd
+ *
+ * @author Rene Hummen <rene.hummen@xxxxxxxxxxxxxx>
+ */
+
+extern int hip_use_userspace_ipsec;
+
+int user_ipsec_init(void);
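Review bot: user_ipsec.h has no include guard, while the rest of the tree's headers have one (input.h ends with `#endif /* HIP_HIPD_INPUT_H */`); the header is named as header_file in module_info.xml and is also included by user_ipsec_hipd_msg.c, so it can end up in one translation unit twice, which is harmless for the current extern and prototype but breaks as soon as a type or inline definition is added. Wrap the declarations following the existing naming pattern, e.g. `#ifndef HIP_MODULES_USER_IPSEC_HIPD_USER_IPSEC_H` / `#define HIP_MODULES_USER_IPSEC_HIPD_USER_IPSEC_H` / `#endif /* HIP_MODULES_USER_IPSEC_HIPD_USER_IPSEC_H */`.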

=== renamed file 'hipd/user_ipsec_hipd_msg.c' => 'modules/user_ipsec/hipd/user_ipsec_hipd_msg.c'
--- hipd/user_ipsec_hipd_msg.c	2010-08-19 09:32:20 +0000
+++ modules/user_ipsec/hipd/user_ipsec_hipd_msg.c	2010-08-25 12:53:17 +0000
@@ -40,12 +40,13 @@
 #include "lib/core/ife.h"
 #include "lib/core/protodefs.h"
 #include "lib/tool/xfrmapi.h"
-#include "esp_prot_hipd_msg.h"
-#include "hadb.h"
-#include "hipd.h"
-#include "init.h"
+#include "hipd/esp_prot_hipd_msg.h"
+#include "hipd/hadb.h"
+#include "hipd/hipd.h"
+#include "hipd/init.h"
 #include "user_ipsec_sadb_api.h"
 #include "user_ipsec_hipd_msg.h"
+#include "user_ipsec.h"
 
 
 /**
@@ -54,7 +55,8 @@
  * @param msg   the message sent by the firewall
  * @return      0, if ok, != 0 else
  */
-int hip_userspace_ipsec_activate(const struct hip_common *msg)
+int hip_userspace_ipsec_activate(struct hip_common *msg,
+                                 UNUSED struct sockaddr_in6 *src)
 {
     const struct hip_tlv_common *param = NULL;
     int err                            = 0, activate = 0;
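Review bot: The signature of hip_userspace_ipsec_activate gains a `src` parameter and loses the `const` on `msg`, but the Doxygen block right above still documents only `msg`; add `* @param src   the message's source address (unused by this handler)` after the existing @param line. Dropping `const` is presumably needed to match the callback type hip_user_register_handle expects, since the old user.c switch passed the message directly; if the body does not write to msg, say so in the comment so the next reader does not assume the message is modified. The function body continues beyond this hunk.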

=== renamed file 'hipd/user_ipsec_hipd_msg.h' => 'modules/user_ipsec/hipd/user_ipsec_hipd_msg.h'
--- hipd/user_ipsec_hipd_msg.h	2010-07-07 16:42:17 +0000
+++ modules/user_ipsec/hipd/user_ipsec_hipd_msg.h	2010-08-25 12:53:17 +0000
@@ -38,8 +38,10 @@
 #include <netinet/in.h>
 
 #include "lib/core/protodefs.h"
+#include "lib/core/common.h"
 
-int hip_userspace_ipsec_activate(const struct hip_common *msg);
+int hip_userspace_ipsec_activate(struct hip_common *msg,
+                                 UNUSED struct sockaddr_in6 *src);
 struct hip_common *create_add_sa_msg(const struct in6_addr *saddr,
                                      const struct in6_addr *daddr,
                                      const struct in6_addr *src_hit,
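Review bot: The `UNUSED` annotation on `src` in the prototype is superfluous: it is an unused-parameter marker (presumably an `__attribute__((unused))` wrapper) that belongs on the definition, and keeping it in the declaration is the only visible reason this header now pulls in `lib/core/common.h`. Declare it as `int hip_userspace_ipsec_activate(struct hip_common *msg, struct sockaddr_in6 *src);`, keep the UNUSED in user_ipsec_hipd_msg.c, and drop the common.h include again if nothing else in the header needs it.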

=== renamed file 'hipd/user_ipsec_sadb_api.c' => 'modules/user_ipsec/hipd/user_ipsec_sadb_api.c'
--- hipd/user_ipsec_sadb_api.c	2010-07-07 16:42:17 +0000
+++ modules/user_ipsec/hipd/user_ipsec_sadb_api.c	2010-08-25 12:53:17 +0000
@@ -42,7 +42,7 @@
 #include "lib/core/prefix.h"
 #include "lib/core/protodefs.h"
 #include "lib/core/state.h"
-#include "user.h"
+#include "hipd/user.h"
 #include "user_ipsec_hipd_msg.h"
 #include "user_ipsec_sadb_api.h"
 

=== renamed file 'hipd/user_ipsec_sadb_api.h' => 'modules/user_ipsec/hipd/user_ipsec_sadb_api.h'
=== added file 'modules/user_ipsec/module_info.xml'
--- modules/user_ipsec/module_info.xml	1970-01-01 00:00:00 +0000
+++ modules/user_ipsec/module_info.xml	2010-08-25 12:53:17 +0000
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- Mandatory: name, version -->
+<module
+    name="user_ipsec"
+    version="0.0.1"
+    description="Userspace IPsec functionality."
+    developer=""
+    bugaddress="hipl-users@xxxxxxxxxxxxx"
+    webpage="http://infrahip.hiit.fi/";>
+
+    <!-- Mandatory: name, header_file, init_function -->
+    <application
+        name="hipd"
+        header_file="modules/user_ipsec/hipd/user_ipsec.h"
+        init_function="user_ipsec_init" />
+</module>
+
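Review bot: The `<module>` start tag closes with `webpage="http://infrahip.hiit.fi/";>` — the `;` between the attribute value and `>` is not well-formed XML and will make the descriptor unparsable, unless it is an artifact of the mailing-list archive; it should read `webpage="http://infrahip.hiit.fi/">`. `developer=""` is left empty although the author is already named in the @author tags of the new sources, so filling it in keeps the descriptor consistent with them.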

 



--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://ds.rwth-aachen.de/members/hummen



