

[Branch ~rene-hummen/hipl/ipsec_esp] Rev 4920: added IPsec SA handling for userspace IPsec

 

------------------------------------------------------------
revno: 4920
committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
branch nick: ipsec_esp
timestamp: Mon 2010-09-06 19:09:57 +0200
message:
  added IPsec SA handling for userspace IPsec
  
  This includes unregistering the kernel-space IPsec hooks and registering
  their userspace counterparts.
modified:
  modules/user_ipsec/hipd/user_ipsec.c
  modules/user_ipsec/hipd/user_ipsec_sadb_api.c
  modules/user_ipsec/hipd/user_ipsec_sadb_api.h


--
lp:~rene-hummen/hipl/ipsec_esp
https://code.launchpad.net/~rene-hummen/hipl/ipsec_esp

=== modified file 'modules/user_ipsec/hipd/user_ipsec.c'
--- modules/user_ipsec/hipd/user_ipsec.c	2010-08-25 12:53:17 +0000
+++ modules/user_ipsec/hipd/user_ipsec.c	2010-09-06 17:09:57 +0000
@@ -32,9 +32,13 @@
  */
 
 #include "user_ipsec.h"
+#include "hipd/input.h"
+#include "hipd/user.h"
+#include "hipd/pkt_handling.h"
 #include "lib/core/ife.h"
-#include "hipd/user.h"
 #include "lib/core/icomm.h"
+#include "lib/core/state.h"
+#include "user_ipsec_sadb_api.h"
 #include "user_ipsec_hipd_msg.h"
 
 // determines whether userspace ipsec is active or not
@@ -49,6 +53,46 @@
                                       20000),
              -1, "Error on registering user_ipsec user message handle function.\n");
 
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+    HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa_i2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+    HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_user_ipsec_sa_i2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+
+    HIP_IFEL(hip_unregister_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_r2),
+             -1, "Error when unregistered kernel-space IPsec handle functions\n");
+
+    HIP_IFEL(hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa_r2, 30500),
+             -1, "Error when registering userspace IPsec handle functions");
+
   out_err:
     return err;
 }
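Review bot: If any HIP_IFEL after the first unregister call fails, the states already processed are left with the kernel-space SA handler removed and the userspace one not yet installed, because the out_err path at the end of the hunk only returns err and nothing restores the previous registration; the enclosing function begins before this hunk, so it is not visible whether a caller rolls this back. Pairing the unregister and register calls per state in a loop over a state table at least keeps the window to a single state and removes sixteen near-identical lines. The register-path messages also lack the trailing `\n` the unregister messages carry, and "Error when unregistered" should read "Error when unregistering".
```c
    /* I2 handling: swap the kernel-space SA hook for the userspace one, state by state */
    static const uint32_t i2_states[] = {
        HIP_STATE_UNASSOCIATED, HIP_STATE_I1_SENT, HIP_STATE_I2_SENT,
        HIP_STATE_R2_SENT, HIP_STATE_ESTABLISHED, HIP_STATE_CLOSING,
        HIP_STATE_CLOSED, HIP_STATE_NONE,
    };
    for (size_t i = 0; i < sizeof(i2_states) / sizeof(i2_states[0]); i++) {
        HIP_IFEL(hip_unregister_handle_function(HIP_I2, i2_states[i], &hip_setup_ipsec_sa_i2),
                 -1, "Error when unregistering kernel-space IPsec handle functions\n");
        HIP_IFEL(hip_register_handle_function(HIP_I2, i2_states[i], &hip_setup_user_ipsec_sa_i2, 30500),
                 -1, "Error when registering userspace IPsec handle functions\n");
    }
    /* … unchanged: HIP_R2 unregister/register pair for HIP_STATE_I2_SENT … */
```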

=== modified file 'modules/user_ipsec/hipd/user_ipsec_sadb_api.c'
--- modules/user_ipsec/hipd/user_ipsec_sadb_api.c	2010-08-25 12:53:17 +0000
+++ modules/user_ipsec/hipd/user_ipsec_sadb_api.c	2010-09-06 17:09:57 +0000
@@ -35,6 +35,7 @@
 
 #include <stdint.h>
 #include <netinet/in.h>
+#include <errno.h>
 
 #include "lib/core/debug.h"
 #include "lib/core/icomm.h"
@@ -42,6 +43,7 @@
 #include "lib/core/prefix.h"
 #include "lib/core/protodefs.h"
 #include "lib/core/state.h"
+#include "lib/core/transform.h"
 #include "hipd/user.h"
 #include "user_ipsec_hipd_msg.h"
 #include "user_ipsec_sadb_api.h"
@@ -99,16 +101,18 @@
  * @param entry             host association entry for this connection
  * @return                  0, if correct, otherwise -1
  */
-uint32_t hip_userspace_ipsec_add_sa(const struct in6_addr *saddr,
-                                    const struct in6_addr *daddr,
-                                    const struct in6_addr *src_hit,
-                                    const struct in6_addr *dst_hit,
-                                    const uint32_t spi, const int ealg,
-                                    const struct hip_crypto_key *enckey,
-                                    const struct hip_crypto_key *authkey,
-                                    const int retransmission,
-                                    const int direction, const int update,
-                                    hip_ha_t *entry)
+static int hip_userspace_ipsec_add_sa(const struct in6_addr *saddr,
+                                      const struct in6_addr *daddr,
+                                      const struct in6_addr *src_hit,
+                                      const struct in6_addr *dst_hit,
+                                      const uint32_t spi,
+                                      const int ealg,
+                                      const struct hip_crypto_key *enckey,
+                                      const struct hip_crypto_key *authkey,
+                                      const int retransmission,
+                                      const int direction,
+                                      const int update,
+                                      hip_ha_t *entry)
 {
     struct hip_common *msg = NULL;
     in_port_t sport, dport;
@@ -138,3 +142,120 @@
 out_err:
     return err;
 }
+
+int hip_setup_user_ipsec_sa_i2(UNUSED const uint8_t packet_type,
+                               UNUSED const uint32_t ha_state,
+                               struct hip_packet_context *ctx)
+{
+    const struct hip_esp_transform *esp_tfm = NULL;
+    const struct hip_esp_info *esp_info     = NULL;
+    int err                                 = 0;
+
+    HIP_IFEL(!(esp_tfm = hip_get_param(ctx->input_msg,
+                                       HIP_PARAM_ESP_TRANSFORM)),
+               -ENOENT, "Did not find ESP transform on i2\n");
+    HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg,
+                                        HIP_PARAM_ESP_INFO)),
+               -ENOENT, "Did not find SPI on i2\n");
+
+    HIP_IFEL(!(ctx->hadb_entry->esp_transform = hip_select_esp_transform(esp_tfm)),
+             -1, "Could not select proper ESP transform\n");
+
+    ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
+    ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
+
+    /* Set up inbound IPsec associations */
+    HIP_IFEL(hip_userspace_ipsec_add_sa(ctx->src_addr,
+                                        ctx->dst_addr,
+                                        &ctx->input_msg->hits,
+                                        &ctx->input_msg->hitr,
+                                        ctx->hadb_entry->spi_inbound_current,
+                                        ctx->hadb_entry->esp_transform,
+                                        &ctx->hadb_entry->esp_in,
+                                        &ctx->hadb_entry->auth_in,
+                                        ctx->hadb_entry->retrans_state,
+                                        HIP_SPI_DIRECTION_IN,
+                                        0,
+                                        ctx->hadb_entry),
+             -1, "Failed to setup inbound SA");
+
+    /* Set up outbound IPsec associations */
+    HIP_IFEL(hip_userspace_ipsec_add_sa(ctx->dst_addr,
+                                        ctx->src_addr,
+                                        &ctx->input_msg->hitr,
+                                        &ctx->input_msg->hits,
+                                        ctx->hadb_entry->spi_outbound_current,
+                                        ctx->hadb_entry->esp_transform,
+                                        &ctx->hadb_entry->esp_out,
+                                        &ctx->hadb_entry->auth_out,
+                                        ctx->hadb_entry->retrans_state,
+                                        HIP_SPI_DIRECTION_OUT,
+                                        0,
+                                        ctx->hadb_entry),
+             -1, "Failed to setup outbound SA");
+
+  out_err:
+    if (err) {
+        HIP_ERROR("Failed to setup IPsec SAs, removing IPsec state!");
+
+        // TODO remove existing entries
+    }
+
+    return err;
+}
+
+int hip_setup_user_ipsec_sa_r2(UNUSED const uint8_t packet_type,
+                               UNUSED const uint32_t ha_state,
+                               struct hip_packet_context *ctx)
+{
+    const struct hip_esp_info *esp_info   = NULL;
+    int err = 0;
+
+    HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg, HIP_PARAM_ESP_INFO)),
+             -EINVAL, "Parameter SPI not found.\n");
+
+    ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
+    /* Copy SPI out value here or otherwise ICE code has zero SPI */
+    ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
+
+    // set up inbound IPsec SA
+    HIP_IFEL(hip_userspace_ipsec_add_sa(ctx->src_addr,
+                                        ctx->dst_addr,
+                                        &ctx->input_msg->hits,
+                                        &ctx->input_msg->hitr,
+                                        ctx->hadb_entry->spi_inbound_current,
+                                        ctx->hadb_entry->esp_transform,
+                                        &(ctx->hadb_entry)->esp_in,
+                                        &(ctx->hadb_entry)->auth_in,
+                                        ctx->hadb_entry->retrans_state,
+                                        HIP_SPI_DIRECTION_IN,
+                                        0,
+                                        ctx->hadb_entry),
+            -1,
+            "Failed to setup IPsec SPD/SA entries, peer:src\n");
+
+    // set up outbound IPsec SA
+    HIP_IFEL(hip_userspace_ipsec_add_sa(ctx->dst_addr,
+                                        ctx->src_addr,
+                                        &ctx->input_msg->hitr,
+                                        &ctx->input_msg->hits,
+                                        ctx->hadb_entry->spi_outbound_current,
+                                        ctx->hadb_entry->esp_transform,
+                                        &ctx->hadb_entry->esp_out,
+                                        &ctx->hadb_entry->auth_out,
+                                        ctx->hadb_entry->retrans_state,
+                                        HIP_SPI_DIRECTION_OUT,
+                                        0,
+                                        ctx->hadb_entry),
+             -1,
+             "Failed to setup IPsec SPD/SA entries, peer:dst\n");
+
+  out_err:
+    if (err) {
+        HIP_ERROR("Failed to setup IPsec SAs, removing IPsec state!");
+
+        // TODO remove existing entries
+    }
+
+    return err;
+}
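Review bot: When the second hip_userspace_ipsec_add_sa call in hip_setup_user_ipsec_sa_i2 fails (and likewise in hip_setup_user_ipsec_sa_r2), the inbound SA installed by the first call stays in place, yet the out_err branch logs "removing IPsec state!" while its TODO removes nothing, so the error path leaves a half-configured association behind a log line that claims otherwise. Either the teardown of the inbound SA should be implemented before the message asserts it, or the message should say the state is left as is until it is. hip_setup_user_ipsec_sa_i2 also dereferences ctx->hadb_entry unconditionally although user_ipsec.c registers it for HIP_STATE_UNASSOCIATED and HIP_STATE_NONE, where an association entry may not exist yet; unless an earlier handler is guaranteed to create it, a guard such as `HIP_IFEL(!ctx->hadb_entry, -1, "No host association for SA setup\n");` before the first use would make that explicit. The two handlers differ only in the ESP-transform selection and in the error code for the same missing ESP_INFO parameter (-ENOENT vs -EINVAL), so the paired inbound/outbound add_sa block could move into one static helper that also performs the rollback.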

=== modified file 'modules/user_ipsec/hipd/user_ipsec_sadb_api.h'
--- modules/user_ipsec/hipd/user_ipsec_sadb_api.h	2010-08-25 12:53:17 +0000
+++ modules/user_ipsec/hipd/user_ipsec_sadb_api.h	2010-09-06 17:09:57 +0000
@@ -36,22 +36,16 @@
 #ifndef HIP_HIPD_USER_IPSEC_SADB_API_H
 #define HIP_HIPD_USER_IPSEC_SADB_API_H
 
-#include <stdint.h>
-#include <netinet/in.h>
-
-#include "lib/core/protodefs.h"
-
-uint32_t hip_userspace_ipsec_add_sa(const struct in6_addr *saddr,
-                                    const struct in6_addr *daddr,
-                                    const struct in6_addr *src_hit,
-                                    const struct in6_addr *dst_hit,
-                                    const uint32_t spi, const int ealg,
-                                    const struct hip_crypto_key *enckey,
-                                    const struct hip_crypto_key *authkey,
-                                    const int retransmission,
-                                    const int direction, const int update,
-                                    hip_ha_t *entry);
-
-int hip_userspace_ipsec_setup_default_sp_prefix_pair(void);
+#include "lib/core/builder.h"
+#include "lib/core/common.h"
+
+
+int hip_setup_user_ipsec_sa_i2(UNUSED const uint8_t packet_type,
+                               UNUSED const uint32_t ha_state,
+                               struct hip_packet_context *ctx);
+
+int hip_setup_user_ipsec_sa_r2(UNUSED const uint8_t packet_type,
+                               UNUSED const uint32_t ha_state,
+                               struct hip_packet_context *ctx);
 
 #endif /*HIP_HIPD_USER_IPSEC_SADB_API_H*/
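Review bot: The prototype for hip_userspace_ipsec_setup_default_sp_prefix_pair is dropped from the header, but no hunk in this commit removes or makes static its definition, so if it still exists in user_ipsec_sadb_api.c it keeps external linkage without a declaration and any remaining caller would compile against an implicit declaration. The new prototypes use uint8_t and uint32_t while the `<stdint.h>` include is removed; whether lib/core/builder.h or lib/core/common.h transitively provides it cannot be seen here, so keeping `#include <stdint.h>` in this header is the safer choice. For the same reason `struct hip_packet_context` should be forward-declared here, `struct hip_packet_context;`, or the header that defines it included, rather than relying on include order in the including file.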