[Branch ~rene-hummen/hipl/ipsec_esp] Rev 4925: unified IPsec SA handling for BEX packets
------------------------------------------------------------
revno: 4925
committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
branch nick: ipsec_esp
timestamp: Wed 2010-09-08 16:44:25 +0200
message:
unified IPsec SA handling for BEX packets
modified:
hipd/init.c
hipd/input.c
hipd/input.h
hipd/output.c
modules/user_ipsec/hipd/user_ipsec.c
--
lp:~rene-hummen/hipl/ipsec_esp
https://code.launchpad.net/~rene-hummen/hipl/ipsec_esp
=== modified file 'hipd/init.c'
--- hipd/init.c 2010-09-03 11:40:19 +0000
+++ hipd/init.c 2010-09-08 14:44:25 +0000
@@ -766,7 +766,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_hmac2_and_sign, 42000);
@@ -774,7 +774,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_send_r2, 50000);
hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_hmac2_and_sign, 42000);
@@ -783,7 +783,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_handle_i2_in_i2_sent, 21000);
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_hmac2_and_sign, 42000);
@@ -791,7 +791,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_send_r2, 50000);
hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_hmac2_and_sign, 42000);
@@ -799,7 +799,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_send_r2, 50000);
hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_hmac2_and_sign, 42000);
@@ -807,7 +807,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_send_r2, 50000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_hmac2_and_sign, 42000);
@@ -815,7 +815,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_send_r2, 50000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_hmac2_and_sign, 42000);
@@ -823,7 +823,7 @@
hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_send_r2, 50000);
hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_check_i2, 20000);
hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_handle_i2, 30000);
- hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa_i2, 30500);
+ hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_create_r2, 40000);
hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_add_rvs_reg_from, 41000);
hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_hmac2_and_sign, 42000);
@@ -861,7 +861,7 @@
hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_check_r2, 20000);
hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_handle_r2, 30000);
- hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_r2, 30500);
+ hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa, 30500);
hip_register_handle_function(HIP_NOTIFY, HIP_STATE_I1_SENT, &hip_check_notify, 20000);
hip_register_handle_function(HIP_NOTIFY, HIP_STATE_I1_SENT, &hip_handle_notify, 30000);
=== modified file 'hipd/input.c'
--- hipd/input.c 2010-09-06 17:17:47 +0000
+++ hipd/input.c 2010-09-08 14:44:25 +0000
@@ -1154,9 +1154,9 @@
return err;
}
-int hip_setup_ipsec_sa_r2(UNUSED const uint8_t packet_type,
- UNUSED const uint32_t ha_state,
- struct hip_packet_context *ctx)
+int hip_setup_ipsec_sa(UNUSED const uint8_t packet_type,
+ UNUSED const uint32_t ha_state,
+ struct hip_packet_context *ctx)
{
const struct hip_esp_info *esp_info = NULL;
int err = 0;
@@ -1180,8 +1180,7 @@
HIP_SPI_DIRECTION_IN,
0,
ctx->hadb_entry),
- -1,
- "Failed to setup IPsec SPD/SA entries, peer:src\n");
+ -1, "Failed to setup IPsec SPD/SA entries, peer:src\n");
// set up outbound IPsec SA
HIP_IFEL(hip_add_sa(ctx->dst_addr,
@@ -1195,8 +1194,16 @@
HIP_SPI_DIRECTION_OUT,
0,
ctx->hadb_entry),
- -1,
- "Failed to setup IPsec SPD/SA entries, peer:dst\n");
+ -1, "Failed to setup IPsec SPD/SA entries, peer:dst\n");
+
+ // set up corresponding IPsec policies
+ HIP_IFEL(hip_setup_hit_sp_pair(&ctx->input_msg->hits,
+ &ctx->input_msg->hitr,
+ ctx->src_addr, ctx->dst_addr,
+ IPPROTO_ESP,
+ 1,
+ 1),
+ -1, "Setting up SP pair failed\n");
out_err:
if (err) {
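Review bot: The unified hip_setup_ipsec_sa now installs the inbound SA, the outbound SA and the SP pair in sequence, but if the outbound hip_add_sa or the newly added hip_setup_hit_sp_pair call fails, the SAs installed by the earlier steps stay in the kernel; the I2-specific handler this commit removes (the hip_handle_i2 hunk further down in hipd/input.c) called `hip_delete_security_associations_and_sp(ctx->hadb_entry);` in its out_err path for exactly this case. The out_err body here continues past the hunk, so it may already do that; if it does not, the teardown should be added under `if (err) {`, e.g. `HIP_ERROR("Failed to setup IPsec SAs, removing IPsec state!\n"); hip_delete_security_associations_and_sp(ctx->hadb_entry);`, so that a failed setup does not leave a half-configured SA without a matching policy. hip_setup_ipsec_sa begins in the preceding hunk and its out_err block ends outside this one.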
@@ -1685,6 +1692,7 @@
int if_index = 0;
struct sockaddr_storage ss_addr;
struct sockaddr *addr = NULL;
+ const struct hip_esp_transform *esp_tfm = NULL;
/* Get the interface index of the network device which has our
* local IP address. */
@@ -1745,102 +1753,35 @@
}
HIP_DEBUG("retransmission: %s\n", (retransmission ? "yes" : "no"));
- /***** LOCATOR PARAMETER *****/
- locator = hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR);
- if (locator) {
- HIP_DEBUG("Locator parameter support in BEX is not implemented!\n");
- }
-
-#ifdef CONFIG_HIP_PERFORMANCE
- HIP_DEBUG("Stop and write PERF_BASE\n");
- hip_perf_stop_benchmark(perf_set, PERF_BASE);
- hip_perf_write_benchmark(perf_set, PERF_BASE);
-#endif
-
- ctx->hadb_entry->state = HIP_STATE_ESTABLISHED;
- HIP_INFO("Reached %s state\n", hip_state_str(ctx->hadb_entry->state));
- if (ctx->hadb_entry->hip_msg_retrans.buf) {
- ctx->hadb_entry->hip_msg_retrans.count = 0;
- memset(ctx->hadb_entry->hip_msg_retrans.buf, 0, HIP_MAX_NETWORK_PACKET);
- }
-out_err:
- if (err) {
- ctx->error = err;
- }
- return err;
-}
-
-int hip_setup_ipsec_sa_i2(UNUSED const uint8_t packet_type,
- UNUSED const uint32_t ha_state,
- struct hip_packet_context *ctx)
-{
- const struct hip_esp_transform *esp_tfm = NULL;
- const struct hip_esp_info *esp_info = NULL;
- int err = 0;
-
HIP_IFEL(!(esp_tfm = hip_get_param(ctx->input_msg,
HIP_PARAM_ESP_TRANSFORM)),
-ENOENT, "Did not find ESP transform on i2\n");
- HIP_IFEL(!(esp_info = hip_get_param(ctx->input_msg,
- HIP_PARAM_ESP_INFO)),
- -ENOENT, "Did not find SPI on i2\n");
-
- /* If we have old SAs with these HITs delete them */
- hip_delete_security_associations_and_sp(ctx->hadb_entry);
HIP_IFEL(!(ctx->hadb_entry->esp_transform = hip_select_esp_transform(esp_tfm)),
- -1,
- "Could not select proper ESP transform\n");
-
- ctx->hadb_entry->spi_outbound_current = ntohl(esp_info->new_spi);
- ctx->hadb_entry->spi_outbound_new = ntohl(esp_info->new_spi);
-
- /* Set up inbound IPsec associations */
- HIP_IFEL(hip_add_sa(ctx->src_addr,
- ctx->dst_addr,
- &ctx->input_msg->hits,
- &ctx->input_msg->hitr,
- ctx->hadb_entry->spi_inbound_current,
- ctx->hadb_entry->esp_transform,
- &ctx->hadb_entry->esp_in,
- &ctx->hadb_entry->auth_in,
- HIP_SPI_DIRECTION_IN,
- 0,
- ctx->hadb_entry),
- -1, "Failed to setup inbound SA");
-
- /* Set up outbound IPsec associations */
- HIP_IFEL(hip_add_sa(ctx->dst_addr,
- ctx->src_addr,
- &ctx->input_msg->hitr,
- &ctx->input_msg->hits,
- ctx->hadb_entry->spi_outbound_current,
- ctx->hadb_entry->esp_transform,
- &ctx->hadb_entry->esp_out,
- &ctx->hadb_entry->auth_out,
- HIP_SPI_DIRECTION_OUT,
- 0,
- ctx->hadb_entry),
- -1, "Failed to setup outbound SA");
-
- HIP_IFEL(hip_setup_hit_sp_pair(&ctx->input_msg->hits,
- &ctx->input_msg->hitr,
- ctx->src_addr,
- ctx->dst_addr,
- IPPROTO_ESP,
- 1,
- 1),
- -1,
- "Failed to set up an SP pair.\n");
-
- out_err:
+ -1, "Could not select proper ESP transform\n");
+
+ /***** LOCATOR PARAMETER *****/
+ locator = hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR);
+ if (locator) {
+ HIP_DEBUG("Locator parameter support in BEX is not implemented!\n");
+ }
+
+#ifdef CONFIG_HIP_PERFORMANCE
+ HIP_DEBUG("Stop and write PERF_BASE\n");
+ hip_perf_stop_benchmark(perf_set, PERF_BASE);
+ hip_perf_write_benchmark(perf_set, PERF_BASE);
+#endif
+
+ ctx->hadb_entry->state = HIP_STATE_ESTABLISHED;
+ HIP_INFO("Reached %s state\n", hip_state_str(ctx->hadb_entry->state));
+ if (ctx->hadb_entry->hip_msg_retrans.buf) {
+ ctx->hadb_entry->hip_msg_retrans.count = 0;
+ memset(ctx->hadb_entry->hip_msg_retrans.buf, 0, HIP_MAX_NETWORK_PACKET);
+ }
+out_err:
if (err) {
- HIP_ERROR("Failed to setup IPsec SAs, removing IPsec state!");
-
- /* delete all IPsec related SPD/SA for this ctx->hadb_entry*/
- hip_delete_security_associations_and_sp(ctx->hadb_entry);
+ ctx->error = err;
}
-
return err;
}
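Review bot: The removed hip_setup_ipsec_sa_i2 deleted any existing SAs and policies for the HIT pair (`hip_delete_security_associations_and_sp(ctx->hadb_entry);`, the "If we have old SAs with these HITs delete them" step) before installing fresh ones, and neither the rewritten hip_handle_i2 nor the visible part of hip_setup_ipsec_sa takes that step over. Since the I2 handler chain is registered for HIP_STATE_ESTABLISHED, CLOSING and CLOSED as well, a repeated base exchange with the same HITs would reach hip_add_sa with the old SAs still present, unless the unseen head of hip_setup_ipsec_sa performs the deletion. If it does not, that call belongs before the first hip_add_sa in hip_setup_ipsec_sa, which is now the single place the SAs are created on both the I2 and R2 paths. hip_handle_i2 starts before this hunk; only its tail is visible here.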
=== modified file 'hipd/input.h'
--- hipd/input.h 2010-09-06 17:17:16 +0000
+++ hipd/input.h 2010-09-08 14:44:25 +0000
@@ -98,10 +98,6 @@
const uint32_t ha_state,
struct hip_packet_context *ctx);
-int hip_setup_ipsec_sa_i2(const uint8_t packet_type,
- const uint32_t ha_state,
- struct hip_packet_context *ctx);
-
int hip_check_notify(const uint8_t packet_type,
const uint32_t ha_state,
struct hip_packet_context *ctx);
@@ -126,8 +122,8 @@
const uint32_t ha_state,
struct hip_packet_context *ctx);
-int hip_setup_ipsec_sa_r2(const uint8_t packet_type,
- const uint32_t ha_state,
- struct hip_packet_context *ctx);
+int hip_setup_ipsec_sa(const uint8_t packet_type,
+ const uint32_t ha_state,
+ struct hip_packet_context *ctx);
#endif /* HIP_HIPD_INPUT_H */
=== modified file 'hipd/output.c'
--- hipd/output.c 2010-09-03 11:40:19 +0000
+++ hipd/output.c 2010-09-08 14:44:25 +0000
@@ -549,15 +549,6 @@
HIP_DEBUG("set up inbound IPsec SA, SPI=0x%x (host)\n",
ctx->hadb_entry->spi_inbound_current);
- HIP_IFEL(hip_setup_hit_sp_pair(&ctx->input_msg->hits,
- &ctx->input_msg->hitr,
- ctx->src_addr, ctx->dst_addr,
- IPPROTO_ESP,
- 1,
- 1),
- -1,
- "Setting up SP pair failed\n");
-
esp_info = hip_get_param_readwrite(ctx->output_msg, HIP_PARAM_ESP_INFO);
HIP_ASSERT(esp_info); /* Builder internal error */
esp_info->new_spi = htonl(ctx->hadb_entry->spi_inbound_current);
=== modified file 'modules/user_ipsec/hipd/user_ipsec.c'
--- modules/user_ipsec/hipd/user_ipsec.c 2010-09-06 17:09:57 +0000
+++ modules/user_ipsec/hipd/user_ipsec.c 2010-09-08 14:44:25 +0000
@@ -53,21 +53,21 @@
20000),
-1, "Error on registering user_ipsec user message handle function.\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_ipsec_sa_i2),
- -1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa_i2),
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_ipsec_sa),
+ -1, "Error when unregistered kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa),
-1, "Error when unregistered kernel-space IPsec handle functions\n");
HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_user_ipsec_sa_i2, 30500),
@@ -87,7 +87,7 @@
HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_user_ipsec_sa_i2, 30500),
-1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_unregister_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa_r2),
+ HIP_IFEL(hip_unregister_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa),
-1, "Error when unregistered kernel-space IPsec handle functions\n");
HIP_IFEL(hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa_r2, 30500),