[Branch ~rene-hummen/hipl/ipsec_esp] Rev 4932: Added and registered user-space IPsec SA updates
------------------------------------------------------------
revno: 4932
committer: Rene Hummen <rene.hummen@xxxxxxxxxxxxxxxxx>
branch nick: ipsec_esp
timestamp: Fri 2010-09-10 16:26:44 +0200
message:
Added and registered user-space IPsec SA updates
Unregistered the kernel-space IPsec hooks when the user-space IPsec
extension is in use, so that the above registration has any effect.
modified:
modules/update/hipd/update.c
modules/update/hipd/update.h
modules/user_ipsec/hipd/user_ipsec.c
modules/user_ipsec/hipd/user_ipsec_sadb_api.c
modules/user_ipsec/hipd/user_ipsec_sadb_api.h
--
lp:~rene-hummen/hipl/ipsec_esp
https://code.launchpad.net/~rene-hummen/hipl/ipsec_esp
=== modified file 'modules/update/hipd/update.c'
--- modules/update/hipd/update.c 2010-09-08 17:01:14 +0000
+++ modules/update/hipd/update.c 2010-09-10 14:26:44 +0000
@@ -785,16 +785,19 @@
ipv6_addr_copy(&ha->peer_addr, dst_addr);
}
-static int hip_update_ipsec_sa(UNUSED const uint8_t packet_type,
- UNUSED const uint32_t ha_state,
- struct hip_packet_context *ctx)
+int hip_update_ipsec_sa(UNUSED const uint8_t packet_type,
+ UNUSED const uint32_t ha_state,
+ struct hip_packet_context *ctx)
{
int err = 0;
- HIP_IFEL(hip_recreate_security_associations_and_sp(ctx->hadb_entry,
- ctx->src_addr,
- ctx->dst_addr),
- -1, "failed to update IPsec SAs and SPs\n");
+ // don't update IPsec SAs and SPs for 1st UPDATE packet
+ if(!hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR)) {
+ HIP_IFEL(hip_recreate_security_associations_and_sp(ctx->hadb_entry,
+ ctx->src_addr,
+ ctx->dst_addr),
+ -1, "failed to update IPsec SAs and SPs\n");
+ }
out_err:
return err;
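Review bot: The new guard tests for the absence of HIP_PARAM_LOCATOR, while the comment above it speaks of the "1st UPDATE packet"; the two agree only if LOCATOR is carried by the first UPDATE of an exchange and by no later one, which this hunk does not show. Because ctx->input_msg is received from the peer, the presence of a single parameter now decides whether SA and SP recreation is skipped, so it is worth confirming that this handler is only reached after the packet's integrity checks have passed. I would state the assumption in the comment, e.g. `/* the first UPDATE of an exchange carries LOCATOR: keep the current SAs/SPs until an UPDATE without LOCATOR arrives */`, and write `if (!hip_get_param(...))` with a space after `if`. The function's closing brace lies outside the hunk.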
=== modified file 'modules/update/hipd/update.h'
--- modules/update/hipd/update.h 2010-07-07 16:22:48 +0000
+++ modules/update/hipd/update.h 2010-09-10 14:26:44 +0000
@@ -46,6 +46,10 @@
struct hip_locator_info_addr_item *locators,
int type);
+int hip_update_ipsec_sa(const uint8_t packet_type,
+ const uint32_t ha_state,
+ struct hip_packet_context *ctx);
+
int hip_update_init(void);
#endif /* HIP_HIPD_UPDATE_H */
=== modified file 'modules/user_ipsec/hipd/user_ipsec.c'
--- modules/user_ipsec/hipd/user_ipsec.c 2010-09-08 14:52:49 +0000
+++ modules/user_ipsec/hipd/user_ipsec.c 2010-09-10 14:26:44 +0000
@@ -39,9 +39,12 @@
#include "lib/core/icomm.h"
#include "lib/core/state.h"
#include "lib/tool/xfrmapi.h"
+#include "modules/update/hipd/update.h"
#include "user_ipsec_sadb_api.h"
#include "user_ipsec_hipd_msg.h"
+#define SA_HANDLE_FN_PRIO 60000
+
// determines whether userspace ipsec is active or not
int hip_use_userspace_ipsec = 0;
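Review bot: `SA_HANDLE_FN_PRIO` is added without a comment, and the next hunk uses it to move the existing I2 and R2 registrations from priority 30500 to 60000, a behaviour change the commit message does not mention. The priority presumably fixes where SA setup runs relative to the other handlers for the same packet, so the reason for 60000 belongs next to the define, for example `/* priority of the user-space SA handlers; must run after <HANDLER_NAME> */` with the real handler filled in. Without that, a later handler registered between 30500 and 60000 can silently end up ahead of SA setup.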
@@ -71,28 +74,38 @@
HIP_IFEL(hip_unregister_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_ipsec_sa),
-1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
- HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_user_ipsec_sa, 30500),
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_UNASSOCIATED, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_I1_SENT, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_R2_SENT, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_ESTABLISHED, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_CLOSING, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_CLOSED, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_I2, HIP_STATE_NONE, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
-1, "Error when registering userspace IPsec handle functions");
HIP_IFEL(hip_unregister_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_ipsec_sa),
-1, "Error when unregistered kernel-space IPsec handle functions\n");
- HIP_IFEL(hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa, 30500),
- -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_R2, HIP_STATE_I2_SENT, &hip_setup_user_ipsec_sa, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+
+ HIP_IFEL(hip_unregister_handle_function(HIP_UPDATE, HIP_STATE_R2_SENT, &hip_update_ipsec_sa),
+ -1, "Error when unregistering kernel-space IPsec handle functions\n");
+ HIP_IFEL(hip_unregister_handle_function(HIP_UPDATE, HIP_STATE_ESTABLISHED, &hip_update_ipsec_sa),
+ -1, "Error when unregistering kernel-space IPsec handle functions\n");
+
+ HIP_IFEL(hip_register_handle_function(HIP_UPDATE, HIP_STATE_R2_SENT, &hip_update_user_ipsec_sas, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
+ HIP_IFEL(hip_register_handle_function(HIP_UPDATE, HIP_STATE_ESTABLISHED, &hip_update_user_ipsec_sas, SA_HANDLE_FN_PRIO),
+ -1, "Error when registering userspace IPsec handle functions");
// remove default IPsec hooks from kernel-space for HIP namespace
hip_delete_default_prefix_sp_pair();
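Review bot: Every HIP_IFEL in this sequence appears to leave for out_err on the first failure, so a failed call part-way through leaves some (packet type, state) pairs with the kernel-space handler already removed and no user-space handler in its place; the four new HIP_UPDATE lines widen that window. The enclosing function starts and ends outside the hunk, so I cannot see whether the caller treats a non-zero return as fatal; if it does not, the daemon would keep running with SA handling missing for those pairs. A short comment at the top of the sequence saying that any failure here must abort start-up (or a rollback of the handlers already swapped) would make the contract explicit. The new unregister calls also assume the update module registered `hip_update_ipsec_sa` for exactly HIP_STATE_R2_SENT and HIP_STATE_ESTABLISHED, which is worth a one-line comment pointing at that registration.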
=== modified file 'modules/user_ipsec/hipd/user_ipsec_sadb_api.c'
--- modules/user_ipsec/hipd/user_ipsec_sadb_api.c 2010-09-08 15:54:51 +0000
+++ modules/user_ipsec/hipd/user_ipsec_sadb_api.c 2010-09-10 14:26:44 +0000
@@ -204,3 +204,51 @@
return err;
}
+
+/**
+ * Update IPsec SAs after mobility and multi-homing event
+ *
+ * @param packet_type the packet type
+ * @param ha_state the HA state
+ * @param ctx the packet context
+ * @return zero on success or negative on failure
+ */
+int hip_update_user_ipsec_sas(UNUSED const uint8_t packet_type,
+ UNUSED const uint32_t ha_state,
+ struct hip_packet_context *ctx)
+{
+ int err = 0;
+
+ /* Set up inbound IPsec associations */
+ HIP_IFEL(hip_userspace_ipsec_add_sa(ctx->src_addr,
+ ctx->dst_addr,
+ &ctx->input_msg->hits,
+ &ctx->input_msg->hitr,
+ ctx->hadb_entry->spi_inbound_current,
+ ctx->hadb_entry->esp_transform,
+ &ctx->hadb_entry->esp_in,
+ &ctx->hadb_entry->auth_in,
+ ctx->hadb_entry->retrans_state,
+ HIP_SPI_DIRECTION_IN,
+ UPDATE_IPSEC_SA,
+ ctx->hadb_entry),
+ -1, "Failed to setup inbound SA");
+
+ /* Set up outbound IPsec associations */
+ HIP_IFEL(hip_userspace_ipsec_add_sa(ctx->dst_addr,
+ ctx->src_addr,
+ &ctx->input_msg->hitr,
+ &ctx->input_msg->hits,
+ ctx->hadb_entry->spi_outbound_current,
+ ctx->hadb_entry->esp_transform,
+ &ctx->hadb_entry->esp_out,
+ &ctx->hadb_entry->auth_out,
+ ctx->hadb_entry->retrans_state,
+ HIP_SPI_DIRECTION_OUT,
+ UPDATE_IPSEC_SA,
+ ctx->hadb_entry),
+ -1, "Failed to setup outbound SA");
+
+ out_err:
+ return err;
+}
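Review bot: hip_update_user_ipsec_sas updates both SAs for every UPDATE packet, whereas the kernel-space handler it replaces, hip_update_ipsec_sa in modules/update/hipd/update.c, gains a guard in this same commit that skips the update when the packet carries HIP_PARAM_LOCATOR. If skipping the first UPDATE matters on the kernel path, the user-space path seems to need the same check, otherwise the SAs are rebound to the ctx->src_addr and ctx->dst_addr of that first packet: `if (hip_get_param(ctx->input_msg, HIP_PARAM_LOCATOR)) { return 0; }` before the first HIP_IFEL. ctx->hadb_entry is dereferenced without a NULL check; whether an earlier handler guarantees it is set is not visible here, so either a guard or a sentence in the doc comment stating the precondition would help. The two block comments say "Set up" although the calls pass UPDATE_IPSEC_SA; "Update inbound/outbound IPsec SA" would match.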
=== modified file 'modules/user_ipsec/hipd/user_ipsec_sadb_api.h'
--- modules/user_ipsec/hipd/user_ipsec_sadb_api.h 2010-09-08 15:54:51 +0000
+++ modules/user_ipsec/hipd/user_ipsec_sadb_api.h 2010-09-10 14:26:44 +0000
@@ -52,8 +52,12 @@
const int update,
hip_ha_t *entry);
-int hip_setup_user_ipsec_sa(UNUSED const uint8_t packet_type,
- UNUSED const uint32_t ha_state,
- struct hip_packet_context *ctx);
+int hip_setup_user_ipsec_sa(const uint8_t packet_type,
+ const uint32_t ha_state,
+ struct hip_packet_context *ctx);
+
+int hip_update_user_ipsec_sas(const uint8_t packet_type,
+ const uint32_t ha_state,
+ struct hip_packet_context *ctx);
#endif /*HIP_HIPD_USER_IPSEC_SADB_API_H*/