1/*
2 **************************************************************************
3 * Copyright (c) 2014,2015, The Linux Foundation. All rights reserved.
4 * Permission to use, copy, modify, and/or distribute this software for
5 * any purpose with or without fee is hereby granted, provided that the
6 * above copyright notice and this permission notice appear in all copies.
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
10 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
13 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14 **************************************************************************
15 */
16
/*
 * nss_ipsecmgr.h
 *	NSS to HLOS IPsec Manager interface definitions.
 */
20#ifndef __NSS_IPSECMGR_H
21#define __NSS_IPSECMGR_H
22
/*
 * Debug verbosity levels; a higher value is more verbose.
 * NOTE(review): which level is in effect, and how it is selected, is not
 * visible in this header — see the manager's implementation.
 */
#define NSS_IPSECMGR_DEBUG_LVL_ERROR 1	/**< errors only */
#define NSS_IPSECMGR_DEBUG_LVL_WARN 2	/**< errors and warnings */
#define NSS_IPSECMGR_DEBUG_LVL_INFO 3	/**< informational messages as well */
#define NSS_IPSECMGR_DEBUG_LVL_TRACE 4	/**< most verbose */
27
/*
 * Name template for the tunnel net_devices; the "%d" is presumably replaced
 * with a per-tunnel instance number by the netdev naming code — confirm.
 *
 * NSS_IPSECMGR_MAX_TUNNELS is expressed in terms of NSS_CRYPTO_MAX_IDXS, which
 * is not defined in this header: the crypto header providing it must be
 * included before this one.
 */
#define NSS_IPSECMGR_TUN_NAME "ipsectun%d"
#define NSS_IPSECMGR_TUN_MAX_TUNNELS_DOC_ONLY_PLACEHOLDER_UNUSED 0 /* NOTE(review): placeholder-free; see next line */
#define NSS_IPSECMGR_MAX_TUNNELS (NSS_CRYPTO_MAX_IDXS/2)	/**< half the crypto session indices — presumably one encap + one decap session per tunnel; confirm */
30
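/*
 * Maximum outer header length added to a packet on encapsulation.
 * This is a rough estimate: it needs to be large enough to accommodate the
 * common use cases (presumably outer IPv4 + optional NAT-T UDP + ESP header)
 * rather than being exact.
 */
#define NSS_IPSECMGR_TUN_MAX_HDR_LEN 96

/*
 * Space reserved at the head and tail of the buffer.
 */
#define NSS_IPSECMGR_TUN_HEADROOM 128
#define NSS_IPSECMGR_TUN_TAILROOM 128

/*
 * Tunnel MTU derived from the underlying device MTU @p x.
 *
 * The argument is parenthesised so that an expression with lower precedence
 * than '-' (a conditional, for instance) evaluates as the caller intends; the
 * unparenthesised form "(x - 96)" mis-parses such arguments.
 * NOTE(review): no lower bound is applied, so a small @p x yields a
 * nonsensical (negative, if signed) MTU — callers must validate the result.
 */
#define NSS_IPSECMGR_TUN_MTU(x) ((x) - NSS_IPSECMGR_TUN_MAX_HDR_LEN)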
44
45#define NSS_IPSECMGR_NATT_PORT_DATA 4500
46
/**
 * @brief Definition of an IPsec encapsulation rule for an add operation
 *
 * Used through union nss_ipsecmgr_rule with NSS_IPSECMGR_RULE_TYPE_ENCAP.
 * The inner_* fields describe the plain-text flow, the outer_*/esp_* fields
 * the tunnel header to build.
 *
 * NOTE(review): the byte order (host vs network) of the address and port
 * fields is not stated here — confirm against the implementation before
 * filling them in. esp_seq_skip and esp_tail_skip omit parts of the ESP
 * encoding and are presumably only meaningful for non-standard peers; keep
 * them 0 unless the use case requires otherwise. Nothing in this header
 * validates the field values; that must happen where the rule is consumed.
 */
struct nss_ipsecmgr_encap_add {
	uint32_t inner_ipv4_src;	/**< inner IPv4 source address */
	uint32_t inner_ipv4_dst;	/**< inner IPv4 destination address */

	uint32_t outer_ipv4_src;	/**< outer IPv4 source address */
	uint32_t outer_ipv4_dst;	/**< outer IPv4 destination address */

	uint32_t esp_spi;		/**< ESP header's SPI index */

	uint16_t inner_src_port;	/**< inner protocol's source port */
	uint16_t inner_dst_port;	/**< inner protocol's destination port */

	uint16_t crypto_index;		/**< crypto session index returned by the driver (16-bit here, 32-bit in nss_ipsecmgr_sa_stats) */
	uint8_t cipher_algo;		/**< Cipher algorithm (encoding not defined in this header) */
	uint8_t auth_algo;		/**< Authentication algorithm (encoding not defined in this header) */

	uint8_t nat_t_req;		/**< apply NAT-T header */
	uint8_t inner_ipv4_proto;	/**< inner IPv4 protocol */
	uint8_t outer_ipv4_ttl;		/**< outer IPv4 time to live */
	uint8_t esp_icv_len;		/**< ESP trailer's ICV length (presumably bytes); must be consistent with auth_algo */

	uint8_t esp_seq_skip;		/**< Skip ESP sequence number in header (non-zero disables it) */
	uint8_t esp_tail_skip;		/**< Skip ESP trailer (non-zero disables it) */
	uint8_t use_pattern;		/**< Use random pattern in hash calculation */
	uint8_t res;			/**< reserve for 4-byte alignment; keep 0 */
};
76
/**
 * @brief Definition of an IPsec encapsulation rule for a delete operation
 *
 * Used through union nss_ipsecmgr_rule with NSS_IPSECMGR_RULE_TYPE_ENCAP.
 * Carries only the inner-flow fields of struct nss_ipsecmgr_encap_add;
 * presumably these identify the rule to remove — confirm which fields form
 * the lookup key.
 */
struct nss_ipsecmgr_encap_del {
	uint32_t inner_ipv4_src;	/**< inner IPv4 source address */
	uint32_t inner_ipv4_dst;	/**< inner IPv4 destination address */

	uint16_t inner_src_port;	/**< inner protocol's source port */
	uint16_t inner_dst_port;	/**< inner protocol's destination port */

	uint8_t inner_ipv4_proto;	/**< inner IPv4 protocol */
	uint8_t use_pattern;		/**< Use random pattern in hash calculation */
	uint8_t res[2];			/**< reserve for 4-byte alignment; keep 0 */
};
91
/**
 * @brief Definition of an IPsec decapsulation rule for an add operation
 *
 * Used through union nss_ipsecmgr_rule with NSS_IPSECMGR_RULE_TYPE_DECAP.
 * The outer_* fields and esp_spi describe the incoming tunnel packet.
 *
 * NOTE(review): byte order of the address fields is not stated here —
 * confirm. window_size controls anti-replay; the behaviour for 0 is not
 * defined in this header, so confirm whether it disables the check before
 * relying on it. esp_seq_skip removes the sequence number the anti-replay
 * window operates on, so the two settings presumably conflict — confirm.
 */
struct nss_ipsecmgr_decap_add {
	uint32_t outer_ipv4_src;	/**< outer IPv4 source address */
	uint32_t outer_ipv4_dst;	/**< outer IPv4 destination address */

	uint32_t esp_spi;		/**< ESP header's SPI index */

	uint16_t crypto_index;		/**< crypto session index returned by the driver (16-bit here, 32-bit in nss_ipsecmgr_sa_stats) */
	uint16_t window_size;		/**< sequence number window size for anti-replay */

	uint8_t cipher_algo;		/**< Cipher algorithm (encoding not defined in this header) */
	uint8_t auth_algo;		/**< Authentication algorithm (encoding not defined in this header) */
	uint8_t esp_icv_len;		/**< ESP trailer's ICV length (presumably bytes); must be consistent with auth_algo */
	uint8_t nat_t_req;		/**< Remove NAT-T header */

	uint8_t esp_seq_skip;		/**< Skip ESP sequence number in header (non-zero disables it) */
	uint8_t esp_tail_skip;		/**< Skip ESP trailer (non-zero disables it) */
	uint8_t res[2];			/**< reserve for 4-byte alignment; keep 0 */
};
113
/**
 * @brief Definition of an IPsec decapsulation rule for a delete operation
 *
 * Used through union nss_ipsecmgr_rule with NSS_IPSECMGR_RULE_TYPE_DECAP.
 * Carries the outer addresses and SPI of struct nss_ipsecmgr_decap_add,
 * which presumably identify the rule to remove — confirm.
 */
struct nss_ipsecmgr_decap_del {
	uint32_t outer_ipv4_src;	/**< outer IPv4 source address */
	uint32_t outer_ipv4_dst;	/**< outer IPv4 destination address */

	uint32_t esp_spi;		/**< ESP header's SPI index */
};
123
/**
 * @brief Rule types
 *
 * Passed to nss_ipsecmgr_sa_add()/_del()/_flush() and recorded in
 * nss_ipsecmgr_sa_stats. NSS_IPSECMGR_RULE_TYPE_MAX is a bound for range
 * checks, not a valid type.
 */
enum nss_ipsecmgr_rule_type {
	NSS_IPSECMGR_RULE_TYPE_NONE = 0,	/**< Invalid rule type */
	NSS_IPSECMGR_RULE_TYPE_ENCAP = 1,	/**< rule is for encap */
	NSS_IPSECMGR_RULE_TYPE_DECAP = 2,	/**< rule is for decap */
	NSS_IPSECMGR_RULE_TYPE_MAX		/**< one past the last valid type */
};
133
/**
 * @brief NSS IPsec manager rule definition
 *
 * Exactly one member is meaningful for a given call; the enum
 * nss_ipsecmgr_rule_type argument and the add/del function select which.
 * The union is sized by its largest member (encap_add). Zero the whole union
 * before filling a member so the unused bytes are deterministic.
 */
union nss_ipsecmgr_rule {
	struct nss_ipsecmgr_encap_add encap_add;	/**< encap rule add */
	struct nss_ipsecmgr_encap_del encap_del;	/**< encap rule del */
	struct nss_ipsecmgr_decap_add decap_add;	/**< decap rule add */
	struct nss_ipsecmgr_decap_del decap_del;	/**< decap rule del */
};
143
/**
 * @brief SA stats exported by NSS IPsec manager
 *
 * Delivered inside struct nss_ipsecmgr_event for NSS_IPSECMGR_EVENT_SA_STATS.
 * The packet counters are 32-bit and will wrap; consumers tracking totals
 * should handle that. Whether they are cumulative or per-sync deltas is not
 * stated here — confirm.
 */
struct nss_ipsecmgr_sa_stats {
	enum nss_ipsecmgr_rule_type type;		/**< Encap/Decap */
	uint32_t esp_spi;				/**< ESP SPI */
	uint32_t seqnum;				/**< SA sequence number (32-bit; no ESN high half here) */
	uint32_t crypto_index;				/**< crypto session index (32-bit here, 16-bit in the rule structs) */
	uint32_t pkts_processed;			/**< packets processed */
	uint32_t pkts_dropped;				/**< packets dropped */
	uint32_t pkts_failed;				/**< packets failed to be processed */
};
156
/**
 * @brief NSS IPsec manager event type
 *
 * Selects which member of nss_ipsecmgr_event.data is valid.
 * NSS_IPSECMGR_EVENT_MAX is a bound for range checks, not a valid type.
 */
enum nss_ipsecmgr_event_type {
	NSS_IPSECMGR_EVENT_NONE = 0,			/**< invalid event type */
	NSS_IPSECMGR_EVENT_SA_STATS,			/**< statistics sync; data.stats is valid */
	NSS_IPSECMGR_EVENT_MAX				/**< one past the last valid type */
};
165
/**
 * @brief NSS IPsec manager event
 *
 * Passed to the tunnel's nss_ipsecmgr_event_cb_t. Check @c type before
 * reading @c data; only the member matching the type is valid.
 */
struct nss_ipsecmgr_event {
	enum nss_ipsecmgr_event_type type;		/**< Event type */
	union {
		struct nss_ipsecmgr_sa_stats stats;	/**< Event: SA statistics (NSS_IPSECMGR_EVENT_SA_STATS) */
	}data;
};
175
176#ifdef __KERNEL__ /* only kernel will use */
177
/**
 * @brief Callback function registered by the IPsec tunnel users
 *	  to receive packets from the tunnel
 *
 * @param ctx[IN] callback context associated with the tunnel
 *	  (the ctx passed to nss_ipsecmgr_tunnel_add())
 * @param skb[IN] the packet
 *
 * @return none
 *
 * @note Whether the callback takes ownership of @p skb, and the execution
 *	 context it runs in, are not stated here — confirm with the
 *	 implementation. struct sk_buff must already be declared by an
 *	 earlier include.
 */
typedef void (*nss_ipsecmgr_data_cb_t) (void *ctx, struct sk_buff *skb);
187
/**
 * @brief Callback function registered by the IPsec tunnel users
 * 	  to receive NSS IPsec manager events
 *
 * @param ctx[IN] callback context associated with the tunnel
 *	  (the ctx passed to nss_ipsecmgr_tunnel_add())
 * @param ev[IN] IPsec event
 *
 * @return none
 *
 * @note Assume @p ev is valid only for the duration of the call and copy
 *	 out what is needed — confirm with the implementation.
 */
typedef void (*nss_ipsecmgr_event_cb_t) (void *ctx, struct nss_ipsecmgr_event *ev);
198
/**
 * @brief Create a new IPsec tunnel interface
 *
 * @param ctx[IN] context that the caller wants to be stored per tunnel;
 *	  it is handed back to @p data_cb and @p event_cb, so the caller
 *	  must keep it valid until nss_ipsecmgr_tunnel_del()
 * @param cb[IN] the callback function for receiving data
 * @param event_cb[IN] the callback function for receiving events
 *
 * @return Netdevice for the IPsec tunnel interface; presumably NULL on
 *	   failure — confirm with the implementation
 *
 * @note This needs to be created for receiving data from NSS IPsec
 * 	 and sending data to the NSS IPsec (if required). The need for
 * 	 this is to provide a data interface on Host which can use it
 * 	 to either receive IPsec decapsulated packets or send plain text
 * 	 packets to get IPsec encapsulated. This will help bind SA(s) to
 * 	 tunnels so when the tunnel goes away all associated SA(s)
 * 	 presumably go with it (see nss_ipsecmgr_sa_flush()) — confirm.
 * 	 The number of tunnels is bounded by NSS_IPSECMGR_MAX_TUNNELS.
 */
struct net_device *nss_ipsecmgr_tunnel_add(void *ctx, nss_ipsecmgr_data_cb_t data_cb, nss_ipsecmgr_event_cb_t event_cb);
216
/**
 * @brief Delete the IPsec tunnel
 *
 * @param tun[IN] IPsec tunnel device on host, as returned by
 *	  nss_ipsecmgr_tunnel_add()
 *
 * @return true when successful
 *
 * @note Whether the SAs bound to the tunnel are flushed here, and whether
 *	 callbacks may still fire after this returns, is not stated in this
 *	 header — confirm before freeing the ctx given to tunnel_add.
 */
bool nss_ipsecmgr_tunnel_del(struct net_device *tun);
225
/**
 * @brief Add a new Security Association to the IPsec tunnel
 *
 * @param tun[IN] pseudo IPsec tunnel device
 * @param rule[IN] IPsec rule structure associated with the SA; the caller
 *	  fills rule->encap_add or rule->decap_add according to @p type
 * @param type[IN] NSS_IPSECMGR_RULE_TYPE_ENCAP or NSS_IPSECMGR_RULE_TYPE_DECAP
 *	  (egress or ingress respectively)
 *
 * @return true when successful, by analogy with the other calls in this
 *	   header — confirm with the implementation
 *
 * @note Whether @p rule is copied or retained by the manager is not stated
 *	 here; treat it as an input valid for the duration of the call.
 */
bool nss_ipsecmgr_sa_add(struct net_device *tun, union nss_ipsecmgr_rule *rule, enum nss_ipsecmgr_rule_type type);
236
/**
 * @brief Delete an existing security association from the IPsec tunnel
 *
 * @param tun[IN] pseudo IPsec tunnel device
 * @param rule[IN] IPsec rule structure associated with the SA; the caller
 *	  fills rule->encap_del or rule->decap_del according to @p type
 * @param type[IN] NSS_IPSECMGR_RULE_TYPE_ENCAP or NSS_IPSECMGR_RULE_TYPE_DECAP
 *	  (egress or ingress respectively)
 *
 * @return true when successful, by analogy with the other calls in this
 *	   header — confirm with the implementation
 */
bool nss_ipsecmgr_sa_del(struct net_device *tun, union nss_ipsecmgr_rule *rule, enum nss_ipsecmgr_rule_type type);
247
248
/**
 * @brief flush rules for all SAs belonging to a specific tunnel
 *
 * @param dev[IN] pseudo IPsec tunnel device (named @c tun in the sibling
 *	  prototypes above; same object)
 * @param type[IN] NSS_IPSECMGR_RULE_TYPE_ENCAP or NSS_IPSECMGR_RULE_TYPE_DECAP
 *	  selecting which direction's SAs are flushed
 *
 * @return true for success
 *
 * @note The earlier documentation listed a @c skb parameter that the
 *	 prototype does not have; there is no packet argument.
 */
bool nss_ipsecmgr_sa_flush(struct net_device *dev, enum nss_ipsecmgr_rule_type type);
259
260#endif /* (__KERNEL__) */
261#endif /* __NSS_IPSECMGR_H */
262