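/*
 **************************************************************************
 * Copyright (c) 2014,2015, The Linux Foundation. All rights reserved.
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * above copyright notice and this permission notice appear in all copies.
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 **************************************************************************
 */

/*
 * nss_ipsecmgr.h
 *	NSS to HLOS IPSec Manager interface definitions.
 *
 * This header has no #include lines of its own: it expects the fixed-width
 * integer types, bool, struct sk_buff and struct net_device to already be in
 * scope from the including file (in kernel builds presumably via
 * linux/types.h and linux/netdevice.h — confirm against the includers).
 * NSS_CRYPTO_MAX_IDXS is likewise expected to come from the crypto driver's
 * header.
 */
#ifndef __NSS_IPSECMGR_H
#define __NSS_IPSECMGR_H

/*
 * Debug verbosity levels, listed from ERROR to TRACE.
 */
#define NSS_IPSECMGR_DEBUG_LVL_ERROR 1
#define NSS_IPSECMGR_DEBUG_LVL_WARN 2
#define NSS_IPSECMGR_DEBUG_LVL_INFO 3
#define NSS_IPSECMGR_DEBUG_LVL_TRACE 4

/*
 * Name template for the tunnel net_device; the %d is filled in by the
 * net device allocator (presumably — confirm against nss_ipsecmgr_tunnel_add).
 * The tunnel count is bounded to half of the crypto session index space.
 */
#define NSS_IPSECMGR_TUN_NAME "ipsectun%d"
#define NSS_IPSECMGR_MAX_TUNNELS (NSS_CRYPTO_MAX_IDXS/2)

/*
 * Worst-case encapsulation overhead reserved per packet.
 * This is a rough estimate; it need not be exact but must be large enough
 * to accommodate most use cases.
 */
#define NSS_IPSECMGR_TUN_MAX_HDR_LEN 96

/*
 * Space required in the head and tail of the buffer
 */
#define NSS_IPSECMGR_TUN_HEADROOM 128
#define NSS_IPSECMGR_TUN_TAILROOM 128

/*
 * MTU the tunnel can offer on top of an underlying MTU of x, after
 * reserving NSS_IPSECMGR_TUN_MAX_HDR_LEN for the encapsulation headers.
 * The argument is parenthesized so that expressions such as a ? b : c
 * are subtracted as a whole rather than having the constant bind to
 * their last operand.
 */
#define NSS_IPSECMGR_TUN_MTU(x) ((x) - NSS_IPSECMGR_TUN_MAX_HDR_LEN)

/*
 * UDP port carrying NAT-T encapsulated ESP (RFC 3948).
 */
#define NSS_IPSECMGR_NATT_PORT_DATA 4500

/**
 * @brief Definition of an IPsec encapsulation rule for an add operation
 *
 * @note Addresses and ports are carried as plain integers; this header does
 * not state their byte order (network vs host) — confirm against the
 * implementation before populating a rule.
 * @note The field order and the trailing reserve byte fix the layout at
 * 4-byte alignment; do not reorder or insert fields without updating every
 * consumer of this structure.
 */
struct nss_ipsecmgr_encap_add {
	uint32_t inner_ipv4_src;	/**< inner IPv4 source address */
	uint32_t inner_ipv4_dst;	/**< inner IPv4 destination address */

	uint32_t outer_ipv4_src;	/**< outer IPv4 source address */
	uint32_t outer_ipv4_dst;	/**< outer IPv4 destination address */

	uint32_t esp_spi;		/**< ESP header's SPI index */

	uint16_t inner_src_port;	/**< inner protocol's source port */
	uint16_t inner_dst_port;	/**< inner protocol's destination port */

	uint16_t crypto_index;		/**< crypto session index returned by the driver */
	uint8_t cipher_algo;		/**< Cipher algorithm */
	uint8_t auth_algo;		/**< Authentication algorithm */

	uint8_t nat_t_req;		/**< apply NAT-T header */
	uint8_t inner_ipv4_proto;	/**< inner IPv4 protocol */
	uint8_t outer_ipv4_ttl;		/**< outer IPv4 time to live */
	uint8_t esp_icv_len;		/**< ESP trailer's ICV length; presumably must agree with the truncation length of auth_algo — confirm */

	uint8_t esp_seq_skip;		/**< Skip ESP sequence number in header; NOTE(review): the sequence number is what a receiver's anti-replay check keys on, so confirm this is only set for the interop cases that require it */
	uint8_t esp_tail_skip;		/**< Skip ESP trailer */
	uint8_t use_pattern;		/**< Use random pattern in hash calculation */
	uint8_t res;			/**< reserve for 4-byte alignment */
};

/**
 * @brief Definition of an IPsec encapsulation rule for a delete operation
 *
 * Carries only the inner selector fields of nss_ipsecmgr_encap_add; the
 * same byte-order caveat applies.
 */
struct nss_ipsecmgr_encap_del {
	uint32_t inner_ipv4_src;	/**< inner IPv4 source address */
	uint32_t inner_ipv4_dst;	/**< inner IPv4 destination address */

	uint16_t inner_src_port;	/**< inner protocol's source port */
	uint16_t inner_dst_port;	/**< inner protocol's destination port */

	uint8_t inner_ipv4_proto;	/**< inner IPv4 protocol */
	uint8_t use_pattern;		/**< Use random pattern in hash calculation */
	uint8_t res[2];			/**< reserve for 4-byte alignment */
};

/**
 * @brief Definition of an IPsec decapsulation rule for an add operation
 *
 * @note Same byte-order and layout caveats as nss_ipsecmgr_encap_add.
 */
struct nss_ipsecmgr_decap_add {
	uint32_t outer_ipv4_src;	/**< outer IPv4 source address */
	uint32_t outer_ipv4_dst;	/**< outer IPv4 destination address */

	uint32_t esp_spi;		/**< ESP header's SPI index */

	uint16_t crypto_index;		/**< crypto session index returned by the driver */
	uint16_t window_size;		/**< sequence number window size for anti-replay; NOTE(review): whether 0 means "disabled" or "implementation default" is not stated here — confirm */

	uint8_t cipher_algo;		/**< Cipher algorithm */
	uint8_t auth_algo;		/**< Authentication algorithm */
	uint8_t esp_icv_len;		/**< ESP trailer's ICV length */
	uint8_t nat_t_req;		/**< Remove NAT-T header */

	uint8_t esp_seq_skip;		/**< Skip ESP sequence number in header */
	uint8_t esp_tail_skip;		/**< Skip ESP trailer */
	uint8_t res[2];			/**< reserve for 4-byte alignment */
};

/**
 * @brief Definition of an IPsec decapsulation rule for a delete operation
 *
 * The outer address pair plus SPI identify the inbound SA to remove.
 */
struct nss_ipsecmgr_decap_del {
	uint32_t outer_ipv4_src;	/**< outer IPv4 source address */
	uint32_t outer_ipv4_dst;	/**< outer IPv4 destination address */

	uint32_t esp_spi;		/**< ESP header's SPI index */
};

/**
 * @brief Rule types
 *
 * NSS_IPSECMGR_RULE_TYPE_MAX is a sentinel (one past the last valid type),
 * not a rule type itself.
 */
enum nss_ipsecmgr_rule_type {
	NSS_IPSECMGR_RULE_TYPE_NONE = 0,	/**< Invalid rule type */
	NSS_IPSECMGR_RULE_TYPE_ENCAP = 1,	/**< rule is for encap */
	NSS_IPSECMGR_RULE_TYPE_DECAP = 2,	/**< rule is for decap */
	NSS_IPSECMGR_RULE_TYPE_MAX
};

/**
 * @brief NSS IPsec manager rule definition
 *
 * Which member is live is selected by the enum nss_ipsecmgr_rule_type
 * passed alongside the rule and by whether the call is an add or a delete.
 */
union nss_ipsecmgr_rule {
	struct nss_ipsecmgr_encap_add encap_add;	/**< encap rule add */
	struct nss_ipsecmgr_encap_del encap_del;	/**< encap rule del */
	struct nss_ipsecmgr_decap_add decap_add;	/**< decap rule add */
	struct nss_ipsecmgr_decap_del decap_del;	/**< decap rule del */
};

/**
 * @brief SA stats exported by NSS IPsec manager
 */
struct nss_ipsecmgr_sa_stats {
	enum nss_ipsecmgr_rule_type type;	/**< Encap/Decap */
	uint32_t esp_spi;		/**< ESP SPI */
	uint32_t seqnum;		/**< SA sequence number */
	uint32_t crypto_index;		/**< crypto session index (wider than the uint16_t crypto_index carried in the rule structures) */
	uint32_t pkts_processed;	/**< packets processed */
	uint32_t pkts_dropped;		/**< packets dropped */
	uint32_t pkts_failed;		/**< packets failed to be processed */
};

/**
 * @brief NSS IPsec manager event type
 *
 * NSS_IPSECMGR_EVENT_MAX is a sentinel, not an event.
 */
enum nss_ipsecmgr_event_type {
	NSS_IPSECMGR_EVENT_NONE = 0,	/**< invalid event type */
	NSS_IPSECMGR_EVENT_SA_STATS,	/**< statistics sync */
	NSS_IPSECMGR_EVENT_MAX
};

/**
 * @brief NSS IPsec manager event
 *
 * The type field selects the live member of data; only SA statistics are
 * defined at present.
 */
struct nss_ipsecmgr_event {
	enum nss_ipsecmgr_event_type type;	/**< Event type */
	union {
		struct nss_ipsecmgr_sa_stats stats;	/**< Event: SA statistics */
	} data;
};

#ifdef __KERNEL__ /* only kernel will use */

/**
 * @brief Callback function registered by the IPsec tunnel users
 *
 * @param ctx[IN] callback context associated with the tunnel
 * @param skb[IN] the packet
 *
 * @return none
 *
 * @note Ownership of skb after the callback (whether the callee must
 * consume or free it) is not stated here — confirm against the
 * implementation.
 */
typedef void (*nss_ipsecmgr_data_cb_t) (void *ctx, struct sk_buff *skb);

/**
 * @brief Callback function registered by the IPsec tunnel users
 * to receive NSS IPsec manager events
 *
 * @param ctx[IN] callback context associated with the tunnel
 * @param ev[IN] IPsec event
 *
 * @return none
 */
typedef void (*nss_ipsecmgr_event_cb_t) (void *ctx, struct nss_ipsecmgr_event *ev);

/**
 * @brief Create a new IPsec tunnel interface
 *
 * @param ctx[IN] context that the caller wants to be stored per tunnel
 * @param cb[IN] the callback function for receiving data
 * @param event_cb[IN] the callback function for receiving events
 *
 * @return Netdevice for the IPsec tunnel interface (presumably NULL on
 * failure — confirm against the implementation)
 *
 * @note This needs to be created for receiving data from NSS IPsec
 * and sending data to the NSS IPsec (if required). The need for
 * this is to provide a data interface on Host which can use it
 * to either receive IPsec decapsulated packets or send plain text
 * packets to get IPsec encapsulated. This will help bind SA(s) to
 * tunnels so when the tunnel goes away all associated SA(s) can be
 * flushed with it (see nss_ipsecmgr_sa_flush).
 */
struct net_device *nss_ipsecmgr_tunnel_add(void *ctx, nss_ipsecmgr_data_cb_t data_cb, nss_ipsecmgr_event_cb_t event_cb);

/**
 * @brief Delete the IPsec tunnel
 *
 * @param tun[IN] IPsec tunnel device on host
 *
 * @return true when successful
 */
bool nss_ipsecmgr_tunnel_del(struct net_device *tun);

/**
 * @brief Add a new Security Association to the IPsec tunnel
 *
 * @param tun[IN] pseudo IPsec tunnel device
 * @param rule[IN] IPsec rule structure associated with the SA
 * @param type[IN] ingress or egress type
 *
 * @return true when successful (by analogy with nss_ipsecmgr_tunnel_del —
 * confirm against the implementation)
 */
bool nss_ipsecmgr_sa_add(struct net_device *tun, union nss_ipsecmgr_rule *rule, enum nss_ipsecmgr_rule_type type);

/**
 * @brief Delete an existing security association from the IPsec tunnel
 *
 * @param tun[IN] pseudo IPsec tunnel device
 * @param rule[IN] IPsec rule structure associated with the SA
 * @param type[IN] ingress or egress type
 *
 * @return true when successful (by analogy with nss_ipsecmgr_tunnel_del —
 * confirm against the implementation)
 */
bool nss_ipsecmgr_sa_del(struct net_device *tun, union nss_ipsecmgr_rule *rule, enum nss_ipsecmgr_rule_type type);

/**
 * @brief flush rules for all sa belonging to a specific tunnel
 *
 * @param dev[IN] pseudo IPsec tunnel device
 * @param type[IN] ingress or egress type
 *
 * @return true for success
 */
bool nss_ipsecmgr_sa_flush(struct net_device *dev, enum nss_ipsecmgr_rule_type type);

#endif /* (__KERNEL__) */
#endif /* __NSS_IPSECMGR_H */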