|
1 // Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
2 // All rights reserved. |
|
3 // This component and the accompanying materials are made available |
|
4 // under the terms of "Eclipse Public License v1.0" |
|
5 // which accompanies this distribution, and is available |
|
6 // at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
7 // |
|
8 // Initial Contributors: |
|
9 // Nokia Corporation - initial contribution. |
|
10 // |
|
11 // Contributors: |
|
12 // |
|
13 // Description: |
|
14 // pfkey.h - IPv6/IPv4 IPSEC KEY protocol family |
|
15 // |
|
16 |
|
17 |
|
18 |
|
19 /** |
|
20 @internalComponent |
|
21 */ |
|
22 #ifndef __PFKEY_H__ |
|
23 #define __PFKEY_H__ |
|
24 |
|
25 #include <es_prot.h> |
|
26 #include "ipsec.h" |
|
27 #include "sadb.h" |
|
28 #include "epdb.h" |
|
29 |
|
30 #include "ah_eng.h" |
|
31 #include "esp_eng.h" |
|
32 #include "ipip_eng.h" |
|
33 #include "natt_eng.h" |
|
34 |
|
35 class CProviderKey; |
|
36 |
|
37 // |
|
38 // CProtocolKey |
|
39 // |
|
40 class CProtocolKey : public CProtocolBase, public MAssociationManager |
|
41 /** |
|
42 * The PFKEY protocol implementation. |
|
43 * |
|
44 * PFKEY protocol manages the PFKEY sockets and maintains the Security |
|
45 * Association Database (SAD). |
|
46 * |
|
47 * PFKEY protocol provides MAssociationManger API, which defines the |
|
48 * services for the SECPOL protocol and SAD. |
|
49 */ |
|
50 { |
|
51 public: |
|
52 CProtocolKey(); |
|
53 CProtocolKey& operator=(const CProtocolKey&); |
|
54 virtual ~CProtocolKey(); |
|
55 virtual CServProviderBase *NewSAPL(TUint aProtocol); |
|
56 virtual void InitL(TDesC& aTag); |
|
57 virtual void StartL(); |
|
58 virtual void BindToL(CProtocolBase *protocol); |
|
59 virtual void BindL(CProtocolBase *aProtocol, TUint id); |
|
60 virtual void Identify(TServerProtocolDesc *) const; |
|
61 |
|
62 virtual TInt GetOption(TUint aLevel, TUint aName, TDes8& aOption, CProtocolBase* aSourceProtocol=NULL); |
|
63 virtual TInt SetOption(TUint aLevel, TUint aName,const TDesC8& aOption, CProtocolBase* aSourceProtocol=NULL); |
|
64 |
|
65 virtual void Open(); |
|
66 virtual void Close(); |
|
67 |
|
68 // Methods to be used from the SECPOL |
|
69 TInt Acquire( |
|
70 CSecurityAssoc * &aSA, |
|
71 const TSecurityAssocSpec &aSpec, |
|
72 #ifdef SYMBIAN_IPSEC_VOIP_SUPPORT |
|
73 const CPropList *aPropList, |
|
74 #endif //SYMBIAN_IPSEC_VOIP_SUPPORT |
|
75 const CTransportSelector *aTS, |
|
76 const RIpAddress &aSrc, |
|
77 const RIpAddress &aDst, |
|
78 const RPolicySelectorInfo &aInfo, |
|
79 TBool aTunnel); |
|
80 |
|
81 #ifdef SYMBIAN_IPSEC_VOIP_SUPPORT |
|
82 TInt Verify( const CSecurityAssoc *aSA, const TSecurityAssocSpec &aSpec, |
|
83 const CPropList *aPropList, |
|
84 const RIpAddress &aSrc, const RIpAddress &aDst, const RPolicySelectorInfo &aInfo); |
|
85 #else |
|
86 TInt Verify( |
|
87 const CSecurityAssoc *aSA, |
|
88 const TSecurityAssocSpec &aSpec, |
|
89 const RIpAddress &aSrc, |
|
90 const RIpAddress &aDst, |
|
91 const RPolicySelectorInfo &aInfo); |
|
92 #endif // SYMBIAN_IPSEC_VOIP_SUPPORT |
|
93 |
|
94 TInt ApplyL( // Outbound |
|
95 CSecurityAssoc *aSa, |
|
96 RMBufSendPacket &aPacket, |
|
97 RMBufSendInfo &info, |
|
98 const TIpAddress &aTunnel); |
|
99 TInt ApplyL( // Inbound |
|
100 CSecurityAssoc * &aSa, |
|
101 RMBufRecvPacket &aPacket, |
|
102 RMBufRecvInfo &info, |
|
103 TInt aProtocol, |
|
104 TIpAddress &aTunnel); |
|
105 TInt Overhead(const CSecurityAssoc *const aSa, const TIpAddress &aTunnel) const; |
|
106 void SetAlgorithms(CAlgorithmList*& aList); |
|
107 |
|
108 // Methods to be used from the CSecurityAssoc |
|
109 inline void TimerOn(CSecurityAssoc &aSa, TInt aDelta); |
|
110 void Expired(const CSecurityAssoc &aSa, TInt aType, const TLifetime &aLifetime); |
|
111 |
|
112 // Generic |
|
113 void Delete(CSecurityAssoc *aSa); |
|
114 CSecurityAssoc *Lookup(TUint8 aType, TUint32 aSPI, const TIpAddress &aDst) const; |
|
115 REndPoints &EndPointCollection() { return iEndPointCollection; } |
|
116 |
|
117 // PFKEYv2 main entry (called by CProviderKey |
|
118 TInt Exec(const TDesC8 &aMsg, CProviderKey *aSrc = NULL); |
|
119 private: |
|
120 virtual CSecurityAssoc *Lookup(TUint8 aType, TUint32 aSPI, const TIpAddress &aDst, TInt &aHash) const; |
|
121 |
|
122 static CSecurityAssoc *FindEgg(CSecurityAssoc *sa, const TPfkeyMessage &aMsg, const struct sadb_msg &aBase); |
|
123 |
|
124 // These ExecNNN methods are only used in key_msg.cpp (not intended for general use) |
|
125 TInt ExecGetSPI(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
126 TInt ExecUpdate(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
127 TInt ExecAdd(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
128 TInt ExecDelete(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc, TBool deliverMsg=ETrue); |
|
129 TInt ExecGet(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
130 TInt ExecAcquire(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
131 TInt ExecRegister(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
132 TInt ExecFlush(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
133 TInt ExecDump(TPfkeyMessage &aMsg, struct sadb_msg &aBase, CProviderKey *aSrc); |
|
134 void DumpSA(TPfkeyMessage &aKey, struct sadb_msg &aBase, CProviderKey *aDst, CSecurityAssoc *sa); |
|
135 // |
|
136 void Deliver(const TPfkeyMessage &aMsg); |
|
137 void DeliverRegistered(const TPfkeyMessage &aMsg); |
|
138 |
|
139 inline TInt HashSize() const; |
|
140 inline TInt Hash(const TIp6Addr &addr, TUint8 type) const; |
|
141 |
|
142 /** |
|
143 * The Security Association DataBase (SAD). |
|
144 * |
|
145 * The Collection of Security Associations |
|
146 * hashed by *remote address*. The size of the |
|
147 * hash is automatically controlled by the size |
|
148 * of this array. Feel free to place any other |
|
149 * magic constant (prime!) here, the code will adjust) |
|
150 */ |
|
151 CSecurityAssoc *iHash[111]; |
|
152 |
|
153 MTimeoutManager *iTimer; //< Timing services. |
|
154 TUint32 iSequenceNumber; //< Current sequence number for the kernel originated PF_KEY msgs |
|
155 TDblQue<CProviderKey> iSAPlist; //< Housekeeping of attached sockets (= SAP's) |
|
156 TIpsecAH iEngineAH; //< IPsec Authentication engine |
|
157 TIpsecESP iEngineESP; //< IPsec Encryption engine |
|
158 TIpsecIPIP iEngineIPIP; //< IPsec IP-in-IP tunneling engine |
|
159 TIpsecNATT iEngineNATT; //< IPsec NAT Traversal engine |
|
160 CIpsecCryptoManager *iCrypto; //< IPsec Crypto Library Manager |
|
161 REndPoints iEndPointCollection; //< The named end point collection. |
|
162 RArray<RIpAddress> iEndPoints; //< The SetOpt EP definitions |
|
163 RMBufAllocator iRMBufAllocator; //< RMBufAllocator used in encryption/decryption operation |
|
164 }; |
|
165 |
|
166 |
|
167 |
|
168 void CProtocolKey::TimerOn(CSecurityAssoc &aSa, TInt aDelta) |
|
169 /** |
|
170 * Activate a timeout call on SA. |
|
171 * |
|
172 * @param aSa The security association |
|
173 * @param aDelta The delay in seconds. |
|
174 */ |
|
175 { |
|
176 iTimer->Set(aSa.iTimeout, aDelta); |
|
177 } |
|
178 |
|
179 TInt CProtocolKey::HashSize() const |
|
180 /** |
|
181 * Return number of entries in the hash array. |
|
182 */ |
|
183 { |
|
184 return sizeof(iHash) / sizeof(iHash[0]); |
|
185 } |
|
186 |
|
187 TInt CProtocolKey::Hash(const TIp6Addr &addr, TUint8 type) const |
|
188 /** |
|
189 * Compute hash value from IPv6 address and assocation type. |
|
190 * |
|
191 * Hash computes the hash value from IPv6 address (128 bits) and |
|
192 * association type code, return a pointer to the list of Security |
|
193 * Associations, which include all associations with this remote host |
|
194 * (the list may include associations with other hosts that map to |
|
195 * the same hash value!) |
|
196 * |
|
197 * @param addr The IPv6 address |
|
198 * @param type The association type (AH or ESP) |
|
199 * @return Index into hash table (iHash). |
|
200 */ |
|
201 { |
|
202 const TUint32 tmp = |
|
203 addr.u.iAddr32[0] ^ |
|
204 addr.u.iAddr32[1] ^ |
|
205 addr.u.iAddr32[2] ^ |
|
206 addr.u.iAddr32[3]; |
|
207 return ((tmp >> 16) ^ tmp ^ type) % HashSize(); |
|
208 } |
|
209 |
|
210 |
|
211 // |
|
212 // PF_KEY Socket Provider Base |
|
213 // |
|
214 |
|
215 /** |
|
216 * Max value for Security Association type. |
|
217 * |
|
218 * The maximum allowed value (for this implementation) for Security |
|
219 * association type (AH, ESP, etc.) value. The pfkey2.h value |
|
220 * SADB_SATYPE_MAX is not used. This allows compiled code to work even |
|
221 * if some future PFKEY adds more types. The limit is now taken from |
|
222 * the size of the sadb_msg_satype field (= uint8_t). Only needed in |
|
223 * building a bitmap for a REGISTERED listener. |
|
224 */ |
|
225 const TUint KProviderKey_SATYPE_MAX = 255; |
|
226 |
|
227 class CProviderKey: public CProviderIpsecBase |
|
228 /** |
|
229 * The PFKEY socket provider (SAP). |
|
230 */ |
|
231 { |
|
232 public: |
|
233 CProviderKey(CProtocolKey& aProtocol); |
|
234 void Start(); |
|
235 TUint Write(const TDesC8 &aDesc,TUint options, TSockAddr* aAddr=NULL); |
|
236 |
|
237 TInt SetOption(TUint level,TUint name, const TDesC8 &anOption); |
|
238 TInt GetOption(TUint level,TUint name,TDes8 &anOption) const; |
|
239 public: |
|
240 // For CProtocolKey only |
|
241 void Deliver(const TPfkeyMessage &aMsg); |
|
242 TUint8 iRegistered[(KProviderKey_SATYPE_MAX+7)/8]; //< Registered to listen protocols (now only AH and ESP). |
|
243 protected: |
|
244 CProtocolKey& iProtocol; //< PFKEY protocol object |
|
245 }; |
|
246 |
|
247 #endif |