policy.h

Go to the documentation of this file.

/*
 * Copyright (c) 2023 NVIDIA CORPORATION AND AFFILIATES.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without modification, are permitted
 * provided that the following conditions are met:
 *     * Redistributions of source code must retain the above copyright notice, this list of
 *       conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright notice, this list of
 *       conditions and the following disclaimer in the documentation and/or other materials
 *       provided with the distribution.
 *     * Neither the name of the NVIDIA CORPORATION nor the names of its contributors may be used
 *       to endorse or promote products derived from this software without specific prior written
 *       permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NVIDIA CORPORATION BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TOR (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */
 
#ifndef POLICY_H_
#define POLICY_H_
 
#include <sys/un.h>
 
#include "flow_encrypt.h"
#include "flow_decrypt.h"
 
#ifdef __cplusplus
extern "C" {
#endif
 
#define MAX_IP_ADDR_LEN (INET6_ADDRSTRLEN) /* Maximal IP address size */
#define POLICY_DIR_IN (0)          /* Ingress traffic */
#define POLICY_DIR_OUT (1)         /* Egress  traffic */
#define POLICY_MODE_TRANSPORT (0)      /* Policy transport mode */
#define POLICY_MODE_TUNNEL (1)         /* Policy tunnel mode */
#define POLICY_L3_TYPE_IPV4 (4)        /* Policy L3 type IPV4 */
#define POLICY_L3_TYPE_IPV6 (6)        /* Policy L3 type IPV6 */
#define POLICY_L4_TYPE_UDP (IPPROTO_UDP)   /* Policy L4 type UDP */
#define POLICY_L4_TYPE_TCP (IPPROTO_TCP)   /* Policy L4 type TCP */
#define POLICY_KEY_TYPE_128 (0)        /* Policy key type 128 */
#define POLICY_KEY_TYPE_256 (1)        /* Policy key type 256 */
#define POLICY_RECORD_MIN_SIZE (224)       /* Record size for Key of 16 bytes */
#define POLICY_RECORD_MAX_SIZE (240)       /* Record size for Key of 32 bytes */
 
/* Policy struct */
struct ipsec_security_gw_ipsec_policy {
    /* Protocols attributes */
    uint16_t src_port;     /* Policy inner source port */
    uint16_t dst_port;     /* Policy inner destination port */
    uint8_t l3_protocol;       /* Policy L3 proto {POLICY_L3_TYPE_IPV4, POLICY_L3_TYPE_IPV6} */
    uint8_t l4_protocol;       /* Policy L4 proto {POLICY_L4_TYPE_UDP, POLICY_L4_TYPE_TCP} */
    uint8_t outer_l3_protocol; /* Policy outer L3 type {POLICY_L3_TYPE_IPV4, POLICY_L3_TYPE_IPV6} */
 
    /* Policy attributes */
    uint8_t policy_direction; /* Policy direction {POLICY_DIR_IN, POLICY_DIR_OUT} */
    uint8_t policy_mode;      /* Policy IPSEC mode {POLICY_MODE_TRANSPORT, POLICY_MODE_TUNNEL} */
 
    /* Security Association attributes */
    uint8_t esn;               /* Is ESN enabled? */
    uint8_t icv_length;        /* ICV length in bytes {8, 12, 16} */
    uint8_t key_type;          /* AES key type {POLICY_KEY_TYPE_128, POLICY_KEY_TYPE_256} */
    uint32_t spi;              /* Security Parameter Index */
    uint32_t salt;             /* Cryptographic salt */
    uint8_t enc_key_data[MAX_KEY_LEN]; /* Encryption key (binary) */
 
    /* Policy inner and outer addresses */
    char src_ip_addr[MAX_IP_ADDR_LEN + 1];  /* Policy inner IP source address in string format */
    char dst_ip_addr[MAX_IP_ADDR_LEN + 1];  /* Policy inner IP destination address in string format */
    char outer_src_ip[MAX_IP_ADDR_LEN + 1]; /* Policy outer IP source address in string format */
    char outer_dst_ip[MAX_IP_ADDR_LEN + 1]; /* Policy outer IP destination address in string format */
};
 
/*
 * Print policy attributes
 *
 * @policy [in]: application IPSEC policy
 */
void print_policy_attrs(struct ipsec_security_gw_ipsec_policy *policy);
 
/*
 * Handle encrypt policy, function logic includes:
 * - parsing the new policy and create encrypt rule structure
 * - create suitable security association
 * - add DOCA flow entry which describes the encrypt rule
 *
 * @app_cfg [in]: application configuration structure
 * @ports [in]: DOCA flow ports array
 * @policy [in]: new policy
 * @rule [out]: encrypt rule structure
 * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
 */
doca_error_t ipsec_security_gw_handle_encrypt_policy(struct ipsec_security_gw_config *app_cfg,
                             struct ipsec_security_gw_ports_map *ports[],
                             struct ipsec_security_gw_ipsec_policy *policy,
                             struct encrypt_rule *rule);
 
/*
 * Handle decrypt policy, function logic includes:
 * - parsing the new policy and create decrypt rule structure
 * - create suitable security association
 * - add DOCA flow entry which describes the decrypt rule
 *
 * @app_cfg [in]: application configuration structure
 * @secured_port [in]: DOCA flow port for secured port
 * @policy [in]: new policy
 * @rule [out]: encrypt rule structure
 * @return: DOCA_SUCCESS on success and DOCA_ERROR otherwise
 */
doca_error_t ipsec_security_gw_handle_decrypt_policy(struct ipsec_security_gw_config *app_cfg,
                             struct doca_flow_port *secured_port,
                             struct ipsec_security_gw_ipsec_policy *policy,
                             struct decrypt_rule *rule);
 
#ifdef __cplusplus
} /* extern "C" */
#endif
 
#endif /* POLICY_H_ */