#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2018 Petr Vorel <pvorel@suse.cz>
# Copyright (c) 2016 Red Hat Inc.,  All Rights Reserved.
# Copyright (c) 2016 Oracle and/or its affiliates. All Rights Reserved.
# Author: Hangbin Liu <haliu@redhat.com>

# Authenticated encryption with associated data
AEALGO="rfc4106_128"
# Encryption algorithm
EALGO="des3_ede"
# Authentication algorithm
AALGO="sha1"
# Compression algorithm
CALGO="deflate"

IPSEC_REQUESTS="500"

ipsec_lib_usage()
{
	echo "l n     n is the number of test link when tests run"
	echo "m x     x is ipsec mode, could be transport / tunnel"
	echo "p x     x is ipsec protocol, could be ah / esp / comp"
	echo "s x     x is icmp message size array"
	echo "S n     n is IPsec SPI value"
	echo "k x     key for vti interface"
	echo "A x     Authenticated encryption with associated data algorithm"
	echo "e x     Encryption algorithm"
	echo "a x     Authentication algorithm"
	echo "c x     Compression algorithm"
	echo "r x     Num of requests, PING_MAX or netstress' '-r' opt"
}

ipsec_lib_parse_args()
{
	case "$1" in
	l) LINK_NUM=$2;;
	m) IPSEC_MODE=$2;;
	p) IPSEC_PROTO=$2;;
	s) TST_TEST_DATA="$2"; TST_TEST_DATA_IFS=":";;
	S) SPI=$2;;
	k) VTI_KEY=$2;;
	A) AEALGO=$2;;
	e) EALGO=$2;;
	a) AALGO=$2;;
	c) CALGO=$2;;
	r) IPSEC_REQUESTS="$2";;
	esac
}

ipsec_lib_setup()
{
	case $AEALGO in
	rfc4106_128|rfc4543_128) AEALGO_KEY=$(get_key 160);;
	rfc4106_192|rfc4543_192) AEALGO_KEY=$(get_key 224);;
	rfc4106_256|rfc4543_256) AEALGO_KEY=$(get_key 288);;
	rfc4309_128) AEALGO_KEY=$(get_key 152);;
	rfc4309_192) AEALGO_KEY=$(get_key 216);;
	rfc4309_256) AEALGO_KEY=$(get_key 280);;
	esac

	case $EALGO in
	des) EALGO_KEY=$(get_key 64);;
	des3_ede) EALGO_KEY=$(get_key 192);;
	cast5) EALGO_KEY=$(get_key 128);;
	blowfish) EALGO_KEY=$(get_key 448);;
	aes|twofish|camellia|serpent) EALGO_KEY=$(get_key 256);;
	*) tst_brk TBROK "unknown enc alg: $EALGO";;
	esac

	case $AALGO in
	sha1|rmd160) AALGO_KEY=$(get_key 160);;
	sha256) AALGO_KEY=$(get_key 256);;
	sha384) AALGO_KEY=$(get_key 384);;
	sha512) AALGO_KEY=$(get_key 512);;
	*) tst_brk TBROK "unknown auth alg: $AALGO";;
	esac

	SPI=${SPI:-1000}
	VTI_KEY=${VTI_KEY:-10}
	cleanup_vti=
	ALG=
	ALGR=

	if [ -n "$IPSEC_MODE" ]; then
		tst_net_run "tst_check_drivers xfrm_user" || \
			tst_brk TCONF "xfrm_user driver not available on lhost or rhost"
		cleanup_xfrm=1
	fi
}

TST_OPTS="l:m:p:s:S:k:A:e:a:c:r:"
TST_PARSE_ARGS=ipsec_lib_parse_args
TST_SETUP=${TST_SETUP:-ipsec_lib_setup}
TST_USAGE=ipsec_lib_usage
. tst_net.sh

get_key()
{
	local bits=$1
	local bytes=$(( $bits / 8))
	echo "0x$(hexdump -vn $bytes -e '1/1 "%02x"' /dev/urandom)"
}

tst_ipsec_setup()
{
	ipsec_lib_setup
	# Configure SAD/SPD
	if [ -n "$IPSEC_MODE" -a -n "$IPSEC_PROTO" ]; then
		tst_res TINFO "IPsec[$IPSEC_PROTO/$IPSEC_MODE]"
		tst_ipsec lhost $(tst_ipaddr) $(tst_ipaddr rhost)
		tst_ipsec rhost $(tst_ipaddr rhost) $(tst_ipaddr)
	fi
}

# tst_ipsec_cleanup: flush ipsec state and policy rules
tst_ipsec_cleanup()
{
	[ -z "$cleanup_xfrm" ] && return

	ip xfrm state flush
	ip xfrm policy flush
	tst_rhost_run -c "ip xfrm state flush && ip xfrm policy flush"

	if [ -n "$cleanup_vti" ]; then
		ip li del $cleanup_vti 2>/dev/null
		tst_rhost_run -c "ip li del $cleanup_vti 2>/dev/null"
	fi
}

ipsec_set_algoline()
{
	case $IPSEC_PROTO in
	ah)
		ALG='auth hmac('$AALGO') '$AALGO_KEY
		ALGR='auth hmac\('$AALGO'\) '$AALGO_KEY
		;;
	esp)
		ALG="enc $EALGO $EALGO_KEY auth "'hmac('$AALGO') '$AALGO_KEY
		ALGR="enc $EALGO $EALGO_KEY auth "'hmac\('$AALGO'\) '$AALGO_KEY
		;;
	esp_aead)
		case $AEALGO in
		rfc4106_128|rfc4106_192|rfc4106_256)
			ALG="aead "'rfc4106(gcm(aes))'" $AEALGO_KEY 128"
			ALGR="aead "'rfc4106\(gcm\(aes\)\)'" $AEALGO_KEY 128"
			;;
		rfc4309_128|rfc4309_192|rfc4309_256)
			ALG="aead "'rfc4309(ccm(aes))'" $AEALGO_KEY 128"
			ALGR="aead "'rfc4309\(ccm\(aes\)\)'" $AEALGO_KEY 128"
			;;
		rfc4543_128|rfc4543_192|rfc4543_256)
			ALG="aead "'rfc4543(gcm(aes))'" $AEALGO_KEY 128"
			ALGR="aead "'rfc4543\(gcm\(aes\)\)'" $AEALGO_KEY 128"
			;;
		esac
		;;
	comp)
		ALG="comp $CALGO"
		ALGR=$ALG
		;;
	*)
		tst_brk TCONF "tst_ipsec protocol mismatch"
		;;
	esac
}

# tst_ipsec target src_addr dst_addr: config ipsec
#
# target: target of the configuration host ( lhost / rhost )
# src_addr: source IP address
# dst_addr: destination IP address
tst_ipsec()
{
	if [ $# -ne 3 ]; then
		tst_brk TCONF "tst_ipsec parameter mismatch"
	fi

	local target=$1
	local src=$2
	local dst=$3
	local mode=$IPSEC_MODE
	local p="proto $IPSEC_PROTO"
	[ "$IPSEC_PROTO" = "esp_aead" ] && p="proto esp"

	ipsec_set_algoline

	if [ $target = lhost ]; then
		local spi_1="0x$SPI"
		local spi_2="0x$(( $SPI + 1 ))"
		TST_RTNL_CHK ip xfrm state add src $src dst $dst spi $spi_1 \
			$p $ALG mode $mode sel src $src dst $dst
		ROD ip xfrm state add src $dst dst $src spi $spi_2 \
			$p $ALG mode $mode sel src $dst dst $src

		ROD ip xfrm policy add src $src dst $dst dir out tmpl src $src \
			dst $dst $p mode $mode
		ROD ip xfrm policy add src $dst dst $src dir in tmpl src $dst \
			dst $src $p mode $mode level use
	elif [ $target = rhost ]; then
		local spi_1="0x$(( $SPI + 1 ))"
		local spi_2="0x$SPI"
		tst_rhost_run -s -c "ip xfrm state add src $src dst $dst \
			spi $spi_1 $p $ALGR mode $mode sel src $src dst $dst"
		tst_rhost_run -s -c "ip xfrm state add src $dst dst $src \
			spi $spi_2 $p $ALGR mode $mode sel src $dst dst $src"

		tst_rhost_run -s -c "ip xfrm policy add src $src dst $dst \
			dir out tmpl src $src dst $dst $p mode $mode"
		tst_rhost_run -s -c "ip xfrm policy add src $dst dst $src dir \
			in tmpl src $dst dst $src $p mode $mode level use"
	fi
}

# tst_ipsec_vti target src_addr dst_addr vti_name
#
# target: target of the configuration host ( lhost / rhost )
# src_addr: source IP address
# dst_addr: destination IP address
# vti_name: name of vti interface
tst_ipsec_vti()
{
	if [ $# -ne 4 ]; then
		tst_brk TCONF "tst_ipsec_vti parameter mismatch"
	fi

	local target=$1
	local src=$2
	local dst=$3
	local vti=$4
	local m="mode $IPSEC_MODE"
	local p="proto $IPSEC_PROTO"
	[ "$IPSEC_PROTO" = "esp_aead" ] && p="proto esp"

	local key="key $VTI_KEY"
	local mrk="mark $VTI_KEY"
	local type="type vti$TST_IPV6"
	local d="dev $(tst_iface)"
	local rd="dev $(tst_iface rhost)"

	ip li add type vti help 2>&1 | grep -q vti || \
		tst_brk TCONF "iproute doesn't support 'vti'"

	ipsec_set_algoline

	local o_dir="src $src dst $dst"
	local i_dir="src $dst dst $src"
	local ipx="ip -${TST_IPV6:-4} xf"

	cleanup_vti=$vti

	if [ $target = lhost ]; then
		TST_RTNL_CHK ip li add $vti $type local $src remote $dst $key $d
		ROD ip li set $vti up

		local spi_1="spi 0x$SPI"
		local spi_2="spi 0x$(( $SPI + 1 ))"
		TST_RTNL_CHK $ipx st add $o_dir $p $spi_1 $ALG $m
		ROD $ipx st add $i_dir $p $spi_2 $ALG $m
		ROD $ipx po add dir out tmpl $o_dir $p $m $mrk
		ROD $ipx po add dir in tmpl $i_dir $p $m $mrk
	elif [ $target = rhost ]; then
		tst_rhost_run -s -c \
			"ip li add $vti $type local $src remote $dst $key $rd"
		tst_rhost_run -s -c "ip li set $vti up"

		local spi_1="spi 0x$(( $SPI + 1 ))"
		local spi_2="spi 0x$SPI"
		tst_rhost_run -s -c "$ipx st add $o_dir $p $spi_1 $ALGR $m"
		tst_rhost_run -s -c "$ipx st add $i_dir $p $spi_2 $ALGR $m"
		tst_rhost_run -s -c "$ipx po add dir out tmpl $o_dir $p $m $mrk"
		tst_rhost_run -s -c "$ipx po add dir in tmpl $i_dir $p $m $mrk"
	fi
}

# Setup vti/vti6 interface for IPsec tunneling
# The function sets variables:
#  * tst_vti - vti interface name,
#  * ip_loc_tun - local IP address on vti interface
#  * ip_rmt_tun - remote IP address
tst_ipsec_setup_vti()
{
	ipsec_lib_setup

	if_loc=$(tst_iface)
	if_rmt=$(tst_iface rhost)

	ip_loc=$(tst_ipaddr)
	ip_rmt=$(tst_ipaddr rhost)

	tst_vti="ltp_vti0"

	tst_res TINFO "Test vti$TST_IPV6 + IPsec[$IPSEC_PROTO/$IPSEC_MODE]"

	tst_ipsec_vti lhost $ip_loc $ip_rmt $tst_vti
	tst_ipsec_vti rhost $ip_rmt $ip_loc $tst_vti

	local mask=
	if [ "$TST_IPV6" ]; then
		ip_loc_tun="${IPV6_NET32_UNUSED}::1";
		ip_rmt_tun="${IPV6_NET32_UNUSED}::2";
		mask=64
		ROD ip -6 route add ${IPV6_NET32_UNUSED}::/$mask dev $tst_vti
	else
		ip_loc_tun="${IPV4_NET16_UNUSED}.1.1";
		ip_rmt_tun="${IPV4_NET16_UNUSED}.1.2";
		mask=30
		ROD ip route add ${IPV4_NET16_UNUSED}.1.0/$mask dev $tst_vti
	fi

	tst_res TINFO "Add IPs to vti tunnel, " \
		       "loc: $ip_loc_tun/$mask, rmt: $ip_rmt_tun/$mask"

	ROD ip a add $ip_loc_tun/$mask dev $tst_vti nodad
	tst_rhost_run -s -c "ip a add $ip_rmt_tun/$mask dev $tst_vti"
}