+static void
+vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
+ mp)
+{
+ vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ u32 sw_if_index = ~0;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ ipsec_add_del_tunnel_args_t tun;
+
+ clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
+
+ tun.is_add = mp->is_add;
+ tun.esn = mp->esn;
+ tun.anti_replay = mp->anti_replay;
+ tun.local_spi = ntohl (mp->local_spi);
+ tun.remote_spi = ntohl (mp->remote_spi);
+ tun.crypto_alg = mp->crypto_alg;
+ tun.local_crypto_key_len = mp->local_crypto_key_len;
+ tun.remote_crypto_key_len = mp->remote_crypto_key_len;
+ tun.integ_alg = mp->integ_alg;
+ tun.local_integ_key_len = mp->local_integ_key_len;
+ tun.remote_integ_key_len = mp->remote_integ_key_len;
+ tun.udp_encap = mp->udp_encap;
+ tun.tx_table_id = ntohl (mp->tx_table_id);
+ memcpy (&tun.local_ip.ip4, mp->local_ip, 4);
+ memcpy (&tun.remote_ip.ip4, mp->remote_ip, 4);
+ memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
+ mp->local_crypto_key_len);
+ memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
+ mp->remote_crypto_key_len);
+ memcpy (&tun.local_integ_key, &mp->local_integ_key,
+ mp->local_integ_key_len);
+ memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
+ mp->remote_integ_key_len);
+ tun.renumber = mp->renumber;
+ tun.show_instance = ntohl (mp->show_instance);
+
+ rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
+
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
+ ({
+ rmp->sw_if_index = htonl (sw_if_index);
+ }));
+ /* *INDENT-ON* */
+}
+
+static void
+send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
+ u32 context, u32 sw_if_index)
+{
+ vl_api_ipsec_sa_details_t *mp;
+
+ mp = vl_msg_api_alloc (sizeof (*mp));
+ clib_memset (mp, 0, sizeof (*mp));
+ mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
+ mp->context = context;
+
+ mp->entry.sad_id = htonl (sa->id);
+ mp->entry.spi = htonl (sa->spi);
+ mp->entry.protocol = ipsec_proto_encode (sa->protocol);
+ mp->entry.tx_table_id =
+ htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
+
+ mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
+ ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
+
+ mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
+ ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
+
+ mp->entry.flags = ipsec_sad_flags_encode (sa);
+
+ if (sa->is_tunnel)
+ {
+ ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_src);
+ ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_dst);
+ }
+
+ mp->sw_if_index = htonl (sw_if_index);
+ mp->salt = clib_host_to_net_u32 (sa->salt);
+ mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
+ mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
+ if (sa->use_esn)
+ {
+ mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
+ mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
+ }
+ if (sa->use_anti_replay)
+ mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
+
+ vl_api_send_msg (reg, (u8 *) mp);
+}
+
+
+static void
+vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
+{
+ vl_api_registration_t *reg;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ ipsec_sa_t *sa;
+ ipsec_tunnel_if_t *t;
+ u32 *sa_index_to_tun_if_index = 0;
+
+#if WITH_LIBSSL > 0
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg || pool_elts (im->sad) == 0)
+ return;
+
+ vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
+ ~0);
+
+ /* *INDENT-OFF* */
+ pool_foreach (t, im->tunnel_interfaces,
+ ({
+ vnet_hw_interface_t *hi;
+ u32 sw_if_index = ~0;
+
+ hi = vnet_get_hw_interface (vnm, t->hw_if_index);
+ sw_if_index = hi->sw_if_index;
+ sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
+ sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
+ }));
+
+ pool_foreach (sa, im->sad,
+ ({
+ if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
+ send_ipsec_sa_details (sa, reg, mp->context,
+ sa_index_to_tun_if_index[sa - im->sad]);
+ }));
+ /* *INDENT-ON* */
+
+ vec_free (sa_index_to_tun_if_index);
+#else
+ clib_warning ("unimplemented");
+#endif
+}
+
+
+static void
+vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
+ mp)
+{
+ vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ vnet_sw_interface_t *sw;
+ u8 *key = 0;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
+
+ switch (mp->key_type)
+ {
+ case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO:
+ case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO:
+ if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
+ mp->alg >= IPSEC_CRYPTO_N_ALG)
+ {
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+ break;
+ case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG:
+ case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG:
+ if (mp->alg >= IPSEC_INTEG_N_ALG)
+ {
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+ break;
+ case IPSEC_IF_SET_KEY_TYPE_NONE:
+ default:
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ break;
+ }
+
+ key = vec_new (u8, mp->key_len);
+ clib_memcpy (key, mp->key, mp->key_len);
+
+ rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
+ key);
+ vec_free (key);
+#else
+ clib_warning ("unimplemented");
+#endif
+
+out:
+ REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
+}
+
+
+static void
+vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
+{
+ vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ vnet_sw_interface_t *sw;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
+
+ rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
+ mp->is_outbound);
+#else
+ clib_warning ("unimplemented");
+#endif
+
+ REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
+}
+
+