_(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \
_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
_(IPSEC_SPD_DUMP, ipsec_spd_dump) \
+_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
-_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key)
+_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
+_(IKEV2_SET_RESPONDER, ikev2_set_responder) \
+_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
+_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
+_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
+_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
+_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
+_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
+_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa)
static void vl_api_ipsec_spd_add_del_t_handler
(vl_api_ipsec_spd_add_del_t * mp)
vl_api_ipsec_spd_add_del_reply_t *rmp;
int rv;
-#if DPDK > 0
rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
#endif
vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
int rv;
#if WITH_LIBSSL > 0
+ ipsec_main_t *im = &ipsec_main;
ipsec_sa_t sa;
memset (&sa, 0, sizeof (sa));
sa.crypto_key_len = mp->crypto_key_length;
clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
/* check for unsupported integ-alg */
-#if DPDK_CRYPTO==1
- if (mp->integrity_algorithm < IPSEC_INTEG_ALG_NONE ||
-#else
- if (mp->integrity_algorithm < IPSEC_INTEG_ALG_SHA1_96 ||
-#endif
- mp->integrity_algorithm >= IPSEC_INTEG_N_ALG)
+ if (mp->integrity_algorithm >= IPSEC_INTEG_N_ALG)
{
clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
mp->integrity_algorithm);
goto out;
}
-#if DPDK_CRYPTO==1
- /*Special cases, aes-gcm-128 encryption */
- if (mp->crypto_algorithm == IPSEC_CRYPTO_ALG_AES_GCM_128)
- {
- if (mp->integrity_algorithm != IPSEC_INTEG_ALG_NONE
- && mp->integrity_algorithm != IPSEC_INTEG_ALG_AES_GCM_128)
- {
- clib_warning
- ("unsupported: aes-gcm-128 crypto-alg needs none as integ-alg");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
- else /*set integ-alg internally to aes-gcm-128 */
- mp->integrity_algorithm = IPSEC_INTEG_ALG_AES_GCM_128;
- }
- else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_AES_GCM_128)
- {
- clib_warning ("unsupported integ-alg: aes-gcm-128");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
- else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_NONE)
- {
- clib_warning ("unsupported integ-alg: none");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
-#endif
-
sa.integ_alg = mp->integrity_algorithm;
sa.integ_key_len = mp->integrity_key_length;
clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
}
+ ASSERT (im->cb.check_support_cb);
+ clib_error_t *err = im->cb.check_support_cb (&sa);
+ if (err)
+ {
+ clib_warning ("%s", err->what);
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+
rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
#else
rv = VNET_API_ERROR_UNIMPLEMENTED;
REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
}
+static void
+vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
+ mp)
+{
+ vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ ipsec_add_del_tunnel_args_t tun;
+
+ memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
+
+ tun.is_add = mp->is_add;
+ tun.esn = mp->esn;
+ tun.anti_replay = mp->anti_replay;
+ tun.local_spi = ntohl (mp->local_spi);
+ tun.remote_spi = ntohl (mp->remote_spi);
+ tun.crypto_alg = mp->crypto_alg;
+ tun.local_crypto_key_len = mp->local_crypto_key_len;
+ tun.remote_crypto_key_len = mp->remote_crypto_key_len;
+ tun.integ_alg = mp->integ_alg;
+ tun.local_integ_key_len = mp->local_integ_key_len;
+ tun.remote_integ_key_len = mp->remote_integ_key_len;
+ memcpy (&tun.local_ip, mp->local_ip, 4);
+ memcpy (&tun.remote_ip, mp->remote_ip, 4);
+ memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
+ mp->local_crypto_key_len);
+ memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
+ mp->remote_crypto_key_len);
+ memcpy (&tun.local_integ_key, &mp->local_integ_key,
+ mp->local_integ_key_len);
+ memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
+ mp->remote_integ_key_len);
+
+ rv = ipsec_add_del_tunnel_if (&tun);
+
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY);
+}
+
static void
vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
{
REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
}
+static void
+vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp)
+{
+ vl_api_ikev2_set_responder_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+ ip4_address_t ip4;
+ clib_memcpy (&ip4, mp->address, sizeof (ip4));
+
+ error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
+}
+
+static void
+vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t *
+ mp)
+{
+ vl_api_ikev2_set_ike_transforms_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
+ mp->dh_group, mp->crypto_key_size);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_esp_transforms_t_handler (vl_api_ikev2_set_esp_transforms_t *
+ mp)
+{
+ vl_api_ikev2_set_esp_transforms_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_esp_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
+ mp->dh_group, mp->crypto_key_size);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_sa_lifetime_t_handler (vl_api_ikev2_set_sa_lifetime_t * mp)
+{
+ vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_sa_lifetime (vm, tmp, mp->lifetime, mp->lifetime_jitter,
+ mp->handover, mp->lifetime_maxdata);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
+}
+
+static void
+vl_api_ikev2_initiate_sa_init_t_handler (vl_api_ikev2_initiate_sa_init_t * mp)
+{
+ vl_api_ikev2_initiate_sa_init_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error = ikev2_initiate_sa_init (vm, tmp);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
+}
+
+static void
+vl_api_ikev2_initiate_del_ike_sa_t_handler (vl_api_ikev2_initiate_del_ike_sa_t
+ * mp)
+{
+ vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
+}
+
+static void
+ vl_api_ikev2_initiate_del_child_sa_t_handler
+ (vl_api_ikev2_initiate_del_child_sa_t * mp)
+{
+ vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
+}
+
+static void
+ vl_api_ikev2_initiate_rekey_child_sa_t_handler
+ (vl_api_ikev2_initiate_rekey_child_sa_t * mp)
+{
+ vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
+}
+
/*
* ipsec_api_hookup
* Add vpe's API message handlers to the table.