dpdk: rework cryptodev ipsec build and setup

[vpp.git] / src / vnet / ipsec / ipsec_api.c

diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 30cc5bd..3073226 100644 (file)
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -26,7 +26,7 @@
 
 #include <vnet/vnet_msg_enum.h>
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
 #include <vnet/ipsec/ipsec.h>
 #include <vnet/ipsec/ikev2.h>
 #endif /* IPSEC */
@@ -63,7 +63,7 @@ _(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key)
 static void vl_api_ipsec_spd_add_del_t_handler
   (vl_api_ipsec_spd_add_del_t * mp)
 {
-#if IPSEC == 0
+#if WITH_LIBSSL == 0
   clib_warning ("unimplemented");
 #else
 
@@ -95,7 +95,7 @@ static void vl_api_ipsec_interface_add_del_spd_t_handler
 
   VALIDATE_SW_IF_INDEX (mp);
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
@@ -113,7 +113,7 @@ static void vl_api_ipsec_spd_add_del_entry_t_handler
   vl_api_ipsec_spd_add_del_entry_reply_t *rmp;
   int rv;
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   ipsec_policy_t p;
 
   memset (&p, 0, sizeof (p));
@@ -176,7 +176,8 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
   int rv;
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
+  ipsec_main_t *im = &ipsec_main;
   ipsec_sa_t sa;
 
   memset (&sa, 0, sizeof (sa));
@@ -204,11 +205,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
   sa.crypto_key_len = mp->crypto_key_length;
   clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
   /* check for unsupported integ-alg */
-#if DPDK_CRYPTO==1
   if (mp->integrity_algorithm < IPSEC_INTEG_ALG_NONE ||
-#else
-  if (mp->integrity_algorithm < IPSEC_INTEG_ALG_SHA1_96 ||
-#endif
       mp->integrity_algorithm >= IPSEC_INTEG_N_ALG)
     {
       clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
@@ -217,35 +214,6 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
       goto out;
     }
 
-#if DPDK_CRYPTO==1
-  /*Special cases, aes-gcm-128 encryption */
-  if (mp->crypto_algorithm == IPSEC_CRYPTO_ALG_AES_GCM_128)
-    {
-      if (mp->integrity_algorithm != IPSEC_INTEG_ALG_NONE
-         && mp->integrity_algorithm != IPSEC_INTEG_ALG_AES_GCM_128)
-       {
-         clib_warning
-           ("unsupported: aes-gcm-128 crypto-alg needs none as integ-alg");
-         rv = VNET_API_ERROR_UNIMPLEMENTED;
-         goto out;
-       }
-      else                     /*set integ-alg internally to aes-gcm-128 */
-       mp->integrity_algorithm = IPSEC_INTEG_ALG_AES_GCM_128;
-    }
-  else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_AES_GCM_128)
-    {
-      clib_warning ("unsupported integ-alg: aes-gcm-128");
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-  else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_NONE)
-    {
-      clib_warning ("unsupported integ-alg: none");
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-    }
-#endif
-
   sa.integ_alg = mp->integrity_algorithm;
   sa.integ_key_len = mp->integrity_key_length;
   clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
@@ -263,6 +231,15 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
       clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
     }
 
+  ASSERT (im->cb.check_support_cb);
+  clib_error_t *err = im->cb.check_support_cb (&sa);
+  if (err)
+    {
+      clib_warning ("%s", err->what);
+      rv = VNET_API_ERROR_UNIMPLEMENTED;
+      goto out;
+    }
+
   rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
@@ -324,7 +301,7 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
   ipsec_spd_t *spd;
   uword *p;
   u32 spd_index;
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   q = vl_api_client_index_to_input_queue (mp->client_index);
   if (q == 0)
     return;
@@ -355,7 +332,7 @@ vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp)
   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_sa_set_key_reply_t *rmp;
   int rv;
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   ipsec_sa_t sa;
   sa.id = ntohl (mp->sa_id);
   sa.crypto_key_len = mp->crypto_key_length;
@@ -377,7 +354,7 @@ vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
   vl_api_ikev2_profile_add_del_reply_t *rmp;
   int rv = 0;
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   vlib_main_t *vm = vlib_get_main ();
   clib_error_t *error;
   u8 *tmp = format (0, "%s", mp->name);
@@ -399,7 +376,7 @@ static void
   vl_api_ikev2_profile_set_auth_reply_t *rmp;
   int rv = 0;
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   vlib_main_t *vm = vlib_get_main ();
   clib_error_t *error;
   u8 *tmp = format (0, "%s", mp->name);
@@ -423,7 +400,7 @@ vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp)
   vl_api_ikev2_profile_add_del_reply_t *rmp;
   int rv = 0;
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   vlib_main_t *vm = vlib_get_main ();
   clib_error_t *error;
   u8 *tmp = format (0, "%s", mp->name);
@@ -447,7 +424,7 @@ vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp)
   vl_api_ikev2_profile_set_ts_reply_t *rmp;
   int rv = 0;
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   vlib_main_t *vm = vlib_get_main ();
   clib_error_t *error;
   u8 *tmp = format (0, "%s", mp->name);
@@ -470,7 +447,7 @@ vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp)
   vl_api_ikev2_profile_set_ts_reply_t *rmp;
   int rv = 0;
 
-#if IPSEC > 0
+#if WITH_LIBSSL > 0
   vlib_main_t *vm = vlib_get_main ();
   clib_error_t *error;