X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec.c;h=ab3c83b02f5ca344ff6a5942f1f2621e879f5e54;hb=430ac939d115b59e3f7f704645c6f88878223e1b;hp=ee85c402e868e7056472256c30f192b2d25b7e8e;hpb=7cd468a3d7dee7d6c92f69a0bb7061ae208ec727;p=vpp.git diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index ee85c402e86..ab3c83b02f5 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -22,23 +22,10 @@ #include #include - -#if DPDK_CRYPTO==1 -#include -#define ESP_NODE "dpdk-esp-encrypt" -#else #include -#define ESP_NODE "esp-encrypt" -#endif +#include -#if DPDK_CRYPTO==0 -/* dummy function */ -static int -add_del_sa_sess (u32 sa_index, u8 is_add) -{ - return 0; -} -#endif +ipsec_main_t ipsec_main; u32 ipsec_get_sa_index_by_sa_id (u32 sa_id) @@ -393,7 +380,7 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add) return 0; } -static u8 +u8 ipsec_is_sa_used (u32 sa_index) { ipsec_main_t *im = &ipsec_main; @@ -430,6 +417,7 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add) ipsec_sa_t *sa = 0; uword *p; u32 sa_index; + clib_error_t *err; clib_warning ("id %u spi %u", new_sa->id, new_sa->spi); @@ -449,7 +437,12 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add) return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */ } hash_unset (im->sa_index_by_sa_id, sa->id); - add_del_sa_sess (sa_index, is_add); + if (im->cb.add_del_sa_sess_cb) + { + err = im->cb.add_del_sa_sess_cb (sa_index, 0); + if (err) + return VNET_API_ERROR_SYSCALL_ERROR_1; + } pool_put (im->sad, sa); } else /* create new SA */ 
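Review bot: Dropping `static` from `ipsec_is_sa_used` gives it external linkage, but no prototype appears in this hunk, so a declaration must exist in the module header for other translation units to call it (and `-Wmissing-prototypes` will otherwise warn on this definition). Since it is now part of the module's interface, a Doxygen comment on that declaration would help, along the lines of `/** Return non-zero when a policy still references the SA at @a sa_index; presumably 0 otherwise. */` — the exact return contract is not visible in this hunk, so confirm it against the body. The function's body continues outside the hunk.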
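Review bot: In the delete branch of `ipsec_add_del_sa`, `hash_unset` runs before `add_del_sa_sess_cb`, so when the callback fails the function returns with the SA removed from `sa_index_by_sa_id` but still present in `im->sad`: it can no longer be found or deleted by id, yet its key material stays resident in the pool. Invoking the callback first keeps the lookup table and the pool consistent on failure. The `clib_error_t` returned by the callback is also dropped on every error path here, in the create branch of this function and in `ipsec_set_sa_key`, which leaks the allocation and discards the backend's message; `clib_error_report (err)` (or `clib_error_free`) before returning the API error fixes that in all three places. The function starts outside the hunk.
```c
      if (im->cb.add_del_sa_sess_cb)
        {
          err = im->cb.add_del_sa_sess_cb (sa_index, 0);
          if (err)
            {
              clib_error_report (err);
              return VNET_API_ERROR_SYSCALL_ERROR_1;
            }
        }
      hash_unset (im->sa_index_by_sa_id, sa->id);
      pool_put (im->sad, sa);
```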
@@ -458,8 +451,12 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add) clib_memcpy (sa, new_sa, sizeof (*sa)); sa_index = sa - im->sad; hash_set (im->sa_index_by_sa_id, sa->id, sa_index); - if (add_del_sa_sess (sa_index, is_add) < 0) - return VNET_API_ERROR_SYSCALL_ERROR_1; + if (im->cb.add_del_sa_sess_cb) + { + err = im->cb.add_del_sa_sess_cb (sa_index, 1); + if (err) + return VNET_API_ERROR_SYSCALL_ERROR_1; + } } return 0; } @@ -471,6 +468,7 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update) uword *p; u32 sa_index; ipsec_sa_t *sa = 0; + clib_error_t *err; p = hash_get (im->sa_index_by_sa_id, sa_update->id); if (!p) @@ -495,10 +493,14 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update) sa->integ_key_len = sa_update->integ_key_len; } - if (sa->crypto_key_len + sa->integ_key_len > 0) + if (0 < sa_update->crypto_key_len || 0 < sa_update->integ_key_len) { - if (add_del_sa_sess (sa_index, 0) < 0) - return VNET_API_ERROR_SYSCALL_ERROR_1; + if (im->cb.add_del_sa_sess_cb) + { + err = im->cb.add_del_sa_sess_cb (sa_index, 0); + if (err) + return VNET_API_ERROR_SYSCALL_ERROR_1; + } } return 0; @@ -521,6 +523,17 @@ ipsec_rand_seed (void) RAND_seed ((const void *) &seed_data, sizeof (seed_data)); } +static clib_error_t * +ipsec_check_support (ipsec_sa_t * sa) +{ + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) + return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg"); + if (sa->integ_alg == IPSEC_INTEG_ALG_NONE) + return clib_error_return (0, "unsupported none integ-alg"); + + return 0; +} + static clib_error_t * ipsec_init (vlib_main_t * vm) { 
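Review bot: In the create branch of `ipsec_add_del_sa`, when `add_del_sa_sess_cb` fails the function returns an error but leaves the freshly copied SA in `im->sad` and registered in `sa_index_by_sa_id`, so the control plane now holds an SA whose backend session was never created; a later delete of the same id would presumably call the callback with is_add 0 for a session that does not exist. Undoing both registrations before returning leaves no trace of a failed add. The function starts outside the hunk.
```c
          err = im->cb.add_del_sa_sess_cb (sa_index, 1);
          if (err)
            {
              clib_error_report (err);
              hash_unset (im->sa_index_by_sa_id, sa->id);
              pool_put (im->sad, sa);
              return VNET_API_ERROR_SYSCALL_ERROR_1;
            }
```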
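Review bot: In `ipsec_set_sa_key`, the new keys and lengths are already written into `sa` (the `sa->integ_key_len = sa_update->integ_key_len;` line at the top of the hunk and the lines above it) before `add_del_sa_sess_cb` is invoked, so a callback failure leaves the SA table holding keys the backend never took while the caller only receives `VNET_API_ERROR_SYSCALL_ERROR_1`. If the backend session cannot be rebuilt the previous key material should be restored, or at minimum the divergence documented at the call: `/* NOTE: on callback failure sa already holds the new keys but the backend session was not refreshed */`. The enclosing function starts outside the hunk.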
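Review bot: `ipsec_check_support` carries no comment saying what it decides or who calls it, and its two rejections read as arbitrary without that context. A header comment such as `/* Reject SA algorithm choices this implementation cannot process: AES-GCM-128 as crypto-alg and a missing integrity algorithm. Returns a clib_error_t describing the rejection, or 0 when the SA is acceptable. */` would document the contract. Whether it also needs to reject out-of-range enum values arriving from the API is not visible here and worth confirming.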
@@ -547,14 +560,28 @@ ipsec_init (vlib_main_t * vm) ASSERT (node); im->error_drop_node_index = node->index; - node = vlib_get_node_by_name (vm, (u8 *) ESP_NODE); - + node = vlib_get_node_by_name (vm, (u8 *) "esp-encrypt"); ASSERT (node); im->esp_encrypt_node_index = node->index; - node = vlib_get_node_by_name (vm, (u8 *) "ip4-lookup"); + node = vlib_get_node_by_name (vm, (u8 *) "esp-decrypt"); ASSERT (node); - im->ip4_lookup_node_index = node->index; + im->esp_decrypt_node_index = node->index; + + node = vlib_get_node_by_name (vm, (u8 *) "ah-encrypt"); + ASSERT (node); + im->ah_encrypt_node_index = node->index; + + node = vlib_get_node_by_name (vm, (u8 *) "ah-decrypt"); + ASSERT (node); + im->ah_decrypt_node_index = node->index; + + im->esp_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT; + im->esp_decrypt_next_index = IPSEC_INPUT_NEXT_ESP_DECRYPT; + im->ah_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH_ENCRYPT; + im->ah_decrypt_next_index = IPSEC_INPUT_NEXT_AH_DECRYPT; + + im->cb.check_support_cb = ipsec_check_support; if ((error = vlib_call_init_function (vm, ipsec_cli_init))) return error; @@ -562,7 +589,7 @@ ipsec_init (vlib_main_t * vm) if ((error = vlib_call_init_function (vm, ipsec_tunnel_if_init))) return error; - esp_init (); + ipsec_proto_init (); if ((error = ikev2_init (vm))) return error;
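Review bot: The new `ah-encrypt`/`ah-decrypt` lookups in `ipsec_init` rely solely on `ASSERT (node)` before dereferencing `node->index`, following the existing pattern above them; in builds where ASSERT is compiled out a missing node becomes a null dereference at init rather than a diagnosable failure. Since `ipsec_init` returns `clib_error_t *`, each lookup could fail explicitly instead, e.g. `if (!node) return clib_error_return (0, "ah-encrypt node not found");`. The rest of the function, including the declaration of `error`, is outside the hunk.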