X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec.c;h=d15bfec1b9eee1b2262dc89c8db379f62ea48bc2;hb=717de096c4d715eab6b783aaa28f26a9114925da;hp=cfe434ab457ed0377091c88c0ce0faed58067a38;hpb=d04b60bfa940e21ab4676a1cb3c15989748be40a;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index cfe434ab457..d15bfec1b9e 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -19,10 +19,15 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
+#include
+
+
+ipsec_main_t ipsec_main;
 u32
 ipsec_get_sa_index_by_sa_id (u32 sa_id)
@@ -130,20 +135,15 @@ ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add)
 static int
 ipsec_spd_entry_sort (void *a1, void *a2)
 {
- ipsec_main_t *im = &ipsec_main;
 u32 *id1 = a1;
 u32 *id2 = a2;
- ipsec_spd_t *spd;
+ ipsec_spd_t *spd = ipsec_main.spd_to_sort;
 ipsec_policy_t *p1, *p2;
- /* *INDENT-OFF* */
- pool_foreach (spd, im->spds, ({
- p1 = pool_elt_at_index(spd->policies, *id1);
- p2 = pool_elt_at_index(spd->policies, *id2);
- if (p1 && p2)
- return p2->priority - p1->priority;
- }));
- /* *INDENT-ON* */
+ p1 = pool_elt_at_index (spd->policies, *id1);
+ p2 = pool_elt_at_index (spd->policies, *id2);
+ if (p1 && p2)
+ return p2->priority - p1->priority;
 return 0;
 }
@@ -186,6 +186,8 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 clib_memcpy (vp, policy, sizeof (*vp));
 policy_index = vp - spd->policies;
+ ipsec_main.spd_to_sort = spd;
+
 if (policy->is_outbound)
 {
 if (policy->is_ipv6)
@@ -251,6 +253,7 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 }
 }
+ ipsec_main.spd_to_sort = NULL;
 }
 else
 {
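Review bot: `ipsec_spd_entry_sort` now dereferences `ipsec_main.spd_to_sort` unconditionally at `spd->policies`, so any sort invoked while the field is still NULL (a caller other than the -186/-251 path, or a nested policy add before the reset) faults instead of failing loudly; an `ASSERT (spd);` ahead of the two `pool_elt_at_index` calls would state that contract. The field is set to `spd` in the -186 hunk and cleared to NULL in the -251 hunk of `ipsec_add_del_policy`, which makes the comparator's input process-global scratch state; presumably policy adds are serialized on the main thread, but a one-line comment at the assignment, e.g. `/* comparator context for vec_sort_with_function; must be reset before return */`, would make the coupling visible to the next caller. Any early return between the set and the reset would leave a stale pointer behind, which is worth confirming against the body that sits outside these hunks. `ipsec_add_del_policy` starts and ends outside the hunks shown here.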
@@ -363,13 +366,13 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) {
 vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j);
 break;
+ }
 }
 }
 }
 }
 pool_put (spd->policies, vp);
 break;
- }
 }));
 /* *INDENT-ON* */
 }
@@ -377,7 +380,7 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 return 0;
 }
-static u8
+u8
 ipsec_is_sa_used (u32 sa_index)
 {
 ipsec_main_t *im = &ipsec_main;
@@ -414,6 +417,7 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
 ipsec_sa_t *sa = 0;
 uword *p;
 u32 sa_index;
+ clib_error_t *err;
 clib_warning ("id %u spi %u", new_sa->id, new_sa->spi);
@@ -433,9 +437,12 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
 return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */
 }
 hash_unset (im->sa_index_by_sa_id, sa->id);
- if (im->cb.add_del_sa_sess_cb &&
- im->cb.add_del_sa_sess_cb (sa_index, is_add) < 0)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ if (im->cb.add_del_sa_sess_cb)
+ {
+ err = im->cb.add_del_sa_sess_cb (sa_index, 0);
+ if (err)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
 pool_put (im->sad, sa);
 }
 else /* create new SA */
@@ -444,9 +451,12 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
 clib_memcpy (sa, new_sa, sizeof (*sa));
 sa_index = sa - im->sad;
 hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
- if (im->cb.add_del_sa_sess_cb &&
- im->cb.add_del_sa_sess_cb (sa_index, is_add) < 0)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ if (im->cb.add_del_sa_sess_cb)
+ {
+ err = im->cb.add_del_sa_sess_cb (sa_index, 1);
+ if (err)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
 }
 return 0;
 }
@@ -458,6 +468,7 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update)
 uword *p;
 u32 sa_index;
 ipsec_sa_t *sa = 0;
+ clib_error_t *err;
 p = hash_get (im->sa_index_by_sa_id, sa_update->id);
 if (!p)
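Review bot: Dropping `static` from `ipsec_is_sa_used` in the -377 hunk exports the symbol, so the header its new external callers include needs the matching prototype `u8 ipsec_is_sa_used (u32 sa_index);`; whether this commit adds it is not visible on this page, and without it the callers fall back to an implicit declaration. The body of `ipsec_is_sa_used` continues outside the hunk.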
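Review bot: In the -433 hunk the `clib_error_t *` returned by `add_del_sa_sess_cb` is tested and then dropped, so the error object and its message are leaked and the API caller only ever sees the generic `VNET_API_ERROR_SYSCALL_ERROR_1`; the same pattern is repeated in the -444 hunk and in the -482 hunk of `ipsec_set_sa_key`. Releasing it before returning, `clib_error_free (err);` immediately ahead of the `return`, or reporting it with `clib_error_report (err);` so the backend's diagnostic reaches the log, fixes both the leak and the lost context. The three identical blocks also suggest a small `static` helper taking `(sa_index, is_add)` that maps the error to the API return code; as a point of style, the delete and create branches pass the literals `0` and `1` where `is_add` is already in scope and would express the intent directly. `ipsec_add_del_sa` starts outside the -433 hunk.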
@@ -482,11 +493,14 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update)
 sa->integ_key_len = sa_update->integ_key_len;
 }
- if (sa->crypto_key_len + sa->integ_key_len > 0)
+ if (0 < sa_update->crypto_key_len || 0 < sa_update->integ_key_len)
 {
- if (im->cb.add_del_sa_sess_cb &&
- im->cb.add_del_sa_sess_cb (sa_index, 0) < 0)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ if (im->cb.add_del_sa_sess_cb)
+ {
+ err = im->cb.add_del_sa_sess_cb (sa_index, 0);
+ if (err)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
 }
 return 0;
@@ -516,8 +530,6 @@ ipsec_check_support (ipsec_sa_t * sa)
 return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
 if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
 return clib_error_return (0, "unsupported none integ-alg");
- if (sa->integ_alg == IPSEC_INTEG_ALG_AES_GCM_128)
- return clib_error_return (0, "unsupported aes-gcm-128 integ-alg");
 return 0;
 }
@@ -556,8 +568,18 @@ ipsec_init (vlib_main_t * vm)
 ASSERT (node);
 im->esp_decrypt_node_index = node->index;
+ node = vlib_get_node_by_name (vm, (u8 *) "ah-encrypt");
+ ASSERT (node);
+ im->ah_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah-decrypt");
+ ASSERT (node);
+ im->ah_decrypt_node_index = node->index;
+
 im->esp_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT;
 im->esp_decrypt_next_index = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+ im->ah_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH_ENCRYPT;
+ im->ah_decrypt_next_index = IPSEC_INPUT_NEXT_AH_DECRYPT;
 im->cb.check_support_cb = ipsec_check_support;
@@ -567,7 +589,7 @@ ipsec_init (vlib_main_t * vm)
 if ((error = vlib_call_init_function (vm, ipsec_tunnel_if_init)))
 return error;
- esp_init ();
+ ipsec_proto_init ();
 if ((error = ikev2_init (vm)))
 return error;
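Review bot: Removing the `IPSEC_INTEG_ALG_AES_GCM_128` rejection in the -516 hunk means `ipsec_check_support` now accepts an SA that pairs a non-GCM crypto algorithm with AES-GCM-128 as its integrity algorithm, while the line above still rejects AES-GCM-128 as a crypto algorithm for this backend; presumably the software ESP/AH nodes have no GCM integrity path, in which case such an SA is installed and its packets are processed with an integrity check the data plane cannot compute, which is a silent integrity failure rather than a configuration error. If the combination is handled elsewhere, a comment at the remaining GCM check, e.g. `/* GCM as integ-alg is validated by the proto nodes, not here */`, would record why the guard was dropped; otherwise the two removed lines should stay. `ipsec_check_support` starts outside the hunk.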
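Review bot: The new `ah-encrypt` and `ah-decrypt` lookups in the -556 hunk guard the result only with `ASSERT (node)` before `node->index`; if ASSERT is compiled out in release builds, as the existing esp lookups above also assume, a missing AH node becomes a NULL dereference during init instead of a reported error. Since `ipsec_init` returns `clib_error_t *` (see the `return error;` lines in the -567 hunk), `if (!node) return clib_error_return (0, "ah-encrypt node not found");` after each lookup, with the matching message for `ah-decrypt`, would fail init cleanly. `ipsec_init` starts and ends outside the hunk.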