X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=2c7c0d9626d97f4de0af15e9e0104c5f3533dd16;hb=f2922422d972644e67d1ca989e40cd0100ecb06d;hp=e6f5bd31428798a597b81a064946aeb98df8f55b;hpb=231c4696872cb344f28648949603840136c0795d;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index e6f5bd31428..2c7c0d9626d 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -53,13 +53,11 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ -_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \ _(IPSEC_SA_DUMP, ipsec_sa_dump) \ _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ _(IPSEC_SPD_DUMP, ipsec_spd_dump) \ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ -_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \ _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) @@ -207,7 +205,7 @@ ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out) *out = IPSEC_PROTOCOL_AH; return (0); } - return (VNET_API_ERROR_UNIMPLEMENTED); + return (VNET_API_ERROR_INVALID_PROTOCOL); } static vl_api_ipsec_proto_t @@ -237,7 +235,7 @@ ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in, foreach_ipsec_crypto_alg #undef _ } - return (VNET_API_ERROR_UNIMPLEMENTED); + return (VNET_API_ERROR_INVALID_ALGORITHM); } static vl_api_ipsec_crypto_alg_t @@ -270,7 +268,7 @@ ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out) foreach_ipsec_integ_alg #undef _ } - return (VNET_API_ERROR_UNIMPLEMENTED); + return (VNET_API_ERROR_INVALID_ALGORITHM); } static vl_api_ipsec_integ_alg_t @@ -308,11 +306,18 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in) ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE; in = clib_net_to_host_u32 (in); -#define _(v,f,s) if (in & IPSEC_API_SAD_FLAG_##f) \ - flags |= IPSEC_SA_FLAG_##f; - foreach_ipsec_sa_flags -#undef _ - return (flags); + if (in & IPSEC_API_SAD_FLAG_USE_ESN) + flags |= IPSEC_SA_FLAG_USE_ESN; + if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY) + flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; + if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL) + flags |= IPSEC_SA_FLAG_IS_TUNNEL; + if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6) + flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6; + if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP) + flags |= IPSEC_SA_FLAG_UDP_ENCAP; + + return (flags); } static vl_api_ipsec_sad_flags_t @@ -320,15 +325,15 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa) { vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE; - if (sa->use_esn) - flags |= IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM; - if (sa->use_anti_replay) + if (ipsec_sa_is_set_USE_ESN (sa)) + flags |= IPSEC_API_SAD_FLAG_USE_ESN; + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY; - if (sa->is_tunnel) + if (ipsec_sa_is_set_IS_TUNNEL (sa)) flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL; - if (sa->is_tunnel_ip6) + if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa)) flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6; - if (sa->udp_encap) + if (ipsec_sa_is_set_UDP_ENCAP (sa)) flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP; return clib_host_to_net_u32 (flags); @@ -378,12 +383,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler ip_address_decode (&mp->entry.tunnel_src, &tun_src); ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); - if (mp->is_add) rv = ipsec_sa_add (id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags, - 0, &tun_src, &tun_dst, &sa_index); + 0, mp->entry.salt, &tun_src, &tun_dst, &sa_index); else rv = ipsec_sa_del (id); @@ -585,29 +589,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t * #endif } -static void -vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp) -{ - vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_sa_set_key_reply_t *rmp; - ipsec_key_t ck, ik; - u32 id; - int rv; -#if WITH_LIBSSL > 0 - - id = ntohl (mp->sa_id); - - ipsec_key_decode (&mp->crypto_key, &ck); - ipsec_key_decode (&mp->integrity_key, &ik); - - rv = ipsec_set_sa_key (id, &ck, &ik); -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY); -} - static void vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * mp) @@ -616,6 +597,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * ipsec_main_t *im = &ipsec_main; vnet_main_t *vnm = im->vnet_main; u32 sw_if_index = ~0; + ip46_type_t itype; int rv; #if WITH_LIBSSL > 0 @@ -636,8 +618,10 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * tun.remote_integ_key_len = mp->remote_integ_key_len; tun.udp_encap = mp->udp_encap; tun.tx_table_id = ntohl (mp->tx_table_id); - memcpy (&tun.local_ip.ip4, mp->local_ip, 4); - memcpy (&tun.remote_ip.ip4, mp->remote_ip, 4); + tun.salt = mp->salt; + itype = ip_address_decode (&mp->local_ip, &tun.local_ip); + itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip); + tun.is_ip6 = (IP46_TYPE_IP6 == itype); memcpy (&tun.local_crypto_key, &mp->local_crypto_key, mp->local_crypto_key_len); memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key, @@ -688,7 +672,7 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg, mp->entry.flags = ipsec_sad_flags_encode (sa); - if (sa->is_tunnel) + if (ipsec_sa_is_set_IS_TUNNEL (sa)) { ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY, &mp->entry.tunnel_src); @@ -700,12 +684,12 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg, mp->salt = clib_host_to_net_u32 (sa->salt); mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); - if (sa->use_esn) + if (ipsec_sa_is_set_USE_ESN (sa)) { mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); } - if (sa->use_anti_replay) + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) mp->replay_window = clib_host_to_net_u64 (sa->replay_window); vl_api_send_msg (reg, (u8 *) mp); @@ -756,62 +740,6 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) #endif } - -static void -vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t * - mp) -{ - vl_api_ipsec_tunnel_if_set_key_reply_t *rmp; - ipsec_main_t *im = &ipsec_main; - vnet_main_t *vnm = im->vnet_main; - vnet_sw_interface_t *sw; - u8 *key = 0; - int rv; - -#if WITH_LIBSSL > 0 - sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index)); - - switch (mp->key_type) - { - case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO: - case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO: - if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 || - mp->alg >= IPSEC_CRYPTO_N_ALG) - { - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - break; - case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG: - case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG: - if (mp->alg >= IPSEC_INTEG_N_ALG) - { - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - break; - case IPSEC_IF_SET_KEY_TYPE_NONE: - default: - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - break; - } - - key = vec_new (u8, mp->key_len); - clib_memcpy (key, mp->key, mp->key_len); - - rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg, - key); - vec_free (key); -#else - clib_warning ("unimplemented"); -#endif - -out: - REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY); -} - - static void vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) { @@ -900,23 +828,13 @@ vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp) switch (protocol) { case IPSEC_PROTOCOL_ESP: - if (pool_is_free_index (im->esp_backends, mp->index)) - { - rv = VNET_API_ERROR_INVALID_VALUE; - break; - } - ipsec_select_esp_backend (im, mp->index); + rv = ipsec_select_esp_backend (im, mp->index); break; case IPSEC_PROTOCOL_AH: - if (pool_is_free_index (im->ah_backends, mp->index)) - { - rv = VNET_API_ERROR_INVALID_VALUE; - break; - } - ipsec_select_ah_backend (im, mp->index); + rv = ipsec_select_ah_backend (im, mp->index); break; default: - rv = VNET_API_ERROR_INVALID_VALUE; + rv = VNET_API_ERROR_INVALID_PROTOCOL; break; } #else