X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=371e4fe4ed0d30552958286cdff5dc263e035c3f;hb=495d7ffbc82823edccabab960fc81a909f80075d;hp=753d7530de45ac32ccee9ca0f4301d03a658d282;hpb=e524d45eff40c773049e03ea5063216b469bbfcc;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 753d7530de4..371e4fe4ed0 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -30,6 +30,7 @@ #if WITH_LIBSSL > 0 #include +#include #endif /* IPSEC */ #define vl_typedefs /* define message structures */ @@ -53,16 +54,17 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ -_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \ _(IPSEC_SA_DUMP, ipsec_sa_dump) \ _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ _(IPSEC_SPD_DUMP, ipsec_spd_dump) \ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ -_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \ _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ -_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) +_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \ +_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \ +_(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \ +_(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump) static void vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp) 
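Review bot: Dropping IPSEC_SA_SET_KEY and IPSEC_TUNNEL_IF_SET_KEY from foreach_vpe_api_msg removes in-place key rotation from the binary API, and nothing in the table says what clients should use instead. A short comment next to the new entries would record the intended path, e.g. `/* key changes: add an SA with the new keys and re-point the tunnel via IPSEC_TUNNEL_PROTECT_UPDATE or IPSEC_TUNNEL_IF_SET_SA */`, assuming that is the design. Clients still sending the removed message IDs will presumably be rejected as unknown messages rather than get an IPsec error, which is worth stating in the commit message as an incompatible API change.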
@@ -106,6 +108,132 @@ static void vl_api_ipsec_interface_add_del_spd_t_handler REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY); } +static void vl_api_ipsec_tunnel_protect_update_t_handler + (vl_api_ipsec_tunnel_protect_update_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_tunnel_protect_update_reply_t *rmp; + u32 sw_if_index, ii, *sa_ins = NULL; + int rv; + + sw_if_index = ntohl (mp->tunnel.sw_if_index); + + VALIDATE_SW_IF_INDEX (&(mp->tunnel)); + +#if WITH_LIBSSL > 0 + + for (ii = 0; ii < mp->tunnel.n_sa_in; ii++) + vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii])); + + rv = ipsec_tun_protect_update (sw_if_index, + ntohl (mp->tunnel.sa_out), sa_ins); +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY); +} + +static void vl_api_ipsec_tunnel_protect_del_t_handler + (vl_api_ipsec_tunnel_protect_del_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_tunnel_protect_del_reply_t *rmp; + int rv; + u32 sw_if_index; + + sw_if_index = ntohl (mp->sw_if_index); + + VALIDATE_SW_IF_INDEX (mp); + +#if WITH_LIBSSL > 0 + rv = ipsec_tun_protect_del (sw_if_index); +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY); +} + +typedef struct ipsec_tunnel_protect_walk_ctx_t_ +{ + vl_api_registration_t *reg; + u32 context; +} ipsec_tunnel_protect_walk_ctx_t; + +static walk_rc_t +send_ipsec_tunnel_protect_details (index_t itpi, void *arg) +{ + ipsec_tunnel_protect_walk_ctx_t *ctx = arg; + vl_api_ipsec_tunnel_protect_details_t *mp; + ipsec_tun_protect_t *itp; + u32 sai, ii = 0; + + itp = ipsec_tun_protect_get (itpi); + + + mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS); + mp->context = ctx->context; + + 
mp->tun.sw_if_index = htonl (itp->itp_sw_if_index); + + mp->tun.sa_out = htonl (itp->itp_out_sa); + mp->tun.n_sa_in = itp->itp_n_sa_in; + /* *INDENT-OFF* */ + FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai, + ({ + mp->tun.sa_in[ii++] = htonl (sai); + })); + /* *INDENT-ON* */ + + vl_api_send_msg (ctx->reg, (u8 *) mp); + + return (WALK_CONTINUE); +} + +static void +vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t + * mp) +{ + vl_api_registration_t *reg; + u32 sw_if_index; + +#if WITH_LIBSSL > 0 + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + ipsec_tunnel_protect_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; + + sw_if_index = ntohl (mp->sw_if_index); + + if (~0 == sw_if_index) + { + ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx); + } + else + { + index_t itpi; + + itpi = ipsec_tun_protect_find (sw_if_index); + + if (INDEX_INVALID != itpi) + send_ipsec_tunnel_protect_details (itpi, &ctx); + } +#else + clib_warning ("unimplemented"); +#endif +} + static int ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in, ipsec_policy_action_t * out) @@ -150,11 +278,10 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler p.is_ipv6 = (itype == IP46_TYPE_IP6); p.protocol = mp->entry.protocol; - /* leave the ports in network order */ - p.rport.start = mp->entry.remote_port_start; - p.rport.stop = mp->entry.remote_port_stop; - p.lport.start = mp->entry.local_port_start; - p.lport.stop = mp->entry.local_port_stop; + p.rport.start = ntohs (mp->entry.remote_port_start); + p.rport.stop = ntohs (mp->entry.remote_port_stop); + p.lport.start = ntohs (mp->entry.local_port_start); + p.lport.stop = ntohs (mp->entry.local_port_stop); rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy); 
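Review bot: In vl_api_ipsec_tunnel_protect_update_t_handler the loop bound mp->tunnel.n_sa_in and the indices into mp->tunnel.sa_in come straight from the client message, and nothing in the handler checks them against the length of the message actually received or against an upper limit, so a message that declares more SAs than it carries is read past its end. Unless the API layer validates variable-length arrays before dispatch (not visible here), add a check before the loop, `/* n_sa_in is client-supplied: verify it against the received message length and the tunnel's maximum input SAs before indexing sa_in */`, and reply with VNET_API_ERROR_INVALID_VALUE when it fails. The sa_ins vector built by vec_add1 is never freed in the handler; that is only correct if ipsec_tun_protect_update takes ownership on both success and failure, which this hunk cannot show, so a comment stating the ownership rule at the call would help. In vl_api_ipsec_tunnel_protect_dump_t_handler, reg and sw_if_index are declared outside the #if WITH_LIBSSL block, so the WITH_LIBSSL == 0 build gets unused-variable warnings; move the declarations inside the #if.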
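Review bot: The removed comment `/* leave the ports in network order */` documented a deliberate representation choice, and the four new ntohs assignments carry no comment in its place, so a reader cannot tell that host order is now the contract for the ipsec_policy_t port fields. Add `/* ports are stored in host order; send_ipsec_spd_details converts back with htons */` above the assignments. Any policy-matching or CLI code elsewhere that compared these fields in network order must change in the same commit; that is outside this hunk and cannot be confirmed here.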
@@ -385,14 +512,14 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler ip_address_decode (&mp->entry.tunnel_src, &tun_src); ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); - if (mp->is_add) - rv = ipsec_sa_add (id, spi, proto, - crypto_alg, &crypto_key, - integ_alg, &integ_key, flags, - 0, &tun_src, &tun_dst, &sa_index); + rv = ipsec_sa_add_and_lock (id, spi, proto, + crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, + 0, mp->entry.salt, &tun_src, &tun_dst, + &sa_index); else - rv = ipsec_sa_del (id); + rv = ipsec_sa_unlock_id (id); #else rv = VNET_API_ERROR_UNIMPLEMENTED; @@ -489,10 +616,10 @@ send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg, &mp->entry.remote_address_start); ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY, &mp->entry.remote_address_stop); - mp->entry.local_port_start = p->lport.start; - mp->entry.local_port_stop = p->lport.stop; - mp->entry.remote_port_start = p->rport.start; - mp->entry.remote_port_stop = p->rport.stop; + mp->entry.local_port_start = htons (p->lport.start); + mp->entry.local_port_stop = htons (p->lport.stop); + mp->entry.remote_port_start = htons (p->rport.start); + mp->entry.remote_port_stop = htons (p->rport.stop); mp->entry.protocol = p->protocol; mp->entry.policy = ipsec_spd_action_encode (p->policy); mp->entry.sa_id = htonl (p->sa_id); 
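Review bot: mp->entry.salt is passed to ipsec_sa_add_and_lock without byte-order conversion, unlike the other integer fields of the message, which are presumably converted earlier in the handler (outside this hunk); if the salt is deliberately treated as an opaque 4-byte value, say so with `/* salt is opaque bytes: no byte-order conversion */`, otherwise it needs ntohl. The same applies to `tun.salt = mp->salt;` in the vl_api_ipsec_tunnel_if_add_del_t_handler hunk. Replacing ipsec_sa_del with ipsec_sa_unlock_id changes what is_add = 0 means: an SA still referenced by a tunnel presumably survives the call while the reply reports success, which the API documentation for this message should state. In this rendering the `if (mp->is_add)` line appears only on the removed side while `else` is kept; if that is not a rendering artefact the new side does not compile.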
@@ -592,29 +719,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t * #endif } -static void -vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp) -{ - vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_sa_set_key_reply_t *rmp; - ipsec_key_t ck, ik; - u32 id; - int rv; -#if WITH_LIBSSL > 0 - - id = ntohl (mp->sa_id); - - ipsec_key_decode (&mp->crypto_key, &ck); - ipsec_key_decode (&mp->integrity_key, &ik); - - rv = ipsec_set_sa_key (id, &ck, &ik); -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY); -} - static void vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * mp) @@ -644,6 +748,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * tun.remote_integ_key_len = mp->remote_integ_key_len; tun.udp_encap = mp->udp_encap; tun.tx_table_id = ntohl (mp->tx_table_id); + tun.salt = mp->salt; itype = ip_address_decode (&mp->local_ip, &tun.local_ip); itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip); tun.is_ip6 = (IP46_TYPE_IP6 == itype); 
@@ -765,62 +870,6 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) #endif } - -static void -vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t * - mp) -{ - vl_api_ipsec_tunnel_if_set_key_reply_t *rmp; - ipsec_main_t *im = &ipsec_main; - vnet_main_t *vnm = im->vnet_main; - vnet_sw_interface_t *sw; - u8 *key = 0; - int rv; - -#if WITH_LIBSSL > 0 - sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index)); - - switch (mp->key_type) - { - case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO: - case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO: - if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 || - mp->alg >= IPSEC_CRYPTO_N_ALG) - { - rv = VNET_API_ERROR_INVALID_ALGORITHM; - goto out; - } - break; - case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG: - case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG: - if (mp->alg >= IPSEC_INTEG_N_ALG) - { - rv = VNET_API_ERROR_INVALID_ALGORITHM; - goto out; - } - break; - case IPSEC_IF_SET_KEY_TYPE_NONE: - default: - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - break; - } - - key = vec_new (u8, mp->key_len); - clib_memcpy (key, mp->key, mp->key_len); - - rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg, - key); - vec_free (key); -#else - clib_warning ("unimplemented"); -#endif - -out: - REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY); -} - - static void vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) { 
@@ -909,23 +958,13 @@ vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp) switch (protocol) { case IPSEC_PROTOCOL_ESP: - if (pool_is_free_index (im->esp_backends, mp->index)) - { - rv = VNET_API_ERROR_INVALID_VALUE; - break; - } - ipsec_select_esp_backend (im, mp->index); + rv = ipsec_select_esp_backend (im, mp->index); break; case IPSEC_PROTOCOL_AH: - if (pool_is_free_index (im->ah_backends, mp->index)) - { - rv = VNET_API_ERROR_INVALID_VALUE; - break; - } - ipsec_select_ah_backend (im, mp->index); + rv = ipsec_select_ah_backend (im, mp->index); break; default: - rv = VNET_API_ERROR_INVALID_VALUE; + rv = VNET_API_ERROR_INVALID_PROTOCOL; break; } #else @@ -969,6 +1008,13 @@ ipsec_api_hookup (vlib_main_t * vm) foreach_vpe_api_msg; #undef _ + /* + * Adding and deleting SAs is MP safe since when they are added/delete + * no traffic is using them + */ + am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1; + am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1; + /* * Set up the (msg_name, crc, message-id) table */
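Review bot: The pool_is_free_index guard on mp->index is removed and the handler now relies entirely on ipsec_select_esp_backend / ipsec_select_ah_backend returning an error for an out-of-range index; if those functions do not validate the index themselves (their bodies are outside this hunk), a bad index reaches a free pool slot. A one-line comment at the call sites, `/* index is validated by ipsec_select_*_backend */`, would record that contract. The default branch now returns VNET_API_ERROR_INVALID_PROTOCOL instead of VNET_API_ERROR_INVALID_VALUE, which is a visible API change and should be mentioned in the commit message.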
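Review bot: The justification "no traffic is using them" for marking VL_API_IPSEC_SAD_ENTRY_ADD_DEL MP safe no longer holds cleanly once this same commit changes delete to ipsec_sa_unlock_id: an unlock can be issued for an SA that a tunnel protection still references, and an add can grow the SA pool while workers dereference it. Running the handler without the worker barrier is safe only if the pool never moves on add (or growth itself takes the barrier) and the last-unlock path frees nothing a worker may still hold; neither is visible here. Extend the comment to state those two conditions, e.g. `/* MP safe only because the SA pool does not move on add and unlock never frees an SA a worker may still be using */`, or leave is_mp_safe unset until they are confirmed. Whether the _REPLY message needs the flag at all is unclear from here.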