X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=ffc7f59fb8cbc550154bfe3457708cc6a65525bc;hb=bdc0e6b7;hp=ae62ade35fbcfe744234f894c90626d629c35beb;hpb=28029530963223c5c3b94f7a2f9d1343662a1a04;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index ae62ade35fb..ffc7f59fb8c 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -56,6 +56,8 @@ _(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
+_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
+_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
 _(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
 _(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
 _(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
@@ -190,17 +192,9 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
 sa.id = ntohl (mp->sad_id);
 sa.spi = ntohl (mp->spi);
- /* security protocol AH unsupported */
- if (mp->protocol == IPSEC_PROTOCOL_AH)
- {
- clib_warning ("unsupported security protocol 'AH'");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
 sa.protocol = mp->protocol;
 /* check for unsupported crypto-alg */
- if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
- mp->crypto_algorithm >= IPSEC_CRYPTO_N_ALG)
+ if (mp->crypto_algorithm >= IPSEC_CRYPTO_N_ALG)
 {
 clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
 mp->crypto_algorithm);
@@ -225,6 +219,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
 sa.use_esn = mp->use_extended_sequence_number;
 sa.is_tunnel = mp->is_tunnel;
 sa.is_tunnel_ip6 = mp->is_tunnel_ipv6;
+ sa.udp_encap = mp->udp_encap;
 if (sa.is_tunnel_ip6)
 {
 clib_memcpy (&sa.tunnel_src_addr, mp->tunnel_src_address, 16);
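Review bot: In the @@ -190 hunk, once the AH rejection block is gone the context line `sa.protocol = mp->protocol;` copies a client-supplied byte into the SA with no range check at all, so a value that is neither IPSEC_PROTOCOL_AH nor IPSEC_PROTOCOL_ESP now reaches `check_support_cb` and, if that callback does not reject it, the SA table. Relaxing the crypto-algorithm lower bound is presumably what lets an AH SA be created without a cipher, but the protocol field should keep an explicit bound: `if (mp->protocol != IPSEC_PROTOCOL_AH && mp->protocol != IPSEC_PROTOCOL_ESP) { rv = VNET_API_ERROR_INVALID_VALUE; goto out; }` (the `out:` label this handler already uses is visible in the @@ -256 header). Whether check_support_cb validates the protocol is not visible here; the handler's body starts and ends outside the hunk.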
@@ -235,6 +230,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
 clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4);
 clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
 }
+ sa.use_anti_replay = mp->use_anti_replay;
 ASSERT (im->cb.check_support_cb);
 clib_error_t *err = im->cb.check_support_cb (&sa);
@@ -256,7 +252,7 @@ out:
 }
 static void
-send_ipsec_spd_details (ipsec_policy_t * p, unix_shared_memory_queue_t * q,
+send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
 u32 context)
 {
 vl_api_ipsec_spd_details_t *mp;
@@ -294,21 +290,21 @@ send_ipsec_spd_details (ipsec_policy_t * p, unix_shared_memory_queue_t * q,
 mp->bytes = clib_host_to_net_u64 (p->counter.bytes);
 mp->packets = clib_host_to_net_u64 (p->counter.packets);
- vl_msg_api_send_shmem (q, (u8 *) & mp);
+ vl_api_send_msg (reg, (u8 *) mp);
 }
 static void
 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
 {
- unix_shared_memory_queue_t *q;
+ vl_api_registration_t *reg;
 ipsec_main_t *im = &ipsec_main;
 ipsec_policy_t *policy;
 ipsec_spd_t *spd;
 uword *p;
 u32 spd_index;
 #if WITH_LIBSSL > 0
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0)
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
 return;
 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
@@ -322,7 +318,7 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
 pool_foreach (policy, spd->policies,
 ({
 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
- send_ipsec_spd_details (policy, q,
+ send_ipsec_spd_details (policy, reg,
 mp->context);}
 ));
 /* *INDENT-ON* */
@@ -389,6 +385,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 mp->local_integ_key_len);
 memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
 mp->remote_integ_key_len);
+ tun.renumber = mp->renumber;
+ tun.show_instance = ntohl (mp->show_instance);
 rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
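Review bot: In the @@ -389 hunk the context lines `memcpy (&tun.remote_integ_key, &mp->remote_integ_key, mp->remote_integ_key_len);` and the local_integ_key copy just above take their byte count straight from the client message and write it into a fixed-size `tun` member, and the two new assignments below them leave that unbounded; since this handler is being extended, it is the place to add `if (mp->remote_integ_key_len > sizeof (tun.remote_integ_key)) rv = VNET_API_ERROR_INVALID_VALUE;` (and the matching check for the local key and any sibling key copies in the same handler) before any copy, skipping the copies and the ipsec_add_del_tunnel_if_internal call when rv is set. Whether the API definition already caps these lengths below the destination size is not visible here, so confirm against ipsec.api before relying on it. The handler starts, and its reply path lies, outside the hunk, so the early-exit form has to follow whatever that code uses.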
@@ -404,7 +402,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
 }
 static void
-send_ipsec_sa_details (ipsec_sa_t * sa, unix_shared_memory_queue_t * q,
+send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
 u32 context, u32 sw_if_index)
 {
 vl_api_ipsec_sa_details_t *mp;
@@ -459,15 +457,16 @@ send_ipsec_sa_details (ipsec_sa_t * sa, unix_shared_memory_queue_t * q,
 if (sa->use_anti_replay)
 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
 mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
+ mp->udp_encap = sa->udp_encap;
- vl_msg_api_send_shmem (q, (u8 *) & mp);
+ vl_api_send_msg (reg, (u8 *) mp);
 }
 static void
 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 {
- unix_shared_memory_queue_t *q;
+ vl_api_registration_t *reg;
 ipsec_main_t *im = &ipsec_main;
 vnet_main_t *vnm = im->vnet_main;
 ipsec_sa_t *sa;
@@ -475,8 +474,8 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 u32 *sa_index_to_tun_if_index = 0;
 #if WITH_LIBSSL > 0
- q = vl_api_client_index_to_input_queue (mp->client_index);
- if (q == 0 || pool_elts (im->sad) == 0)
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg || pool_elts (im->sad) == 0)
 return;
 vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
@@ -497,7 +496,7 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 pool_foreach (sa, im->sad,
 ({
 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
- send_ipsec_sa_details (sa, q, mp->context,
+ send_ipsec_sa_details (sa, reg, mp->context,
 sa_index_to_tun_if_index[sa - im->sad]);
 }));
 /* *INDENT-ON* */
@@ -509,6 +508,83 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 }
+static void
+vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
+ mp)
+{
+ vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ vnet_sw_interface_t *sw;
+ u8 *key = 0;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
+
+ switch (mp->key_type)
+ {
+ case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO:
+ case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO:
+ if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
+ mp->alg >= IPSEC_CRYPTO_N_ALG)
+ {
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+ break;
+ case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG:
+ case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG:
+ if (mp->alg >= IPSEC_INTEG_N_ALG)
+ {
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+ break;
+ case IPSEC_IF_SET_KEY_TYPE_NONE:
+ default:
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ break;
+ }
+
+ key = vec_new (u8, mp->key_len);
+ clib_memcpy (key, mp->key, mp->key_len);
+
+ rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
+ key);
+ vec_free (key);
+#else
+ clib_warning ("unimplemented");
+#endif
+
+out:
+ REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
+}
+
+
+static void
+vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
+{
+ vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
+ ipsec_main_t *im = &ipsec_main;
+ vnet_main_t *vnm = im->vnet_main;
+ vnet_sw_interface_t *sw;
+ int rv;
+
+#if WITH_LIBSSL > 0
+ sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
+
+ rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
+ mp->is_outbound);
+#else
+ clib_warning ("unimplemented");
+#endif
+
+ REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
+}
+
+
 static void
 vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
 {
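Review bot: In vl_api_ipsec_tunnel_if_set_key_t_handler, `mp->key_len` is used unchecked as both the `vec_new` size and the `clib_memcpy` length read from `mp->key`, so a client-supplied length larger than the message's key array (assuming `mp->key` is a fixed array like the other key fields of this API) reads past it into the rest of the message buffer and hands those bytes to ipsec_set_interface_key as key material; bound it with `if (mp->key_len > sizeof (mp->key))` before the copy. Two more points, both also present in vl_api_ipsec_tunnel_if_set_sa_t_handler: `ntohl (mp->sw_if_index)` goes straight into vnet_get_sw_interface without `VALIDATE_SW_IF_INDEX (mp)`, so a stale or bogus index is at best an ASSERT and otherwise an out-of-range pool read instead of a VNET_API_ERROR_INVALID_SW_IF_INDEX reply, and `int rv;` is left uninitialised on the `#else` path, so REPLY_MACRO sends an indeterminate retval when built without libssl. The rewritten lines for the set_key handler are below; set_sa needs the same VALIDATE_SW_IF_INDEX / BAD_SW_IF_INDEX_LABEL pair and `int rv = VNET_API_ERROR_UNIMPLEMENTED;`. The key vector is also freed without being cleared, so key bytes linger in freed heap; clearing it with whatever explicit-clear primitive the tree provides before `vec_free` would close that.
```c
  int rv = VNET_API_ERROR_UNIMPLEMENTED;	/* retval when built without libssl */

#if WITH_LIBSSL > 0
  VALIDATE_SW_IF_INDEX (mp);
  sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));

  /* … unchanged: key_type / alg switch … */

  /* key_len is client-supplied; never read past the key array in the message */
  if (mp->key_len > sizeof (mp->key))
    {
      rv = VNET_API_ERROR_INVALID_VALUE;
      goto out;
    }

  key = vec_new (u8, mp->key_len);
  /* … unchanged: clib_memcpy, ipsec_set_interface_key, vec_free … */
#else
  clib_warning ("unimplemented");
#endif

  BAD_SW_IF_INDEX_LABEL;
out:
  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
```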
@@ -813,7 +889,7 @@ static void
 /*
 * ipsec_api_hookup
 * Add vpe's API message handlers to the table.
- * vlib has alread mapped shared memory and
+ * vlib has already mapped shared memory and
 * added the client registration handlers.
 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
 */