#include <vnet/classify/input_acl.h>
#if DPDK > 0
#include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ikev2.h>
#else
#include <inttypes.h>
#endif
#endif
}
+uword
+unformat_ikev2_auth_method (unformat_input_t * input, va_list * args)
+{
+#if DPDK > 0
+ u32 * r = va_arg (*args, u32 *);
+
+ if (0) ;
+#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_AUTH_METHOD_##f;
+ foreach_ikev2_auth_method
+#undef _
+ else
+ return 0;
+ return 1;
+#else
+ return 0;
+#endif
+}
+
+uword
+unformat_ikev2_id_type (unformat_input_t * input, va_list * args)
+{
+#if DPDK > 0
+ u32 * r = va_arg (*args, u32 *);
+
+ if (0) ;
+#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_ID_TYPE_##f;
+ foreach_ikev2_id_type
+#undef _
+ else
+ return 0;
+ return 1;
+#else
+ return 0;
+#endif
+}
+
u8 * format_ip4_address (u8 * s, va_list * args)
{
u8 * a = va_arg (*args, u8 *);
_(ipsec_spd_add_del_entry_reply) \
_(ipsec_sad_add_del_entry_reply) \
_(ipsec_sa_set_key_reply) \
+_(ikev2_profile_add_del_reply) \
+_(ikev2_profile_set_auth_reply) \
+_(ikev2_profile_set_id_reply) \
+_(ikev2_profile_set_ts_reply) \
+_(ikev2_set_local_key_reply) \
_(delete_loopback_reply) \
_(bd_ip_mac_add_del_reply) \
_(map_del_domain_reply) \
_(IPSEC_SPD_ADD_DEL_ENTRY_REPLY, ipsec_spd_add_del_entry_reply) \
_(IPSEC_SAD_ADD_DEL_ENTRY_REPLY, ipsec_sad_add_del_entry_reply) \
_(IPSEC_SA_SET_KEY_REPLY, ipsec_sa_set_key_reply) \
+_(IKEV2_PROFILE_ADD_DEL_REPLY, ikev2_profile_add_del_reply) \
+_(IKEV2_PROFILE_SET_AUTH_REPLY, ikev2_profile_set_auth_reply) \
+_(IKEV2_PROFILE_SET_ID_REPLY, ikev2_profile_set_id_reply) \
+_(IKEV2_PROFILE_SET_TS_REPLY, ikev2_profile_set_ts_reply) \
+_(IKEV2_SET_LOCAL_KEY_REPLY, ikev2_set_local_key_reply) \
_(DELETE_LOOPBACK_REPLY, delete_loopback_reply) \
_(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply) \
_(DHCP_COMPL_EVENT, dhcp_compl_event) \
#endif
}
+static int
+api_ikev2_profile_add_del (vat_main_t * vam)
+{
+#if DPDK > 0
+ unformat_input_t * i = vam->input;
+ vl_api_ikev2_profile_add_del_t * mp;
+ f64 timeout;
+ u8 is_add = 1;
+ u8 * name = 0;
+
+ const char * valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "del"))
+ is_add = 0;
+ else if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name)) {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64) {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del);
+
+ memcpy(mp->name, name, vec_len (name));
+ mp->is_add = is_add;
+ vec_free (name);
+
+ S; W;
+ /* NOTREACHED */
+ return 0;
+#else
+ clib_warning ("unsupported (no dpdk)");
+ return -99;
+#endif
+}
+
+static int
+api_ikev2_profile_set_auth (vat_main_t * vam)
+{
+#if DPDK > 0
+ unformat_input_t * i = vam->input;
+ vl_api_ikev2_profile_set_auth_t * mp;
+ f64 timeout;
+ u8 * name = 0;
+ u8 * data = 0;
+ u32 auth_method = 0;
+ u8 is_hex = 0;
+
+ const char * valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else if (unformat (i, "auth_method %U",
+ unformat_ikev2_auth_method, &auth_method))
+ ;
+ else if (unformat (i, "auth_data 0x%U", unformat_hex_string, &data))
+ is_hex = 1;
+ else if (unformat (i, "auth_data %v", &data))
+ ;
+ else {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name)) {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64) {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ if (!vec_len(data)) {
+ errmsg ("auth_data must be specified");
+ return -99;
+ }
+
+ if (!auth_method) {
+ errmsg ("auth_method must be specified");
+ return -99;
+ }
+
+ M(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth);
+
+ mp->is_hex = is_hex;
+ mp->auth_method = (u8) auth_method;
+ mp->data_len = vec_len (data);
+ memcpy (mp->name, name, vec_len (name));
+ memcpy (mp->data, data, vec_len (data));
+ vec_free (name);
+ vec_free (data);
+
+ S; W;
+ /* NOTREACHED */
+ return 0;
+#else
+ clib_warning ("unsupported (no dpdk)");
+ return -99;
+#endif
+}
+
+static int
+api_ikev2_profile_set_id (vat_main_t * vam)
+{
+#if DPDK > 0
+ unformat_input_t * i = vam->input;
+ vl_api_ikev2_profile_set_id_t * mp;
+ f64 timeout;
+ u8 * name = 0;
+ u8 * data = 0;
+ u8 is_local = 0;
+ u32 id_type = 0;
+ ip4_address_t ip4;
+
+ const char * valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else if (unformat (i, "id_type %U",
+ unformat_ikev2_id_type, &id_type))
+ ;
+ else if (unformat (i, "id_data %U", unformat_ip4_address, &ip4))
+ {
+ data = vec_new(u8, 4);
+ memcpy(data, ip4.as_u8, 4);
+ }
+ else if (unformat (i, "id_data 0x%U", unformat_hex_string, &data))
+ ;
+ else if (unformat (i, "id_data %v", &data))
+ ;
+ else if (unformat (i, "local"))
+ is_local = 1;
+ else if (unformat (i, "remote"))
+ is_local = 0;
+ else {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name)) {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64) {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ if (!vec_len(data)) {
+ errmsg ("id_data must be specified");
+ return -99;
+ }
+
+ if (!id_type) {
+ errmsg ("id_type must be specified");
+ return -99;
+ }
+
+ M(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id);
+
+ mp->is_local = is_local;
+ mp->id_type = (u8) id_type;
+ mp->data_len = vec_len (data);
+ memcpy (mp->name, name, vec_len (name));
+ memcpy (mp->data, data, vec_len (data));
+ vec_free (name);
+ vec_free (data);
+
+ S; W;
+ /* NOTREACHED */
+ return 0;
+#else
+ clib_warning ("unsupported (no dpdk)");
+ return -99;
+#endif
+}
+
+static int
+api_ikev2_profile_set_ts (vat_main_t * vam)
+{
+#if DPDK > 0
+ unformat_input_t * i = vam->input;
+ vl_api_ikev2_profile_set_ts_t * mp;
+ f64 timeout;
+ u8 * name = 0;
+ u8 is_local = 0;
+ u32 proto = 0, start_port = 0, end_port = (u32) ~0;
+ ip4_address_t start_addr, end_addr;
+
+ const char * valid_chars = "a-zA-Z0-9_";
+
+ start_addr.as_u32 = 0;
+ end_addr.as_u32 = (u32) ~0;
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else if (unformat (i, "protocol %d", &proto))
+ ;
+ else if (unformat (i, "start_port %d", &start_port))
+ ;
+ else if (unformat (i, "end_port %d", &end_port))
+ ;
+ else if (unformat (i, "start_addr %U", unformat_ip4_address, &start_addr))
+ ;
+ else if (unformat (i, "end_addr %U", unformat_ip4_address, &end_addr))
+ ;
+ else if (unformat (i, "local"))
+ is_local = 1;
+ else if (unformat (i, "remote"))
+ is_local = 0;
+ else {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name)) {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64) {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts);
+
+ mp->is_local = is_local;
+ mp->proto = (u8) proto;
+ mp->start_port = (u16) start_port;
+ mp->end_port = (u16) end_port;
+ mp->start_addr = start_addr.as_u32;
+ mp->end_addr = end_addr.as_u32;
+ memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+
+ S; W;
+ /* NOTREACHED */
+ return 0;
+#else
+ clib_warning ("unsupported (no dpdk)");
+ return -99;
+#endif
+}
+
+static int
+api_ikev2_set_local_key (vat_main_t * vam)
+{
+#if DPDK > 0
+ unformat_input_t * i = vam->input;
+ vl_api_ikev2_set_local_key_t * mp;
+ f64 timeout;
+ u8 * file = 0;
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) {
+ if (unformat (i, "file %v", &file))
+ vec_add1 (file, 0);
+ else {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (file)) {
+ errmsg ("RSA key file must be specified");
+ return -99;
+ }
+
+ if (vec_len (file) > 256) {
+ errmsg ("file name too long");
+ return -99;
+ }
+
+ M(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key);
+
+ memcpy (mp->key_file, file, vec_len (file));
+ vec_free (file);
+
+ S; W;
+ /* NOTREACHED */
+ return 0;
+#else
+ clib_warning ("unsupported (no dpdk)");
+ return -99;
+#endif
+}
+
/*
* MAP
*/
" laddr_stop <ip4|ip6> raddr_start <ip4|ip6> raddr_stop <ip4|ip6>\n" \
" [lport_start <n> lport_stop <n>] [rport_start <n> rport_stop <n>]" )\
_(ipsec_sa_set_key, "sa_id <n> crypto_key <hex> integ_key <hex>") \
+_(ikev2_profile_add_del, "name <profile_name> [del]") \
+_(ikev2_profile_set_auth, "name <profile_name> auth_method <method>\n" \
+ "(auth_data 0x<data> | auth_data <data>)") \
+_(ikev2_profile_set_id, "name <profile_name> id_type <type>\n" \
+ "(id_data 0x<data> | id_data <data>) (local|remote)") \
+_(ikev2_profile_set_ts, "name <profile_name> protocol <proto>\n" \
+ "start_port <port> end_port <port> start_addr <ip4> end_addr <ip4>\n" \
+ "(local|remote)") \
+_(ikev2_set_local_key, "file <absolute_file_path>") \
_(delete_loopback,"sw_if_index <nn>") \
_(bd_ip_mac_add_del, "bd_id <bridge-domain-id> <ip4/6-addr> <mac-addr> [del]") \
_(map_add_domain, \
#if IPSEC > 0
#include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ikev2.h>
#endif /* IPSEC */
#if DPDK > 0
#include <vnet/devices/virtio/vhost-user.h>
_(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \
_(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \
_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
+_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
+_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
+_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
+_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
+_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
_(DELETE_LOOPBACK, delete_loopback) \
_(BD_IP_MAC_ADD_DEL, bd_ip_mac_add_del) \
_(MAP_ADD_DOMAIN, map_add_domain) \
VALIDATE_SW_IF_INDEX(mp);
-#if IPSEC > 0
+#if IPSEC > 0
rv = ipsec_set_interface_spd(vm, sw_if_index, spd_id, mp->is_add);
#else
rv = VNET_API_ERROR_UNIMPLEMENTED;
vl_api_ipsec_spd_add_del_entry_reply_t * rmp;
int rv;
-#if IPSEC > 0
+#if IPSEC > 0
ipsec_policy_t p;
+ memset(&p, 0, sizeof(p));
+
p.id = ntohl(mp->spd_id);
p.priority = ntohl(mp->priority);
p.is_outbound = mp->is_outbound;
#if IPSEC > 0
ipsec_sa_t sa;
+ memset(&sa, 0, sizeof(sa));
+
sa.id = ntohl(mp->sad_id);
sa.spi = ntohl(mp->spi);
/* security protocol AH unsupported */
/* check for unsupported crypto-alg */
if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
mp->crypto_algorithm > IPSEC_CRYPTO_ALG_AES_CBC_256) {
- clib_warning("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
+ clib_warning("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
mp->crypto_algorithm);
rv = VNET_API_ERROR_UNIMPLEMENTED;
goto out;
out:
REPLY_MACRO(VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY);
}
+
+static void
+vl_api_ikev2_profile_add_del_t_handler
+(vl_api_ikev2_profile_add_del_t * mp)
+{
+ vlib_main_t * vm = vlib_get_main();
+ vl_api_ikev2_profile_add_del_reply_t * rmp;
+ int rv = 0;
+
+#if IPSEC > 0
+ clib_error_t * error;
+ u8 * tmp = format(0, "%s", mp->name);
+ error = ikev2_add_del_profile(vm, tmp, mp->is_add);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO(VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_auth_t_handler
+(vl_api_ikev2_profile_set_auth_t * mp)
+{
+ vlib_main_t * vm = vlib_get_main();
+ vl_api_ikev2_profile_set_auth_reply_t * rmp;
+ int rv = 0;
+
+#if IPSEC > 0
+ clib_error_t * error;
+ u8 * tmp = format(0, "%s", mp->name);
+ u8 * data = vec_new (u8, mp->data_len);
+ memcpy(data, mp->data, mp->data_len);
+ error = ikev2_set_profile_auth(vm, tmp, mp->auth_method, data, mp->is_hex);
+ vec_free (tmp);
+ vec_free (data);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO(VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_id_t_handler
+(vl_api_ikev2_profile_set_id_t * mp)
+{
+ vlib_main_t * vm = vlib_get_main();
+ vl_api_ikev2_profile_set_id_reply_t * rmp;
+ int rv = 0;
+
+#if IPSEC > 0
+ clib_error_t * error;
+ u8 * tmp = format(0, "%s", mp->name);
+ u8 * data = vec_new (u8, mp->data_len);
+ memcpy(data, mp->data, mp->data_len);
+ error = ikev2_set_profile_id(vm, tmp, mp->id_type, data, mp->is_local);
+ vec_free (tmp);
+ vec_free (data);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO(VL_API_IKEV2_PROFILE_SET_ID_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_ts_t_handler
+(vl_api_ikev2_profile_set_ts_t * mp)
+{
+ vlib_main_t * vm = vlib_get_main();
+ vl_api_ikev2_profile_set_ts_reply_t * rmp;
+ int rv = 0;
+
+#if IPSEC > 0
+ clib_error_t * error;
+ u8 * tmp = format(0, "%s", mp->name);
+ error = ikev2_set_profile_ts(vm, tmp, mp->proto, mp->start_port,
+ mp->end_port, (ip4_address_t) mp->start_addr,
+ (ip4_address_t) mp->end_addr, mp->is_local);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO(VL_API_IKEV2_PROFILE_SET_TS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_local_key_t_handler
+(vl_api_ikev2_set_local_key_t * mp)
+{
+ vlib_main_t * vm = vlib_get_main();
+ vl_api_ikev2_set_local_key_reply_t * rmp;
+ int rv = 0;
+
+#if IPSEC > 0
+ clib_error_t * error;
+
+ error = ikev2_set_local_key(vm, mp->key_file);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO(VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
+}
+
static void
vl_api_map_add_domain_t_handler
(vl_api_map_add_domain_t * mp)
i32 retval;
};
+/** \brief IKEv2: Add/delete profile
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param is_add - Add IKEv2 profile if non-zero, else delete
+*/
+define ikev2_profile_add_del {
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 is_add;
+};
+
+/** \brief Reply for IKEv2: Add/delete profile
+ @param context - returned sender context, to match reply w/ request
+ @param retval - return code
+*/
+define ikev2_profile_add_del_reply {
+ u32 context;
+ i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 profile authentication method
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
+ @param is_hex - Authentication data in hex format if non-zero, else string
+ @param data_len - Authentication data length
+ @param data - Authentication data (for rsa-sig cert file path)
+*/
+define ikev2_profile_set_auth {
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 auth_method;
+ u8 is_hex;
+ u32 data_len;
+ u8 data[0];
+};
+
+/** \brief Reply for IKEv2: Set IKEv2 profile authentication method
+ @param context - returned sender context, to match reply w/ request
+ @param retval - return code
+*/
+define ikev2_profile_set_auth_reply {
+ u32 context;
+ i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 profile local/remote identification
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param is_local - Identification is local if non-zero, else remote
+ @param id_type - Identification type
+ @param data_len - Identification data length
+ @param data - Identification data
+*/
+define ikev2_profile_set_id {
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 is_local;
+ u8 id_type;
+ u32 data_len;
+ u8 data[0];
+};
+
+/** \brief Reply for IKEv2:
+ @param context - returned sender context, to match reply w/ request
+ @param retval - return code
+*/
+define ikev2_profile_set_id_reply {
+ u32 context;
+ i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param is_local - Traffic selector is local if non-zero, else remote
+ @param proto - Traffic selector IP protocol (if zero not relevant)
+ @param start_port - The smallest port number allowed by traffic selector
+ @param end_port - The largest port number allowed by traffic selector
+ @param start_addr - The smallest address included in traffic selector
+ @param end_addr - The largest address included in traffic selector
+*/
+define ikev2_profile_set_ts {
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 is_local;
+ u8 proto;
+ u16 start_port;
+ u16 end_port;
+ u32 start_addr;
+ u32 end_addr;
+};
+
+/** \brief Reply for IKEv2: Set IKEv2 profile traffic selector parameters
+ @param context - returned sender context, to match reply w/ request
+ @param retval - return code
+*/
+define ikev2_profile_set_ts_reply {
+ u32 context;
+ i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 local RSA private key
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param key_file - Key file absolute path
+*/
+define ikev2_set_local_key {
+ u32 client_index;
+ u32 context;
+
+ u8 key_file[256];
+};
+
+/** \brief Reply for IKEv2: Set IKEv2 local key
+ @param context - returned sender context, to match reply w/ request
+ @param retval - return code
+*/
+define ikev2_set_local_key_reply {
+ u32 context;
+ i32 retval;
+};
+
/** \brief Tell client about a DHCP completion event
@param client_index - opaque cookie to identify the sender
@param pid - client pid registered to receive notification
Code Review / vpp.git / commitdiff