2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/ipsec/ipsec_types_api.h>
28 #include <vnet/tunnel/tunnel_types_api.h>
29 #include <vnet/fib/fib.h>
30 #include <vnet/ipip/ipip.h>
31 #include <vnet/tunnel/tunnel_types_api.h>
33 #include <vnet/vnet_msg_enum.h>
36 #include <vnet/ipsec/ipsec.h>
37 #include <vnet/ipsec/ipsec_tun.h>
38 #include <vnet/ipsec/ipsec_itf.h>
41 #define vl_typedefs /* define message structures */
42 #include <vnet/vnet_all_api_h.h>
45 #define vl_endianfun /* define message structures */
46 #include <vnet/vnet_all_api_h.h>
49 /* instantiate all the print functions we know about */
50 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
52 #include <vnet/vnet_all_api_h.h>
55 #include <vlibapi/api_helper_macros.h>
57 #define foreach_vpe_api_msg \
58 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
59 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
60 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
61 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
62 _(IPSEC_SAD_ENTRY_ADD_DEL_V2, ipsec_sad_entry_add_del_v2) \
63 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
64 _(IPSEC_SA_V2_DUMP, ipsec_sa_v2_dump) \
65 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
66 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
67 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
68 _(IPSEC_ITF_CREATE, ipsec_itf_create) \
69 _(IPSEC_ITF_DELETE, ipsec_itf_delete) \
70 _(IPSEC_ITF_DUMP, ipsec_itf_dump) \
71 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
72 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
73 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
74 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
75 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
76 _(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \
77 _(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump) \
78 _(IPSEC_SET_ASYNC_MODE, ipsec_set_async_mode)
81 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
84 clib_warning ("unimplemented");
87 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
88 vl_api_ipsec_spd_add_del_reply_t *rmp;
91 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
93 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
97 static void vl_api_ipsec_interface_add_del_spd_t_handler
98 (vl_api_ipsec_interface_add_del_spd_t * mp)
100 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
101 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
103 u32 sw_if_index __attribute__ ((unused));
104 u32 spd_id __attribute__ ((unused));
106 sw_if_index = ntohl (mp->sw_if_index);
107 spd_id = ntohl (mp->spd_id);
109 VALIDATE_SW_IF_INDEX (mp);
112 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
114 rv = VNET_API_ERROR_UNIMPLEMENTED;
117 BAD_SW_IF_INDEX_LABEL;
119 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
122 static void vl_api_ipsec_tunnel_protect_update_t_handler
123 (vl_api_ipsec_tunnel_protect_update_t * mp)
125 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
126 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
127 u32 sw_if_index, ii, *sa_ins = NULL;
131 sw_if_index = ntohl (mp->tunnel.sw_if_index);
133 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
137 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
138 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
140 ip_address_decode2 (&mp->tunnel.nh, &nh);
142 rv = ipsec_tun_protect_update (sw_if_index, &nh,
143 ntohl (mp->tunnel.sa_out), sa_ins);
145 rv = VNET_API_ERROR_UNIMPLEMENTED;
148 BAD_SW_IF_INDEX_LABEL;
150 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
153 static void vl_api_ipsec_tunnel_protect_del_t_handler
154 (vl_api_ipsec_tunnel_protect_del_t * mp)
156 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
157 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
162 sw_if_index = ntohl (mp->sw_if_index);
164 VALIDATE_SW_IF_INDEX (mp);
167 ip_address_decode2 (&mp->nh, &nh);
168 rv = ipsec_tun_protect_del (sw_if_index, &nh);
170 rv = VNET_API_ERROR_UNIMPLEMENTED;
173 BAD_SW_IF_INDEX_LABEL;
175 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
178 typedef struct ipsec_dump_walk_ctx_t_
180 vl_api_registration_t *reg;
182 } ipsec_dump_walk_ctx_t;
185 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
187 ipsec_dump_walk_ctx_t *ctx = arg;
188 vl_api_ipsec_tunnel_protect_details_t *mp;
189 ipsec_tun_protect_t *itp;
193 itp = ipsec_tun_protect_get (itpi);
195 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
196 clib_memset (mp, 0, sizeof (*mp));
197 mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
198 mp->context = ctx->context;
200 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
201 ip_address_encode2 (itp->itp_key, &mp->tun.nh);
203 sa = ipsec_sa_get (itp->itp_out_sa);
204 mp->tun.sa_out = htonl (sa->id);
205 mp->tun.n_sa_in = itp->itp_n_sa_in;
207 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
209 mp->tun.sa_in[ii++] = htonl (sa->id);
213 vl_api_send_msg (ctx->reg, (u8 *) mp);
215 return (WALK_CONTINUE);
219 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
222 vl_api_registration_t *reg;
226 reg = vl_api_client_index_to_registration (mp->client_index);
230 ipsec_dump_walk_ctx_t ctx = {
232 .context = mp->context,
235 sw_if_index = ntohl (mp->sw_if_index);
237 if (~0 == sw_if_index)
239 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
243 ipsec_tun_protect_walk_itf (sw_if_index,
244 send_ipsec_tunnel_protect_details, &ctx);
247 clib_warning ("unimplemented");
252 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
253 ipsec_policy_action_t * out)
255 in = clib_net_to_host_u32 (in);
259 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
260 *out = IPSEC_POLICY_ACTION_##f; \
262 foreach_ipsec_policy_action
265 return (VNET_API_ERROR_UNIMPLEMENTED);
268 static void vl_api_ipsec_spd_entry_add_del_t_handler
269 (vl_api_ipsec_spd_entry_add_del_t * mp)
271 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
272 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
282 clib_memset (&p, 0, sizeof (p));
284 p.id = ntohl (mp->entry.spd_id);
285 p.priority = ntohl (mp->entry.priority);
287 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
288 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
289 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
290 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
292 p.is_ipv6 = (itype == IP46_TYPE_IP6);
294 p.protocol = mp->entry.protocol;
295 p.rport.start = ntohs (mp->entry.remote_port_start);
296 p.rport.stop = ntohs (mp->entry.remote_port_stop);
297 p.lport.start = ntohs (mp->entry.local_port_start);
298 p.lport.stop = ntohs (mp->entry.local_port_stop);
300 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
305 /* policy action resolve unsupported */
306 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
308 clib_warning ("unsupported action: 'resolve'");
309 rv = VNET_API_ERROR_UNIMPLEMENTED;
312 p.sa_id = ntohl (mp->entry.sa_id);
314 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
319 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
324 rv = VNET_API_ERROR_UNIMPLEMENTED;
330 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
332 rmp->stat_index = ntohl(stat_index);
337 static void vl_api_ipsec_sad_entry_add_del_t_handler
338 (vl_api_ipsec_sad_entry_add_del_t * mp)
340 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
341 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
342 ip46_address_t tun_src = { }, tun_dst =
345 ipsec_key_t crypto_key, integ_key;
346 ipsec_crypto_alg_t crypto_alg;
347 ipsec_integ_alg_t integ_alg;
348 ipsec_protocol_t proto;
349 ipsec_sa_flags_t flags;
350 u32 id, spi, sa_index = ~0;
355 id = ntohl (mp->entry.sad_id);
356 spi = ntohl (mp->entry.spi);
358 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
363 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
368 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
373 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
374 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
376 flags = ipsec_sa_flags_decode (mp->entry.flags);
378 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
379 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
382 rv = ipsec_sa_add_and_lock (id, spi, proto,
383 crypto_alg, &crypto_key,
384 integ_alg, &integ_key, flags,
385 0, mp->entry.salt, &tun_src, &tun_dst,
386 TUNNEL_ENCAP_DECAP_FLAG_NONE,
389 htons (mp->entry.udp_src_port),
390 htons (mp->entry.udp_dst_port));
392 rv = ipsec_sa_unlock_id (id);
395 rv = VNET_API_ERROR_UNIMPLEMENTED;
400 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
402 rmp->stat_index = htonl (sa_index);
407 static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
408 (vl_api_ipsec_sad_entry_add_del_v2_t * mp)
410 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
411 vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp;
412 ip46_address_t tun_src = { }, tun_dst =
415 tunnel_encap_decap_flags_t tunnel_flags;
416 ipsec_key_t crypto_key, integ_key;
417 ipsec_crypto_alg_t crypto_alg;
418 ipsec_integ_alg_t integ_alg;
419 ipsec_protocol_t proto;
420 ipsec_sa_flags_t flags;
421 u32 id, spi, sa_index = ~0;
426 id = ntohl (mp->entry.sad_id);
427 spi = ntohl (mp->entry.spi);
429 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
434 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
439 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
445 tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags, &tunnel_flags);
450 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
451 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
453 flags = ipsec_sa_flags_decode (mp->entry.flags);
455 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
456 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
459 rv = ipsec_sa_add_and_lock (id, spi, proto,
460 crypto_alg, &crypto_key,
461 integ_alg, &integ_key, flags,
462 0, mp->entry.salt, &tun_src, &tun_dst,
464 ip_dscp_decode (mp->entry.dscp),
466 htons (mp->entry.udp_src_port),
467 htons (mp->entry.udp_dst_port));
469 rv = ipsec_sa_unlock_id (id);
472 rv = VNET_API_ERROR_UNIMPLEMENTED;
477 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY,
479 rmp->stat_index = htonl (sa_index);
485 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
488 vl_api_ipsec_spds_details_t *mp;
491 mp = vl_msg_api_alloc (sizeof (*mp));
492 clib_memset (mp, 0, sizeof (*mp));
493 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
494 mp->context = context;
496 mp->spd_id = htonl (spd->id);
497 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
498 foreach_ipsec_spd_policy_type
500 mp->npolicies = htonl (n_policies);
502 vl_api_send_msg (reg, (u8 *) mp);
506 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
508 vl_api_registration_t *reg;
509 ipsec_main_t *im = &ipsec_main;
512 reg = vl_api_client_index_to_registration (mp->client_index);
517 pool_foreach (spd, im->spds, ({
518 send_ipsec_spds_details (spd, reg, mp->context);
522 clib_warning ("unimplemented");
526 vl_api_ipsec_spd_action_t
527 ipsec_spd_action_encode (ipsec_policy_action_t in)
529 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
533 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
534 out = IPSEC_API_SPD_ACTION_##f; \
536 foreach_ipsec_policy_action
539 return (clib_host_to_net_u32 (out));
543 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
546 vl_api_ipsec_spd_details_t *mp;
548 mp = vl_msg_api_alloc (sizeof (*mp));
549 clib_memset (mp, 0, sizeof (*mp));
550 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
551 mp->context = context;
553 mp->entry.spd_id = htonl (p->id);
554 mp->entry.priority = htonl (p->priority);
555 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
556 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
558 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
559 &mp->entry.local_address_start);
560 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
561 &mp->entry.local_address_stop);
562 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
563 &mp->entry.remote_address_start);
564 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
565 &mp->entry.remote_address_stop);
566 mp->entry.local_port_start = htons (p->lport.start);
567 mp->entry.local_port_stop = htons (p->lport.stop);
568 mp->entry.remote_port_start = htons (p->rport.start);
569 mp->entry.remote_port_stop = htons (p->rport.stop);
570 mp->entry.protocol = p->protocol;
571 mp->entry.policy = ipsec_spd_action_encode (p->policy);
572 mp->entry.sa_id = htonl (p->sa_id);
574 vl_api_send_msg (reg, (u8 *) mp);
578 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
580 vl_api_registration_t *reg;
581 ipsec_main_t *im = &ipsec_main;
582 ipsec_spd_policy_type_t ptype;
583 ipsec_policy_t *policy;
588 reg = vl_api_client_index_to_registration (mp->client_index);
592 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
597 spd = pool_elt_at_index (im->spds, spd_index);
600 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
601 vec_foreach(ii, spd->policies[ptype])
603 policy = pool_elt_at_index(im->policies, *ii);
605 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
606 send_ipsec_spd_details (policy, reg, mp->context);
611 clib_warning ("unimplemented");
616 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
617 u32 sw_if_index, u32 context)
619 vl_api_ipsec_spd_interface_details_t *mp;
621 mp = vl_msg_api_alloc (sizeof (*mp));
622 clib_memset (mp, 0, sizeof (*mp));
623 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
624 mp->context = context;
626 mp->spd_index = htonl (spd_index);
627 mp->sw_if_index = htonl (sw_if_index);
629 vl_api_send_msg (reg, (u8 *) mp);
633 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
636 ipsec_main_t *im = &ipsec_main;
637 vl_api_registration_t *reg;
641 reg = vl_api_client_index_to_registration (mp->client_index);
645 if (mp->spd_index_valid)
647 spd_index = ntohl (mp->spd_index);
649 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
651 send_ipsec_spd_interface_details(reg, v, k, mp->context);
658 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
659 send_ipsec_spd_interface_details(reg, v, k, mp->context);
665 clib_warning ("unimplemented");
670 ipsec_tun_mk_input_sa_id (u32 ti)
672 return (0x80000000 | ti);
676 ipsec_tun_mk_output_sa_id (u32 ti)
678 return (0xc0000000 | ti);
682 vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
685 vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
686 u32 sw_if_index = ~0;
690 ip46_address_t local_ip = ip46_address_initializer;
691 ip46_address_t remote_ip = ip46_address_initializer;
692 ipsec_key_t crypto_key, integ_key;
693 ipsec_sa_flags_t flags;
694 ip46_type_t local_ip_type, remote_ip_type;
695 ipip_transport_t transport;
698 local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
699 remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
700 transport = (IP46_TYPE_IP6 == local_ip_type ?
701 IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
703 if (local_ip_type != remote_ip_type)
705 rv = VNET_API_ERROR_INVALID_VALUE;
709 flags = IPSEC_SA_FLAG_NONE;
712 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
714 flags |= IPSEC_SA_FLAG_USE_ESN;
716 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
718 ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
719 mp->remote_crypto_key_len);
720 ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
721 ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
722 ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
725 fib_table_find (fib_proto_from_ip46 (local_ip_type),
726 ntohl (mp->tx_table_id));
730 rv = VNET_API_ERROR_NO_SUCH_FIB;
736 // remote = input, local = output
737 /* create an ip-ip tunnel, then the two SA, then bind them */
738 rv = ipip_add_tunnel (transport,
739 (mp->renumber ? ntohl (mp->show_instance) : ~0),
741 &remote_ip, fib_index,
742 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
743 TUNNEL_MODE_P2P, &sw_if_index);
748 rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
749 ntohl (mp->remote_spi),
755 (flags | IPSEC_SA_FLAG_IS_INBOUND),
756 ntohl (mp->tx_table_id),
757 mp->salt, &remote_ip, &local_ip,
758 TUNNEL_ENCAP_DECAP_FLAG_NONE,
760 IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
765 rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
766 ntohl (mp->local_spi),
773 ntohl (mp->tx_table_id),
774 mp->salt, &local_ip, &remote_ip,
775 TUNNEL_ENCAP_DECAP_FLAG_NONE,
777 IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
782 rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
783 ipsec_tun_mk_output_sa_id
785 ipsec_tun_mk_input_sa_id
790 /* the SAs are locked as a result of being used for proection,
791 * they cannot be removed from the API, since they cannot be refered
792 * to by the API. unlock them now, so that if the tunnel is rekeyed
795 ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
796 ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
801 ipip_tunnel_key_t key = {
802 .transport = transport,
803 .fib_index = fib_index,
809 ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
813 rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
814 ipip_del_tunnel (t->sw_if_index);
817 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
821 rv = VNET_API_ERROR_UNIMPLEMENTED;
825 REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
827 rmp->sw_if_index = htonl (sw_if_index);
833 vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
835 vl_api_ipsec_itf_create_reply_t *rmp;
837 u32 sw_if_index = ~0;
840 rv = tunnel_mode_decode (mp->itf.mode, &mode);
843 rv = ipsec_itf_create (ntohl (mp->itf.user_instance), mode, &sw_if_index);
846 REPLY_MACRO2 (VL_API_IPSEC_ITF_CREATE_REPLY,
848 rmp->sw_if_index = htonl (sw_if_index);
854 vl_api_ipsec_itf_delete_t_handler (vl_api_ipsec_itf_delete_t * mp)
856 vl_api_ipsec_itf_delete_reply_t *rmp;
859 rv = ipsec_itf_delete (ntohl (mp->sw_if_index));
861 REPLY_MACRO (VL_API_IPSEC_ITF_DELETE_REPLY);
865 vl_api_ipsec_itf_dump_t_handler (vl_api_ipsec_itf_dump_t * mp)
869 typedef struct ipsec_sa_dump_match_ctx_t_
873 } ipsec_sa_dump_match_ctx_t;
876 ipsec_sa_dump_match_sa (index_t itpi, void *arg)
878 ipsec_sa_dump_match_ctx_t *ctx = arg;
879 ipsec_tun_protect_t *itp;
882 itp = ipsec_tun_protect_get (itpi);
884 if (itp->itp_out_sa == ctx->sai)
886 ctx->sw_if_index = itp->itp_sw_if_index;
890 FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
894 ctx->sw_if_index = itp->itp_sw_if_index;
900 return (WALK_CONTINUE);
904 send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
906 ipsec_dump_walk_ctx_t *ctx = arg;
907 vl_api_ipsec_sa_details_t *mp;
908 ipsec_main_t *im = &ipsec_main;
910 mp = vl_msg_api_alloc (sizeof (*mp));
911 clib_memset (mp, 0, sizeof (*mp));
912 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
913 mp->context = ctx->context;
915 mp->entry.sad_id = htonl (sa->id);
916 mp->entry.spi = htonl (sa->spi);
917 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
918 mp->entry.tx_table_id =
919 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
921 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
922 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
924 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
925 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
927 mp->entry.flags = ipsec_sad_flags_encode (sa);
928 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
930 if (ipsec_sa_is_set_IS_PROTECT (sa))
932 ipsec_sa_dump_match_ctx_t ctx = {
936 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
938 mp->sw_if_index = htonl (ctx.sw_if_index);
941 mp->sw_if_index = ~0;
943 if (ipsec_sa_is_set_IS_TUNNEL (sa))
945 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
946 &mp->entry.tunnel_src);
947 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
948 &mp->entry.tunnel_dst);
950 if (ipsec_sa_is_set_UDP_ENCAP (sa))
952 mp->entry.udp_src_port = sa->udp_hdr.src_port;
953 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
956 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
957 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
958 if (ipsec_sa_is_set_USE_ESN (sa))
960 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
961 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
963 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
964 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
966 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
968 vl_api_send_msg (ctx->reg, (u8 *) mp);
970 return (WALK_CONTINUE);
974 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
976 vl_api_registration_t *reg;
979 reg = vl_api_client_index_to_registration (mp->client_index);
983 ipsec_dump_walk_ctx_t ctx = {
985 .context = mp->context,
988 ipsec_sa_walk (send_ipsec_sa_details, &ctx);
991 clib_warning ("unimplemented");
996 send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
998 ipsec_dump_walk_ctx_t *ctx = arg;
999 vl_api_ipsec_sa_v2_details_t *mp;
1000 ipsec_main_t *im = &ipsec_main;
1002 mp = vl_msg_api_alloc (sizeof (*mp));
1003 clib_memset (mp, 0, sizeof (*mp));
1004 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_V2_DETAILS);
1005 mp->context = ctx->context;
1007 mp->entry.sad_id = htonl (sa->id);
1008 mp->entry.spi = htonl (sa->spi);
1009 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
1010 mp->entry.tx_table_id =
1011 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
1013 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
1014 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
1016 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
1017 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
1019 mp->entry.flags = ipsec_sad_flags_encode (sa);
1020 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
1022 if (ipsec_sa_is_set_IS_PROTECT (sa))
1024 ipsec_sa_dump_match_ctx_t ctx = {
1025 .sai = sa - im->sad,
1028 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
1030 mp->sw_if_index = htonl (ctx.sw_if_index);
1033 mp->sw_if_index = ~0;
1035 if (ipsec_sa_is_set_IS_TUNNEL (sa))
1037 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
1038 &mp->entry.tunnel_src);
1039 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
1040 &mp->entry.tunnel_dst);
1042 if (ipsec_sa_is_set_UDP_ENCAP (sa))
1044 mp->entry.udp_src_port = sa->udp_hdr.src_port;
1045 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
1048 mp->entry.tunnel_flags = tunnel_encap_decap_flags_encode (sa->tunnel_flags);
1049 mp->entry.dscp = ip_dscp_encode (sa->dscp);
1051 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
1052 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
1053 if (ipsec_sa_is_set_USE_ESN (sa))
1055 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1056 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
1058 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
1059 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
1061 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
1063 vl_api_send_msg (ctx->reg, (u8 *) mp);
1065 return (WALK_CONTINUE);
1069 vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
1071 vl_api_registration_t *reg;
1074 reg = vl_api_client_index_to_registration (mp->client_index);
1078 ipsec_dump_walk_ctx_t ctx = {
1080 .context = mp->context,
1083 ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx);
1086 clib_warning ("unimplemented");
1091 vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
1093 vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
1097 VALIDATE_SW_IF_INDEX(mp);
1099 if (mp->is_outbound)
1100 rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
1103 rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
1107 clib_warning ("unimplemented");
1110 BAD_SW_IF_INDEX_LABEL;
1112 REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
1116 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
1118 vl_api_registration_t *rp;
1119 ipsec_main_t *im = &ipsec_main;
1120 u32 context = mp->context;
1122 rp = vl_api_client_index_to_registration (mp->client_index);
1126 clib_warning ("Client %d AWOL", mp->client_index);
1130 ipsec_ah_backend_t *ab;
1131 ipsec_esp_backend_t *eb;
1133 pool_foreach (ab, im->ah_backends, {
1134 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1135 clib_memset (mp, 0, sizeof (*mp));
1136 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
1137 mp->context = context;
1138 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
1140 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
1141 mp->index = ab - im->ah_backends;
1142 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
1143 vl_api_send_msg (rp, (u8 *)mp);
1145 pool_foreach (eb, im->esp_backends, {
1146 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1147 clib_memset (mp, 0, sizeof (*mp));
1148 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
1149 mp->context = context;
1150 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
1152 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
1153 mp->index = eb - im->esp_backends;
1154 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
1155 vl_api_send_msg (rp, (u8 *)mp);
1161 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
1163 ipsec_main_t *im = &ipsec_main;
1164 vl_api_ipsec_select_backend_reply_t *rmp;
1165 ipsec_protocol_t protocol;
1167 if (pool_elts (im->sad) > 0)
1169 rv = VNET_API_ERROR_INSTANCE_IN_USE;
1173 rv = ipsec_proto_decode (mp->protocol, &protocol);
1181 case IPSEC_PROTOCOL_ESP:
1182 rv = ipsec_select_esp_backend (im, mp->index);
1184 case IPSEC_PROTOCOL_AH:
1185 rv = ipsec_select_ah_backend (im, mp->index);
1188 rv = VNET_API_ERROR_INVALID_PROTOCOL;
1192 clib_warning ("unimplemented"); /* FIXME */
1195 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
1199 vl_api_ipsec_set_async_mode_t_handler (vl_api_ipsec_set_async_mode_t * mp)
1201 vl_api_ipsec_set_async_mode_reply_t *rmp;
1204 vnet_crypto_request_async_mode (mp->async_enable);
1205 ipsec_set_async_mode (mp->async_enable);
1207 REPLY_MACRO (VL_API_IPSEC_SET_ASYNC_MODE_REPLY);
1212 * Add vpe's API message handlers to the table.
1213 * vlib has already mapped shared memory and
1214 * added the client registration handlers.
1215 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
1217 #define vl_msg_name_crc_list
1218 #include <vnet/vnet_all_api_h.h>
1219 #undef vl_msg_name_crc_list
1222 setup_message_id_table (api_main_t * am)
1224 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
1225 foreach_vl_msg_name_crc_ipsec;
1229 static clib_error_t *
1230 ipsec_api_hookup (vlib_main_t * vm)
1232 api_main_t *am = vlibapi_get_main ();
1235 vl_msg_api_set_handlers(VL_API_##N, #n, \
1236 vl_api_##n##_t_handler, \
1238 vl_api_##n##_t_endian, \
1239 vl_api_##n##_t_print, \
1240 sizeof(vl_api_##n##_t), 1);
1241 foreach_vpe_api_msg;
1245 * Set up the (msg_name, crc, message-id) table
1247 setup_message_id_table (am);
1252 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1255 * fd.io coding-style-patch-verification: ON
1258 * eval: (c-set-style "gnu")