2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/ipsec/ipsec_types_api.h>
28 #include <vnet/tunnel/tunnel_types_api.h>
29 #include <vnet/fib/fib.h>
30 #include <vnet/ipip/ipip.h>
32 #include <vnet/vnet_msg_enum.h>
35 #include <vnet/ipsec/ipsec.h>
36 #include <vnet/ipsec/ipsec_tun.h>
37 #include <vnet/ipsec/ipsec_itf.h>
40 #define vl_typedefs /* define message structures */
41 #include <vnet/vnet_all_api_h.h>
44 #define vl_endianfun /* define message structures */
45 #include <vnet/vnet_all_api_h.h>
48 /* instantiate all the print functions we know about */
49 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
51 #include <vnet/vnet_all_api_h.h>
54 #include <vlibapi/api_helper_macros.h>
56 #define foreach_vpe_api_msg \
57 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
58 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
59 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
60 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
61 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
62 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
63 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
64 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
65 _(IPSEC_ITF_CREATE, ipsec_itf_create) \
66 _(IPSEC_ITF_DELETE, ipsec_itf_delete) \
67 _(IPSEC_ITF_DUMP, ipsec_itf_dump) \
68 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
69 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
70 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
71 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
72 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
73 _(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \
74 _(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump) \
75 _(IPSEC_SET_ASYNC_MODE, ipsec_set_async_mode)
78 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
81 clib_warning ("unimplemented");
84 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
85 vl_api_ipsec_spd_add_del_reply_t *rmp;
88 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
90 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
94 static void vl_api_ipsec_interface_add_del_spd_t_handler
95 (vl_api_ipsec_interface_add_del_spd_t * mp)
97 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
98 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
100 u32 sw_if_index __attribute__ ((unused));
101 u32 spd_id __attribute__ ((unused));
103 sw_if_index = ntohl (mp->sw_if_index);
104 spd_id = ntohl (mp->spd_id);
106 VALIDATE_SW_IF_INDEX (mp);
109 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
111 rv = VNET_API_ERROR_UNIMPLEMENTED;
114 BAD_SW_IF_INDEX_LABEL;
116 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
119 static void vl_api_ipsec_tunnel_protect_update_t_handler
120 (vl_api_ipsec_tunnel_protect_update_t * mp)
122 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
123 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
124 u32 sw_if_index, ii, *sa_ins = NULL;
128 sw_if_index = ntohl (mp->tunnel.sw_if_index);
130 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
134 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
135 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
137 ip_address_decode2 (&mp->tunnel.nh, &nh);
139 rv = ipsec_tun_protect_update (sw_if_index, &nh,
140 ntohl (mp->tunnel.sa_out), sa_ins);
142 rv = VNET_API_ERROR_UNIMPLEMENTED;
145 BAD_SW_IF_INDEX_LABEL;
147 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
150 static void vl_api_ipsec_tunnel_protect_del_t_handler
151 (vl_api_ipsec_tunnel_protect_del_t * mp)
153 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
154 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
159 sw_if_index = ntohl (mp->sw_if_index);
161 VALIDATE_SW_IF_INDEX (mp);
164 ip_address_decode2 (&mp->nh, &nh);
165 rv = ipsec_tun_protect_del (sw_if_index, &nh);
167 rv = VNET_API_ERROR_UNIMPLEMENTED;
170 BAD_SW_IF_INDEX_LABEL;
172 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
175 typedef struct ipsec_dump_walk_ctx_t_
177 vl_api_registration_t *reg;
179 } ipsec_dump_walk_ctx_t;
182 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
184 ipsec_dump_walk_ctx_t *ctx = arg;
185 vl_api_ipsec_tunnel_protect_details_t *mp;
186 ipsec_tun_protect_t *itp;
190 itp = ipsec_tun_protect_get (itpi);
192 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
193 clib_memset (mp, 0, sizeof (*mp));
194 mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
195 mp->context = ctx->context;
197 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
198 ip_address_encode2 (itp->itp_key, &mp->tun.nh);
200 sa = ipsec_sa_get (itp->itp_out_sa);
201 mp->tun.sa_out = htonl (sa->id);
202 mp->tun.n_sa_in = itp->itp_n_sa_in;
204 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
206 mp->tun.sa_in[ii++] = htonl (sa->id);
210 vl_api_send_msg (ctx->reg, (u8 *) mp);
212 return (WALK_CONTINUE);
216 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
219 vl_api_registration_t *reg;
223 reg = vl_api_client_index_to_registration (mp->client_index);
227 ipsec_dump_walk_ctx_t ctx = {
229 .context = mp->context,
232 sw_if_index = ntohl (mp->sw_if_index);
234 if (~0 == sw_if_index)
236 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
240 ipsec_tun_protect_walk_itf (sw_if_index,
241 send_ipsec_tunnel_protect_details, &ctx);
244 clib_warning ("unimplemented");
249 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
250 ipsec_policy_action_t * out)
252 in = clib_net_to_host_u32 (in);
256 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
257 *out = IPSEC_POLICY_ACTION_##f; \
259 foreach_ipsec_policy_action
262 return (VNET_API_ERROR_UNIMPLEMENTED);
265 static void vl_api_ipsec_spd_entry_add_del_t_handler
266 (vl_api_ipsec_spd_entry_add_del_t * mp)
268 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
269 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
279 clib_memset (&p, 0, sizeof (p));
281 p.id = ntohl (mp->entry.spd_id);
282 p.priority = ntohl (mp->entry.priority);
284 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
285 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
286 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
287 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
289 p.is_ipv6 = (itype == IP46_TYPE_IP6);
291 p.protocol = mp->entry.protocol;
292 p.rport.start = ntohs (mp->entry.remote_port_start);
293 p.rport.stop = ntohs (mp->entry.remote_port_stop);
294 p.lport.start = ntohs (mp->entry.local_port_start);
295 p.lport.stop = ntohs (mp->entry.local_port_stop);
297 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
302 /* policy action resolve unsupported */
303 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
305 clib_warning ("unsupported action: 'resolve'");
306 rv = VNET_API_ERROR_UNIMPLEMENTED;
309 p.sa_id = ntohl (mp->entry.sa_id);
311 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
316 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
321 rv = VNET_API_ERROR_UNIMPLEMENTED;
327 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
329 rmp->stat_index = ntohl(stat_index);
334 static void vl_api_ipsec_sad_entry_add_del_t_handler
335 (vl_api_ipsec_sad_entry_add_del_t * mp)
337 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
338 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
339 ip46_address_t tun_src = { }, tun_dst =
342 ipsec_key_t crypto_key, integ_key;
343 ipsec_crypto_alg_t crypto_alg;
344 ipsec_integ_alg_t integ_alg;
345 ipsec_protocol_t proto;
346 ipsec_sa_flags_t flags;
347 u32 id, spi, sa_index = ~0;
352 id = ntohl (mp->entry.sad_id);
353 spi = ntohl (mp->entry.spi);
355 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
360 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
365 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
370 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
371 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
373 flags = ipsec_sa_flags_decode (mp->entry.flags);
375 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
376 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
379 rv = ipsec_sa_add_and_lock (id, spi, proto,
380 crypto_alg, &crypto_key,
381 integ_alg, &integ_key, flags,
382 0, mp->entry.salt, &tun_src, &tun_dst,
383 &sa_index, htons (mp->entry.udp_src_port),
384 htons (mp->entry.udp_dst_port));
386 rv = ipsec_sa_unlock_id (id);
389 rv = VNET_API_ERROR_UNIMPLEMENTED;
394 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
396 rmp->stat_index = htonl (sa_index);
402 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
405 vl_api_ipsec_spds_details_t *mp;
408 mp = vl_msg_api_alloc (sizeof (*mp));
409 clib_memset (mp, 0, sizeof (*mp));
410 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
411 mp->context = context;
413 mp->spd_id = htonl (spd->id);
414 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
415 foreach_ipsec_spd_policy_type
417 mp->npolicies = htonl (n_policies);
419 vl_api_send_msg (reg, (u8 *) mp);
423 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
425 vl_api_registration_t *reg;
426 ipsec_main_t *im = &ipsec_main;
429 reg = vl_api_client_index_to_registration (mp->client_index);
434 pool_foreach (spd, im->spds, ({
435 send_ipsec_spds_details (spd, reg, mp->context);
439 clib_warning ("unimplemented");
443 vl_api_ipsec_spd_action_t
444 ipsec_spd_action_encode (ipsec_policy_action_t in)
446 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
450 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
451 out = IPSEC_API_SPD_ACTION_##f; \
453 foreach_ipsec_policy_action
456 return (clib_host_to_net_u32 (out));
460 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
463 vl_api_ipsec_spd_details_t *mp;
465 mp = vl_msg_api_alloc (sizeof (*mp));
466 clib_memset (mp, 0, sizeof (*mp));
467 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
468 mp->context = context;
470 mp->entry.spd_id = htonl (p->id);
471 mp->entry.priority = htonl (p->priority);
472 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
473 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
475 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
476 &mp->entry.local_address_start);
477 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
478 &mp->entry.local_address_stop);
479 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
480 &mp->entry.remote_address_start);
481 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
482 &mp->entry.remote_address_stop);
483 mp->entry.local_port_start = htons (p->lport.start);
484 mp->entry.local_port_stop = htons (p->lport.stop);
485 mp->entry.remote_port_start = htons (p->rport.start);
486 mp->entry.remote_port_stop = htons (p->rport.stop);
487 mp->entry.protocol = p->protocol;
488 mp->entry.policy = ipsec_spd_action_encode (p->policy);
489 mp->entry.sa_id = htonl (p->sa_id);
491 vl_api_send_msg (reg, (u8 *) mp);
495 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
497 vl_api_registration_t *reg;
498 ipsec_main_t *im = &ipsec_main;
499 ipsec_spd_policy_type_t ptype;
500 ipsec_policy_t *policy;
505 reg = vl_api_client_index_to_registration (mp->client_index);
509 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
514 spd = pool_elt_at_index (im->spds, spd_index);
517 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
518 vec_foreach(ii, spd->policies[ptype])
520 policy = pool_elt_at_index(im->policies, *ii);
522 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
523 send_ipsec_spd_details (policy, reg, mp->context);
528 clib_warning ("unimplemented");
533 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
534 u32 sw_if_index, u32 context)
536 vl_api_ipsec_spd_interface_details_t *mp;
538 mp = vl_msg_api_alloc (sizeof (*mp));
539 clib_memset (mp, 0, sizeof (*mp));
540 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
541 mp->context = context;
543 mp->spd_index = htonl (spd_index);
544 mp->sw_if_index = htonl (sw_if_index);
546 vl_api_send_msg (reg, (u8 *) mp);
550 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
553 ipsec_main_t *im = &ipsec_main;
554 vl_api_registration_t *reg;
558 reg = vl_api_client_index_to_registration (mp->client_index);
562 if (mp->spd_index_valid)
564 spd_index = ntohl (mp->spd_index);
566 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
568 send_ipsec_spd_interface_details(reg, v, k, mp->context);
575 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
576 send_ipsec_spd_interface_details(reg, v, k, mp->context);
582 clib_warning ("unimplemented");
587 ipsec_tun_mk_input_sa_id (u32 ti)
589 return (0x80000000 | ti);
593 ipsec_tun_mk_output_sa_id (u32 ti)
595 return (0xc0000000 | ti);
599 vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
602 vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
603 u32 sw_if_index = ~0;
607 ip46_address_t local_ip = ip46_address_initializer;
608 ip46_address_t remote_ip = ip46_address_initializer;
609 ipsec_key_t crypto_key, integ_key;
610 ipsec_sa_flags_t flags;
611 ip46_type_t local_ip_type, remote_ip_type;
612 ipip_transport_t transport;
615 local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
616 remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
617 transport = (IP46_TYPE_IP6 == local_ip_type ?
618 IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
620 if (local_ip_type != remote_ip_type)
622 rv = VNET_API_ERROR_INVALID_VALUE;
626 flags = IPSEC_SA_FLAG_NONE;
629 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
631 flags |= IPSEC_SA_FLAG_USE_ESN;
633 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
635 ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
636 mp->remote_crypto_key_len);
637 ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
638 ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
639 ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
642 fib_table_find (fib_proto_from_ip46 (local_ip_type),
643 ntohl (mp->tx_table_id));
647 rv = VNET_API_ERROR_NO_SUCH_FIB;
653 // remote = input, local = output
654 /* create an ip-ip tunnel, then the two SA, then bind them */
655 rv = ipip_add_tunnel (transport,
656 (mp->renumber ? ntohl (mp->show_instance) : ~0),
658 &remote_ip, fib_index,
659 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
660 TUNNEL_MODE_P2P, &sw_if_index);
665 rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
666 ntohl (mp->remote_spi),
672 (flags | IPSEC_SA_FLAG_IS_INBOUND),
673 ntohl (mp->tx_table_id),
674 mp->salt, &remote_ip, &local_ip, NULL,
675 IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
680 rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
681 ntohl (mp->local_spi),
688 ntohl (mp->tx_table_id),
689 mp->salt, &local_ip, &remote_ip, NULL,
690 IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
695 rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
696 ipsec_tun_mk_output_sa_id
698 ipsec_tun_mk_input_sa_id
703 /* the SAs are locked as a result of being used for proection,
704 * they cannot be removed from the API, since they cannot be refered
705 * to by the API. unlock them now, so that if the tunnel is rekeyed
708 ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
709 ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
714 ipip_tunnel_key_t key = {
715 .transport = transport,
716 .fib_index = fib_index,
722 ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
726 rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
727 ipip_del_tunnel (t->sw_if_index);
730 rv = VNET_API_ERROR_NO_SUCH_ENTRY;
734 rv = VNET_API_ERROR_UNIMPLEMENTED;
738 REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
740 rmp->sw_if_index = htonl (sw_if_index);
746 vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
748 vl_api_ipsec_itf_create_reply_t *rmp;
750 u32 sw_if_index = ~0;
753 rv = tunnel_mode_decode (mp->itf.mode, &mode);
756 rv = ipsec_itf_create (ntohl (mp->itf.user_instance), mode, &sw_if_index);
759 REPLY_MACRO2 (VL_API_IPSEC_ITF_CREATE_REPLY,
761 rmp->sw_if_index = htonl (sw_if_index);
767 vl_api_ipsec_itf_delete_t_handler (vl_api_ipsec_itf_delete_t * mp)
769 vl_api_ipsec_itf_delete_reply_t *rmp;
772 rv = ipsec_itf_delete (ntohl (mp->sw_if_index));
774 REPLY_MACRO (VL_API_IPSEC_ITF_DELETE_REPLY);
778 vl_api_ipsec_itf_dump_t_handler (vl_api_ipsec_itf_dump_t * mp)
782 typedef struct ipsec_sa_dump_match_ctx_t_
786 } ipsec_sa_dump_match_ctx_t;
789 ipsec_sa_dump_match_sa (index_t itpi, void *arg)
791 ipsec_sa_dump_match_ctx_t *ctx = arg;
792 ipsec_tun_protect_t *itp;
795 itp = ipsec_tun_protect_get (itpi);
797 if (itp->itp_out_sa == ctx->sai)
799 ctx->sw_if_index = itp->itp_sw_if_index;
803 FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
807 ctx->sw_if_index = itp->itp_sw_if_index;
813 return (WALK_CONTINUE);
817 send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
819 ipsec_dump_walk_ctx_t *ctx = arg;
820 vl_api_ipsec_sa_details_t *mp;
821 ipsec_main_t *im = &ipsec_main;
823 mp = vl_msg_api_alloc (sizeof (*mp));
824 clib_memset (mp, 0, sizeof (*mp));
825 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
826 mp->context = ctx->context;
828 mp->entry.sad_id = htonl (sa->id);
829 mp->entry.spi = htonl (sa->spi);
830 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
831 mp->entry.tx_table_id =
832 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
834 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
835 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
837 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
838 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
840 mp->entry.flags = ipsec_sad_flags_encode (sa);
841 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
843 if (ipsec_sa_is_set_IS_PROTECT (sa))
845 ipsec_sa_dump_match_ctx_t ctx = {
849 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
851 mp->sw_if_index = htonl (ctx.sw_if_index);
854 mp->sw_if_index = ~0;
856 if (ipsec_sa_is_set_IS_TUNNEL (sa))
858 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
859 &mp->entry.tunnel_src);
860 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
861 &mp->entry.tunnel_dst);
863 if (ipsec_sa_is_set_UDP_ENCAP (sa))
865 mp->entry.udp_src_port = sa->udp_hdr.src_port;
866 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
869 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
870 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
871 if (ipsec_sa_is_set_USE_ESN (sa))
873 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
874 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
876 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
877 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
879 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
881 vl_api_send_msg (ctx->reg, (u8 *) mp);
883 return (WALK_CONTINUE);
887 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
889 vl_api_registration_t *reg;
892 reg = vl_api_client_index_to_registration (mp->client_index);
896 ipsec_dump_walk_ctx_t ctx = {
898 .context = mp->context,
901 ipsec_sa_walk (send_ipsec_sa_details, &ctx);
904 clib_warning ("unimplemented");
909 vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
911 vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
915 VALIDATE_SW_IF_INDEX(mp);
918 rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
921 rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
925 clib_warning ("unimplemented");
928 BAD_SW_IF_INDEX_LABEL;
930 REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
934 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
936 vl_api_registration_t *rp;
937 ipsec_main_t *im = &ipsec_main;
938 u32 context = mp->context;
940 rp = vl_api_client_index_to_registration (mp->client_index);
944 clib_warning ("Client %d AWOL", mp->client_index);
948 ipsec_ah_backend_t *ab;
949 ipsec_esp_backend_t *eb;
951 pool_foreach (ab, im->ah_backends, {
952 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
953 clib_memset (mp, 0, sizeof (*mp));
954 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
955 mp->context = context;
956 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
958 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
959 mp->index = ab - im->ah_backends;
960 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
961 vl_api_send_msg (rp, (u8 *)mp);
963 pool_foreach (eb, im->esp_backends, {
964 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
965 clib_memset (mp, 0, sizeof (*mp));
966 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
967 mp->context = context;
968 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
970 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
971 mp->index = eb - im->esp_backends;
972 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
973 vl_api_send_msg (rp, (u8 *)mp);
979 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
981 ipsec_main_t *im = &ipsec_main;
982 vl_api_ipsec_select_backend_reply_t *rmp;
983 ipsec_protocol_t protocol;
985 if (pool_elts (im->sad) > 0)
987 rv = VNET_API_ERROR_INSTANCE_IN_USE;
991 rv = ipsec_proto_decode (mp->protocol, &protocol);
999 case IPSEC_PROTOCOL_ESP:
1000 rv = ipsec_select_esp_backend (im, mp->index);
1002 case IPSEC_PROTOCOL_AH:
1003 rv = ipsec_select_ah_backend (im, mp->index);
1006 rv = VNET_API_ERROR_INVALID_PROTOCOL;
1010 clib_warning ("unimplemented"); /* FIXME */
1013 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
1017 vl_api_ipsec_set_async_mode_t_handler (vl_api_ipsec_set_async_mode_t * mp)
1019 vl_api_ipsec_set_async_mode_reply_t *rmp;
1022 vnet_crypto_request_async_mode (mp->async_enable);
1023 ipsec_set_async_mode (mp->async_enable);
1025 REPLY_MACRO (VL_API_IPSEC_SET_ASYNC_MODE_REPLY);
1030 * Add vpe's API message handlers to the table.
1031 * vlib has already mapped shared memory and
1032 * added the client registration handlers.
1033 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
1035 #define vl_msg_name_crc_list
1036 #include <vnet/vnet_all_api_h.h>
1037 #undef vl_msg_name_crc_list
1040 setup_message_id_table (api_main_t * am)
1042 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
1043 foreach_vl_msg_name_crc_ipsec;
1047 static clib_error_t *
1048 ipsec_api_hookup (vlib_main_t * vm)
1050 api_main_t *am = vlibapi_get_main ();
1053 vl_msg_api_set_handlers(VL_API_##N, #n, \
1054 vl_api_##n##_t_handler, \
1056 vl_api_##n##_t_endian, \
1057 vl_api_##n##_t_print, \
1058 sizeof(vl_api_##n##_t), 1);
1059 foreach_vpe_api_msg;
1063 * Set up the (msg_name, crc, message-id) table
1065 setup_message_id_table (am);
1070 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1073 * fd.io coding-style-patch-verification: ON
1076 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob