2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/fib/fib.h>
29 #include <vnet/vnet_msg_enum.h>
32 #include <vnet/ipsec/ipsec.h>
33 #include <vnet/ipsec/ipsec_tun.h>
36 #define vl_typedefs /* define message structures */
37 #include <vnet/vnet_all_api_h.h>
40 #define vl_endianfun /* define message structures */
41 #include <vnet/vnet_all_api_h.h>
44 /* instantiate all the print functions we know about */
45 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
47 #include <vnet/vnet_all_api_h.h>
50 #include <vlibapi/api_helper_macros.h>
52 #define foreach_vpe_api_msg \
53 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
54 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
55 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
56 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
57 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
58 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
59 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
60 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
61 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
62 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
63 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
64 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
65 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
66 _(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \
67 _(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump)
70 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
73 clib_warning ("unimplemented");
76 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
77 vl_api_ipsec_spd_add_del_reply_t *rmp;
80 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
82 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
86 static void vl_api_ipsec_interface_add_del_spd_t_handler
87 (vl_api_ipsec_interface_add_del_spd_t * mp)
89 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
90 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
92 u32 sw_if_index __attribute__ ((unused));
93 u32 spd_id __attribute__ ((unused));
95 sw_if_index = ntohl (mp->sw_if_index);
96 spd_id = ntohl (mp->spd_id);
98 VALIDATE_SW_IF_INDEX (mp);
101 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
103 rv = VNET_API_ERROR_UNIMPLEMENTED;
106 BAD_SW_IF_INDEX_LABEL;
108 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
111 static void vl_api_ipsec_tunnel_protect_update_t_handler
112 (vl_api_ipsec_tunnel_protect_update_t * mp)
114 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
115 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
116 u32 sw_if_index, ii, *sa_ins = NULL;
119 sw_if_index = ntohl (mp->tunnel.sw_if_index);
121 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
125 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
126 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
128 rv = ipsec_tun_protect_update (sw_if_index,
129 ntohl (mp->tunnel.sa_out), sa_ins);
131 rv = VNET_API_ERROR_UNIMPLEMENTED;
134 BAD_SW_IF_INDEX_LABEL;
136 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
139 static void vl_api_ipsec_tunnel_protect_del_t_handler
140 (vl_api_ipsec_tunnel_protect_del_t * mp)
142 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
143 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
147 sw_if_index = ntohl (mp->sw_if_index);
149 VALIDATE_SW_IF_INDEX (mp);
152 rv = ipsec_tun_protect_del (sw_if_index);
154 rv = VNET_API_ERROR_UNIMPLEMENTED;
157 BAD_SW_IF_INDEX_LABEL;
159 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
162 typedef struct ipsec_tunnel_protect_walk_ctx_t_
164 vl_api_registration_t *reg;
166 } ipsec_tunnel_protect_walk_ctx_t;
169 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
171 ipsec_tunnel_protect_walk_ctx_t *ctx = arg;
172 vl_api_ipsec_tunnel_protect_details_t *mp;
173 ipsec_tun_protect_t *itp;
176 itp = ipsec_tun_protect_get (itpi);
179 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
180 clib_memset (mp, 0, sizeof (*mp));
181 mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
182 mp->context = ctx->context;
184 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
186 mp->tun.sa_out = htonl (itp->itp_out_sa);
187 mp->tun.n_sa_in = itp->itp_n_sa_in;
189 FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
191 mp->tun.sa_in[ii++] = htonl (sai);
195 vl_api_send_msg (ctx->reg, (u8 *) mp);
197 return (WALK_CONTINUE);
201 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
204 vl_api_registration_t *reg;
208 reg = vl_api_client_index_to_registration (mp->client_index);
212 ipsec_tunnel_protect_walk_ctx_t ctx = {
214 .context = mp->context,
217 sw_if_index = ntohl (mp->sw_if_index);
219 if (~0 == sw_if_index)
221 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
227 itpi = ipsec_tun_protect_find (sw_if_index);
229 if (INDEX_INVALID != itpi)
230 send_ipsec_tunnel_protect_details (itpi, &ctx);
233 clib_warning ("unimplemented");
238 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
239 ipsec_policy_action_t * out)
241 in = clib_net_to_host_u32 (in);
245 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
246 *out = IPSEC_POLICY_ACTION_##f; \
248 foreach_ipsec_policy_action
251 return (VNET_API_ERROR_UNIMPLEMENTED);
254 static void vl_api_ipsec_spd_entry_add_del_t_handler
255 (vl_api_ipsec_spd_entry_add_del_t * mp)
257 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
258 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
268 clib_memset (&p, 0, sizeof (p));
270 p.id = ntohl (mp->entry.spd_id);
271 p.priority = ntohl (mp->entry.priority);
273 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
274 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
275 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
276 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
278 p.is_ipv6 = (itype == IP46_TYPE_IP6);
280 p.protocol = mp->entry.protocol;
281 p.rport.start = ntohs (mp->entry.remote_port_start);
282 p.rport.stop = ntohs (mp->entry.remote_port_stop);
283 p.lport.start = ntohs (mp->entry.local_port_start);
284 p.lport.stop = ntohs (mp->entry.local_port_stop);
286 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
291 /* policy action resolve unsupported */
292 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
294 clib_warning ("unsupported action: 'resolve'");
295 rv = VNET_API_ERROR_UNIMPLEMENTED;
298 p.sa_id = ntohl (mp->entry.sa_id);
300 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
305 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
310 rv = VNET_API_ERROR_UNIMPLEMENTED;
316 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
318 rmp->stat_index = ntohl(stat_index);
324 ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
326 in = clib_net_to_host_u32 (in);
330 case IPSEC_API_PROTO_ESP:
331 *out = IPSEC_PROTOCOL_ESP;
333 case IPSEC_API_PROTO_AH:
334 *out = IPSEC_PROTOCOL_AH;
337 return (VNET_API_ERROR_INVALID_PROTOCOL);
340 static vl_api_ipsec_proto_t
341 ipsec_proto_encode (ipsec_protocol_t p)
345 case IPSEC_PROTOCOL_ESP:
346 return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
347 case IPSEC_PROTOCOL_AH:
348 return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
350 return (VNET_API_ERROR_UNIMPLEMENTED);
354 ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
355 ipsec_crypto_alg_t * out)
357 in = clib_net_to_host_u32 (in);
361 #define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \
362 *out = IPSEC_CRYPTO_ALG_##f; \
364 foreach_ipsec_crypto_alg
367 return (VNET_API_ERROR_INVALID_ALGORITHM);
370 static vl_api_ipsec_crypto_alg_t
371 ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
375 #define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \
376 return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
377 foreach_ipsec_crypto_alg
379 case IPSEC_CRYPTO_N_ALG:
383 return (VNET_API_ERROR_UNIMPLEMENTED);
388 ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
390 in = clib_net_to_host_u32 (in);
394 #define _(v,f,s) case IPSEC_API_INTEG_ALG_##f: \
395 *out = IPSEC_INTEG_ALG_##f; \
397 foreach_ipsec_integ_alg
400 return (VNET_API_ERROR_INVALID_ALGORITHM);
403 static vl_api_ipsec_integ_alg_t
404 ipsec_integ_algo_encode (ipsec_integ_alg_t i)
408 #define _(v,f,s) case IPSEC_INTEG_ALG_##f: \
409 return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
410 foreach_ipsec_integ_alg
412 case IPSEC_INTEG_N_ALG:
416 return (VNET_API_ERROR_UNIMPLEMENTED);
420 ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
422 ipsec_mk_key (out, key->data, key->length);
426 ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
428 out->length = in->len;
429 clib_memcpy (out->data, in->data, out->length);
432 static ipsec_sa_flags_t
433 ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
435 ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
436 in = clib_net_to_host_u32 (in);
438 if (in & IPSEC_API_SAD_FLAG_USE_ESN)
439 flags |= IPSEC_SA_FLAG_USE_ESN;
440 if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
441 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
442 if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
443 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
444 if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
445 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
446 if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
447 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
452 static vl_api_ipsec_sad_flags_t
453 ipsec_sad_flags_encode (const ipsec_sa_t * sa)
455 vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
457 if (ipsec_sa_is_set_USE_ESN (sa))
458 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
459 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
460 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
461 if (ipsec_sa_is_set_IS_TUNNEL (sa))
462 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
463 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
464 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
465 if (ipsec_sa_is_set_UDP_ENCAP (sa))
466 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
468 return clib_host_to_net_u32 (flags);
471 static void vl_api_ipsec_sad_entry_add_del_t_handler
472 (vl_api_ipsec_sad_entry_add_del_t * mp)
474 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
475 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
476 ip46_address_t tun_src = { }, tun_dst =
479 ipsec_key_t crypto_key, integ_key;
480 ipsec_crypto_alg_t crypto_alg;
481 ipsec_integ_alg_t integ_alg;
482 ipsec_protocol_t proto;
483 ipsec_sa_flags_t flags;
484 u32 id, spi, sa_index = ~0;
489 id = ntohl (mp->entry.sad_id);
490 spi = ntohl (mp->entry.spi);
492 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
497 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
502 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
507 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
508 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
510 flags = ipsec_sa_flags_decode (mp->entry.flags);
512 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
513 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
516 rv = ipsec_sa_add_and_lock (id, spi, proto,
517 crypto_alg, &crypto_key,
518 integ_alg, &integ_key, flags,
519 0, mp->entry.salt, &tun_src, &tun_dst,
522 rv = ipsec_sa_unlock_id (id);
525 rv = VNET_API_ERROR_UNIMPLEMENTED;
530 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
532 rmp->stat_index = htonl (sa_index);
538 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
541 vl_api_ipsec_spds_details_t *mp;
544 mp = vl_msg_api_alloc (sizeof (*mp));
545 clib_memset (mp, 0, sizeof (*mp));
546 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
547 mp->context = context;
549 mp->spd_id = htonl (spd->id);
550 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
551 foreach_ipsec_spd_policy_type
553 mp->npolicies = htonl (n_policies);
555 vl_api_send_msg (reg, (u8 *) mp);
559 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
561 vl_api_registration_t *reg;
562 ipsec_main_t *im = &ipsec_main;
565 reg = vl_api_client_index_to_registration (mp->client_index);
570 pool_foreach (spd, im->spds, ({
571 send_ipsec_spds_details (spd, reg, mp->context);
575 clib_warning ("unimplemented");
579 vl_api_ipsec_spd_action_t
580 ipsec_spd_action_encode (ipsec_policy_action_t in)
582 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
586 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
587 out = IPSEC_API_SPD_ACTION_##f; \
589 foreach_ipsec_policy_action
592 return (clib_host_to_net_u32 (out));
596 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
599 vl_api_ipsec_spd_details_t *mp;
601 mp = vl_msg_api_alloc (sizeof (*mp));
602 clib_memset (mp, 0, sizeof (*mp));
603 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
604 mp->context = context;
606 mp->entry.spd_id = htonl (p->id);
607 mp->entry.priority = htonl (p->priority);
608 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
609 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
611 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
612 &mp->entry.local_address_start);
613 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
614 &mp->entry.local_address_stop);
615 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
616 &mp->entry.remote_address_start);
617 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
618 &mp->entry.remote_address_stop);
619 mp->entry.local_port_start = htons (p->lport.start);
620 mp->entry.local_port_stop = htons (p->lport.stop);
621 mp->entry.remote_port_start = htons (p->rport.start);
622 mp->entry.remote_port_stop = htons (p->rport.stop);
623 mp->entry.protocol = p->protocol;
624 mp->entry.policy = ipsec_spd_action_encode (p->policy);
625 mp->entry.sa_id = htonl (p->sa_id);
627 vl_api_send_msg (reg, (u8 *) mp);
631 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
633 vl_api_registration_t *reg;
634 ipsec_main_t *im = &ipsec_main;
635 ipsec_spd_policy_type_t ptype;
636 ipsec_policy_t *policy;
641 reg = vl_api_client_index_to_registration (mp->client_index);
645 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
650 spd = pool_elt_at_index (im->spds, spd_index);
653 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
654 vec_foreach(ii, spd->policies[ptype])
656 policy = pool_elt_at_index(im->policies, *ii);
658 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
659 send_ipsec_spd_details (policy, reg, mp->context);
664 clib_warning ("unimplemented");
669 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
670 u32 sw_if_index, u32 context)
672 vl_api_ipsec_spd_interface_details_t *mp;
674 mp = vl_msg_api_alloc (sizeof (*mp));
675 clib_memset (mp, 0, sizeof (*mp));
676 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
677 mp->context = context;
679 mp->spd_index = htonl (spd_index);
680 mp->sw_if_index = htonl (sw_if_index);
682 vl_api_send_msg (reg, (u8 *) mp);
686 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
689 ipsec_main_t *im = &ipsec_main;
690 vl_api_registration_t *reg;
694 reg = vl_api_client_index_to_registration (mp->client_index);
698 if (mp->spd_index_valid)
700 spd_index = ntohl (mp->spd_index);
702 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
704 send_ipsec_spd_interface_details(reg, v, k, mp->context);
711 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
712 send_ipsec_spd_interface_details(reg, v, k, mp->context);
718 clib_warning ("unimplemented");
723 vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
726 vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
727 ipsec_main_t *im = &ipsec_main;
728 vnet_main_t *vnm = im->vnet_main;
729 u32 sw_if_index = ~0;
734 ipsec_add_del_tunnel_args_t tun;
736 clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
738 tun.is_add = mp->is_add;
740 tun.anti_replay = mp->anti_replay;
741 tun.local_spi = ntohl (mp->local_spi);
742 tun.remote_spi = ntohl (mp->remote_spi);
743 tun.crypto_alg = mp->crypto_alg;
744 tun.local_crypto_key_len = mp->local_crypto_key_len;
745 tun.remote_crypto_key_len = mp->remote_crypto_key_len;
746 tun.integ_alg = mp->integ_alg;
747 tun.local_integ_key_len = mp->local_integ_key_len;
748 tun.remote_integ_key_len = mp->remote_integ_key_len;
749 tun.udp_encap = mp->udp_encap;
750 tun.tx_table_id = ntohl (mp->tx_table_id);
752 itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
753 itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
754 tun.is_ip6 = (IP46_TYPE_IP6 == itype);
755 memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
756 mp->local_crypto_key_len);
757 memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
758 mp->remote_crypto_key_len);
759 memcpy (&tun.local_integ_key, &mp->local_integ_key,
760 mp->local_integ_key_len);
761 memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
762 mp->remote_integ_key_len);
763 tun.renumber = mp->renumber;
764 tun.show_instance = ntohl (mp->show_instance);
766 rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
769 rv = VNET_API_ERROR_UNIMPLEMENTED;
773 REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
775 rmp->sw_if_index = htonl (sw_if_index);
781 send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
782 u32 context, u32 sw_if_index)
784 vl_api_ipsec_sa_details_t *mp;
786 mp = vl_msg_api_alloc (sizeof (*mp));
787 clib_memset (mp, 0, sizeof (*mp));
788 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
789 mp->context = context;
791 mp->entry.sad_id = htonl (sa->id);
792 mp->entry.spi = htonl (sa->spi);
793 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
794 mp->entry.tx_table_id =
795 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
797 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
798 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
800 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
801 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
803 mp->entry.flags = ipsec_sad_flags_encode (sa);
805 if (ipsec_sa_is_set_IS_TUNNEL (sa))
807 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
808 &mp->entry.tunnel_src);
809 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
810 &mp->entry.tunnel_dst);
813 mp->sw_if_index = htonl (sw_if_index);
814 mp->salt = clib_host_to_net_u32 (sa->salt);
815 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
816 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
817 if (ipsec_sa_is_set_USE_ESN (sa))
819 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
820 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
822 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
823 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
825 vl_api_send_msg (reg, (u8 *) mp);
830 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
832 vl_api_registration_t *reg;
833 ipsec_main_t *im = &ipsec_main;
834 vnet_main_t *vnm = im->vnet_main;
836 ipsec_tunnel_if_t *t;
837 u32 *sa_index_to_tun_if_index = 0;
840 reg = vl_api_client_index_to_registration (mp->client_index);
841 if (!reg || pool_elts (im->sad) == 0)
844 vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
848 pool_foreach (t, im->tunnel_interfaces,
850 vnet_hw_interface_t *hi;
851 u32 sw_if_index = ~0;
853 hi = vnet_get_hw_interface (vnm, t->hw_if_index);
854 sw_if_index = hi->sw_if_index;
855 sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
856 sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
859 pool_foreach (sa, im->sad,
861 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
862 send_ipsec_sa_details (sa, reg, mp->context,
863 sa_index_to_tun_if_index[sa - im->sad]);
867 vec_free (sa_index_to_tun_if_index);
869 clib_warning ("unimplemented");
874 vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
876 vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
877 ipsec_main_t *im = &ipsec_main;
878 vnet_main_t *vnm = im->vnet_main;
879 vnet_sw_interface_t *sw;
883 sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
885 rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
888 clib_warning ("unimplemented");
891 REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
895 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
897 vl_api_registration_t *rp;
898 ipsec_main_t *im = &ipsec_main;
899 u32 context = mp->context;
901 rp = vl_api_client_index_to_registration (mp->client_index);
905 clib_warning ("Client %d AWOL", mp->client_index);
909 ipsec_ah_backend_t *ab;
910 ipsec_esp_backend_t *eb;
912 pool_foreach (ab, im->ah_backends, {
913 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
914 clib_memset (mp, 0, sizeof (*mp));
915 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
916 mp->context = context;
917 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
919 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
920 mp->index = ab - im->ah_backends;
921 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
922 vl_api_send_msg (rp, (u8 *)mp);
924 pool_foreach (eb, im->esp_backends, {
925 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
926 clib_memset (mp, 0, sizeof (*mp));
927 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
928 mp->context = context;
929 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
931 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
932 mp->index = eb - im->esp_backends;
933 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
934 vl_api_send_msg (rp, (u8 *)mp);
940 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
942 ipsec_main_t *im = &ipsec_main;
943 vl_api_ipsec_select_backend_reply_t *rmp;
944 ipsec_protocol_t protocol;
946 if (pool_elts (im->sad) > 0)
948 rv = VNET_API_ERROR_INSTANCE_IN_USE;
952 rv = ipsec_proto_decode (mp->protocol, &protocol);
960 case IPSEC_PROTOCOL_ESP:
961 rv = ipsec_select_esp_backend (im, mp->index);
963 case IPSEC_PROTOCOL_AH:
964 rv = ipsec_select_ah_backend (im, mp->index);
967 rv = VNET_API_ERROR_INVALID_PROTOCOL;
971 clib_warning ("unimplemented"); /* FIXME */
974 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
979 * Add vpe's API message handlers to the table.
980 * vlib has already mapped shared memory and
981 * added the client registration handlers.
982 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
984 #define vl_msg_name_crc_list
985 #include <vnet/vnet_all_api_h.h>
986 #undef vl_msg_name_crc_list
989 setup_message_id_table (api_main_t * am)
991 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
992 foreach_vl_msg_name_crc_ipsec;
996 static clib_error_t *
997 ipsec_api_hookup (vlib_main_t * vm)
999 api_main_t *am = &api_main;
1002 vl_msg_api_set_handlers(VL_API_##N, #n, \
1003 vl_api_##n##_t_handler, \
1005 vl_api_##n##_t_endian, \
1006 vl_api_##n##_t_print, \
1007 sizeof(vl_api_##n##_t), 1);
1008 foreach_vpe_api_msg;
1012 * Adding and deleting SAs is MP safe since when they are added/delete
1013 * no traffic is using them
1015 am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1;
1016 am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1;
1019 * Set up the (msg_name, crc, message-id) table
1021 setup_message_id_table (am);
1026 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1029 * fd.io coding-style-patch-verification: ON
1032 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob