2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/fib/fib.h>
29 #include <vnet/vnet_msg_enum.h>
32 #include <vnet/ipsec/ipsec.h>
33 #include <vnet/ipsec/ipsec_tun.h>
36 #define vl_typedefs /* define message structures */
37 #include <vnet/vnet_all_api_h.h>
40 #define vl_endianfun /* define message structures */
41 #include <vnet/vnet_all_api_h.h>
44 /* instantiate all the print functions we know about */
45 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
47 #include <vnet/vnet_all_api_h.h>
50 #include <vlibapi/api_helper_macros.h>
52 #define foreach_vpe_api_msg \
53 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
54 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
55 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
56 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
57 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
58 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
59 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
60 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
61 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
62 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
63 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
64 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
65 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
66 _(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \
67 _(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump)
70 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
73 clib_warning ("unimplemented");
76 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
77 vl_api_ipsec_spd_add_del_reply_t *rmp;
80 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
82 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
86 static void vl_api_ipsec_interface_add_del_spd_t_handler
87 (vl_api_ipsec_interface_add_del_spd_t * mp)
89 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
90 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
92 u32 sw_if_index __attribute__ ((unused));
93 u32 spd_id __attribute__ ((unused));
95 sw_if_index = ntohl (mp->sw_if_index);
96 spd_id = ntohl (mp->spd_id);
98 VALIDATE_SW_IF_INDEX (mp);
101 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
103 rv = VNET_API_ERROR_UNIMPLEMENTED;
106 BAD_SW_IF_INDEX_LABEL;
108 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
111 static void vl_api_ipsec_tunnel_protect_update_t_handler
112 (vl_api_ipsec_tunnel_protect_update_t * mp)
114 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
115 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
116 u32 sw_if_index, ii, *sa_ins = NULL;
119 sw_if_index = ntohl (mp->tunnel.sw_if_index);
121 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
125 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
126 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
128 rv = ipsec_tun_protect_update (sw_if_index,
129 ntohl (mp->tunnel.sa_out), sa_ins);
131 rv = VNET_API_ERROR_UNIMPLEMENTED;
134 BAD_SW_IF_INDEX_LABEL;
136 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
139 static void vl_api_ipsec_tunnel_protect_del_t_handler
140 (vl_api_ipsec_tunnel_protect_del_t * mp)
142 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
143 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
147 sw_if_index = ntohl (mp->sw_if_index);
149 VALIDATE_SW_IF_INDEX (mp);
152 rv = ipsec_tun_protect_del (sw_if_index);
154 rv = VNET_API_ERROR_UNIMPLEMENTED;
157 BAD_SW_IF_INDEX_LABEL;
159 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
162 typedef struct ipsec_tunnel_protect_walk_ctx_t_
164 vl_api_registration_t *reg;
166 } ipsec_tunnel_protect_walk_ctx_t;
169 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
171 ipsec_tunnel_protect_walk_ctx_t *ctx = arg;
172 vl_api_ipsec_tunnel_protect_details_t *mp;
173 ipsec_tun_protect_t *itp;
176 itp = ipsec_tun_protect_get (itpi);
179 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
180 clib_memset (mp, 0, sizeof (*mp));
181 mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
182 mp->context = ctx->context;
184 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
186 mp->tun.sa_out = htonl (itp->itp_out_sa);
187 mp->tun.n_sa_in = itp->itp_n_sa_in;
189 FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
191 mp->tun.sa_in[ii++] = htonl (sai);
195 vl_api_send_msg (ctx->reg, (u8 *) mp);
197 return (WALK_CONTINUE);
201 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
204 vl_api_registration_t *reg;
208 reg = vl_api_client_index_to_registration (mp->client_index);
212 ipsec_tunnel_protect_walk_ctx_t ctx = {
214 .context = mp->context,
217 sw_if_index = ntohl (mp->sw_if_index);
219 if (~0 == sw_if_index)
221 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
227 itpi = ipsec_tun_protect_find (sw_if_index);
229 if (INDEX_INVALID != itpi)
230 send_ipsec_tunnel_protect_details (itpi, &ctx);
233 clib_warning ("unimplemented");
238 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
239 ipsec_policy_action_t * out)
241 in = clib_net_to_host_u32 (in);
245 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
246 *out = IPSEC_POLICY_ACTION_##f; \
248 foreach_ipsec_policy_action
251 return (VNET_API_ERROR_UNIMPLEMENTED);
254 static void vl_api_ipsec_spd_entry_add_del_t_handler
255 (vl_api_ipsec_spd_entry_add_del_t * mp)
257 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
258 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
268 clib_memset (&p, 0, sizeof (p));
270 p.id = ntohl (mp->entry.spd_id);
271 p.priority = ntohl (mp->entry.priority);
273 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
274 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
275 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
276 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
278 p.is_ipv6 = (itype == IP46_TYPE_IP6);
280 p.protocol = mp->entry.protocol;
281 p.rport.start = ntohs (mp->entry.remote_port_start);
282 p.rport.stop = ntohs (mp->entry.remote_port_stop);
283 p.lport.start = ntohs (mp->entry.local_port_start);
284 p.lport.stop = ntohs (mp->entry.local_port_stop);
286 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
291 /* policy action resolve unsupported */
292 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
294 clib_warning ("unsupported action: 'resolve'");
295 rv = VNET_API_ERROR_UNIMPLEMENTED;
298 p.sa_id = ntohl (mp->entry.sa_id);
300 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
305 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
310 rv = VNET_API_ERROR_UNIMPLEMENTED;
316 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
318 rmp->stat_index = ntohl(stat_index);
324 ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
326 in = clib_net_to_host_u32 (in);
330 case IPSEC_API_PROTO_ESP:
331 *out = IPSEC_PROTOCOL_ESP;
333 case IPSEC_API_PROTO_AH:
334 *out = IPSEC_PROTOCOL_AH;
337 return (VNET_API_ERROR_INVALID_PROTOCOL);
340 static vl_api_ipsec_proto_t
341 ipsec_proto_encode (ipsec_protocol_t p)
345 case IPSEC_PROTOCOL_ESP:
346 return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
347 case IPSEC_PROTOCOL_AH:
348 return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
350 return (VNET_API_ERROR_UNIMPLEMENTED);
354 ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
355 ipsec_crypto_alg_t * out)
357 in = clib_net_to_host_u32 (in);
361 #define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \
362 *out = IPSEC_CRYPTO_ALG_##f; \
364 foreach_ipsec_crypto_alg
367 return (VNET_API_ERROR_INVALID_ALGORITHM);
370 static vl_api_ipsec_crypto_alg_t
371 ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
375 #define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \
376 return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
377 foreach_ipsec_crypto_alg
379 case IPSEC_CRYPTO_N_ALG:
383 return (VNET_API_ERROR_UNIMPLEMENTED);
388 ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
390 in = clib_net_to_host_u32 (in);
394 #define _(v,f,s) case IPSEC_API_INTEG_ALG_##f: \
395 *out = IPSEC_INTEG_ALG_##f; \
397 foreach_ipsec_integ_alg
400 return (VNET_API_ERROR_INVALID_ALGORITHM);
403 static vl_api_ipsec_integ_alg_t
404 ipsec_integ_algo_encode (ipsec_integ_alg_t i)
408 #define _(v,f,s) case IPSEC_INTEG_ALG_##f: \
409 return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
410 foreach_ipsec_integ_alg
412 case IPSEC_INTEG_N_ALG:
416 return (VNET_API_ERROR_UNIMPLEMENTED);
420 ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
422 ipsec_mk_key (out, key->data, key->length);
426 ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
428 out->length = in->len;
429 clib_memcpy (out->data, in->data, out->length);
432 static ipsec_sa_flags_t
433 ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
435 ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
436 in = clib_net_to_host_u32 (in);
438 if (in & IPSEC_API_SAD_FLAG_USE_ESN)
439 flags |= IPSEC_SA_FLAG_USE_ESN;
440 if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
441 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
442 if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
443 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
444 if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
445 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
446 if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
447 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
452 static vl_api_ipsec_sad_flags_t
453 ipsec_sad_flags_encode (const ipsec_sa_t * sa)
455 vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
457 if (ipsec_sa_is_set_USE_ESN (sa))
458 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
459 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
460 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
461 if (ipsec_sa_is_set_IS_TUNNEL (sa))
462 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
463 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
464 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
465 if (ipsec_sa_is_set_UDP_ENCAP (sa))
466 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
468 return clib_host_to_net_u32 (flags);
471 static void vl_api_ipsec_sad_entry_add_del_t_handler
472 (vl_api_ipsec_sad_entry_add_del_t * mp)
474 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
475 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
476 ip46_address_t tun_src = { }, tun_dst =
479 ipsec_key_t crypto_key, integ_key;
480 ipsec_crypto_alg_t crypto_alg;
481 ipsec_integ_alg_t integ_alg;
482 ipsec_protocol_t proto;
483 ipsec_sa_flags_t flags;
484 u32 id, spi, sa_index = ~0;
489 id = ntohl (mp->entry.sad_id);
490 spi = ntohl (mp->entry.spi);
492 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
497 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
502 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
507 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
508 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
510 flags = ipsec_sa_flags_decode (mp->entry.flags);
512 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
513 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
516 rv = ipsec_sa_add (id, spi, proto,
517 crypto_alg, &crypto_key,
518 integ_alg, &integ_key, flags,
519 0, mp->entry.salt, &tun_src, &tun_dst, &sa_index);
521 rv = ipsec_sa_del (id);
524 rv = VNET_API_ERROR_UNIMPLEMENTED;
529 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
531 rmp->stat_index = htonl (sa_index);
537 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
540 vl_api_ipsec_spds_details_t *mp;
543 mp = vl_msg_api_alloc (sizeof (*mp));
544 clib_memset (mp, 0, sizeof (*mp));
545 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
546 mp->context = context;
548 mp->spd_id = htonl (spd->id);
549 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
550 foreach_ipsec_spd_policy_type
552 mp->npolicies = htonl (n_policies);
554 vl_api_send_msg (reg, (u8 *) mp);
558 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
560 vl_api_registration_t *reg;
561 ipsec_main_t *im = &ipsec_main;
564 reg = vl_api_client_index_to_registration (mp->client_index);
569 pool_foreach (spd, im->spds, ({
570 send_ipsec_spds_details (spd, reg, mp->context);
574 clib_warning ("unimplemented");
578 vl_api_ipsec_spd_action_t
579 ipsec_spd_action_encode (ipsec_policy_action_t in)
581 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
585 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
586 out = IPSEC_API_SPD_ACTION_##f; \
588 foreach_ipsec_policy_action
591 return (clib_host_to_net_u32 (out));
595 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
598 vl_api_ipsec_spd_details_t *mp;
600 mp = vl_msg_api_alloc (sizeof (*mp));
601 clib_memset (mp, 0, sizeof (*mp));
602 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
603 mp->context = context;
605 mp->entry.spd_id = htonl (p->id);
606 mp->entry.priority = htonl (p->priority);
607 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
608 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
610 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
611 &mp->entry.local_address_start);
612 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
613 &mp->entry.local_address_stop);
614 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
615 &mp->entry.remote_address_start);
616 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
617 &mp->entry.remote_address_stop);
618 mp->entry.local_port_start = htons (p->lport.start);
619 mp->entry.local_port_stop = htons (p->lport.stop);
620 mp->entry.remote_port_start = htons (p->rport.start);
621 mp->entry.remote_port_stop = htons (p->rport.stop);
622 mp->entry.protocol = p->protocol;
623 mp->entry.policy = ipsec_spd_action_encode (p->policy);
624 mp->entry.sa_id = htonl (p->sa_id);
626 vl_api_send_msg (reg, (u8 *) mp);
630 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
632 vl_api_registration_t *reg;
633 ipsec_main_t *im = &ipsec_main;
634 ipsec_spd_policy_type_t ptype;
635 ipsec_policy_t *policy;
640 reg = vl_api_client_index_to_registration (mp->client_index);
644 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
649 spd = pool_elt_at_index (im->spds, spd_index);
652 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
653 vec_foreach(ii, spd->policies[ptype])
655 policy = pool_elt_at_index(im->policies, *ii);
657 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
658 send_ipsec_spd_details (policy, reg, mp->context);
663 clib_warning ("unimplemented");
668 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
669 u32 sw_if_index, u32 context)
671 vl_api_ipsec_spd_interface_details_t *mp;
673 mp = vl_msg_api_alloc (sizeof (*mp));
674 clib_memset (mp, 0, sizeof (*mp));
675 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
676 mp->context = context;
678 mp->spd_index = htonl (spd_index);
679 mp->sw_if_index = htonl (sw_if_index);
681 vl_api_send_msg (reg, (u8 *) mp);
685 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
688 ipsec_main_t *im = &ipsec_main;
689 vl_api_registration_t *reg;
693 reg = vl_api_client_index_to_registration (mp->client_index);
697 if (mp->spd_index_valid)
699 spd_index = ntohl (mp->spd_index);
701 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
703 send_ipsec_spd_interface_details(reg, v, k, mp->context);
710 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
711 send_ipsec_spd_interface_details(reg, v, k, mp->context);
717 clib_warning ("unimplemented");
722 vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
725 vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
726 ipsec_main_t *im = &ipsec_main;
727 vnet_main_t *vnm = im->vnet_main;
728 u32 sw_if_index = ~0;
733 ipsec_add_del_tunnel_args_t tun;
735 clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
737 tun.is_add = mp->is_add;
739 tun.anti_replay = mp->anti_replay;
740 tun.local_spi = ntohl (mp->local_spi);
741 tun.remote_spi = ntohl (mp->remote_spi);
742 tun.crypto_alg = mp->crypto_alg;
743 tun.local_crypto_key_len = mp->local_crypto_key_len;
744 tun.remote_crypto_key_len = mp->remote_crypto_key_len;
745 tun.integ_alg = mp->integ_alg;
746 tun.local_integ_key_len = mp->local_integ_key_len;
747 tun.remote_integ_key_len = mp->remote_integ_key_len;
748 tun.udp_encap = mp->udp_encap;
749 tun.tx_table_id = ntohl (mp->tx_table_id);
751 itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
752 itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
753 tun.is_ip6 = (IP46_TYPE_IP6 == itype);
754 memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
755 mp->local_crypto_key_len);
756 memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
757 mp->remote_crypto_key_len);
758 memcpy (&tun.local_integ_key, &mp->local_integ_key,
759 mp->local_integ_key_len);
760 memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
761 mp->remote_integ_key_len);
762 tun.renumber = mp->renumber;
763 tun.show_instance = ntohl (mp->show_instance);
765 rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
768 rv = VNET_API_ERROR_UNIMPLEMENTED;
772 REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
774 rmp->sw_if_index = htonl (sw_if_index);
780 send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
781 u32 context, u32 sw_if_index)
783 vl_api_ipsec_sa_details_t *mp;
785 mp = vl_msg_api_alloc (sizeof (*mp));
786 clib_memset (mp, 0, sizeof (*mp));
787 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
788 mp->context = context;
790 mp->entry.sad_id = htonl (sa->id);
791 mp->entry.spi = htonl (sa->spi);
792 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
793 mp->entry.tx_table_id =
794 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
796 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
797 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
799 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
800 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
802 mp->entry.flags = ipsec_sad_flags_encode (sa);
804 if (ipsec_sa_is_set_IS_TUNNEL (sa))
806 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
807 &mp->entry.tunnel_src);
808 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
809 &mp->entry.tunnel_dst);
812 mp->sw_if_index = htonl (sw_if_index);
813 mp->salt = clib_host_to_net_u32 (sa->salt);
814 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
815 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
816 if (ipsec_sa_is_set_USE_ESN (sa))
818 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
819 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
821 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
822 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
824 vl_api_send_msg (reg, (u8 *) mp);
829 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
831 vl_api_registration_t *reg;
832 ipsec_main_t *im = &ipsec_main;
833 vnet_main_t *vnm = im->vnet_main;
835 ipsec_tunnel_if_t *t;
836 u32 *sa_index_to_tun_if_index = 0;
839 reg = vl_api_client_index_to_registration (mp->client_index);
840 if (!reg || pool_elts (im->sad) == 0)
843 vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
847 pool_foreach (t, im->tunnel_interfaces,
849 vnet_hw_interface_t *hi;
850 u32 sw_if_index = ~0;
852 hi = vnet_get_hw_interface (vnm, t->hw_if_index);
853 sw_if_index = hi->sw_if_index;
854 sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
855 sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
858 pool_foreach (sa, im->sad,
860 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
861 send_ipsec_sa_details (sa, reg, mp->context,
862 sa_index_to_tun_if_index[sa - im->sad]);
866 vec_free (sa_index_to_tun_if_index);
868 clib_warning ("unimplemented");
873 vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
875 vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
876 ipsec_main_t *im = &ipsec_main;
877 vnet_main_t *vnm = im->vnet_main;
878 vnet_sw_interface_t *sw;
882 sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
884 rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
887 clib_warning ("unimplemented");
890 REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
894 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
896 vl_api_registration_t *rp;
897 ipsec_main_t *im = &ipsec_main;
898 u32 context = mp->context;
900 rp = vl_api_client_index_to_registration (mp->client_index);
904 clib_warning ("Client %d AWOL", mp->client_index);
908 ipsec_ah_backend_t *ab;
909 ipsec_esp_backend_t *eb;
911 pool_foreach (ab, im->ah_backends, {
912 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
913 clib_memset (mp, 0, sizeof (*mp));
914 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
915 mp->context = context;
916 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
918 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
919 mp->index = ab - im->ah_backends;
920 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
921 vl_api_send_msg (rp, (u8 *)mp);
923 pool_foreach (eb, im->esp_backends, {
924 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
925 clib_memset (mp, 0, sizeof (*mp));
926 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
927 mp->context = context;
928 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
930 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
931 mp->index = eb - im->esp_backends;
932 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
933 vl_api_send_msg (rp, (u8 *)mp);
939 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
941 ipsec_main_t *im = &ipsec_main;
942 vl_api_ipsec_select_backend_reply_t *rmp;
943 ipsec_protocol_t protocol;
945 if (pool_elts (im->sad) > 0)
947 rv = VNET_API_ERROR_INSTANCE_IN_USE;
951 rv = ipsec_proto_decode (mp->protocol, &protocol);
959 case IPSEC_PROTOCOL_ESP:
960 rv = ipsec_select_esp_backend (im, mp->index);
962 case IPSEC_PROTOCOL_AH:
963 rv = ipsec_select_ah_backend (im, mp->index);
966 rv = VNET_API_ERROR_INVALID_PROTOCOL;
970 clib_warning ("unimplemented"); /* FIXME */
973 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
978 * Add vpe's API message handlers to the table.
979 * vlib has already mapped shared memory and
980 * added the client registration handlers.
981 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
983 #define vl_msg_name_crc_list
984 #include <vnet/vnet_all_api_h.h>
985 #undef vl_msg_name_crc_list
988 setup_message_id_table (api_main_t * am)
990 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
991 foreach_vl_msg_name_crc_ipsec;
995 static clib_error_t *
996 ipsec_api_hookup (vlib_main_t * vm)
998 api_main_t *am = &api_main;
1001 vl_msg_api_set_handlers(VL_API_##N, #n, \
1002 vl_api_##n##_t_handler, \
1004 vl_api_##n##_t_endian, \
1005 vl_api_##n##_t_print, \
1006 sizeof(vl_api_##n##_t), 1);
1007 foreach_vpe_api_msg;
1011 * Adding and deleting SAs is MP safe since when they are added/delete
1012 * no traffic is using them
1014 am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1;
1015 am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1;
1018 * Set up the (msg_name, crc, message-id) table
1020 setup_message_id_table (am);
1025 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1028 * fd.io coding-style-patch-verification: ON
1031 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob