X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=177300aeb9adc870ab2a15bd406184a818caacdf;hp=3f30a7dc32108dc0e8c99a82039afd97e7ac0cca;hb=e5d34919b;hpb=b4a7a7dcf81f85ca3a22c791fb57d7eddc111661 diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 3f30a7dc321..177300aeb9a 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -23,12 +23,16 @@ #include #include #include +#include +#include +#include +#include #include #if WITH_LIBSSL > 0 #include -#include +#include #endif /* IPSEC */ #define vl_typedefs /* define message structures */ @@ -50,31 +54,19 @@ #define foreach_vpe_api_msg \ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ -_(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \ -_(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \ -_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \ +_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ +_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ _(IPSEC_SA_DUMP, ipsec_sa_dump) \ _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ _(IPSEC_SPD_DUMP, ipsec_spd_dump) \ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ -_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \ _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ -_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \ -_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \ -_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \ -_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \ -_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \ -_(IKEV2_SET_RESPONDER, ikev2_set_responder) \ -_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \ -_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \ -_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \ -_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \ -_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \ -_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \ -_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa) \ _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ -_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) +_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \ +_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \ +_(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \ +_(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump) static void vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp) @@ -118,140 +110,283 @@ static void vl_api_ipsec_interface_add_del_spd_t_handler REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY); } -static void vl_api_ipsec_spd_add_del_entry_t_handler - (vl_api_ipsec_spd_add_del_entry_t * mp) +static void vl_api_ipsec_tunnel_protect_update_t_handler + (vl_api_ipsec_tunnel_protect_update_t * mp) { vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_spd_add_del_entry_reply_t *rmp; + vl_api_ipsec_tunnel_protect_update_reply_t *rmp; + u32 sw_if_index, ii, *sa_ins = NULL; + ip_address_t nh; int rv; + sw_if_index = ntohl (mp->tunnel.sw_if_index); + + VALIDATE_SW_IF_INDEX (&(mp->tunnel)); + #if WITH_LIBSSL > 0 - ipsec_policy_t p; - clib_memset (&p, 0, sizeof (p)); + for (ii = 0; ii < mp->tunnel.n_sa_in; ii++) + vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii])); + + ip_address_decode2 (&mp->tunnel.nh, &nh); + + rv = ipsec_tun_protect_update (sw_if_index, &nh, + ntohl (mp->tunnel.sa_out), sa_ins); +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY); +} + +static void vl_api_ipsec_tunnel_protect_del_t_handler + (vl_api_ipsec_tunnel_protect_del_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_tunnel_protect_del_reply_t *rmp; + ip_address_t nh; + u32 sw_if_index; + int rv; + + sw_if_index = ntohl (mp->sw_if_index); + + VALIDATE_SW_IF_INDEX (mp); + +#if WITH_LIBSSL > 0 + ip_address_decode2 (&mp->nh, &nh); + rv = ipsec_tun_protect_del (sw_if_index, &nh); +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY); +} - p.id = ntohl (mp->spd_id); - p.priority = ntohl (mp->priority); - p.is_outbound = mp->is_outbound; - p.is_ipv6 = mp->is_ipv6; +typedef struct ipsec_dump_walk_ctx_t_ +{ + vl_api_registration_t *reg; + u32 context; +} ipsec_dump_walk_ctx_t; + +static walk_rc_t +send_ipsec_tunnel_protect_details (index_t itpi, void *arg) +{ + ipsec_dump_walk_ctx_t *ctx = arg; + vl_api_ipsec_tunnel_protect_details_t *mp; + ipsec_tun_protect_t *itp; + u32 sai, ii = 0; + + itp = ipsec_tun_protect_get (itpi); + + mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS); + mp->context = ctx->context; + + mp->tun.sw_if_index = htonl (itp->itp_sw_if_index); + ip_address_encode2 (itp->itp_key, &mp->tun.nh); + + mp->tun.sa_out = htonl (itp->itp_out_sa); + mp->tun.n_sa_in = itp->itp_n_sa_in; + /* *INDENT-OFF* */ + FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai, + ({ + mp->tun.sa_in[ii++] = htonl (sai); + })); + /* *INDENT-ON* */ + + vl_api_send_msg (ctx->reg, (u8 *) mp); + + return (WALK_CONTINUE); +} + +static void +vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t + * mp) +{ + vl_api_registration_t *reg; + u32 sw_if_index; + +#if WITH_LIBSSL > 0 + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + ipsec_dump_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; + + sw_if_index = ntohl (mp->sw_if_index); - if (mp->is_ipv6 || mp->is_ip_any) + if (~0 == sw_if_index) { - clib_memcpy (&p.raddr.start, mp->remote_address_start, 16); - clib_memcpy (&p.raddr.stop, mp->remote_address_stop, 16); - clib_memcpy (&p.laddr.start, mp->local_address_start, 16); - clib_memcpy (&p.laddr.stop, mp->local_address_stop, 16); + ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx); } else { - clib_memcpy (&p.raddr.start.ip4.data, mp->remote_address_start, 4); - clib_memcpy (&p.raddr.stop.ip4.data, mp->remote_address_stop, 4); - clib_memcpy (&p.laddr.start.ip4.data, mp->local_address_start, 4); - clib_memcpy (&p.laddr.stop.ip4.data, mp->local_address_stop, 4); + ipsec_tun_protect_walk_itf (sw_if_index, + send_ipsec_tunnel_protect_details, &ctx); } - p.protocol = mp->protocol; - p.rport.start = ntohs (mp->remote_port_start); - p.rport.stop = ntohs (mp->remote_port_stop); - p.lport.start = ntohs (mp->local_port_start); - p.lport.stop = ntohs (mp->local_port_stop); +#else + clib_warning ("unimplemented"); +#endif +} + +static int +ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in, + ipsec_policy_action_t * out) +{ + in = clib_net_to_host_u32 (in); + + switch (in) + { +#define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \ + *out = IPSEC_POLICY_ACTION_##f; \ + return (0); + foreach_ipsec_policy_action +#undef _ + } + return (VNET_API_ERROR_UNIMPLEMENTED); +} + +static void vl_api_ipsec_spd_entry_add_del_t_handler + (vl_api_ipsec_spd_entry_add_del_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_spd_entry_add_del_reply_t *rmp; + ip46_type_t itype; + u32 stat_index; + int rv; + + stat_index = ~0; + +#if WITH_LIBSSL > 0 + ipsec_policy_t p; + + clib_memset (&p, 0, sizeof (p)); + + p.id = ntohl (mp->entry.spd_id); + p.priority = ntohl (mp->entry.priority); + + itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start); + ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop); + ip_address_decode (&mp->entry.local_address_start, &p.laddr.start); + ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop); + + p.is_ipv6 = (itype == IP46_TYPE_IP6); + + p.protocol = mp->entry.protocol; + p.rport.start = ntohs (mp->entry.remote_port_start); + p.rport.stop = ntohs (mp->entry.remote_port_stop); + p.lport.start = ntohs (mp->entry.local_port_start); + p.lport.stop = ntohs (mp->entry.local_port_stop); + + rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy); + + if (rv) + goto out; + /* policy action resolve unsupported */ - if (mp->policy == IPSEC_POLICY_ACTION_RESOLVE) + if (p.policy == IPSEC_POLICY_ACTION_RESOLVE) { clib_warning ("unsupported action: 'resolve'"); rv = VNET_API_ERROR_UNIMPLEMENTED; goto out; } - p.policy = mp->policy; - p.sa_id = ntohl (mp->sa_id); + p.sa_id = ntohl (mp->entry.sa_id); + rv = + ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy, + &p.type); + if (rv) + goto out; - rv = ipsec_add_del_policy (vm, &p, mp->is_add); + rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index); if (rv) goto out; - if (mp->is_ip_any) - { - p.is_ipv6 = 1; - rv = ipsec_add_del_policy (vm, &p, mp->is_add); - } #else rv = VNET_API_ERROR_UNIMPLEMENTED; goto out; #endif out: - REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_ENTRY_REPLY); + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY, + ({ + rmp->stat_index = ntohl(stat_index); + })); + /* *INDENT-ON* */ } -static void vl_api_ipsec_sad_add_del_entry_t_handler - (vl_api_ipsec_sad_add_del_entry_t * mp) +static void vl_api_ipsec_sad_entry_add_del_t_handler + (vl_api_ipsec_sad_entry_add_del_t * mp) { vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_sad_add_del_entry_reply_t *rmp; + vl_api_ipsec_sad_entry_add_del_reply_t *rmp; + ip46_address_t tun_src = { }, tun_dst = + { + }; + ipsec_key_t crypto_key, integ_key; + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; + ipsec_protocol_t proto; + ipsec_sa_flags_t flags; + u32 id, spi, sa_index = ~0; int rv; + #if WITH_LIBSSL > 0 - ipsec_main_t *im = &ipsec_main; - ipsec_sa_t sa; - clib_memset (&sa, 0, sizeof (sa)); + id = ntohl (mp->entry.sad_id); + spi = ntohl (mp->entry.spi); - sa.id = ntohl (mp->sad_id); - sa.spi = ntohl (mp->spi); - sa.protocol = mp->protocol; - /* check for unsupported crypto-alg */ - if (mp->crypto_algorithm >= IPSEC_CRYPTO_N_ALG) - { - clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg, - mp->crypto_algorithm); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - sa.crypto_alg = mp->crypto_algorithm; - sa.crypto_key_len = mp->crypto_key_length; - clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key)); - /* check for unsupported integ-alg */ - if (mp->integrity_algorithm >= IPSEC_INTEG_N_ALG) - { - clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg, - mp->integrity_algorithm); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } + rv = ipsec_proto_decode (mp->entry.protocol, &proto); - sa.integ_alg = mp->integrity_algorithm; - sa.integ_key_len = mp->integrity_key_length; - clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key)); - sa.use_esn = mp->use_extended_sequence_number; - sa.is_tunnel = mp->is_tunnel; - sa.is_tunnel_ip6 = mp->is_tunnel_ipv6; - sa.udp_encap = mp->udp_encap; - if (sa.is_tunnel_ip6) - { - clib_memcpy (&sa.tunnel_src_addr, mp->tunnel_src_address, 16); - clib_memcpy (&sa.tunnel_dst_addr, mp->tunnel_dst_address, 16); - } - else - { - clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4); - clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4); - } - sa.use_anti_replay = mp->use_anti_replay; + if (rv) + goto out; - clib_error_t *err = ipsec_check_support_cb (im, &sa); - if (err) - { - clib_warning ("%s", err->what); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } + rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg); + + if (rv) + goto out; + + rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg); + + if (rv) + goto out; + + ipsec_key_decode (&mp->entry.crypto_key, &crypto_key); + ipsec_key_decode (&mp->entry.integrity_key, &integ_key); + + flags = ipsec_sa_flags_decode (mp->entry.flags); + + ip_address_decode (&mp->entry.tunnel_src, &tun_src); + ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); + + if (mp->is_add) + rv = ipsec_sa_add_and_lock (id, spi, proto, + crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, + 0, mp->entry.salt, &tun_src, &tun_dst, + &sa_index, IPSEC_UDP_PORT_NONE); + else + rv = ipsec_sa_unlock_id (id); - rv = ipsec_add_del_sa (vm, &sa, mp->is_add); #else rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; #endif out: - REPLY_MACRO (VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY); + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY, + { + rmp->stat_index = htonl (sa_index); + }); + /* *INDENT-ON* */ } static void @@ -259,6 +394,7 @@ send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, u32 context) { vl_api_ipsec_spds_details_t *mp; + u32 n_policies = 0; mp = vl_msg_api_alloc (sizeof (*mp)); clib_memset (mp, 0, sizeof (*mp)); @@ -266,7 +402,10 @@ send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, mp->context = context; mp->spd_id = htonl (spd->id); - mp->npolicies = htonl (pool_len (spd->policies)); +#define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]); + foreach_ipsec_spd_policy_type +#undef _ + mp->npolicies = htonl (n_policies); vl_api_send_msg (reg, (u8 *) mp); } @@ -292,6 +431,22 @@ vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp) #endif } +vl_api_ipsec_spd_action_t +ipsec_spd_action_encode (ipsec_policy_action_t in) +{ + vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS; + + switch (in) + { +#define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \ + out = IPSEC_API_SPD_ACTION_##f; \ + break; + foreach_ipsec_policy_action +#undef _ + } + return (clib_host_to_net_u32 (out)); +} + static void send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg, u32 context) @@ -303,33 +458,26 @@ send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg, mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS); mp->context = context; - mp->spd_id = htonl (p->id); - mp->priority = htonl (p->priority); - mp->is_outbound = p->is_outbound; - mp->is_ipv6 = p->is_ipv6; - if (p->is_ipv6) - { - memcpy (mp->local_start_addr, &p->laddr.start.ip6, 16); - memcpy (mp->local_stop_addr, &p->laddr.stop.ip6, 16); - memcpy (mp->remote_start_addr, &p->raddr.start.ip6, 16); - memcpy (mp->remote_stop_addr, &p->raddr.stop.ip6, 16); - } - else - { - memcpy (mp->local_start_addr, &p->laddr.start.ip4, 4); - memcpy (mp->local_stop_addr, &p->laddr.stop.ip4, 4); - memcpy (mp->remote_start_addr, &p->raddr.start.ip4, 4); - memcpy (mp->remote_stop_addr, &p->raddr.stop.ip4, 4); - } - mp->local_start_port = htons (p->lport.start); - mp->local_stop_port = htons (p->lport.stop); - mp->remote_start_port = htons (p->rport.start); - mp->remote_stop_port = htons (p->rport.stop); - mp->protocol = p->protocol; - mp->policy = p->policy; - mp->sa_id = htonl (p->sa_id); - mp->bytes = clib_host_to_net_u64 (p->counter.bytes); - mp->packets = clib_host_to_net_u64 (p->counter.packets); + mp->entry.spd_id = htonl (p->id); + mp->entry.priority = htonl (p->priority); + mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) || + (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND)); + + ip_address_encode (&p->laddr.start, IP46_TYPE_ANY, + &mp->entry.local_address_start); + ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY, + &mp->entry.local_address_stop); + ip_address_encode (&p->raddr.start, IP46_TYPE_ANY, + &mp->entry.remote_address_start); + ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY, + &mp->entry.remote_address_stop); + mp->entry.local_port_start = htons (p->lport.start); + mp->entry.local_port_stop = htons (p->lport.stop); + mp->entry.remote_port_start = htons (p->rport.start); + mp->entry.remote_port_stop = htons (p->rport.stop); + mp->entry.protocol = p->protocol; + mp->entry.policy = ipsec_spd_action_encode (p->policy); + mp->entry.sa_id = htonl (p->sa_id); vl_api_send_msg (reg, (u8 *) mp); } @@ -339,10 +487,11 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp) { vl_api_registration_t *reg; ipsec_main_t *im = &ipsec_main; + ipsec_spd_policy_type_t ptype; ipsec_policy_t *policy; ipsec_spd_t *spd; uword *p; - u32 spd_index; + u32 spd_index, *ii; #if WITH_LIBSSL > 0 reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) @@ -356,12 +505,15 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp) spd = pool_elt_at_index (im->spds, spd_index); /* *INDENT-OFF* */ - pool_foreach (policy, spd->policies, - ({ - if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id) - send_ipsec_spd_details (policy, reg, - mp->context);} - )); + FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) { + vec_foreach(ii, spd->policies[ptype]) + { + policy = pool_elt_at_index(im->policies, *ii); + + if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id) + send_ipsec_spd_details (policy, reg, mp->context); + } + } /* *INDENT-ON* */ #else clib_warning ("unimplemented"); @@ -422,26 +574,16 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t * #endif } -static void -vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp) +static u32 +ipsec_tun_mk_input_sa_id (u32 ti) { - vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_sa_set_key_reply_t *rmp; - int rv; -#if WITH_LIBSSL > 0 - ipsec_sa_t sa; - sa.id = ntohl (mp->sa_id); - sa.crypto_key_len = mp->crypto_key_length; - clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key)); - sa.integ_key_len = mp->integrity_key_length; - clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key)); - - rv = ipsec_set_sa_key (vm, &sa); -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif + return (0x80000000 | ti); +} - REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY); +static u32 +ipsec_tun_mk_output_sa_id (u32 ti) +{ + return (0xc0000000 | ti); } static void @@ -449,556 +591,290 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * mp) { vl_api_ipsec_tunnel_if_add_del_reply_t *rmp; - ipsec_main_t *im = &ipsec_main; - vnet_main_t *vnm = im->vnet_main; u32 sw_if_index = ~0; int rv; #if WITH_LIBSSL > 0 - ipsec_add_del_tunnel_args_t tun; - - clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t)); - - tun.is_add = mp->is_add; - tun.esn = mp->esn; - tun.anti_replay = mp->anti_replay; - tun.local_spi = ntohl (mp->local_spi); - tun.remote_spi = ntohl (mp->remote_spi); - tun.crypto_alg = mp->crypto_alg; - tun.local_crypto_key_len = mp->local_crypto_key_len; - tun.remote_crypto_key_len = mp->remote_crypto_key_len; - tun.integ_alg = mp->integ_alg; - tun.local_integ_key_len = mp->local_integ_key_len; - tun.remote_integ_key_len = mp->remote_integ_key_len; - tun.udp_encap = mp->udp_encap; - memcpy (&tun.local_ip, mp->local_ip, 4); - memcpy (&tun.remote_ip, mp->remote_ip, 4); - memcpy (&tun.local_crypto_key, &mp->local_crypto_key, - mp->local_crypto_key_len); - memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key, - mp->remote_crypto_key_len); - memcpy (&tun.local_integ_key, &mp->local_integ_key, - mp->local_integ_key_len); - memcpy (&tun.remote_integ_key, &mp->remote_integ_key, - mp->remote_integ_key_len); - tun.renumber = mp->renumber; - tun.show_instance = ntohl (mp->show_instance); - - rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index); - -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ( - { - rmp->sw_if_index = - htonl (sw_if_index); - })); -} - -static void -send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg, - u32 context, u32 sw_if_index) -{ - vl_api_ipsec_sa_details_t *mp; - - mp = vl_msg_api_alloc (sizeof (*mp)); - clib_memset (mp, 0, sizeof (*mp)); - mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS); - mp->context = context; - - mp->sa_id = htonl (sa->id); - mp->sw_if_index = htonl (sw_if_index); - - mp->spi = htonl (sa->spi); - mp->protocol = sa->protocol; + ip46_address_t local_ip = ip46_address_initializer; + ip46_address_t remote_ip = ip46_address_initializer; + ipsec_key_t crypto_key, integ_key; + ipsec_sa_flags_t flags; + ip46_type_t local_ip_type, remote_ip_type; + ipip_transport_t transport; + u32 fib_index; + + local_ip_type = ip_address_decode (&mp->local_ip, &local_ip); + remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip); + transport = (IP46_TYPE_IP6 == local_ip_type ? + IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4); + + if (local_ip_type != remote_ip_type) + { + rv = VNET_API_ERROR_INVALID_VALUE; + goto done; + } - mp->crypto_alg = sa->crypto_alg; - mp->crypto_key_len = sa->crypto_key_len; - memcpy (mp->crypto_key, sa->crypto_key, sa->crypto_key_len); + flags = IPSEC_SA_FLAG_NONE; - mp->integ_alg = sa->integ_alg; - mp->integ_key_len = sa->integ_key_len; - memcpy (mp->integ_key, sa->integ_key, sa->integ_key_len); + if (mp->udp_encap) + flags |= IPSEC_SA_FLAG_UDP_ENCAP; + if (mp->esn) + flags |= IPSEC_SA_FLAG_USE_ESN; + if (mp->anti_replay) + flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; - mp->use_esn = sa->use_esn; - mp->use_anti_replay = sa->use_anti_replay; + ipsec_mk_key (&crypto_key, mp->remote_crypto_key, + mp->remote_crypto_key_len); + ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len); + ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len); + ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len); - mp->is_tunnel = sa->is_tunnel; - mp->is_tunnel_ip6 = sa->is_tunnel_ip6; + fib_index = + fib_table_find (fib_proto_from_ip46 (local_ip_type), + ntohl (mp->tx_table_id)); - if (sa->is_tunnel) + if (~0 == fib_index) { - if (sa->is_tunnel_ip6) - { - memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip6, 16); - memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip6, 16); - } - else - { - memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip4, 4); - memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip4, 4); - } + rv = VNET_API_ERROR_NO_SUCH_FIB; + goto done; } - mp->salt = clib_host_to_net_u32 (sa->salt); - mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); - mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); - if (sa->use_esn) + if (mp->is_add) { - mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); - mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + // remote = input, local = output + /* create an ip-ip tunnel, then the two SA, then bind them */ + rv = ipip_add_tunnel (transport, + (mp->renumber ? ntohl (mp->show_instance) : ~0), + &local_ip, + &remote_ip, fib_index, + TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0, + TUNNEL_MODE_P2P, &sw_if_index); + + if (rv) + goto done; + + rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index), + ntohl (mp->remote_spi), + IPSEC_PROTOCOL_ESP, + mp->crypto_alg, + &crypto_key, + mp->integ_alg, + &integ_key, + (flags | IPSEC_SA_FLAG_IS_INBOUND), + ntohl (mp->tx_table_id), + mp->salt, &remote_ip, &local_ip, NULL, + IPSEC_UDP_PORT_NONE); + + if (rv) + goto done; + + rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index), + ntohl (mp->local_spi), + IPSEC_PROTOCOL_ESP, + mp->crypto_alg, + &crypto_key, + mp->integ_alg, + &integ_key, + flags, + ntohl (mp->tx_table_id), + mp->salt, &local_ip, &remote_ip, NULL, + IPSEC_UDP_PORT_NONE); + + if (rv) + goto done; + + rv = ipsec_tun_protect_update_one (sw_if_index, NULL, + ipsec_tun_mk_output_sa_id + (sw_if_index), + ipsec_tun_mk_input_sa_id + (sw_if_index)); + if (rv) + goto done; + + /* the SAs are locked as a result of being used for proection, + * they cannot be removed from the API, since they cannot be refered + * to by the API. unlock them now, so that if the tunnel is rekeyed + * they-ll disapper + */ + ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index)); + ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index)); } - if (sa->use_anti_replay) - mp->replay_window = clib_host_to_net_u64 (sa->replay_window); - mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size); - mp->udp_encap = sa->udp_encap; - - vl_api_send_msg (reg, (u8 *) mp); -} - - -static void -vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) -{ - vl_api_registration_t *reg; - ipsec_main_t *im = &ipsec_main; - vnet_main_t *vnm = im->vnet_main; - ipsec_sa_t *sa; - ipsec_tunnel_if_t *t; - u32 *sa_index_to_tun_if_index = 0; - -#if WITH_LIBSSL > 0 - reg = vl_api_client_index_to_registration (mp->client_index); - if (!reg || pool_elts (im->sad) == 0) - return; - - vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1, - ~0); - - /* *INDENT-OFF* */ - pool_foreach (t, im->tunnel_interfaces, - ({ - vnet_hw_interface_t *hi; - u32 sw_if_index = ~0; - - hi = vnet_get_hw_interface (vnm, t->hw_if_index); - sw_if_index = hi->sw_if_index; - sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index; - sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index; - })); - - pool_foreach (sa, im->sad, - ({ - if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id) - send_ipsec_sa_details (sa, reg, mp->context, - sa_index_to_tun_if_index[sa - im->sad]); - })); - /* *INDENT-ON* */ - - vec_free (sa_index_to_tun_if_index); -#else - clib_warning ("unimplemented"); -#endif -} - - -static void -vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t * - mp) -{ - vl_api_ipsec_tunnel_if_set_key_reply_t *rmp; - ipsec_main_t *im = &ipsec_main; - vnet_main_t *vnm = im->vnet_main; - vnet_sw_interface_t *sw; - u8 *key = 0; - int rv; + else + { + /* *INDENT-OFF* */ + ipip_tunnel_key_t key = { + .transport = transport, + .fib_index = fib_index, + .src = local_ip, + .dst = remote_ip + }; + /* *INDENT-ON* */ -#if WITH_LIBSSL > 0 - sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index)); + ipip_tunnel_t *t = ipip_tunnel_db_find (&key); - switch (mp->key_type) - { - case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO: - case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO: - if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 || - mp->alg >= IPSEC_CRYPTO_N_ALG) - { - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - break; - case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG: - case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG: - if (mp->alg >= IPSEC_INTEG_N_ALG) + if (NULL != t) { - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; + rv = ipsec_tun_protect_del (t->sw_if_index, NULL); + ipip_del_tunnel (t->sw_if_index); } - break; - case IPSEC_IF_SET_KEY_TYPE_NONE: - default: - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - break; + else + rv = VNET_API_ERROR_NO_SUCH_ENTRY; } - key = vec_new (u8, mp->key_len); - clib_memcpy (key, mp->key, mp->key_len); - - rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg, - key); - vec_free (key); -#else - clib_warning ("unimplemented"); -#endif - -out: - REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY); -} - - -static void -vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) -{ - vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp; - ipsec_main_t *im = &ipsec_main; - vnet_main_t *vnm = im->vnet_main; - vnet_sw_interface_t *sw; - int rv; - -#if WITH_LIBSSL > 0 - sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index)); - - rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id), - mp->is_outbound); -#else - clib_warning ("unimplemented"); -#endif - - REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY); -} - - -static void -vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp) -{ - vl_api_ikev2_profile_add_del_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - error = ikev2_add_del_profile (vm, tmp, mp->is_add); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY); -} - -static void - vl_api_ikev2_profile_set_auth_t_handler - (vl_api_ikev2_profile_set_auth_t * mp) -{ - vl_api_ikev2_profile_set_auth_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - u8 *data = vec_new (u8, mp->data_len); - clib_memcpy (data, mp->data, mp->data_len); - error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex); - vec_free (tmp); - vec_free (data); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY); -} - -static void -vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp) -{ - vl_api_ikev2_profile_add_del_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - u8 *data = vec_new (u8, mp->data_len); - clib_memcpy (data, mp->data, mp->data_len); - error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local); - vec_free (tmp); - vec_free (data); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; #else rv = VNET_API_ERROR_UNIMPLEMENTED; #endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY); +done: + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, + ({ + rmp->sw_if_index = htonl (sw_if_index); + })); + /* *INDENT-ON* */ } -static void -vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp) +typedef struct ipsec_sa_dump_match_ctx_t_ { - vl_api_ikev2_profile_set_ts_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port, - mp->end_port, (ip4_address_t) mp->start_addr, - (ip4_address_t) mp->end_addr, mp->is_local); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif + index_t sai; + u32 sw_if_index; +} ipsec_sa_dump_match_ctx_t; - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY); -} - -static void -vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp) +static walk_rc_t +ipsec_sa_dump_match_sa (index_t itpi, void *arg) { - vl_api_ikev2_profile_set_ts_reply_t *rmp; - int rv = 0; + ipsec_sa_dump_match_ctx_t *ctx = arg; + ipsec_tun_protect_t *itp; + index_t sai; -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - error = ikev2_set_local_key (vm, mp->key_file); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY); -} - -static void -vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp) -{ - vl_api_ikev2_set_responder_reply_t *rmp; - int rv = 0; + itp = ipsec_tun_protect_get (itpi); -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - ip4_address_t ip4; - clib_memcpy (&ip4, mp->address, sizeof (ip4)); - - error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif + if (itp->itp_out_sa == ctx->sai) + { + ctx->sw_if_index = itp->itp_sw_if_index; + return (WALK_STOP); + } + /* *INDENT-OFF* */ + FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai, + ({ + if (sai == ctx->sai) + { + ctx->sw_if_index = itp->itp_sw_if_index; + return (WALK_STOP); + } + })); + /* *INDENT-OFF* */ - REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY); + return (WALK_CONTINUE); } -static void -vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t * - mp) +static walk_rc_t +send_ipsec_sa_details (ipsec_sa_t * sa, void *arg) { - vl_api_ikev2_set_ike_transforms_reply_t *rmp; - int rv = 0; + ipsec_dump_walk_ctx_t *ctx = arg; + vl_api_ipsec_sa_details_t *mp; + ipsec_main_t *im = &ipsec_main; -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; + mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS); + mp->context = ctx->context; - u8 *tmp = format (0, "%s", mp->name); + mp->entry.sad_id = htonl (sa->id); + mp->entry.spi = htonl (sa->spi); + mp->entry.protocol = ipsec_proto_encode (sa->protocol); + mp->entry.tx_table_id = + htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4)); - error = - ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg, - mp->dh_group, mp->crypto_key_size); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif + mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg); + ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key); - REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY); -} + mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg); + ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key); -static void -vl_api_ikev2_set_esp_transforms_t_handler (vl_api_ikev2_set_esp_transforms_t * - mp) -{ - vl_api_ikev2_set_esp_transforms_reply_t *rmp; - int rv = 0; + mp->entry.flags = ipsec_sad_flags_encode (sa); + mp->entry.salt = clib_host_to_net_u32 (sa->salt); -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - - error = - ikev2_set_profile_esp_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg, - mp->dh_group, mp->crypto_key_size); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY); -} + if (ipsec_sa_is_set_IS_PROTECT (sa)) + { + ipsec_sa_dump_match_ctx_t ctx = { + .sai = sa - im->sad, + .sw_if_index = ~0, + }; + ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx); -static void -vl_api_ikev2_set_sa_lifetime_t_handler (vl_api_ikev2_set_sa_lifetime_t * mp) -{ - vl_api_ikev2_set_sa_lifetime_reply_t *rmp; - int rv = 0; + mp->sw_if_index = htonl (ctx.sw_if_index); + } + else + mp->sw_if_index = ~0; -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; + if (ipsec_sa_is_set_IS_TUNNEL (sa)) + { + ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_src); + ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_dst); + } - u8 *tmp = format (0, "%s", mp->name); + mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + if (ipsec_sa_is_set_USE_ESN (sa)) + { + mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + } + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) + mp->replay_window = clib_host_to_net_u64 (sa->replay_window); - error = - ikev2_set_profile_sa_lifetime (vm, tmp, mp->lifetime, mp->lifetime_jitter, - mp->handover, mp->lifetime_maxdata); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif + vl_api_send_msg (ctx->reg, (u8 *) mp); - REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY); + return (WALK_CONTINUE); } static void -vl_api_ikev2_initiate_sa_init_t_handler (vl_api_ikev2_initiate_sa_init_t * mp) +vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) { - vl_api_ikev2_initiate_sa_init_reply_t *rmp; - int rv = 0; + vl_api_registration_t *reg; #if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - - u8 *tmp = format (0, "%s", mp->name); - - error = ikev2_initiate_sa_init (vm, tmp); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY); -} + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; -static void -vl_api_ikev2_initiate_del_ike_sa_t_handler (vl_api_ikev2_initiate_del_ike_sa_t - * mp) -{ - vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp; - int rv = 0; + ipsec_dump_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; + ipsec_sa_walk (send_ipsec_sa_details, &ctx); - error = ikev2_initiate_delete_ike_sa (vm, mp->ispi); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; #else - rv = VNET_API_ERROR_UNIMPLEMENTED; + clib_warning ("unimplemented"); #endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY); } static void - vl_api_ikev2_initiate_del_child_sa_t_handler - (vl_api_ikev2_initiate_del_child_sa_t * mp) +vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) { - vl_api_ikev2_initiate_del_child_sa_reply_t *rmp; - int rv = 0; + vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp; + int rv; #if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; + VALIDATE_SW_IF_INDEX(mp); - error = ikev2_initiate_delete_child_sa (vm, mp->ispi); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif - - REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY); -} - -static void - vl_api_ikev2_initiate_rekey_child_sa_t_handler - (vl_api_ikev2_initiate_rekey_child_sa_t * mp) -{ - vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp; - int rv = 0; - -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; + if (mp->is_outbound) + rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL, + ntohl (mp->sa_id)); + else + rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL, + ntohl (mp->sa_id)); - error = ikev2_initiate_rekey_child_sa (vm, mp->ispi); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; #else - rv = VNET_API_ERROR_UNIMPLEMENTED; + clib_warning ("unimplemented"); #endif - REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY); -} - -/* - * ipsec_api_hookup - * Add vpe's API message handlers to the table. - * vlib has already mapped shared memory and - * added the client registration handlers. - * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process() - */ -#define vl_msg_name_crc_list -#include -#undef vl_msg_name_crc_list + BAD_SW_IF_INDEX_LABEL; -static void -setup_message_id_table (api_main_t * am) -{ -#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id); - foreach_vl_msg_name_crc_ipsec; -#undef _ + REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY); } static void @@ -1026,7 +902,7 @@ vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp) mp->context = context; snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name), ab->name); - mp->protocol = IPSEC_PROTOCOL_AH; + mp->protocol = ntohl (IPSEC_API_PROTO_AH); mp->index = ab - im->ah_backends; mp->active = mp->index == im->ah_current_backend ? 1 : 0; vl_api_send_msg (rp, (u8 *)mp); @@ -1038,7 +914,7 @@ vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp) mp->context = context; snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name), eb->name); - mp->protocol = IPSEC_PROTOCOL_ESP; + mp->protocol = ntohl (IPSEC_API_PROTO_ESP); mp->index = eb - im->esp_backends; mp->active = mp->index == im->esp_current_backend ? 1 : 0; vl_api_send_msg (rp, (u8 *)mp); @@ -1051,33 +927,30 @@ vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp) { ipsec_main_t *im = &ipsec_main; vl_api_ipsec_select_backend_reply_t *rmp; + ipsec_protocol_t protocol; int rv = 0; if (pool_elts (im->sad) > 0) { rv = VNET_API_ERROR_INSTANCE_IN_USE; goto done; } + + rv = ipsec_proto_decode (mp->protocol, &protocol); + + if (rv) + goto done; + #if WITH_LIBSSL > 0 - switch (mp->protocol) + switch (protocol) { case IPSEC_PROTOCOL_ESP: - if (pool_is_free_index (im->esp_backends, mp->index)) - { - rv = VNET_API_ERROR_INVALID_VALUE; - break; - } - ipsec_select_esp_backend (im, mp->index); + rv = ipsec_select_esp_backend (im, mp->index); break; case IPSEC_PROTOCOL_AH: - if (pool_is_free_index (im->ah_backends, mp->index)) - { - rv = VNET_API_ERROR_INVALID_VALUE; - break; - } - ipsec_select_ah_backend (im, mp->index); + rv = ipsec_select_ah_backend (im, mp->index); break; default: - rv = VNET_API_ERROR_INVALID_VALUE; + rv = VNET_API_ERROR_INVALID_PROTOCOL; break; } #else @@ -1087,10 +960,29 @@ done: REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY); } +/* + * ipsec_api_hookup + * Add vpe's API message handlers to the table. + * vlib has already mapped shared memory and + * added the client registration handlers. + * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process() + */ +#define vl_msg_name_crc_list +#include +#undef vl_msg_name_crc_list + +static void +setup_message_id_table (api_main_t * am) +{ +#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id); + foreach_vl_msg_name_crc_ipsec; +#undef _ +} + static clib_error_t * ipsec_api_hookup (vlib_main_t * vm) { - api_main_t *am = &api_main; + api_main_t *am = vlibapi_get_main (); #define _(N,n) \ vl_msg_api_set_handlers(VL_API_##N, #n, \ @@ -1102,6 +994,13 @@ ipsec_api_hookup (vlib_main_t * vm) foreach_vpe_api_msg; #undef _ + /* + * Adding and deleting SAs is MP safe since when they are added/delete + * no traffic is using them + */ + am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1; + am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1; + /* * Set up the (msg_name, crc, message-id) table */