X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=335996ee07797d088df899ee54800d785de7b9e5;hp=06e7ba0d784251573bb1e1167c3e53ada7af4551;hb=a9e2774f5;hpb=3b6c84c8411f0052410fa0f207fd90f99cee5a2b
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 06e7ba0d784..335996ee077 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -68,8 +68,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
 _(IPSEC_ITF_CREATE, ipsec_itf_create) \
 _(IPSEC_ITF_DELETE, ipsec_itf_delete) \
 _(IPSEC_ITF_DUMP, ipsec_itf_dump) \
-_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
-_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
@@ -666,169 +664,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
 #endif
 }
 
-static u32
-ipsec_tun_mk_input_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_output_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static void
-vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
- mp)
-{
- vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
- u32 sw_if_index = ~0;
- int rv;
-
-#if WITH_LIBSSL > 0
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ipsec_key_t crypto_key, integ_key;
- ipsec_sa_flags_t flags;
- ip46_type_t local_ip_type, remote_ip_type;
- ipip_transport_t transport;
- u32 fib_index;
-
- local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
- remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
- transport = (IP46_TYPE_IP6 == local_ip_type ?
- IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
-
- if (local_ip_type != remote_ip_type)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto done;
- }
-
- flags = IPSEC_SA_FLAG_NONE;
-
- if (mp->udp_encap)
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- if (mp->esn)
- flags |= IPSEC_SA_FLAG_USE_ESN;
- if (mp->anti_replay)
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
-
- ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
- mp->remote_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
- ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
-
- fib_index =
- fib_table_find (fib_proto_from_ip46 (local_ip_type),
- ntohl (mp->tx_table_id));
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (mp->is_add)
- {
- // remote = input, local = output
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv = ipip_add_tunnel (transport,
- (mp->renumber ? ntohl (mp->show_instance) : ~0),
- &local_ip,
- &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
- ntohl (mp->remote_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- (flags | IPSEC_SA_FLAG_IS_INBOUND),
- ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
- ntohl (mp->local_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- flags,
- ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
- ipsec_tun_mk_output_sa_id
- (sw_if_index),
- ipsec_tun_mk_input_sa_id
- (sw_if_index));
- if (rv)
- goto done;
-
- /* the SAs are locked as a result of being used for proection,
- * they cannot be removed from the API, since they cannot be refered
- * to by the API. unlock them now, so that if the tunnel is rekeyed
- * they-ll disapper
- */
- ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
- ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
- }
- else
- {
- /* *INDENT-OFF* */
- ipip_tunnel_key_t key = {
- .transport = transport,
- .fib_index = fib_index,
- .src = local_ip,
- .dst = remote_ip
- };
- /* *INDENT-ON* */
-
- ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
-
- if (NULL != t)
- {
- rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
- ipip_del_tunnel (t->sw_if_index);
- }
- else
- rv = VNET_API_ERROR_NO_SUCH_ENTRY;
- }
-
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-done:
- /* *INDENT-OFF* */
- REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
- ({
- rmp->sw_if_index = htonl (sw_if_index);
- }));
- /* *INDENT-ON* */
-}
-
 static void
 vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
 {
@@ -1087,31 +922,6 @@ vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 #endif
 }
 
-static void
-vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
-{
- vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
- int rv;
-
-#if WITH_LIBSSL > 0
- VALIDATE_SW_IF_INDEX(mp);
-
- if (mp->is_outbound)
- rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
- else
- rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
-
-#else
- clib_warning ("unimplemented");
-#endif
-
- BAD_SW_IF_INDEX_LABEL;
-
- REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
-}
-
 static void
 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
 {