for easy integration with ptoducts running their own Ike stack.
Without the VPP IKE plugin loaded, the product is free to handle
IKE packets as it pleases.
Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f
Signed-off-by: Neale Ranns <nranns@cisco.com>
--- /dev/null
+# Copyright (c) 2018 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+add_vpp_plugin(ikev2
+ SOURCES
+ ikev2.c
+ ikev2_api.c
+ ikev2_cli.c
+ ikev2_crypto.c
+ ikev2_format.c
+ ikev2_payload.c
+
+ API_FILES
+ ikev2.api
+
+ API_TEST_SOURCES
+ ikev2_test.c
+
+ INSTALL_HEADERS
+ ikev2.h
+ ikev2_priv.h
+
+ COMPONENT vpp-plugin-ikev2
+)
--- /dev/null
+/* Hey Emacs use -*- mode: C -*- */
+/*
+ * Copyright (c) 2015-2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+option version = "1.0.0";
+
+/** \brief Get the plugin version
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+*/
+define ikev2_plugin_get_version
+{
+ u32 client_index;
+ u32 context;
+};
+
+/** \brief Reply to get the plugin version
+ @param context - returned sender context, to match reply w/ request
+ @param major - Incremented every time a known breaking behavior change is introduced
+ @param minor - Incremented with small changes, may be used to avoid buggy versions
+*/
+define ikev2_plugin_get_version_reply
+{
+ u32 context;
+ u32 major;
+ u32 minor;
+};
+
+/** \brief IKEv2: Add/delete profile
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param is_add - Add IKEv2 profile if non-zero, else delete
+*/
+autoreply define ikev2_profile_add_del
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 is_add;
+};
+
+/** \brief IKEv2: Set IKEv2 profile authentication method
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
+ @param is_hex - Authentication data in hex format if non-zero, else string
+ @param data_len - Authentication data length
+ @param data - Authentication data (for rsa-sig cert file path)
+*/
+autoreply define ikev2_profile_set_auth
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 auth_method;
+ u8 is_hex;
+ u32 data_len;
+ u8 data[data_len];
+};
+
+/** \brief IKEv2: Set IKEv2 profile local/remote identification
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param is_local - Identification is local if non-zero, else remote
+ @param id_type - Identification type
+ @param data_len - Identification data length
+ @param data - Identification data
+*/
+autoreply define ikev2_profile_set_id
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 is_local;
+ u8 id_type;
+ u32 data_len;
+ u8 data[data_len];
+};
+
+/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param is_local - Traffic selector is local if non-zero, else remote
+ @param proto - Traffic selector IP protocol (if zero not relevant)
+ @param start_port - The smallest port number allowed by traffic selector
+ @param end_port - The largest port number allowed by traffic selector
+ @param start_addr - The smallest address included in traffic selector
+ @param end_addr - The largest address included in traffic selector
+*/
+autoreply define ikev2_profile_set_ts
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u8 is_local;
+ u8 proto;
+ u16 start_port;
+ u16 end_port;
+ u32 start_addr;
+ u32 end_addr;
+};
+
+/** \brief IKEv2: Set IKEv2 local RSA private key
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param key_file - Key file absolute path
+*/
+autoreply define ikev2_set_local_key
+{
+ u32 client_index;
+ u32 context;
+
+ u8 key_file[256];
+};
+
+/** \brief IKEv2: Set IKEv2 responder interface and IP address
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param sw_if_index - interface index
+ @param address - interface address
+*/
+autoreply define ikev2_set_responder
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u32 sw_if_index;
+ u8 address[4];
+};
+
+/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param crypto_alg - encryption algorithm
+ @param crypto_key_size - encryption key size
+ @param integ_alg - integrity algorithm
+ @param dh_group - Diffie-Hellman group
+
+*/
+autoreply define ikev2_set_ike_transforms
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u32 crypto_alg;
+ u32 crypto_key_size;
+ u32 integ_alg;
+ u32 dh_group;
+};
+
+/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param crypto_alg - encryption algorithm
+ @param crypto_key_size - encryption key size
+ @param integ_alg - integrity algorithm
+ @param dh_group - Diffie-Hellman group
+
+*/
+autoreply define ikev2_set_esp_transforms
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u32 crypto_alg;
+ u32 crypto_key_size;
+ u32 integ_alg;
+ u32 dh_group;
+};
+
+/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+ @param lifetime - SA maximum life time in seconds (0 to disable)
+ @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
+ @param handover - Hand over time
+ @param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
+
+*/
+autoreply define ikev2_set_sa_lifetime
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+ u64 lifetime;
+ u32 lifetime_jitter;
+ u32 handover;
+ u64 lifetime_maxdata;
+};
+
+/** \brief IKEv2: Initiate the SA_INIT exchange
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param name - IKEv2 profile name
+
+*/
+autoreply define ikev2_initiate_sa_init
+{
+ u32 client_index;
+ u32 context;
+
+ u8 name[64];
+};
+
+/** \brief IKEv2: Initiate the delete IKE SA exchange
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param ispi - IKE SA initiator SPI
+
+*/
+autoreply define ikev2_initiate_del_ike_sa
+{
+ u32 client_index;
+ u32 context;
+
+ u64 ispi;
+};
+
+/** \brief IKEv2: Initiate the delete Child SA exchange
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param ispi - Child SA initiator SPI
+
+*/
+autoreply define ikev2_initiate_del_child_sa
+{
+ u32 client_index;
+ u32 context;
+
+ u32 ispi;
+};
+
+/** \brief IKEv2: Initiate the rekey Child SA exchange
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+
+ @param ispi - Child SA initiator SPI
+
+*/
+autoreply define ikev2_initiate_rekey_child_sa
+{
+ u32 client_index;
+ u32 context;
+
+ u32 ispi;
+};
+
+/*
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
+
*/
#include <vlib/vlib.h>
+#include <vlib/unix/plugin.h>
+#include <vpp/app/version.h>
#include <vnet/vnet.h>
#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
#include <vppinfra/random.h>
#include <vnet/udp/udp.h>
#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
-#include <vnet/ipsec/ikev2_priv.h>
+#include <plugins/ikev2/ikev2.h>
+#include <plugins/ikev2/ikev2_priv.h>
#include <openssl/sha.h>
ikev2_main_t ikev2_main;
vlib_thread_main_t *tm = vlib_get_thread_main ();
int thread_id;
+ if ((error = vlib_call_init_function (vm, ipsec_init)))
+ return error;
+
clib_memset (km, 0, sizeof (ikev2_main_t));
km->vnet_main = vnet_get_main ();
km->vlib_main = vm;
return 0;
}
+VLIB_INIT_FUNCTION (ikev2_init);
static u8
ikev2_mngr_process_child_sa (ikev2_sa_t * sa, ikev2_child_sa_t * csa)
"ikev2-manager-process",
};
+VLIB_PLUGIN_REGISTER () = {
+ .version = VPP_BUILD_VER,
+ .description = "IKEv2",
+};
/* *INDENT-ON* */
/*
--- /dev/null
+/*
+ *------------------------------------------------------------------
+ * ipsec_api.c - ipsec api
+ *
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *------------------------------------------------------------------
+ */
+
+#include <vnet/vnet.h>
+#include <vlibmemory/api.h>
+#include <vnet/api_errno.h>
+#include <vpp/app/version.h>
+
+#include <ikev2/ikev2.h>
+#include <ikev2/ikev2_priv.h>
+
+/* define message IDs */
+#include <plugins/ikev2/ikev2_msg_enum.h>
+
+#define vl_typedefs /* define message structures */
+#include <ikev2/ikev2.api.h>
+#undef vl_typedefs
+
+#define vl_endianfun /* define message structures */
+#include <ikev2/ikev2.api.h>
+#undef vl_endianfun
+
+/* instantiate all the print functions we know about */
+#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
+#define vl_printfun
+#include <ikev2/ikev2.api.h>
+#undef vl_printfun
+
+/* Get the API version number */
+#define vl_api_version(n,v) static u32 api_version=(v);
+#include <ikev2/ikev2.api.h>
+#undef vl_api_version
+
+extern ikev2_main_t ikev2_main;
+
+#define IKEV2_PLUGIN_VERSION_MAJOR 1
+#define IKEV2_PLUGIN_VERSION_MINOR 0
+#define REPLY_MSG_ID_BASE ikev2_main.msg_id_base
+#include <vlibapi/api_helper_macros.h>
+
+#define foreach_ikev2_api_msg \
+_(IKEV2_PLUGIN_GET_VERSION, ikev2_plugin_get_version) \
+_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
+_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
+_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
+_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
+_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
+_(IKEV2_SET_RESPONDER, ikev2_set_responder) \
+_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
+_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
+_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
+_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
+_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
+_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
+_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa)
+
+static void
+vl_api_ikev2_plugin_get_version_t_handler (vl_api_ikev2_plugin_get_version_t *
+ mp)
+{
+ ikev2_main_t *im = &ikev2_main;
+ vl_api_ikev2_plugin_get_version_reply_t *rmp;
+ int msg_size = sizeof (*rmp);
+ vl_api_registration_t *reg;
+
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
+
+ rmp = vl_msg_api_alloc (msg_size);
+ clib_memset (rmp, 0, msg_size);
+ rmp->_vl_msg_id =
+ ntohs (VL_API_IKEV2_PLUGIN_GET_VERSION_REPLY + im->msg_id_base);
+ rmp->context = mp->context;
+ rmp->major = htonl (IKEV2_PLUGIN_VERSION_MAJOR);
+ rmp->minor = htonl (IKEV2_PLUGIN_VERSION_MINOR);
+
+ vl_api_send_msg (reg, (u8 *) rmp);
+}
+
+static void
+vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
+{
+ vl_api_ikev2_profile_add_del_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+ u8 *tmp = format (0, "%s", mp->name);
+ error = ikev2_add_del_profile (vm, tmp, mp->is_add);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
+}
+
+static void
+ vl_api_ikev2_profile_set_auth_t_handler
+ (vl_api_ikev2_profile_set_auth_t * mp)
+{
+ vl_api_ikev2_profile_set_auth_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+ int data_len = ntohl (mp->data_len);
+ u8 *tmp = format (0, "%s", mp->name);
+ u8 *data = vec_new (u8, data_len);
+ clib_memcpy (data, mp->data, data_len);
+ error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
+ vec_free (tmp);
+ vec_free (data);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp)
+{
+ vl_api_ikev2_profile_add_del_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+ u8 *tmp = format (0, "%s", mp->name);
+ int data_len = ntohl (mp->data_len);
+ u8 *data = vec_new (u8, data_len);
+ clib_memcpy (data, mp->data, data_len);
+ error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
+ vec_free (tmp);
+ vec_free (data);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp)
+{
+ vl_api_ikev2_profile_set_ts_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+ u8 *tmp = format (0, "%s", mp->name);
+ error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
+ mp->end_port, (ip4_address_t) mp->start_addr,
+ (ip4_address_t) mp->end_addr, mp->is_local);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp)
+{
+ vl_api_ikev2_profile_set_ts_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_set_local_key (vm, mp->key_file);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
+}
+
+static void
+vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp)
+{
+ vl_api_ikev2_set_responder_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+ ip4_address_t ip4;
+ clib_memcpy (&ip4, mp->address, sizeof (ip4));
+
+ error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
+}
+
+static void
+vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t *
+ mp)
+{
+ vl_api_ikev2_set_ike_transforms_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
+ mp->dh_group, mp->crypto_key_size);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_esp_transforms_t_handler (vl_api_ikev2_set_esp_transforms_t *
+ mp)
+{
+ vl_api_ikev2_set_esp_transforms_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_esp_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
+ mp->dh_group, mp->crypto_key_size);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_sa_lifetime_t_handler (vl_api_ikev2_set_sa_lifetime_t * mp)
+{
+ vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error =
+ ikev2_set_profile_sa_lifetime (vm, tmp, mp->lifetime, mp->lifetime_jitter,
+ mp->handover, mp->lifetime_maxdata);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
+}
+
+static void
+vl_api_ikev2_initiate_sa_init_t_handler (vl_api_ikev2_initiate_sa_init_t * mp)
+{
+ vl_api_ikev2_initiate_sa_init_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ u8 *tmp = format (0, "%s", mp->name);
+
+ error = ikev2_initiate_sa_init (vm, tmp);
+ vec_free (tmp);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
+}
+
+static void
+vl_api_ikev2_initiate_del_ike_sa_t_handler (vl_api_ikev2_initiate_del_ike_sa_t
+ * mp)
+{
+ vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
+}
+
+static void
+ vl_api_ikev2_initiate_del_child_sa_t_handler
+ (vl_api_ikev2_initiate_del_child_sa_t * mp)
+{
+ vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
+}
+
+static void
+ vl_api_ikev2_initiate_rekey_child_sa_t_handler
+ (vl_api_ikev2_initiate_rekey_child_sa_t * mp)
+{
+ vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
+ int rv = 0;
+
+#if WITH_LIBSSL > 0
+ vlib_main_t *vm = vlib_get_main ();
+ clib_error_t *error;
+
+ error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
+ if (error)
+ rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+ REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
+}
+
+/*
+ * ikev2_api_hookup
+ * Add vpe's API message handlers to the table.
+ * vlib has already mapped shared memory and
+ * added the client registration handlers.
+ * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
+ */
+#define vl_msg_name_crc_list
+#include <ikev2/ikev2.api.h>
+#undef vl_msg_name_crc_list
+
+static void
+setup_message_id_table (ikev2_main_t * im, api_main_t * am)
+{
+#define _(id,n,crc) \
+ vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id + im->msg_id_base);
+ foreach_vl_msg_name_crc_ikev2;
+#undef _
+}
+
+static clib_error_t *
+ikev2_plugin_api_hookup (vlib_main_t * vm)
+{
+ ikev2_main_t *im = &ikev2_main;
+#define _(N,n) \
+ vl_msg_api_set_handlers(VL_API_##N + im->msg_id_base, #n, \
+ vl_api_##n##_t_handler, \
+ vl_noop_handler, \
+ vl_api_##n##_t_endian, \
+ vl_api_##n##_t_print, \
+ sizeof(vl_api_##n##_t), 1);
+ foreach_ikev2_api_msg;
+#undef _
+
+ return (NULL);
+}
+
+static clib_error_t *
+ikev2_api_init (vlib_main_t * vm)
+{
+ ikev2_main_t *im = &ikev2_main;
+ clib_error_t *error = 0;
+ u8 *name;
+
+ name = format (0, "ikev2_%08x%c", api_version, 0);
+
+ /* Ask for a correctly-sized block of API message decode slots */
+ im->msg_id_base = vl_msg_api_get_msg_ids ((char *) name,
+ VL_MSG_FIRST_AVAILABLE);
+
+ error = ikev2_plugin_api_hookup (vm);
+
+ /* Add our API messages to the global name_crc hash table */
+ setup_message_id_table (im, &api_main);
+
+ vec_free (name);
+
+ return (error);
+}
+
+VLIB_INIT_FUNCTION (ikev2_api_init);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
#include <vnet/udp/udp.h>
-#include <vnet/ipsec/ikev2.h>
-#include <vnet/ipsec/ikev2_priv.h>
+#include <plugins/ikev2/ikev2.h>
+#include <plugins/ikev2/ikev2_priv.h>
u8 *
format_ikev2_id_type_and_data (u8 * s, va_list * args)
#include <vnet/pg/pg.h>
#include <vppinfra/error.h>
#include <vnet/udp/udp.h>
-#include <vnet/ipsec/ikev2.h>
-#include <vnet/ipsec/ikev2_priv.h>
+#include <plugins/ikev2/ikev2.h>
+#include <plugins/ikev2/ikev2_priv.h>
#include <openssl/obj_mac.h>
#include <openssl/ec.h>
#include <openssl/x509.h>
#include <vnet/interface.h>
#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
-#include <vnet/ipsec/ikev2_priv.h>
+#include <plugins/ikev2/ikev2.h>
+#include <plugins/ikev2/ikev2_priv.h>
u8 *
format_ikev2_sa_transform (u8 * s, va_list * args)
--- /dev/null
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef included_ikev2_msg_enum_h
+#define included_ikev2_msg_enum_h
+
+#include <vppinfra/byte_order.h>
+
+#define vl_msg_id(n,h) n,
+typedef enum {
+#include <ikev2/ikev2.api.h>
+ /* We'll want to know how many messages IDs we need... */
+ VL_MSG_FIRST_AVAILABLE,
+} vl_msg_id_t;
+#undef vl_msg_id
+
+#endif
#include <vnet/interface.h>
#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
-#include <vnet/ipsec/ikev2_priv.h>
+#include <plugins/ikev2/ikev2.h>
+#include <plugins/ikev2/ikev2_priv.h>
/* *INDENT-OFF* */
-typedef CLIB_PACKED (struct
- {
- u8 nextpayload;
- u8 flags;
- u16 length;
- u8 protocol_id;
- u8 spi_size;
- u16 msg_type;
- u8 payload[0];}) ike_notify_payload_header_t;
+typedef CLIB_PACKED (struct {
+ u8 nextpayload;
+ u8 flags;
+ u16 length;
+ u8 protocol_id;
+ u8 spi_size;
+ u16 msg_type;
+ u8 payload[0];
+}) ike_notify_payload_header_t;
/* *INDENT-ON* */
/* *INDENT-OFF* */
-typedef CLIB_PACKED (struct
- {
- u8 ts_type;
- u8 protocol_id;
- u16 selector_len;
- u16 start_port;
- u16 end_port;
- ip4_address_t start_addr;
- ip4_address_t end_addr;}) ikev2_ts_payload_entry_t;
+typedef CLIB_PACKED (struct {
+ u8 ts_type;
+ u8 protocol_id;
+ u16 selector_len;
+ u16 start_port;
+ u16 end_port;
+ ip4_address_t start_addr;
+ ip4_address_t end_addr;
+}) ikev2_ts_payload_entry_t;
/* *INDENT-OFF* */
/* *INDENT-OFF* */
-typedef CLIB_PACKED (struct
- {
- u8 nextpayload;
- u8 flags;
- u16 length;
- u8 num_ts;
- u8 reserved[3];
- ikev2_ts_payload_entry_t ts[0];})
- ike_ts_payload_header_t;
+typedef CLIB_PACKED (struct {
+ u8 nextpayload;
+ u8 flags;
+ u16 length;
+ u8 num_ts;
+ u8 reserved[3];
+ ikev2_ts_payload_entry_t ts[0];
+}) ike_ts_payload_header_t;
/* *INDENT-OFF* */
/* *INDENT-OFF* */
#include <vnet/ip/ip.h>
#include <vnet/ethernet/ethernet.h>
-#include <vnet/ipsec/ikev2.h>
+#include <plugins/ikev2/ikev2.h>
#include <vppinfra/hash.h>
#include <vppinfra/elog.h>
ikev2_main_per_thread_data_t *per_thread_data;
+ /* API message ID base */
+ u16 msg_id_base;
} ikev2_main_t;
extern ikev2_main_t ikev2_main;
--- /dev/null
+/*
+ *------------------------------------------------------------------
+ * api_format.c
+ *
+ * Copyright (c) 2014-2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *------------------------------------------------------------------
+ */
+
+#include <vat/vat.h>
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+#include <vppinfra/error.h>
+#include <plugins/ikev2/ikev2.h>
+
+#define __plugin_msg_base ikev2_test_main.msg_id_base
+#include <vlibapi/vat_helper_macros.h>
+
+/* Declare message IDs */
+#include <ikev2/ikev2_msg_enum.h>
+
+#define vl_typedefs /* define message structures */
+#include <ikev2/ikev2.api.h>
+#undef vl_typedefs
+
+/* declare message handlers for each api */
+
+#define vl_endianfun /* define message structures */
+#include <ikev2/ikev2.api.h>
+#undef vl_endianfun
+
+/* instantiate all the print functions we know about */
+#define vl_print(handle, ...)
+#define vl_printfun
+#include <ikev2/ikev2.api.h>
+#undef vl_printfun
+
+/* Get the API version number. */
+#define vl_api_version(n,v) static u32 api_version=(v);
+#include <ikev2/ikev2.api.h>
+#undef vl_api_version
+
+typedef struct
+{
+ /* API message ID base */
+ u16 msg_id_base;
+ vat_main_t *vat_main;
+} ikev2_test_main_t;
+
+ikev2_test_main_t ikev2_test_main;
+
+uword
+unformat_ikev2_auth_method (unformat_input_t * input, va_list * args)
+{
+ u32 *r = va_arg (*args, u32 *);
+
+ if (0);
+#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_AUTH_METHOD_##f;
+ foreach_ikev2_auth_method
+#undef _
+ else
+ return 0;
+ return 1;
+}
+
+uword
+unformat_ikev2_id_type (unformat_input_t * input, va_list * args)
+{
+ u32 *r = va_arg (*args, u32 *);
+
+ if (0);
+#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_ID_TYPE_##f;
+ foreach_ikev2_id_type
+#undef _
+ else
+ return 0;
+ return 1;
+}
+
+/*
+ * Generate boilerplate reply handlers, which
+ * dig the return value out of the xxx_reply_t API message,
+ * stick it into vam->retval, and set vam->result_ready
+ *
+ * Could also do this by pointing N message decode slots at
+ * a single function, but that could break in subtle ways.
+ */
+
+#define foreach_standard_reply_retval_handler \
+_(ikev2_profile_add_del_reply) \
+_(ikev2_profile_set_auth_reply) \
+_(ikev2_profile_set_id_reply) \
+_(ikev2_profile_set_ts_reply) \
+_(ikev2_set_local_key_reply) \
+_(ikev2_set_responder_reply) \
+_(ikev2_set_ike_transforms_reply) \
+_(ikev2_set_esp_transforms_reply) \
+_(ikev2_set_sa_lifetime_reply) \
+_(ikev2_initiate_sa_init_reply) \
+_(ikev2_initiate_del_ike_sa_reply) \
+_(ikev2_initiate_del_child_sa_reply) \
+_(ikev2_initiate_rekey_child_sa_reply)
+
+#define _(n) \
+ static void vl_api_##n##_t_handler \
+ (vl_api_##n##_t * mp) \
+ { \
+ vat_main_t * vam = ikev2_test_main.vat_main; \
+ i32 retval = ntohl(mp->retval); \
+ if (vam->async_mode) { \
+ vam->async_errors += (retval < 0); \
+ } else { \
+ vam->retval = retval; \
+ vam->result_ready = 1; \
+ } \
+ }
+foreach_standard_reply_retval_handler;
+#undef _
+
+/*
+ * Table of message reply handlers, must include boilerplate handlers
+ * we just generated
+ */
+
+#define foreach_vpe_api_reply_msg \
+_(IKEV2_PROFILE_ADD_DEL_REPLY, ikev2_profile_add_del_reply) \
+_(IKEV2_PROFILE_SET_AUTH_REPLY, ikev2_profile_set_auth_reply) \
+_(IKEV2_PROFILE_SET_ID_REPLY, ikev2_profile_set_id_reply) \
+_(IKEV2_PROFILE_SET_TS_REPLY, ikev2_profile_set_ts_reply) \
+_(IKEV2_SET_LOCAL_KEY_REPLY, ikev2_set_local_key_reply) \
+_(IKEV2_SET_RESPONDER_REPLY, ikev2_set_responder_reply) \
+_(IKEV2_SET_IKE_TRANSFORMS_REPLY, ikev2_set_ike_transforms_reply) \
+_(IKEV2_SET_ESP_TRANSFORMS_REPLY, ikev2_set_esp_transforms_reply) \
+_(IKEV2_SET_SA_LIFETIME_REPLY, ikev2_set_sa_lifetime_reply) \
+_(IKEV2_INITIATE_SA_INIT_REPLY, ikev2_initiate_sa_init_reply) \
+_(IKEV2_INITIATE_DEL_IKE_SA_REPLY, ikev2_initiate_del_ike_sa_reply) \
+_(IKEV2_INITIATE_DEL_CHILD_SA_REPLY, ikev2_initiate_del_child_sa_reply) \
+_(IKEV2_INITIATE_REKEY_CHILD_SA_REPLY, ikev2_initiate_rekey_child_sa_reply)
+
+
+static int
+api_ikev2_profile_add_del (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_profile_add_del_t *mp;
+ u8 is_add = 1;
+ u8 *name = 0;
+ int ret;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "del"))
+ is_add = 0;
+ else if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_PROFILE_ADD_DEL, mp);
+
+ clib_memcpy (mp->name, name, vec_len (name));
+ mp->is_add = is_add;
+ vec_free (name);
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_profile_set_auth (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_profile_set_auth_t *mp;
+ u8 *name = 0;
+ u8 *data = 0;
+ u32 auth_method = 0;
+ u8 is_hex = 0;
+ int ret;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else if (unformat (i, "auth_method %U",
+ unformat_ikev2_auth_method, &auth_method))
+ ;
+ else if (unformat (i, "auth_data 0x%U", unformat_hex_string, &data))
+ is_hex = 1;
+ else if (unformat (i, "auth_data %v", &data))
+ ;
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ if (!vec_len (data))
+ {
+ errmsg ("auth_data must be specified");
+ return -99;
+ }
+
+ if (!auth_method)
+ {
+ errmsg ("auth_method must be specified");
+ return -99;
+ }
+
+ M (IKEV2_PROFILE_SET_AUTH, mp);
+
+ mp->is_hex = is_hex;
+ mp->auth_method = (u8) auth_method;
+ mp->data_len = vec_len (data);
+ clib_memcpy (mp->name, name, vec_len (name));
+ clib_memcpy (mp->data, data, vec_len (data));
+ vec_free (name);
+ vec_free (data);
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_profile_set_id (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_profile_set_id_t *mp;
+ u8 *name = 0;
+ u8 *data = 0;
+ u8 is_local = 0;
+ u32 id_type = 0;
+ ip4_address_t ip4;
+ int ret;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else if (unformat (i, "id_type %U", unformat_ikev2_id_type, &id_type))
+ ;
+ else if (unformat (i, "id_data %U", unformat_ip4_address, &ip4))
+ {
+ data = vec_new (u8, 4);
+ clib_memcpy (data, ip4.as_u8, 4);
+ }
+ else if (unformat (i, "id_data 0x%U", unformat_hex_string, &data))
+ ;
+ else if (unformat (i, "id_data %v", &data))
+ ;
+ else if (unformat (i, "local"))
+ is_local = 1;
+ else if (unformat (i, "remote"))
+ is_local = 0;
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ if (!vec_len (data))
+ {
+ errmsg ("id_data must be specified");
+ return -99;
+ }
+
+ if (!id_type)
+ {
+ errmsg ("id_type must be specified");
+ return -99;
+ }
+
+ M (IKEV2_PROFILE_SET_ID, mp);
+
+ mp->is_local = is_local;
+ mp->id_type = (u8) id_type;
+ mp->data_len = vec_len (data);
+ clib_memcpy (mp->name, name, vec_len (name));
+ clib_memcpy (mp->data, data, vec_len (data));
+ vec_free (name);
+ vec_free (data);
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_profile_set_ts (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_profile_set_ts_t *mp;
+ u8 *name = 0;
+ u8 is_local = 0;
+ u32 proto = 0, start_port = 0, end_port = (u32) ~ 0;
+ ip4_address_t start_addr, end_addr;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+ int ret;
+
+ start_addr.as_u32 = 0;
+ end_addr.as_u32 = (u32) ~ 0;
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "name %U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else if (unformat (i, "protocol %d", &proto))
+ ;
+ else if (unformat (i, "start_port %d", &start_port))
+ ;
+ else if (unformat (i, "end_port %d", &end_port))
+ ;
+ else
+ if (unformat (i, "start_addr %U", unformat_ip4_address, &start_addr))
+ ;
+ else if (unformat (i, "end_addr %U", unformat_ip4_address, &end_addr))
+ ;
+ else if (unformat (i, "local"))
+ is_local = 1;
+ else if (unformat (i, "remote"))
+ is_local = 0;
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_PROFILE_SET_TS, mp);
+
+ mp->is_local = is_local;
+ mp->proto = (u8) proto;
+ mp->start_port = (u16) start_port;
+ mp->end_port = (u16) end_port;
+ mp->start_addr = start_addr.as_u32;
+ mp->end_addr = end_addr.as_u32;
+ clib_memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_set_local_key (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_set_local_key_t *mp;
+ u8 *file = 0;
+ int ret;
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "file %v", &file))
+ vec_add1 (file, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (file))
+ {
+ errmsg ("RSA key file must be specified");
+ return -99;
+ }
+
+ if (vec_len (file) > 256)
+ {
+ errmsg ("file name too long");
+ return -99;
+ }
+
+ M (IKEV2_SET_LOCAL_KEY, mp);
+
+ clib_memcpy (mp->key_file, file, vec_len (file));
+ vec_free (file);
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_set_responder (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_set_responder_t *mp;
+ int ret;
+ u8 *name = 0;
+ u32 sw_if_index = ~0;
+ ip4_address_t address;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat
+ (i, "%U interface %d address %U", unformat_token, valid_chars,
+ &name, &sw_if_index, unformat_ip4_address, &address))
+ vec_add1 (name, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_SET_RESPONDER, mp);
+
+ clib_memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+
+ mp->sw_if_index = sw_if_index;
+ clib_memcpy (mp->address, &address, sizeof (address));
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_set_ike_transforms (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_set_ike_transforms_t *mp;
+ int ret;
+ u8 *name = 0;
+ u32 crypto_alg, crypto_key_size, integ_alg, dh_group;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name,
+ &crypto_alg, &crypto_key_size, &integ_alg, &dh_group))
+ vec_add1 (name, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_SET_IKE_TRANSFORMS, mp);
+
+ clib_memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+ mp->crypto_alg = crypto_alg;
+ mp->crypto_key_size = crypto_key_size;
+ mp->integ_alg = integ_alg;
+ mp->dh_group = dh_group;
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+
+static int
+api_ikev2_set_esp_transforms (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_set_esp_transforms_t *mp;
+ int ret;
+ u8 *name = 0;
+ u32 crypto_alg, crypto_key_size, integ_alg, dh_group;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name,
+ &crypto_alg, &crypto_key_size, &integ_alg, &dh_group))
+ vec_add1 (name, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_SET_ESP_TRANSFORMS, mp);
+
+ clib_memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+ mp->crypto_alg = crypto_alg;
+ mp->crypto_key_size = crypto_key_size;
+ mp->integ_alg = integ_alg;
+ mp->dh_group = dh_group;
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_set_sa_lifetime (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_set_sa_lifetime_t *mp;
+ int ret;
+ u8 *name = 0;
+ u64 lifetime, lifetime_maxdata;
+ u32 lifetime_jitter, handover;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%U %lu %u %u %lu", unformat_token, valid_chars, &name,
+ &lifetime, &lifetime_jitter, &handover,
+ &lifetime_maxdata))
+ vec_add1 (name, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_SET_SA_LIFETIME, mp);
+
+ clib_memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+ mp->lifetime = lifetime;
+ mp->lifetime_jitter = lifetime_jitter;
+ mp->handover = handover;
+ mp->lifetime_maxdata = lifetime_maxdata;
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_initiate_sa_init (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_initiate_sa_init_t *mp;
+ int ret;
+ u8 *name = 0;
+
+ const char *valid_chars = "a-zA-Z0-9_";
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%U", unformat_token, valid_chars, &name))
+ vec_add1 (name, 0);
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ if (!vec_len (name))
+ {
+ errmsg ("profile name must be specified");
+ return -99;
+ }
+
+ if (vec_len (name) > 64)
+ {
+ errmsg ("profile name too long");
+ return -99;
+ }
+
+ M (IKEV2_INITIATE_SA_INIT, mp);
+
+ clib_memcpy (mp->name, name, vec_len (name));
+ vec_free (name);
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_initiate_del_ike_sa (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_initiate_del_ike_sa_t *mp;
+ int ret;
+ u64 ispi;
+
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%lx", &ispi))
+ ;
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ M (IKEV2_INITIATE_DEL_IKE_SA, mp);
+
+ mp->ispi = ispi;
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_initiate_del_child_sa (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_initiate_del_child_sa_t *mp;
+ int ret;
+ u32 ispi;
+
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%x", &ispi))
+ ;
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ M (IKEV2_INITIATE_DEL_CHILD_SA, mp);
+
+ mp->ispi = ispi;
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+static int
+api_ikev2_initiate_rekey_child_sa (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ikev2_initiate_rekey_child_sa_t *mp;
+ int ret;
+ u32 ispi;
+
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "%x", &ispi))
+ ;
+ else
+ {
+ errmsg ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ M (IKEV2_INITIATE_REKEY_CHILD_SA, mp);
+
+ mp->ispi = ispi;
+
+ S (mp);
+ W (ret);
+ return ret;
+}
+
+
+/* List of API message constructors, CLI names map to api_xxx */
+#define foreach_vpe_api_msg \
+_(ikev2_profile_add_del, "name <profile_name> [del]") \
+_(ikev2_profile_set_auth, "name <profile_name> auth_method <method>\n" \
+ "(auth_data 0x<data> | auth_data <data>)") \
+_(ikev2_profile_set_id, "name <profile_name> id_type <type>\n" \
+ "(id_data 0x<data> | id_data <data>) (local|remote)") \
+_(ikev2_profile_set_ts, "name <profile_name> protocol <proto>\n" \
+ "start_port <port> end_port <port> start_addr <ip4> end_addr <ip4>\n" \
+ "(local|remote)") \
+_(ikev2_set_local_key, "file <absolute_file_path>") \
+_(ikev2_set_responder, "<profile_name> interface <interface> address <addr>") \
+_(ikev2_set_ike_transforms, "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>") \
+_(ikev2_set_esp_transforms, "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>") \
+_(ikev2_set_sa_lifetime, "<profile_name> <seconds> <jitter> <handover> <max bytes>") \
+_(ikev2_initiate_sa_init, "<profile_name>") \
+_(ikev2_initiate_del_ike_sa, "<ispi>") \
+_(ikev2_initiate_del_child_sa, "<ispi>") \
+_(ikev2_initiate_rekey_child_sa, "<ispi>")
+
+static void
+ikev2_vat_api_hookup (vat_main_t * vam)
+{
+ ikev2_test_main_t *sm = &ikev2_test_main;
+ /* Hook up handlers for replies from the data plane plug-in */
+#define _(N,n) \
+ vl_msg_api_set_handlers((VL_API_##N + sm->msg_id_base), \
+ #n, \
+ vl_api_##n##_t_handler, \
+ vl_noop_handler, \
+ vl_api_##n##_t_endian, \
+ vl_api_##n##_t_print, \
+ sizeof(vl_api_##n##_t), 1);
+ foreach_vpe_api_reply_msg;
+#undef _
+
+ /* API messages we can send */
+#define _(n,h) hash_set_mem (vam->function_by_name, #n, api_##n);
+ foreach_vpe_api_msg;
+#undef _
+
+ /* Help strings */
+#define _(n,h) hash_set_mem (vam->help_by_name, #n, h);
+ foreach_vpe_api_msg;
+#undef _
+}
+
+clib_error_t *
+vat_plugin_register (vat_main_t * vam)
+{
+ ikev2_test_main_t *sm = &ikev2_test_main;
+ u8 *name;
+
+ sm->vat_main = vam;
+
+ name = format (0, "ikev2_%08x%c", api_version, 0);
+ sm->msg_id_base = vl_client_get_first_plugin_msg_id ((char *) name);
+
+ if (sm->msg_id_base != (u16) ~ 0)
+ ikev2_vat_api_hookup (vam);
+
+ vec_free (name);
+
+ return 0;
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
#include <vnet/classify/flow_classify.h>
#include <vnet/mpls/mpls.h>
#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
#include <inttypes.h>
#include <vnet/cop/cop.h>
#include <vnet/ip/ip6_hop_by_hop.h>
return format (s, "%s", t);
}
-uword
-unformat_ikev2_auth_method (unformat_input_t * input, va_list * args)
-{
- u32 *r = va_arg (*args, u32 *);
-
- if (0);
-#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_AUTH_METHOD_##f;
- foreach_ikev2_auth_method
-#undef _
- else
- return 0;
- return 1;
-}
-
-uword
-unformat_ikev2_id_type (unformat_input_t * input, va_list * args)
-{
- u32 *r = va_arg (*args, u32 *);
-
- if (0);
-#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_ID_TYPE_##f;
- foreach_ikev2_id_type
-#undef _
- else
- return 0;
- return 1;
-}
#else /* VPP_API_TEST_BUILTIN == 1 */
static uword
api_unformat_sw_if_index (unformat_input_t * input, va_list * args)
_(ipsec_tunnel_if_add_del_reply) \
_(ipsec_tunnel_if_set_key_reply) \
_(ipsec_tunnel_if_set_sa_reply) \
-_(ikev2_profile_add_del_reply) \
-_(ikev2_profile_set_auth_reply) \
-_(ikev2_profile_set_id_reply) \
-_(ikev2_profile_set_ts_reply) \
-_(ikev2_set_local_key_reply) \
-_(ikev2_set_responder_reply) \
-_(ikev2_set_ike_transforms_reply) \
-_(ikev2_set_esp_transforms_reply) \
-_(ikev2_set_sa_lifetime_reply) \
-_(ikev2_initiate_sa_init_reply) \
-_(ikev2_initiate_del_ike_sa_reply) \
-_(ikev2_initiate_del_child_sa_reply) \
-_(ikev2_initiate_rekey_child_sa_reply) \
_(delete_loopback_reply) \
_(bd_ip_mac_add_del_reply) \
_(bd_ip_mac_flush_reply) \
_(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \
_(IPSEC_TUNNEL_IF_SET_KEY_REPLY, ipsec_tunnel_if_set_key_reply) \
_(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply) \
-_(IKEV2_PROFILE_ADD_DEL_REPLY, ikev2_profile_add_del_reply) \
-_(IKEV2_PROFILE_SET_AUTH_REPLY, ikev2_profile_set_auth_reply) \
-_(IKEV2_PROFILE_SET_ID_REPLY, ikev2_profile_set_id_reply) \
-_(IKEV2_PROFILE_SET_TS_REPLY, ikev2_profile_set_ts_reply) \
-_(IKEV2_SET_LOCAL_KEY_REPLY, ikev2_set_local_key_reply) \
-_(IKEV2_SET_RESPONDER_REPLY, ikev2_set_responder_reply) \
-_(IKEV2_SET_IKE_TRANSFORMS_REPLY, ikev2_set_ike_transforms_reply) \
-_(IKEV2_SET_ESP_TRANSFORMS_REPLY, ikev2_set_esp_transforms_reply) \
-_(IKEV2_SET_SA_LIFETIME_REPLY, ikev2_set_sa_lifetime_reply) \
-_(IKEV2_INITIATE_SA_INIT_REPLY, ikev2_initiate_sa_init_reply) \
-_(IKEV2_INITIATE_DEL_IKE_SA_REPLY, ikev2_initiate_del_ike_sa_reply) \
-_(IKEV2_INITIATE_DEL_CHILD_SA_REPLY, ikev2_initiate_del_child_sa_reply) \
-_(IKEV2_INITIATE_REKEY_CHILD_SA_REPLY, ikev2_initiate_rekey_child_sa_reply) \
_(DELETE_LOOPBACK_REPLY, delete_loopback_reply) \
_(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply) \
_(BD_IP_MAC_FLUSH_REPLY, bd_ip_mac_flush_reply) \
return ret;
}
-static int
-api_ikev2_profile_add_del (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_add_del_t *mp;
- u8 is_add = 1;
- u8 *name = 0;
- int ret;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "del"))
- is_add = 0;
- else if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_PROFILE_ADD_DEL, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- mp->is_add = is_add;
- vec_free (name);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_profile_set_auth (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_set_auth_t *mp;
- u8 *name = 0;
- u8 *data = 0;
- u32 auth_method = 0;
- u8 is_hex = 0;
- int ret;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else if (unformat (i, "auth_method %U",
- unformat_ikev2_auth_method, &auth_method))
- ;
- else if (unformat (i, "auth_data 0x%U", unformat_hex_string, &data))
- is_hex = 1;
- else if (unformat (i, "auth_data %v", &data))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- if (!vec_len (data))
- {
- errmsg ("auth_data must be specified");
- return -99;
- }
-
- if (!auth_method)
- {
- errmsg ("auth_method must be specified");
- return -99;
- }
-
- M (IKEV2_PROFILE_SET_AUTH, mp);
-
- mp->is_hex = is_hex;
- mp->auth_method = (u8) auth_method;
- mp->data_len = vec_len (data);
- clib_memcpy (mp->name, name, vec_len (name));
- clib_memcpy (mp->data, data, vec_len (data));
- vec_free (name);
- vec_free (data);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_profile_set_id (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_set_id_t *mp;
- u8 *name = 0;
- u8 *data = 0;
- u8 is_local = 0;
- u32 id_type = 0;
- ip4_address_t ip4;
- int ret;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else if (unformat (i, "id_type %U", unformat_ikev2_id_type, &id_type))
- ;
- else if (unformat (i, "id_data %U", unformat_ip4_address, &ip4))
- {
- data = vec_new (u8, 4);
- clib_memcpy (data, ip4.as_u8, 4);
- }
- else if (unformat (i, "id_data 0x%U", unformat_hex_string, &data))
- ;
- else if (unformat (i, "id_data %v", &data))
- ;
- else if (unformat (i, "local"))
- is_local = 1;
- else if (unformat (i, "remote"))
- is_local = 0;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- if (!vec_len (data))
- {
- errmsg ("id_data must be specified");
- return -99;
- }
-
- if (!id_type)
- {
- errmsg ("id_type must be specified");
- return -99;
- }
-
- M (IKEV2_PROFILE_SET_ID, mp);
-
- mp->is_local = is_local;
- mp->id_type = (u8) id_type;
- mp->data_len = vec_len (data);
- clib_memcpy (mp->name, name, vec_len (name));
- clib_memcpy (mp->data, data, vec_len (data));
- vec_free (name);
- vec_free (data);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_profile_set_ts (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_set_ts_t *mp;
- u8 *name = 0;
- u8 is_local = 0;
- u32 proto = 0, start_port = 0, end_port = (u32) ~ 0;
- ip4_address_t start_addr, end_addr;
-
- const char *valid_chars = "a-zA-Z0-9_";
- int ret;
-
- start_addr.as_u32 = 0;
- end_addr.as_u32 = (u32) ~ 0;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else if (unformat (i, "protocol %d", &proto))
- ;
- else if (unformat (i, "start_port %d", &start_port))
- ;
- else if (unformat (i, "end_port %d", &end_port))
- ;
- else
- if (unformat (i, "start_addr %U", unformat_ip4_address, &start_addr))
- ;
- else if (unformat (i, "end_addr %U", unformat_ip4_address, &end_addr))
- ;
- else if (unformat (i, "local"))
- is_local = 1;
- else if (unformat (i, "remote"))
- is_local = 0;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_PROFILE_SET_TS, mp);
-
- mp->is_local = is_local;
- mp->proto = (u8) proto;
- mp->start_port = (u16) start_port;
- mp->end_port = (u16) end_port;
- mp->start_addr = start_addr.as_u32;
- mp->end_addr = end_addr.as_u32;
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_set_local_key (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_local_key_t *mp;
- u8 *file = 0;
- int ret;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "file %v", &file))
- vec_add1 (file, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (file))
- {
- errmsg ("RSA key file must be specified");
- return -99;
- }
-
- if (vec_len (file) > 256)
- {
- errmsg ("file name too long");
- return -99;
- }
-
- M (IKEV2_SET_LOCAL_KEY, mp);
-
- clib_memcpy (mp->key_file, file, vec_len (file));
- vec_free (file);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_set_responder (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_responder_t *mp;
- int ret;
- u8 *name = 0;
- u32 sw_if_index = ~0;
- ip4_address_t address;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat
- (i, "%U interface %d address %U", unformat_token, valid_chars,
- &name, &sw_if_index, unformat_ip4_address, &address))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_SET_RESPONDER, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
-
- mp->sw_if_index = sw_if_index;
- clib_memcpy (mp->address, &address, sizeof (address));
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_set_ike_transforms (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_ike_transforms_t *mp;
- int ret;
- u8 *name = 0;
- u32 crypto_alg, crypto_key_size, integ_alg, dh_group;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name,
- &crypto_alg, &crypto_key_size, &integ_alg, &dh_group))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_SET_IKE_TRANSFORMS, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
- mp->crypto_alg = crypto_alg;
- mp->crypto_key_size = crypto_key_size;
- mp->integ_alg = integ_alg;
- mp->dh_group = dh_group;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-
-static int
-api_ikev2_set_esp_transforms (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_esp_transforms_t *mp;
- int ret;
- u8 *name = 0;
- u32 crypto_alg, crypto_key_size, integ_alg, dh_group;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name,
- &crypto_alg, &crypto_key_size, &integ_alg, &dh_group))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_SET_ESP_TRANSFORMS, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
- mp->crypto_alg = crypto_alg;
- mp->crypto_key_size = crypto_key_size;
- mp->integ_alg = integ_alg;
- mp->dh_group = dh_group;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_set_sa_lifetime (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_sa_lifetime_t *mp;
- int ret;
- u8 *name = 0;
- u64 lifetime, lifetime_maxdata;
- u32 lifetime_jitter, handover;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U %lu %u %u %lu", unformat_token, valid_chars, &name,
- &lifetime, &lifetime_jitter, &handover,
- &lifetime_maxdata))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_SET_SA_LIFETIME, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
- mp->lifetime = lifetime;
- mp->lifetime_jitter = lifetime_jitter;
- mp->handover = handover;
- mp->lifetime_maxdata = lifetime_maxdata;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_sa_init (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_sa_init_t *mp;
- int ret;
- u8 *name = 0;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_INITIATE_SA_INIT, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_del_ike_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_del_ike_sa_t *mp;
- int ret;
- u64 ispi;
-
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%lx", &ispi))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- M (IKEV2_INITIATE_DEL_IKE_SA, mp);
-
- mp->ispi = ispi;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_del_child_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_del_child_sa_t *mp;
- int ret;
- u32 ispi;
-
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%x", &ispi))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- M (IKEV2_INITIATE_DEL_CHILD_SA, mp);
-
- mp->ispi = ispi;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_rekey_child_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_rekey_child_sa_t *mp;
- int ret;
- u32 ispi;
-
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%x", &ispi))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- M (IKEV2_INITIATE_REKEY_CHILD_SA, mp);
-
- mp->ispi = ispi;
-
- S (mp);
- W (ret);
- return ret;
-}
-
static int
api_get_first_msg_id (vat_main_t * vam)
{
_(ipsec_tunnel_if_set_key, "<intfc> <local|remote> <crypto|integ>\n" \
" <alg> <hex>\n") \
_(ipsec_tunnel_if_set_sa, "<intfc> sa_id <n> <inbound|outbound>\n") \
-_(ikev2_profile_add_del, "name <profile_name> [del]") \
-_(ikev2_profile_set_auth, "name <profile_name> auth_method <method>\n" \
- "(auth_data 0x<data> | auth_data <data>)") \
-_(ikev2_profile_set_id, "name <profile_name> id_type <type>\n" \
- "(id_data 0x<data> | id_data <data>) (local|remote)") \
-_(ikev2_profile_set_ts, "name <profile_name> protocol <proto>\n" \
- "start_port <port> end_port <port> start_addr <ip4> end_addr <ip4>\n" \
- "(local|remote)") \
-_(ikev2_set_local_key, "file <absolute_file_path>") \
-_(ikev2_set_responder, "<profile_name> interface <interface> address <addr>") \
-_(ikev2_set_ike_transforms, "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>") \
-_(ikev2_set_esp_transforms, "<profile_name> <crypto alg> <key size> <integrity alg> <DH group>") \
-_(ikev2_set_sa_lifetime, "<profile_name> <seconds> <jitter> <handover> <max bytes>") \
-_(ikev2_initiate_sa_init, "<profile_name>") \
-_(ikev2_initiate_del_ike_sa, "<ispi>") \
-_(ikev2_initiate_del_child_sa, "<ispi>") \
-_(ikev2_initiate_rekey_child_sa, "<ispi>") \
_(delete_loopback,"sw_if_index <nn>") \
_(bd_ip_mac_add_del, "bd_id <bridge-domain-id> <ip4/6-addr> <mac-addr> [del]") \
_(bd_ip_mac_flush, "bd_id <bridge-domain-id>") \
ipsec/esp_decrypt.c
ipsec/ah_decrypt.c
ipsec/ah_encrypt.c
- ipsec/ikev2.c
- ipsec/ikev2_crypto.c
- ipsec/ikev2_cli.c
- ipsec/ikev2_payload.c
- ipsec/ikev2_format.c
ipsec/ipsec_api.c
)
ipsec/ipsec_if.h
ipsec/esp.h
ipsec/ah.h
- ipsec/ikev2.h
- ipsec/ikev2_priv.h
)
##############################################################################
vl_api_key_t integrity_key;
};
-/** \brief IKEv2: Add/delete profile
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param is_add - Add IKEv2 profile if non-zero, else delete
-*/
-autoreply define ikev2_profile_add_del
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 is_add;
-};
-
-/** \brief IKEv2: Set IKEv2 profile authentication method
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
- @param is_hex - Authentication data in hex format if non-zero, else string
- @param data_len - Authentication data length
- @param data - Authentication data (for rsa-sig cert file path)
-*/
-autoreply define ikev2_profile_set_auth
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 auth_method;
- u8 is_hex;
- u32 data_len;
- u8 data[data_len];
-};
-
-/** \brief IKEv2: Set IKEv2 profile local/remote identification
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param is_local - Identification is local if non-zero, else remote
- @param id_type - Identification type
- @param data_len - Identification data length
- @param data - Identification data
-*/
-autoreply define ikev2_profile_set_id
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 is_local;
- u8 id_type;
- u32 data_len;
- u8 data[data_len];
-};
-
-/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param is_local - Traffic selector is local if non-zero, else remote
- @param proto - Traffic selector IP protocol (if zero not relevant)
- @param start_port - The smallest port number allowed by traffic selector
- @param end_port - The largest port number allowed by traffic selector
- @param start_addr - The smallest address included in traffic selector
- @param end_addr - The largest address included in traffic selector
-*/
-autoreply define ikev2_profile_set_ts
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u8 is_local;
- u8 proto;
- u16 start_port;
- u16 end_port;
- u32 start_addr;
- u32 end_addr;
-};
-
-/** \brief IKEv2: Set IKEv2 local RSA private key
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param key_file - Key file absolute path
-*/
-autoreply define ikev2_set_local_key
-{
- u32 client_index;
- u32 context;
-
- u8 key_file[256];
-};
-
-/** \brief IKEv2: Set IKEv2 responder interface and IP address
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param sw_if_index - interface index
- @param address - interface address
-*/
-autoreply define ikev2_set_responder
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u32 sw_if_index;
- u8 address[4];
-};
-
-/** \brief IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param crypto_alg - encryption algorithm
- @param crypto_key_size - encryption key size
- @param integ_alg - integrity algorithm
- @param dh_group - Diffie-Hellman group
-
-*/
-autoreply define ikev2_set_ike_transforms
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u32 crypto_alg;
- u32 crypto_key_size;
- u32 integ_alg;
- u32 dh_group;
-};
-
-/** \brief IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param crypto_alg - encryption algorithm
- @param crypto_key_size - encryption key size
- @param integ_alg - integrity algorithm
- @param dh_group - Diffie-Hellman group
-
-*/
-autoreply define ikev2_set_esp_transforms
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u32 crypto_alg;
- u32 crypto_key_size;
- u32 integ_alg;
- u32 dh_group;
-};
-
-/** \brief IKEv2: Set Child SA lifetime, limited by time and/or data
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
- @param lifetime - SA maximum life time in seconds (0 to disable)
- @param lifetime_jitter - Jitter added to prevent simultaneous rekeying
- @param handover - Hand over time
- @param lifetime_maxdata - SA maximum life time in bytes (0 to disable)
-
-*/
-autoreply define ikev2_set_sa_lifetime
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
- u64 lifetime;
- u32 lifetime_jitter;
- u32 handover;
- u64 lifetime_maxdata;
-};
-
-/** \brief IKEv2: Initiate the SA_INIT exchange
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param name - IKEv2 profile name
-
-*/
-autoreply define ikev2_initiate_sa_init
-{
- u32 client_index;
- u32 context;
-
- u8 name[64];
-};
-
-/** \brief IKEv2: Initiate the delete IKE SA exchange
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param ispi - IKE SA initiator SPI
-
-*/
-autoreply define ikev2_initiate_del_ike_sa
-{
- u32 client_index;
- u32 context;
-
- u64 ispi;
-};
-
-/** \brief IKEv2: Initiate the delete Child SA exchange
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param ispi - Child SA initiator SPI
-
-*/
-autoreply define ikev2_initiate_del_child_sa
-{
- u32 client_index;
- u32 context;
-
- u32 ispi;
-};
-
-/** \brief IKEv2: Initiate the rekey Child SA exchange
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param ispi - Child SA initiator SPI
-
-*/
-autoreply define ikev2_initiate_rekey_child_sa
-{
- u32 client_index;
- u32 context;
-
- u32 ispi;
-};
-
/** \brief IPsec: Get SPD interfaces
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
#include <vnet/udp/udp.h>
#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
ipsec_proto_init ();
- if ((error = ikev2_init (vm)))
- return error;
-
return 0;
}
#if WITH_LIBSSL > 0
#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/ikev2.h>
#endif /* IPSEC */
#define vl_typedefs /* define message structures */
_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
-_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
-_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
-_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
-_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
-_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
-_(IKEV2_SET_RESPONDER, ikev2_set_responder) \
-_(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
-_(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
-_(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
-_(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
-_(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
-_(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
-_(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa) \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
_(IPSEC_BACKEND_DUMP, ipsec_backend_dump)
REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
}
-
-static void
-vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp)
-{
- vl_api_ikev2_profile_add_del_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- u8 *tmp = format (0, "%s", mp->name);
- error = ikev2_add_del_profile (vm, tmp, mp->is_add);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
-}
-
-static void
- vl_api_ikev2_profile_set_auth_t_handler
- (vl_api_ikev2_profile_set_auth_t * mp)
-{
- vl_api_ikev2_profile_set_auth_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- int data_len = ntohl (mp->data_len);
- u8 *tmp = format (0, "%s", mp->name);
- u8 *data = vec_new (u8, data_len);
- clib_memcpy (data, mp->data, data_len);
- error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
- vec_free (tmp);
- vec_free (data);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp)
-{
- vl_api_ikev2_profile_add_del_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- u8 *tmp = format (0, "%s", mp->name);
- int data_len = ntohl (mp->data_len);
- u8 *data = vec_new (u8, data_len);
- clib_memcpy (data, mp->data, data_len);
- error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
- vec_free (tmp);
- vec_free (data);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
-}
-
-static void
-vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp)
-{
- vl_api_ikev2_profile_set_ts_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
- u8 *tmp = format (0, "%s", mp->name);
- error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
- mp->end_port, (ip4_address_t) mp->start_addr,
- (ip4_address_t) mp->end_addr, mp->is_local);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
-}
-
-static void
-vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp)
-{
- vl_api_ikev2_profile_set_ts_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- error = ikev2_set_local_key (vm, mp->key_file);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
-}
-
-static void
-vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp)
-{
- vl_api_ikev2_set_responder_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
- ip4_address_t ip4;
- clib_memcpy (&ip4, mp->address, sizeof (ip4));
-
- error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
-}
-
-static void
-vl_api_ikev2_set_ike_transforms_t_handler (vl_api_ikev2_set_ike_transforms_t *
- mp)
-{
- vl_api_ikev2_set_ike_transforms_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
-
- error =
- ikev2_set_profile_ike_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
- mp->dh_group, mp->crypto_key_size);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
-}
-
-static void
-vl_api_ikev2_set_esp_transforms_t_handler (vl_api_ikev2_set_esp_transforms_t *
- mp)
-{
- vl_api_ikev2_set_esp_transforms_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
-
- error =
- ikev2_set_profile_esp_transforms (vm, tmp, mp->crypto_alg, mp->integ_alg,
- mp->dh_group, mp->crypto_key_size);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
-}
-
-static void
-vl_api_ikev2_set_sa_lifetime_t_handler (vl_api_ikev2_set_sa_lifetime_t * mp)
-{
- vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
-
- error =
- ikev2_set_profile_sa_lifetime (vm, tmp, mp->lifetime, mp->lifetime_jitter,
- mp->handover, mp->lifetime_maxdata);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
-}
-
-static void
-vl_api_ikev2_initiate_sa_init_t_handler (vl_api_ikev2_initiate_sa_init_t * mp)
-{
- vl_api_ikev2_initiate_sa_init_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- u8 *tmp = format (0, "%s", mp->name);
-
- error = ikev2_initiate_sa_init (vm, tmp);
- vec_free (tmp);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
-}
-
-static void
-vl_api_ikev2_initiate_del_ike_sa_t_handler (vl_api_ikev2_initiate_del_ike_sa_t
- * mp)
-{
- vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
-}
-
-static void
- vl_api_ikev2_initiate_del_child_sa_t_handler
- (vl_api_ikev2_initiate_del_child_sa_t * mp)
-{
- vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
-}
-
-static void
- vl_api_ikev2_initiate_rekey_child_sa_t_handler
- (vl_api_ikev2_initiate_rekey_child_sa_t * mp)
-{
- vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
- int rv = 0;
-
-#if WITH_LIBSSL > 0
- vlib_main_t *vm = vlib_get_main ();
- clib_error_t *error;
-
- error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
- if (error)
- rv = VNET_API_ERROR_UNSPECIFIED;
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
-}
-
-/*
- * ipsec_api_hookup
- * Add vpe's API message handlers to the table.
- * vlib has already mapped shared memory and
- * added the client registration handlers.
- * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
- */
-#define vl_msg_name_crc_list
-#include <vnet/vnet_all_api_h.h>
-#undef vl_msg_name_crc_list
-
-static void
-setup_message_id_table (api_main_t * am)
-{
-#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
- foreach_vl_msg_name_crc_ipsec;
-#undef _
-}
-
static void
vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
{
REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
}
+/*
+ * ipsec_api_hookup
+ * Add vpe's API message handlers to the table.
+ * vlib has already mapped shared memory and
+ * added the client registration handlers.
+ * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
+ */
+#define vl_msg_name_crc_list
+#include <vnet/vnet_all_api_h.h>
+#undef vl_msg_name_crc_list
+
+static void
+setup_message_id_table (api_main_t * am)
+{
+#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
+ foreach_vl_msg_name_crc_ipsec;
+#undef _
+}
+
static clib_error_t *
ipsec_api_hookup (vlib_main_t * vm)
{
Code Review / vpp.git / commitdiff