ipsec: remove the set_key API 03/20003/3
authorNeale Ranns <nranns@cisco.com>
Thu, 6 Jun 2019 13:28:14 +0000 (13:28 +0000)
committerDamjan Marion <dmarion@me.com>
Fri, 7 Jun 2019 11:19:12 +0000 (11:19 +0000)
there's no use case to just change the key of an SA. instead the SA
should be renegotiated and the new SA applied to the existing SPD entry
or tunnel.

the set_key functions were untested.

Type: refactor
Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002
Signed-off-by: Neale Ranns <nranns@cisco.com>
src/vat/api_format.c
src/vnet/crypto/crypto.c
src/vnet/crypto/crypto.h
src/vnet/ipsec/ipsec.api
src/vnet/ipsec/ipsec_api.c
src/vnet/ipsec/ipsec_cli.c
src/vnet/ipsec/ipsec_if.c
src/vnet/ipsec/ipsec_if.h
src/vnet/ipsec/ipsec_sa.c
src/vnet/ipsec/ipsec_sa.h

index fe8e6ec..5836e3c 100644 (file)
@@ -5210,9 +5210,7 @@ _(ipsec_spd_add_del_reply)                              \
 _(ipsec_interface_add_del_spd_reply)                    \
 _(ipsec_spd_entry_add_del_reply)                        \
 _(ipsec_sad_entry_add_del_reply)                        \
-_(ipsec_sa_set_key_reply)                               \
 _(ipsec_tunnel_if_add_del_reply)                        \
-_(ipsec_tunnel_if_set_key_reply)                        \
 _(ipsec_tunnel_if_set_sa_reply)                         \
 _(delete_loopback_reply)                                \
 _(bd_ip_mac_add_del_reply)                              \
@@ -5452,9 +5450,7 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD_REPLY, ipsec_interface_add_del_spd_reply) \
 _(IPSEC_SPD_ENTRY_ADD_DEL_REPLY, ipsec_spd_entry_add_del_reply)         \
 _(IPSEC_SAD_ENTRY_ADD_DEL_REPLY, ipsec_sad_entry_add_del_reply)         \
 _(IPSEC_SA_DETAILS, ipsec_sa_details)                                   \
-_(IPSEC_SA_SET_KEY_REPLY, ipsec_sa_set_key_reply)                       \
 _(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply)         \
-_(IPSEC_TUNNEL_IF_SET_KEY_REPLY, ipsec_tunnel_if_set_key_reply)         \
 _(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply)           \
 _(DELETE_LOOPBACK_REPLY, delete_loopback_reply)                         \
 _(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply)                     \
@@ -14904,52 +14900,6 @@ api_ipsec_sad_entry_add_del (vat_main_t * vam)
   return ret;
 }
 
-static int
-api_ipsec_sa_set_key (vat_main_t * vam)
-{
-  unformat_input_t *i = vam->input;
-  vl_api_ipsec_sa_set_key_t *mp;
-  u32 sa_id;
-  u8 *ck = 0, *ik = 0;
-  int ret;
-
-  while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
-    {
-      if (unformat (i, "sa_id %d", &sa_id))
-       ;
-      else if (unformat (i, "crypto_key %U", unformat_hex_string, &ck))
-       ;
-      else if (unformat (i, "integ_key %U", unformat_hex_string, &ik))
-       ;
-      else
-       {
-         clib_warning ("parse error '%U'", format_unformat_error, i);
-         return -99;
-       }
-    }
-
-  M (IPSEC_SA_SET_KEY, mp);
-
-  mp->sa_id = ntohl (sa_id);
-  mp->crypto_key.length = vec_len (ck);
-  mp->integrity_key.length = vec_len (ik);
-
-  if (mp->crypto_key.length > sizeof (mp->crypto_key.data))
-    mp->crypto_key.length = sizeof (mp->crypto_key.data);
-
-  if (mp->integrity_key.length > sizeof (mp->integrity_key.data))
-    mp->integrity_key.length = sizeof (mp->integrity_key.data);
-
-  if (ck)
-    clib_memcpy (mp->crypto_key.data, ck, mp->crypto_key.length);
-  if (ik)
-    clib_memcpy (mp->integrity_key.data, ik, mp->integrity_key.length);
-
-  S (mp);
-  W (ret);
-  return ret;
-}
-
 static int
 api_ipsec_tunnel_if_add_del (vat_main_t * vam)
 {
@@ -15257,84 +15207,6 @@ api_ipsec_sa_dump (vat_main_t * vam)
   return ret;
 }
 
-static int
-api_ipsec_tunnel_if_set_key (vat_main_t * vam)
-{
-  unformat_input_t *i = vam->input;
-  vl_api_ipsec_tunnel_if_set_key_t *mp;
-  u32 sw_if_index = ~0;
-  u8 key_type = IPSEC_IF_SET_KEY_TYPE_NONE;
-  u8 *key = 0;
-  u32 alg = ~0;
-  int ret;
-
-  while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
-    {
-      if (unformat (i, "%U", api_unformat_sw_if_index, vam, &sw_if_index))
-       ;
-      else
-       if (unformat
-           (i, "local crypto %U", unformat_ipsec_api_crypto_alg, &alg))
-       key_type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
-      else
-       if (unformat
-           (i, "remote crypto %U", unformat_ipsec_api_crypto_alg, &alg))
-       key_type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
-      else
-       if (unformat
-           (i, "local integ %U", unformat_ipsec_api_integ_alg, &alg))
-       key_type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
-      else
-       if (unformat
-           (i, "remote integ %U", unformat_ipsec_api_integ_alg, &alg))
-       key_type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
-      else if (unformat (i, "%U", unformat_hex_string, &key))
-       ;
-      else
-       {
-         clib_warning ("parse error '%U'", format_unformat_error, i);
-         return -99;
-       }
-    }
-
-  if (sw_if_index == ~0)
-    {
-      errmsg ("interface must be specified");
-      return -99;
-    }
-
-  if (key_type == IPSEC_IF_SET_KEY_TYPE_NONE)
-    {
-      errmsg ("key type must be specified");
-      return -99;
-    }
-
-  if (alg == ~0)
-    {
-      errmsg ("algorithm must be specified");
-      return -99;
-    }
-
-  if (vec_len (key) == 0)
-    {
-      errmsg ("key must be specified");
-      return -99;
-    }
-
-  M (IPSEC_TUNNEL_IF_SET_KEY, mp);
-
-  mp->sw_if_index = htonl (sw_if_index);
-  mp->alg = alg;
-  mp->key_type = key_type;
-  mp->key_len = vec_len (key);
-  clib_memcpy (mp->key, key, vec_len (key));
-
-  S (mp);
-  W (ret);
-
-  return ret;
-}
-
 static int
 api_ipsec_tunnel_if_set_sa (vat_main_t * vam)
 {
@@ -22464,15 +22336,12 @@ _(ipsec_spd_entry_add_del, "spd_id <n> priority <n> action <action>\n"  \
   "  (inbound|outbound) [sa_id <n>] laddr_start <ip4|ip6>\n"            \
   "  laddr_stop <ip4|ip6> raddr_start <ip4|ip6> raddr_stop <ip4|ip6>\n" \
   "  [lport_start <n> lport_stop <n>] [rport_start <n> rport_stop <n>]" ) \
-_(ipsec_sa_set_key, "sa_id <n> crypto_key <hex> integ_key <hex>")       \
 _(ipsec_tunnel_if_add_del, "local_spi <n> remote_spi <n>\n"             \
   "  crypto_alg <alg> local_crypto_key <hex> remote_crypto_key <hex>\n" \
   "  integ_alg <alg> local_integ_key <hex> remote_integ_key <hex>\n"    \
   "  local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n"      \
   "  [instance <n>]")     \
 _(ipsec_sa_dump, "[sa_id <n>]")                                         \
-_(ipsec_tunnel_if_set_key, "<intfc> <local|remote> <crypto|integ>\n"    \
-  "  <alg> <hex>\n")                                                    \
 _(ipsec_tunnel_if_set_sa, "<intfc> sa_id <n> <inbound|outbound>\n")     \
 _(delete_loopback,"sw_if_index <nn>")                                   \
 _(bd_ip_mac_add_del, "bd_id <bridge-domain-id> <ip4/6-addr> <mac-addr> [del]") \
index b447ffb..bad3970 100644 (file)
@@ -239,28 +239,6 @@ vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index)
   pool_put (cm->keys, key);
 }
 
-void
-vnet_crypto_key_modify (vlib_main_t * vm, vnet_crypto_key_index_t index,
-                       vnet_crypto_alg_t alg, u8 * data, u16 length)
-{
-  vnet_crypto_main_t *cm = &crypto_main;
-  vnet_crypto_engine_t *engine;
-  vnet_crypto_key_t *key = pool_elt_at_index (cm->keys, index);
-
-  if (vec_len (key->data))
-    clib_memset (key->data, 0, vec_len (key->data));
-  vec_free (key->data);
-  vec_validate_aligned (key->data, length - 1, CLIB_CACHE_LINE_BYTES);
-  clib_memcpy (key->data, data, length);
-  key->alg = alg;
-
-  /* *INDENT-OFF* */
-  vec_foreach (engine, cm->engines)
-    if (engine->key_op_handler)
-      engine->key_op_handler (vm, VNET_CRYPTO_KEY_OP_MODIFY, index);
-  /* *INDENT-ON* */
-}
-
 static void
 vnet_crypto_init_cipher_data (vnet_crypto_alg_t alg, vnet_crypto_op_id_t eid,
                              vnet_crypto_op_id_t did, char *name, u8 is_aead)
index 7267e06..89af853 100644 (file)
@@ -209,8 +209,6 @@ int vnet_crypto_set_handler (char *ops_handler_name, char *engine);
 u32 vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg,
                         u8 * data, u16 length);
 void vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index);
-void vnet_crypto_key_modify (vlib_main_t * vm, vnet_crypto_key_index_t index,
-                            vnet_crypto_alg_t alg, u8 * data, u16 len);
 
 format_function_t format_vnet_crypto_alg;
 format_function_t format_vnet_crypto_engine;
index 3a2c993..bb9e805 100644 (file)
@@ -305,27 +305,6 @@ define ipsec_sad_entry_add_del_reply
   u32 stat_index;
 };
 
-/** \brief IPsec: Update Security Association keys
-    @param client_index - opaque cookie to identify the sender
-    @param context - sender context, to match reply w/ request
-
-    @param sa_id - sa id
-
-    @param crypto_key - crypto keying material
-    @param integrity_key - integrity keying material
-*/
-
-autoreply define ipsec_sa_set_key
-{
-  u32 client_index;
-  u32 context;
-
-  u32 sa_id;
-
-  vl_api_key_t crypto_key;
-  vl_api_key_t integrity_key;
-};
-
 /** \brief IPsec: Get SPD interfaces
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -467,25 +446,6 @@ define ipsec_sa_details {
   u64 total_data_size;
 };
 
-/** \brief Set key on IPsec interface
-    @param client_index - opaque cookie to identify the sender
-    @param context - sender context, to match reply w/ request
-    @param sw_if_index - index of tunnel interface
-    @param key_type - type of key being set
-    @param alg - algorithm used with key
-    @param key_len - length key in bytes
-    @param key - key
-*/
-autoreply define ipsec_tunnel_if_set_key {
-  u32 client_index;
-  u32 context;
-  u32 sw_if_index;
-  u8 key_type;
-  u8 alg;
-  u8 key_len;
-  u8 key[128];
-};
-
 /** \brief Set new SA on IPsec interface
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
index 5683b6c..2c7c0d9 100644 (file)
@@ -53,13 +53,11 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del)                         \
 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd)     \
 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del)             \
 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del)             \
-_(IPSEC_SA_SET_KEY, ipsec_sa_set_key)                           \
 _(IPSEC_SA_DUMP, ipsec_sa_dump)                                 \
 _(IPSEC_SPDS_DUMP, ipsec_spds_dump)                             \
 _(IPSEC_SPD_DUMP, ipsec_spd_dump)                               \
 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump)          \
 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del)             \
-_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key)             \
 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa)               \
 _(IPSEC_SELECT_BACKEND, ipsec_select_backend)                   \
 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump)
@@ -591,29 +589,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
 #endif
 }
 
-static void
-vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp)
-{
-  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
-  vl_api_ipsec_sa_set_key_reply_t *rmp;
-  ipsec_key_t ck, ik;
-  u32 id;
-  int rv;
-#if WITH_LIBSSL > 0
-
-  id = ntohl (mp->sa_id);
-
-  ipsec_key_decode (&mp->crypto_key, &ck);
-  ipsec_key_decode (&mp->integrity_key, &ik);
-
-  rv = ipsec_set_sa_key (id, &ck, &ik);
-#else
-  rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
-  REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
-}
-
 static void
 vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
                                          mp)
@@ -765,62 +740,6 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 #endif
 }
 
-
-static void
-vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
-                                         mp)
-{
-  vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
-  ipsec_main_t *im = &ipsec_main;
-  vnet_main_t *vnm = im->vnet_main;
-  vnet_sw_interface_t *sw;
-  u8 *key = 0;
-  int rv;
-
-#if WITH_LIBSSL > 0
-  sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
-
-  switch (mp->key_type)
-    {
-    case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO:
-    case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO:
-      if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
-         mp->alg >= IPSEC_CRYPTO_N_ALG)
-       {
-         rv = VNET_API_ERROR_INVALID_ALGORITHM;
-         goto out;
-       }
-      break;
-    case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG:
-    case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG:
-      if (mp->alg >= IPSEC_INTEG_N_ALG)
-       {
-         rv = VNET_API_ERROR_INVALID_ALGORITHM;
-         goto out;
-       }
-      break;
-    case IPSEC_IF_SET_KEY_TYPE_NONE:
-    default:
-      rv = VNET_API_ERROR_UNIMPLEMENTED;
-      goto out;
-      break;
-    }
-
-  key = vec_new (u8, mp->key_len);
-  clib_memcpy (key, mp->key, mp->key_len);
-
-  rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
-                               key);
-  vec_free (key);
-#else
-  clib_warning ("unimplemented");
-#endif
-
-out:
-  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
-}
-
-
 static void
 vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
 {
index 36ea614..312289a 100644 (file)
@@ -346,54 +346,6 @@ VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
 };
 /* *INDENT-ON* */
 
-static clib_error_t *
-set_ipsec_sa_key_command_fn (vlib_main_t * vm,
-                            unformat_input_t * input,
-                            vlib_cli_command_t * cmd)
-{
-  unformat_input_t _line_input, *line_input = &_line_input;
-  ipsec_key_t ck = { }, ik =
-  {
-  };
-  clib_error_t *error = NULL;
-  u32 id;
-
-  if (!unformat_user (input, unformat_line_input, line_input))
-    return 0;
-
-  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
-    {
-      if (unformat (line_input, "%u", &id))
-       ;
-      else
-       if (unformat (line_input, "crypto-key %U", unformat_ipsec_key, &ck))
-       ;
-      else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik))
-       ;
-      else
-       {
-         error = clib_error_return (0, "parse error: '%U'",
-                                    format_unformat_error, line_input);
-         goto done;
-       }
-    }
-
-  ipsec_set_sa_key (id, &ck, &ik);
-
-done:
-  unformat_free (line_input);
-
-  return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
-    .path = "set ipsec sa",
-    .short_help = "set ipsec sa <id> crypto-key <key> integ-key <key>",
-    .function = set_ipsec_sa_key_command_fn,
-};
-/* *INDENT-ON* */
-
 static void
 ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im)
 {
@@ -869,89 +821,6 @@ VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
 };
 /* *INDENT-ON* */
 
-static clib_error_t *
-set_interface_key_command_fn (vlib_main_t * vm,
-                             unformat_input_t * input,
-                             vlib_cli_command_t * cmd)
-{
-  unformat_input_t _line_input, *line_input = &_line_input;
-  ipsec_main_t *im = &ipsec_main;
-  ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
-  u32 hw_if_index = (u32) ~ 0;
-  u32 alg;
-  u8 *key = 0;
-  clib_error_t *error = NULL;
-
-  if (!unformat_user (input, unformat_line_input, line_input))
-    return 0;
-
-  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
-    {
-      if (unformat (line_input, "%U",
-                   unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
-       ;
-      else
-       if (unformat
-           (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
-       type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
-      else
-       if (unformat
-           (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
-       type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
-      else
-       if (unformat
-           (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
-       type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
-      else
-       if (unformat
-           (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
-       type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
-      else if (unformat (line_input, "%U", unformat_hex_string, &key))
-       ;
-      else
-       {
-         error = clib_error_return (0, "parse error: '%U'",
-                                    format_unformat_error, line_input);
-         goto done;
-       }
-    }
-
-  if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
-    {
-      error = clib_error_return (0, "unknown key type");
-      goto done;
-    }
-
-  if (alg > 0 && vec_len (key) == 0)
-    {
-      error = clib_error_return (0, "key is not specified");
-      goto done;
-    }
-
-  if (hw_if_index == (u32) ~ 0)
-    {
-      error = clib_error_return (0, "interface not specified");
-      goto done;
-    }
-
-  ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
-
-done:
-  vec_free (key);
-  unformat_free (line_input);
-
-  return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (set_interface_key_command, static) = {
-    .path = "set interface ipsec key",
-    .short_help =
-    "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
-    .function = set_interface_key_command_fn,
-};
-/* *INDENT-ON* */
-
 clib_error_t *
 ipsec_cli_init (vlib_main_t * vm)
 {
index 8e2b4b5..8e0fba2 100644 (file)
@@ -513,65 +513,6 @@ ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
   return 0;
 }
 
-int
-ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
-                        ipsec_if_set_key_type_t type, u8 alg, u8 * key)
-{
-  vlib_main_t *vm = vlib_get_main ();
-  ipsec_main_t *im = &ipsec_main;
-  vnet_hw_interface_t *hi;
-  ipsec_tunnel_if_t *t;
-  ipsec_sa_t *sa;
-
-  hi = vnet_get_hw_interface (vnm, hw_if_index);
-  t = pool_elt_at_index (im->tunnel_interfaces, hi->dev_instance);
-
-  if (hi->flags & VNET_HW_INTERFACE_FLAG_LINK_UP)
-    return VNET_API_ERROR_SYSCALL_ERROR_1;
-
-  if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO)
-    {
-      sa = pool_elt_at_index (im->sad, t->output_sa_index);
-      ipsec_sa_set_crypto_alg (sa, alg);
-      ipsec_mk_key (&sa->crypto_key, key, vec_len (key));
-      sa->crypto_calg = im->crypto_algs[alg].alg;
-      vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg,
-                             key, vec_len (key));
-    }
-  else if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG)
-    {
-      sa = pool_elt_at_index (im->sad, t->output_sa_index);
-      ipsec_sa_set_integ_alg (sa, alg);
-      ipsec_mk_key (&sa->integ_key, key, vec_len (key));
-      sa->integ_calg = im->integ_algs[alg].alg;
-      vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg,
-                             key, vec_len (key));
-    }
-  else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO)
-    {
-      sa = pool_elt_at_index (im->sad, t->input_sa_index);
-      ipsec_sa_set_crypto_alg (sa, alg);
-      ipsec_mk_key (&sa->crypto_key, key, vec_len (key));
-      sa->crypto_calg = im->crypto_algs[alg].alg;
-      vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg,
-                             key, vec_len (key));
-    }
-  else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG)
-    {
-      sa = pool_elt_at_index (im->sad, t->input_sa_index);
-      ipsec_sa_set_integ_alg (sa, alg);
-      ipsec_mk_key (&sa->integ_key, key, vec_len (key));
-      sa->integ_calg = im->integ_algs[alg].alg;
-      vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg,
-                             key, vec_len (key));
-    }
-  else
-    return VNET_API_ERROR_INVALID_VALUE;
-
-  return 0;
-}
-
-
 int
 ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
                        u8 is_outbound)
index d1fa9bd..4086710 100644 (file)
 
 #include <vnet/ipsec/ipsec_sa.h>
 
-typedef enum
-{
-  IPSEC_IF_SET_KEY_TYPE_NONE,
-  IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO,
-  IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO,
-  IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG,
-  IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG,
-} ipsec_if_set_key_type_t;
-
 typedef struct
 {
   /* Required for pool_get_aligned */
@@ -111,9 +102,6 @@ extern int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
                                           ipsec_gre_tunnel_add_del_args_t *
                                           args);
 
-extern int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
-                                   ipsec_if_set_key_type_t type,
-                                   u8 alg, u8 * key);
 extern int ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index,
                                   u32 sa_id, u8 is_outbound);
 
index 8e85469..633f640 100644 (file)
@@ -341,52 +341,6 @@ ipsec_is_sa_used (u32 sa_index)
   return 0;
 }
 
-int
-ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik)
-{
-  vlib_main_t *vm = vlib_get_main ();
-  ipsec_main_t *im = &ipsec_main;
-  uword *p;
-  u32 sa_index;
-  ipsec_sa_t *sa = 0;
-  clib_error_t *err;
-
-  p = hash_get (im->sa_index_by_sa_id, id);
-  if (!p)
-    return VNET_API_ERROR_SYSCALL_ERROR_1;     /* no such sa-id */
-
-  sa_index = p[0];
-  sa = pool_elt_at_index (im->sad, sa_index);
-
-  /* new crypto key */
-  if (ck)
-    {
-      clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
-      vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg,
-                             (u8 *) ck->data, ck->len);
-    }
-
-  /* new integ key */
-  if (ik)
-    {
-      clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
-      vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg,
-                             (u8 *) ik->data, ik->len);
-    }
-
-  if (ck || ik)
-    {
-      err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
-      if (err)
-       {
-         clib_error_free (err);
-         return VNET_API_ERROR_SYSCALL_ERROR_1;
-       }
-    }
-
-  return 0;
-}
-
 u32
 ipsec_get_sa_index_by_sa_id (u32 sa_id)
 {
index e09b539..969b5d1 100644 (file)
@@ -214,8 +214,6 @@ extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
                                    ipsec_integ_alg_t integ_alg);
 
 extern u8 ipsec_is_sa_used (u32 sa_index);
-extern int ipsec_set_sa_key (u32 id,
-                            const ipsec_key_t * ck, const ipsec_key_t * ik);
 extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
 
 typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);