FD.io VPP  v17.07.01-10-g3be13f0
Vector Packet Processing
ipsec_api.c
Go to the documentation of this file.
1 /*
2  *------------------------------------------------------------------
3  * ipsec_api.c - ipsec api
4  *
5  * Copyright (c) 2016 Cisco and/or its affiliates.
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at:
9  *
10  * http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  *------------------------------------------------------------------
18  */
19 
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
22 
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 
27 #include <vnet/vnet_msg_enum.h>
28 
29 #if WITH_LIBSSL > 0
30 #include <vnet/ipsec/ipsec.h>
31 #include <vnet/ipsec/ikev2.h>
32 #endif /* IPSEC */
33 
34 #define vl_typedefs /* define message structures */
35 #include <vnet/vnet_all_api_h.h>
36 #undef vl_typedefs
37 
38 #define vl_endianfun /* define message structures */
39 #include <vnet/vnet_all_api_h.h>
40 #undef vl_endianfun
41 
42 /* instantiate all the print functions we know about */
43 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
44 #define vl_printfun
45 #include <vnet/vnet_all_api_h.h>
46 #undef vl_printfun
47 
49 
50 #define foreach_vpe_api_msg \
51 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
52 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
53 _(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \
54 _(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \
55 _(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
56 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
57 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
58 _(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
59 _(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
60 _(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
61 _(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
62 _(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
63 _(IKEV2_SET_RESPONDER, ikev2_set_responder) \
64 _(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
65 _(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
66 _(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
67 _(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
68 _(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
69 _(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
70 _(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa)
71 
74 {
75 #if WITH_LIBSSL == 0
76  clib_warning ("unimplemented");
77 #else
78 
79  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
80  vl_api_ipsec_spd_add_del_reply_t *rmp;
81  int rv;
82 
83  rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
84 
85  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
86 #endif
87 }
88 
91 {
92  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
93  vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
94  int rv;
95  u32 sw_if_index __attribute__ ((unused));
96  u32 spd_id __attribute__ ((unused));
97 
98  sw_if_index = ntohl (mp->sw_if_index);
99  spd_id = ntohl (mp->spd_id);
100 
102 
103 #if WITH_LIBSSL > 0
104  rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
105 #else
106  rv = VNET_API_ERROR_UNIMPLEMENTED;
107 #endif
108 
110 
111  REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
112 }
113 
116 {
117  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
118  vl_api_ipsec_spd_add_del_entry_reply_t *rmp;
119  int rv;
120 
121 #if WITH_LIBSSL > 0
122  ipsec_policy_t p;
123 
124  memset (&p, 0, sizeof (p));
125 
126  p.id = ntohl (mp->spd_id);
127  p.priority = ntohl (mp->priority);
128  p.is_outbound = mp->is_outbound;
129  p.is_ipv6 = mp->is_ipv6;
130 
131  if (mp->is_ipv6 || mp->is_ip_any)
132  {
137  }
138  else
139  {
140  clib_memcpy (&p.raddr.start.ip4.data, mp->remote_address_start, 4);
141  clib_memcpy (&p.raddr.stop.ip4.data, mp->remote_address_stop, 4);
142  clib_memcpy (&p.laddr.start.ip4.data, mp->local_address_start, 4);
143  clib_memcpy (&p.laddr.stop.ip4.data, mp->local_address_stop, 4);
144  }
145  p.protocol = mp->protocol;
146  p.rport.start = ntohs (mp->remote_port_start);
147  p.rport.stop = ntohs (mp->remote_port_stop);
148  p.lport.start = ntohs (mp->local_port_start);
149  p.lport.stop = ntohs (mp->local_port_stop);
150  /* policy action resolve unsupported */
151  if (mp->policy == IPSEC_POLICY_ACTION_RESOLVE)
152  {
153  clib_warning ("unsupported action: 'resolve'");
154  rv = VNET_API_ERROR_UNIMPLEMENTED;
155  goto out;
156  }
157  p.policy = mp->policy;
158  p.sa_id = ntohl (mp->sa_id);
159 
160  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
161  if (rv)
162  goto out;
163 
164  if (mp->is_ip_any)
165  {
166  p.is_ipv6 = 1;
167  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
168  }
169 #else
170  rv = VNET_API_ERROR_UNIMPLEMENTED;
171  goto out;
172 #endif
173 
174 out:
175  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_ENTRY_REPLY);
176 }
177 
180 {
181  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
182  vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
183  int rv;
184 #if WITH_LIBSSL > 0
185  ipsec_main_t *im = &ipsec_main;
186  ipsec_sa_t sa;
187 
188  memset (&sa, 0, sizeof (sa));
189 
190  sa.id = ntohl (mp->sad_id);
191  sa.spi = ntohl (mp->spi);
192  /* security protocol AH unsupported */
193  if (mp->protocol == IPSEC_PROTOCOL_AH)
194  {
195  clib_warning ("unsupported security protocol 'AH'");
196  rv = VNET_API_ERROR_UNIMPLEMENTED;
197  goto out;
198  }
199  sa.protocol = mp->protocol;
200  /* check for unsupported crypto-alg */
201  if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
203  {
204  clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
205  mp->crypto_algorithm);
206  rv = VNET_API_ERROR_UNIMPLEMENTED;
207  goto out;
208  }
209  sa.crypto_alg = mp->crypto_algorithm;
211  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
212  /* check for unsupported integ-alg */
214  {
215  clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
216  mp->integrity_algorithm);
217  rv = VNET_API_ERROR_UNIMPLEMENTED;
218  goto out;
219  }
220 
223  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
225  sa.is_tunnel = mp->is_tunnel;
226  sa.is_tunnel_ip6 = mp->is_tunnel_ipv6;
227  if (sa.is_tunnel_ip6)
228  {
231  }
232  else
233  {
234  clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4);
235  clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
236  }
237 
238  ASSERT (im->cb.check_support_cb);
239  clib_error_t *err = im->cb.check_support_cb (&sa);
240  if (err)
241  {
242  clib_warning ("%s", err->what);
243  rv = VNET_API_ERROR_UNIMPLEMENTED;
244  goto out;
245  }
246 
247  rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
248 #else
249  rv = VNET_API_ERROR_UNIMPLEMENTED;
250  goto out;
251 #endif
252 
253 out:
254  REPLY_MACRO (VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY);
255 }
256 
257 static void
259  u32 context)
260 {
262 
263  mp = vl_msg_api_alloc (sizeof (*mp));
264  memset (mp, 0, sizeof (*mp));
265  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
266  mp->context = context;
267 
268  mp->spd_id = htonl (p->id);
269  mp->priority = htonl (p->priority);
270  mp->is_outbound = p->is_outbound;
271  mp->is_ipv6 = p->is_ipv6;
272  if (p->is_ipv6)
273  {
274  memcpy (mp->local_start_addr, &p->laddr.start.ip6, 16);
275  memcpy (mp->local_stop_addr, &p->laddr.stop.ip6, 16);
276  memcpy (mp->remote_start_addr, &p->raddr.start.ip6, 16);
277  memcpy (mp->remote_stop_addr, &p->raddr.stop.ip6, 16);
278  }
279  else
280  {
281  memcpy (mp->local_start_addr, &p->laddr.start.ip4, 4);
282  memcpy (mp->local_stop_addr, &p->laddr.stop.ip4, 4);
283  memcpy (mp->remote_start_addr, &p->raddr.start.ip4, 4);
284  memcpy (mp->remote_stop_addr, &p->raddr.stop.ip4, 4);
285  }
286  mp->local_start_port = htons (p->lport.start);
287  mp->local_stop_port = htons (p->lport.stop);
288  mp->remote_start_port = htons (p->rport.start);
289  mp->remote_stop_port = htons (p->rport.stop);
290  mp->protocol = p->protocol;
291  mp->policy = p->policy;
292  mp->sa_id = htonl (p->sa_id);
293  mp->bytes = clib_host_to_net_u64 (p->counter.bytes);
294  mp->packets = clib_host_to_net_u64 (p->counter.packets);
295 
296  vl_msg_api_send_shmem (q, (u8 *) & mp);
297 }
298 
299 static void
301 {
303  ipsec_main_t *im = &ipsec_main;
304  ipsec_policy_t *policy;
305  ipsec_spd_t *spd;
306  uword *p;
307  u32 spd_index;
308 #if WITH_LIBSSL > 0
310  if (q == 0)
311  return;
312 
313  p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
314  if (!p)
315  return;
316 
317  spd_index = p[0];
318  spd = pool_elt_at_index (im->spds, spd_index);
319 
320  /* *INDENT-OFF* */
321  pool_foreach (policy, spd->policies,
322  ({
323  if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
324  send_ipsec_spd_details (policy, q,
325  mp->context);}
326  ));
327  /* *INDENT-ON* */
328 #else
329  clib_warning ("unimplemented");
330 #endif
331 }
332 
333 static void
335 {
336  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
337  vl_api_ipsec_sa_set_key_reply_t *rmp;
338  int rv;
339 #if WITH_LIBSSL > 0
340  ipsec_sa_t sa;
341  sa.id = ntohl (mp->sa_id);
343  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
345  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
346 
347  rv = ipsec_set_sa_key (vm, &sa);
348 #else
349  rv = VNET_API_ERROR_UNIMPLEMENTED;
350 #endif
351 
352  REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
353 }
354 
355 static void
357  mp)
358 {
360  ipsec_main_t *im = &ipsec_main;
361  vnet_main_t *vnm = im->vnet_main;
362  u32 sw_if_index = ~0;
363  int rv;
364 
365 #if WITH_LIBSSL > 0
367 
368  memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
369 
370  tun.is_add = mp->is_add;
371  tun.esn = mp->esn;
372  tun.anti_replay = mp->anti_replay;
373  tun.local_spi = ntohl (mp->local_spi);
374  tun.remote_spi = ntohl (mp->remote_spi);
375  tun.crypto_alg = mp->crypto_alg;
378  tun.integ_alg = mp->integ_alg;
381  memcpy (&tun.local_ip, mp->local_ip, 4);
382  memcpy (&tun.remote_ip, mp->remote_ip, 4);
383  memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
385  memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
387  memcpy (&tun.local_integ_key, &mp->local_integ_key,
388  mp->local_integ_key_len);
389  memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
391 
392  rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
393 
394 #else
395  rv = VNET_API_ERROR_UNIMPLEMENTED;
396 #endif
397 
398  REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, (
399  {
400  rmp->sw_if_index =
401  htonl (sw_if_index);
402  }));
403 }
404 
405 
406 static void
408 {
409  vl_api_ikev2_profile_add_del_reply_t *rmp;
410  int rv = 0;
411 
412 #if WITH_LIBSSL > 0
413  vlib_main_t *vm = vlib_get_main ();
414  clib_error_t *error;
415  u8 *tmp = format (0, "%s", mp->name);
416  error = ikev2_add_del_profile (vm, tmp, mp->is_add);
417  vec_free (tmp);
418  if (error)
419  rv = VNET_API_ERROR_UNSPECIFIED;
420 #else
421  rv = VNET_API_ERROR_UNIMPLEMENTED;
422 #endif
423 
424  REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
425 }
426 
427 static void
430 {
431  vl_api_ikev2_profile_set_auth_reply_t *rmp;
432  int rv = 0;
433 
434 #if WITH_LIBSSL > 0
435  vlib_main_t *vm = vlib_get_main ();
436  clib_error_t *error;
437  u8 *tmp = format (0, "%s", mp->name);
438  u8 *data = vec_new (u8, mp->data_len);
439  clib_memcpy (data, mp->data, mp->data_len);
440  error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
441  vec_free (tmp);
442  vec_free (data);
443  if (error)
444  rv = VNET_API_ERROR_UNSPECIFIED;
445 #else
446  rv = VNET_API_ERROR_UNIMPLEMENTED;
447 #endif
448 
449  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
450 }
451 
452 static void
454 {
455  vl_api_ikev2_profile_add_del_reply_t *rmp;
456  int rv = 0;
457 
458 #if WITH_LIBSSL > 0
459  vlib_main_t *vm = vlib_get_main ();
460  clib_error_t *error;
461  u8 *tmp = format (0, "%s", mp->name);
462  u8 *data = vec_new (u8, mp->data_len);
463  clib_memcpy (data, mp->data, mp->data_len);
464  error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
465  vec_free (tmp);
466  vec_free (data);
467  if (error)
468  rv = VNET_API_ERROR_UNSPECIFIED;
469 #else
470  rv = VNET_API_ERROR_UNIMPLEMENTED;
471 #endif
472 
473  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
474 }
475 
476 static void
478 {
479  vl_api_ikev2_profile_set_ts_reply_t *rmp;
480  int rv = 0;
481 
482 #if WITH_LIBSSL > 0
483  vlib_main_t *vm = vlib_get_main ();
484  clib_error_t *error;
485  u8 *tmp = format (0, "%s", mp->name);
486  error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
487  mp->end_port, (ip4_address_t) mp->start_addr,
488  (ip4_address_t) mp->end_addr, mp->is_local);
489  vec_free (tmp);
490  if (error)
491  rv = VNET_API_ERROR_UNSPECIFIED;
492 #else
493  rv = VNET_API_ERROR_UNIMPLEMENTED;
494 #endif
495 
496  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
497 }
498 
499 static void
501 {
502  vl_api_ikev2_profile_set_ts_reply_t *rmp;
503  int rv = 0;
504 
505 #if WITH_LIBSSL > 0
506  vlib_main_t *vm = vlib_get_main ();
507  clib_error_t *error;
508 
509  error = ikev2_set_local_key (vm, mp->key_file);
510  if (error)
511  rv = VNET_API_ERROR_UNSPECIFIED;
512 #else
513  rv = VNET_API_ERROR_UNIMPLEMENTED;
514 #endif
515 
516  REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
517 }
518 
519 static void
521 {
522  vl_api_ikev2_set_responder_reply_t *rmp;
523  int rv = 0;
524 
525 #if WITH_LIBSSL > 0
526  vlib_main_t *vm = vlib_get_main ();
527  clib_error_t *error;
528 
529  u8 *tmp = format (0, "%s", mp->name);
530  ip4_address_t ip4;
531  clib_memcpy (&ip4, mp->address, sizeof (ip4));
532 
533  error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
534  vec_free (tmp);
535  if (error)
536  rv = VNET_API_ERROR_UNSPECIFIED;
537 #else
538  rv = VNET_API_ERROR_UNIMPLEMENTED;
539 #endif
540 
541  REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
542 }
543 
544 static void
546  mp)
547 {
548  vl_api_ikev2_set_ike_transforms_reply_t *rmp;
549  int rv = 0;
550 
551 #if WITH_LIBSSL > 0
552  vlib_main_t *vm = vlib_get_main ();
553  clib_error_t *error;
554 
555  u8 *tmp = format (0, "%s", mp->name);
556 
557  error =
559  mp->dh_group, mp->crypto_key_size);
560  vec_free (tmp);
561  if (error)
562  rv = VNET_API_ERROR_UNSPECIFIED;
563 #else
564  rv = VNET_API_ERROR_UNIMPLEMENTED;
565 #endif
566 
567  REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
568 }
569 
570 static void
572  mp)
573 {
574  vl_api_ikev2_set_esp_transforms_reply_t *rmp;
575  int rv = 0;
576 
577 #if WITH_LIBSSL > 0
578  vlib_main_t *vm = vlib_get_main ();
579  clib_error_t *error;
580 
581  u8 *tmp = format (0, "%s", mp->name);
582 
583  error =
585  mp->dh_group, mp->crypto_key_size);
586  vec_free (tmp);
587  if (error)
588  rv = VNET_API_ERROR_UNSPECIFIED;
589 #else
590  rv = VNET_API_ERROR_UNIMPLEMENTED;
591 #endif
592 
593  REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
594 }
595 
596 static void
598 {
599  vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
600  int rv = 0;
601 
602 #if WITH_LIBSSL > 0
603  vlib_main_t *vm = vlib_get_main ();
604  clib_error_t *error;
605 
606  u8 *tmp = format (0, "%s", mp->name);
607 
608  error =
610  mp->handover, mp->lifetime_maxdata);
611  vec_free (tmp);
612  if (error)
613  rv = VNET_API_ERROR_UNSPECIFIED;
614 #else
615  rv = VNET_API_ERROR_UNIMPLEMENTED;
616 #endif
617 
618  REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
619 }
620 
621 static void
623 {
624  vl_api_ikev2_initiate_sa_init_reply_t *rmp;
625  int rv = 0;
626 
627 #if WITH_LIBSSL > 0
628  vlib_main_t *vm = vlib_get_main ();
629  clib_error_t *error;
630 
631  u8 *tmp = format (0, "%s", mp->name);
632 
633  error = ikev2_initiate_sa_init (vm, tmp);
634  vec_free (tmp);
635  if (error)
636  rv = VNET_API_ERROR_UNSPECIFIED;
637 #else
638  rv = VNET_API_ERROR_UNIMPLEMENTED;
639 #endif
640 
641  REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
642 }
643 
644 static void
646  * mp)
647 {
648  vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
649  int rv = 0;
650 
651 #if WITH_LIBSSL > 0
652  vlib_main_t *vm = vlib_get_main ();
653  clib_error_t *error;
654 
655  error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
656  if (error)
657  rv = VNET_API_ERROR_UNSPECIFIED;
658 #else
659  rv = VNET_API_ERROR_UNIMPLEMENTED;
660 #endif
661 
662  REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
663 }
664 
665 static void
668 {
669  vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
670  int rv = 0;
671 
672 #if WITH_LIBSSL > 0
673  vlib_main_t *vm = vlib_get_main ();
674  clib_error_t *error;
675 
676  error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
677  if (error)
678  rv = VNET_API_ERROR_UNSPECIFIED;
679 #else
680  rv = VNET_API_ERROR_UNIMPLEMENTED;
681 #endif
682 
683  REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
684 }
685 
686 static void
689 {
690  vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
691  int rv = 0;
692 
693 #if WITH_LIBSSL > 0
694  vlib_main_t *vm = vlib_get_main ();
695  clib_error_t *error;
696 
697  error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
698  if (error)
699  rv = VNET_API_ERROR_UNSPECIFIED;
700 #else
701  rv = VNET_API_ERROR_UNIMPLEMENTED;
702 #endif
703 
704  REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
705 }
706 
707 /*
708  * ipsec_api_hookup
709  * Add vpe's API message handlers to the table.
710  * vlib has alread mapped shared memory and
711  * added the client registration handlers.
712  * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
713  */
714 #define vl_msg_name_crc_list
715 #include <vnet/vnet_all_api_h.h>
716 #undef vl_msg_name_crc_list
717 
718 static void
720 {
721 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
722  foreach_vl_msg_name_crc_ipsec;
723 #undef _
724 }
725 
726 static clib_error_t *
728 {
729  api_main_t *am = &api_main;
730 
731 #define _(N,n) \
732  vl_msg_api_set_handlers(VL_API_##N, #n, \
733  vl_api_##n##_t_handler, \
734  vl_noop_handler, \
735  vl_api_##n##_t_endian, \
736  vl_api_##n##_t_print, \
737  sizeof(vl_api_##n##_t), 1);
739 #undef _
740 
741  /*
742  * Set up the (msg_name, crc, message-id) table
743  */
745 
746  return 0;
747 }
748 
750 
751 /*
752  * fd.io coding-style-patch-verification: ON
753  *
754  * Local Variables:
755  * eval: (c-set-style "gnu")
756  * End:
757  */
ip46_address_t stop
Definition: ipsec.h:137
static void vl_api_ikev2_profile_set_auth_t_handler(vl_api_ikev2_profile_set_auth_t *mp)
Definition: ipsec_api.c:429
static void vl_api_ipsec_sa_set_key_t_handler(vl_api_ipsec_sa_set_key_t *mp)
Definition: ipsec_api.c:334
static void vl_api_ikev2_set_local_key_t_handler(vl_api_ikev2_set_local_key_t *mp)
Definition: ipsec_api.c:500
ipsec_spd_t * spds
Definition: ipsec.h:246
u8 crypto_algorithm
Definition: ipsec.api:149
u8 use_extended_sequence_number
Definition: ipsec.api:157
u32 sa_id
Definition: ipsec.api:103
u8 integrity_key_length
Definition: ipsec.api:154
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:2796
u16 stop
Definition: ipsec.h:142
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add)
Definition: ipsec.c:152
ip46_address_t tunnel_src_addr
Definition: ipsec.h:119
IKEv2: Set Child SA lifetime, limited by time and/or data.
Definition: ipsec.api:367
u32 id
Definition: ipsec.h:102
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:2655
static void vl_api_ikev2_initiate_rekey_child_sa_t_handler(vl_api_ikev2_initiate_rekey_child_sa_t *mp)
Definition: ipsec_api.c:688
u8 tunnel_dst_address[16]
Definition: ipsec.api:162
IKEv2: Add/delete profile.
Definition: ipsec.api:199
u16 local_port_start
Definition: ipsec.api:98
VLIB_API_INIT_FUNCTION(ipsec_api_hookup)
i32 priority
Definition: ipsec.h:186
IPsec: Update Security Association keys.
Definition: ipsec.api:178
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Definition: ipsec.c:39
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3110
u8 is_add
Definition: ipsec.api:80
#define REPLY_MACRO2(t, body)
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:110
IPsec: Add/delete Security Policy Database entry.
Definition: ipsec.api:76
static void setup_message_id_table(api_main_t *am)
Definition: ipsec_api.c:719
u8 is_tunnel
Definition: ipsec.h:117
static void vl_api_ipsec_spd_add_del_entry_t_handler(vl_api_ipsec_spd_add_del_entry_t *mp)
Definition: ipsec_api.c:115
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:2867
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:419
u8 policy
Definition: ipsec.api:102
u16 remote_port_stop
Definition: ipsec.api:97
u8 crypto_key[128]
Definition: ipsec.api:151
#define foreach_vpe_api_msg
Definition: ipsec_api.c:50
u8 crypto_key[128]
Definition: ipsec.h:108
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Definition: ipsec.c:86
u8 protocol
Definition: ipsec.api:94
u32 spi
Definition: ipsec.h:103
port_range_t lport
Definition: ipsec.h:194
static void vl_api_ipsec_interface_add_del_spd_t_handler(vl_api_ipsec_interface_add_del_spd_t *mp)
Definition: ipsec_api.c:90
IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
Definition: ipsec.api:321
u32 spd_id
Definition: ipsec.api:82
u8 local_address_start[16]
Definition: ipsec.api:91
u8 integ_key[128]
Definition: ipsec.h:112
u8 is_tunnel
Definition: ipsec.api:159
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:376
u8 crypto_key_length
Definition: ipsec.api:150
u32 sad_id
Definition: ipsec.api:143
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:2890
ipsec_main_t ipsec_main
Definition: ipsec.h:282
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:310
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:2686
static void vl_api_ipsec_tunnel_if_add_del_t_handler(vl_api_ipsec_tunnel_if_add_del_t *mp)
Definition: ipsec_api.c:356
static void vl_api_ikev2_set_responder_t_handler(vl_api_ikev2_set_responder_t *mp)
Definition: ipsec_api.c:520
u8 use_esn
Definition: ipsec.h:114
ip4_address_t remote_ip
Definition: ipsec.h:150
static void vl_api_ipsec_spd_dump_t_handler(vl_api_ipsec_spd_dump_t *mp)
Definition: ipsec_api.c:300
u16 start
Definition: ipsec.h:142
static void vl_api_ikev2_profile_set_ts_t_handler(vl_api_ikev2_profile_set_ts_t *mp)
Definition: ipsec_api.c:477
ipsec_main_callbacks_t cb
Definition: ipsec.h:279
IKEv2: Initiate the delete Child SA exchange.
Definition: ipsec.api:416
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2842
IKEv2: Set IKEv2 profile local/remote identification.
Definition: ipsec.api:240
IKEv2: Set IKEv2 profile traffic selector parameters.
Definition: ipsec.api:264
static void vl_api_ikev2_initiate_del_child_sa_t_handler(vl_api_ikev2_initiate_del_child_sa_t *mp)
Definition: ipsec_api.c:667
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:58
ipsec_policy_t * policies
Definition: ipsec.h:210
i32 priority
Definition: ipsec.api:83
void * vl_msg_api_alloc(int nbytes)
static void vl_api_ipsec_spd_add_del_t_handler(vl_api_ipsec_spd_add_del_t *mp)
Definition: ipsec_api.c:73
u8 local_address_stop[16]
Definition: ipsec.api:92
#define hash_get(h, key)
Definition: hash.h:248
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:2718
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:397
counter_t packets
packet counter
Definition: counter.h:141
Add/delete IPsec tunnel interface response.
Definition: ipsec.api:541
u8 is_tunnel_ip6
Definition: ipsec.h:118
IKEv2: Initiate the rekey Child SA exchange.
Definition: ipsec.api:431
clib_error_t *(* check_support_cb)(ipsec_sa_t *sa)
Definition: ipsec.h:240
IPsec: Add/delete Security Policy Database.
Definition: ipsec.api:23
vnet_main_t * vnet_main
Definition: ipsec.h:259
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3070
static void vl_api_ikev2_initiate_sa_init_t_handler(vl_api_ikev2_initiate_sa_init_t *mp)
Definition: ipsec_api.c:622
#define REPLY_MACRO(t)
static void vl_api_ikev2_set_sa_lifetime_t_handler(vl_api_ikev2_set_sa_lifetime_t *mp)
Definition: ipsec_api.c:597
ip46_address_range_t laddr
Definition: ipsec.h:191
u8 is_add
Definition: ipsec.api:141
u16 local_port_stop
Definition: ipsec.api:99
static void vl_api_ikev2_set_ike_transforms_t_handler(vl_api_ikev2_set_ike_transforms_t *mp)
Definition: ipsec_api.c:545
uword * spd_index_by_spd_id
Definition: ipsec.h:265
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2643
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:2757
ip46_address_t tunnel_dst_addr
Definition: ipsec.h:120
#define BAD_SW_IF_INDEX_LABEL
IPsec: Add/delete SPD from interface.
Definition: ipsec.api:41
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3220
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:153
api_main_t api_main
Definition: api_shared.c:35
u16 remote_port_start
Definition: ipsec.api:96
static void vl_api_ikev2_set_esp_transforms_t_handler(vl_api_ikev2_set_esp_transforms_t *mp)
Definition: ipsec_api.c:571
u8 remote_address_stop[16]
Definition: ipsec.api:90
int ipsec_add_del_sa(vlib_main_t *vm, ipsec_sa_t *new_sa, int is_add)
Definition: ipsec.c:411
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:340
IPsec: Add/delete Security Association Database entry.
Definition: ipsec.api:137
ip46_address_t start
Definition: ipsec.h:137
#define clib_warning(format, args...)
Definition: error.h:59
#define clib_memcpy(a, b, c)
Definition: string.h:69
unix_shared_memory_queue_t * vl_api_client_index_to_input_queue(u32 index)
u8 remote_address_start[16]
Definition: ipsec.api:89
int ipsec_set_sa_key(vlib_main_t *vm, ipsec_sa_t *sa_update)
Definition: ipsec.c:455
u8 tunnel_src_address[16]
Definition: ipsec.api:161
IKEv2: Initiate the SA_INIT exchange.
Definition: ipsec.api:386
static void vl_api_ipsec_sad_add_del_entry_t_handler(vl_api_ipsec_sad_add_del_entry_t *mp)
Definition: ipsec_api.c:179
port_range_t rport
Definition: ipsec.h:195
ip46_address_range_t raddr
Definition: ipsec.h:192
void vl_msg_api_send_shmem(unix_shared_memory_queue_t *q, u8 *elem)
#define ASSERT(truth)
unsigned int u32
Definition: types.h:88
IKEv2: Set IKEv2 responder interface and IP address.
Definition: ipsec.api:300
u32 spi
Definition: ipsec.api:145
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:158
ip4_address_t local_ip
Definition: ipsec.h:150
IKEv2: Initiate the delete IKE SA exchange.
Definition: ipsec.api:401
IKEv2: Set IKEv2 profile authentication method.
Definition: ipsec.api:218
u8 integ_key_len
Definition: ipsec.h:111
Dump ipsec policy database data.
Definition: ipsec.api:445
ipsec_protocol_t protocol
Definition: ipsec.h:104
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
u64 uword
Definition: types.h:112
IPsec policy database response.
Definition: ipsec.api:472
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:90
u8 crypto_key_len
Definition: ipsec.h:107
counter_t bytes
byte counter
Definition: counter.h:142
static void vl_api_ikev2_profile_set_id_t_handler(vl_api_ikev2_profile_set_id_t *mp)
Definition: ipsec_api.c:453
int ipsec_add_del_tunnel_if_internal(vnet_main_t *vnm, ipsec_add_del_tunnel_args_t *args, u32 *sw_if_index)
Definition: ipsec_if.c:113
IKEv2: Set IKEv2 local RSA private key.
Definition: ipsec.api:284
unsigned char u8
Definition: types.h:56
static void send_ipsec_spd_details(ipsec_policy_t *p, unix_shared_memory_queue_t *q, u32 context)
Definition: ipsec_api.c:258
vlib_counter_t counter
Definition: ipsec.h:203
u8 is_outbound
Definition: ipsec.h:187
u8 integrity_algorithm
Definition: ipsec.api:153
u8 integrity_key[128]
Definition: ipsec.api:155
u8 is_tunnel_ipv6
Definition: ipsec.api:160
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2817
IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
Definition: ipsec.api:344
static void vl_api_ikev2_profile_add_del_t_handler(vl_api_ikev2_profile_add_del_t *mp)
Definition: ipsec_api.c:407
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:106
static void vl_api_ikev2_initiate_del_ike_sa_t_handler(vl_api_ikev2_initiate_del_ike_sa_t *mp)
Definition: ipsec_api.c:645
static clib_error_t * ipsec_api_hookup(vlib_main_t *vm)
Definition: ipsec_api.c:727
u8 is_outbound
Definition: ipsec.api:84
u8 is_ipv6
Definition: ipsec.api:87
Add or delete IPsec tunnel interface.
Definition: ipsec.api:514
#define VALIDATE_SW_IF_INDEX(mp)
u8 protocol
Definition: ipsec.api:147
struct _unix_shared_memory_queue unix_shared_memory_queue_t
u8 is_ip_any
Definition: ipsec.api:88