1 /*
2  *------------------------------------------------------------------
3  * ipsec_api.c - ipsec api
4  *
5  * Copyright (c) 2016 Cisco and/or its affiliates.
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at:
9  *
10  * http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  *------------------------------------------------------------------
18  */
19 
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
22 
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 
27 #include <vnet/vnet_msg_enum.h>
28 
29 #if WITH_LIBSSL > 0
30 #include <vnet/ipsec/ipsec.h>
31 #include <vnet/ipsec/ikev2.h>
32 #endif /* IPSEC */
33 
34 #define vl_typedefs /* define message structures */
35 #include <vnet/vnet_all_api_h.h>
36 #undef vl_typedefs
37 
38 #define vl_endianfun /* define message structures */
39 #include <vnet/vnet_all_api_h.h>
40 #undef vl_endianfun
41 
42 /* instantiate all the print functions we know about */
43 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
44 #define vl_printfun
45 #include <vnet/vnet_all_api_h.h>
46 #undef vl_printfun
47 
49 
/*
 * X-macro table of the binary-API messages handled in this file.  Each
 * _(N, n) entry pairs the message-id suffix N (VL_API_##N) with the handler
 * name stem n; the _(N,n) expansion in ipsec_api_hookup registers
 * vl_api_##n##_t_handler together with its generated _endian and _print
 * functions.  The IKEv2 entries are registered even without libssl; those
 * handlers then reply VNET_API_ERROR_UNIMPLEMENTED.
 */
50 #define foreach_vpe_api_msg \
51 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
52 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
53 _(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \
54 _(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \
55 _(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
56 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
57 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
58 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
59 _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
60 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
61 _(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
62 _(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
63 _(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
64 _(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
65 _(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
66 _(IKEV2_SET_RESPONDER, ikev2_set_responder) \
67 _(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
68 _(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
69 _(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
70 _(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
71 _(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
72 _(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
73 _(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa)
74 
/*
 * vl_api_ipsec_spd_add_del_t_handler: IPSEC_SPD_ADD_DEL request.
 * Creates (is_add) or deletes the security policy database whose id arrives
 * in mp->spd_id (network order) and reports ipsec_add_del_spd's result as
 * the reply's retval; rmp and rv are consumed by REPLY_MACRO.
 */
77 {
78 #if WITH_LIBSSL == 0
 /*
  * NOTE(review): this branch never sends IPSEC_SPD_ADD_DEL_REPLY, so a client
  * waiting for the reply blocks until its own timeout.  The other request
  * handlers in this file still reply with rv = VNET_API_ERROR_UNIMPLEMENTED
  * (see the interface-SPD handler); moving rmp/rv above the #if and doing the
  * same here would make the API behave consistently.
  */
79  clib_warning ("unimplemented");
80 #else
81 
82  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
83  vl_api_ipsec_spd_add_del_reply_t *rmp;
84  int rv;
85 
 /* spd_id arrives in network order; is_add is a single byte */
86  rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
87 
88  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
89 #endif
90 }
91 
/*
 * vl_api_ipsec_interface_add_del_spd_t_handler: IPSEC_INTERFACE_ADD_DEL_SPD.
 * Attaches (is_add) or detaches SPD spd_id on interface sw_if_index, both
 * converted from network order, and replies with the result of
 * ipsec_set_interface_spd, or VNET_API_ERROR_UNIMPLEMENTED without libssl.
 * rmp and rv are consumed by REPLY_MACRO.
 */
94 {
95  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
96  vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
97  int rv;
98  u32 sw_if_index __attribute__ ((unused));
99  u32 spd_id __attribute__ ((unused));
100 
101  sw_if_index = ntohl (mp->sw_if_index);
102  spd_id = ntohl (mp->spd_id);
103 
 /*
  * NOTE(review): sw_if_index is client-supplied; confirm the
  * VALIDATE_SW_IF_INDEX (mp) / BAD_SW_IF_INDEX_LABEL pair guards this handler
  * so an unknown index is rejected with an error reply rather than reaching
  * ipsec_set_interface_spd.
  */
105 
106 #if WITH_LIBSSL > 0
107  rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
108 #else
109  rv = VNET_API_ERROR_UNIMPLEMENTED;
110 #endif
111 
113 
114  REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
115 }
116 
/*
 * vl_api_ipsec_spd_add_del_entry_t_handler: IPSEC_SPD_ADD_DEL_ENTRY.
 * Builds an ipsec_policy_t from the message (ids, priority and ports
 * converted from network order, addresses copied raw) and adds or deletes it
 * with ipsec_add_del_policy.  When is_ip_any is set the policy is installed
 * twice, first with the family given by is_ipv6 and then as IPv6, and only
 * the second call's result reaches the reply.  Replies
 * VNET_API_ERROR_UNIMPLEMENTED for the 'resolve' action and without libssl.
 */
119 {
120  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
121  vl_api_ipsec_spd_add_del_entry_reply_t *rmp;
122  int rv;
123 
124 #if WITH_LIBSSL > 0
125  ipsec_policy_t p;
126 
127  memset (&p, 0, sizeof (p));
128 
129  p.id = ntohl (mp->spd_id);
130  p.priority = ntohl (mp->priority);
131  p.is_outbound = mp->is_outbound;
132  p.is_ipv6 = mp->is_ipv6;
133 
134  if (mp->is_ipv6 || mp->is_ip_any)
135  {
 /*
  * IPv6 / any-family range: expected to copy the 16-byte start/stop
  * addresses into p.raddr / p.laddr .ip6, mirroring the IPv4 branch below
  * (confirm).
  */
140  }
141  else
142  {
143  clib_memcpy (&p.raddr.start.ip4.data, mp->remote_address_start, 4);
144  clib_memcpy (&p.raddr.stop.ip4.data, mp->remote_address_stop, 4);
145  clib_memcpy (&p.laddr.start.ip4.data, mp->local_address_start, 4);
146  clib_memcpy (&p.laddr.stop.ip4.data, mp->local_address_stop, 4);
147  }
148  p.protocol = mp->protocol;
149  p.rport.start = ntohs (mp->remote_port_start);
150  p.rport.stop = ntohs (mp->remote_port_stop);
151  p.lport.start = ntohs (mp->local_port_start);
152  p.lport.stop = ntohs (mp->local_port_stop);
153  /* policy action resolve unsupported */
 /*
  * NOTE(review): only RESOLVE is rejected; any other out-of-range policy
  * value is copied into p.policy below — confirm ipsec_add_del_policy
  * validates it.
  */
154  if (mp->policy == IPSEC_POLICY_ACTION_RESOLVE)
155  {
156  clib_warning ("unsupported action: 'resolve'");
157  rv = VNET_API_ERROR_UNIMPLEMENTED;
158  goto out;
159  }
160  p.policy = mp->policy;
161  p.sa_id = ntohl (mp->sa_id);
162 
163  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
164  if (rv)
165  goto out;
166 
 /* second install for the "any" family; its rv overrides the first */
167  if (mp->is_ip_any)
168  {
169  p.is_ipv6 = 1;
170  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
171  }
172 #else
173  rv = VNET_API_ERROR_UNIMPLEMENTED;
174  goto out;
175 #endif
176 
177 out:
178  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_ENTRY_REPLY);
179 }
180 
/*
 * vl_api_ipsec_sad_add_del_entry_t_handler: IPSEC_SAD_ADD_DEL_ENTRY.
 * Builds an ipsec_sa_t from the message: id/spi from network order, the
 * whole crypto and integrity key arrays copied (bounded by sizeof the SA
 * fields, not by the length fields), tunnel endpoints, then asks the
 * registered backend (im->cb.check_support_cb) whether it supports the SA
 * before calling ipsec_add_del_sa.  Unsupported algorithms or an unsupported
 * SA reply VNET_API_ERROR_UNIMPLEMENTED; so does a build without libssl.
 */
183 {
184  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
185  vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
186  int rv;
187 #if WITH_LIBSSL > 0
188  ipsec_main_t *im = &ipsec_main;
189  ipsec_sa_t sa;
190 
191  memset (&sa, 0, sizeof (sa));
192 
193  sa.id = ntohl (mp->sad_id);
194  sa.spi = ntohl (mp->spi);
195  sa.protocol = mp->protocol;
 /*
  * NOTE(review): the upper bound of the test below continues on the next
  * line; if it is written as "> IPSEC_CRYPTO_N_ALG" (as in the tunnel
  * set-key handler) the count value N_ALG itself is accepted — use ">="
  * when N_ALG is the one-past-the-end count its name suggests.
  */
196  /* check for unsupported crypto-alg */
197  if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
199  {
200  clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
201  mp->crypto_algorithm);
202  rv = VNET_API_ERROR_UNIMPLEMENTED;
203  goto out;
204  }
205  sa.crypto_alg = mp->crypto_algorithm;
 /*
  * NOTE(review): whatever sets sa.crypto_key_len / sa.integ_key_len from
  * the message must bound them to sizeof (sa.crypto_key) /
  * sizeof (sa.integ_key): send_ipsec_sa_details uses those lengths as
  * memcpy sizes, so an unchecked value would read past the key arrays.
  */
207  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
208  /* check for unsupported integ-alg */
210  {
211  clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
212  mp->integrity_algorithm);
213  rv = VNET_API_ERROR_UNIMPLEMENTED;
214  goto out;
215  }
216 
219  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
221  sa.is_tunnel = mp->is_tunnel;
222  sa.is_tunnel_ip6 = mp->is_tunnel_ipv6;
223  if (sa.is_tunnel_ip6)
224  {
 /* IPv6 tunnel endpoints: expected to copy 16-byte src/dst into .ip6,
  * mirroring the IPv4 branch below (confirm) */
227  }
228  else
229  {
230  clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4);
231  clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
232  }
234 
 /*
  * NOTE(review): if ASSERT is compiled out in release builds and no backend
  * registered check_support_cb, the call below dereferences NULL; a runtime
  * check that replies an error would be safer.
  */
235  ASSERT (im->cb.check_support_cb);
236  clib_error_t *err = im->cb.check_support_cb (&sa);
237  if (err)
238  {
239  clib_warning ("%s", err->what);
 /* NOTE(review): err is logged but never released (clib_error_free);
  * the backend's error object appears to leak on this path */
240  rv = VNET_API_ERROR_UNIMPLEMENTED;
241  goto out;
242  }
243 
244  rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
245 #else
246  rv = VNET_API_ERROR_UNIMPLEMENTED;
247  goto out;
248 #endif
249 
250 out:
251  REPLY_MACRO (VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY);
252 }
253 
/*
 * send_ipsec_spd_details (p, reg, context): build and send one
 * IPSEC_SPD_DETAILS message describing policy p to the client registration
 * reg, echoing the requester's context.  Integers are converted to network
 * order; addresses are copied raw (16 bytes for IPv6, 4 for IPv4) into the
 * zeroed message address fields; the policy's byte/packet counters are
 * included.  Ownership of the allocated message passes to vl_api_send_msg.
 */
254 static void
256  u32 context)
257 {
259 
 /* NOTE(review): the allocation result is not checked — confirm
  * vl_msg_api_alloc cannot return NULL before the memset below */
260  mp = vl_msg_api_alloc (sizeof (*mp));
261  memset (mp, 0, sizeof (*mp));
262  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
263  mp->context = context;
264 
265  mp->spd_id = htonl (p->id);
266  mp->priority = htonl (p->priority);
267  mp->is_outbound = p->is_outbound;
268  mp->is_ipv6 = p->is_ipv6;
 /* assumes the message address fields are at least 16 bytes — confirm
  * against the .api definition */
269  if (p->is_ipv6)
270  {
271  memcpy (mp->local_start_addr, &p->laddr.start.ip6, 16);
272  memcpy (mp->local_stop_addr, &p->laddr.stop.ip6, 16);
273  memcpy (mp->remote_start_addr, &p->raddr.start.ip6, 16);
274  memcpy (mp->remote_stop_addr, &p->raddr.stop.ip6, 16);
275  }
276  else
277  {
 /* only the first 4 bytes of each (zeroed) address field are written */
278  memcpy (mp->local_start_addr, &p->laddr.start.ip4, 4);
279  memcpy (mp->local_stop_addr, &p->laddr.stop.ip4, 4);
280  memcpy (mp->remote_start_addr, &p->raddr.start.ip4, 4);
281  memcpy (mp->remote_stop_addr, &p->raddr.stop.ip4, 4);
282  }
283  mp->local_start_port = htons (p->lport.start);
284  mp->local_stop_port = htons (p->lport.stop);
285  mp->remote_start_port = htons (p->rport.start);
286  mp->remote_stop_port = htons (p->rport.stop);
287  mp->protocol = p->protocol;
288  mp->policy = p->policy;
289  mp->sa_id = htonl (p->sa_id);
290  mp->bytes = clib_host_to_net_u64 (p->counter.bytes);
291  mp->packets = clib_host_to_net_u64 (p->counter.packets);
292 
293  vl_api_send_msg (reg, (u8 *) mp);
294 }
295 
/*
 * vl_api_ipsec_spd_dump_t_handler: IPSEC_SPD_DUMP.  Looks up the SPD named
 * by mp->spd_id (network order) and sends one IPSEC_SPD_DETAILS per policy
 * in it, restricted to policies whose sa_id matches mp->sa_id unless that
 * is ~0.  Returns silently when the client registration (reg) is gone or
 * the SPD does not exist; dump requests carry no reply message, so the
 * client simply sees no details in those cases.
 */
296 static void
298 {
300  ipsec_main_t *im = &ipsec_main;
301  ipsec_policy_t *policy;
302  ipsec_spd_t *spd;
303  uword *p;
304  u32 spd_index;
305 #if WITH_LIBSSL > 0
 /* reg is the requesting client's registration; nothing is sent once it
  * has gone away */
307  if (!reg)
308  return;
309 
310  p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
311  if (!p)
312  return;
313 
 /* the hash value is trusted to be a live index into im->spds */
314  spd_index = p[0];
315  spd = pool_elt_at_index (im->spds, spd_index);
316 
 /* ~0 needs no byte swap: it is the same value in either order */
317  /* *INDENT-OFF* */
318  pool_foreach (policy, spd->policies,
319  ({
320  if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
321  send_ipsec_spd_details (policy, reg,
322  mp->context);}
323  ));
324  /* *INDENT-ON* */
325 #else
326  clib_warning ("unimplemented");
327 #endif
328 }
329 
/*
 * vl_api_ipsec_sa_set_key_t_handler: IPSEC_SA_SET_KEY.  Replaces the keys of
 * the SA identified by mp->sa_id (network order): the whole crypto and
 * integrity key arrays are copied into a local ipsec_sa_t (bounded by sizeof
 * the SA fields) and handed to ipsec_set_sa_key, whose result becomes the
 * reply's retval.  VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
330 static void
332 {
333  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
334  vl_api_ipsec_sa_set_key_reply_t *rmp;
335  int rv;
336 #if WITH_LIBSSL > 0
 /*
  * NOTE(review): sa is not zeroed here, unlike the SAD add/del handler;
  * only id and the key fields are set, so ipsec_set_sa_key must not read
  * any other member — confirm, or add a memset.
  */
337  ipsec_sa_t sa;
338  sa.id = ntohl (mp->sa_id);
340  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
342  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
343 
 /* NOTE(review): the key bytes remain in the API message buffer after this
  * handler returns and the buffer is released without being cleared; clear
  * mp->crypto_key / mp->integrity_key here if that matters for the
  * deployment */
344  rv = ipsec_set_sa_key (vm, &sa);
345 #else
346  rv = VNET_API_ERROR_UNIMPLEMENTED;
347 #endif
348 
349  REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
350 }
351 
/*
 * vl_api_ipsec_tunnel_if_add_del_t_handler: IPSEC_TUNNEL_IF_ADD_DEL.
 * Builds ipsec_add_del_tunnel_args_t from the message (SPIs converted from
 * network order, IPv4 endpoints and the four key arrays copied) and creates
 * or deletes the tunnel interface with ipsec_add_del_tunnel_if_internal.
 * The reply carries retval plus the resulting sw_if_index (~0 when nothing
 * was created, e.g. without libssl).
 */
352 static void
354  mp)
355 {
357  ipsec_main_t *im = &ipsec_main;
358  vnet_main_t *vnm = im->vnet_main;
359  u32 sw_if_index = ~0;
360  int rv;
361 
362 #if WITH_LIBSSL > 0
364 
365  memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
366 
367  tun.is_add = mp->is_add;
368  tun.esn = mp->esn;
369  tun.anti_replay = mp->anti_replay;
370  tun.local_spi = ntohl (mp->local_spi);
371  tun.remote_spi = ntohl (mp->remote_spi);
372  tun.crypto_alg = mp->crypto_alg;
375  tun.integ_alg = mp->integ_alg;
 /* NOTE(review): crypto_alg / integ_alg are not range-checked here, unlike
  * the SAD and tunnel set-key handlers — confirm
  * ipsec_add_del_tunnel_if_internal rejects out-of-range values */
378  memcpy (&tun.local_ip, mp->local_ip, 4);
379  memcpy (&tun.remote_ip, mp->remote_ip, 4);
 /*
  * NOTE(review): the *_key_len lengths used for these four copies come
  * straight from the client and are not bounded to the destination arrays
  * (visible for local_integ_key below).  A length larger than
  * sizeof (tun.local_integ_key) overruns the local tun object and reads
  * past the message's key field.  Each length should be checked against
  * sizeof the destination and the request rejected with an error reply
  * when it exceeds it.
  */
380  memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
382  memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
384  memcpy (&tun.local_integ_key, &mp->local_integ_key,
385  mp->local_integ_key_len);
386  memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
388 
389  rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
390 
391 #else
392  rv = VNET_API_ERROR_UNIMPLEMENTED;
393 #endif
394 
 /* sw_if_index is reported in network order; still ~0 on failure */
395  REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, (
396  {
397  rmp->sw_if_index =
398  htonl (sw_if_index);
399  }));
400 }
401 
/*
 * send_ipsec_sa_details (sa, reg, context, sw_if_index): build and send one
 * IPSEC_SA_DETAILS message for sa to registration reg, echoing context and
 * reporting the tunnel interface (sw_if_index, ~0 if none) that uses the SA.
 * Integers go out in network order; tunnel endpoints are copied raw only
 * when the SA is a tunnel; the 64-bit sequence fields combine seq (low 32
 * bits on the wire) with seq_hi (high 32 bits) when ESN is in use.
 * Ownership of the allocated message passes to vl_api_send_msg.
 */
402 static void
404  u32 context, u32 sw_if_index)
405 {
407 
 /* NOTE(review): the allocation result is not checked — confirm
  * vl_msg_api_alloc cannot return NULL before the memset below */
408  mp = vl_msg_api_alloc (sizeof (*mp));
409  memset (mp, 0, sizeof (*mp));
410  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
411  mp->context = context;
412 
413  mp->sa_id = htonl (sa->id);
414  mp->sw_if_index = htonl (sw_if_index);
415 
416  mp->spi = htonl (sa->spi);
417  mp->protocol = sa->protocol;
418 
 /*
  * NOTE(review): the dump reply carries the raw crypto and integrity key
  * bytes, so any client allowed to issue IPSEC_SA_DUMP can read SA keys;
  * consider omitting key material from the dump (or restricting who may
  * call it).  The copies also trust sa->crypto_key_len / integ_key_len to
  * be within sizeof the key arrays — they must be bounded where the SA is
  * built.
  */
419  mp->crypto_alg = sa->crypto_alg;
420  mp->crypto_key_len = sa->crypto_key_len;
421  memcpy (mp->crypto_key, sa->crypto_key, sa->crypto_key_len);
422 
423  mp->integ_alg = sa->integ_alg;
424  mp->integ_key_len = sa->integ_key_len;
425  memcpy (mp->integ_key, sa->integ_key, sa->integ_key_len);
426 
427  mp->use_esn = sa->use_esn;
429 
430  mp->is_tunnel = sa->is_tunnel;
431  mp->is_tunnel_ip6 = sa->is_tunnel_ip6;
432 
 /* address fields stay zero (from the memset) for transport-mode SAs */
433  if (sa->is_tunnel)
434  {
435  if (sa->is_tunnel_ip6)
436  {
437  memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip6, 16);
438  memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip6, 16);
439  }
440  else
441  {
442  memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip4, 4);
443  memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip4, 4);
444  }
445  }
446 
447  mp->salt = clib_host_to_net_u32 (sa->salt);
 /*
  * NOTE(review): the OR-combination below relies on clib_host_to_net_u64
  * moving seq into the high-order bytes of the host value (little-endian
  * host); on a big-endian host both seq and seq_hi would land in the low
  * 32 bits.  clib_host_to_net_u64 (((u64) sa->seq_hi << 32) | sa->seq)
  * produces the same wire bytes portably.
  */
448  mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
449  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
450  if (sa->use_esn)
451  {
452  mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
453  mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
454  }
 /* replay_window stays zero (from the memset) when anti-replay is off */
455  if (sa->use_anti_replay)
456  mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
457  mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
458 
459  vl_api_send_msg (reg, (u8 *) mp);
460 }
461 
462 
/*
 * vl_api_ipsec_sa_dump_t_handler: IPSEC_SA_DUMP.  Sends one IPSEC_SA_DETAILS
 * per SA in the SAD (all of them when mp->sa_id is ~0, else only the
 * matching id).  Before walking the SAD it builds an SA-index -> tunnel
 * sw_if_index map so each details message can report the tunnel interface
 * using the SA (~0 when none).  Nothing is sent when the client
 * registration is gone or the SAD is empty; without libssl only a warning
 * is logged.
 */
463 static void
465 {
467  ipsec_main_t *im = &ipsec_main;
468  vnet_main_t *vnm = im->vnet_main;
469  ipsec_sa_t *sa;
471  u32 *sa_index_to_tun_if_index = 0;
472 
473 #if WITH_LIBSSL > 0
475  if (!reg || pool_elts (im->sad) == 0)
476  return;
477 
 /* one slot per SAD pool slot (pool_elts > 0 guarantees vec_len >= 1),
  * preset to ~0 = "no tunnel" */
478  vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
479  ~0);
480 
 /*
  * NOTE(review): the tunnel-interface walk below indexes the map with
  * t->input_sa_index / t->output_sa_index without a bounds check; it relies
  * on every tunnel's SA indices being valid SAD indices — confirm that
  * invariant also holds while a tunnel is being torn down.
  */
481  /* *INDENT-OFF* */
483  ({
484  vnet_hw_interface_t *hi;
485  u32 sw_if_index = ~0;
486 
487  hi = vnet_get_hw_interface (vnm, t->hw_if_index);
488  sw_if_index = hi->sw_if_index;
489  sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
490  sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
491  }));
492 
493  pool_foreach (sa, im->sad,
494  ({
495  if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
496  send_ipsec_sa_details (sa, reg, mp->context,
497  sa_index_to_tun_if_index[sa - im->sad]);
498  }));
499  /* *INDENT-ON* */
500 
501  vec_free (sa_index_to_tun_if_index);
502 #else
503  clib_warning ("unimplemented");
504 #endif
505 }
506 
507 
/*
 * vl_api_ipsec_tunnel_if_set_key_t_handler: IPSEC_TUNNEL_IF_SET_KEY.
 * Installs a new local/remote crypto or integrity key (mp->key_type) on the
 * tunnel interface mp->sw_if_index: the algorithm is range-checked per key
 * type, the key bytes are copied into a temporary vector and handed to
 * ipsec_set_interface_key, whose result is the reply's retval.
 */
508 static void
510  mp)
511 {
512  vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
513  ipsec_main_t *im = &ipsec_main;
514  vnet_main_t *vnm = im->vnet_main;
516  u8 *key = 0;
 /*
  * NOTE(review): rv has no initial value and the WITH_LIBSSL == 0 path
  * below reaches REPLY_MACRO without assigning it, so the client receives
  * an indeterminate retval.  Initialise it (rv = VNET_API_ERROR_UNIMPLEMENTED)
  * or assign it in the #else branch as the interface-SPD handler does.
  */
517  int rv;
518 
519 #if WITH_LIBSSL > 0
 /* NOTE(review): no VALIDATE_SW_IF_INDEX check precedes this lookup; an
  * unknown index from the client should be rejected with an error reply
  * instead of being passed to vnet_get_sw_interface */
520  sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
521 
522  switch (mp->key_type)
523  {
 /* NOTE(review): if IPSEC_CRYPTO_N_ALG is the one-past-the-end count its
  * name suggests, ">" lets alg == N_ALG through; ">=" is the correct test
  * (same for IPSEC_INTEG_N_ALG below) */
526  if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
527  mp->alg > IPSEC_CRYPTO_N_ALG)
528  {
529  rv = VNET_API_ERROR_UNIMPLEMENTED;
530  goto out;
531  }
532  break;
535  if (mp->alg > IPSEC_INTEG_N_ALG)
536  {
537  rv = VNET_API_ERROR_UNIMPLEMENTED;
538  goto out;
539  }
540  break;
542  default:
543  rv = VNET_API_ERROR_UNIMPLEMENTED;
544  goto out;
 /* unreachable after the goto; harmless */
545  break;
546  }
547 
 /*
  * NOTE(review): key_len is client-supplied and is not bounded by
  * sizeof (mp->key) before it is used as the copy length below; if key is
  * a fixed-size field the copy can read past it — reject oversize lengths
  * with an error reply.
  */
548  key = vec_new (u8, mp->key_len);
549  clib_memcpy (key, mp->key, mp->key_len);
550 
551  rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
552  key);
 /* NOTE(review): the temporary key vector is freed without being cleared;
  * clear it first if key material must not linger in freed heap memory */
553  vec_free (key);
554 #else
555  clib_warning ("unimplemented");
556 #endif
557 
558 out:
559  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
560 }
561 
562 
/*
 * vl_api_ipsec_tunnel_if_set_sa_t_handler: IPSEC_TUNNEL_IF_SET_SA.  Binds
 * SA mp->sa_id (network order) as the inbound or outbound (mp->is_outbound)
 * SA of the tunnel interface mp->sw_if_index via ipsec_set_interface_sa,
 * whose result is the reply's retval.
 */
563 static void
565 {
566  vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
567  ipsec_main_t *im = &ipsec_main;
568  vnet_main_t *vnm = im->vnet_main;
 /*
  * NOTE(review): rv is never assigned on the WITH_LIBSSL == 0 path below,
  * so REPLY_MACRO sends an indeterminate retval; set
  * rv = VNET_API_ERROR_UNIMPLEMENTED there as the interface-SPD handler does.
  */
570  int rv;
571 
572 #if WITH_LIBSSL > 0
 /* NOTE(review): sw_if_index is not validated before the lookup; an unknown
  * index from the client should produce an error reply rather than reach
  * vnet_get_sw_interface */
573  sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
574 
575  rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
576  mp->is_outbound);
577 #else
578  clib_warning ("unimplemented");
579 #endif
580 
581  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
582 }
583 
584 
/*
 * vl_api_ikev2_profile_add_del_t_handler: IKEV2_PROFILE_ADD_DEL.  Copies the
 * profile name out of the message into a temporary vector and creates or
 * deletes the IKEv2 profile with ikev2_add_del_profile.  Any error from the
 * IKEv2 layer is reported as VNET_API_ERROR_UNSPECIFIED; without libssl the
 * reply is VNET_API_ERROR_UNIMPLEMENTED.
 */
585 static void
587 {
588  vl_api_ikev2_profile_add_del_reply_t *rmp;
589  int rv = 0;
590 
591 #if WITH_LIBSSL > 0
593  clib_error_t *error;
 /*
  * NOTE(review): "%s" reads mp->name up to a NUL terminator; if name is a
  * fixed-size array the client is not forced to terminate it, so a
  * length-bounded copy of the field would be safer (the same pattern
  * appears in the other IKEv2 handlers).
  */
594  u8 *tmp = format (0, "%s", mp->name);
595  error = ikev2_add_del_profile (vm, tmp, mp->is_add);
596  vec_free (tmp);
 /* NOTE(review): the error's text is dropped and the object is not
  * released (clib_error_free); logging error->what as the SAD handler
  * does with err->what would aid diagnosis */
597  if (error)
598  rv = VNET_API_ERROR_UNSPECIFIED;
599 #else
600  rv = VNET_API_ERROR_UNIMPLEMENTED;
601 #endif
602 
603  REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
604 }
605 
/*
 * vl_api_ikev2_profile_set_auth_t_handler: IKEV2_PROFILE_SET_AUTH.  Copies
 * the profile name and the auth data (mp->data_len bytes, hex-encoded when
 * mp->is_hex) into temporary vectors and applies them with
 * ikev2_set_profile_auth.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
606 static void
609 {
610  vl_api_ikev2_profile_set_auth_reply_t *rmp;
611  int rv = 0;
612 
613 #if WITH_LIBSSL > 0
615  clib_error_t *error;
 /* NOTE(review): as in the other IKEv2 handlers, "%s" needs mp->name to be
  * NUL-terminated, which a client is not forced to guarantee */
616  u8 *tmp = format (0, "%s", mp->name);
 /*
  * NOTE(review): data_len is used without byte-order conversion although
  * this file converts the other multi-byte message fields with ntohl/ntohs;
  * confirm whether the length arrives converted, otherwise the vector size
  * and copy length are wrong on little-endian hosts.
  */
617  u8 *data = vec_new (u8, mp->data_len);
618  clib_memcpy (data, mp->data, mp->data_len);
619  error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
620  vec_free (tmp);
 /* NOTE(review): data may hold a shared secret; clear it before vec_free
  * if key material must not linger in freed memory */
621  vec_free (data);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
622  if (error)
623  rv = VNET_API_ERROR_UNSPECIFIED;
624 #else
625  rv = VNET_API_ERROR_UNIMPLEMENTED;
626 #endif
627 
628  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
629 }
630 
/*
 * vl_api_ikev2_profile_set_id_t_handler: IKEV2_PROFILE_SET_ID.  Copies the
 * profile name and the identification data (mp->data_len bytes) into
 * temporary vectors and sets the local or remote (mp->is_local) ID of type
 * mp->id_type with ikev2_set_profile_id.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
631 static void
633 {
 /*
  * NOTE(review): rmp is declared as the PROFILE_ADD_DEL reply type but
  * REPLY_MACRO below sends VL_API_IKEV2_PROFILE_SET_ID_REPLY; this only
  * works while the two reply layouts are identical — declare the matching
  * generated type, vl_api_ikev2_profile_set_id_reply_t.
  */
634  vl_api_ikev2_profile_add_del_reply_t *rmp;
635  int rv = 0;
636 
637 #if WITH_LIBSSL > 0
639  clib_error_t *error;
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
640  u8 *tmp = format (0, "%s", mp->name);
 /* NOTE(review): data_len is used without byte-order conversion while this
  * file converts other multi-byte fields with ntohl/ntohs — confirm the
  * expected order */
641  u8 *data = vec_new (u8, mp->data_len);
642  clib_memcpy (data, mp->data, mp->data_len);
643  error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
644  vec_free (tmp);
645  vec_free (data);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
646  if (error)
647  rv = VNET_API_ERROR_UNSPECIFIED;
648 #else
649  rv = VNET_API_ERROR_UNIMPLEMENTED;
650 #endif
651 
652  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
653 }
654 
/*
 * vl_api_ikev2_profile_set_ts_t_handler: IKEV2_PROFILE_SET_TS.  Sets the
 * local or remote (mp->is_local) traffic selector of the named profile —
 * protocol, port range and IPv4 address range — with ikev2_set_profile_ts.
 * IKEv2-layer errors become VNET_API_ERROR_UNSPECIFIED;
 * VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
655 static void
657 {
658  vl_api_ikev2_profile_set_ts_reply_t *rmp;
659  int rv = 0;
660 
661 #if WITH_LIBSSL > 0
663  clib_error_t *error;
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
664  u8 *tmp = format (0, "%s", mp->name);
 /*
  * NOTE(review): start_port / end_port are passed without ntohs although
  * the IPsec handlers in this file convert their port fields; confirm the
  * byte order this message is expected to arrive in.
  */
665  error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
666  mp->end_port, (ip4_address_t) mp->start_addr,
667  (ip4_address_t) mp->end_addr, mp->is_local);
668  vec_free (tmp);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
669  if (error)
670  rv = VNET_API_ERROR_UNSPECIFIED;
671 #else
672  rv = VNET_API_ERROR_UNIMPLEMENTED;
673 #endif
674 
675  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
676 }
677 
/*
 * vl_api_ikev2_set_local_key_t_handler: IKEV2_SET_LOCAL_KEY.  Points the
 * IKEv2 layer at the local private key file named by mp->key_file via
 * ikev2_set_local_key.  IKEv2-layer errors become VNET_API_ERROR_UNSPECIFIED;
 * VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
678 static void
680 {
 /*
  * NOTE(review): rmp is declared as the PROFILE_SET_TS reply type but
  * REPLY_MACRO below sends VL_API_IKEV2_SET_LOCAL_KEY_REPLY; this only works
  * while the reply layouts are identical — declare the matching generated
  * type, vl_api_ikev2_set_local_key_reply_t.
  */
681  vl_api_ikev2_profile_set_ts_reply_t *rmp;
682  int rv = 0;
683 
684 #if WITH_LIBSSL > 0
686  clib_error_t *error;
687 
 /*
  * NOTE(review): key_file is a client-supplied path that the IKEv2 layer
  * will open; nothing here bounds or NUL-terminates it.  Confirm
  * ikev2_set_local_key copies it with a length limit, and that API access
  * is restricted to operators who may point VPP at arbitrary files.
  */
688  error = ikev2_set_local_key (vm, mp->key_file);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
689  if (error)
690  rv = VNET_API_ERROR_UNSPECIFIED;
691 #else
692  rv = VNET_API_ERROR_UNIMPLEMENTED;
693 #endif
694 
695  REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
696 }
697 
/*
 * vl_api_ikev2_set_responder_t_handler: IKEV2_SET_RESPONDER.  Sets the
 * responder interface and IPv4 address (copied bounded by sizeof ip4) of
 * the named profile with ikev2_set_profile_responder.  IKEv2-layer errors
 * become VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without
 * libssl.
 */
698 static void
700 {
701  vl_api_ikev2_set_responder_reply_t *rmp;
702  int rv = 0;
703 
704 #if WITH_LIBSSL > 0
706  clib_error_t *error;
707 
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
708  u8 *tmp = format (0, "%s", mp->name);
709  ip4_address_t ip4;
710  clib_memcpy (&ip4, mp->address, sizeof (ip4));
711 
 /*
  * NOTE(review): sw_if_index is passed without ntohl, while every other
  * handler in this file converts it (interface-SPD, tunnel set-key /
  * set-sa) — likely a missing conversion; it is also not validated
  * against the interface pool before use.
  */
712  error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
713  vec_free (tmp);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
714  if (error)
715  rv = VNET_API_ERROR_UNSPECIFIED;
716 #else
717  rv = VNET_API_ERROR_UNIMPLEMENTED;
718 #endif
719 
720  REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
721 }
722 
/*
 * vl_api_ikev2_set_ike_transforms_t_handler: IKEV2_SET_IKE_TRANSFORMS.
 * Sets the IKE SA proposal (crypto/integrity algorithms, DH group and
 * crypto key size) of the named profile.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
723 static void
725  mp)
726 {
727  vl_api_ikev2_set_ike_transforms_reply_t *rmp;
728  int rv = 0;
729 
730 #if WITH_LIBSSL > 0
732  clib_error_t *error;
733 
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
734  u8 *tmp = format (0, "%s", mp->name);
735 
 /* NOTE(review): crypto_key_size is passed without byte-order conversion
  * while this file converts other multi-byte fields with ntohl — confirm
  * the expected order */
736  error =
738  mp->dh_group, mp->crypto_key_size);
739  vec_free (tmp);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
740  if (error)
741  rv = VNET_API_ERROR_UNSPECIFIED;
742 #else
743  rv = VNET_API_ERROR_UNIMPLEMENTED;
744 #endif
745 
746  REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
747 }
748 
/*
 * vl_api_ikev2_set_esp_transforms_t_handler: IKEV2_SET_ESP_TRANSFORMS.
 * Sets the ESP (child SA) proposal — crypto/integrity algorithms, DH group
 * and crypto key size — of the named profile.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
749 static void
751  mp)
752 {
753  vl_api_ikev2_set_esp_transforms_reply_t *rmp;
754  int rv = 0;
755 
756 #if WITH_LIBSSL > 0
758  clib_error_t *error;
759 
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
760  u8 *tmp = format (0, "%s", mp->name);
761 
 /* NOTE(review): crypto_key_size is passed without byte-order conversion
  * while this file converts other multi-byte fields with ntohl — confirm
  * the expected order */
762  error =
764  mp->dh_group, mp->crypto_key_size);
765  vec_free (tmp);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
766  if (error)
767  rv = VNET_API_ERROR_UNSPECIFIED;
768 #else
769  rv = VNET_API_ERROR_UNIMPLEMENTED;
770 #endif
771 
772  REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
773 }
774 
/*
 * vl_api_ikev2_set_sa_lifetime_t_handler: IKEV2_SET_SA_LIFETIME.  Sets the
 * child SA lifetime parameters (time, jitter, handover, max data) of the
 * named profile.  IKEv2-layer errors become VNET_API_ERROR_UNSPECIFIED;
 * VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
775 static void
777 {
778  vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
779  int rv = 0;
780 
781 #if WITH_LIBSSL > 0
783  clib_error_t *error;
784 
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
785  u8 *tmp = format (0, "%s", mp->name);
786 
 /* NOTE(review): the lifetime values (handover, lifetime_maxdata and the
  * fields on the preceding line) are passed without byte-order conversion
  * while this file converts other multi-byte fields — confirm they arrive
  * in host order */
787  error =
789  mp->handover, mp->lifetime_maxdata);
790  vec_free (tmp);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
791  if (error)
792  rv = VNET_API_ERROR_UNSPECIFIED;
793 #else
794  rv = VNET_API_ERROR_UNIMPLEMENTED;
795 #endif
796 
797  REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
798 }
799 
/*
 * vl_api_ikev2_initiate_sa_init_t_handler: IKEV2_INITIATE_SA_INIT.  Starts
 * the IKE_SA_INIT exchange for the named profile with ikev2_initiate_sa_init.
 * IKEv2-layer errors become VNET_API_ERROR_UNSPECIFIED;
 * VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
800 static void
802 {
803  vl_api_ikev2_initiate_sa_init_reply_t *rmp;
804  int rv = 0;
805 
806 #if WITH_LIBSSL > 0
808  clib_error_t *error;
809 
 /* NOTE(review): "%s" needs mp->name to be NUL-terminated, which a client
  * is not forced to guarantee */
810  u8 *tmp = format (0, "%s", mp->name);
811 
812  error = ikev2_initiate_sa_init (vm, tmp);
813  vec_free (tmp);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
814  if (error)
815  rv = VNET_API_ERROR_UNSPECIFIED;
816 #else
817  rv = VNET_API_ERROR_UNIMPLEMENTED;
818 #endif
819 
820  REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
821 }
822 
/*
 * vl_api_ikev2_initiate_del_ike_sa_t_handler: IKEV2_INITIATE_DEL_IKE_SA.
 * Starts deletion of the IKE SA identified by mp->ispi with
 * ikev2_initiate_delete_ike_sa.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
823 static void
825  * mp)
826 {
827  vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
828  int rv = 0;
829 
830 #if WITH_LIBSSL > 0
832  clib_error_t *error;
833 
 /* NOTE(review): ispi is passed without byte-order conversion while this
  * file converts other multi-byte fields — confirm the expected order */
834  error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
835  if (error)
836  rv = VNET_API_ERROR_UNSPECIFIED;
837 #else
838  rv = VNET_API_ERROR_UNIMPLEMENTED;
839 #endif
840 
841  REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
842 }
843 
/*
 * vl_api_ikev2_initiate_del_child_sa_t_handler: IKEV2_INITIATE_DEL_CHILD_SA.
 * Starts deletion of the child SA identified by mp->ispi with
 * ikev2_initiate_delete_child_sa.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
844 static void
847 {
848  vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
849  int rv = 0;
850 
851 #if WITH_LIBSSL > 0
853  clib_error_t *error;
854 
 /* NOTE(review): ispi is passed without byte-order conversion while this
  * file converts other multi-byte fields — confirm the expected order */
855  error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
856  if (error)
857  rv = VNET_API_ERROR_UNSPECIFIED;
858 #else
859  rv = VNET_API_ERROR_UNIMPLEMENTED;
860 #endif
861 
862  REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
863 }
864 
/*
 * vl_api_ikev2_initiate_rekey_child_sa_t_handler:
 * IKEV2_INITIATE_REKEY_CHILD_SA.  Starts a rekey of the child SA identified
 * by mp->ispi with ikev2_initiate_rekey_child_sa.  IKEv2-layer errors become
 * VNET_API_ERROR_UNSPECIFIED; VNET_API_ERROR_UNIMPLEMENTED without libssl.
 */
865 static void
868 {
869  vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
870  int rv = 0;
871 
872 #if WITH_LIBSSL > 0
874  clib_error_t *error;
875 
 /* NOTE(review): ispi is passed without byte-order conversion while this
  * file converts other multi-byte fields — confirm the expected order */
876  error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
 /* NOTE(review): error is neither logged nor released (clib_error_free) */
877  if (error)
878  rv = VNET_API_ERROR_UNSPECIFIED;
879 #else
880  rv = VNET_API_ERROR_UNIMPLEMENTED;
881 #endif
882 
883  REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
884 }
885 
886 /*
887  * ipsec_api_hookup
888  * Add vpe's API message handlers to the table.
889  * vlib has already mapped shared memory and
890  * added the client registration handlers.
891  * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
892  */
893 #define vl_msg_name_crc_list
894 #include <vnet/vnet_all_api_h.h>
895 #undef vl_msg_name_crc_list
896 
/*
 * setup_message_id_table (am): register every (name_crc -> message id) pair
 * from foreach_vl_msg_name_crc_ipsec with the API main, so clients can
 * resolve this module's message ids by "<name>_<crc>".
 */
897 static void
899 {
900 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
901  foreach_vl_msg_name_crc_ipsec;
902 #undef _
903 }
904 
/*
 * ipsec_api_hookup (vm): API init function.  Registers, for every message
 * in foreach_vpe_api_msg, the handler, endian and print functions and the
 * message size with the API main (vl_noop_handler as cleanup), then fills
 * the (msg_name, crc, message-id) table.  Returns 0 (no error).
 */
905 static clib_error_t *
907 {
908  api_main_t *am = &api_main;
909 
 /*
  * sizeof (vl_api_##n##_t) is the fixed part of each message; for messages
  * with a variable-length tail (the IKEv2 set_auth / set_id data) the
  * handler must check data_len against the received length itself.  The
  * trailing 1 is a per-message flag whose meaning is not evident here —
  * presumably "traced"; confirm against the vl_msg_api_set_handlers
  * prototype.
  */
910 #define _(N,n) \
911  vl_msg_api_set_handlers(VL_API_##N, #n, \
912  vl_api_##n##_t_handler, \
913  vl_noop_handler, \
914  vl_api_##n##_t_endian, \
915  vl_api_##n##_t_print, \
916  sizeof(vl_api_##n##_t), 1);
918 #undef _
919 
920  /*
921  * Set up the (msg_name, crc, message-id) table
922  */
924 
925  return 0;
926 }
927 
929 
930 /*
931  * fd.io coding-style-patch-verification: ON
932  *
933  * Local Variables:
934  * eval: (c-set-style "gnu")
935  * End:
936  */