FD.io VPP  v19.01.3-6-g70449b9b9
Vector Packet Processing
ipsec_api.c
Go to the documentation of this file.
1 /*
2  *------------------------------------------------------------------
3  * ipsec_api.c - ipsec api
4  *
5  * Copyright (c) 2016 Cisco and/or its affiliates.
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at:
9  *
10  * http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  *------------------------------------------------------------------
18  */
19 
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
22 
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/fib/fib.h>
27 
28 #include <vnet/vnet_msg_enum.h>
29 
30 #if WITH_LIBSSL > 0
31 #include <vnet/ipsec/ipsec.h>
32 #include <vnet/ipsec/ikev2.h>
33 #endif /* IPSEC */
34 
35 #define vl_typedefs /* define message structures */
36 #include <vnet/vnet_all_api_h.h>
37 #undef vl_typedefs
38 
39 #define vl_endianfun /* define message structures */
40 #include <vnet/vnet_all_api_h.h>
41 #undef vl_endianfun
42 
43 /* instantiate all the print functions we know about */
44 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
45 #define vl_printfun
46 #include <vnet/vnet_all_api_h.h>
47 #undef vl_printfun
48 
50 
51 #define foreach_vpe_api_msg \
52 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
53 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
54 _(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \
55 _(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \
56 _(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
57 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
58 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
59 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
60 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
61 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
62 _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
63 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
64 _(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
65 _(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
66 _(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
67 _(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
68 _(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
69 _(IKEV2_SET_RESPONDER, ikev2_set_responder) \
70 _(IKEV2_SET_IKE_TRANSFORMS, ikev2_set_ike_transforms) \
71 _(IKEV2_SET_ESP_TRANSFORMS, ikev2_set_esp_transforms) \
72 _(IKEV2_SET_SA_LIFETIME, ikev2_set_sa_lifetime) \
73 _(IKEV2_INITIATE_SA_INIT, ikev2_initiate_sa_init) \
74 _(IKEV2_INITIATE_DEL_IKE_SA, ikev2_initiate_del_ike_sa) \
75 _(IKEV2_INITIATE_DEL_CHILD_SA, ikev2_initiate_del_child_sa) \
76 _(IKEV2_INITIATE_REKEY_CHILD_SA, ikev2_initiate_rekey_child_sa) \
77 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
78 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump)
79 
80 static void
82 {
83 #if WITH_LIBSSL == 0
84  clib_warning ("unimplemented");
85 #else
86 
87  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
88  vl_api_ipsec_spd_add_del_reply_t *rmp;
89  int rv;
90 
91  rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
92 
93  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
94 #endif
95 }
96 
99 {
100  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
101  vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
102  int rv;
103  u32 sw_if_index __attribute__ ((unused));
104  u32 spd_id __attribute__ ((unused));
105 
106  sw_if_index = ntohl (mp->sw_if_index);
107  spd_id = ntohl (mp->spd_id);
108 
110 
111 #if WITH_LIBSSL > 0
112  rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
113 #else
114  rv = VNET_API_ERROR_UNIMPLEMENTED;
115 #endif
116 
118 
119  REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
120 }
121 
124 {
125  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
126  vl_api_ipsec_spd_add_del_entry_reply_t *rmp;
127  int rv;
128 
129 #if WITH_LIBSSL > 0
130  ipsec_policy_t p;
131 
132  clib_memset (&p, 0, sizeof (p));
133 
134  p.id = ntohl (mp->spd_id);
135  p.priority = ntohl (mp->priority);
136  p.is_outbound = mp->is_outbound;
137  p.is_ipv6 = mp->is_ipv6;
138 
139  if (mp->is_ipv6 || mp->is_ip_any)
140  {
145  }
146  else
147  {
148  clib_memcpy (&p.raddr.start.ip4.data, mp->remote_address_start, 4);
149  clib_memcpy (&p.raddr.stop.ip4.data, mp->remote_address_stop, 4);
150  clib_memcpy (&p.laddr.start.ip4.data, mp->local_address_start, 4);
151  clib_memcpy (&p.laddr.stop.ip4.data, mp->local_address_stop, 4);
152  }
153  p.protocol = mp->protocol;
154  p.rport.start = ntohs (mp->remote_port_start);
155  p.rport.stop = ntohs (mp->remote_port_stop);
156  p.lport.start = ntohs (mp->local_port_start);
157  p.lport.stop = ntohs (mp->local_port_stop);
158  /* policy action resolve unsupported */
159  if (mp->policy == IPSEC_POLICY_ACTION_RESOLVE)
160  {
161  clib_warning ("unsupported action: 'resolve'");
162  rv = VNET_API_ERROR_UNIMPLEMENTED;
163  goto out;
164  }
165  p.policy = mp->policy;
166  p.sa_id = ntohl (mp->sa_id);
167 
168  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
169  if (rv)
170  goto out;
171 
172  if (mp->is_ip_any)
173  {
174  p.is_ipv6 = 1;
175  rv = ipsec_add_del_policy (vm, &p, mp->is_add);
176  }
177 #else
178  rv = VNET_API_ERROR_UNIMPLEMENTED;
179  goto out;
180 #endif
181 
182 out:
183  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_ENTRY_REPLY);
184 }
185 
188 {
189  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
190  vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
191  int rv;
192 #if WITH_LIBSSL > 0
193  ipsec_main_t *im = &ipsec_main;
194  ipsec_sa_t sa;
195 
196  clib_memset (&sa, 0, sizeof (sa));
197 
198  sa.id = ntohl (mp->sad_id);
199  sa.spi = ntohl (mp->spi);
200  sa.protocol = mp->protocol;
201  /* check for unsupported crypto-alg */
203  {
204  clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
205  mp->crypto_algorithm);
206  rv = VNET_API_ERROR_UNIMPLEMENTED;
207  goto out;
208  }
209  sa.crypto_alg = mp->crypto_algorithm;
211  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
212  /* check for unsupported integ-alg */
214  {
215  clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
216  mp->integrity_algorithm);
217  rv = VNET_API_ERROR_UNIMPLEMENTED;
218  goto out;
219  }
220 
223  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
225  sa.is_tunnel = mp->is_tunnel;
226  sa.is_tunnel_ip6 = mp->is_tunnel_ipv6;
227  sa.udp_encap = mp->udp_encap;
228  if (sa.is_tunnel_ip6)
229  {
232  }
233  else
234  {
235  clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4);
236  clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
237  }
239 
240  clib_error_t *err = ipsec_check_support_cb (im, &sa);
241  if (err)
242  {
243  clib_warning ("%s", err->what);
244  rv = VNET_API_ERROR_UNIMPLEMENTED;
245  goto out;
246  }
247 
248  rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
249 #else
250  rv = VNET_API_ERROR_UNIMPLEMENTED;
251  goto out;
252 #endif
253 
254 out:
255  REPLY_MACRO (VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY);
256 }
257 
258 static void
260  u32 context)
261 {
263 
264  mp = vl_msg_api_alloc (sizeof (*mp));
265  clib_memset (mp, 0, sizeof (*mp));
266  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
267  mp->context = context;
268 
269  mp->spd_id = htonl (spd->id);
270  mp->npolicies = htonl (pool_len (spd->policies));
271 
272  vl_api_send_msg (reg, (u8 *) mp);
273 }
274 
275 static void
277 {
279  ipsec_main_t *im = &ipsec_main;
280  ipsec_spd_t *spd;
281 #if WITH_LIBSSL > 0
283  if (!reg)
284  return;
285 
286  /* *INDENT-OFF* */
287  pool_foreach (spd, im->spds, ({
288  send_ipsec_spds_details (spd, reg, mp->context);
289  }));
290  /* *INDENT-ON* */
291 #else
292  clib_warning ("unimplemented");
293 #endif
294 }
295 
296 static void
298  u32 context)
299 {
301 
302  mp = vl_msg_api_alloc (sizeof (*mp));
303  clib_memset (mp, 0, sizeof (*mp));
304  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
305  mp->context = context;
306 
307  mp->spd_id = htonl (p->id);
308  mp->priority = htonl (p->priority);
309  mp->is_outbound = p->is_outbound;
310  mp->is_ipv6 = p->is_ipv6;
311  if (p->is_ipv6)
312  {
313  memcpy (mp->local_start_addr, &p->laddr.start.ip6, 16);
314  memcpy (mp->local_stop_addr, &p->laddr.stop.ip6, 16);
315  memcpy (mp->remote_start_addr, &p->raddr.start.ip6, 16);
316  memcpy (mp->remote_stop_addr, &p->raddr.stop.ip6, 16);
317  }
318  else
319  {
320  memcpy (mp->local_start_addr, &p->laddr.start.ip4, 4);
321  memcpy (mp->local_stop_addr, &p->laddr.stop.ip4, 4);
322  memcpy (mp->remote_start_addr, &p->raddr.start.ip4, 4);
323  memcpy (mp->remote_stop_addr, &p->raddr.stop.ip4, 4);
324  }
325  mp->local_start_port = htons (p->lport.start);
326  mp->local_stop_port = htons (p->lport.stop);
327  mp->remote_start_port = htons (p->rport.start);
328  mp->remote_stop_port = htons (p->rport.stop);
329  mp->protocol = p->protocol;
330  mp->policy = p->policy;
331  mp->sa_id = htonl (p->sa_id);
332  mp->bytes = clib_host_to_net_u64 (p->counter.bytes);
333  mp->packets = clib_host_to_net_u64 (p->counter.packets);
334 
335  vl_api_send_msg (reg, (u8 *) mp);
336 }
337 
338 static void
340 {
342  ipsec_main_t *im = &ipsec_main;
343  ipsec_policy_t *policy;
344  ipsec_spd_t *spd;
345  uword *p;
346  u32 spd_index;
347 #if WITH_LIBSSL > 0
349  if (!reg)
350  return;
351 
352  p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
353  if (!p)
354  return;
355 
356  spd_index = p[0];
357  spd = pool_elt_at_index (im->spds, spd_index);
358 
359  /* *INDENT-OFF* */
360  pool_foreach (policy, spd->policies,
361  ({
362  if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
363  send_ipsec_spd_details (policy, reg,
364  mp->context);}
365  ));
366  /* *INDENT-ON* */
367 #else
368  clib_warning ("unimplemented");
369 #endif
370 }
371 
372 static void
374  u32 sw_if_index, u32 context)
375 {
377 
378  mp = vl_msg_api_alloc (sizeof (*mp));
379  clib_memset (mp, 0, sizeof (*mp));
380  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
381  mp->context = context;
382 
383  mp->spd_index = htonl (spd_index);
384  mp->sw_if_index = htonl (sw_if_index);
385 
386  vl_api_send_msg (reg, (u8 *) mp);
387 }
388 
389 static void
391  mp)
392 {
393  ipsec_main_t *im = &ipsec_main;
395  u32 k, v, spd_index;
396 
397 #if WITH_LIBSSL > 0
399  if (!reg)
400  return;
401 
402  if (mp->spd_index_valid)
403  {
404  spd_index = ntohl (mp->spd_index);
405  /* *INDENT-OFF* */
407  if (v == spd_index)
408  send_ipsec_spd_interface_details(reg, v, k, mp->context);
409  }));
410  /* *INDENT-ON* */
411  }
412  else
413  {
414  /* *INDENT-OFF* */
416  send_ipsec_spd_interface_details(reg, v, k, mp->context);
417  }));
418  /* *INDENT-ON* */
419  }
420 
421 #else
422  clib_warning ("unimplemented");
423 #endif
424 }
425 
426 static void
428 {
429  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
430  vl_api_ipsec_sa_set_key_reply_t *rmp;
431  int rv;
432 #if WITH_LIBSSL > 0
433  ipsec_sa_t sa;
434  sa.id = ntohl (mp->sa_id);
436  clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
438  clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
439 
440  rv = ipsec_set_sa_key (vm, &sa);
441 #else
442  rv = VNET_API_ERROR_UNIMPLEMENTED;
443 #endif
444 
445  REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
446 }
447 
448 static void
450  mp)
451 {
453  ipsec_main_t *im = &ipsec_main;
454  vnet_main_t *vnm = im->vnet_main;
455  u32 sw_if_index = ~0;
456  int rv;
457 
458 #if WITH_LIBSSL > 0
460 
461  clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
462 
463  tun.is_add = mp->is_add;
464  tun.esn = mp->esn;
465  tun.anti_replay = mp->anti_replay;
466  tun.local_spi = ntohl (mp->local_spi);
467  tun.remote_spi = ntohl (mp->remote_spi);
468  tun.crypto_alg = mp->crypto_alg;
471  tun.integ_alg = mp->integ_alg;
474  tun.udp_encap = mp->udp_encap;
475  tun.tx_table_id = ntohl (mp->tx_table_id);
476  memcpy (&tun.local_ip, mp->local_ip, 4);
477  memcpy (&tun.remote_ip, mp->remote_ip, 4);
478  memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
480  memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
482  memcpy (&tun.local_integ_key, &mp->local_integ_key,
483  mp->local_integ_key_len);
484  memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
486  tun.renumber = mp->renumber;
487  tun.show_instance = ntohl (mp->show_instance);
488 
489  rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
490 
491 #else
492  rv = VNET_API_ERROR_UNIMPLEMENTED;
493 #endif
494 
495  REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, (
496  {
497  rmp->sw_if_index =
498  htonl (sw_if_index);
499  }));
500 }
501 
502 static void
504  u32 context, u32 sw_if_index)
505 {
507 
508  mp = vl_msg_api_alloc (sizeof (*mp));
509  clib_memset (mp, 0, sizeof (*mp));
510  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
511  mp->context = context;
512 
513  mp->sa_id = htonl (sa->id);
514  mp->sw_if_index = htonl (sw_if_index);
515 
516  mp->spi = htonl (sa->spi);
517  mp->protocol = sa->protocol;
518 
519  mp->crypto_alg = sa->crypto_alg;
520  mp->crypto_key_len = sa->crypto_key_len;
521  memcpy (mp->crypto_key, sa->crypto_key, sa->crypto_key_len);
522 
523  mp->integ_alg = sa->integ_alg;
524  mp->integ_key_len = sa->integ_key_len;
525  memcpy (mp->integ_key, sa->integ_key, sa->integ_key_len);
526 
527  mp->use_esn = sa->use_esn;
529 
530  mp->is_tunnel = sa->is_tunnel;
531  mp->is_tunnel_ip6 = sa->is_tunnel_ip6;
532 
533  if (sa->is_tunnel)
534  {
535  if (sa->is_tunnel_ip6)
536  {
537  memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip6, 16);
538  memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip6, 16);
539  }
540  else
541  {
542  memcpy (mp->tunnel_src_addr, &sa->tunnel_src_addr.ip4, 4);
543  memcpy (mp->tunnel_dst_addr, &sa->tunnel_dst_addr.ip4, 4);
544  }
545  }
546 
547  mp->salt = clib_host_to_net_u32 (sa->salt);
548  mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
549  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
550  if (sa->use_esn)
551  {
552  mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
553  mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
554  }
555  if (sa->use_anti_replay)
556  mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
557  mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
558  mp->udp_encap = sa->udp_encap;
559 
560  if (~0 != sa->tx_fib_index)
561  mp->tx_table_id =
563  else
564  mp->tx_table_id = ~0;
565 
566  vl_api_send_msg (reg, (u8 *) mp);
567 }
568 
569 
570 static void
572 {
574  ipsec_main_t *im = &ipsec_main;
575  vnet_main_t *vnm = im->vnet_main;
576  ipsec_sa_t *sa;
578  u32 *sa_index_to_tun_if_index = 0;
579 
580 #if WITH_LIBSSL > 0
582  if (!reg || pool_elts (im->sad) == 0)
583  return;
584 
585  vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
586  ~0);
587 
588  /* *INDENT-OFF* */
590  ({
591  vnet_hw_interface_t *hi;
592  u32 sw_if_index = ~0;
593 
594  hi = vnet_get_hw_interface (vnm, t->hw_if_index);
595  sw_if_index = hi->sw_if_index;
596  sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
597  sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
598  }));
599 
600  pool_foreach (sa, im->sad,
601  ({
602  if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
603  send_ipsec_sa_details (sa, reg, mp->context,
604  sa_index_to_tun_if_index[sa - im->sad]);
605  }));
606  /* *INDENT-ON* */
607 
608  vec_free (sa_index_to_tun_if_index);
609 #else
610  clib_warning ("unimplemented");
611 #endif
612 }
613 
614 
615 static void
617  mp)
618 {
619  vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
620  ipsec_main_t *im = &ipsec_main;
621  vnet_main_t *vnm = im->vnet_main;
623  u8 *key = 0;
624  int rv;
625 
626 #if WITH_LIBSSL > 0
627  sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
628 
629  switch (mp->key_type)
630  {
633  if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
634  mp->alg >= IPSEC_CRYPTO_N_ALG)
635  {
636  rv = VNET_API_ERROR_UNIMPLEMENTED;
637  goto out;
638  }
639  break;
642  if (mp->alg >= IPSEC_INTEG_N_ALG)
643  {
644  rv = VNET_API_ERROR_UNIMPLEMENTED;
645  goto out;
646  }
647  break;
649  default:
650  rv = VNET_API_ERROR_UNIMPLEMENTED;
651  goto out;
652  break;
653  }
654 
655  key = vec_new (u8, mp->key_len);
656  clib_memcpy (key, mp->key, mp->key_len);
657 
658  rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
659  key);
660  vec_free (key);
661 #else
662  clib_warning ("unimplemented");
663 #endif
664 
665 out:
666  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
667 }
668 
669 
670 static void
672 {
673  vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
674  ipsec_main_t *im = &ipsec_main;
675  vnet_main_t *vnm = im->vnet_main;
677  int rv;
678 
679 #if WITH_LIBSSL > 0
680  sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
681 
682  rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
683  mp->is_outbound);
684 #else
685  clib_warning ("unimplemented");
686 #endif
687 
688  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
689 }
690 
691 
692 static void
694 {
695  vl_api_ikev2_profile_add_del_reply_t *rmp;
696  int rv = 0;
697 
698 #if WITH_LIBSSL > 0
700  clib_error_t *error;
701  u8 *tmp = format (0, "%s", mp->name);
702  error = ikev2_add_del_profile (vm, tmp, mp->is_add);
703  vec_free (tmp);
704  if (error)
705  rv = VNET_API_ERROR_UNSPECIFIED;
706 #else
707  rv = VNET_API_ERROR_UNIMPLEMENTED;
708 #endif
709 
710  REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
711 }
712 
713 static void
716 {
717  vl_api_ikev2_profile_set_auth_reply_t *rmp;
718  int rv = 0;
719 
720 #if WITH_LIBSSL > 0
722  clib_error_t *error;
723  int data_len = ntohl (mp->data_len);
724  u8 *tmp = format (0, "%s", mp->name);
725  u8 *data = vec_new (u8, data_len);
726  clib_memcpy (data, mp->data, data_len);
727  error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex);
728  vec_free (tmp);
729  vec_free (data);
730  if (error)
731  rv = VNET_API_ERROR_UNSPECIFIED;
732 #else
733  rv = VNET_API_ERROR_UNIMPLEMENTED;
734 #endif
735 
736  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
737 }
738 
739 static void
741 {
742  vl_api_ikev2_profile_add_del_reply_t *rmp;
743  int rv = 0;
744 
745 #if WITH_LIBSSL > 0
747  clib_error_t *error;
748  u8 *tmp = format (0, "%s", mp->name);
749  int data_len = ntohl (mp->data_len);
750  u8 *data = vec_new (u8, data_len);
751  clib_memcpy (data, mp->data, data_len);
752  error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local);
753  vec_free (tmp);
754  vec_free (data);
755  if (error)
756  rv = VNET_API_ERROR_UNSPECIFIED;
757 #else
758  rv = VNET_API_ERROR_UNIMPLEMENTED;
759 #endif
760 
761  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY);
762 }
763 
764 static void
766 {
767  vl_api_ikev2_profile_set_ts_reply_t *rmp;
768  int rv = 0;
769 
770 #if WITH_LIBSSL > 0
772  clib_error_t *error;
773  u8 *tmp = format (0, "%s", mp->name);
774  error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port,
775  mp->end_port, (ip4_address_t) mp->start_addr,
776  (ip4_address_t) mp->end_addr, mp->is_local);
777  vec_free (tmp);
778  if (error)
779  rv = VNET_API_ERROR_UNSPECIFIED;
780 #else
781  rv = VNET_API_ERROR_UNIMPLEMENTED;
782 #endif
783 
784  REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY);
785 }
786 
787 static void
789 {
790  vl_api_ikev2_profile_set_ts_reply_t *rmp;
791  int rv = 0;
792 
793 #if WITH_LIBSSL > 0
795  clib_error_t *error;
796 
797  error = ikev2_set_local_key (vm, mp->key_file);
798  if (error)
799  rv = VNET_API_ERROR_UNSPECIFIED;
800 #else
801  rv = VNET_API_ERROR_UNIMPLEMENTED;
802 #endif
803 
804  REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
805 }
806 
807 static void
809 {
810  vl_api_ikev2_set_responder_reply_t *rmp;
811  int rv = 0;
812 
813 #if WITH_LIBSSL > 0
815  clib_error_t *error;
816 
817  u8 *tmp = format (0, "%s", mp->name);
818  ip4_address_t ip4;
819  clib_memcpy (&ip4, mp->address, sizeof (ip4));
820 
821  error = ikev2_set_profile_responder (vm, tmp, mp->sw_if_index, ip4);
822  vec_free (tmp);
823  if (error)
824  rv = VNET_API_ERROR_UNSPECIFIED;
825 #else
826  rv = VNET_API_ERROR_UNIMPLEMENTED;
827 #endif
828 
829  REPLY_MACRO (VL_API_IKEV2_SET_RESPONDER_REPLY);
830 }
831 
832 static void
834  mp)
835 {
836  vl_api_ikev2_set_ike_transforms_reply_t *rmp;
837  int rv = 0;
838 
839 #if WITH_LIBSSL > 0
841  clib_error_t *error;
842 
843  u8 *tmp = format (0, "%s", mp->name);
844 
845  error =
847  mp->dh_group, mp->crypto_key_size);
848  vec_free (tmp);
849  if (error)
850  rv = VNET_API_ERROR_UNSPECIFIED;
851 #else
852  rv = VNET_API_ERROR_UNIMPLEMENTED;
853 #endif
854 
855  REPLY_MACRO (VL_API_IKEV2_SET_IKE_TRANSFORMS_REPLY);
856 }
857 
858 static void
860  mp)
861 {
862  vl_api_ikev2_set_esp_transforms_reply_t *rmp;
863  int rv = 0;
864 
865 #if WITH_LIBSSL > 0
867  clib_error_t *error;
868 
869  u8 *tmp = format (0, "%s", mp->name);
870 
871  error =
873  mp->dh_group, mp->crypto_key_size);
874  vec_free (tmp);
875  if (error)
876  rv = VNET_API_ERROR_UNSPECIFIED;
877 #else
878  rv = VNET_API_ERROR_UNIMPLEMENTED;
879 #endif
880 
881  REPLY_MACRO (VL_API_IKEV2_SET_ESP_TRANSFORMS_REPLY);
882 }
883 
884 static void
886 {
887  vl_api_ikev2_set_sa_lifetime_reply_t *rmp;
888  int rv = 0;
889 
890 #if WITH_LIBSSL > 0
892  clib_error_t *error;
893 
894  u8 *tmp = format (0, "%s", mp->name);
895 
896  error =
898  mp->handover, mp->lifetime_maxdata);
899  vec_free (tmp);
900  if (error)
901  rv = VNET_API_ERROR_UNSPECIFIED;
902 #else
903  rv = VNET_API_ERROR_UNIMPLEMENTED;
904 #endif
905 
906  REPLY_MACRO (VL_API_IKEV2_SET_SA_LIFETIME_REPLY);
907 }
908 
909 static void
911 {
912  vl_api_ikev2_initiate_sa_init_reply_t *rmp;
913  int rv = 0;
914 
915 #if WITH_LIBSSL > 0
917  clib_error_t *error;
918 
919  u8 *tmp = format (0, "%s", mp->name);
920 
921  error = ikev2_initiate_sa_init (vm, tmp);
922  vec_free (tmp);
923  if (error)
924  rv = VNET_API_ERROR_UNSPECIFIED;
925 #else
926  rv = VNET_API_ERROR_UNIMPLEMENTED;
927 #endif
928 
929  REPLY_MACRO (VL_API_IKEV2_INITIATE_SA_INIT_REPLY);
930 }
931 
932 static void
934  * mp)
935 {
936  vl_api_ikev2_initiate_del_ike_sa_reply_t *rmp;
937  int rv = 0;
938 
939 #if WITH_LIBSSL > 0
941  clib_error_t *error;
942 
943  error = ikev2_initiate_delete_ike_sa (vm, mp->ispi);
944  if (error)
945  rv = VNET_API_ERROR_UNSPECIFIED;
946 #else
947  rv = VNET_API_ERROR_UNIMPLEMENTED;
948 #endif
949 
950  REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_IKE_SA_REPLY);
951 }
952 
953 static void
956 {
957  vl_api_ikev2_initiate_del_child_sa_reply_t *rmp;
958  int rv = 0;
959 
960 #if WITH_LIBSSL > 0
962  clib_error_t *error;
963 
964  error = ikev2_initiate_delete_child_sa (vm, mp->ispi);
965  if (error)
966  rv = VNET_API_ERROR_UNSPECIFIED;
967 #else
968  rv = VNET_API_ERROR_UNIMPLEMENTED;
969 #endif
970 
971  REPLY_MACRO (VL_API_IKEV2_INITIATE_DEL_CHILD_SA_REPLY);
972 }
973 
974 static void
977 {
978  vl_api_ikev2_initiate_rekey_child_sa_reply_t *rmp;
979  int rv = 0;
980 
981 #if WITH_LIBSSL > 0
983  clib_error_t *error;
984 
985  error = ikev2_initiate_rekey_child_sa (vm, mp->ispi);
986  if (error)
987  rv = VNET_API_ERROR_UNSPECIFIED;
988 #else
989  rv = VNET_API_ERROR_UNIMPLEMENTED;
990 #endif
991 
992  REPLY_MACRO (VL_API_IKEV2_INITIATE_REKEY_CHILD_SA_REPLY);
993 }
994 
995 /*
996  * ipsec_api_hookup
997  * Add vpe's API message handlers to the table.
998  * vlib has already mapped shared memory and
999  * added the client registration handlers.
1000  * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
1001  */
1002 #define vl_msg_name_crc_list
1003 #include <vnet/vnet_all_api_h.h>
1004 #undef vl_msg_name_crc_list
1005 
1006 static void
1008 {
1009 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
1010  foreach_vl_msg_name_crc_ipsec;
1011 #undef _
1012 }
1013 
1014 static void
1016 {
1018  ipsec_main_t *im = &ipsec_main;
1019  u32 context = mp->context;
1020 
1022 
1023  if (rp == 0)
1024  {
1025  clib_warning ("Client %d AWOL", mp->client_index);
1026  return;
1027  }
1028 
1029  ipsec_ah_backend_t *ab;
1030  ipsec_esp_backend_t *eb;
1031  /* *INDENT-OFF* */
1032  pool_foreach (ab, im->ah_backends, {
1033  vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1034  clib_memset (mp, 0, sizeof (*mp));
1035  mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
1036  mp->context = context;
1037  snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
1038  ab->name);
1039  mp->protocol = IPSEC_PROTOCOL_AH;
1040  mp->index = ab - im->ah_backends;
1041  mp->active = mp->index == im->ah_current_backend ? 1 : 0;
1042  vl_api_send_msg (rp, (u8 *)mp);
1043  });
1044  pool_foreach (eb, im->esp_backends, {
1045  vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1046  clib_memset (mp, 0, sizeof (*mp));
1047  mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
1048  mp->context = context;
1049  snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
1050  eb->name);
1051  mp->protocol = IPSEC_PROTOCOL_ESP;
1052  mp->index = eb - im->esp_backends;
1053  mp->active = mp->index == im->esp_current_backend ? 1 : 0;
1054  vl_api_send_msg (rp, (u8 *)mp);
1055  });
1056  /* *INDENT-ON* */
1057 }
1058 
1059 static void
1061 {
1062  ipsec_main_t *im = &ipsec_main;
1063  vl_api_ipsec_select_backend_reply_t *rmp;
1064  int rv = 0;
1065  if (pool_elts (im->sad) > 0)
1066  {
1067  rv = VNET_API_ERROR_INSTANCE_IN_USE;
1068  goto done;
1069  }
1070 #if WITH_LIBSSL > 0
1071  switch (mp->protocol)
1072  {
1073  case IPSEC_PROTOCOL_ESP:
1074  if (pool_is_free_index (im->esp_backends, mp->index))
1075  {
1076  rv = VNET_API_ERROR_INVALID_VALUE;
1077  break;
1078  }
1079  ipsec_select_esp_backend (im, mp->index);
1080  break;
1081  case IPSEC_PROTOCOL_AH:
1082  if (pool_is_free_index (im->ah_backends, mp->index))
1083  {
1084  rv = VNET_API_ERROR_INVALID_VALUE;
1085  break;
1086  }
1087  ipsec_select_ah_backend (im, mp->index);
1088  break;
1089  default:
1090  rv = VNET_API_ERROR_INVALID_VALUE;
1091  break;
1092  }
1093 #else
1094  clib_warning ("unimplemented"); /* FIXME */
1095 #endif
1096 done:
1097  REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
1098 }
1099 
1100 static clib_error_t *
1102 {
1103  api_main_t *am = &api_main;
1104 
1105 #define _(N,n) \
1106  vl_msg_api_set_handlers(VL_API_##N, #n, \
1107  vl_api_##n##_t_handler, \
1108  vl_noop_handler, \
1109  vl_api_##n##_t_endian, \
1110  vl_api_##n##_t_print, \
1111  sizeof(vl_api_##n##_t), 1);
1113 #undef _
1114 
1115  /*
1116  * Set up the (msg_name, crc, message-id) table
1117  */
1119 
1120  return 0;
1121 }
1122 
1124 
1125 /*
1126  * fd.io coding-style-patch-verification: ON
1127  *
1128  * Local Variables:
1129  * eval: (c-set-style "gnu")
1130  * End:
1131  */
ip46_address_t stop
Definition: ipsec.h:158
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
Definition: ipsec_if.c:478
static void vl_api_ikev2_profile_set_auth_t_handler(vl_api_ikev2_profile_set_auth_t *mp)
Definition: ipsec_api.c:715
static void vl_api_ipsec_sa_set_key_t_handler(vl_api_ipsec_sa_set_key_t *mp)
Definition: ipsec_api.c:427
static void vl_api_ikev2_set_local_key_t_handler(vl_api_ikev2_set_local_key_t *mp)
Definition: ipsec_api.c:788
ipsec_spd_t * spds
Definition: ipsec.h:352
int ipsec_set_interface_sa(vnet_main_t *vnm, u32 hw_if_index, u32 sa_id, u8 is_outbound)
Definition: ipsec_if.c:528
u8 crypto_algorithm
Definition: ipsec.api:152
u8 use_extended_sequence_number
Definition: ipsec.api:160
u32 sa_id
Definition: ipsec.api:105
u8 integrity_key_length
Definition: ipsec.api:157
clib_error_t * ikev2_set_profile_responder(vlib_main_t *vm, u8 *name, u32 sw_if_index, ip4_address_t ip4)
Definition: ikev2.c:2824
ipsec_tunnel_if_t * tunnel_interfaces
Definition: ipsec.h:356
u16 stop
Definition: ipsec.h:163
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add)
Definition: ipsec.c:154
ip46_address_t tunnel_src_addr
Definition: ipsec.h:139
IKEv2: Set Child SA lifetime, limited by time and/or data.
Definition: ipsec.api:372
u32 id
Definition: ipsec.h:121
IPsec: SPD interface response.
Definition: ipsec.api:537
clib_error_t * ikev2_add_del_profile(vlib_main_t *vm, u8 *name, int is_add)
Definition: ikev2.c:2683
static void vl_api_ikev2_initiate_rekey_child_sa_t_handler(vl_api_ikev2_initiate_rekey_child_sa_t *mp)
Definition: ipsec_api.c:976
static void vl_api_ipsec_tunnel_if_set_key_t_handler(vl_api_ipsec_tunnel_if_set_key_t *mp)
Definition: ipsec_api.c:616
u8 tunnel_dst_address[16]
Definition: ipsec.api:166
Dump IPsec backends.
Definition: ipsec.api:717
IKEv2: Add/delete profile.
Definition: ipsec.api:204
u16 local_port_start
Definition: ipsec.api:100
VLIB_API_INIT_FUNCTION(ipsec_api_hookup)
i32 priority
Definition: ipsec.h:211
IPsec: Update Security Association keys.
Definition: ipsec.api:183
unsigned long u64
Definition: types.h:89
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Definition: ipsec.c:44
clib_error_t * ikev2_initiate_delete_ike_sa(vlib_main_t *vm, u64 ispi)
Definition: ikev2.c:3143
u8 is_add
Definition: ipsec.api:82
#define REPLY_MACRO2(t, body)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
static void vl_api_send_msg(vl_api_registration_t *rp, u8 *elem)
Definition: api.h:34
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:129
IPsec: Add/delete Security Policy Database entry.
Definition: ipsec.api:78
static void setup_message_id_table(api_main_t *am)
Definition: ipsec_api.c:1007
u8 is_tunnel
Definition: ipsec.h:136
static void vl_api_ipsec_sa_dump_t_handler(vl_api_ipsec_sa_dump_t *mp)
Definition: ipsec_api.c:571
static vnet_sw_interface_t * vnet_get_sw_interface(vnet_main_t *vnm, u32 sw_if_index)
static void vl_api_ipsec_spd_add_del_entry_t_handler(vl_api_ipsec_spd_add_del_entry_t *mp)
Definition: ipsec_api.c:123
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:672
clib_error_t * ikev2_set_profile_sa_lifetime(vlib_main_t *vm, u8 *name, u64 lifetime, u32 jitter, u32 handover, u64 maxdata)
Definition: ikev2.c:2895
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:419
u8 policy
Definition: ipsec.api:104
u16 remote_port_stop
Definition: ipsec.api:99
void * vl_msg_api_alloc(int nbytes)
u8 crypto_key[128]
Definition: ipsec.api:154
unsigned char u8
Definition: types.h:56
#define foreach_vpe_api_msg
Definition: ipsec_api.c:51
#define pool_len(p)
Number of elements in pool vector.
Definition: pool.h:140
u8 crypto_key[128]
Definition: ipsec.h:127
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Definition: ipsec.c:93
u8 protocol
Definition: ipsec.api:96
u32 spi
Definition: ipsec.h:122
port_range_t lport
Definition: ipsec.h:219
u32 seq_hi
Definition: ipsec.h:147
uword * spd_index_by_sw_if_index
Definition: ipsec.h:372
static void vl_api_ipsec_interface_add_del_spd_t_handler(vl_api_ipsec_interface_add_del_spd_t *mp)
Definition: ipsec_api.c:98
#define clib_memcpy(d, s, n)
Definition: string.h:180
u8 udp_encap
Definition: ipsec.api:167
IKEv2: Set IKEv2 IKE transforms in SA_INIT proposal (RFC 7296)
Definition: ipsec.api:326
u64 replay_window
Definition: ipsec.h:150
u32 spd_id
Definition: ipsec.api:84
u8 local_address_start[16]
Definition: ipsec.api:93
u8 integ_key[128]
Definition: ipsec.h:131
Select IPsec backend.
Definition: ipsec.api:742
u8 is_tunnel
Definition: ipsec.api:163
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:490
u8 crypto_key_length
Definition: ipsec.api:153
u32 sad_id
Definition: ipsec.api:146
ipsec_main_t ipsec_main
Definition: ipsec.c:30
u32 sw_if_index
Definition: vxlan_gbp.api:37
clib_error_t * ikev2_initiate_sa_init(vlib_main_t *vm, u8 *name)
Definition: ikev2.c:2918
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:311
clib_error_t * ikev2_set_profile_auth(vlib_main_t *vm, u8 *name, u8 auth_method, u8 *auth_data, u8 data_hex_format)
Definition: ikev2.c:2714
static void vl_api_ipsec_tunnel_if_add_del_t_handler(vl_api_ipsec_tunnel_if_add_del_t *mp)
Definition: ipsec_api.c:449
static void vl_api_ikev2_set_responder_t_handler(vl_api_ikev2_set_responder_t *mp)
Definition: ipsec_api.c:808
u8 use_esn
Definition: ipsec.h:133
Set key on IPsec interface.
Definition: ipsec.api:688
static void vl_api_ipsec_backend_dump_t_handler(vl_api_ipsec_backend_dump_t *mp)
Definition: ipsec_api.c:1015
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:693
#define hash_foreach(key_var, value_var, h, body)
Definition: hash.h:442
ip4_address_t remote_ip
Definition: ipsec.h:171
static void vl_api_ipsec_spd_dump_t_handler(vl_api_ipsec_spd_dump_t *mp)
Definition: ipsec_api.c:339
static void vl_api_ipsec_spd_interface_dump_t_handler(vl_api_ipsec_spd_interface_dump_t *mp)
Definition: ipsec_api.c:390
u16 start
Definition: ipsec.h:163
static void vl_api_ikev2_profile_set_ts_t_handler(vl_api_ikev2_profile_set_ts_t *mp)
Definition: ipsec_api.c:765
IKEv2: Initiate the delete Child SA exchange.
Definition: ipsec.api:421
clib_error_t * ikev2_set_profile_esp_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2870
unsigned int u32
Definition: types.h:88
IKEv2: Set IKEv2 profile local/remote identification.
Definition: ipsec.api:245
IKEv2: Set IKEv2 profile traffic selector parameters.
Definition: ipsec.api:269
static void vl_api_ikev2_initiate_del_child_sa_t_handler(vl_api_ikev2_initiate_del_child_sa_t *mp)
Definition: ipsec_api.c:955
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:58
ipsec_policy_t * policies
Definition: ipsec.h:235
i32 priority
Definition: ipsec.api:85
u8 udp_encap
Definition: ipsec.h:138
static void vl_api_ipsec_spd_add_del_t_handler(vl_api_ipsec_spd_add_del_t *mp)
Definition: ipsec_api.c:81
u8 local_address_stop[16]
Definition: ipsec.api:94
u32 last_seq
Definition: ipsec.h:148
#define hash_get(h, key)
Definition: hash.h:249
clib_error_t * ikev2_set_profile_id(vlib_main_t *vm, u8 *name, u8 id_type, u8 *data, int is_local)
Definition: ikev2.c:2746
u32 tx_fib_index
Definition: ipsec.h:142
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:511
counter_t packets
packet counter
Definition: counter_types.h:28
Dump IPsec all SPD IDs response.
Definition: ipsec.api:458
Add/delete IPsec tunnel interface response.
Definition: ipsec.api:599
u8 is_tunnel_ip6
Definition: ipsec.h:137
IKEv2: Initiate the rekey Child SA exchange.
Definition: ipsec.api:436
IPsec: Add/delete Security Policy Database.
Definition: ipsec.api:25
u32 salt
Definition: ipsec.h:143
vnet_main_t * vnet_main
Definition: ipsec.h:365
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:579
u32 last_seq_hi
Definition: ipsec.h:149
clib_error_t * ikev2_initiate_delete_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3103
static void vl_api_ikev2_initiate_sa_init_t_handler(vl_api_ikev2_initiate_sa_init_t *mp)
Definition: ipsec_api.c:910
#define REPLY_MACRO(t)
static void vl_api_ikev2_set_sa_lifetime_t_handler(vl_api_ikev2_set_sa_lifetime_t *mp)
Definition: ipsec_api.c:885
ip46_address_range_t laddr
Definition: ipsec.h:216
u8 is_add
Definition: ipsec.api:144
static void send_ipsec_sa_details(ipsec_sa_t *sa, vl_api_registration_t *reg, u32 context, u32 sw_if_index)
Definition: ipsec_api.c:503
u16 local_port_stop
Definition: ipsec.api:101
static void vl_api_ikev2_set_ike_transforms_t_handler(vl_api_ikev2_set_ike_transforms_t *mp)
Definition: ipsec_api.c:833
uword * spd_index_by_spd_id
Definition: ipsec.h:371
clib_error_t * ikev2_set_local_key(vlib_main_t *vm, u8 *file)
Definition: ikev2.c:2671
clib_error_t * ikev2_set_profile_ts(vlib_main_t *vm, u8 *name, u8 protocol_id, u16 start_port, u16 end_port, ip4_address_t start_addr, ip4_address_t end_addr, int is_local)
Definition: ikev2.c:2785
static void vl_api_ipsec_tunnel_if_set_sa_t_handler(vl_api_ipsec_tunnel_if_set_sa_t *mp)
Definition: ipsec_api.c:671
API main structure, used by both vpp and binary API clients.
Definition: api_common.h:202
ip46_address_t tunnel_dst_addr
Definition: ipsec.h:140
An API client registration, only in vpp/vlib.
Definition: api_common.h:45
#define BAD_SW_IF_INDEX_LABEL
IPsec: Add/delete SPD from interface.
Definition: ipsec.api:43
clib_error_t * ikev2_initiate_rekey_child_sa(vlib_main_t *vm, u32 ispi)
Definition: ikev2.c:3253
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:174
u16 remote_port_start
Definition: ipsec.api:98
static void vl_api_ikev2_set_esp_transforms_t_handler(vl_api_ikev2_set_esp_transforms_t *mp)
Definition: ipsec_api.c:859
vlib_main_t * vm
Definition: buffer.c:301
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:398
u8 remote_address_stop[16]
Definition: ipsec.api:92
int ipsec_add_del_sa(vlib_main_t *vm, ipsec_sa_t *new_sa, int is_add)
Definition: ipsec.c:432
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:341
IPsec: Add/delete Security Association Database entry.
Definition: ipsec.api:140
Dump IPsec all SPD IDs.
Definition: ipsec.api:448
ip46_address_t start
Definition: ipsec.h:158
#define clib_warning(format, args...)
Definition: error.h:59
u8 remote_address_start[16]
Definition: ipsec.api:91
int ipsec_set_sa_key(vlib_main_t *vm, ipsec_sa_t *sa_update)
Definition: ipsec.c:477
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
Definition: pool.h:283
u8 tunnel_src_address[16]
Definition: ipsec.api:165
Set new SA on IPsec interface.
Definition: ipsec.api:705
IKEv2: Initiate the SA_INIT exchange.
Definition: ipsec.api:391
static vl_api_registration_t * vl_api_client_index_to_registration(u32 index)
Definition: api.h:56
static void vl_api_ipsec_sad_add_del_entry_t_handler(vl_api_ipsec_sad_add_del_entry_t *mp)
Definition: ipsec_api.c:187
static void vl_api_ipsec_spds_dump_t_handler(vl_api_ipsec_spds_dump_t *mp)
Definition: ipsec_api.c:276
static void send_ipsec_spd_interface_details(vl_api_registration_t *reg, u32 spd_index, u32 sw_if_index, u32 context)
Definition: ipsec_api.c:373
port_range_t rport
Definition: ipsec.h:220
ip46_address_range_t raddr
Definition: ipsec.h:217
static void send_ipsec_spd_details(ipsec_policy_t *p, vl_api_registration_t *reg, u32 context)
Definition: ipsec_api.c:297
Dump IPsec security association.
Definition: ipsec.api:610
IKEv2: Set IKEv2 responder interface and IP address.
Definition: ipsec.api:305
u32 spi
Definition: ipsec.api:148
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:179
ip4_address_t local_ip
Definition: ipsec.h:171
ipsec_sa_t * sad
Definition: ipsec.h:353
IKEv2: Initiate the delete IKE SA exchange.
Definition: ipsec.api:406
u32 fib_table_get_table_id(u32 fib_index, fib_protocol_t proto)
Get the Table-ID of the FIB from protocol and index.
Definition: fib_table.c:1053
u64 total_data_size
Definition: ipsec.h:153
IKEv2: Set IKEv2 profile authentication method.
Definition: ipsec.api:223
u8 integ_key_len
Definition: ipsec.h:130
Dump ipsec policy database data.
Definition: ipsec.api:470
u8 use_anti_replay
Definition: ipsec.api:161
ipsec_protocol_t protocol
Definition: ipsec.h:123
static void send_ipsec_spds_details(ipsec_spd_t *spd, vl_api_registration_t *reg, u32 context)
Definition: ipsec_api.c:259
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
u32 seq
Definition: ipsec.h:146
IPsec policy database response.
Definition: ipsec.api:497
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:90
IPsec: Get SPD interfaces.
Definition: ipsec.api:525
u8 crypto_key_len
Definition: ipsec.h:126
counter_t bytes
byte counter
Definition: counter_types.h:29
static void vl_api_ikev2_profile_set_id_t_handler(vl_api_ikev2_profile_set_id_t *mp)
Definition: ipsec_api.c:740
int ipsec_add_del_tunnel_if_internal(vnet_main_t *vnm, ipsec_add_del_tunnel_args_t *args, u32 *sw_if_index)
Definition: ipsec_if.c:254
IKEv2: Set IKEv2 local RSA private key.
Definition: ipsec.api:289
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
vlib_counter_t counter
Definition: ipsec.h:228
u8 is_outbound
Definition: ipsec.h:212
u8 integrity_algorithm
Definition: ipsec.api:156
u8 integrity_key[128]
Definition: ipsec.api:158
u8 is_tunnel_ipv6
Definition: ipsec.api:164
u64 uword
Definition: types.h:112
clib_error_t * ikev2_set_profile_ike_transforms(vlib_main_t *vm, u8 *name, ikev2_transform_encr_type_t crypto_alg, ikev2_transform_integ_type_t integ_alg, ikev2_transform_dh_type_t dh_type, u32 crypto_key_size)
Definition: ikev2.c:2845
IKEv2: Set IKEv2 ESP transforms in SA_INIT proposal (RFC 7296)
Definition: ipsec.api:349
vl_api_gbp_endpoint_tun_t tun
Definition: gbp.api:119
u32 id
Definition: ipsec.h:233
static void vl_api_ikev2_profile_add_del_t_handler(vl_api_ikev2_profile_add_del_t *mp)
Definition: ipsec_api.c:693
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:125
static void vl_api_ikev2_initiate_del_ike_sa_t_handler(vl_api_ikev2_initiate_del_ike_sa_t *mp)
Definition: ipsec_api.c:933
static clib_error_t * ipsec_api_hookup(vlib_main_t *vm)
Definition: ipsec_api.c:1101
u8 is_outbound
Definition: ipsec.api:86
u8 is_ipv6
Definition: ipsec.api:89
static void vl_api_ipsec_select_backend_t_handler(vl_api_ipsec_select_backend_t *mp)
Definition: ipsec_api.c:1060
IPsec security association database response.
Definition: ipsec.api:644
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:400
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Definition: vec.h:488
u8 use_anti_replay
Definition: ipsec.h:134
api_main_t api_main
Definition: api_shared.c:35
Add or delete IPsec tunnel interface.
Definition: ipsec.api:568
#define VALIDATE_SW_IF_INDEX(mp)
u8 protocol
Definition: ipsec.api:150
u8 is_ip_any
Definition: ipsec.api:90
static uword pool_elts(void *v)
Number of active elements in a pool.
Definition: pool.h:128