diff options
author | Neale Ranns <neale@graphiant.com> | 2021-06-24 14:57:56 +0000 |
---|---|---|
committer | Matthew Smith <mgsmith@netgate.com> | 2021-06-28 21:26:30 +0000 |
commit | ff2e4138cc020dea4ab0f21f1b172b28f5ed3565 (patch) | |
tree | 9ba66a5ef80aff8d8d8fb56c6f7d1cd873d70380 /src/vnet/ipsec/ipsec_api.c | |
parent | 9c23ff8c8ab2ba881540a1c9c6d331d2ed6c8c6a (diff) |
ipsec: Split the SA add_del API into an separate add and del
Type: improvement
the rationale being that the del only requires the SA's ID, so it's a
bit mean to require the client to fill out all the other information as
well.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
Diffstat (limited to 'src/vnet/ipsec/ipsec_api.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 114 |
1 files changed, 79 insertions, 35 deletions
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index a0c2768318f..73f4474a604 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -291,6 +291,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler int rv; id = ntohl (mp->entry.sad_id); + if (!mp->is_add) + { + rv = ipsec_sa_unlock_id (id); + goto out; + } spi = ntohl (mp->entry.spi); rv = ipsec_proto_decode (mp->entry.protocol, &proto); @@ -316,13 +321,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src); ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst); - if (mp->is_add) - rv = ipsec_sa_add_and_lock ( - id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags, - mp->entry.salt, htons (mp->entry.udp_src_port), - htons (mp->entry.udp_dst_port), &tun, &sa_index); - else - rv = ipsec_sa_unlock_id (id); + rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, mp->entry.salt, + htons (mp->entry.udp_src_port), + htons (mp->entry.udp_dst_port), &tun, &sa_index); out: /* *INDENT-OFF* */ @@ -355,6 +357,12 @@ static void vl_api_ipsec_sad_entry_add_del_v2_t_handler }; id = ntohl (mp->entry.sad_id); + if (!mp->is_add) + { + rv = ipsec_sa_unlock_id (id); + goto out; + } + spi = ntohl (mp->entry.spi); rv = ipsec_proto_decode (mp->entry.protocol, &proto); @@ -387,13 +395,10 @@ static void vl_api_ipsec_sad_entry_add_del_v2_t_handler ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src); ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst); - if (mp->is_add) rv = ipsec_sa_add_and_lock ( id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags, mp->entry.salt, htons (mp->entry.udp_src_port), htons (mp->entry.udp_dst_port), &tun, &sa_index); - else - rv = ipsec_sa_unlock_id (id); out: /* *INDENT-OFF* */ @@ -404,65 +409,104 @@ out: /* *INDENT-ON* */ } -static void -vl_api_ipsec_sad_entry_add_del_v3_t_handler ( - vl_api_ipsec_sad_entry_add_del_v3_t *mp) +static int +ipsec_sad_entry_add_v3 (const vl_api_ipsec_sad_entry_v3_t *entry, + u32 *sa_index) { - vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp; ipsec_key_t crypto_key, integ_key; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; ipsec_protocol_t proto; ipsec_sa_flags_t flags; - u32 id, spi, sa_index = ~0; + u32 id, spi; tunnel_t tun; int rv; - id = ntohl (mp->entry.sad_id); - spi = ntohl (mp->entry.spi); + id = ntohl (entry->sad_id); + spi = ntohl (entry->spi); - rv = ipsec_proto_decode (mp->entry.protocol, &proto); + rv = ipsec_proto_decode (entry->protocol, &proto); if (rv) - goto out; + return (rv); - rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg); + rv = ipsec_crypto_algo_decode (entry->crypto_algorithm, &crypto_alg); if (rv) - goto out; + return (rv); - rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg); + rv = ipsec_integ_algo_decode (entry->integrity_algorithm, &integ_alg); if (rv) - goto out; + return (rv); - flags = ipsec_sa_flags_decode (mp->entry.flags); + flags = ipsec_sa_flags_decode (entry->flags); if (flags & IPSEC_SA_FLAG_IS_TUNNEL) { - rv = tunnel_decode (&mp->entry.tunnel, &tun); + rv = tunnel_decode (&entry->tunnel, &tun); if (rv) - goto out; + return (rv); } - ipsec_key_decode (&mp->entry.crypto_key, &crypto_key); - ipsec_key_decode (&mp->entry.integrity_key, &integ_key); + ipsec_key_decode (&entry->crypto_key, &crypto_key); + ipsec_key_decode (&entry->integrity_key, &integ_key); - if (mp->is_add) - rv = ipsec_sa_add_and_lock ( - id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags, - mp->entry.salt, htons (mp->entry.udp_src_port), - htons (mp->entry.udp_dst_port), &tun, &sa_index); + return ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, entry->salt, + htons (entry->udp_src_port), + htons (entry->udp_dst_port), &tun, sa_index); +} + +static void +vl_api_ipsec_sad_entry_add_del_v3_t_handler ( + vl_api_ipsec_sad_entry_add_del_v3_t *mp) +{ + vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp; + u32 id, sa_index = ~0; + int rv; + + id = ntohl (mp->entry.sad_id); + + if (!mp->is_add) + { + rv = ipsec_sa_unlock_id (id); + } else - rv = ipsec_sa_unlock_id (id); + { + rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index); + } -out: REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V3_REPLY, { rmp->stat_index = htonl (sa_index); }); } static void +vl_api_ipsec_sad_entry_del_t_handler (vl_api_ipsec_sad_entry_del_t *mp) +{ + vl_api_ipsec_sad_entry_del_reply_t *rmp; + int rv; + + rv = ipsec_sa_unlock_id (ntohl (mp->id)); + + REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_DEL_REPLY); +} + +static void +vl_api_ipsec_sad_entry_add_t_handler (vl_api_ipsec_sad_entry_add_t *mp) +{ + vl_api_ipsec_sad_entry_add_reply_t *rmp; + u32 sa_index = ~0; + int rv; + + rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index); + + REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_REPLY, + { rmp->stat_index = htonl (sa_index); }); +} + +static void send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, u32 context) { |