summaryrefslogtreecommitdiffstats
path: root/src/vnet
diff options
context:
space:
mode:
authorPrashant Maheshwari <pmahesh2@cisco.com>2019-11-14 12:42:59 +0530
committerNeale Ranns <nranns@cisco.com>2019-12-03 05:45:27 +0000
commitdbf68c9aa258238260df34c0e864223ea4f3a987 (patch)
tree545f58115df3ef1570ea526675401018cf59ccea /src/vnet
parentabde62fb83ebd0e0e1204fc77affe909fc95ba51 (diff)
ipsec: Changes to make ipsec encoder/decoders reusable by the plugins
Type: fix Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com> Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r--src/vnet/CMakeLists.txt3
-rw-r--r--src/vnet/ipsec/ipsec.api109
-rw-r--r--src/vnet/ipsec/ipsec.h1
-rw-r--r--src/vnet/ipsec/ipsec_api.c148
-rw-r--r--src/vnet/ipsec/ipsec_types.api132
-rw-r--r--src/vnet/ipsec/ipsec_types_api.c177
-rw-r--r--src/vnet/ipsec/ipsec_types_api.h53
7 files changed, 368 insertions, 255 deletions
diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt
index 8afbc1cec13..18898e152d1 100644
--- a/src/vnet/CMakeLists.txt
+++ b/src/vnet/CMakeLists.txt
@@ -584,6 +584,7 @@ list(APPEND VNET_SOURCES
ipsec/ah_decrypt.c
ipsec/ah_encrypt.c
ipsec/ipsec_api.c
+ ipsec/ipsec_types_api.c
)
list(APPEND VNET_MULTIARCH_SOURCES
@@ -596,6 +597,7 @@ list(APPEND VNET_MULTIARCH_SOURCES
ipsec/ipsec_tun_in.c
)
+list(APPEND VNET_API_FILES ipsec/ipsec_types.api)
list(APPEND VNET_API_FILES ipsec/ipsec.api)
list(APPEND VNET_SOURCES
@@ -608,6 +610,7 @@ list(APPEND VNET_HEADERS
ipsec/ipsec_spd_policy.h
ipsec/ipsec_sa.h
ipsec/ipsec_tun.h
+ ipsec/ipsec_types_api.h
ipsec/ipsec_punt.h
ipsec/esp.h
ipsec/ah.h
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 72677d6e0ea..6d34d056003 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -16,7 +16,7 @@
option version = "3.0.0";
-import "vnet/ip/ip_types.api";
+import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
/** \brief IPsec: Add/delete Security Policy Database
@@ -180,113 +180,6 @@ define ipsec_spd_details {
vl_api_ipsec_spd_entry_t entry;
};
-/*
- * @brief Support cryptographic algorithms
- */
-enum ipsec_crypto_alg
-{
- IPSEC_API_CRYPTO_ALG_NONE = 0,
- IPSEC_API_CRYPTO_ALG_AES_CBC_128,
- IPSEC_API_CRYPTO_ALG_AES_CBC_192,
- IPSEC_API_CRYPTO_ALG_AES_CBC_256,
- IPSEC_API_CRYPTO_ALG_AES_CTR_128,
- IPSEC_API_CRYPTO_ALG_AES_CTR_192,
- IPSEC_API_CRYPTO_ALG_AES_CTR_256,
- IPSEC_API_CRYPTO_ALG_AES_GCM_128,
- IPSEC_API_CRYPTO_ALG_AES_GCM_192,
- IPSEC_API_CRYPTO_ALG_AES_GCM_256,
- IPSEC_API_CRYPTO_ALG_DES_CBC,
- IPSEC_API_CRYPTO_ALG_3DES_CBC,
-};
-
-/*
- * @brief Supported Integrity Algorithms
- */
-enum ipsec_integ_alg
-{
- IPSEC_API_INTEG_ALG_NONE = 0,
- /* RFC2403 */
- IPSEC_API_INTEG_ALG_MD5_96,
- /* RFC2404 */
- IPSEC_API_INTEG_ALG_SHA1_96,
- /* draft-ietf-ipsec-ciph-sha-256-00 */
- IPSEC_API_INTEG_ALG_SHA_256_96,
- /* RFC4868 */
- IPSEC_API_INTEG_ALG_SHA_256_128,
- /* RFC4868 */
- IPSEC_API_INTEG_ALG_SHA_384_192,
- /* RFC4868 */
- IPSEC_API_INTEG_ALG_SHA_512_256,
-};
-
-enum ipsec_sad_flags
-{
- IPSEC_API_SAD_FLAG_NONE = 0,
- /* Enable extended sequence numbers */
- IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
- /* Enable Anti-replay */
- IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
- /* IPsec tunnel mode if non-zero, else transport mode */
- IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
- /* IPsec tunnel mode is IPv6 if non-zero,
- * else IPv4 tunnel only valid if is_tunnel is non-zero */
- IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
- /* enable UDP encapsulation for NAT traversal */
- IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
-};
-
-enum ipsec_proto
-{
- IPSEC_API_PROTO_ESP,
- IPSEC_API_PROTO_AH,
-};
-
-typedef key
-{
- /* the length of the key */
- u8 length;
- /* The data for the key */
- u8 data[128];
-};
-
-/** \brief IPsec: Security Association Database entry
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param is_add - add SAD entry if non-zero, else delete
- @param sad_id - sad id
- @param spi - security parameter index
- @param protocol - 0 = AH, 1 = ESP
- @param crypto_algorithm - a supported crypto algorithm
- @param crypto_key - crypto keying material
- @param integrity_algorithm - one of the supported algorithms
- @param integrity_key - integrity keying material
- @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
- @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
- @param tx_table_id - the FIB id used for encapsulated packets
- @param salt - for use with counter mode ciphers
- */
-typedef ipsec_sad_entry
-{
- u32 sad_id;
-
- u32 spi;
-
- vl_api_ipsec_proto_t protocol;
-
- vl_api_ipsec_crypto_alg_t crypto_algorithm;
- vl_api_key_t crypto_key;
-
- vl_api_ipsec_integ_alg_t integrity_algorithm;
- vl_api_key_t integrity_key;
-
- vl_api_ipsec_sad_flags_t flags;
-
- vl_api_address_t tunnel_src;
- vl_api_address_t tunnel_dst;
- u32 tx_table_id;
- u32 salt;
-};
-
/** \brief IPsec: Add/delete Security Association Database entry
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index be928a2572e..975ebc63a48 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -245,6 +245,7 @@ ipsec_sa_get (u32 sa_index)
void ipsec_add_feature (const char *arc_name, const char *node_name,
u32 * out_feature_index);
+
#endif /* __IPSEC_H__ */
/*
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 6784f0b08f9..893eee45ac9 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -24,6 +24,7 @@
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/ip/ip_types_api.h>
+#include <vnet/ipsec/ipsec_types_api.h>
#include <vnet/fib/fib.h>
#include <vnet/ipip/ipip.h>
@@ -321,153 +322,6 @@ out:
/* *INDENT-ON* */
}
-static int
-ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
-{
- in = clib_net_to_host_u32 (in);
-
- switch (in)
- {
- case IPSEC_API_PROTO_ESP:
- *out = IPSEC_PROTOCOL_ESP;
- return (0);
- case IPSEC_API_PROTO_AH:
- *out = IPSEC_PROTOCOL_AH;
- return (0);
- }
- return (VNET_API_ERROR_INVALID_PROTOCOL);
-}
-
-static vl_api_ipsec_proto_t
-ipsec_proto_encode (ipsec_protocol_t p)
-{
- switch (p)
- {
- case IPSEC_PROTOCOL_ESP:
- return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
- case IPSEC_PROTOCOL_AH:
- return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
- }
- return (VNET_API_ERROR_UNIMPLEMENTED);
-}
-
-static int
-ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
- ipsec_crypto_alg_t * out)
-{
- in = clib_net_to_host_u32 (in);
-
- switch (in)
- {
-#define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \
- *out = IPSEC_CRYPTO_ALG_##f; \
- return (0);
- foreach_ipsec_crypto_alg
-#undef _
- }
- return (VNET_API_ERROR_INVALID_ALGORITHM);
-}
-
-static vl_api_ipsec_crypto_alg_t
-ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
-{
- switch (c)
- {
-#define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \
- return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
- foreach_ipsec_crypto_alg
-#undef _
- case IPSEC_CRYPTO_N_ALG:
- break;
- }
- ASSERT (0);
- return (VNET_API_ERROR_UNIMPLEMENTED);
-}
-
-static int
-ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
-{
- in = clib_net_to_host_u32 (in);
-
- switch (in)
- {
-#define _(v,f,s) case IPSEC_API_INTEG_ALG_##f: \
- *out = IPSEC_INTEG_ALG_##f; \
- return (0);
- foreach_ipsec_integ_alg
-#undef _
- }
- return (VNET_API_ERROR_INVALID_ALGORITHM);
-}
-
-static vl_api_ipsec_integ_alg_t
-ipsec_integ_algo_encode (ipsec_integ_alg_t i)
-{
- switch (i)
- {
-#define _(v,f,s) case IPSEC_INTEG_ALG_##f: \
- return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
- foreach_ipsec_integ_alg
-#undef _
- case IPSEC_INTEG_N_ALG:
- break;
- }
- ASSERT (0);
- return (VNET_API_ERROR_UNIMPLEMENTED);
-}
-
-static void
-ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
-{
- ipsec_mk_key (out, key->data, key->length);
-}
-
-static void
-ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
-{
- out->length = in->len;
- clib_memcpy (out->data, in->data, out->length);
-}
-
-static ipsec_sa_flags_t
-ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
-{
- ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
- in = clib_net_to_host_u32 (in);
-
- if (in & IPSEC_API_SAD_FLAG_USE_ESN)
- flags |= IPSEC_SA_FLAG_USE_ESN;
- if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
- if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
- flags |= IPSEC_SA_FLAG_IS_TUNNEL;
- if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
- flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
- if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
-
- return (flags);
-}
-
-static vl_api_ipsec_sad_flags_t
-ipsec_sad_flags_encode (const ipsec_sa_t * sa)
-{
- vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
-
- if (ipsec_sa_is_set_USE_ESN (sa))
- flags |= IPSEC_API_SAD_FLAG_USE_ESN;
- if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
- flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
- flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
- if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
- flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
- if (ipsec_sa_is_set_UDP_ENCAP (sa))
- flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
-
- return clib_host_to_net_u32 (flags);
-}
-
static void vl_api_ipsec_sad_entry_add_del_t_handler
(vl_api_ipsec_sad_entry_add_del_t * mp)
{
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
new file mode 100644
index 00000000000..3015613b3c9
--- /dev/null
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -0,0 +1,132 @@
+/* Hey Emacs use -*- mode: C -*- */
+/*
+ * Copyright (c) 2015-2016 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+option version = "3.0.0";
+
+import "vnet/ip/ip_types.api";
+
+/*
+ * @brief Support cryptographic algorithms
+ */
+enum ipsec_crypto_alg
+{
+ IPSEC_API_CRYPTO_ALG_NONE = 0,
+ IPSEC_API_CRYPTO_ALG_AES_CBC_128,
+ IPSEC_API_CRYPTO_ALG_AES_CBC_192,
+ IPSEC_API_CRYPTO_ALG_AES_CBC_256,
+ IPSEC_API_CRYPTO_ALG_AES_CTR_128,
+ IPSEC_API_CRYPTO_ALG_AES_CTR_192,
+ IPSEC_API_CRYPTO_ALG_AES_CTR_256,
+ IPSEC_API_CRYPTO_ALG_AES_GCM_128,
+ IPSEC_API_CRYPTO_ALG_AES_GCM_192,
+ IPSEC_API_CRYPTO_ALG_AES_GCM_256,
+ IPSEC_API_CRYPTO_ALG_DES_CBC,
+ IPSEC_API_CRYPTO_ALG_3DES_CBC,
+};
+
+/*
+ * @brief Supported Integrity Algorithms
+ */
+enum ipsec_integ_alg
+{
+ IPSEC_API_INTEG_ALG_NONE = 0,
+ /* RFC2403 */
+ IPSEC_API_INTEG_ALG_MD5_96,
+ /* RFC2404 */
+ IPSEC_API_INTEG_ALG_SHA1_96,
+ /* draft-ietf-ipsec-ciph-sha-256-00 */
+ IPSEC_API_INTEG_ALG_SHA_256_96,
+ /* RFC4868 */
+ IPSEC_API_INTEG_ALG_SHA_256_128,
+ /* RFC4868 */
+ IPSEC_API_INTEG_ALG_SHA_384_192,
+ /* RFC4868 */
+ IPSEC_API_INTEG_ALG_SHA_512_256,
+};
+
+enum ipsec_sad_flags
+{
+ IPSEC_API_SAD_FLAG_NONE = 0,
+ /* Enable extended sequence numbers */
+ IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
+ /* Enable Anti-replay */
+ IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
+ /* IPsec tunnel mode if non-zero, else transport mode */
+ IPSEC_API_SAD_FLAG_IS_TUNNEL = 0x04,
+ /* IPsec tunnel mode is IPv6 if non-zero,
+ * else IPv4 tunnel only valid if is_tunnel is non-zero */
+ IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
+ /* enable UDP encapsulation for NAT traversal */
+ IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
+};
+
+enum ipsec_proto
+{
+ IPSEC_API_PROTO_ESP,
+ IPSEC_API_PROTO_AH,
+};
+
+typedef key
+{
+ /* the length of the key */
+ u8 length;
+ /* The data for the key */
+ u8 data[128];
+};
+
+/** \brief IPsec: Security Association Database entry
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param is_add - add SAD entry if non-zero, else delete
+ @param sad_id - sad id
+ @param spi - security parameter index
+ @param protocol - 0 = AH, 1 = ESP
+ @param crypto_algorithm - a supported crypto algorithm
+ @param crypto_key - crypto keying material
+ @param integrity_algorithm - one of the supported algorithms
+ @param integrity_key - integrity keying material
+ @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
+ @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
+ @param tx_table_id - the FIB id used for encapsulated packets
+ @param salt - for use with counter mode ciphers
+ */
+typedef ipsec_sad_entry
+{
+ u32 sad_id;
+
+ u32 spi;
+
+ vl_api_ipsec_proto_t protocol;
+
+ vl_api_ipsec_crypto_alg_t crypto_algorithm;
+ vl_api_key_t crypto_key;
+
+ vl_api_ipsec_integ_alg_t integrity_algorithm;
+ vl_api_key_t integrity_key;
+
+ vl_api_ipsec_sad_flags_t flags;
+
+ vl_api_address_t tunnel_src;
+ vl_api_address_t tunnel_dst;
+ u32 tx_table_id;
+ u32 salt;
+};
+
+/*
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/ipsec/ipsec_types_api.c b/src/vnet/ipsec/ipsec_types_api.c
new file mode 100644
index 00000000000..0c59e48c645
--- /dev/null
+++ b/src/vnet/ipsec/ipsec_types_api.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#include <vnet/ipsec/ipsec_types_api.h>
+#include <vlibapi/api_types.h>
+
+#define vl_typedefs /* define message structures */
+#include <vnet/vnet_all_api_h.h>
+#undef vl_typedefs
+
+int
+ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
+{
+ in = clib_net_to_host_u32 (in);
+
+ switch (in)
+ {
+ case IPSEC_API_PROTO_ESP:
+ *out = IPSEC_PROTOCOL_ESP;
+ return (0);
+ case IPSEC_API_PROTO_AH:
+ *out = IPSEC_PROTOCOL_AH;
+ return (0);
+ }
+ return (VNET_API_ERROR_INVALID_PROTOCOL);
+}
+
+vl_api_ipsec_proto_t
+ipsec_proto_encode (ipsec_protocol_t p)
+{
+ switch (p)
+ {
+ case IPSEC_PROTOCOL_ESP:
+ return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
+ case IPSEC_PROTOCOL_AH:
+ return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
+ }
+ return (VNET_API_ERROR_UNIMPLEMENTED);
+}
+
+int
+ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
+ ipsec_crypto_alg_t * out)
+{
+ in = clib_net_to_host_u32 (in);
+
+ switch (in)
+ {
+#define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \
+ *out = IPSEC_CRYPTO_ALG_##f; \
+ return (0);
+ foreach_ipsec_crypto_alg
+#undef _
+ }
+ return (VNET_API_ERROR_INVALID_ALGORITHM);
+}
+
+vl_api_ipsec_crypto_alg_t
+ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
+{
+ switch (c)
+ {
+#define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \
+ return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
+ foreach_ipsec_crypto_alg
+#undef _
+ case IPSEC_CRYPTO_N_ALG:
+ break;
+ }
+ ASSERT (0);
+ return (VNET_API_ERROR_UNIMPLEMENTED);
+}
+
+int
+ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
+{
+ in = clib_net_to_host_u32 (in);
+
+ switch (in)
+ {
+#define _(v,f,s) case IPSEC_API_INTEG_ALG_##f: \
+ *out = IPSEC_INTEG_ALG_##f; \
+ return (0);
+ foreach_ipsec_integ_alg
+#undef _
+ }
+ return (VNET_API_ERROR_INVALID_ALGORITHM);
+}
+
+vl_api_ipsec_integ_alg_t
+ipsec_integ_algo_encode (ipsec_integ_alg_t i)
+{
+ switch (i)
+ {
+#define _(v,f,s) case IPSEC_INTEG_ALG_##f: \
+ return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
+ foreach_ipsec_integ_alg
+#undef _
+ case IPSEC_INTEG_N_ALG:
+ break;
+ }
+ ASSERT (0);
+ return (VNET_API_ERROR_UNIMPLEMENTED);
+}
+
+void
+ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
+{
+ ipsec_mk_key (out, key->data, key->length);
+}
+
+void
+ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
+{
+ out->length = in->len;
+ clib_memcpy (out->data, in->data, out->length);
+}
+
+ipsec_sa_flags_t
+ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
+{
+ ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
+ in = clib_net_to_host_u32 (in);
+
+ if (in & IPSEC_API_SAD_FLAG_USE_ESN)
+ flags |= IPSEC_SA_FLAG_USE_ESN;
+ if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
+ flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
+ if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
+ flags |= IPSEC_SA_FLAG_IS_TUNNEL;
+ if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
+ flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
+ if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
+ flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+
+ return (flags);
+}
+
+vl_api_ipsec_sad_flags_t
+ipsec_sad_flags_encode (const ipsec_sa_t * sa)
+{
+ vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
+
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ flags |= IPSEC_API_SAD_FLAG_USE_ESN;
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
+ flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
+ if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
+ if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
+ flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
+
+ return clib_host_to_net_u32 (flags);
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/ipsec/ipsec_types_api.h b/src/vnet/ipsec/ipsec_types_api.h
new file mode 100644
index 00000000000..2b180831db1
--- /dev/null
+++ b/src/vnet/ipsec/ipsec_types_api.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Encode/decode function from/to API to internal types
+ */
+#ifndef __IPSEC_TYPES_API_H__
+#define __IPSEC_TYPES_API_H__
+
+#include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec.api_types.h>
+
+extern int ipsec_proto_decode (vl_api_ipsec_proto_t in,
+ ipsec_protocol_t * out);
+extern vl_api_ipsec_proto_t ipsec_proto_encode (ipsec_protocol_t p);
+
+extern int ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
+ ipsec_crypto_alg_t * out);
+extern vl_api_ipsec_crypto_alg_t ipsec_crypto_algo_encode (ipsec_crypto_alg_t
+ c);
+
+extern int ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in,
+ ipsec_integ_alg_t * out);
+extern vl_api_ipsec_integ_alg_t ipsec_integ_algo_encode (ipsec_integ_alg_t i);
+
+extern void ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out);
+extern void ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out);
+
+extern ipsec_sa_flags_t ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in);
+extern vl_api_ipsec_sad_flags_t ipsec_sad_flags_encode (const ipsec_sa_t *
+ sa);
+
+#endif
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */