From 7c44d78ef2e7bf0c8714be4184511ed8f23ff239 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Mon, 25 Feb 2019 10:28:29 +0000
Subject: IKEv2 to plugin for easy integration with ptoducts running their own Ike stack.

Without the VPP IKE plugin loaded, the product is free to handle IKE packets as it pleases.

Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f
Signed-off-by: Neale Ranns
---
 src/vat/api_format.c | 708 --------------------------------------------------
 1 file changed, 708 deletions(-)

(limited to 'src/vat')

diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index daeec503856..cef60e05725 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -41,7 +41,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -395,33 +394,6 @@ format_ipsec_integ_alg (u8 * s, va_list * args)
 return format (s, "%s", t);
 }
 
-uword
-unformat_ikev2_auth_method (unformat_input_t * input, va_list * args)
-{
- u32 *r = va_arg (*args, u32 *);
-
- if (0);
-#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_AUTH_METHOD_##f;
- foreach_ikev2_auth_method
-#undef _
- else
- return 0;
- return 1;
-}
-
-uword
-unformat_ikev2_id_type (unformat_input_t * input, va_list * args)
-{
- u32 *r = va_arg (*args, u32 *);
-
- if (0);
-#define _(v,f,s) else if (unformat (input, s)) *r = IKEV2_ID_TYPE_##f;
- foreach_ikev2_id_type
-#undef _
- else
- return 0;
- return 1;
-}
 #else /* VPP_API_TEST_BUILTIN == 1 */
 static uword
 api_unformat_sw_if_index (unformat_input_t * input, va_list * args)
@@ -5214,19 +5186,6 @@ _(ipsec_sa_set_key_reply) \
 _(ipsec_tunnel_if_add_del_reply) \
 _(ipsec_tunnel_if_set_key_reply) \
 _(ipsec_tunnel_if_set_sa_reply) \
-_(ikev2_profile_add_del_reply) \
-_(ikev2_profile_set_auth_reply) \
-_(ikev2_profile_set_id_reply) \
-_(ikev2_profile_set_ts_reply) \
-_(ikev2_set_local_key_reply) \
-_(ikev2_set_responder_reply) \
-_(ikev2_set_ike_transforms_reply) \
-_(ikev2_set_esp_transforms_reply) \
-_(ikev2_set_sa_lifetime_reply) \
-_(ikev2_initiate_sa_init_reply) \
-_(ikev2_initiate_del_ike_sa_reply) \
-_(ikev2_initiate_del_child_sa_reply) \
-_(ikev2_initiate_rekey_child_sa_reply) \
 _(delete_loopback_reply) \
 _(bd_ip_mac_add_del_reply) \
 _(bd_ip_mac_flush_reply) \
@@ -5470,19 +5429,6 @@ _(IPSEC_SA_SET_KEY_REPLY, ipsec_sa_set_key_reply) \
 _(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \
 _(IPSEC_TUNNEL_IF_SET_KEY_REPLY, ipsec_tunnel_if_set_key_reply) \
 _(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply) \
-_(IKEV2_PROFILE_ADD_DEL_REPLY, ikev2_profile_add_del_reply) \
-_(IKEV2_PROFILE_SET_AUTH_REPLY, ikev2_profile_set_auth_reply) \
-_(IKEV2_PROFILE_SET_ID_REPLY, ikev2_profile_set_id_reply) \
-_(IKEV2_PROFILE_SET_TS_REPLY, ikev2_profile_set_ts_reply) \
-_(IKEV2_SET_LOCAL_KEY_REPLY, ikev2_set_local_key_reply) \
-_(IKEV2_SET_RESPONDER_REPLY, ikev2_set_responder_reply) \
-_(IKEV2_SET_IKE_TRANSFORMS_REPLY, ikev2_set_ike_transforms_reply) \
-_(IKEV2_SET_ESP_TRANSFORMS_REPLY, ikev2_set_esp_transforms_reply) \
-_(IKEV2_SET_SA_LIFETIME_REPLY, ikev2_set_sa_lifetime_reply) \
-_(IKEV2_INITIATE_SA_INIT_REPLY, ikev2_initiate_sa_init_reply) \
-_(IKEV2_INITIATE_DEL_IKE_SA_REPLY, ikev2_initiate_del_ike_sa_reply) \
-_(IKEV2_INITIATE_DEL_CHILD_SA_REPLY, ikev2_initiate_del_child_sa_reply) \
-_(IKEV2_INITIATE_REKEY_CHILD_SA_REPLY, ikev2_initiate_rekey_child_sa_reply) \
 _(DELETE_LOOPBACK_REPLY, delete_loopback_reply) \
 _(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply) \
 _(BD_IP_MAC_FLUSH_REPLY, bd_ip_mac_flush_reply) \
@@ -15466,643 +15412,6 @@ api_ipsec_tunnel_if_set_sa (vat_main_t * vam)
 return ret;
 }
 
-static int
-api_ikev2_profile_add_del (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_add_del_t *mp;
- u8 is_add = 1;
- u8 *name = 0;
- int ret;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "del"))
- is_add = 0;
- else if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_PROFILE_ADD_DEL, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- mp->is_add = is_add;
- vec_free (name);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_profile_set_auth (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_set_auth_t *mp;
- u8 *name = 0;
- u8 *data = 0;
- u32 auth_method = 0;
- u8 is_hex = 0;
- int ret;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else if (unformat (i, "auth_method %U",
- unformat_ikev2_auth_method, &auth_method))
- ;
- else if (unformat (i, "auth_data 0x%U", unformat_hex_string, &data))
- is_hex = 1;
- else if (unformat (i, "auth_data %v", &data))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- if (!vec_len (data))
- {
- errmsg ("auth_data must be specified");
- return -99;
- }
-
- if (!auth_method)
- {
- errmsg 
("auth_method must be specified"); - return -99; - } - - M (IKEV2_PROFILE_SET_AUTH, mp); - - mp->is_hex = is_hex; - mp->auth_method = (u8) auth_method; - mp->data_len = vec_len (data); - clib_memcpy (mp->name, name, vec_len (name)); - clib_memcpy (mp->data, data, vec_len (data)); - vec_free (name); - vec_free (data); - - S (mp); - W (ret); - return ret; -} - -static int -api_ikev2_profile_set_id (vat_main_t * vam) -{ - unformat_input_t *i = vam->input; - vl_api_ikev2_profile_set_id_t *mp; - u8 *name = 0; - u8 *data = 0; - u8 is_local = 0; - u32 id_type = 0; - ip4_address_t ip4; - int ret; - - const char *valid_chars = "a-zA-Z0-9_"; - - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) - { - if (unformat (i, "name %U", unformat_token, valid_chars, &name)) - vec_add1 (name, 0); - else if (unformat (i, "id_type %U", unformat_ikev2_id_type, &id_type)) - ; - else if (unformat (i, "id_data %U", unformat_ip4_address, &ip4)) - { - data = vec_new (u8, 4); - clib_memcpy (data, ip4.as_u8, 4); - } - else if (unformat (i, "id_data 0x%U", unformat_hex_string, &data)) - ; - else if (unformat (i, "id_data %v", &data)) - ; - else if (unformat (i, "local")) - is_local = 1; - else if (unformat (i, "remote")) - is_local = 0; - else - { - errmsg ("parse error '%U'", format_unformat_error, i); - return -99; - } - } - - if (!vec_len (name)) - { - errmsg ("profile name must be specified"); - return -99; - } - - if (vec_len (name) > 64) - { - errmsg ("profile name too long"); - return -99; - } - - if (!vec_len (data)) - { - errmsg ("id_data must be specified"); - return -99; - } - - if (!id_type) - { - errmsg ("id_type must be specified"); - return -99; - } - - M (IKEV2_PROFILE_SET_ID, mp); - - mp->is_local = is_local; - mp->id_type = (u8) id_type; - mp->data_len = vec_len (data); - clib_memcpy (mp->name, name, vec_len (name)); - clib_memcpy (mp->data, data, vec_len (data)); - vec_free (name); - vec_free (data); - - S (mp); - W (ret); - return ret; -} - -static int 
-api_ikev2_profile_set_ts (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_profile_set_ts_t *mp;
- u8 *name = 0;
- u8 is_local = 0;
- u32 proto = 0, start_port = 0, end_port = (u32) ~ 0;
- ip4_address_t start_addr, end_addr;
-
- const char *valid_chars = "a-zA-Z0-9_";
- int ret;
-
- start_addr.as_u32 = 0;
- end_addr.as_u32 = (u32) ~ 0;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "name %U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else if (unformat (i, "protocol %d", &proto))
- ;
- else if (unformat (i, "start_port %d", &start_port))
- ;
- else if (unformat (i, "end_port %d", &end_port))
- ;
- else
- if (unformat (i, "start_addr %U", unformat_ip4_address, &start_addr))
- ;
- else if (unformat (i, "end_addr %U", unformat_ip4_address, &end_addr))
- ;
- else if (unformat (i, "local"))
- is_local = 1;
- else if (unformat (i, "remote"))
- is_local = 0;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_PROFILE_SET_TS, mp);
-
- mp->is_local = is_local;
- mp->proto = (u8) proto;
- mp->start_port = (u16) start_port;
- mp->end_port = (u16) end_port;
- mp->start_addr = start_addr.as_u32;
- mp->end_addr = end_addr.as_u32;
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_set_local_key (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_local_key_t *mp;
- u8 *file = 0;
- int ret;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "file %v", &file))
- vec_add1 (file, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (file))
- {
- errmsg ("RSA key file must be 
specified"); - return -99; - } - - if (vec_len (file) > 256) - { - errmsg ("file name too long"); - return -99; - } - - M (IKEV2_SET_LOCAL_KEY, mp); - - clib_memcpy (mp->key_file, file, vec_len (file)); - vec_free (file); - - S (mp); - W (ret); - return ret; -} - -static int -api_ikev2_set_responder (vat_main_t * vam) -{ - unformat_input_t *i = vam->input; - vl_api_ikev2_set_responder_t *mp; - int ret; - u8 *name = 0; - u32 sw_if_index = ~0; - ip4_address_t address; - - const char *valid_chars = "a-zA-Z0-9_"; - - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) - { - if (unformat - (i, "%U interface %d address %U", unformat_token, valid_chars, - &name, &sw_if_index, unformat_ip4_address, &address)) - vec_add1 (name, 0); - else - { - errmsg ("parse error '%U'", format_unformat_error, i); - return -99; - } - } - - if (!vec_len (name)) - { - errmsg ("profile name must be specified"); - return -99; - } - - if (vec_len (name) > 64) - { - errmsg ("profile name too long"); - return -99; - } - - M (IKEV2_SET_RESPONDER, mp); - - clib_memcpy (mp->name, name, vec_len (name)); - vec_free (name); - - mp->sw_if_index = sw_if_index; - clib_memcpy (mp->address, &address, sizeof (address)); - - S (mp); - W (ret); - return ret; -} - -static int -api_ikev2_set_ike_transforms (vat_main_t * vam) -{ - unformat_input_t *i = vam->input; - vl_api_ikev2_set_ike_transforms_t *mp; - int ret; - u8 *name = 0; - u32 crypto_alg, crypto_key_size, integ_alg, dh_group; - - const char *valid_chars = "a-zA-Z0-9_"; - - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) - { - if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name, - &crypto_alg, &crypto_key_size, &integ_alg, &dh_group)) - vec_add1 (name, 0); - else - { - errmsg ("parse error '%U'", format_unformat_error, i); - return -99; - } - } - - if (!vec_len (name)) - { - errmsg ("profile name must be specified"); - return -99; - } - - if (vec_len (name) > 64) - { - errmsg ("profile name too long"); - return -99; - } 
-
- M (IKEV2_SET_IKE_TRANSFORMS, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
- mp->crypto_alg = crypto_alg;
- mp->crypto_key_size = crypto_key_size;
- mp->integ_alg = integ_alg;
- mp->dh_group = dh_group;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-
-static int
-api_ikev2_set_esp_transforms (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_esp_transforms_t *mp;
- int ret;
- u8 *name = 0;
- u32 crypto_alg, crypto_key_size, integ_alg, dh_group;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name,
- &crypto_alg, &crypto_key_size, &integ_alg, &dh_group))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_SET_ESP_TRANSFORMS, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
- mp->crypto_alg = crypto_alg;
- mp->crypto_key_size = crypto_key_size;
- mp->integ_alg = integ_alg;
- mp->dh_group = dh_group;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_set_sa_lifetime (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_set_sa_lifetime_t *mp;
- int ret;
- u8 *name = 0;
- u64 lifetime, lifetime_maxdata;
- u32 lifetime_jitter, handover;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U %lu %u %u %lu", unformat_token, valid_chars, &name,
- &lifetime, &lifetime_jitter, &handover,
- &lifetime_maxdata))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if 
(vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_SET_SA_LIFETIME, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
- mp->lifetime = lifetime;
- mp->lifetime_jitter = lifetime_jitter;
- mp->handover = handover;
- mp->lifetime_maxdata = lifetime_maxdata;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_sa_init (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_sa_init_t *mp;
- int ret;
- u8 *name = 0;
-
- const char *valid_chars = "a-zA-Z0-9_";
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U", unformat_token, valid_chars, &name))
- vec_add1 (name, 0);
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (!vec_len (name))
- {
- errmsg ("profile name must be specified");
- return -99;
- }
-
- if (vec_len (name) > 64)
- {
- errmsg ("profile name too long");
- return -99;
- }
-
- M (IKEV2_INITIATE_SA_INIT, mp);
-
- clib_memcpy (mp->name, name, vec_len (name));
- vec_free (name);
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_del_ike_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_del_ike_sa_t *mp;
- int ret;
- u64 ispi;
-
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%lx", &ispi))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- M (IKEV2_INITIATE_DEL_IKE_SA, mp);
-
- mp->ispi = ispi;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_del_child_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_del_child_sa_t *mp;
- int ret;
- u32 ispi;
-
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%x", &ispi))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- M 
(IKEV2_INITIATE_DEL_CHILD_SA, mp);
-
- mp->ispi = ispi;
-
- S (mp);
- W (ret);
- return ret;
-}
-
-static int
-api_ikev2_initiate_rekey_child_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ikev2_initiate_rekey_child_sa_t *mp;
- int ret;
- u32 ispi;
-
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%x", &ispi))
- ;
- else
- {
- errmsg ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- M (IKEV2_INITIATE_REKEY_CHILD_SA, mp);
-
- mp->ispi = ispi;
-
- S (mp);
- W (ret);
- return ret;
-}
-
 static int
 api_get_first_msg_id (vat_main_t * vam)
 {
@@ -23175,23 +22484,6 @@ _(ipsec_sa_dump, "[sa_id ]") \
 _(ipsec_tunnel_if_set_key, " \n" \
 " \n") \
 _(ipsec_tunnel_if_set_sa, " sa_id \n") \
-_(ikev2_profile_add_del, "name [del]") \
-_(ikev2_profile_set_auth, "name auth_method \n" \
- "(auth_data 0x | auth_data )") \
-_(ikev2_profile_set_id, "name id_type \n" \
- "(id_data 0x | id_data ) (local|remote)") \
-_(ikev2_profile_set_ts, "name protocol \n" \
- "start_port end_port start_addr end_addr \n" \
- "(local|remote)") \
-_(ikev2_set_local_key, "file ") \
-_(ikev2_set_responder, " interface address ") \
-_(ikev2_set_ike_transforms, " ") \
-_(ikev2_set_esp_transforms, " ") \
-_(ikev2_set_sa_lifetime, " ") \
-_(ikev2_initiate_sa_init, "") \
-_(ikev2_initiate_del_ike_sa, "") \
-_(ikev2_initiate_del_child_sa, "") \
-_(ikev2_initiate_rekey_child_sa, "") \
 _(delete_loopback,"sw_if_index ") \
 _(bd_ip_mac_add_del, "bd_id [del]") \
 _(bd_ip_mac_flush, "bd_id ") \
-- cgit