From ff2e4138cc020dea4ab0f21f1b172b28f5ed3565 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Thu, 24 Jun 2021 14:57:56 +0000
Subject: ipsec: Split the SA add_del API into an separate add and del
Type: improvement
the rationale being that the del only requires the SA's ID, so it's a bit mean to require the client to fill out all the other information as well.
Signed-off-by: Neale Ranns
Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
---
 src/vnet/ipsec/ipsec.api   |  20 +++++++-
 src/vnet/ipsec/ipsec_api.c | 114 +++++++++++++++++++++++++++++++--------------
 2 files changed, 98 insertions(+), 36 deletions(-)
(limited to 'src/vnet/ipsec')
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 8d4580a2c28..be45c3e2401 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
-option version = "5.0.1";
+option version = "5.0.2";
 import "vnet/ipsec/ipsec_types.api";
 import "vnet/interface_types.api";
@@ -211,6 +211,18 @@ define ipsec_sad_entry_add_del_v3
   bool is_add;
   vl_api_ipsec_sad_entry_v3_t entry;
 };
+define ipsec_sad_entry_add
+{
+  u32 client_index;
+  u32 context;
+  vl_api_ipsec_sad_entry_v3_t entry;
+};
+autoreply define ipsec_sad_entry_del
+{
+  u32 client_index;
+  u32 context;
+  u32 id;
+};
 define ipsec_sad_entry_add_del_reply
 {
@@ -231,6 +243,12 @@ define ipsec_sad_entry_add_del_v3_reply
   i32 retval;
   u32 stat_index;
 };
+define ipsec_sad_entry_add_reply
+{
+  u32 context;
+  i32 retval;
+  u32 stat_index;
+};
 /** \brief Add or Update Protection for a tunnel with IPSEC
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index a0c2768318f..73f4474a604 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
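Review bot: The three new message definitions in ipsec.api (`ipsec_sad_entry_add`, `ipsec_sad_entry_del`, `ipsec_sad_entry_add_reply`) carry no `/** \brief ... */` block, unlike the documented messages elsewhere in this file (the tunnel-protect message visible at the end of the last hunk), so the generated API documentation will list them with no description. Because `del` now keys on `id` alone, its comment should state that this is the `sad_id` of the entry (the value an `add` sends in `entry.sad_id`), and `add_reply` should say that `stat_index` is the index of the SA that was added. A block such as `/** \brief Delete an SA from the SAD by its sad_id` / `@param id - sad_id of the entry to delete */` above `autoreply define ipsec_sad_entry_del`, with matching blocks on the other two messages, would close the gap.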
@@ -291,6 +291,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
   int rv;
   id = ntohl (mp->entry.sad_id);
+  if (!mp->is_add)
+    {
+      rv = ipsec_sa_unlock_id (id);
+      goto out;
+    }
   spi = ntohl (mp->entry.spi);
   rv = ipsec_proto_decode (mp->entry.protocol, &proto);
@@ -316,13 +321,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
   ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
   ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
-  if (mp->is_add)
-    rv = ipsec_sa_add_and_lock (
-      id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
-      mp->entry.salt, htons (mp->entry.udp_src_port),
-      htons (mp->entry.udp_dst_port), &tun, &sa_index);
-  else
-    rv = ipsec_sa_unlock_id (id);
+  rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
+                              integ_alg, &integ_key, flags, mp->entry.salt,
+                              htons (mp->entry.udp_src_port),
+                              htons (mp->entry.udp_dst_port), &tun, &sa_index);
 out:
   /* *INDENT-OFF* */
@@ -355,6 +357,12 @@ static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
   };
   id = ntohl (mp->entry.sad_id);
+  if (!mp->is_add)
+    {
+      rv = ipsec_sa_unlock_id (id);
+      goto out;
+    }
+
   spi = ntohl (mp->entry.spi);
   rv = ipsec_proto_decode (mp->entry.protocol, &proto);
@@ -387,13 +395,10 @@ static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
   ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
   ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
-  if (mp->is_add)
     rv = ipsec_sa_add_and_lock (
       id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
       mp->entry.salt, htons (mp->entry.udp_src_port),
       htons (mp->entry.udp_dst_port), &tun, &sa_index);
-  else
-    rv = ipsec_sa_unlock_id (id);
 out:
   /* *INDENT-OFF* */
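Review bot: In the second v2 hunk (`@@ -387,13 +395,10`) the `if (mp->is_add)` line is removed but the four-line `rv = ipsec_sa_add_and_lock (` statement that was its body is kept as unchanged context, so in the new code that call still carries the indentation of a conditional body, whereas the corresponding v1 hunk (`@@ -316,13 +321,10`) reflows the same call to its new depth; a formatter pass over the v2 handler would make the two handlers match. The two early-exit blocks also differ in that v1 goes straight from `}` to `spi = ntohl (mp->entry.spi);` while v2 inserts a blank line, which is harmless but worth aligning since the blocks are otherwise identical. Both `vl_api_ipsec_sad_entry_add_del_t_handler` and the v2 handler start and end outside these hunks, so the `out:` label the new `goto out` jumps to is only visible in the second hunk of each pair.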
@@ -404,64 +409,103 @@ out:
   /* *INDENT-ON* */
 }
-static void
-vl_api_ipsec_sad_entry_add_del_v3_t_handler (
-  vl_api_ipsec_sad_entry_add_del_v3_t *mp)
+static int
+ipsec_sad_entry_add_v3 (const vl_api_ipsec_sad_entry_v3_t *entry,
+                        u32 *sa_index)
 {
-  vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp;
   ipsec_key_t crypto_key, integ_key;
   ipsec_crypto_alg_t crypto_alg;
   ipsec_integ_alg_t integ_alg;
   ipsec_protocol_t proto;
   ipsec_sa_flags_t flags;
-  u32 id, spi, sa_index = ~0;
+  u32 id, spi;
   tunnel_t tun;
   int rv;
-  id = ntohl (mp->entry.sad_id);
-  spi = ntohl (mp->entry.spi);
+  id = ntohl (entry->sad_id);
+  spi = ntohl (entry->spi);
-  rv = ipsec_proto_decode (mp->entry.protocol, &proto);
+  rv = ipsec_proto_decode (entry->protocol, &proto);
   if (rv)
-    goto out;
+    return (rv);
-  rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
+  rv = ipsec_crypto_algo_decode (entry->crypto_algorithm, &crypto_alg);
   if (rv)
-    goto out;
+    return (rv);
-  rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
+  rv = ipsec_integ_algo_decode (entry->integrity_algorithm, &integ_alg);
   if (rv)
-    goto out;
+    return (rv);
-  flags = ipsec_sa_flags_decode (mp->entry.flags);
+  flags = ipsec_sa_flags_decode (entry->flags);
   if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
     {
-      rv = tunnel_decode (&mp->entry.tunnel, &tun);
+      rv = tunnel_decode (&entry->tunnel, &tun);
       if (rv)
-        goto out;
+        return (rv);
     }
-  ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
-  ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
+  ipsec_key_decode (&entry->crypto_key, &crypto_key);
+  ipsec_key_decode (&entry->integrity_key, &integ_key);
-  if (mp->is_add)
-    rv = ipsec_sa_add_and_lock (
-      id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
-      mp->entry.salt, htons (mp->entry.udp_src_port),
-      htons (mp->entry.udp_dst_port), &tun, &sa_index);
+  return ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
+                                integ_alg, &integ_key, flags, entry->salt,
+                                htons (entry->udp_src_port),
+                                htons (entry->udp_dst_port), &tun, sa_index);
+}
+
+static void
+vl_api_ipsec_sad_entry_add_del_v3_t_handler (
+  vl_api_ipsec_sad_entry_add_del_v3_t *mp)
+{
+  vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp;
+  u32 id, sa_index = ~0;
+  int rv;
+
+  id = ntohl (mp->entry.sad_id);
+
+  if (!mp->is_add)
+    {
+      rv = ipsec_sa_unlock_id (id);
+    }
   else
-    rv = ipsec_sa_unlock_id (id);
+    {
+      rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
+    }
-out:
   REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V3_REPLY,
                 { rmp->stat_index = htonl (sa_index); });
 }
+static void
+vl_api_ipsec_sad_entry_del_t_handler (vl_api_ipsec_sad_entry_del_t *mp)
+{
+  vl_api_ipsec_sad_entry_del_reply_t *rmp;
+  int rv;
+
+  rv = ipsec_sa_unlock_id (ntohl (mp->id));
+
+  REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_DEL_REPLY);
+}
+
+static void
+vl_api_ipsec_sad_entry_add_t_handler (vl_api_ipsec_sad_entry_add_t *mp)
+{
+  vl_api_ipsec_sad_entry_add_reply_t *rmp;
+  u32 sa_index = ~0;
+  int rv;
+
+  rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
+
+  REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_REPLY,
+                { rmp->stat_index = htonl (sa_index); });
+}
+
 static void
 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, u32 context)
-- 
cgit 1.2.3-korg
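Review bot: `ipsec_sad_entry_add_v3` becomes an internal entry point shared by two handlers but has no header comment; I would add a short block above `static int` saying that it decodes a wire-format v3 SAD entry, adds and locks the SA, returns 0 on success or the first non-zero decode/add result, and passes `sa_index` through to `ipsec_sa_add_and_lock` for the new SA's index. One thing worth confirming while the code is being moved: `tunnel_t tun;` is declared uninitialised and only filled by `tunnel_decode` when `IPSEC_SA_FLAG_IS_TUNNEL` is set, yet `&tun` is passed to `ipsec_sa_add_and_lock` on every path; the old handler did the same, so this is not introduced here, but whether the callee reads `tun` for non-tunnel SAs is not visible in the hunk, and `clib_memset (&tun, 0, sizeof (tun));` before the flag check would make the question moot. The new `vl_api_ipsec_sad_entry_del_t_handler` and `vl_api_ipsec_sad_entry_add_t_handler` are likewise undocumented; a one-line comment on the del handler noting that it unlocks by `sad_id` alone (`mp->id` is the same value the add path reads from `entry.sad_id`) would make the API split visible from the code.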