From e5f42feb4f373d8109c52a5ced9c38fc4323d6ed Mon Sep 17 00:00:00 2001
From: Matus Fabian
Date: Fri, 8 Apr 2016 11:18:08 +0200
Subject: Add IKEv2 APIs

Change-Id: I5936b05aa927b67c707b5858ffee45fc7a5d2043
Signed-off-by: Matus Fabian
---
 vpp/api/api.c   | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 vpp/api/vpe.api | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 271 insertions(+), 3 deletions(-)
(limited to 'vpp')

diff --git a/vpp/api/api.c b/vpp/api/api.c
index aaa4be58f55..f9e69024ae0 100644
--- a/vpp/api/api.c
+++ b/vpp/api/api.c
@@ -78,6 +78,7 @@
 
 #if IPSEC > 0
 #include
+#include
 #endif /* IPSEC */
 #if DPDK > 0
 #include
@@ -302,6 +303,11 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
 _(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \
 _(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \
 _(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
+_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \
+_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \
+_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \
+_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \
+_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) \
 _(DELETE_LOOPBACK, delete_loopback) \
 _(BD_IP_MAC_ADD_DEL, bd_ip_mac_add_del) \
 _(MAP_ADD_DOMAIN, map_add_domain) \
@@ -4624,7 +4630,7 @@ static void vl_api_ipsec_interface_add_del_spd_t_handler
 
   VALIDATE_SW_IF_INDEX(mp);
 
-#if IPSEC > 0
+#if IPSEC > 0
   rv = ipsec_set_interface_spd(vm, sw_if_index, spd_id, mp->is_add);
 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
@@ -4642,9 +4648,11 @@ static void vl_api_ipsec_spd_add_del_entry_t_handler
   vl_api_ipsec_spd_add_del_entry_reply_t * rmp;
   int rv;
 
-#if IPSEC > 0
+#if IPSEC > 0
   ipsec_policy_t p;
 
+  memset(&p, 0, sizeof(p));
+
   p.id = ntohl(mp->spd_id);
   p.priority = ntohl(mp->priority);
   p.is_outbound = mp->is_outbound;
@@ -4695,6 +4703,8 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
 #if IPSEC > 0
   ipsec_sa_t sa;
 
+  memset(&sa, 0, sizeof(sa));
+
   sa.id = ntohl(mp->sad_id);
   sa.spi = ntohl(mp->spi);
   /* security protocol AH unsupported */
@@ -4707,7 +4717,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
   /* check for unsupported crypto-alg */
   if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
       mp->crypto_algorithm > IPSEC_CRYPTO_ALG_AES_CBC_256) {
-    clib_warning("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
+    clib_warning("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg,
                  mp->crypto_algorithm);
     rv = VNET_API_ERROR_UNIMPLEMENTED;
     goto out;
@@ -4741,6 +4751,124 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
 out:
   REPLY_MACRO(VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY);
 }
+
+static void
+vl_api_ikev2_profile_add_del_t_handler
+(vl_api_ikev2_profile_add_del_t * mp)
+{
+  vlib_main_t * vm = vlib_get_main();
+  vl_api_ikev2_profile_add_del_reply_t * rmp;
+  int rv = 0;
+
+#if IPSEC > 0
+  clib_error_t * error;
+  u8 * tmp = format(0, "%s", mp->name);
+  error = ikev2_add_del_profile(vm, tmp, mp->is_add);
+  vec_free (tmp);
+  if (error)
+    rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+  rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+  REPLY_MACRO(VL_API_IKEV2_PROFILE_ADD_DEL_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_auth_t_handler
+(vl_api_ikev2_profile_set_auth_t * mp)
+{
+  vlib_main_t * vm = vlib_get_main();
+  vl_api_ikev2_profile_set_auth_reply_t * rmp;
+  int rv = 0;
+
+#if IPSEC > 0
+  clib_error_t * error;
+  u8 * tmp = format(0, "%s", mp->name);
+  u8 * data = vec_new (u8, mp->data_len);
+  memcpy(data, mp->data, mp->data_len);
+  error = ikev2_set_profile_auth(vm, tmp, mp->auth_method, data, mp->is_hex);
+  vec_free (tmp);
+  vec_free (data);
+  if (error)
+    rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+  rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+  REPLY_MACRO(VL_API_IKEV2_PROFILE_SET_AUTH_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_id_t_handler
+(vl_api_ikev2_profile_set_id_t * mp)
+{
+  vlib_main_t * vm = vlib_get_main();
+  vl_api_ikev2_profile_set_id_reply_t * rmp;
+  int rv = 0;
+
+#if IPSEC > 0
+  clib_error_t * error;
+  u8 * tmp = format(0, "%s", mp->name);
+  u8 * data = vec_new (u8, mp->data_len);
+  memcpy(data, mp->data, mp->data_len);
+  error = ikev2_set_profile_id(vm, tmp, mp->id_type, data, mp->is_local);
+  vec_free (tmp);
+  vec_free (data);
+  if (error)
+    rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+  rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+  REPLY_MACRO(VL_API_IKEV2_PROFILE_SET_ID_REPLY);
+}
+
+static void
+vl_api_ikev2_profile_set_ts_t_handler
+(vl_api_ikev2_profile_set_ts_t * mp)
+{
+  vlib_main_t * vm = vlib_get_main();
+  vl_api_ikev2_profile_set_ts_reply_t * rmp;
+  int rv = 0;
+
+#if IPSEC > 0
+  clib_error_t * error;
+  u8 * tmp = format(0, "%s", mp->name);
+  error = ikev2_set_profile_ts(vm, tmp, mp->proto, mp->start_port,
+                               mp->end_port, (ip4_address_t) mp->start_addr,
+                               (ip4_address_t) mp->end_addr, mp->is_local);
+  vec_free (tmp);
+  if (error)
+    rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+  rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+  REPLY_MACRO(VL_API_IKEV2_PROFILE_SET_TS_REPLY);
+}
+
+static void
+vl_api_ikev2_set_local_key_t_handler
+(vl_api_ikev2_set_local_key_t * mp)
+{
+  vlib_main_t * vm = vlib_get_main();
+  vl_api_ikev2_set_local_key_reply_t * rmp;
+  int rv = 0;
+
+#if IPSEC > 0
+  clib_error_t * error;
+
+  error = ikev2_set_local_key(vm, mp->key_file);
+  if (error)
+    rv = VNET_API_ERROR_UNSPECIFIED;
+#else
+  rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+  REPLY_MACRO(VL_API_IKEV2_SET_LOCAL_KEY_REPLY);
+}
+
 static void
 vl_api_map_add_domain_t_handler
 (vl_api_map_add_domain_t * mp)
diff --git a/vpp/api/vpe.api b/vpp/api/vpe.api
index dd20a0b81da..d9e62e2ab12 100644
--- a/vpp/api/vpe.api
+++ b/vpp/api/vpe.api
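Review bot: `vl_api_ikev2_profile_set_auth_t_handler` and `vl_api_ikev2_profile_set_id_t_handler` trust `mp->data_len` exactly as the client sent it: it is used raw where every other u32 in this file's handlers goes through `ntohl` (compare `ntohl(mp->spd_id)` in the hunk above), it is never bounded against the length of the message actually received, and it sizes both `vec_new` and the `memcpy` from `mp->data`, so a short message makes the memcpy read past the end of the API buffer and a large value makes the API thread allocate and copy up to 4 GiB. Convert it with `ntohl`, reject it when it exceeds the received payload size (the API framework records the received length in the header ahead of `mp`; the accessor is not visible from this hunk), and only then allocate — the fence below shows the shape for set_auth, and set_id needs the same. The four `format(0, "%s", mp->name)` calls and the `mp->key_file` handed to `ikev2_set_local_key` also rely on the client NUL-terminating a fixed `u8[64]`/`u8[256]` array; force it with `mp->name[sizeof(mp->name) - 1] = 0;` (and the same for `key_file`) before use. Finally, the `clib_error_t` returned by each `ikev2_*` call is dropped after `if (error)`, which leaks it and hides the failure reason; `clib_error_report(error)` — or at minimum `clib_error_free(error)` — before setting `rv` fixes both.

```c
#if IPSEC > 0
  clib_error_t * error;
  u32 data_len = ntohl(mp->data_len);
  /* TODO(review): reject data_len > (received message length - sizeof(*mp))
     here, using the length the API framework stored ahead of mp */
  mp->name[sizeof(mp->name) - 1] = 0;
  u8 * tmp = format(0, "%s", mp->name);
  u8 * data = vec_new (u8, data_len);
  memcpy(data, mp->data, data_len);
  error = ikev2_set_profile_auth(vm, tmp, mp->auth_method, data, mp->is_hex);
  /* … unchanged: vec_free (tmp); vec_free (data); … */
  if (error)
    {
      clib_error_report(error);
      rv = VNET_API_ERROR_UNSPECIFIED;
    }
```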
@@ -2594,6 +2594,146 @@ define ipsec_sa_set_key_reply {
     i32 retval;
 };
 
+/** \brief IKEv2: Add/delete profile
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+
+    @param name - IKEv2 profile name
+    @param is_add - Add IKEv2 profile if non-zero, else delete
+*/
+define ikev2_profile_add_del {
+    u32 client_index;
+    u32 context;
+
+    u8 name[64];
+    u8 is_add;
+};
+
+/** \brief Reply for IKEv2: Add/delete profile
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define ikev2_profile_add_del_reply {
+    u32 context;
+    i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 profile authentication method
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+
+    @param name - IKEv2 profile name
+    @param auth_method - IKEv2 authentication method (shared-key-mic/rsa-sig)
+    @param is_hex - Authentication data in hex format if non-zero, else string
+    @param data_len - Authentication data length
+    @param data - Authentication data (for rsa-sig cert file path)
+*/
+define ikev2_profile_set_auth {
+    u32 client_index;
+    u32 context;
+
+    u8 name[64];
+    u8 auth_method;
+    u8 is_hex;
+    u32 data_len;
+    u8 data[0];
+};
+
+/** \brief Reply for IKEv2: Set IKEv2 profile authentication method
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define ikev2_profile_set_auth_reply {
+    u32 context;
+    i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 profile local/remote identification
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+
+    @param name - IKEv2 profile name
+    @param is_local - Identification is local if non-zero, else remote
+    @param id_type - Identification type
+    @param data_len - Identification data length
+    @param data - Identification data
+*/
+define ikev2_profile_set_id {
+    u32 client_index;
+    u32 context;
+
+    u8 name[64];
+    u8 is_local;
+    u8 id_type;
+    u32 data_len;
+    u8 data[0];
+};
+
+/** \brief Reply for IKEv2:
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define ikev2_profile_set_id_reply {
+    u32 context;
+    i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 profile traffic selector parameters
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+
+    @param name - IKEv2 profile name
+    @param is_local - Traffic selector is local if non-zero, else remote
+    @param proto - Traffic selector IP protocol (if zero not relevant)
+    @param start_port - The smallest port number allowed by traffic selector
+    @param end_port - The largest port number allowed by traffic selector
+    @param start_addr - The smallest address included in traffic selector
+    @param end_addr - The largest address included in traffic selector
+*/
+define ikev2_profile_set_ts {
+    u32 client_index;
+    u32 context;
+
+    u8 name[64];
+    u8 is_local;
+    u8 proto;
+    u16 start_port;
+    u16 end_port;
+    u32 start_addr;
+    u32 end_addr;
+};
+
+/** \brief Reply for IKEv2: Set IKEv2 profile traffic selector parameters
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define ikev2_profile_set_ts_reply {
+    u32 context;
+    i32 retval;
+};
+
+/** \brief IKEv2: Set IKEv2 local RSA private key
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+
+    @param key_file - Key file absolute path
+*/
+define ikev2_set_local_key {
+    u32 client_index;
+    u32 context;
+
+    u8 key_file[256];
+};
+
+/** \brief Reply for IKEv2: Set IKEv2 local key
+    @param context - returned sender context, to match reply w/ request
+    @param retval - return code
+*/
+define ikev2_set_local_key_reply {
+    u32 context;
+    i32 retval;
+};
+
 /** \brief Tell client about a DHCP completion event
     @param client_index - opaque cookie to identify the sender
     @param pid - client pid registered to receive notification
-- cgit 1.2.3-korg
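Review bot: The new message definitions never state the byte order or the bounds of their numeric fields, while the handlers in api.c consume `data_len`, `start_port`/`end_port` and `start_addr`/`end_addr` without any `ntohl`/`ntohs`, so a client reading this .api file cannot tell whether to send host or network order and the two sides are likely to disagree. Document it on each field, e.g. `@param data_len - Authentication data length in bytes (network byte order); must not exceed the message payload`, and state in the `name` and `key_file` descriptions that the arrays are NUL-terminated C strings and therefore hold at most 63 and 255 bytes. The `\brief Reply for IKEv2:` on `ikev2_profile_set_id_reply` is cut off; `\brief Reply for IKEv2: Set IKEv2 profile local/remote identification` matches the other reply comments. It is also worth saying in `ikev2_set_local_key` that the path is presumably opened by the VPP process itself, so any client allowed to send this message can point VPP at an arbitrary file as its RSA key: `@param key_file - Key file absolute path, read by VPP with its own privileges`.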