net/qede/base: change valloc to vzalloc
[dpdk.git] / examples / ipsec-secgw / esp.c
1 /*-
2  *   BSD LICENSE
3  *
4  *   Copyright(c) 2016 Intel Corporation. All rights reserved.
5  *   All rights reserved.
6  *
7  *   Redistribution and use in source and binary forms, with or without
8  *   modification, are permitted provided that the following conditions
9  *   are met:
10  *
11  *     * Redistributions of source code must retain the above copyright
12  *       notice, this list of conditions and the following disclaimer.
13  *     * Redistributions in binary form must reproduce the above copyright
14  *       notice, this list of conditions and the following disclaimer in
15  *       the documentation and/or other materials provided with the
16  *       distribution.
17  *     * Neither the name of Intel Corporation nor the names of its
18  *       contributors may be used to endorse or promote products derived
19  *       from this software without specific prior written permission.
20  *
21  *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22  *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23  *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24  *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25  *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26  *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27  *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28  *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29  *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30  *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31  *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32  */
33
34 #include <stdint.h>
35 #include <stdlib.h>
36 #include <sys/types.h>
37 #include <sys/stat.h>
38 #include <netinet/in.h>
39 #include <netinet/ip.h>
40 #include <netinet/ip6.h>
41 #include <fcntl.h>
42 #include <unistd.h>
43
44 #include <rte_common.h>
45 #include <rte_crypto.h>
46 #include <rte_cryptodev.h>
47 #include <rte_random.h>
48
49 #include "ipsec.h"
50 #include "esp.h"
51 #include "ipip.h"
52
53 int
54 esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
55                 struct rte_crypto_op *cop)
56 {
57         struct ip *ip4;
58         struct rte_crypto_sym_op *sym_cop;
59         int32_t payload_len, ip_hdr_len;
60
61         RTE_ASSERT(m != NULL);
62         RTE_ASSERT(sa != NULL);
63         RTE_ASSERT(cop != NULL);
64
65         ip4 = rte_pktmbuf_mtod(m, struct ip *);
66         if (likely(ip4->ip_v == IPVERSION))
67                 ip_hdr_len = ip4->ip_hl * 4;
68         else if (ip4->ip_v == IP6_VERSION)
69                 /* XXX No option headers supported */
70                 ip_hdr_len = sizeof(struct ip6_hdr);
71         else {
72                 RTE_LOG(ERR, IPSEC_ESP, "invalid IP packet type %d\n",
73                                 ip4->ip_v);
74                 return -EINVAL;
75         }
76
77         payload_len = rte_pktmbuf_pkt_len(m) - ip_hdr_len -
78                 sizeof(struct esp_hdr) - sa->iv_len - sa->digest_len;
79
80         if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
81                 RTE_LOG_DP(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n",
82                                 payload_len, sa->block_size);
83                 return -EINVAL;
84         }
85
86         sym_cop = get_sym_cop(cop);
87
88         sym_cop->m_src = m;
89         sym_cop->cipher.data.offset =  ip_hdr_len + sizeof(struct esp_hdr) +
90                 sa->iv_len;
91         sym_cop->cipher.data.length = payload_len;
92
93         struct cnt_blk *icb;
94         uint8_t *aad;
95         uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len + sizeof(struct esp_hdr));
96
97         switch (sa->cipher_algo) {
98         case RTE_CRYPTO_CIPHER_NULL:
99         case RTE_CRYPTO_CIPHER_AES_CBC:
100                 sym_cop->cipher.iv.data = iv;
101                 sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
102                                  ip_hdr_len + sizeof(struct esp_hdr));
103                 sym_cop->cipher.iv.length = sa->iv_len;
104                 break;
105         case RTE_CRYPTO_CIPHER_AES_CTR:
106         case RTE_CRYPTO_CIPHER_AES_GCM:
107                 icb = get_cnt_blk(m);
108                 icb->salt = sa->salt;
109                 memcpy(&icb->iv, iv, 8);
110                 icb->cnt = rte_cpu_to_be_32(1);
111                 sym_cop->cipher.iv.data = (uint8_t *)icb;
112                 sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
113                          (uint8_t *)icb - rte_pktmbuf_mtod(m, uint8_t *));
114                 sym_cop->cipher.iv.length = 16;
115                 break;
116         default:
117                 RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
118                                 sa->cipher_algo);
119                 return -EINVAL;
120         }
121
122         switch (sa->auth_algo) {
123         case RTE_CRYPTO_AUTH_NULL:
124         case RTE_CRYPTO_AUTH_SHA1_HMAC:
125         case RTE_CRYPTO_AUTH_SHA256_HMAC:
126                 sym_cop->auth.data.offset = ip_hdr_len;
127                 sym_cop->auth.data.length = sizeof(struct esp_hdr) +
128                         sa->iv_len + payload_len;
129                 break;
130         case RTE_CRYPTO_AUTH_AES_GCM:
131                 aad = get_aad(m);
132                 memcpy(aad, iv - sizeof(struct esp_hdr), 8);
133                 sym_cop->auth.aad.data = aad;
134                 sym_cop->auth.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
135                                 aad - rte_pktmbuf_mtod(m, uint8_t *));
136                 sym_cop->auth.aad.length = 8;
137                 break;
138         default:
139                 RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
140                                 sa->auth_algo);
141                 return -EINVAL;
142         }
143
144         sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,
145                         rte_pktmbuf_pkt_len(m) - sa->digest_len);
146         sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
147                         rte_pktmbuf_pkt_len(m) - sa->digest_len);
148         sym_cop->auth.digest.length = sa->digest_len;
149
150         return 0;
151 }
152
153 int
154 esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
155                 struct rte_crypto_op *cop)
156 {
157         struct ip *ip4, *ip;
158         struct ip6_hdr *ip6;
159         uint8_t *nexthdr, *pad_len;
160         uint8_t *padding;
161         uint16_t i;
162
163         RTE_ASSERT(m != NULL);
164         RTE_ASSERT(sa != NULL);
165         RTE_ASSERT(cop != NULL);
166
167         if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
168                 RTE_LOG(ERR, IPSEC_ESP, "failed crypto op\n");
169                 return -1;
170         }
171
172         nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
173                         rte_pktmbuf_pkt_len(m) - sa->digest_len - 1);
174         pad_len = nexthdr - 1;
175
176         padding = pad_len - *pad_len;
177         for (i = 0; i < *pad_len; i++) {
178                 if (padding[i] != i + 1) {
179                         RTE_LOG(ERR, IPSEC_ESP, "invalid padding\n");
180                         return -EINVAL;
181                 }
182         }
183
184         if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) {
185                 RTE_LOG(ERR, IPSEC_ESP,
186                                 "failed to remove pad_len + digest\n");
187                 return -EINVAL;
188         }
189
190         if (unlikely(sa->flags == TRANSPORT)) {
191                 ip = rte_pktmbuf_mtod(m, struct ip *);
192                 ip4 = (struct ip *)rte_pktmbuf_adj(m,
193                                 sizeof(struct esp_hdr) + sa->iv_len);
194                 if (likely(ip->ip_v == IPVERSION)) {
195                         memmove(ip4, ip, ip->ip_hl * 4);
196                         ip4->ip_p = *nexthdr;
197                         ip4->ip_len = htons(rte_pktmbuf_data_len(m));
198                 } else {
199                         ip6 = (struct ip6_hdr *)ip4;
200                         /* XXX No option headers supported */
201                         memmove(ip6, ip, sizeof(struct ip6_hdr));
202                         ip6->ip6_nxt = *nexthdr;
203                         ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
204                 }
205         } else
206                 ipip_inbound(m, sizeof(struct esp_hdr) + sa->iv_len);
207
208         return 0;
209 }
210
211 int
212 esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
213                 struct rte_crypto_op *cop)
214 {
215         struct ip *ip4;
216         struct ip6_hdr *ip6;
217         struct esp_hdr *esp = NULL;
218         uint8_t *padding, *new_ip, nlp;
219         struct rte_crypto_sym_op *sym_cop;
220         int32_t i;
221         uint16_t pad_payload_len, pad_len, ip_hdr_len;
222
223         RTE_ASSERT(m != NULL);
224         RTE_ASSERT(sa != NULL);
225         RTE_ASSERT(cop != NULL);
226
227         ip_hdr_len = 0;
228
229         ip4 = rte_pktmbuf_mtod(m, struct ip *);
230         if (likely(ip4->ip_v == IPVERSION)) {
231                 if (unlikely(sa->flags == TRANSPORT)) {
232                         ip_hdr_len = ip4->ip_hl * 4;
233                         nlp = ip4->ip_p;
234                 } else
235                         nlp = IPPROTO_IPIP;
236         } else if (ip4->ip_v == IP6_VERSION) {
237                 if (unlikely(sa->flags == TRANSPORT)) {
238                         /* XXX No option headers supported */
239                         ip_hdr_len = sizeof(struct ip6_hdr);
240                         ip6 = (struct ip6_hdr *)ip4;
241                         nlp = ip6->ip6_nxt;
242                 } else
243                         nlp = IPPROTO_IPV6;
244         } else {
245                 RTE_LOG(ERR, IPSEC_ESP, "invalid IP packet type %d\n",
246                                 ip4->ip_v);
247                 return -EINVAL;
248         }
249
250         /* Padded payload length */
251         pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
252                         ip_hdr_len + 2, sa->block_size);
253         pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
254
255         RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
256                         sa->flags == TRANSPORT);
257
258         if (likely(sa->flags == IP4_TUNNEL))
259                 ip_hdr_len = sizeof(struct ip);
260         else if (sa->flags == IP6_TUNNEL)
261                 ip_hdr_len = sizeof(struct ip6_hdr);
262         else if (sa->flags != TRANSPORT) {
263                 RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
264                                 sa->flags);
265                 return -EINVAL;
266         }
267
268         /* Check maximum packet size */
269         if (unlikely(ip_hdr_len + sizeof(struct esp_hdr) + sa->iv_len +
270                         pad_payload_len + sa->digest_len > IP_MAXPACKET)) {
271                 RTE_LOG(ERR, IPSEC_ESP, "ipsec packet is too big\n");
272                 return -EINVAL;
273         }
274
275         padding = (uint8_t *)rte_pktmbuf_append(m, pad_len + sa->digest_len);
276         if (unlikely(padding == NULL)) {
277                 RTE_LOG(ERR, IPSEC_ESP, "not enough mbuf trailing space\n");
278                 return -ENOSPC;
279         }
280         rte_prefetch0(padding);
281
282         switch (sa->flags) {
283         case IP4_TUNNEL:
284                 ip4 = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
285                                 &sa->src, &sa->dst);
286                 esp = (struct esp_hdr *)(ip4 + 1);
287                 break;
288         case IP6_TUNNEL:
289                 ip6 = ip6ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len,
290                                 &sa->src, &sa->dst);
291                 esp = (struct esp_hdr *)(ip6 + 1);
292                 break;
293         case TRANSPORT:
294                 new_ip = (uint8_t *)rte_pktmbuf_prepend(m,
295                                 sizeof(struct esp_hdr) + sa->iv_len);
296                 memmove(new_ip, ip4, ip_hdr_len);
297                 esp = (struct esp_hdr *)(new_ip + ip_hdr_len);
298                 if (likely(ip4->ip_v == IPVERSION)) {
299                         ip4 = (struct ip *)new_ip;
300                         ip4->ip_p = IPPROTO_ESP;
301                         ip4->ip_len = htons(rte_pktmbuf_data_len(m));
302                 } else {
303                         ip6 = (struct ip6_hdr *)new_ip;
304                         ip6->ip6_nxt = IPPROTO_ESP;
305                         ip6->ip6_plen = htons(rte_pktmbuf_data_len(m));
306                 }
307         }
308
309         sa->seq++;
310         esp->spi = rte_cpu_to_be_32(sa->spi);
311         esp->seq = rte_cpu_to_be_32((uint32_t)sa->seq);
312
313         uint64_t *iv = (uint64_t *)(esp + 1);
314
315         sym_cop = get_sym_cop(cop);
316         sym_cop->m_src = m;
317         switch (sa->cipher_algo) {
318         case RTE_CRYPTO_CIPHER_NULL:
319         case RTE_CRYPTO_CIPHER_AES_CBC:
320                 memset(iv, 0, sa->iv_len);
321                 sym_cop->cipher.data.offset = ip_hdr_len +
322                         sizeof(struct esp_hdr);
323                 sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
324                 break;
325         case RTE_CRYPTO_CIPHER_AES_CTR:
326         case RTE_CRYPTO_CIPHER_AES_GCM:
327                 *iv = sa->seq;
328                 sym_cop->cipher.data.offset = ip_hdr_len +
329                         sizeof(struct esp_hdr) + sa->iv_len;
330                 sym_cop->cipher.data.length = pad_payload_len;
331                 break;
332         default:
333                 RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
334                                 sa->cipher_algo);
335                 return -EINVAL;
336         }
337
338         /* Fill pad_len using default sequential scheme */
339         for (i = 0; i < pad_len - 2; i++)
340                 padding[i] = i + 1;
341         padding[pad_len - 2] = pad_len - 2;
342         padding[pad_len - 1] = nlp;
343
344         struct cnt_blk *icb = get_cnt_blk(m);
345         icb->salt = sa->salt;
346         icb->iv = sa->seq;
347         icb->cnt = rte_cpu_to_be_32(1);
348         sym_cop->cipher.iv.data = (uint8_t *)icb;
349         sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
350                          (uint8_t *)icb - rte_pktmbuf_mtod(m, uint8_t *));
351         sym_cop->cipher.iv.length = 16;
352
353         uint8_t *aad;
354
355         switch (sa->auth_algo) {
356         case RTE_CRYPTO_AUTH_NULL:
357         case RTE_CRYPTO_AUTH_SHA1_HMAC:
358         case RTE_CRYPTO_AUTH_SHA256_HMAC:
359                 sym_cop->auth.data.offset = ip_hdr_len;
360                 sym_cop->auth.data.length = sizeof(struct esp_hdr) +
361                         sa->iv_len + pad_payload_len;
362                 break;
363         case RTE_CRYPTO_AUTH_AES_GCM:
364                 aad = get_aad(m);
365                 memcpy(aad, esp, 8);
366                 sym_cop->auth.aad.data = aad;
367                 sym_cop->auth.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
368                                 aad - rte_pktmbuf_mtod(m, uint8_t *));
369                 sym_cop->auth.aad.length = 8;
370                 break;
371         default:
372                 RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
373                                 sa->auth_algo);
374                 return -EINVAL;
375         }
376
377         sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
378                         rte_pktmbuf_pkt_len(m) - sa->digest_len);
379         sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(m,
380                         rte_pktmbuf_pkt_len(m) - sa->digest_len);
381         sym_cop->auth.digest.length = sa->digest_len;
382
383         return 0;
384 }
385
386 int
387 esp_outbound_post(struct rte_mbuf *m __rte_unused,
388                 struct ipsec_sa *sa __rte_unused,
389                 struct rte_crypto_op *cop)
390 {
391         RTE_ASSERT(m != NULL);
392         RTE_ASSERT(sa != NULL);
393         RTE_ASSERT(cop != NULL);
394
395         if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
396                 RTE_LOG(ERR, IPSEC_ESP, "Failed crypto op\n");
397                 return -1;
398         }
399
400         return 0;
401 }