/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
#include <sys/types.h>
#include <netinet/in.h>
#include <rte_crypto.h>
#include <rte_security.h>
#include <rte_cryptodev.h>
+#include <rte_ipsec.h>
#include <rte_ethdev.h>
#include <rte_mbuf.h>
#include <rte_hash.h>
memcpy((uint8_t *)&tunnel->ipv4.dst_ip,
(uint8_t *)&sa->dst.ip.ip4, 4);
+ } else if (IS_IP6_TUNNEL(sa->flags)) {
+ tunnel->type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6;
+ tunnel->ipv6.hlimit = IPDEFTTL;
+ tunnel->ipv6.dscp = 0;
+ tunnel->ipv6.flabel = 0;
+
+ memcpy((uint8_t *)&tunnel->ipv6.src_addr,
+ (uint8_t *)&sa->src.ip.ip6.ip6_b, 16);
+
+ memcpy((uint8_t *)&tunnel->ipv6.dst_addr,
+ (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16);
}
- /* TODO support for Transport and IPV6 tunnel */
+ /* TODO support for Transport */
}
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->replay_win_sz = app_sa_prm.window_size;
+ ipsec->options.esn = app_sa_prm.enable_esn;
}
int
-create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa)
+create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
struct rte_cryptodev_info cdev_info;
unsigned long cdev_id_qp = 0;
ipsec_ctx->tbl[cdev_id_qp].id,
ipsec_ctx->tbl[cdev_id_qp].qp);
- if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
+ ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
struct rte_security_session_conf sess_conf = {
- .action_type = sa->type,
+ .action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
+ .replay_win_sz = 0,
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (IS_TUNNEL(sa->flags)) ?
};
- if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
struct rte_security_ctx *ctx = (struct rte_security_ctx *)
rte_cryptodev_get_sec_ctx(
ipsec_ctx->tbl[cdev_id_qp].id);
/* Set IPsec parameters in conf */
set_ipsec_conf(sa, &(sess_conf.ipsec));
- sa->sec_session = rte_security_session_create(ctx,
+ ips->security.ses = rte_security_session_create(ctx,
&sess_conf, ipsec_ctx->session_priv_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
return -1;
}
} else {
- sa->crypto_session = rte_cryptodev_sym_session_create(
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
+ struct rte_cryptodev_info info;
+ uint16_t cdev_id;
+
+ cdev_id = ipsec_ctx->tbl[cdev_id_qp].id;
+ rte_cryptodev_info_get(cdev_id, &info);
+ if (!(info.feature_flags &
+ RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))
+ return -ENOTSUP;
+
+ ips->crypto.dev_id = cdev_id;
+ }
+ ips->crypto.ses = rte_cryptodev_sym_session_create(
ipsec_ctx->session_pool);
rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
- sa->crypto_session, sa->xforms,
+ ips->crypto.ses, sa->xforms,
ipsec_ctx->session_priv_pool);
rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,
}
int
-create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa)
+create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
+ struct rte_ipsec_session *ips)
{
int32_t ret = 0;
struct rte_security_ctx *sec_ctx;
struct rte_security_session_conf sess_conf = {
- .action_type = sa->type,
+ .action_type = ips->type,
.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
{.ipsec = {
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
+ .replay_win_sz = 0,
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (sa->flags == IP4_TUNNEL ||
RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
sa->spi, sa->portid);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
struct rte_flow_error err;
const struct rte_security_capability *sec_cap;
int ret = 0;
return -1;
}
- sa->sec_session = rte_security_session_create(sec_ctx,
+ ips->security.ses = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
/* iterate until ESP tunnel*/
while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sec_cap->action == sa->type &&
+ if (sec_cap->action == ips->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
return -1;
}
- sa->ol_flags = sec_cap->ol_flags;
- sa->security_ctx = sec_ctx;
+ ips->security.ol_flags = sec_cap->ol_flags;
+ ips->security.ctx = sec_ctx;
sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
if (IS_IP6(sa->flags)) {
sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
- sa->action[0].conf = sa->sec_session;
+ sa->action[0].conf = ips->security.ses;
sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
unsigned int i;
unsigned int j;
- rte_eth_dev_info_get(sa->portid, &dev_info);
+ /* Don't create flow if default flow is created */
+ if (flow_info_tbl[sa->portid].rx_def_flow)
+ return 0;
+
+ ret = rte_eth_dev_info_get(sa->portid, &dev_info);
+ if (ret != 0) {
+ RTE_LOG(ERR, IPSEC,
+ "Error during getting device (port %u) info: %s\n",
+ sa->portid, strerror(-ret));
+ return ret;
+ }
+
sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
/* Try RSS. */
sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
if (ret)
goto flow_create_failure;
} else if (sa->attr.egress &&
- (sa->ol_flags &
- RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
+ (ips->security.ol_flags &
+ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
sa->action[1].type =
RTE_FLOW_ACTION_TYPE_PASSTHRU;
sa->action[2].type =
err.message);
return -1;
}
- } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
+ } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
const struct rte_security_capability *sec_cap;
sec_ctx = (struct rte_security_ctx *)
sess_conf.userdata = (void *) sa;
- sa->sec_session = rte_security_session_create(sec_ctx,
+ ips->security.ses = rte_security_session_create(sec_ctx,
&sess_conf, skt_ctx->session_pool);
- if (sa->sec_session == NULL) {
+ if (ips->security.ses == NULL) {
RTE_LOG(ERR, IPSEC,
"SEC Session init failed: err: %d\n", ret);
return -1;
/* iterate until ESP tunnel*/
while (sec_cap->action !=
RTE_SECURITY_ACTION_TYPE_NONE) {
- if (sec_cap->action == sa->type &&
+ if (sec_cap->action == ips->type &&
sec_cap->protocol ==
RTE_SECURITY_PROTOCOL_IPSEC &&
sec_cap->ipsec.mode ==
return -1;
}
- sa->ol_flags = sec_cap->ol_flags;
- sa->security_ctx = sec_ctx;
+ ips->security.ol_flags = sec_cap->ol_flags;
+ ips->security.ctx = sec_ctx;
}
- sa->cdev_id_qp = 0;
return 0;
}
static inline void
ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
- struct rte_mbuf *pkts[], struct ipsec_sa *sas[],
+ struct rte_mbuf *pkts[], void *sas[],
uint16_t nb_pkts)
{
int32_t ret = 0, i;
struct ipsec_mbuf_metadata *priv;
struct rte_crypto_sym_op *sym_cop;
struct ipsec_sa *sa;
+ struct rte_ipsec_session *ips;
for (i = 0; i < nb_pkts; i++) {
if (unlikely(sas[i] == NULL)) {
rte_prefetch0(pkts[i]);
priv = get_priv(pkts[i]);
- sa = sas[i];
+ sa = ipsec_mask_saptr(sas[i]);
priv->sa = sa;
+ ips = ipsec_get_primary_session(sa);
- switch (sa->type) {
+ switch (ips->type) {
case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(sa->sec_session == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa)) {
+ if ((unlikely(ips->security.ses == NULL)) &&
+ create_lookaside_session(ipsec_ctx, sa, ips)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
sym_cop->m_src = pkts[i];
rte_security_attach_session(&priv->cop,
- sa->sec_session);
+ ips->security.ses);
break;
+
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
+ " legacy mode.");
+ rte_pktmbuf_free(pkts[i]);
+ continue;
+
case RTE_SECURITY_ACTION_TYPE_NONE:
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
rte_prefetch0(&priv->sym_cop);
- if ((unlikely(sa->crypto_session == NULL)) &&
- create_lookaside_session(ipsec_ctx, sa)) {
+ if ((unlikely(ips->crypto.ses == NULL)) &&
+ create_lookaside_session(ipsec_ctx, sa, ips)) {
rte_pktmbuf_free(pkts[i]);
continue;
}
rte_crypto_op_attach_sym_session(&priv->cop,
- sa->crypto_session);
+ ips->crypto.ses);
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
}
break;
case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
- RTE_ASSERT(sa->sec_session != NULL);
+ RTE_ASSERT(ips->security.ses != NULL);
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
- if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
- sa->security_ctx,
- sa->sec_session, pkts[i], NULL);
+ ips->security.ctx, ips->security.ses,
+ pkts[i], NULL);
continue;
case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
- RTE_ASSERT(sa->sec_session != NULL);
+ RTE_ASSERT(ips->security.ses != NULL);
priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
rte_prefetch0(&priv->sym_cop);
rte_security_attach_session(&priv->cop,
- sa->sec_session);
+ ips->security.ses);
ret = xform_func(pkts[i], sa, &priv->cop);
if (unlikely(ret)) {
}
ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
- if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
+ if (ips->security.ol_flags &
+ RTE_SECURITY_TX_OLOAD_NEED_MDATA)
rte_security_set_pkt_metadata(
- sa->security_ctx,
- sa->sec_session, pkts[i], NULL);
+ ips->security.ctx, ips->security.ses,
+ pkts[i], NULL);
continue;
}
RTE_ASSERT(sa != NULL);
- if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) {
+ if (ipsec_get_action_type(sa) ==
+ RTE_SECURITY_ACTION_TYPE_NONE) {
ret = xform_func(pkt, sa, cops[j]);
if (unlikely(ret)) {
rte_pktmbuf_free(pkt);
continue;
}
- } else if (sa->type ==
+ } else if (ipsec_get_action_type(sa) ==
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
if (cops[j]->status) {
rte_pktmbuf_free(pkt);
ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
uint16_t nb_pkts, uint16_t len)
{
- struct ipsec_sa *sas[nb_pkts];
+ void *sas[nb_pkts];
inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
{
- struct ipsec_sa *sas[nb_pkts];
+ void *sas[nb_pkts];
outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);