/* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
*/
/*
}
};
-static struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES];
+#define SA_INIT_NB 128
+
+static struct ipsec_sa *sa_out;
+static uint32_t sa_out_sz;
static uint32_t nb_sa_out;
static struct ipsec_sa_cnt sa_out_cnt;
-static struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES];
+static struct ipsec_sa *sa_in;
+static uint32_t sa_in_sz;
static uint32_t nb_sa_in;
static struct ipsec_sa_cnt sa_in_cnt;
return nb_bytes;
}
+static int
+extend_sa_arr(struct ipsec_sa **sa_tbl, uint32_t cur_cnt, uint32_t *cur_sz)
+{
+ if (*sa_tbl == NULL) {
+ *sa_tbl = calloc(SA_INIT_NB, sizeof(struct ipsec_sa));
+ if (*sa_tbl == NULL)
+ return -1;
+ *cur_sz = SA_INIT_NB;
+ return 0;
+ }
+
+ if (cur_cnt >= *cur_sz) {
+ *sa_tbl = realloc(*sa_tbl,
+ *cur_sz * sizeof(struct ipsec_sa) * 2);
+ if (*sa_tbl == NULL)
+ return -1;
+ /* clean reallocated extra space */
+ memset(&(*sa_tbl)[*cur_sz], 0,
+ *cur_sz * sizeof(struct ipsec_sa));
+ *cur_sz *= 2;
+ }
+
+ return 0;
+}
+
void
parse_sa_tokens(char **tokens, uint32_t n_tokens,
struct parse_status *status)
if (strcmp(tokens[0], "in") == 0) {
ri = &nb_sa_in;
sa_cnt = &sa_in_cnt;
-
- APP_CHECK(*ri <= IPSEC_SA_MAX_ENTRIES - 1, status,
- "too many sa rules, abort insertion\n");
- if (status->status < 0)
+ if (extend_sa_arr(&sa_in, nb_sa_in, &sa_in_sz) < 0)
return;
-
rule = &sa_in[*ri];
rule->direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
} else {
ri = &nb_sa_out;
sa_cnt = &sa_out_cnt;
-
- APP_CHECK(*ri <= IPSEC_SA_MAX_ENTRIES - 1, status,
- "too many sa rules, abort insertion\n");
- if (status->status < 0)
+ if (extend_sa_arr(&sa_out, nb_sa_out, &sa_out_sz) < 0)
return;
-
rule = &sa_out[*ri];
rule->direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
}
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
else if (strcmp(tokens[ti], "no-offload") == 0)
ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
+ else if (strcmp(tokens[ti], "cpu-crypto") == 0)
+ ips->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;
else {
APP_CHECK(0, status, "Invalid input \"%s\"",
tokens[ti]);
if (status->status < 0)
return;
- if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
+ if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE && ips->type !=
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && (portid_p == 0))
printf("Missing portid option, falling back to non-offload\n");
- if (!type_p || !portid_p) {
+ if (!type_p || (!portid_p && ips->type !=
+ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {
ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
rule->portid = -1;
}
case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
printf("lookaside-protocol-offload ");
break;
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ printf("cpu-crypto-accelerated");
+ break;
}
fallback_ips = &sa->sessions[IPSEC_SESSION_FALLBACK];
if (fallback_ips != NULL && sa->fallback_sessions > 0) {
printf("inline fallback: ");
- if (fallback_ips->type == RTE_SECURITY_ACTION_TYPE_NONE)
+ switch (fallback_ips->type) {
+ case RTE_SECURITY_ACTION_TYPE_NONE:
printf("lookaside-none");
- else
+ break;
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ printf("cpu-crypto-accelerated");
+ break;
+ default:
printf("invalid");
+ break;
+ }
}
printf("\n");
}
return NULL;
}
- sa_ctx = rte_malloc(NULL, sizeof(struct sa_ctx) +
+ sa_ctx = rte_zmalloc(NULL, sizeof(struct sa_ctx) +
sizeof(struct ipsec_sa) * nb_sa, RTE_CACHE_LINE_SIZE);
if (sa_ctx == NULL) {
return -EINVAL;
}
-
switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
case IP4_TUNNEL:
sa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4);
}
if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
- struct rte_ipsec_session *ips;
iv_length = 12;
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
sa->digest_len;
sa->xforms = &sa_ctx->xf[idx].a;
-
- ips = ipsec_get_primary_session(sa);
- if (ips->type ==
- RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
- ips->type ==
- RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
- rc = create_inline_session(skt_ctx, sa, ips);
- if (rc != 0) {
- RTE_LOG(ERR, IPSEC_ESP,
- "create_inline_session() failed\n");
- return -EINVAL;
- }
- }
- print_one_sa_rule(sa, inbound);
} else {
switch (sa->cipher_algo) {
case RTE_CRYPTO_CIPHER_NULL:
sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
sa_ctx->xf[idx].b.next = NULL;
sa->xforms = &sa_ctx->xf[idx].a;
+ }
- print_one_sa_rule(sa, inbound);
+ if (ips->type ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+ ips->type ==
+ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+ rc = create_inline_session(skt_ctx, sa, ips);
+ if (rc != 0) {
+ RTE_LOG(ERR, IPSEC_ESP,
+ "create_inline_session() failed\n");
+ return -EINVAL;
+ }
}
+
+ print_one_sa_rule(sa, inbound);
}
return 0;
return rc;
}
+static int
+sa_cmp(const void *p, const void *q)
+{
+ uint32_t spi1 = ((const struct ipsec_sa *)p)->spi;
+ uint32_t spi2 = ((const struct ipsec_sa *)q)->spi;
+
+ return (int)(spi1 - spi2);
+}
+
/*
* Walk through all SA rules to find an SA with given SPI
*/
int
sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound)
{
- uint32_t i, num;
+ uint32_t num;
+ struct ipsec_sa *sa;
+ struct ipsec_sa tmpl;
const struct ipsec_sa *sar;
sar = sa_ctx->sa;
else
num = nb_sa_out;
- for (i = 0; i != num; i++) {
- if (sar[i].spi == spi)
- return i;
- }
+ tmpl.spi = spi;
+
+ sa = bsearch(&tmpl, sar, num, sizeof(struct ipsec_sa), sa_cmp);
+ if (sa != NULL)
+ return RTE_PTR_DIFF(sa, sar) / sizeof(struct ipsec_sa);
return -ENOENT;
}
void *sa_arr[], uint16_t nb_pkts)
{
uint32_t i;
- struct ip *ip;
- uint32_t *src4_addr;
- uint8_t *src6_addr;
void *result_sa;
struct ipsec_sa *sa;
intsa |= IPSEC_SA_OFFLOAD_FALLBACK_FLAG;
result_sa = (void *)intsa;
}
-
- ip = rte_pktmbuf_mtod(pkts[i], struct ip *);
- switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
- case IP4_TUNNEL:
- src4_addr = RTE_PTR_ADD(ip,
- offsetof(struct ip, ip_src));
- if ((ip->ip_v == IPVERSION) &&
- (sa->src.ip.ip4 == *src4_addr) &&
- (sa->dst.ip.ip4 == *(src4_addr + 1)))
- sa_arr[i] = result_sa;
- else
- sa_arr[i] = NULL;
- break;
- case IP6_TUNNEL:
- src6_addr = RTE_PTR_ADD(ip,
- offsetof(struct ip6_hdr, ip6_src));
- if ((ip->ip_v == IP6_VERSION) &&
- !memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) &&
- !memcmp(&sa->dst.ip.ip6.ip6, src6_addr + 16, 16))
- sa_arr[i] = result_sa;
- else
- sa_arr[i] = NULL;
- break;
- case TRANSPORT:
- sa_arr[i] = result_sa;
- }
+ sa_arr[i] = result_sa;
}
}
}
return 0;
}
+
+void
+sa_sort_arr(void)
+{
+ qsort(sa_in, nb_sa_in, sizeof(struct ipsec_sa), sa_cmp);
+ qsort(sa_out, nb_sa_out, sizeof(struct ipsec_sa), sa_cmp);
+}