X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;ds=inline;f=examples%2Fipsec-secgw%2Fsa.c;h=cd1397531a25e73388cd84421fc39ec11f4d83f1;hb=46d3f57537059ef9ec497f97d98e57a1e5f2f417;hp=1f025a777108a13662f4dad6e872a3d910e53796;hpb=2cf67788ae895b4e3c05059e1feb06f6d3d8865e;p=dpdk.git

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 1f025a7771..cd1397531a 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: BSD-3-Clause
- * Copyright(c) 2016-2017 Intel Corporation
+ * Copyright(c) 2016-2020 Intel Corporation
  */
 
 /*
@@ -76,6 +76,13 @@ const struct supported_cipher_algo cipher_algos[] = {
 		.block_size = 16,
 		.key_len = 16
 	},
+	{
+		.keyword = "aes-192-cbc",
+		.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+		.iv_len = 16,
+		.block_size = 16,
+		.key_len = 24
+	},
 	{
 		.keyword = "aes-256-cbc",
 		.algo = RTE_CRYPTO_CIPHER_AES_CBC,
@@ -130,19 +137,38 @@ const struct supported_aead_algo aead_algos[] = {
 		.key_len = 20,
 		.digest_len = 16,
 		.aad_len = 8,
+	},
+	{
+		.keyword = "aes-192-gcm",
+		.algo = RTE_CRYPTO_AEAD_AES_GCM,
+		.iv_len = 8,
+		.block_size = 4,
+		.key_len = 28,
+		.digest_len = 16,
+		.aad_len = 8,
+	},
+	{
+		.keyword = "aes-256-gcm",
+		.algo = RTE_CRYPTO_AEAD_AES_GCM,
+		.iv_len = 8,
+		.block_size = 4,
+		.key_len = 36,
+		.digest_len = 16,
+		.aad_len = 8,
 	}
 };
 
 #define SA_INIT_NB	128
 
-static struct ipsec_sa *sa_out;
+static uint32_t nb_crypto_sessions;
+struct ipsec_sa *sa_out;
+uint32_t nb_sa_out;
 static uint32_t sa_out_sz;
-static uint32_t nb_sa_out;
 static struct ipsec_sa_cnt sa_out_cnt;
 
-static struct ipsec_sa *sa_in;
+struct ipsec_sa *sa_in;
+uint32_t nb_sa_in;
 static uint32_t sa_in_sz;
-static uint32_t nb_sa_in;
 static struct ipsec_sa_cnt sa_in_cnt;
 
 static const struct supported_cipher_algo *
@@ -271,6 +297,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 	uint32_t type_p = 0;
 	uint32_t portid_p = 0;
 	uint32_t fallback_p = 0;
+	int16_t status_p = 0;
 
 	if (strcmp(tokens[0], "in") == 0) {
 		ri = &nb_sa_in;
@@ -295,6 +322,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 	if (atoi(tokens[1]) == INVALID_SPI)
 		return;
 	rule->spi = atoi(tokens[1]);
+	rule->portid = UINT16_MAX;
 	ips = ipsec_get_primary_session(rule);
 
 	for (ti = 2; ti < n_tokens; ti++) {
@@ -617,6 +645,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 				RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
 			else if (strcmp(tokens[ti], "no-offload") == 0)
 				ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
+			else if (strcmp(tokens[ti], "cpu-crypto") == 0)
+				ips->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;
 			else {
 				APP_CHECK(0, status, "Invalid input \"%s\"",
 						tokens[ti]);
@@ -634,9 +664,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
 			if (status->status < 0)
 				return;
-			rule->portid = atoi(tokens[ti]);
-			if (status->status < 0)
+			if (rule->portid == UINT16_MAX)
+				rule->portid = atoi(tokens[ti]);
+			else if (rule->portid != atoi(tokens[ti])) {
+				APP_CHECK(0, status,
+					"portid %s not matching with already assigned portid %u",
+					tokens[ti], rule->portid);
 				return;
+			}
 			portid_p = 1;
 			continue;
 		}
@@ -667,18 +702,61 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			if (status->status < 0)
 				return;
 			fb = ipsec_get_fallback_session(rule);
-			if (strcmp(tokens[ti], "lookaside-none") == 0) {
+			if (strcmp(tokens[ti], "lookaside-none") == 0)
 				fb->type = RTE_SECURITY_ACTION_TYPE_NONE;
-			} else {
+			else if (strcmp(tokens[ti], "cpu-crypto") == 0)
+				fb->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO;
+			else {
 				APP_CHECK(0, status, "unrecognized fallback "
 					"type %s.", tokens[ti]);
 				return;
 			}
 
 			rule->fallback_sessions = 1;
+			nb_crypto_sessions++;
 			fallback_p = 1;
 			continue;
 		}
+		if (strcmp(tokens[ti], "flow-direction") == 0) {
+			switch (ips->type) {
+			case RTE_SECURITY_ACTION_TYPE_NONE:
+			case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+				rule->fdir_flag = 1;
+				INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+				if (status->status < 0)
+					return;
+				if (rule->portid == UINT16_MAX)
+					rule->portid = atoi(tokens[ti]);
+				else if (rule->portid != atoi(tokens[ti])) {
+					APP_CHECK(0, status,
+						"portid %s not matching with already assigned portid %u",
+						tokens[ti], rule->portid);
+					return;
+				}
+				INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+				if (status->status < 0)
+					return;
+				rule->fdir_qid = atoi(tokens[ti]);
+				/* validating portid and queueid */
+				status_p = check_flow_params(rule->portid,
+						rule->fdir_qid);
+				if (status_p < 0) {
+					printf("port id %u / queue id %u is "
+						"not valid\n", rule->portid,
+						 rule->fdir_qid);
+				}
+				break;
+			case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
+			case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
+			case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
+			default:
+				APP_CHECK(0, status,
+					"flow director not supported for security session type %d",
+					ips->type);
+				return;
+			}
+			continue;
+		}
 
 		/* unrecognizeable input */
 		APP_CHECK(0, status, "unrecognized input \"%s\"",
@@ -710,14 +788,16 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 	if (status->status < 0)
 		return;
 
-	if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0))
+	if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE && ips->type !=
+			RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && (portid_p == 0))
 		printf("Missing portid option, falling back to non-offload\n");
 
-	if (!type_p || !portid_p) {
+	if (!type_p || (!portid_p && ips->type !=
+			RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) {
 		ips->type = RTE_SECURITY_ACTION_TYPE_NONE;
-		rule->portid = -1;
 	}
 
+	nb_crypto_sessions++;
 	*ri = *ri + 1;
 }
 
@@ -747,7 +827,8 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
 	}
 
 	for (i = 0; i < RTE_DIM(aead_algos); i++) {
-		if (aead_algos[i].algo == sa->aead_algo) {
+		if (aead_algos[i].algo == sa->aead_algo &&
+				aead_algos[i].key_len-4 == sa->cipher_key_len) {
 			printf("%s ", aead_algos[i].keyword);
 			break;
 		}
@@ -799,32 +880,33 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
 	case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
 		printf("lookaside-protocol-offload ");
 		break;
+	case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+		printf("cpu-crypto-accelerated ");
+		break;
 	}
 
 	fallback_ips = &sa->sessions[IPSEC_SESSION_FALLBACK];
 	if (fallback_ips != NULL && sa->fallback_sessions > 0) {
 		printf("inline fallback: ");
-		if (fallback_ips->type == RTE_SECURITY_ACTION_TYPE_NONE)
+		switch (fallback_ips->type) {
+		case RTE_SECURITY_ACTION_TYPE_NONE:
 			printf("lookaside-none");
-		else
+			break;
+		case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+			printf("cpu-crypto-accelerated");
+			break;
+		default:
 			printf("invalid");
+			break;
+		}
 	}
+	if (sa->fdir_flag == 1)
+		printf("flow-direction port %d queue %d", sa->portid,
+				sa->fdir_qid);
+
 	printf("\n");
 }
 
-struct ipsec_xf {
-	struct rte_crypto_sym_xform a;
-	struct rte_crypto_sym_xform b;
-};
-
-struct sa_ctx {
-	void *satbl; /* pointer to array of rte_ipsec_sa objects*/
-	struct ipsec_sad sad;
-	struct ipsec_xf *xf;
-	uint32_t nb_sa;
-	struct ipsec_sa sa[];
-};
-
 static struct sa_ctx *
 sa_create(const char *name, int32_t socket_id, uint32_t nb_sa)
 {
@@ -1026,7 +1108,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 				return -EINVAL;
 		}
 
-
 		switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
 		case IP4_TUNNEL:
 			sa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4);
@@ -1044,7 +1125,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 		}
 
 		if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
-			struct rte_ipsec_session *ips;
 			iv_length = 12;
 
 			sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
@@ -1064,20 +1144,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 				sa->digest_len;
 
 			sa->xforms = &sa_ctx->xf[idx].a;
-
-			ips = ipsec_get_primary_session(sa);
-			if (ips->type ==
-				RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
-				ips->type ==
-				RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
-				rc = create_inline_session(skt_ctx, sa, ips);
-				if (rc != 0) {
-					RTE_LOG(ERR, IPSEC_ESP,
-						"create_inline_session() failed\n");
-					return -EINVAL;
-				}
-			}
-			print_one_sa_rule(sa, inbound);
 		} else {
 			switch (sa->cipher_algo) {
 			case RTE_CRYPTO_CIPHER_NULL:
@@ -1142,9 +1208,27 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 			sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
 			sa_ctx->xf[idx].b.next = NULL;
 			sa->xforms = &sa_ctx->xf[idx].a;
+		}
+
+		if (ips->type ==
+			RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||
+			ips->type ==
+			RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
+			rc = create_inline_session(skt_ctx, sa, ips);
+			if (rc != 0) {
+				RTE_LOG(ERR, IPSEC_ESP,
+					"create_inline_session() failed\n");
+				return -EINVAL;
+			}
+		}
 
-			print_one_sa_rule(sa, inbound);
+		if (sa->fdir_flag && inbound) {
+			rc = create_ipsec_esp_flow(sa);
+			if (rc != 0)
+				RTE_LOG(ERR, IPSEC_ESP,
+					"create_ipsec_esp_flow() failed\n");
 		}
+		print_one_sa_rule(sa, inbound);
 	}
 
 	return 0;
@@ -1543,3 +1627,9 @@ sa_sort_arr(void)
 	qsort(sa_in, nb_sa_in, sizeof(struct ipsec_sa), sa_cmp);
 	qsort(sa_out, nb_sa_out, sizeof(struct ipsec_sa), sa_cmp);
 }
+
+uint32_t
+get_nb_crypto_sessions(void)
+{
+	return nb_crypto_sessions;
+}