X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=examples%2Fipsec-secgw%2Fsa.c;h=7bb9ef36c2d3eadbdbfa8eaf0e70ba6e4bc60bd9;hb=3dbfacbf93f6737e38bc47e4e3f53c7ebd4d7766;hp=a6bf5e8b13b5b906d117a951d76e9ffd60272c8b;hpb=053e1f3c1378b9e73811d0217c46d644ed1f37ef;p=dpdk.git
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index a6bf5e8b13..7bb9ef36c2 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -76,6 +76,13 @@ const struct supported_cipher_algo cipher_algos[] = {
 .block_size = 16,
 .key_len = 16
 },
+ {
+ .keyword = "aes-192-cbc",
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 24
+ },
 {
 .keyword = "aes-256-cbc",
 .algo = RTE_CRYPTO_CIPHER_AES_CBC,
@@ -130,11 +137,30 @@ const struct supported_aead_algo aead_algos[] = {
 .key_len = 20,
 .digest_len = 16,
 .aad_len = 8,
+ },
+ {
+ .keyword = "aes-192-gcm",
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 28,
+ .digest_len = 16,
+ .aad_len = 8,
+ },
+ {
+ .keyword = "aes-256-gcm",
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 36,
+ .digest_len = 16,
+ .aad_len = 8,
 }
 };
 #define SA_INIT_NB 128
+static uint32_t nb_crypto_sessions;
 struct ipsec_sa *sa_out;
 uint32_t nb_sa_out;
 static uint32_t sa_out_sz;
@@ -271,6 +297,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 uint32_t type_p = 0;
 uint32_t portid_p = 0;
 uint32_t fallback_p = 0;
+ int16_t status_p = 0;
+ uint16_t udp_encap_p = 0;
 if (strcmp(tokens[0], "in") == 0) {
 ri = &nb_sa_in;
@@ -295,6 +323,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 if (atoi(tokens[1]) == INVALID_SPI)
 return;
 rule->spi = atoi(tokens[1]);
+ rule->portid = UINT16_MAX;
 ips = ipsec_get_primary_session(rule);
 for (ti = 2; ti < n_tokens; ti++) {
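Review bot: The new `aes-192-gcm` and `aes-256-gcm` entries in `aead_algos[]` set `.key_len = 28` and `.key_len = 36` with no comment explaining that the figure is the AES key length plus four extra bytes, which appear to be the GCM salt carried in the configured key string (the existing entry just above uses 20 the same way). The print_one_sa_rule hunk at -753 depends on the same convention through a bare `key_len-4`. A one-line comment on the table, e.g. `/* key_len = AES key + 4-byte salt */`, and a named constant in place of the literal 4 would keep the two sites from drifting apart. The table itself starts before this hunk.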
@@ -636,9 +665,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
 if (status->status < 0)
 return;
- rule->portid = atoi(tokens[ti]);
- if (status->status < 0)
+ if (rule->portid == UINT16_MAX)
+ rule->portid = atoi(tokens[ti]);
+ else if (rule->portid != atoi(tokens[ti])) {
+ APP_CHECK(0, status,
+ "portid %s not matching with already assigned portid %u",
+ tokens[ti], rule->portid);
 return;
+ }
 portid_p = 1;
 continue;
 }
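Review bot: `rule->portid` is filled from `atoi(tokens[ti])` with no syntax or range check, while the hunk at -295 now reserves `UINT16_MAX` as the "not yet assigned" marker. `atoi` returns 0 for non-numeric text, and anything outside the 16-bit range is silently truncated on assignment (assuming portid is a uint16_t, as the sentinel suggests), so a token of `65535` or `-1` is indistinguishable from "unassigned" and a typo quietly selects port 0. The same block is repeated in the `flow-direction` branch added at -680. Parsing the token once with `strtoul`, rejecting anything that is not a complete decimal number below `UINT16_MAX`, and sharing that in one helper would cover both sites. parse_sa_tokens starts and ends outside the hunk.

```c
/* … unchanged: INCREMENT_TOKEN_INDEX and its status check … */
char *end = NULL;
unsigned long port;

errno = 0;
port = strtoul(tokens[ti], &end, 10);
APP_CHECK(errno == 0 && end != tokens[ti] && *end == '\0' &&
	port < UINT16_MAX, status,
	"invalid portid \"%s\"", tokens[ti]);
if (status->status < 0)
	return;
if (rule->portid == UINT16_MAX)
	rule->portid = (uint16_t)port;
else if (rule->portid != port) {
	/* … unchanged: mismatch APP_CHECK and return … */
}
```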
@@ -680,9 +714,67 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 }
 rule->fallback_sessions = 1;
+ nb_crypto_sessions++;
 fallback_p = 1;
 continue;
 }
+ if (strcmp(tokens[ti], "flow-direction") == 0) {
+ switch (ips->type) {
+ case RTE_SECURITY_ACTION_TYPE_NONE:
+ case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
+ rule->fdir_flag = 1;
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ if (rule->portid == UINT16_MAX)
+ rule->portid = atoi(tokens[ti]);
+ else if (rule->portid != atoi(tokens[ti])) {
+ APP_CHECK(0, status,
+ "portid %s not matching with already assigned portid %u",
+ tokens[ti], rule->portid);
+ return;
+ }
+ INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
+ if (status->status < 0)
+ return;
+ rule->fdir_qid = atoi(tokens[ti]);
+ /* validating portid and queueid */
+ status_p = check_flow_params(rule->portid,
+ rule->fdir_qid);
+ if (status_p < 0) {
+ printf("port id %u / queue id %u is "
+ "not valid\n", rule->portid,
+ rule->fdir_qid);
+ }
+ break;
+ case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
+ case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
+ case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
+ default:
+ APP_CHECK(0, status,
+ "flow director not supported for security session type %d",
+ ips->type);
+ return;
+ }
+ continue;
+ }
+ if (strcmp(tokens[ti], "udp-encap") == 0) {
+ APP_CHECK(ips->type ==
+ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+ status, "UDP encapsulation is allowed if the "
+ "session is of type lookaside-protocol-offload "
+ "only.");
+ if (status->status < 0)
+ return;
+ APP_CHECK_PRESENCE(udp_encap_p, tokens[ti], status);
+ if (status->status < 0)
+ return;
+
+ rule->udp_encap = 1;
+ app_sa_prm.udp_encap = 1;
+ udp_encap_p = 1;
+ continue;
+ }
 /* unrecognizeable input */
 APP_CHECK(0, status, "unrecognized input \"%s\"",
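Review bot: In the `flow-direction` branch a negative result from `check_flow_params()` is only printed, so parsing carries on and the rule keeps `fdir_flag = 1` with a port/queue pair that was just reported as invalid. Every other error path in this hunk goes through `APP_CHECK` and returns; this one should too, e.g. `APP_CHECK(status_p >= 0, status, "port id %u / queue id %u is not valid", rule->portid, rule->fdir_qid);` followed by `if (status->status < 0) return;`. `rule->fdir_qid` is also taken straight from `atoi()`, so a non-numeric queue token silently becomes queue 0. parse_sa_tokens starts and ends outside the hunk.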
@@ -721,9 +813,9 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (!type_p || (!portid_p && ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { ips->type = RTE_SECURITY_ACTION_TYPE_NONE; - rule->portid = -1; } + nb_crypto_sessions++; *ri = *ri + 1; } @@ -753,7 +845,8 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } for (i = 0; i < RTE_DIM(aead_algos); i++) { - if (aead_algos[i].algo == sa->aead_algo) { + if (aead_algos[i].algo == sa->aead_algo && + aead_algos[i].key_len-4 == sa->cipher_key_len) { printf("%s ", aead_algos[i].keyword); break; } @@ -806,7 +899,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) printf("lookaside-protocol-offload "); break; case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: - printf("cpu-crypto-accelerated"); + printf("cpu-crypto-accelerated "); break; } @@ -825,6 +918,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) break; } } + if (sa->fdir_flag == 1) + printf("flow-direction port %d queue %d", sa->portid, + sa->fdir_qid); + printf("\n"); } @@ -1143,6 +1240,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } } + if (sa->fdir_flag && inbound) { + rc = create_ipsec_esp_flow(sa); + if (rc != 0) + RTE_LOG(ERR, IPSEC_ESP, + "create_ipsec_esp_flow() failed\n"); + } print_one_sa_rule(sa, inbound); } @@ -1542,3 +1645,9 @@ sa_sort_arr(void) qsort(sa_in, nb_sa_in, sizeof(struct ipsec_sa), sa_cmp); qsort(sa_out, nb_sa_out, sizeof(struct ipsec_sa), sa_cmp); } + +uint32_t +get_nb_crypto_sessions(void) +{ + return nb_crypto_sessions; +}
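Review bot: In the sa_add_rules hunk at -1143 a failing `create_ipsec_esp_flow(sa)` is logged and then ignored, and the message does not say which SA is affected. As far as the visible lines show the SA is still installed, so its inbound traffic presumably is not steered to the configured queue even though the configuration asks for it. Put the SA and the return code in the log, e.g. `"create_ipsec_esp_flow() failed for SPI %u: %d\n", sa->spi, rc`, and consider propagating the error if the caller can act on it. The loop body and the function's return path are outside the hunk.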
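Review bot: `get_nb_crypto_sessions()`, added at the end of the file, has no comment saying what the counter means. From the other hunks, `nb_crypto_sessions` is incremented once for every parsed SA rule and once more for each rule with a fallback session, and nothing visible resets it. A short header comment such as `/* Crypto sessions required by the parsed SA rules: one per rule plus one per fallback session. */` would let callers use the value without reading parse_sa_tokens.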