X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=examples%2Fipsec-secgw%2Fsa.c;h=cd1397531a25e73388cd84421fc39ec11f4d83f1;hb=1d049dc7623e4c0506c9c34dbb168ad9530daae0;hp=5a9c960478f849510c23ea69a33d1643acca44e1;hpb=e1143d7dbbf484837f3eefb077a9b0af0f7e1c45;p=dpdk.git diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 5a9c960478..cd1397531a 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1,5 +1,5 @@ /* SPDX-License-Identifier: BSD-3-Clause - * Copyright(c) 2016-2017 Intel Corporation + * Copyright(c) 2016-2020 Intel Corporation */ /* @@ -76,6 +76,13 @@ const struct supported_cipher_algo cipher_algos[] = { .block_size = 16, .key_len = 16 }, + { + .keyword = "aes-192-cbc", + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .iv_len = 16, + .block_size = 16, + .key_len = 24 + }, { .keyword = "aes-256-cbc", .algo = RTE_CRYPTO_CIPHER_AES_CBC, @@ -130,19 +137,38 @@ const struct supported_aead_algo aead_algos[] = { .key_len = 20, .digest_len = 16, .aad_len = 8, + }, + { + .keyword = "aes-192-gcm", + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .iv_len = 8, + .block_size = 4, + .key_len = 28, + .digest_len = 16, + .aad_len = 8, + }, + { + .keyword = "aes-256-gcm", + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .iv_len = 8, + .block_size = 4, + .key_len = 36, + .digest_len = 16, + .aad_len = 8, } }; #define SA_INIT_NB 128 -static struct ipsec_sa *sa_out; +static uint32_t nb_crypto_sessions; +struct ipsec_sa *sa_out; +uint32_t nb_sa_out; static uint32_t sa_out_sz; -static uint32_t nb_sa_out; static struct ipsec_sa_cnt sa_out_cnt; -static struct ipsec_sa *sa_in; +struct ipsec_sa *sa_in; +uint32_t nb_sa_in; static uint32_t sa_in_sz; -static uint32_t nb_sa_in; static struct ipsec_sa_cnt sa_in_cnt; static const struct supported_cipher_algo * @@ -271,6 +297,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t type_p = 0; uint32_t portid_p = 0; uint32_t fallback_p = 0; + int16_t status_p = 0; if (strcmp(tokens[0], "in") == 0) { ri = &nb_sa_in; @@ -295,6 +322,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (atoi(tokens[1]) == INVALID_SPI) return; rule->spi = atoi(tokens[1]); + rule->portid = UINT16_MAX; ips = ipsec_get_primary_session(rule); for (ti = 2; ti < n_tokens; ti++) { @@ -617,6 +645,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; else if (strcmp(tokens[ti], "no-offload") == 0) ips->type = RTE_SECURITY_ACTION_TYPE_NONE; + else if (strcmp(tokens[ti], "cpu-crypto") == 0) + ips->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO; else { APP_CHECK(0, status, "Invalid input \"%s\"", tokens[ti]); @@ -634,9 +664,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, INCREMENT_TOKEN_INDEX(ti, n_tokens, status); if (status->status < 0) return; - rule->portid = atoi(tokens[ti]); - if (status->status < 0) + if (rule->portid == UINT16_MAX) + rule->portid = atoi(tokens[ti]); + else if (rule->portid != atoi(tokens[ti])) { + APP_CHECK(0, status, + "portid %s not matching with already assigned portid %u", + tokens[ti], rule->portid); return; + } portid_p = 1; continue; } @@ -667,18 +702,61 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; fb = ipsec_get_fallback_session(rule); - if (strcmp(tokens[ti], "lookaside-none") == 0) { + if (strcmp(tokens[ti], "lookaside-none") == 0) fb->type = RTE_SECURITY_ACTION_TYPE_NONE; - } else { + else if (strcmp(tokens[ti], "cpu-crypto") == 0) + fb->type = RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO; + else { APP_CHECK(0, status, "unrecognized fallback " "type %s.", tokens[ti]); return; } rule->fallback_sessions = 1; + nb_crypto_sessions++; fallback_p = 1; continue; } + if (strcmp(tokens[ti], "flow-direction") == 0) { + switch (ips->type) { + case RTE_SECURITY_ACTION_TYPE_NONE: + case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: + rule->fdir_flag = 1; + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + if (rule->portid == UINT16_MAX) + rule->portid = atoi(tokens[ti]); + else if (rule->portid != atoi(tokens[ti])) { + APP_CHECK(0, status, + "portid %s not matching with already assigned portid %u", + tokens[ti], rule->portid); + return; + } + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + rule->fdir_qid = atoi(tokens[ti]); + /* validating portid and queueid */ + status_p = check_flow_params(rule->portid, + rule->fdir_qid); + if (status_p < 0) { + printf("port id %u / queue id %u is " + "not valid\n", rule->portid, + rule->fdir_qid); + } + break; + case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: + case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: + case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: + default: + APP_CHECK(0, status, + "flow director not supported for security session type %d", + ips->type); + return; + } + continue; + } /* unrecognizeable input */ APP_CHECK(0, status, "unrecognized input \"%s\"", @@ -710,14 +788,16 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) + if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE && ips->type != + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && (portid_p == 0)) printf("Missing portid option, falling back to non-offload\n"); - if (!type_p || !portid_p) { + if (!type_p || (!portid_p && ips->type != + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { ips->type = RTE_SECURITY_ACTION_TYPE_NONE; - rule->portid = -1; } + nb_crypto_sessions++; *ri = *ri + 1; } @@ -747,7 +827,8 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } for (i = 0; i < RTE_DIM(aead_algos); i++) { - if (aead_algos[i].algo == sa->aead_algo) { + if (aead_algos[i].algo == sa->aead_algo && + aead_algos[i].key_len-4 == sa->cipher_key_len) { printf("%s ", aead_algos[i].keyword); break; } @@ -799,32 +880,33 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: printf("lookaside-protocol-offload "); break; + case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: + printf("cpu-crypto-accelerated "); + break; } fallback_ips = &sa->sessions[IPSEC_SESSION_FALLBACK]; if (fallback_ips != NULL && sa->fallback_sessions > 0) { printf("inline fallback: "); - if (fallback_ips->type == RTE_SECURITY_ACTION_TYPE_NONE) + switch (fallback_ips->type) { + case RTE_SECURITY_ACTION_TYPE_NONE: printf("lookaside-none"); - else + break; + case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: + printf("cpu-crypto-accelerated"); + break; + default: printf("invalid"); + break; + } } + if (sa->fdir_flag == 1) + printf("flow-direction port %d queue %d", sa->portid, + sa->fdir_qid); + printf("\n"); } -struct ipsec_xf { - struct rte_crypto_sym_xform a; - struct rte_crypto_sym_xform b; -}; - -struct sa_ctx { - void *satbl; /* pointer to array of rte_ipsec_sa objects*/ - struct ipsec_sad sad; - struct ipsec_xf *xf; - uint32_t nb_sa; - struct ipsec_sa sa[]; -}; - static struct sa_ctx * sa_create(const char *name, int32_t socket_id, uint32_t nb_sa) { @@ -848,7 +930,7 @@ sa_create(const char *name, int32_t socket_id, uint32_t nb_sa) return NULL; } - sa_ctx = rte_malloc(NULL, sizeof(struct sa_ctx) + + sa_ctx = rte_zmalloc(NULL, sizeof(struct sa_ctx) + sizeof(struct ipsec_sa) * nb_sa, RTE_CACHE_LINE_SIZE); if (sa_ctx == NULL) { @@ -1026,7 +1108,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], return -EINVAL; } - switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) { case IP4_TUNNEL: sa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4); @@ -1044,7 +1125,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) { - struct rte_ipsec_session *ips; iv_length = 12; sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD; @@ -1064,20 +1144,6 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->digest_len; sa->xforms = &sa_ctx->xf[idx].a; - - ips = ipsec_get_primary_session(sa); - if (ips->type == - RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || - ips->type == - RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { - rc = create_inline_session(skt_ctx, sa, ips); - if (rc != 0) { - RTE_LOG(ERR, IPSEC_ESP, - "create_inline_session() failed\n"); - return -EINVAL; - } - } - print_one_sa_rule(sa, inbound); } else { switch (sa->cipher_algo) { case RTE_CRYPTO_CIPHER_NULL: @@ -1142,9 +1208,27 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b; sa_ctx->xf[idx].b.next = NULL; sa->xforms = &sa_ctx->xf[idx].a; + } + + if (ips->type == + RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || + ips->type == + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + rc = create_inline_session(skt_ctx, sa, ips); + if (rc != 0) { + RTE_LOG(ERR, IPSEC_ESP, + "create_inline_session() failed\n"); + return -EINVAL; + } + } - print_one_sa_rule(sa, inbound); + if (sa->fdir_flag && inbound) { + rc = create_ipsec_esp_flow(sa); + if (rc != 0) + RTE_LOG(ERR, IPSEC_ESP, + "create_ipsec_esp_flow() failed\n"); } + print_one_sa_rule(sa, inbound); } return 0; @@ -1460,9 +1544,6 @@ inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], void *sa_arr[], uint16_t nb_pkts) { uint32_t i; - struct ip *ip; - uint32_t *src4_addr; - uint8_t *src6_addr; void *result_sa; struct ipsec_sa *sa; @@ -1488,32 +1569,7 @@ inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], intsa |= IPSEC_SA_OFFLOAD_FALLBACK_FLAG; result_sa = (void *)intsa; } - - ip = rte_pktmbuf_mtod(pkts[i], struct ip *); - switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) { - case IP4_TUNNEL: - src4_addr = RTE_PTR_ADD(ip, - offsetof(struct ip, ip_src)); - if ((ip->ip_v == IPVERSION) && - (sa->src.ip.ip4 == *src4_addr) && - (sa->dst.ip.ip4 == *(src4_addr + 1))) - sa_arr[i] = result_sa; - else - sa_arr[i] = NULL; - break; - case IP6_TUNNEL: - src6_addr = RTE_PTR_ADD(ip, - offsetof(struct ip6_hdr, ip6_src)); - if ((ip->ip_v == IP6_VERSION) && - !memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) && - !memcmp(&sa->dst.ip.ip6.ip6, src6_addr + 16, 16)) - sa_arr[i] = result_sa; - else - sa_arr[i] = NULL; - break; - case TRANSPORT: - sa_arr[i] = result_sa; - } + sa_arr[i] = result_sa; } } @@ -1571,3 +1627,9 @@ sa_sort_arr(void) qsort(sa_in, nb_sa_in, sizeof(struct ipsec_sa), sa_cmp); qsort(sa_out, nb_sa_out, sizeof(struct ipsec_sa), sa_cmp); } + +uint32_t +get_nb_crypto_sessions(void) +{ + return nb_crypto_sessions; +}