From 4a67af84f11335e956fae9bcbece2ed12f02019e Mon Sep 17 00:00:00 2001 From: Marcin Smoczynski Date: Mon, 14 Oct 2019 15:48:39 +0200 Subject: [PATCH] examples/ipsec-secgw: clean SA structure Cleanup ipsec_sa structure by removing every field that is already in the rte_ipsec_session structure: * cryptodev/security session union * action type * offload flags * security context References to abovementioned fields are changed to direct references to matching fields of rte_ipsec_session structure. Such refactoring is needed to introduce many sessions per SA feature, e.g. fallback session for inline offload processing. Signed-off-by: Marcin Smoczynski Acked-by: Konstantin Ananyev Acked-by: Radu Nicolau Acked-by: Akhil Goyal Tested-by: Bernard Iremonger --- examples/ipsec-secgw/esp.c | 35 +++++++---- examples/ipsec-secgw/ipsec.c | 93 +++++++++++++++------------- examples/ipsec-secgw/ipsec.h | 27 +++++--- examples/ipsec-secgw/ipsec_process.c | 30 ++++----- examples/ipsec-secgw/sa.c | 66 ++++++++++---------- 5 files changed, 138 insertions(+), 113 deletions(-) diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index d6d7b12562..c1b49da1e7 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -30,7 +30,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, int32_t payload_len, ip_hdr_len; RTE_ASSERT(sa != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) + if (ipsec_get_action_type(sa) == + RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) return 0; RTE_ASSERT(m != NULL); @@ -148,13 +149,16 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, uint8_t *nexthdr, *pad_len; uint8_t *padding; uint16_t i; + struct rte_ipsec_session *ips; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); RTE_ASSERT(cop != NULL); - if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || - (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { + ips = ipsec_get_session(sa); + + if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD) { if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) cop->status = RTE_CRYPTO_OP_STATUS_ERROR; @@ -169,8 +173,8 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, return -1; } - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && - sa->ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && + ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) { nexthdr = &m->inner_esp_next_proto; } else { nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*, @@ -225,10 +229,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_sym_op *sym_cop; int32_t i; uint16_t pad_payload_len, pad_len, ip_hdr_len; + struct rte_ipsec_session *ips; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); + ips = ipsec_get_session(sa); ip_hdr_len = 0; ip4 = rte_pktmbuf_mtod(m, struct ip *); @@ -277,9 +283,10 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } /* Add trailer padding if it is not constructed by HW */ - if (sa->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && - !(sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) { + if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO && + !(ips->security.ol_flags & + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) { padding = (uint8_t *)rte_pktmbuf_append(m, pad_len + sa->digest_len); if (unlikely(padding == NULL)) { @@ -344,8 +351,9 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } } - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { - if (sa->ol_flags & RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if (ips->security.ol_flags & + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) { /* Set the inner esp next protocol for HW trailer */ m->inner_esp_next_proto = nlp; m->packet_type |= RTE_PTYPE_TUNNEL_ESP; @@ -448,11 +456,14 @@ esp_outbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, struct rte_crypto_op *cop) { + enum rte_security_session_action_type type; RTE_ASSERT(m != NULL); RTE_ASSERT(sa != NULL); - if ((sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || - (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { + type = ipsec_get_action_type(sa); + + if ((type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) || + (type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) { m->ol_flags |= PKT_TX_SEC_OFFLOAD; } else { RTE_ASSERT(cop != NULL); diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a5..5b63a13fda 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -52,7 +52,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) } int -create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) +create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips) { struct rte_cryptodev_info cdev_info; unsigned long cdev_id_qp = 0; @@ -83,9 +84,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) ipsec_ctx->tbl[cdev_id_qp].id, ipsec_ctx->tbl[cdev_id_qp].qp); - if (sa->type != RTE_SECURITY_ACTION_TYPE_NONE) { + if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE) { struct rte_security_session_conf sess_conf = { - .action_type = sa->type, + .action_type = ips->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, {.ipsec = { .spi = sa->spi, @@ -102,7 +103,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) }; - if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { struct rte_security_ctx *ctx = (struct rte_security_ctx *) rte_cryptodev_get_sec_ctx( ipsec_ctx->tbl[cdev_id_qp].id); @@ -110,9 +111,9 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); - sa->sec_session = rte_security_session_create(ctx, + ips->security.ses = rte_security_session_create(ctx, &sess_conf, ipsec_ctx->session_priv_pool); - if (sa->sec_session == NULL) { + if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); return -1; @@ -122,10 +123,10 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) return -1; } } else { - sa->crypto_session = rte_cryptodev_sym_session_create( + ips->crypto.ses = rte_cryptodev_sym_session_create( ipsec_ctx->session_pool); rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id, - sa->crypto_session, sa->xforms, + ips->crypto.ses, sa->xforms, ipsec_ctx->session_priv_pool); rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id, @@ -138,12 +139,13 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) } int -create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) +create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips) { int32_t ret = 0; struct rte_security_ctx *sec_ctx; struct rte_security_session_conf sess_conf = { - .action_type = sa->type, + .action_type = ips->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, {.ipsec = { .spi = sa->spi, @@ -163,7 +165,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n", sa->spi, sa->portid); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { struct rte_flow_error err; const struct rte_security_capability *sec_cap; int ret = 0; @@ -177,9 +179,9 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) return -1; } - sa->sec_session = rte_security_session_create(sec_ctx, + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); - if (sa->sec_session == NULL) { + if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); return -1; @@ -189,7 +191,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) /* iterate until ESP tunnel*/ while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) { - if (sec_cap->action == sa->type && + if (sec_cap->action == ips->type && sec_cap->protocol == RTE_SECURITY_PROTOCOL_IPSEC && sec_cap->ipsec.mode == @@ -205,8 +207,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) return -1; } - sa->ol_flags = sec_cap->ol_flags; - sa->security_ctx = sec_ctx; + ips->security.ol_flags = sec_cap->ol_flags; + ips->security.ctx = sec_ctx; sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; if (IS_IP6(sa->flags)) { @@ -235,7 +237,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END; sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY; - sa->action[0].conf = sa->sec_session; + sa->action[0].conf = ips->security.ses; sa->action[1].type = RTE_FLOW_ACTION_TYPE_END; @@ -308,8 +310,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa) if (ret) goto flow_create_failure; } else if (sa->attr.egress && - (sa->ol_flags & - RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) { + (ips->security.ol_flags & + RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) { sa->action[1].type = RTE_FLOW_ACTION_TYPE_PASSTHRU; sa->action[2].type = @@ -325,7 +327,7 @@ flow_create_failure: err.message); return -1; } - } else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { const struct rte_security_capability *sec_cap; sec_ctx = (struct rte_security_ctx *) @@ -353,9 +355,9 @@ flow_create_failure: sess_conf.userdata = (void *) sa; - sa->sec_session = rte_security_session_create(sec_ctx, + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); - if (sa->sec_session == NULL) { + if (ips->security.ses == NULL) { RTE_LOG(ERR, IPSEC, "SEC Session init failed: err: %d\n", ret); return -1; @@ -371,7 +373,7 @@ flow_create_failure: /* iterate until ESP tunnel*/ while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) { - if (sec_cap->action == sa->type && + if (sec_cap->action == ips->type && sec_cap->protocol == RTE_SECURITY_PROTOCOL_IPSEC && sec_cap->ipsec.mode == @@ -387,8 +389,8 @@ flow_create_failure: return -1; } - sa->ol_flags = sec_cap->ol_flags; - sa->security_ctx = sec_ctx; + ips->security.ol_flags = sec_cap->ol_flags; + ips->security.ctx = sec_ctx; } sa->cdev_id_qp = 0; @@ -435,6 +437,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, struct ipsec_mbuf_metadata *priv; struct rte_crypto_sym_op *sym_cop; struct ipsec_sa *sa; + struct rte_ipsec_session *ips; for (i = 0; i < nb_pkts; i++) { if (unlikely(sas[i] == NULL)) { @@ -448,16 +451,17 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, priv = get_priv(pkts[i]); sa = sas[i]; priv->sa = sa; + ips = ipsec_get_session(sa); - switch (sa->type) { + switch (ips->type) { case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; rte_prefetch0(&priv->sym_cop); - if ((unlikely(sa->sec_session == NULL)) && - create_lookaside_session(ipsec_ctx, sa)) { + if ((unlikely(ips->security.ses == NULL)) && + create_lookaside_session(ipsec_ctx, sa, ips)) { rte_pktmbuf_free(pkts[i]); continue; } @@ -466,7 +470,7 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, sym_cop->m_src = pkts[i]; rte_security_attach_session(&priv->cop, - sa->sec_session); + ips->security.ses); break; case RTE_SECURITY_ACTION_TYPE_NONE: @@ -475,14 +479,14 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, rte_prefetch0(&priv->sym_cop); - if ((unlikely(sa->crypto_session == NULL)) && - create_lookaside_session(ipsec_ctx, sa)) { + if ((unlikely(ips->crypto.ses == NULL)) && + create_lookaside_session(ipsec_ctx, sa, ips)) { rte_pktmbuf_free(pkts[i]); continue; } rte_crypto_op_attach_sym_session(&priv->cop, - sa->crypto_session); + ips->crypto.ses); ret = xform_func(pkts[i], sa, &priv->cop); if (unlikely(ret)) { @@ -491,21 +495,22 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } break; case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: - RTE_ASSERT(sa->sec_session != NULL); + RTE_ASSERT(ips->security.ses != NULL); ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i]; - if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + if (ips->security.ol_flags & + RTE_SECURITY_TX_OLOAD_NEED_MDATA) rte_security_set_pkt_metadata( - sa->security_ctx, - sa->sec_session, pkts[i], NULL); + ips->security.ctx, ips->security.ses, + pkts[i], NULL); continue; case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: - RTE_ASSERT(sa->sec_session != NULL); + RTE_ASSERT(ips->security.ses != NULL); priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC; priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; rte_prefetch0(&priv->sym_cop); rte_security_attach_session(&priv->cop, - sa->sec_session); + ips->security.ses); ret = xform_func(pkts[i], sa, &priv->cop); if (unlikely(ret)) { @@ -514,10 +519,11 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, } ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i]; - if (sa->ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + if (ips->security.ol_flags & + RTE_SECURITY_TX_OLOAD_NEED_MDATA) rte_security_set_pkt_metadata( - sa->security_ctx, - sa->sec_session, pkts[i], NULL); + ips->security.ctx, ips->security.ses, + pkts[i], NULL); continue; } @@ -586,13 +592,14 @@ ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, RTE_ASSERT(sa != NULL); - if (sa->type == RTE_SECURITY_ACTION_TYPE_NONE) { + if (ipsec_get_action_type(sa) == + RTE_SECURITY_ACTION_TYPE_NONE) { ret = xform_func(pkt, sa, cops[j]); if (unlikely(ret)) { rte_pktmbuf_free(pkt); continue; } - } else if (sa->type == + } else if (ipsec_get_action_type(sa) == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { if (cops[j]->status) { rte_pktmbuf_free(pkt); diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 1efa6e4888..a4ad81b0e9 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -87,10 +87,6 @@ struct ipsec_sa { uint32_t cdev_id_qp; uint64_t seq; uint32_t salt; - union { - struct rte_cryptodev_sym_session *crypto_session; - struct rte_security_session *sec_session; - }; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; enum rte_crypto_aead_algorithm aead_algo; @@ -114,11 +110,8 @@ struct ipsec_sa { struct rte_crypto_sym_xform *xforms; struct rte_security_ipsec_xform *sec_xform; }; - enum rte_security_session_action_type type; enum rte_security_ipsec_sa_direction direction; uint16_t portid; - struct rte_security_ctx *security_ctx; - uint32_t ol_flags; #define MAX_RTE_FLOW_PATTERN (4) #define MAX_RTE_FLOW_ACTIONS (3) @@ -284,6 +277,20 @@ get_sym_cop(struct rte_crypto_op *cop) return (cop + 1); } +static inline struct rte_ipsec_session * +ipsec_get_session(struct ipsec_sa *sa) +{ + return &sa->ips; +} + +static inline enum rte_security_session_action_type +ipsec_get_action_type(struct ipsec_sa *sa) +{ + struct rte_ipsec_session *ips; + ips = ipsec_get_session(sa); + return ips->type; +} + int inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); @@ -338,9 +345,11 @@ void enqueue_cop_burst(struct cdev_qp *cqp); int -create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa); +create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips); int -create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa); +create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, + struct rte_ipsec_session *ips); #endif /* __IPSEC_H__ */ diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c index 868f1a28d5..239d81ef66 100644 --- a/examples/ipsec-secgw/ipsec_process.c +++ b/examples/ipsec-secgw/ipsec_process.c @@ -94,22 +94,16 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx, /* setup crypto section */ if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) { - if (sa->crypto_session == NULL) { - rc = create_lookaside_session(ctx, sa); - if (rc != 0) - return rc; - } - ss->crypto.ses = sa->crypto_session; + RTE_ASSERT(ss->crypto.ses == NULL); + rc = create_lookaside_session(ctx, sa, ss); + if (rc != 0) + return rc; /* setup session action type */ - } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { - if (sa->sec_session == NULL) { - rc = create_lookaside_session(ctx, sa); - if (rc != 0) - return rc; - } - ss->security.ses = sa->sec_session; - ss->security.ctx = sa->security_ctx; - ss->security.ol_flags = sa->ol_flags; + } else if (ss->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { + RTE_ASSERT(ss->security.ses == NULL); + rc = create_lookaside_session(ctx, sa, ss); + if (rc != 0) + return rc; } else RTE_ASSERT(0); @@ -218,7 +212,7 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) pg = grp + i; sa = pg->id.ptr; - ips = &sa->ips; + ips = ipsec_get_session(sa); /* no valid HW session for that SA, try to create one */ if (sa == NULL || (ips->crypto.ses == NULL && @@ -226,8 +220,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) k = 0; /* process packets inline */ - else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - sa->type == + else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { satp = rte_ipsec_sa_type(ips->sa); diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee947310..52752e15f3 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -224,6 +224,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, struct parse_status *status) { struct ipsec_sa *rule = NULL; + struct rte_ipsec_session *ips; uint32_t ti; /*token index*/ uint32_t *ri /*rule index*/; uint32_t cipher_algo_p = 0; @@ -262,6 +263,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (atoi(tokens[1]) == INVALID_SPI) return; rule->spi = atoi(tokens[1]); + ips = ipsec_get_session(rule); for (ti = 2; ti < n_tokens; ti++) { if (strcmp(tokens[ti], "mode") == 0) { @@ -558,18 +560,18 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; if (strcmp(tokens[ti], "inline-crypto-offload") == 0) - rule->type = + ips->type = RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO; else if (strcmp(tokens[ti], "inline-protocol-offload") == 0) - rule->type = + ips->type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL; else if (strcmp(tokens[ti], "lookaside-protocol-offload") == 0) - rule->type = + ips->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; else if (strcmp(tokens[ti], "no-offload") == 0) - rule->type = RTE_SECURITY_ACTION_TYPE_NONE; + ips->type = RTE_SECURITY_ACTION_TYPE_NONE; else { APP_CHECK(0, status, "Invalid input \"%s\"", tokens[ti]); @@ -624,11 +626,11 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) + if ((ips->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) printf("Missing portid option, falling back to non-offload\n"); if (!type_p || !portid_p) { - rule->type = RTE_SECURITY_ACTION_TYPE_NONE; + ips->type = RTE_SECURITY_ACTION_TYPE_NONE; rule->portid = -1; } @@ -640,6 +642,7 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) { uint32_t i; uint8_t a, b, c, d; + const struct rte_ipsec_session *ips; printf("\tspi_%s(%3u):", inbound?"in":"out", sa->spi); @@ -695,8 +698,10 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) printf("Transport "); break; } + + ips = &sa->ips; printf(" type:"); - switch (sa->type) { + switch (ips->type) { case RTE_SECURITY_ACTION_TYPE_NONE: printf("no-offload "); break; @@ -884,6 +889,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], uint16_t iv_length, aad_length; int inline_status; int32_t rc; + struct rte_ipsec_session *ips; /* for ESN upper 32 bits of SQN also need to be part of AAD */ aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0; @@ -898,9 +904,10 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } *sa = entries[i]; sa->seq = 0; + ips = ipsec_get_session(sa); - if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || - sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || + ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { if (check_eth_dev_caps(sa->portid, inbound)) return -EINVAL; } @@ -915,7 +922,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4); break; case TRANSPORT: - if (sa->type == + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { inline_status = sa_add_address_inline_crypto(sa); @@ -926,6 +933,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) { + struct rte_ipsec_session *ips; iv_length = 16; sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD; @@ -946,11 +954,12 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa->xforms = &sa_ctx->xf[idx].a; - if (sa->type == + ips = ipsec_get_session(sa); + if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || - sa->type == + ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { - rc = create_inline_session(skt_ctx, sa); + rc = create_inline_session(skt_ctx, sa, ips); if (rc != 0) { RTE_LOG(ERR, IPSEC_ESP, "create_inline_session() failed\n"); @@ -1108,23 +1117,11 @@ fill_ipsec_sa_prm(struct rte_ipsec_sa_prm *prm, const struct ipsec_sa *ss, } static int -fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa, - const struct ipsec_sa *lsa) +fill_ipsec_session(struct rte_ipsec_session *ss, struct rte_ipsec_sa *sa) { int32_t rc = 0; ss->sa = sa; - ss->type = lsa->type; - - /* setup crypto section */ - if (ss->type == RTE_SECURITY_ACTION_TYPE_NONE) { - ss->crypto.ses = lsa->crypto_session; - /* setup session action type */ - } else { - ss->security.ses = lsa->sec_session; - ss->security.ctx = lsa->security_ctx; - ss->security.ol_flags = lsa->ol_flags; - } if (ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { @@ -1146,6 +1143,7 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) { int rc; struct rte_ipsec_sa_prm prm; + struct rte_ipsec_session *ips; struct rte_ipv4_hdr v4 = { .version_ihl = IPVERSION << 4 | sizeof(v4) / RTE_IPV4_IHL_MULTIPLIER, @@ -1170,7 +1168,10 @@ ipsec_sa_init(struct ipsec_sa *lsa, struct rte_ipsec_sa *sa, uint32_t sa_size) if (rc < 0) return rc; - rc = fill_ipsec_session(&lsa->ips, sa, lsa); + /* init processing session */ + ips = ipsec_get_session(lsa); + rc = fill_ipsec_session(ips, sa); + return rc; } @@ -1394,6 +1395,7 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, { struct ipsec_sa *rule; uint32_t idx_sa; + enum rte_security_session_action_type rule_type; *rx_offloads = 0; *tx_offloads = 0; @@ -1401,8 +1403,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, /* Check for inbound rules that use offloads and use this port */ for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) { rule = &sa_in[idx_sa]; - if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - rule->type == + rule_type = ipsec_get_action_type(rule); + if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) && rule->portid == port_id) *rx_offloads |= DEV_RX_OFFLOAD_SECURITY; @@ -1411,8 +1414,9 @@ sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, /* Check for outbound rules that use offloads and use this port */ for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) { rule = &sa_out[idx_sa]; - if ((rule->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - rule->type == + rule_type = ipsec_get_action_type(rule); + if ((rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || + rule_type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) && rule->portid == port_id) *tx_offloads |= DEV_TX_OFFLOAD_SECURITY; -- 2.20.1