#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include "ipsec.h"
#include "esp.h"
#include "parser.h"
#include "sad.h"
#define IPDEFTTL 64
#define IP4_FULL_MASK (sizeof(((struct ip_addr *)NULL)->ip.ip4) * CHAR_BIT)
#define IP6_FULL_MASK (sizeof(((struct ip_addr *)NULL)->ip.ip6.ip6) * CHAR_BIT)
#define MBUF_NO_SEC_OFFLOAD(m) ((m->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD) == 0)
struct supported_cipher_algo {
const char *keyword;
uint16_t iv_len;
uint16_t block_size;
uint16_t key_len;
};
struct supported_auth_algo {
const char *keyword;
uint16_t iv_len;
uint16_t digest_len;
uint16_t key_len;
uint8_t key_not_req;
};
struct supported_aead_algo {
const char *keyword;
uint16_t iv_len;
uint16_t block_size;
uint16_t digest_len;
uint16_t key_len;
uint8_t aad_len;
};
const struct supported_cipher_algo cipher_algos[] = {
{
.keyword = "null",
.iv_len = 0,
.block_size = 4,
.key_len = 0
},
{
.keyword = "aes-128-cbc",
.iv_len = 16,
.block_size = 16,
.key_len = 16
},
{
.keyword = "aes-192-cbc",
.iv_len = 16,
.block_size = 16,
.key_len = 24
},
{
.keyword = "aes-256-cbc",
.iv_len = 16,
.block_size = 16,
.key_len = 32
},
{
.keyword = "aes-128-ctr",
.iv_len = 8,
.block_size = 4,
.key_len = 20
},
{
.keyword = "aes-192-ctr",
.iv_len = 16,
.block_size = 16,
.key_len = 28
},
{
.keyword = "aes-256-ctr",
.iv_len = 16,
.block_size = 16,
.key_len = 36
},
{
.keyword = "3des-cbc",
.iv_len = 8,
.block_size = 8,
.key_len = 24
}
};
const struct supported_auth_algo auth_algos[] = {
{
.keyword = "null",
.digest_len = 0,
.key_len = 0,
.key_not_req = 1
},
{
.keyword = "sha1-hmac",
.digest_len = 12,
.key_len = 20
},
{
.keyword = "sha256-hmac",
.digest_len = 16,
.key_len = 32
},
{
.keyword = "sha384-hmac",
.digest_len = 24,
.key_len = 48
},
{
.keyword = "sha512-hmac",
.digest_len = 32,
.key_len = 64
},
{
.keyword = "aes-gmac",
.iv_len = 8,
.digest_len = 16,
.key_len = 20
},
{
.keyword = "aes-xcbc-mac-96",
.digest_len = 12,
.key_len = 16
}
};
const struct supported_aead_algo aead_algos[] = {
{
.keyword = "aes-128-gcm",
.iv_len = 8,
.block_size = 4,
.key_len = 20,
.digest_len = 16,
.aad_len = 8,
},
{
.keyword = "aes-192-gcm",
.iv_len = 8,
.block_size = 4,
.key_len = 28,
.digest_len = 16,
.aad_len = 8,
},
{
.keyword = "aes-256-gcm",
.iv_len = 8,
.block_size = 4,
.key_len = 36,
.digest_len = 16,
.aad_len = 8,
},
{
.keyword = "aes-128-ccm",
.iv_len = 8,
.block_size = 4,
.key_len = 20,
.digest_len = 16,
.aad_len = 8,
},
{
.keyword = "aes-192-ccm",
.iv_len = 8,
.block_size = 4,
.key_len = 28,
.digest_len = 16,
.aad_len = 8,
},
{
.keyword = "aes-256-ccm",
.iv_len = 8,
.block_size = 4,
.key_len = 36,
.digest_len = 16,
.aad_len = 8,
},
{
.keyword = "chacha20-poly1305",
.iv_len = 12,
.block_size = 64,
.key_len = 36,
.digest_len = 16,
.aad_len = 8,
}
};
#define SA_INIT_NB 128
static uint32_t nb_crypto_sessions;
struct ipsec_sa *sa_out;
uint32_t nb_sa_out;
static uint32_t sa_out_sz;
static struct ipsec_sa_cnt sa_out_cnt;
struct ipsec_sa *sa_in;
uint32_t nb_sa_in;
static uint32_t sa_in_sz;
static struct ipsec_sa_cnt sa_in_cnt;
static const struct supported_cipher_algo *
find_match_cipher_algo(const char *cipher_keyword)
{
size_t i;
for (i = 0; i <
RTE_DIM(cipher_algos); i++) {
const struct supported_cipher_algo *algo =
&cipher_algos[i];
if (strcmp(cipher_keyword, algo->keyword) == 0)
return algo;
}
return NULL;
}
static const struct supported_auth_algo *
find_match_auth_algo(const char *auth_keyword)
{
size_t i;
for (i = 0; i <
RTE_DIM(auth_algos); i++) {
const struct supported_auth_algo *algo =
&auth_algos[i];
if (strcmp(auth_keyword, algo->keyword) == 0)
return algo;
}
return NULL;
}
static const struct supported_aead_algo *
find_match_aead_algo(const char *aead_keyword)
{
size_t i;
for (i = 0; i <
RTE_DIM(aead_algos); i++) {
const struct supported_aead_algo *algo =
&aead_algos[i];
if (strcmp(aead_keyword, algo->keyword) == 0)
return algo;
}
return NULL;
}
static uint32_t
parse_key_string(const char *key_str, uint8_t *key)
{
const char *pt_start = key_str, *pt_end = key_str;
uint32_t nb_bytes = 0;
while (pt_end != NULL) {
char sub_str[3] = {0};
pt_end = strchr(pt_start, ':');
if (pt_end == NULL) {
if (strlen(pt_start) > 2)
return 0;
strncpy(sub_str, pt_start, 2);
} else {
if (pt_end - pt_start > 2)
return 0;
strncpy(sub_str, pt_start, pt_end - pt_start);
pt_start = pt_end + 1;
}
key[nb_bytes++] = strtol(sub_str, NULL, 16);
}
return nb_bytes;
}
static int
extend_sa_arr(struct ipsec_sa **sa_tbl, uint32_t cur_cnt, uint32_t *cur_sz)
{
if (*sa_tbl == NULL) {
*sa_tbl = calloc(SA_INIT_NB, sizeof(struct ipsec_sa));
if (*sa_tbl == NULL)
return -1;
*cur_sz = SA_INIT_NB;
return 0;
}
if (cur_cnt >= *cur_sz) {
*sa_tbl = realloc(*sa_tbl,
*cur_sz * sizeof(struct ipsec_sa) * 2);
if (*sa_tbl == NULL)
return -1;
memset(&(*sa_tbl)[*cur_sz], 0,
*cur_sz * sizeof(struct ipsec_sa));
*cur_sz *= 2;
}
return 0;
}
void
parse_sa_tokens(char **tokens, uint32_t n_tokens,
struct parse_status *status)
{
struct ipsec_sa *rule = NULL;
uint32_t ti;
uint32_t *ri ;
struct ipsec_sa_cnt *sa_cnt;
uint32_t cipher_algo_p = 0;
uint32_t auth_algo_p = 0;
uint32_t aead_algo_p = 0;
uint32_t src_p = 0;
uint32_t dst_p = 0;
uint32_t mode_p = 0;
uint32_t type_p = 0;
uint32_t portid_p = 0;
uint32_t fallback_p = 0;
int16_t status_p = 0;
uint16_t udp_encap_p = 0;
if (strcmp(tokens[0], "in") == 0) {
ri = &nb_sa_in;
sa_cnt = &sa_in_cnt;
if (extend_sa_arr(&sa_in, nb_sa_in, &sa_in_sz) < 0)
return;
rule = &sa_in[*ri];
} else {
ri = &nb_sa_out;
sa_cnt = &sa_out_cnt;
if (extend_sa_arr(&sa_out, nb_sa_out, &sa_out_sz) < 0)
return;
rule = &sa_out[*ri];
}
APP_CHECK_TOKEN_IS_NUM(tokens, 1, status);
if (status->status < 0)
return;
if (atoi(tokens[1]) == INVALID_SPI)
return;
rule->flags = 0;
rule->spi = atoi(tokens[1]);
rule->portid = UINT16_MAX;
ips = ipsec_get_primary_session(rule);
for (ti = 2; ti < n_tokens; ti++) {
if (strcmp(tokens[ti], "mode") == 0) {
APP_CHECK_PRESENCE(mode_p, tokens[ti], status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
if (strcmp(tokens[ti], "ipv4-tunnel") == 0) {
sa_cnt->nb_v4++;
rule->flags |= IP4_TUNNEL;
} else if (strcmp(tokens[ti], "ipv6-tunnel") == 0) {
sa_cnt->nb_v6++;
rule->flags |= IP6_TUNNEL;
} else if (strcmp(tokens[ti], "transport") == 0) {
sa_cnt->nb_v4++;
sa_cnt->nb_v6++;
rule->flags |= TRANSPORT;
} else {
APP_CHECK(0, status, "unrecognized "
"input \"%s\"", tokens[ti]);
return;
}
mode_p = 1;
continue;
}
if (strcmp(tokens[ti], "telemetry") == 0) {
rule->flags |= SA_TELEMETRY_ENABLE;
continue;
}
if (strcmp(tokens[ti], "cipher_algo") == 0) {
const struct supported_cipher_algo *algo;
uint32_t key_len;
APP_CHECK_PRESENCE(cipher_algo_p, tokens[ti],
status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
algo = find_match_cipher_algo(tokens[ti]);
APP_CHECK(algo != NULL, status, "unrecognized "
"input \"%s\"", tokens[ti]);
if (status->status < 0)
return;
rule->cipher_algo = algo->algo;
rule->block_size = algo->block_size;
rule->iv_len = algo->iv_len;
rule->cipher_key_len = algo->key_len;
cipher_algo_p = 1;
continue;
}
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
APP_CHECK(strcmp(tokens[ti], "cipher_key") == 0,
status, "unrecognized input \"%s\", "
"expect \"cipher_key\"", tokens[ti]);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
key_len = parse_key_string(tokens[ti],
rule->cipher_key);
APP_CHECK(key_len == rule->cipher_key_len, status,
"unrecognized input \"%s\"", tokens[ti]);
if (status->status < 0)
return;
key_len -= 4;
rule->cipher_key_len = key_len;
memcpy(&rule->salt,
&rule->cipher_key[key_len], 4);
}
cipher_algo_p = 1;
continue;
}
if (strcmp(tokens[ti], "auth_algo") == 0) {
const struct supported_auth_algo *algo;
uint32_t key_len;
APP_CHECK_PRESENCE(auth_algo_p, tokens[ti],
status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
algo = find_match_auth_algo(tokens[ti]);
APP_CHECK(algo != NULL, status, "unrecognized "
"input \"%s\"", tokens[ti]);
if (status->status < 0)
return;
rule->auth_algo = algo->algo;
rule->auth_key_len = algo->key_len;
rule->digest_len = algo->digest_len;
if (algo->key_not_req) {
auth_algo_p = 1;
continue;
}
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
APP_CHECK(strcmp(tokens[ti], "auth_key") == 0,
status, "unrecognized input \"%s\", "
"expect \"auth_key\"", tokens[ti]);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
key_len = parse_key_string(tokens[ti],
rule->auth_key);
APP_CHECK(key_len == rule->auth_key_len, status,
"unrecognized input \"%s\"", tokens[ti]);
if (status->status < 0)
return;
key_len -= 4;
rule->auth_key_len = key_len;
rule->iv_len = algo->iv_len;
memcpy(&rule->salt,
&rule->auth_key[key_len], 4);
}
auth_algo_p = 1;
continue;
}
if (strcmp(tokens[ti], "aead_algo") == 0) {
const struct supported_aead_algo *algo;
uint32_t key_len;
APP_CHECK_PRESENCE(aead_algo_p, tokens[ti],
status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
algo = find_match_aead_algo(tokens[ti]);
APP_CHECK(algo != NULL, status, "unrecognized "
"input \"%s\"", tokens[ti]);
if (status->status < 0)
return;
rule->aead_algo = algo->algo;
rule->cipher_key_len = algo->key_len;
rule->digest_len = algo->digest_len;
rule->aad_len = algo->aad_len;
rule->block_size = algo->block_size;
rule->iv_len = algo->iv_len;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
APP_CHECK(strcmp(tokens[ti], "aead_key") == 0,
status, "unrecognized input \"%s\", "
"expect \"aead_key\"", tokens[ti]);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
key_len = parse_key_string(tokens[ti],
rule->cipher_key);
APP_CHECK(key_len == rule->cipher_key_len, status,
"unrecognized input \"%s\"", tokens[ti]);
if (status->status < 0)
return;
key_len -= 4;
rule->cipher_key_len = key_len;
memcpy(&rule->salt,
&rule->cipher_key[key_len], 4);
aead_algo_p = 1;
continue;
}
if (strcmp(tokens[ti], "src") == 0) {
APP_CHECK_PRESENCE(src_p, tokens[ti], status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
if (IS_IP4_TUNNEL(rule->flags)) {
struct in_addr ip;
APP_CHECK(parse_ipv4_addr(tokens[ti],
&ip, NULL) == 0, status,
"unrecognized input \"%s\", "
"expect valid ipv4 addr",
tokens[ti]);
if (status->status < 0)
return;
(uint32_t)ip.s_addr);
} else if (IS_IP6_TUNNEL(rule->flags)) {
struct in6_addr ip;
APP_CHECK(parse_ipv6_addr(tokens[ti], &ip,
NULL) == 0, status,
"unrecognized input \"%s\", "
"expect valid ipv6 addr",
tokens[ti]);
if (status->status < 0)
return;
memcpy(rule->src.ip.ip6.ip6_b,
ip.s6_addr, 16);
} else if (IS_TRANSPORT(rule->flags)) {
APP_CHECK(0, status, "unrecognized input "
"\"%s\"", tokens[ti]);
return;
}
src_p = 1;
continue;
}
if (strcmp(tokens[ti], "dst") == 0) {
APP_CHECK_PRESENCE(dst_p, tokens[ti], status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
if (IS_IP4_TUNNEL(rule->flags)) {
struct in_addr ip;
APP_CHECK(parse_ipv4_addr(tokens[ti],
&ip, NULL) == 0, status,
"unrecognized input \"%s\", "
"expect valid ipv4 addr",
tokens[ti]);
if (status->status < 0)
return;
(uint32_t)ip.s_addr);
} else if (IS_IP6_TUNNEL(rule->flags)) {
struct in6_addr ip;
APP_CHECK(parse_ipv6_addr(tokens[ti], &ip,
NULL) == 0, status,
"unrecognized input \"%s\", "
"expect valid ipv6 addr",
tokens[ti]);
if (status->status < 0)
return;
memcpy(rule->dst.ip.ip6.ip6_b, ip.s6_addr, 16);
} else if (IS_TRANSPORT(rule->flags)) {
APP_CHECK(0, status, "unrecognized "
"input \"%s\"", tokens[ti]);
return;
}
dst_p = 1;
continue;
}
if (strcmp(tokens[ti], "type") == 0) {
APP_CHECK_PRESENCE(type_p, tokens[ti], status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
if (strcmp(tokens[ti], "inline-crypto-offload") == 0)
else if (strcmp(tokens[ti],
"inline-protocol-offload") == 0)
else if (strcmp(tokens[ti],
"lookaside-protocol-offload") == 0)
else if (strcmp(tokens[ti], "no-offload") == 0)
else if (strcmp(tokens[ti], "cpu-crypto") == 0)
else {
APP_CHECK(0, status, "Invalid input \"%s\"",
tokens[ti]);
return;
}
type_p = 1;
continue;
}
if (strcmp(tokens[ti], "port_id") == 0) {
APP_CHECK_PRESENCE(portid_p, tokens[ti], status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
if (rule->portid == UINT16_MAX)
rule->portid = atoi(tokens[ti]);
else if (rule->portid != atoi(tokens[ti])) {
APP_CHECK(0, status,
"portid %s not matching with already assigned portid %u",
tokens[ti], rule->portid);
return;
}
portid_p = 1;
continue;
}
if (strcmp(tokens[ti], "mss") == 0) {
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
rule->mss = atoi(tokens[ti]);
if (status->status < 0)
return;
continue;
}
if (strcmp(tokens[ti], "esn") == 0) {
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
rule->esn = atoll(tokens[ti]);
if (status->status < 0)
return;
continue;
}
if (strcmp(tokens[ti], "fallback") == 0) {
APP_CHECK(app_sa_prm.enable, status, "Fallback session "
"not allowed for legacy mode.");
if (status->status < 0)
return;
"Fallback session allowed if primary session "
"is of type inline-crypto-offload only.");
if (status->status < 0)
return;
APP_CHECK(rule->direction ==
"Fallback session not allowed for egress "
"rule");
if (status->status < 0)
return;
APP_CHECK_PRESENCE(fallback_p, tokens[ti], status);
if (status->status < 0)
return;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
fb = ipsec_get_fallback_session(rule);
if (strcmp(tokens[ti], "lookaside-none") == 0)
else if (strcmp(tokens[ti], "cpu-crypto") == 0)
else {
APP_CHECK(0, status, "unrecognized fallback "
"type %s.", tokens[ti]);
return;
}
rule->fallback_sessions = 1;
nb_crypto_sessions++;
fallback_p = 1;
continue;
}
if (strcmp(tokens[ti], "flow-direction") == 0) {
rule->fdir_flag = 1;
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
if (rule->portid == UINT16_MAX)
rule->portid = atoi(tokens[ti]);
else if (rule->portid != atoi(tokens[ti])) {
APP_CHECK(0, status,
"portid %s not matching with already assigned portid %u",
tokens[ti], rule->portid);
return;
}
INCREMENT_TOKEN_INDEX(ti, n_tokens, status);
if (status->status < 0)
return;
rule->fdir_qid = atoi(tokens[ti]);
status_p = check_flow_params(rule->portid,
rule->fdir_qid);
if (status_p < 0) {
printf("port id %u / queue id %u is "
"not valid\n", rule->portid,
rule->fdir_qid);
}
break;
default:
APP_CHECK(0, status,
"flow director not supported for security session type %d",
return;
}
continue;
}
if (strcmp(tokens[ti], "udp-encap") == 0) {
APP_CHECK_PRESENCE(udp_encap_p, tokens[ti],
status);
if (status->status < 0)
return;
rule->udp_encap = 1;
app_sa_prm.udp_encap = 1;
udp_encap_p = 1;
break;
rule->udp_encap = 1;
rule->udp.sport = 0;
rule->udp.dport = 4500;
break;
default:
APP_CHECK(0, status,
"UDP encapsulation not supported for "
"security session type %d",
return;
}
continue;
}
APP_CHECK(0, status, "unrecognized input \"%s\"",
tokens[ti]);
return;
}
if (aead_algo_p) {
APP_CHECK(cipher_algo_p == 0, status,
"AEAD used, no need for cipher options");
if (status->status < 0)
return;
APP_CHECK(auth_algo_p == 0, status,
"AEAD used, no need for auth options");
if (status->status < 0)
return;
} else {
APP_CHECK(cipher_algo_p == 1, status, "missing cipher or AEAD options");
if (status->status < 0)
return;
APP_CHECK(auth_algo_p == 1, status, "missing auth or AEAD options");
if (status->status < 0)
return;
}
APP_CHECK(mode_p == 1, status, "missing mode option");
if (status->status < 0)
return;
printf("Missing portid option, falling back to non-offload\n");
if (!type_p || (!portid_p && ips->
type !=
}
nb_crypto_sessions++;
*ri = *ri + 1;
}
static void
print_one_sa_rule(
const struct ipsec_sa *
sa,
int inbound)
{
uint32_t i;
uint8_t a, b, c, d;
printf(
"\tspi_%s(%3u):", inbound?
"in":
"out",
sa->spi);
for (i = 0; i <
RTE_DIM(cipher_algos); i++) {
if (cipher_algos[i].algo ==
sa->cipher_algo &&
cipher_algos[i].key_len ==
sa->cipher_key_len) {
printf("%s ", cipher_algos[i].keyword);
break;
}
}
for (i = 0; i <
RTE_DIM(auth_algos); i++) {
if (auth_algos[i].algo ==
sa->auth_algo) {
printf("%s ", auth_algos[i].keyword);
break;
}
}
for (i = 0; i <
RTE_DIM(aead_algos); i++) {
if (aead_algos[i].algo ==
sa->aead_algo &&
aead_algos[i].key_len-4 ==
sa->cipher_key_len) {
printf("%s ", aead_algos[i].keyword);
break;
}
}
printf("mode:");
printf("UDP encapsulated ");
switch (WITHOUT_TRANSPORT_VERSION(
sa->flags)) {
case IP4_TUNNEL:
printf("IP4Tunnel ");
uint32_t_to_char(
sa->src.ip.ip4, &a, &b, &c, &d);
printf("%hhu.%hhu.%hhu.%hhu ", d, c, b, a);
uint32_t_to_char(
sa->dst.ip.ip4, &a, &b, &c, &d);
printf("%hhu.%hhu.%hhu.%hhu", d, c, b, a);
break;
case IP6_TUNNEL:
printf("IP6Tunnel ");
for (i = 0; i < 16; i++) {
if (i % 2 && i != 15)
printf(
"%.2x:",
sa->src.ip.ip6.ip6_b[i]);
else
printf(
"%.2x",
sa->src.ip.ip6.ip6_b[i]);
}
printf(" ");
for (i = 0; i < 16; i++) {
if (i % 2 && i != 15)
printf(
"%.2x:",
sa->dst.ip.ip6.ip6_b[i]);
else
printf(
"%.2x",
sa->dst.ip.ip6.ip6_b[i]);
}
break;
case TRANSPORT:
printf("Transport ");
break;
}
ips = &
sa->sessions[IPSEC_SESSION_PRIMARY];
printf(" type:");
printf("no-offload ");
break;
printf("inline-crypto-offload ");
break;
printf("inline-protocol-offload ");
break;
printf("lookaside-protocol-offload ");
break;
printf("cpu-crypto-accelerated ");
break;
}
fallback_ips = &
sa->sessions[IPSEC_SESSION_FALLBACK];
if (fallback_ips != NULL &&
sa->fallback_sessions > 0) {
printf("inline fallback: ");
switch (fallback_ips->
type) {
printf("lookaside-none");
break;
printf("cpu-crypto-accelerated");
break;
default:
printf("invalid");
break;
}
}
printf(
"flow-direction port %d queue %d",
sa->portid,
printf("\n");
}
static struct sa_ctx *
sa_create(const char *name, int32_t socket_id, uint32_t nb_sa)
{
char s[PATH_MAX];
struct sa_ctx *sa_ctx;
uint32_t mz_size;
printf("Creating SA context with %u maximum entries on socket %d\n",
mz_size = sizeof(struct ipsec_xf) * nb_sa;
if (mz == NULL) {
printf("Failed to allocate SA XFORM memory\n");
return NULL;
}
sizeof(struct ipsec_sa) * nb_sa, RTE_CACHE_LINE_SIZE);
if (sa_ctx == NULL) {
printf("Failed to allocate SA CTX memory\n");
return NULL;
}
sa_ctx->xf = (
struct ipsec_xf *)mz->
addr;
sa_ctx->nb_sa = nb_sa;
return sa_ctx;
}
static int
check_eth_dev_caps(uint16_t portid, uint32_t inbound, uint32_t tso)
{
int retval;
if (retval != 0) {
"Error during getting device (port %u) info: %s\n",
portid, strerror(-retval));
return retval;
}
if (inbound) {
if ((dev_info.rx_offload_capa &
RTE_ETH_RX_OFFLOAD_SECURITY) == 0) {
"hardware RX IPSec offload is not supported\n");
return -EINVAL;
}
} else {
if ((dev_info.tx_offload_capa &
RTE_ETH_TX_OFFLOAD_SECURITY) == 0) {
"hardware TX IPSec offload is not supported\n");
return -EINVAL;
}
if (tso && (dev_info.tx_offload_capa &
RTE_ETH_TX_OFFLOAD_TCP_TSO) == 0) {
"hardware TCP TSO offload is not supported\n");
return -EINVAL;
}
}
return 0;
}
static int
struct ip_addr ip_addr[2], uint32_t mask[2])
{
int32_t rc4, rc6;
ip_addr, mask);
ip_addr, mask);
if (rc4 >= 0) {
if (rc6 >= 0) {
"%s: SPI %u used simultaneously by "
"IPv4(%d) and IPv6 (%d) SP rules\n",
__func__, spi, rc4, rc6);
return -EINVAL;
} else
return IPPROTO_IPIP;
} else if (rc6 < 0) {
"%s: SPI %u is not used by any SP rule\n",
__func__, spi);
return -EINVAL;
} else
return IPPROTO_IPV6;
}
static int
sa_add_address_inline_crypto(struct ipsec_sa *sa)
{
int protocol;
struct ip_addr ip_addr[2];
uint32_t mask[2];
protocol = get_spi_proto(sa->spi, sa->direction, ip_addr, mask);
if (protocol < 0)
return protocol;
else if (protocol == IPPROTO_IPIP) {
sa->flags |= IP4_TRANSPORT;
if (mask[0] == IP4_FULL_MASK &&
mask[1] == IP4_FULL_MASK &&
ip_addr[0].ip.ip4 != 0 &&
ip_addr[1].ip.ip4 != 0) {
sa->src.ip.ip4 = ip_addr[0].ip.ip4;
sa->dst.ip.ip4 = ip_addr[1].ip.ip4;
} else {
"%s: No valid address or mask entry in"
" IPv4 SP rule for SPI %u\n",
__func__, sa->spi);
return -EINVAL;
}
} else if (protocol == IPPROTO_IPV6) {
sa->flags |= IP6_TRANSPORT;
if (mask[0] == IP6_FULL_MASK &&
mask[1] == IP6_FULL_MASK &&
(ip_addr[0].ip.ip6.ip6[0] != 0 ||
ip_addr[0].ip.ip6.ip6[1] != 0) &&
(ip_addr[1].ip.ip6.ip6[0] != 0 ||
ip_addr[1].ip.ip6.ip6[1] != 0)) {
sa->src.ip.ip6 = ip_addr[0].ip.ip6;
sa->dst.ip.ip6 = ip_addr[1].ip.ip6;
} else {
"%s: No valid address or mask entry in"
" IPv6 SP rule for SPI %u\n",
__func__, sa->spi);
return -EINVAL;
}
}
return 0;
}
static int
sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint32_t nb_entries, uint32_t inbound,
struct socket_ctx *skt_ctx)
{
struct ipsec_sa *sa;
uint32_t i, idx;
uint16_t iv_length, aad_length;
uint16_t auth_iv_length = 0;
int inline_status;
int32_t rc;
aad_length = (app_sa_prm.enable_esn != 0) ? sizeof(uint32_t) : 0;
for (i = 0; i < nb_entries; i++) {
idx = i;
printf("Index %u already in use by SPI %u\n",
return -EINVAL;
}
if (inbound) {
rc = ipsec_sad_add(&sa_ctx->sad,
sa);
if (rc != 0)
return rc;
}
ips = ipsec_get_primary_session(
sa);
if (check_eth_dev_caps(
sa->portid, inbound,
sa->mss))
return -EINVAL;
}
switch (WITHOUT_TRANSPORT_VERSION(
sa->flags)) {
case IP4_TUNNEL:
break;
case TRANSPORT:
inline_status =
sa_add_address_inline_crypto(
sa);
if (inline_status < 0)
return inline_status;
}
break;
}
iv_length = 11;
else
iv_length = 12;
sa_ctx->xf[idx].a.aead.algo =
sa->aead_algo;
sa_ctx->xf[idx].a.aead.key.data =
sa->cipher_key;
sa_ctx->xf[idx].a.aead.key.length =
sa_ctx->xf[idx].a.aead.op = (inbound == 1) ?
sa_ctx->xf[idx].a.next = NULL;
sa_ctx->xf[idx].a.aead.iv.offset = IV_OFFSET;
sa_ctx->xf[idx].a.aead.iv.length = iv_length;
sa_ctx->xf[idx].a.aead.aad_length =
sa->aad_len + aad_length;
sa_ctx->xf[idx].a.aead.digest_length =
sa->xforms = &sa_ctx->xf[idx].a;
} else {
switch (
sa->cipher_algo) {
break;
default:
"unsupported cipher algorithm %u\n",
return -EINVAL;
}
auth_iv_length = 12;
if (inbound) {
sa_ctx->xf[idx].b.cipher.algo =
sa->cipher_algo;
sa_ctx->xf[idx].b.cipher.key.data =
sa->cipher_key;
sa_ctx->xf[idx].b.cipher.key.length =
sa_ctx->xf[idx].b.cipher.op =
sa_ctx->xf[idx].b.next = NULL;
sa_ctx->xf[idx].b.cipher.iv.offset = IV_OFFSET;
sa_ctx->xf[idx].b.cipher.iv.length = iv_length;
sa_ctx->xf[idx].a.auth.algo =
sa->auth_algo;
sa_ctx->xf[idx].a.auth.key.data =
sa->auth_key;
sa_ctx->xf[idx].a.auth.key.length =
sa_ctx->xf[idx].a.auth.digest_length =
sa_ctx->xf[idx].a.auth.op =
sa_ctx->xf[idx].a.auth.iv.offset = IV_OFFSET;
sa_ctx->xf[idx].a.auth.iv.length = auth_iv_length;
} else {
sa_ctx->xf[idx].a.cipher.algo =
sa->cipher_algo;
sa_ctx->xf[idx].a.cipher.key.data =
sa->cipher_key;
sa_ctx->xf[idx].a.cipher.key.length =
sa_ctx->xf[idx].a.cipher.op =
sa_ctx->xf[idx].a.next = NULL;
sa_ctx->xf[idx].a.cipher.iv.offset = IV_OFFSET;
sa_ctx->xf[idx].a.cipher.iv.length = iv_length;
sa_ctx->xf[idx].b.auth.algo =
sa->auth_algo;
sa_ctx->xf[idx].b.auth.key.data =
sa->auth_key;
sa_ctx->xf[idx].b.auth.key.length =
sa_ctx->xf[idx].b.auth.digest_length =
sa_ctx->xf[idx].b.auth.op =
sa_ctx->xf[idx].b.auth.iv.offset = IV_OFFSET;
sa_ctx->xf[idx].b.auth.iv.length = auth_iv_length;
}
&sa_ctx->xf[idx].a : &sa_ctx->xf[idx].b;
} else {
sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
sa_ctx->xf[idx].b.next = NULL;
sa->xforms = &sa_ctx->xf[idx].a;
}
}
rc = create_inline_session(skt_ctx,
sa, ips);
if (rc != 0) {
"create_inline_session() failed\n");
return -EINVAL;
}
}
if (
sa->fdir_flag && inbound) {
rc = create_ipsec_esp_flow(
sa);
if (rc != 0)
"create_ipsec_esp_flow() failed\n");
}
print_one_sa_rule(
sa, inbound);
}
return 0;
}
static inline int
sa_out_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint32_t nb_entries, struct socket_ctx *skt_ctx)
{
return sa_add_rules(sa_ctx, entries, nb_entries, 0, skt_ctx);
}
static inline int
sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
uint32_t nb_entries, struct socket_ctx *skt_ctx)
{
return sa_add_rules(sa_ctx, entries, nb_entries, 1, skt_ctx);
}
static void
const struct app_sa_prm *app_prm)
{
memset(prm, 0, sizeof(*prm));
prm->
flags = app_prm->flags;
}
static int
{
int32_t rc;
rc = get_spi_proto(ss->spi, ss->direction, NULL, NULL);
if (rc < 0)
return rc;
fill_ipsec_app_sa_prm(prm, &app_sa_prm);
if (ss->esn > 0) {
}
if (IS_IP4_TUNNEL(ss->flags)) {
} else if (IS_IP6_TUNNEL(ss->flags)) {
} else {
}
return 0;
}
static int
{
int32_t rc = 0;
if (ss->
security.
ses != NULL) {
if (rc != 0)
memset(ss, 0, sizeof(*ss));
}
}
return rc;
}
static int
ipsec_sa_init(
struct ipsec_sa *lsa,
struct rte_ipsec_sa *
sa, uint32_t sa_size)
{
int rc;
.src_addr = lsa->src.ip.ip4,
.dst_addr = lsa->dst.ip.ip4,
};
.proto = lsa->udp_encap ? IPPROTO_UDP : IPPROTO_ESP,
};
if (IS_IP6_TUNNEL(lsa->flags)) {
}
rc = fill_ipsec_sa_prm(&prm, lsa, &v4, &v6);
if (rc == 0)
if (rc < 0)
return rc;
if (lsa->flags & SA_TELEMETRY_ENABLE)
ips = ipsec_get_primary_session(lsa);
rc = fill_ipsec_session(ips, sa);
if (rc != 0)
return rc;
if (lsa->fallback_sessions == 1)
rc = fill_ipsec_session(ipsec_get_fallback_session(lsa), sa);
return rc;
}
static int
ipsec_satbl_init(struct sa_ctx *ctx, uint32_t nb_ent, int32_t socket)
{
int32_t rc, sz;
uint32_t i, idx;
size_t tsz;
struct rte_ipsec_sa *sa;
struct ipsec_sa *lsa;
idx = 0;
fill_ipsec_sa_prm(&prm, ctx->sa + idx, NULL, NULL);
if (sz < 0) {
RTE_LOG(ERR, IPSEC,
"%s(%p, %u, %d): "
"failed to determine SA size, error code: %d\n",
__func__, ctx, nb_ent, socket, sz);
return sz;
}
tsz = sz * nb_ent;
if (ctx->satbl == NULL) {
"%s(%p, %u, %d): failed to allocate %zu bytes\n",
__func__, ctx, nb_ent, socket, tsz);
return -ENOMEM;
}
rc = 0;
for (i = 0; i != nb_ent && rc == 0; i++) {
idx = i;
sa = (struct rte_ipsec_sa *)((uintptr_t)ctx->satbl + sz * i);
lsa = ctx->sa + idx;
rc = ipsec_sa_init(lsa, sa, sz);
}
return rc;
}
static int
sa_cmp(const void *p, const void *q)
{
uint32_t spi1 = ((const struct ipsec_sa *)p)->spi;
uint32_t spi2 = ((const struct ipsec_sa *)q)->spi;
return (int)(spi1 - spi2);
}
int
sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound)
{
uint32_t num;
struct ipsec_sa *sa;
struct ipsec_sa tmpl;
const struct ipsec_sa *sar;
sar = sa_ctx->sa;
if (inbound != 0)
num = nb_sa_in;
else
num = nb_sa_out;
tmpl.spi = spi;
sa = bsearch(&tmpl, sar, num, sizeof(struct ipsec_sa), sa_cmp);
if (sa != NULL)
return -ENOENT;
}
void
sa_init(struct socket_ctx *ctx, int32_t socket_id)
{
int32_t rc;
const char *name;
if (ctx == NULL)
rte_exit(EXIT_FAILURE,
"NULL context.\n");
if (ctx->sa_in != NULL)
rte_exit(EXIT_FAILURE,
"Inbound SA DB for socket %u already "
"initialized\n", socket_id);
if (ctx->sa_out != NULL)
rte_exit(EXIT_FAILURE,
"Outbound SA DB for socket %u already "
"initialized\n", socket_id);
if (nb_sa_in > 0) {
name = "sa_in";
ctx->sa_in = sa_create(name, socket_id, nb_sa_in);
if (ctx->sa_in == NULL)
rte_exit(EXIT_FAILURE,
"Error [%d] creating SA "
name, socket_id);
rc = ipsec_sad_create(name, &ctx->sa_in->sad, socket_id,
&sa_in_cnt);
if (rc != 0)
rte_exit(EXIT_FAILURE,
"failed to init SAD\n");
sa_in_add_rules(ctx->sa_in, sa_in, nb_sa_in, ctx);
if (app_sa_prm.enable != 0) {
rc = ipsec_satbl_init(ctx->sa_in, nb_sa_in,
socket_id);
if (rc != 0)
"failed to init inbound SAs\n");
}
} else
RTE_LOG(WARNING, IPSEC,
"No SA Inbound rule specified\n");
if (nb_sa_out > 0) {
name = "sa_out";
ctx->sa_out = sa_create(name, socket_id, nb_sa_out);
if (ctx->sa_out == NULL)
rte_exit(EXIT_FAILURE,
"Error [%d] creating SA "
name, socket_id);
sa_out_add_rules(ctx->sa_out, sa_out, nb_sa_out, ctx);
if (app_sa_prm.enable != 0) {
rc = ipsec_satbl_init(ctx->sa_out, nb_sa_out,
socket_id);
if (rc != 0)
"failed to init outbound SAs\n");
}
} else
RTE_LOG(WARNING, IPSEC,
"No SA Outbound rule "
"specified\n");
}
int
inbound_sa_check(
struct sa_ctx *sa_ctx,
struct rte_mbuf *m, uint32_t sa_idx)
{
struct ipsec_mbuf_metadata *priv;
struct ipsec_sa *sa;
priv = get_priv(m);
sa = priv->sa;
if (sa != NULL)
return (sa_ctx->sa[sa_idx].spi == sa->spi);
RTE_LOG(ERR, IPSEC,
"SA not saved in private data\n");
return 0;
}
void
inbound_sa_lookup(
struct sa_ctx *sa_ctx,
struct rte_mbuf *pkts[],
void *sa_arr[], uint16_t nb_pkts)
{
uint32_t i;
void *result_sa;
struct ipsec_sa *sa;
sad_lookup(&sa_ctx->sad, pkts, sa_arr, nb_pkts);
for (i = 0; i < nb_pkts; i++) {
if (sa_arr[i] == NULL)
continue;
result_sa = sa = sa_arr[i];
if (MBUF_NO_SEC_OFFLOAD(pkts[i]) &&
sa->fallback_sessions > 0) {
uintptr_t intsa = (uintptr_t)sa;
intsa |= IPSEC_SA_OFFLOAD_FALLBACK_FLAG;
result_sa = (void *)intsa;
}
sa_arr[i] = result_sa;
}
}
void
outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
void *sa[], uint16_t nb_pkts)
{
uint32_t i;
for (i = 0; i < nb_pkts; i++)
sa[i] = &sa_ctx->sa[sa_idx[i]];
}
int
sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
uint64_t *tx_offloads)
{
struct ipsec_sa *rule;
uint32_t idx_sa;
int ret;
*rx_offloads = 0;
*tx_offloads = 0;
if (ret != 0)
"Error during getting device (port %u) info: %s\n",
port_id, strerror(-ret));
for (idx_sa = 0; idx_sa < nb_sa_in; idx_sa++) {
rule = &sa_in[idx_sa];
rule_type = ipsec_get_action_type(rule);
rule_type ==
&& rule->portid == port_id)
*rx_offloads |= RTE_ETH_RX_OFFLOAD_SECURITY;
}
for (idx_sa = 0; idx_sa < nb_sa_out; idx_sa++) {
rule = &sa_out[idx_sa];
rule_type = ipsec_get_action_type(rule);
if (rule->portid == port_id) {
switch (rule_type) {
*tx_offloads |= RTE_ETH_TX_OFFLOAD_SECURITY;
if (rule->mss)
*tx_offloads |= (RTE_ETH_TX_OFFLOAD_TCP_TSO |
RTE_ETH_TX_OFFLOAD_IPV4_CKSUM);
break;
*tx_offloads |= RTE_ETH_TX_OFFLOAD_SECURITY;
if (rule->mss)
*tx_offloads |=
RTE_ETH_TX_OFFLOAD_TCP_TSO;
if (dev_info.tx_offload_capa &
RTE_ETH_TX_OFFLOAD_IPV4_CKSUM)
*tx_offloads |=
RTE_ETH_TX_OFFLOAD_IPV4_CKSUM;
break;
default:
if (dev_info.tx_offload_capa &
RTE_ETH_TX_OFFLOAD_IPV4_CKSUM)
*tx_offloads |= RTE_ETH_TX_OFFLOAD_IPV4_CKSUM;
break;
}
} else {
if (dev_info.tx_offload_capa &
RTE_ETH_TX_OFFLOAD_IPV4_CKSUM)
*tx_offloads |= RTE_ETH_TX_OFFLOAD_IPV4_CKSUM;
}
}
return 0;
}
void
sa_sort_arr(void)
{
qsort(sa_in, nb_sa_in, sizeof(struct ipsec_sa), sa_cmp);
qsort(sa_out, nb_sa_out, sizeof(struct ipsec_sa), sa_cmp);
}
uint32_t
get_nb_crypto_sessions(void)
{
return nb_crypto_sessions;
}
static rte_be32_t rte_cpu_to_be_32(uint32_t x)
static uint32_t rte_bswap32(uint32_t x)
#define RTE_PTR_DIFF(ptr1, ptr2)
__rte_noreturn void rte_exit(int exit_code, const char *format,...) __rte_format_printf(2
rte_crypto_auth_algorithm
@ RTE_CRYPTO_AUTH_SHA512_HMAC
@ RTE_CRYPTO_AUTH_AES_XCBC_MAC
@ RTE_CRYPTO_AUTH_SHA384_HMAC
@ RTE_CRYPTO_AUTH_SHA1_HMAC
@ RTE_CRYPTO_AUTH_SHA256_HMAC
@ RTE_CRYPTO_AUTH_AES_GMAC
@ RTE_CRYPTO_CIPHER_OP_DECRYPT
@ RTE_CRYPTO_CIPHER_OP_ENCRYPT
@ RTE_CRYPTO_SYM_XFORM_AUTH
@ RTE_CRYPTO_SYM_XFORM_AEAD
@ RTE_CRYPTO_SYM_XFORM_CIPHER
rte_crypto_aead_algorithm
@ RTE_CRYPTO_AEAD_AES_CCM
@ RTE_CRYPTO_AEAD_AES_GCM
@ RTE_CRYPTO_AEAD_CHACHA20_POLY1305
rte_crypto_cipher_algorithm
@ RTE_CRYPTO_CIPHER_AES_CTR
@ RTE_CRYPTO_CIPHER_AES_CBC
@ RTE_CRYPTO_CIPHER_3DES_CBC
@ RTE_CRYPTO_AUTH_OP_VERIFY
@ RTE_CRYPTO_AUTH_OP_GENERATE
@ RTE_CRYPTO_AEAD_OP_DECRYPT
@ RTE_CRYPTO_AEAD_OP_ENCRYPT
int rte_eth_dev_info_get(uint16_t port_id, struct rte_eth_dev_info *dev_info)
#define RTE_IPV4_IHL_MULTIPLIER
int rte_ipsec_session_prepare(struct rte_ipsec_session *ss)
__rte_experimental int rte_ipsec_telemetry_sa_add(const struct rte_ipsec_sa *sa)
int rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, uint32_t size)
int rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
#define RTE_LOG(l, t,...)
void * rte_zmalloc(const char *type, size_t size, unsigned align) __rte_alloc_size(2)
void * rte_zmalloc_socket(const char *type, size_t size, unsigned align, int socket) __rte_alloc_size(2)
const struct rte_memzone * rte_memzone_reserve(const char *name, size_t len, int socket_id, unsigned flags)
#define RTE_MEMZONE_SIZE_HINT_ONLY
int rte_memzone_free(const struct rte_memzone *mz)
@ RTE_SECURITY_IPSEC_SA_PROTO_ESP
rte_security_session_action_type
@ RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
@ RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
@ RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
@ RTE_SECURITY_ACTION_TYPE_NONE
@ RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
rte_security_ipsec_sa_direction
@ RTE_SECURITY_IPSEC_SA_DIR_INGRESS
@ RTE_SECURITY_IPSEC_SA_DIR_EGRESS
@ RTE_SECURITY_IPSEC_SA_MODE_TUNNEL
@ RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT
@ RTE_SECURITY_IPSEC_TUNNEL_IPV6
@ RTE_SECURITY_IPSEC_TUNNEL_IPV4
struct rte_crypto_sym_xform * crypto_xform
struct rte_ipsec_sa_prm::@242::@244 tun
struct rte_security_ipsec_xform ipsec_xform
struct rte_ipsec_sa_prm::@242::@245 trs
enum rte_security_session_action_type type
char name[RTE_MEMZONE_NAMESIZE]
enum rte_security_ipsec_tunnel_type type