aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSzymon Sliwa <szs@semihalf.com>2017-08-23 17:42:22 +0200
committerSzymon Sliwa <szs@semihalf.com>2018-02-05 11:01:09 +0100
commit11959b50936026a43106f9079b1df0d9b67e674a (patch)
tree5f7a0e00e210e301c75c5af4327fb9296b2305ce
parent130c8f744801d71982e30993b884c76d9d97d309 (diff)
plugins: odp: Add ODP-IPsec node
Based heavily on the src/vnet/ipsec. Reuses the pure software VPP IPsec implementation CLI command. To use enable-odp-crypto needs to be present in the odp section of startup configuration, like this: odp { enable-odp-crypto } Currenlty only IPv4 is supported, and only in transport mode. Authentication headers are not supported, this limitation is inherited from VPP. Supported crypto algorithms are aes-cbc-128 for encryption, and sha-512-256, sha-256-128, sha1-96 for authentication Change-Id: I08c66f96a73d8cb4ef1095f181ddf47506abc39a Signed-off-by: Szymon Sliwa <szs@semihalf.com>
-rw-r--r--src/plugins/odp.am19
-rw-r--r--src/plugins/odp/ipsec/esp.h288
-rw-r--r--src/plugins/odp/ipsec/esp_decrypt.c472
-rw-r--r--src/plugins/odp/ipsec/esp_encrypt.c445
-rw-r--r--src/plugins/odp/ipsec/ipsec.c263
-rw-r--r--src/plugins/odp/ipsec/ipsec.h57
-rwxr-xr-xsrc/plugins/odp/odp_packet.c9
-rwxr-xr-xsrc/plugins/odp/odp_packet.h1
-rw-r--r--src/vpp/conf/startup.conf3
9 files changed, 1550 insertions, 7 deletions
diff --git a/src/plugins/odp.am b/src/plugins/odp.am
index 10c8e27..fb874f7 100644
--- a/src/plugins/odp.am
+++ b/src/plugins/odp.am
@@ -15,13 +15,18 @@ vppplugins_LTLIBRARIES += odp_plugin.la
odp_plugin_la_LDFLAGS = $(AM_LDFLAGS) $(ODP_LIBS)
-odp_plugin_la_SOURCES = odp/cli.c \
- odp/node.c \
- odp/odp_packet.c \
- odp/device.c \
- odp/buffer.c \
- odp/thread.c
+odp_plugin_la_SOURCES = odp/cli.c \
+ odp/node.c \
+ odp/odp_packet.c \
+ odp/device.c \
+ odp/buffer.c \
+ odp/thread.c \
+ odp/ipsec/ipsec.c \
+ odp/ipsec/esp_encrypt.c \
+ odp/ipsec/esp_decrypt.c
-noinst_HEADERS += odp/odp_packet.h
+noinst_HEADERS += odp/odp_packet.h \
+ odp/ipsec/ipsec.h \
+ odp/ipsec/esp.h
# vi:syntax=automake
diff --git a/src/plugins/odp/ipsec/esp.h b/src/plugins/odp/ipsec/esp.h
new file mode 100644
index 0000000..b7cc468
--- /dev/null
+++ b/src/plugins/odp/ipsec/esp.h
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2015 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __ESP_H__
+#define __ESP_H__
+
+#include <openssl/hmac.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+
+#include <odp_api.h>
+
+typedef struct
+{
+ u32 spi;
+ u32 seq;
+ u8 data[0];
+} esp_header_t;
+
+typedef struct
+{
+ u8 pad_length;
+ u8 next_header;
+} esp_footer_t;
+
+/* *INDENT-OFF* */
+typedef CLIB_PACKED (struct {
+ ip4_header_t ip4;
+ esp_header_t esp;
+}) ip4_and_esp_header_t;
+/* *INDENT-ON* */
+
+/* *INDENT-OFF* */
+typedef CLIB_PACKED (struct {
+ ip6_header_t ip6;
+ esp_header_t esp;
+}) ip6_and_esp_header_t;
+/* *INDENT-ON* */
+
+typedef struct
+{
+ const EVP_CIPHER *type;
+} esp_crypto_alg_t;
+
+typedef struct
+{
+ const EVP_MD *md;
+ u8 trunc_size;
+} esp_integ_alg_t;
+
+typedef struct
+{
+ CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+ EVP_CIPHER_CTX encrypt_ctx;
+ CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
+ EVP_CIPHER_CTX decrypt_ctx;
+ CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
+ HMAC_CTX hmac_ctx;
+ ipsec_crypto_alg_t last_encrypt_alg;
+ ipsec_crypto_alg_t last_decrypt_alg;
+ ipsec_integ_alg_t last_integ_alg;
+} esp_main_per_thread_data_t;
+
+typedef struct
+{
+ esp_crypto_alg_t *esp_crypto_algs;
+ esp_integ_alg_t *esp_integ_algs;
+ esp_main_per_thread_data_t *per_thread_data;
+} esp_main_t;
+
+esp_main_t odp_esp_main;
+
+#define ESP_WINDOW_SIZE (64)
+#define ESP_SEQ_MAX (4294967295UL)
+
+
+always_inline int
+esp_replay_check (ipsec_sa_t * sa, u32 seq)
+{
+ u32 diff;
+
+ if (PREDICT_TRUE (seq > sa->last_seq))
+ return 0;
+
+ diff = sa->last_seq - seq;
+
+ if (ESP_WINDOW_SIZE > diff)
+ return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ else
+ return 1;
+
+ return 0;
+}
+
+always_inline int
+esp_replay_check_esn (ipsec_sa_t * sa, u32 seq)
+{
+ u32 tl = sa->last_seq;
+ u32 th = sa->last_seq_hi;
+ u32 diff = tl - seq;
+
+ if (PREDICT_TRUE (tl >= (ESP_WINDOW_SIZE - 1)))
+ {
+ if (seq >= (tl - ESP_WINDOW_SIZE + 1))
+ {
+ sa->seq_hi = th;
+ if (seq <= tl)
+ return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ else
+ return 0;
+ }
+ else
+ {
+ sa->seq_hi = th + 1;
+ return 0;
+ }
+ }
+ else
+ {
+ if (seq >= (tl - ESP_WINDOW_SIZE + 1))
+ {
+ sa->seq_hi = th - 1;
+ return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ }
+ else
+ {
+ sa->seq_hi = th;
+ if (seq <= tl)
+ return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+ else
+ return 0;
+ }
+ }
+
+ return 0;
+}
+
+/* TODO seq increment should be atomic to be accessed by multiple workers */
+always_inline void
+esp_replay_advance (ipsec_sa_t * sa, u32 seq)
+{
+ u32 pos;
+
+ if (seq > sa->last_seq)
+ {
+ pos = seq - sa->last_seq;
+ if (pos < ESP_WINDOW_SIZE)
+ sa->replay_window = ((sa->replay_window) << pos) | 1;
+ else
+ sa->replay_window = 1;
+ sa->last_seq = seq;
+ }
+ else
+ {
+ pos = sa->last_seq - seq;
+ sa->replay_window |= (1ULL << pos);
+ }
+}
+
+always_inline void
+esp_replay_advance_esn (ipsec_sa_t * sa, u32 seq)
+{
+ int wrap = sa->seq_hi - sa->last_seq_hi;
+ u32 pos;
+
+ if (wrap == 0 && seq > sa->last_seq)
+ {
+ pos = seq - sa->last_seq;
+ if (pos < ESP_WINDOW_SIZE)
+ sa->replay_window = ((sa->replay_window) << pos) | 1;
+ else
+ sa->replay_window = 1;
+ sa->last_seq = seq;
+ }
+ else if (wrap > 0)
+ {
+ pos = ~seq + sa->last_seq + 1;
+ if (pos < ESP_WINDOW_SIZE)
+ sa->replay_window = ((sa->replay_window) << pos) | 1;
+ else
+ sa->replay_window = 1;
+ sa->last_seq = seq;
+ sa->last_seq_hi = sa->seq_hi;
+ }
+ else if (wrap < 0)
+ {
+ pos = ~seq + sa->last_seq + 1;
+ sa->replay_window |= (1ULL << pos);
+ }
+ else
+ {
+ pos = sa->last_seq - seq;
+ sa->replay_window |= (1ULL << pos);
+ }
+}
+
+always_inline int
+esp_seq_advance (ipsec_sa_t * sa)
+{
+ if (PREDICT_TRUE (sa->use_esn))
+ {
+ if (PREDICT_FALSE (sa->seq == ESP_SEQ_MAX))
+ {
+ if (PREDICT_FALSE
+ (sa->use_anti_replay && sa->seq_hi == ESP_SEQ_MAX))
+ return 1;
+ sa->seq_hi++;
+ }
+ sa->seq++;
+ }
+ else
+ {
+ if (PREDICT_FALSE (sa->use_anti_replay && sa->seq == ESP_SEQ_MAX))
+ return 1;
+ sa->seq++;
+ }
+
+ return 0;
+}
+
+always_inline void
+esp_init ()
+{
+ esp_main_t *em = &odp_esp_main;
+ vlib_thread_main_t *tm = vlib_get_thread_main ();
+
+ memset (em, 0, sizeof (em[0]));
+
+ vec_validate (em->esp_crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
+ em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].type = EVP_aes_128_cbc ();
+ em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].type = EVP_aes_192_cbc ();
+ em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].type = EVP_aes_256_cbc ();
+
+ vec_validate (em->esp_integ_algs, IPSEC_INTEG_N_ALG - 1);
+ esp_integ_alg_t *i;
+
+ i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA1_96];
+ i->md = EVP_sha1 ();
+ i->trunc_size = 12;
+
+ i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
+ i->md = EVP_sha256 ();
+ i->trunc_size = 12;
+
+ i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
+ i->md = EVP_sha256 ();
+ i->trunc_size = 16;
+
+ i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
+ i->md = EVP_sha384 ();
+ i->trunc_size = 24;
+
+ i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
+ i->md = EVP_sha512 ();
+ i->trunc_size = 32;
+
+ vec_validate_aligned (em->per_thread_data, tm->n_vlib_mains - 1,
+ CLIB_CACHE_LINE_BYTES);
+ int thread_id;
+
+ for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++)
+ {
+ EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx));
+ EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx));
+ HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx));
+ }
+}
+
+#endif /* __ESP_H__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/odp/ipsec/esp_decrypt.c b/src/plugins/odp/ipsec/esp_decrypt.c
new file mode 100644
index 0000000..728d1c5
--- /dev/null
+++ b/src/plugins/odp/ipsec/esp_decrypt.c
@@ -0,0 +1,472 @@
+/*
+ * esp_decrypt.c : IPSec ESP decrypt node
+ *
+ * Copyright (c) 2015 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/vnet.h>
+#include <vnet/api_errno.h>
+#include <vnet/ip/ip.h>
+
+#include <odp/ipsec/ipsec.h>
+#include <odp/ipsec/esp.h>
+
+#define foreach_esp_decrypt_next \
+_(DROP, "error-drop") \
+_(IP4_INPUT, "ip4-input") \
+_(IP6_INPUT, "ip6-input") \
+_(IPSEC_GRE_INPUT, "ipsec-gre-input")
+
+#define _(v, s) ESP_DECRYPT_NEXT_##v,
+typedef enum
+{
+ foreach_esp_decrypt_next
+#undef _
+ ESP_DECRYPT_N_NEXT,
+} esp_decrypt_next_t;
+
+
+#define foreach_esp_decrypt_error \
+ _(RX_PKTS, "ESP pkts received") \
+ _(NO_BUFFER, "No buffer (packed dropped)") \
+ _(DECRYPTION_FAILED, "ESP decryption failed") \
+ _(INTEG_ERROR, "Integrity check failed") \
+ _(REPLAY, "SA replayed packet") \
+ _(NOT_IP, "Not IP packet (dropped)")
+
+
+typedef enum
+{
+#define _(sym,str) ESP_DECRYPT_ERROR_##sym,
+ foreach_esp_decrypt_error
+#undef _
+ ESP_DECRYPT_N_ERROR,
+} esp_decrypt_error_t;
+
+static char *esp_decrypt_error_strings[] = {
+#define _(sym,string) string,
+ foreach_esp_decrypt_error
+#undef _
+};
+
+typedef struct
+{
+ ipsec_crypto_alg_t crypto_alg;
+ ipsec_integ_alg_t integ_alg;
+} esp_decrypt_trace_t;
+
+vlib_node_registration_t odp_crypto_esp_decrypt_node;
+
+/* packet trace format function */
+static u8 *
+format_esp_decrypt_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ esp_decrypt_trace_t *t = va_arg (*args, esp_decrypt_trace_t *);
+
+ s = format (s, "(ODP) esp: crypto %U integrity %U",
+ format_ipsec_crypto_alg, t->crypto_alg,
+ format_ipsec_integ_alg, t->integ_alg);
+ return s;
+}
+
+always_inline void
+esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg,
+ u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv)
+{
+ esp_main_t *em = &odp_esp_main;
+ u32 thread_index = vlib_get_thread_index ();
+ EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx);
+ const EVP_CIPHER *cipher = NULL;
+ int out_len;
+
+ ASSERT (alg < IPSEC_CRYPTO_N_ALG);
+
+ if (PREDICT_FALSE (em->esp_crypto_algs[alg].type == 0))
+ return;
+
+ if (PREDICT_FALSE
+ (alg != em->per_thread_data[thread_index].last_decrypt_alg))
+ {
+ cipher = em->esp_crypto_algs[alg].type;
+ em->per_thread_data[thread_index].last_decrypt_alg = alg;
+ }
+
+ EVP_DecryptInit_ex (ctx, cipher, NULL, key, iv);
+
+ EVP_DecryptUpdate (ctx, out, &out_len, in, in_len);
+ EVP_DecryptFinal_ex (ctx, out + out_len, &out_len);
+}
+
+static uword
+esp_decrypt_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * from_frame)
+{
+ u32 n_left_from, *from, next_index, *to_next;
+ ipsec_main_t *im = &ipsec_main;
+ esp_main_t *em = &odp_esp_main;
+ u32 *recycle = 0;
+ from = vlib_frame_vector_args (from_frame);
+ n_left_from = from_frame->n_vectors;
+ odp_crypto_main_t *ocm = &odp_crypto_main;
+ u32 thread_index = vlib_get_thread_index ();
+
+ ipsec_alloc_empty_buffers (vm, im);
+
+ u32 *empty_buffers = im->empty_buffers[thread_index];
+
+ odp_crypto_worker_main_t *cwm =
+ vec_elt_at_index (ocm->workers, thread_index);
+
+ if (PREDICT_FALSE (vec_len (empty_buffers) < n_left_from))
+ {
+ vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index,
+ ESP_DECRYPT_ERROR_NO_BUFFER, n_left_from);
+ goto free_buffers_and_exit;
+ }
+
+ next_index = node->cached_next_index;
+
+ while (n_left_from > 0)
+ {
+ u32 n_left_to_next;
+
+ vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
+
+ while (n_left_from > 0 && n_left_to_next > 0)
+ {
+ u32 i_bi0, o_bi0 = (u32) ~ 0, next0;
+ vlib_buffer_t *i_b0;
+ vlib_buffer_t *o_b0 = 0;
+ esp_header_t *esp0;
+ ipsec_sa_t *sa0;
+ u32 sa_index0 = ~0;
+ u32 seq;
+ ip4_header_t *ih4 = 0, *oh4 = 0;
+ ip6_header_t *ih6 = 0, *oh6 = 0;
+ u8 tunnel_mode = 1;
+ u8 transport_ip6 = 0;
+ sa_data_t *sa_sess_data;
+
+
+ i_bi0 = from[0];
+ from += 1;
+ n_left_from -= 1;
+ n_left_to_next -= 1;
+
+ next0 = ESP_DECRYPT_NEXT_DROP;
+
+ i_b0 = vlib_get_buffer (vm, i_bi0);
+ esp0 = vlib_buffer_get_current (i_b0);
+
+ sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
+ sa0 = pool_elt_at_index (im->sad, sa_index0);
+
+ seq = clib_host_to_net_u32 (esp0->seq);
+
+ /* anti-replay check */
+ if (sa0->use_anti_replay)
+ {
+ int rv = 0;
+
+ if (PREDICT_TRUE (sa0->use_esn))
+ rv = esp_replay_check_esn (sa0, seq);
+ else
+ rv = esp_replay_check (sa0, seq);
+
+ if (PREDICT_FALSE (rv))
+ {
+ clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq);
+ vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index,
+ ESP_DECRYPT_ERROR_REPLAY, 1);
+ o_bi0 = i_bi0;
+ to_next[0] = o_bi0;
+ to_next += 1;
+ goto trace;
+ }
+ }
+
+ sa0->total_data_size += i_b0->current_length;
+ int icv_size = em->esp_integ_algs[sa0->integ_alg].trunc_size;
+
+ sa_sess_data = pool_elt_at_index (cwm->sa_sess_d[0], sa_index0);
+ if (PREDICT_FALSE (!(sa_sess_data->sess)))
+ {
+ int ret = create_sess (sa0, sa_sess_data, 0);
+
+ if (ret)
+ {
+ to_next[0] = i_bi0;
+ to_next += 1;
+ goto trace;
+ }
+ }
+
+ odp_crypto_op_param_t crypto_op_params;
+ odp_bool_t posted = 0;
+ odp_crypto_op_result_t result;
+
+ crypto_op_params.session = sa_sess_data->sess;
+ crypto_op_params.ctx = NULL;
+ crypto_op_params.aad.ptr = NULL;
+ crypto_op_params.aad.length = 0;
+ crypto_op_params.pkt = (odp_packet_t) ((u8 *) i_b0 -
+ (u8 *)
+ odp_packet_user_area ((odp_packet_t) 0x0));
+ crypto_op_params.out_pkt = crypto_op_params.pkt;
+
+ crypto_op_params.override_iv_ptr = sa_sess_data->iv_data;
+
+
+ if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
+ {
+ i_b0->current_length -= icv_size;
+
+ crypto_op_params.auth_range.offset = (u32) i_b0->current_data;
+ crypto_op_params.auth_range.length = i_b0->current_length;
+
+ crypto_op_params.hash_result_offset =
+ (u32) (i_b0->current_data + i_b0->current_length);
+ }
+
+ if (PREDICT_TRUE (sa0->use_anti_replay))
+ {
+ if (PREDICT_TRUE (sa0->use_esn))
+ esp_replay_advance_esn (sa0, seq);
+ else
+ esp_replay_advance (sa0, seq);
+ }
+
+ /* grab free buffer */
+ uword last_empty_buffer = vec_len (empty_buffers) - 1;
+ o_bi0 = empty_buffers[last_empty_buffer];
+ to_next[0] = o_bi0;
+ to_next += 1;
+ o_b0 = vlib_get_buffer (vm, o_bi0);
+ vlib_prefetch_buffer_with_index (vm,
+ empty_buffers[last_empty_buffer -
+ 1], STORE);
+ _vec_len (empty_buffers) = last_empty_buffer;
+
+ /* add old buffer to the recycle list */
+ vec_add1 (recycle, i_bi0);
+
+ if (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 &&
+ sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256)
+ {
+ const int BLOCK_SIZE = 16;
+ const int IV_SIZE = 16;
+ esp_footer_t *f0;
+ u8 ip_hdr_size = 0;
+
+ int blocks =
+ (i_b0->current_length - sizeof (esp_header_t) -
+ IV_SIZE) / BLOCK_SIZE;
+
+ o_b0->current_data = sizeof (ethernet_header_t);
+
+ /* transport mode */
+ if (PREDICT_FALSE (!sa0->is_tunnel && !sa0->is_tunnel_ip6))
+ {
+ tunnel_mode = 0;
+ ih4 =
+ (ip4_header_t *) (i_b0->data +
+ sizeof (ethernet_header_t));
+ if (PREDICT_TRUE
+ ((ih4->ip_version_and_header_length & 0xF0) != 0x40))
+ {
+ if (PREDICT_TRUE
+ ((ih4->ip_version_and_header_length & 0xF0) ==
+ 0x60))
+ {
+ transport_ip6 = 1;
+ ip_hdr_size = sizeof (ip6_header_t);
+ ih6 =
+ (ip6_header_t *) (i_b0->data +
+ sizeof (ethernet_header_t));
+ oh6 = vlib_buffer_get_current (o_b0);
+ }
+ else
+ {
+ vlib_node_increment_counter (vm,
+ odp_crypto_esp_decrypt_node.index,
+ ESP_DECRYPT_ERROR_NOT_IP,
+ 1);
+ o_b0 = 0;
+ goto trace;
+ }
+ }
+ else
+ {
+ oh4 = vlib_buffer_get_current (o_b0);
+ ip_hdr_size = sizeof (ip4_header_t);
+ }
+ }
+
+ crypto_op_params.cipher_range.offset =
+ (u32) ((u8 *) vlib_buffer_get_current (i_b0) - (u8 *) i_b0) -
+ sizeof (vlib_buffer_t) + sizeof (esp_header_t) + IV_SIZE;
+ crypto_op_params.cipher_range.length = BLOCK_SIZE * blocks;
+ crypto_op_params.override_iv_ptr =
+ (u8 *) vlib_buffer_get_current (i_b0) + sizeof (esp_header_t);
+
+ odp_crypto_operation (&crypto_op_params, &posted, &result);
+
+ if (PREDICT_FALSE (!result.ok))
+ {
+ vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index,
+ ESP_DECRYPT_ERROR_INTEG_ERROR,
+ 1);
+ o_b0 = 0;
+ goto trace;
+ }
+
+ clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) +
+ ip_hdr_size, esp0->data + IV_SIZE,
+ BLOCK_SIZE * blocks);
+
+ o_b0->current_length = (blocks * 16) - 2 + ip_hdr_size;
+ o_b0->flags = VLIB_BUFFER_TOTAL_LENGTH_VALID;
+ f0 =
+ (esp_footer_t *) ((u8 *) vlib_buffer_get_current (o_b0) +
+ o_b0->current_length);
+ o_b0->current_length -= f0->pad_length;
+
+ /* tunnel mode */
+ if (PREDICT_TRUE (tunnel_mode))
+ {
+ if (PREDICT_TRUE (f0->next_header == IP_PROTOCOL_IP_IN_IP))
+ {
+ next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
+ oh4 = vlib_buffer_get_current (o_b0);
+ }
+ else if (f0->next_header == IP_PROTOCOL_IPV6)
+ next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
+ else
+ {
+ clib_warning ("next header: 0x%x", f0->next_header);
+ vlib_node_increment_counter (vm,
+ odp_crypto_esp_decrypt_node.index,
+ ESP_DECRYPT_ERROR_DECRYPTION_FAILED,
+ 1);
+ o_b0 = 0;
+ goto trace;
+ }
+ }
+ /* transport mode */
+ else
+ {
+ if (PREDICT_FALSE (transport_ip6))
+ {
+ next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
+ oh6->ip_version_traffic_class_and_flow_label =
+ ih6->ip_version_traffic_class_and_flow_label;
+ oh6->protocol = f0->next_header;
+ oh6->hop_limit = ih6->hop_limit;
+ oh6->src_address.as_u64[0] = ih6->src_address.as_u64[0];
+ oh6->src_address.as_u64[1] = ih6->src_address.as_u64[1];
+ oh6->dst_address.as_u64[0] = ih6->dst_address.as_u64[0];
+ oh6->dst_address.as_u64[1] = ih6->dst_address.as_u64[1];
+ oh6->payload_length =
+ clib_host_to_net_u16 (vlib_buffer_length_in_chain
+ (vm,
+ o_b0) - sizeof (ip6_header_t));
+ }
+ else
+ {
+ next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
+ oh4->ip_version_and_header_length = 0x45;
+ oh4->tos = ih4->tos;
+ oh4->fragment_id = 0;
+ oh4->flags_and_fragment_offset = 0;
+ oh4->ttl = ih4->ttl;
+ oh4->protocol = f0->next_header;
+ oh4->src_address.as_u32 = ih4->src_address.as_u32;
+ oh4->dst_address.as_u32 = ih4->dst_address.as_u32;
+ oh4->length =
+ clib_host_to_net_u16 (vlib_buffer_length_in_chain
+ (vm, o_b0));
+ oh4->checksum = ip4_header_checksum (oh4);
+ }
+ }
+
+ /* for IPSec-GRE tunnel next node is ipsec-gre-input */
+ if (PREDICT_FALSE
+ ((vnet_buffer (i_b0)->ipsec.flags) &
+ IPSEC_FLAG_IPSEC_GRE_TUNNEL))
+ next0 = ESP_DECRYPT_NEXT_IPSEC_GRE_INPUT;
+
+ vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ }
+
+ trace:
+ if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED))
+ {
+ if (o_b0)
+ {
+ o_b0->flags |= VLIB_BUFFER_IS_TRACED;
+ o_b0->trace_index = i_b0->trace_index;
+ esp_decrypt_trace_t *tr =
+ vlib_add_trace (vm, node, o_b0, sizeof (*tr));
+ tr->crypto_alg = sa0->crypto_alg;
+ tr->integ_alg = sa0->integ_alg;
+ }
+ }
+
+ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
+ n_left_to_next, o_bi0, next0);
+ }
+ vlib_put_next_frame (vm, node, next_index, n_left_to_next);
+ }
+ vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index,
+ ESP_DECRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
+
+free_buffers_and_exit:
+ if (recycle)
+ vlib_buffer_free (vm, recycle, vec_len (recycle));
+ vec_free (recycle);
+ return from_frame->n_vectors;
+}
+
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (odp_crypto_esp_decrypt_node) = {
+ .function = esp_decrypt_node_fn,
+ .name = "odp-crypto-esp-decrypt",
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_decrypt_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+
+ .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
+ .error_strings = esp_decrypt_error_strings,
+
+ .n_next_nodes = ESP_DECRYPT_N_NEXT,
+ .next_nodes = {
+#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n,
+ foreach_esp_decrypt_next
+#undef _
+ },
+};
+/* *INDENT-ON* */
+
+VLIB_NODE_FUNCTION_MULTIARCH (odp_crypto_esp_decrypt_node, esp_decrypt_node_fn)
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/odp/ipsec/esp_encrypt.c b/src/plugins/odp/ipsec/esp_encrypt.c
new file mode 100644
index 0000000..38cffea
--- /dev/null
+++ b/src/plugins/odp/ipsec/esp_encrypt.c
@@ -0,0 +1,445 @@
+/*
+ * esp_encrypt.c : IPSec ESP encrypt node
+ *
+ * Copyright (c) 2015 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/vnet.h>
+#include <vnet/api_errno.h>
+#include <vnet/ip/ip.h>
+
+#include <odp/ipsec/ipsec.h>
+#include <odp/ipsec/esp.h>
+
+
+#define foreach_esp_encrypt_next \
+_(DROP, "error-drop") \
+_(IP4_LOOKUP, "ip4-lookup") \
+_(IP6_LOOKUP, "ip6-lookup") \
+_(INTERFACE_OUTPUT, "interface-output")
+
+#define _(v, s) ESP_ENCRYPT_NEXT_##v,
+typedef enum
+{
+ foreach_esp_encrypt_next
+#undef _
+ ESP_ENCRYPT_N_NEXT,
+} esp_encrypt_next_t;
+
+#define foreach_esp_encrypt_error \
+ _(RX_PKTS, "ESP pkts received") \
+ _(NO_BUFFER, "No buffer (packet dropped)") \
+ _(DECRYPTION_FAILED, "ESP encryption failed") \
+ _(SEQ_CYCLED, "sequence number cycled")
+
+
+typedef enum
+{
+#define _(sym,str) ESP_ENCRYPT_ERROR_##sym,
+ foreach_esp_encrypt_error
+#undef _
+ ESP_ENCRYPT_N_ERROR,
+} esp_encrypt_error_t;
+
+static char *esp_encrypt_error_strings[] = {
+#define _(sym,string) string,
+ foreach_esp_encrypt_error
+#undef _
+};
+
+typedef struct
+{
+ u32 spi;
+ u32 seq;
+ ipsec_crypto_alg_t crypto_alg;
+ ipsec_integ_alg_t integ_alg;
+} esp_encrypt_trace_t;
+
+vlib_node_registration_t odp_crypto_esp_encrypt_node;
+
+/* packet trace format function */
+static u8 *
+format_esp_encrypt_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *);
+
+ s = format (s, "(ODP) esp: spi %u seq %u crypto %U integrity %U",
+ t->spi, t->seq,
+ format_ipsec_crypto_alg, t->crypto_alg,
+ format_ipsec_integ_alg, t->integ_alg);
+ return s;
+}
+
+static uword
+esp_encrypt_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * from_frame)
+{
+ u32 n_left_from, *from, *to_next = 0, next_index;
+ from = vlib_frame_vector_args (from_frame);
+ n_left_from = from_frame->n_vectors;
+ ipsec_main_t *im = &ipsec_main;
+ u32 *recycle = 0;
+ odp_crypto_main_t *ocm = &odp_crypto_main;
+ u32 thread_index = vlib_get_thread_index ();
+ esp_main_t *em = &odp_esp_main;
+
+ ipsec_alloc_empty_buffers (vm, im);
+
+ u32 *empty_buffers = im->empty_buffers[thread_index];
+
+ odp_crypto_worker_main_t *cwm =
+ vec_elt_at_index (ocm->workers, thread_index);
+
+ if (PREDICT_FALSE (vec_len (empty_buffers) < n_left_from))
+ {
+ vlib_node_increment_counter (vm, odp_crypto_esp_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_NO_BUFFER, n_left_from);
+ clib_warning ("no enough empty buffers. discarding frame");
+ goto free_buffers_and_exit;
+ }
+
+ next_index = node->cached_next_index;
+
+ while (n_left_from > 0)
+ {
+ u32 n_left_to_next;
+
+ vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
+
+ while (n_left_from > 0 && n_left_to_next > 0)
+ {
+ u32 i_bi0, o_bi0, next0;
+ vlib_buffer_t *i_b0, *o_b0 = 0;
+ u32 sa_index0;
+ ipsec_sa_t *sa0;
+ ip4_and_esp_header_t *ih0, *oh0 = 0;
+ ip6_and_esp_header_t *ih6_0, *oh6_0 = 0;
+ uword last_empty_buffer;
+ esp_footer_t *f0;
+ u8 is_ipv6;
+ u8 ip_hdr_size;
+ u8 next_hdr_type;
+ u32 ip_proto = 0;
+ u8 transport_mode = 0;
+ sa_data_t *sa_sess_data;
+
+ i_bi0 = from[0];
+ from += 1;
+ n_left_from -= 1;
+ n_left_to_next -= 1;
+
+ next0 = ESP_ENCRYPT_NEXT_DROP;
+
+ i_b0 = vlib_get_buffer (vm, i_bi0);
+ sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index;
+ sa0 = pool_elt_at_index (im->sad, sa_index0);
+
+ if (PREDICT_FALSE (esp_seq_advance (sa0)))
+ {
+ clib_warning ("sequence number counter has cycled SPI %u",
+ sa0->spi);
+ vlib_node_increment_counter (vm, odp_crypto_esp_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
+ //TODO: rekey SA
+ o_bi0 = i_bi0;
+ to_next[0] = o_bi0;
+ to_next += 1;
+ goto trace;
+ }
+
+ sa0->total_data_size += i_b0->current_length;
+
+ /* grab free buffer */
+ last_empty_buffer = vec_len (empty_buffers) - 1;
+ o_bi0 = empty_buffers[last_empty_buffer];
+ o_b0 = vlib_get_buffer (vm, o_bi0);
+ o_b0->flags = VLIB_BUFFER_TOTAL_LENGTH_VALID;
+ o_b0->current_data = sizeof (ethernet_header_t);
+ ih0 = vlib_buffer_get_current (i_b0);
+ vlib_prefetch_buffer_with_index (vm,
+ empty_buffers[last_empty_buffer -
+ 1], STORE);
+ _vec_len (empty_buffers) = last_empty_buffer;
+ to_next[0] = o_bi0;
+ to_next += 1;
+
+ sa_sess_data = pool_elt_at_index (cwm->sa_sess_d[1], sa_index0);
+ if (PREDICT_FALSE (!(sa_sess_data->sess)))
+ {
+ int ret = create_sess (sa0, sa_sess_data, 1);
+
+ if (ret)
+ {
+ to_next[0] = i_bi0;
+ to_next += 1;
+ goto trace;
+ }
+ }
+
+ /* add old buffer to the recycle list */
+ vec_add1 (recycle, i_bi0);
+
+ /* is ipv6 */
+ if (PREDICT_FALSE
+ ((ih0->ip4.ip_version_and_header_length & 0xF0) == 0x60))
+ {
+ is_ipv6 = 1;
+ ih6_0 = vlib_buffer_get_current (i_b0);
+ ip_hdr_size = sizeof (ip6_header_t);
+ next_hdr_type = IP_PROTOCOL_IPV6;
+ oh6_0 = vlib_buffer_get_current (o_b0);
+
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label =
+ ih6_0->ip6.ip_version_traffic_class_and_flow_label;
+ oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_ESP;
+ oh6_0->ip6.hop_limit = 254;
+ oh6_0->ip6.src_address.as_u64[0] =
+ ih6_0->ip6.src_address.as_u64[0];
+ oh6_0->ip6.src_address.as_u64[1] =
+ ih6_0->ip6.src_address.as_u64[1];
+ oh6_0->ip6.dst_address.as_u64[0] =
+ ih6_0->ip6.dst_address.as_u64[0];
+ oh6_0->ip6.dst_address.as_u64[1] =
+ ih6_0->ip6.dst_address.as_u64[1];
+ oh6_0->esp.spi = clib_net_to_host_u32 (sa0->spi);
+ oh6_0->esp.seq = clib_net_to_host_u32 (sa0->seq);
+ ip_proto = ih6_0->ip6.protocol;
+
+ next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP;
+ }
+ else
+ {
+ is_ipv6 = 0;
+ ip_hdr_size = sizeof (ip4_header_t);
+ next_hdr_type = IP_PROTOCOL_IP_IN_IP;
+ oh0 = vlib_buffer_get_current (o_b0);
+
+ oh0->ip4.ip_version_and_header_length = 0x45;
+ oh0->ip4.tos = ih0->ip4.tos;
+ oh0->ip4.fragment_id = 0;
+ oh0->ip4.flags_and_fragment_offset = 0;
+ oh0->ip4.ttl = 254;
+ oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP;
+ oh0->ip4.src_address.as_u32 = ih0->ip4.src_address.as_u32;
+ oh0->ip4.dst_address.as_u32 = ih0->ip4.dst_address.as_u32;
+ oh0->esp.spi = clib_net_to_host_u32 (sa0->spi);
+ oh0->esp.seq = clib_net_to_host_u32 (sa0->seq);
+ ip_proto = ih0->ip4.protocol;
+
+ next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP;
+ }
+
+ if (PREDICT_TRUE
+ (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6))
+ {
+ oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32;
+ oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
+
+ vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ }
+ else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6)
+ {
+ oh6_0->ip6.src_address.as_u64[0] =
+ sa0->tunnel_src_addr.ip6.as_u64[0];
+ oh6_0->ip6.src_address.as_u64[1] =
+ sa0->tunnel_src_addr.ip6.as_u64[1];
+ oh6_0->ip6.dst_address.as_u64[0] =
+ sa0->tunnel_dst_addr.ip6.as_u64[0];
+ oh6_0->ip6.dst_address.as_u64[1] =
+ sa0->tunnel_dst_addr.ip6.as_u64[1];
+
+ vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ }
+ else
+ {
+ next_hdr_type = ip_proto;
+ if (vnet_buffer (i_b0)->sw_if_index[VLIB_TX] != ~0)
+ {
+ transport_mode = 1;
+ ethernet_header_t *ieh0, *oeh0;
+ ieh0 =
+ (ethernet_header_t *) ((u8 *)
+ vlib_buffer_get_current (i_b0) -
+ sizeof (ethernet_header_t));
+ oeh0 = (ethernet_header_t *) o_b0->data;
+ clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t));
+ next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
+ vnet_buffer (o_b0)->sw_if_index[VLIB_TX] =
+ vnet_buffer (i_b0)->sw_if_index[VLIB_TX];
+ }
+ vlib_buffer_advance (i_b0, ip_hdr_size);
+ }
+
+ ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG);
+
+ if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE))
+ {
+
+ const int BLOCK_SIZE = 16;
+ const int IV_SIZE = 16;
+ int blocks = 1 + (i_b0->current_length + 1) / BLOCK_SIZE;
+
+ /* pad packet in input buffer */
+ u8 pad_bytes = BLOCK_SIZE * blocks - 2 - i_b0->current_length;
+ u8 i;
+ u8 *padding =
+ vlib_buffer_get_current (i_b0) + i_b0->current_length;
+ i_b0->current_length = BLOCK_SIZE * blocks;
+ for (i = 0; i < pad_bytes; ++i)
+ {
+ padding[i] = i + 1;
+ }
+ f0 = vlib_buffer_get_current (i_b0) + i_b0->current_length - 2;
+ f0->pad_length = pad_bytes;
+ f0->next_header = next_hdr_type;
+
+ o_b0->current_length = ip_hdr_size + sizeof (esp_header_t) +
+ BLOCK_SIZE * blocks + IV_SIZE;
+
+ vnet_buffer (o_b0)->sw_if_index[VLIB_RX] =
+ vnet_buffer (i_b0)->sw_if_index[VLIB_RX];
+
+ odp_crypto_op_param_t crypto_op_params;
+ odp_bool_t posted = 0;
+ odp_crypto_op_result_t result;
+
+ crypto_op_params.session = sa_sess_data->sess;
+ crypto_op_params.ctx = NULL;
+ crypto_op_params.aad.ptr = NULL;
+ crypto_op_params.aad.length = 0;
+ crypto_op_params.pkt =
+ (odp_packet_t) ((u8 *) o_b0 -
+ (u8 *) odp_packet_user_area ((odp_packet_t)
+ 0x0));
+ crypto_op_params.out_pkt = crypto_op_params.pkt;
+
+ crypto_op_params.override_iv_ptr = sa_sess_data->iv_data;
+
+ crypto_op_params.cipher_range.offset =
+ (u32) ((u8 *) vlib_buffer_get_current (o_b0) - (u8 *) o_b0) -
+ sizeof (vlib_buffer_t) + ip_hdr_size + sizeof (esp_header_t) +
+ IV_SIZE;
+
+ crypto_op_params.cipher_range.length = BLOCK_SIZE * blocks;
+
+ crypto_op_params.auth_range.offset =
+ (u32) ((u8 *) vlib_buffer_get_current (o_b0) - (u8 *) o_b0) -
+ sizeof (vlib_buffer_t) + ip_hdr_size;
+ crypto_op_params.auth_range.length =
+ o_b0->current_length - ip_hdr_size;
+ crypto_op_params.hash_result_offset =
+ (u32) ((u8 *) vlib_buffer_get_current (o_b0) - (u8 *) o_b0) -
+ sizeof (vlib_buffer_t) + o_b0->current_length;
+
+ clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) +
+ ip_hdr_size + sizeof (esp_header_t) + IV_SIZE,
+ (u8 *) vlib_buffer_get_current (i_b0),
+ BLOCK_SIZE * blocks);
+
+ clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) +
+ ip_hdr_size + sizeof (esp_header_t),
+ sa_sess_data->iv_data,
+ sizeof (sa_sess_data->iv_data));
+
+ o_b0->current_length +=
+ em->esp_integ_algs[sa0->integ_alg].trunc_size;
+ int ret =
+ odp_crypto_operation (&crypto_op_params, &posted, &result);
+ if (ret != 0)
+ {
+ clib_error ("Crypto operation not sucessful\n");
+ goto trace;
+ }
+ }
+
+ if (PREDICT_FALSE (is_ipv6))
+ {
+ oh6_0->ip6.payload_length =
+ clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, o_b0) -
+ sizeof (ip6_header_t));
+ }
+ else
+ {
+ oh0->ip4.length =
+ clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, o_b0));
+ oh0->ip4.checksum = ip4_header_checksum (&oh0->ip4);
+ }
+
+ if (transport_mode)
+ vlib_buffer_reset (o_b0);
+
+ trace:
+ if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED))
+ {
+ if (o_b0)
+ {
+ o_b0->flags |= VLIB_BUFFER_IS_TRACED;
+ o_b0->trace_index = i_b0->trace_index;
+ esp_encrypt_trace_t *tr =
+ vlib_add_trace (vm, node, o_b0, sizeof (*tr));
+ tr->spi = sa0->spi;
+ tr->seq = sa0->seq - 1;
+ tr->crypto_alg = sa0->crypto_alg;
+ tr->integ_alg = sa0->integ_alg;
+ }
+ }
+
+ vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
+ to_next, n_left_to_next, o_bi0,
+ next0);
+ }
+ vlib_put_next_frame (vm, node, next_index, n_left_to_next);
+ }
+ vlib_node_increment_counter (vm, odp_crypto_esp_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
+
+free_buffers_and_exit:
+ if (recycle)
+ vlib_buffer_free (vm, recycle, vec_len (recycle));
+ vec_free (recycle);
+ return from_frame->n_vectors;
+}
+
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (odp_crypto_esp_encrypt_node) = {
+ .function = esp_encrypt_node_fn,
+ .name = "odp-crypto-esp-encrypt",
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_encrypt_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+
+ .n_errors = ARRAY_LEN(esp_encrypt_error_strings),
+ .error_strings = esp_encrypt_error_strings,
+
+ .n_next_nodes = ESP_ENCRYPT_N_NEXT,
+ .next_nodes = {
+#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n,
+ foreach_esp_encrypt_next
+#undef _
+ },
+};
+/* *INDENT-ON* */
+
+VLIB_NODE_FUNCTION_MULTIARCH (odp_crypto_esp_encrypt_node, esp_encrypt_node_fn)
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/odp/ipsec/ipsec.c b/src/plugins/odp/ipsec/ipsec.c
new file mode 100644
index 0000000..339240f
--- /dev/null
+++ b/src/plugins/odp/ipsec/ipsec.c
@@ -0,0 +1,263 @@
+/*
+ * decap.c : IPSec tunnel support
+ *
+ * Copyright (c) 2015 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/vnet.h>
+#include <vnet/api_errno.h>
+#include <vnet/ip/ip.h>
+#include <vnet/interface.h>
+
+#include <odp/ipsec/ipsec.h>
+#include <odp/ipsec/esp.h>
+
+static int
+add_del_sa_sess (u32 sa_index, u8 is_add)
+{
+ odp_crypto_main_t *ocm = &odp_crypto_main;
+ odp_crypto_worker_main_t *cwm;
+
+ vec_foreach (cwm, ocm->workers)
+ {
+ sa_data_t *sa_sess_data;
+ u8 is_outbound;
+
+ for (is_outbound = 0; is_outbound < 2; is_outbound++)
+ {
+ if (is_add)
+ {
+ pool_get (cwm->sa_sess_d[is_outbound], sa_sess_data);
+ memset (sa_sess_data, 0, sizeof (sa_sess_data[0]));
+ }
+ else
+ {
+
+ sa_sess_data =
+ pool_elt_at_index (cwm->sa_sess_d[is_outbound], sa_index);
+
+ if (sa_sess_data->sess)
+ {
+ if (odp_crypto_session_destroy (sa_sess_data->sess))
+ {
+ clib_warning ("failed to free session");
+ return -1;
+ }
+ }
+
+ pool_put (cwm->sa_sess_d[is_outbound], sa_sess_data);
+ }
+ }
+ }
+
+ return 0;
+}
+
+int
+create_sess (ipsec_sa_t * sa, sa_data_t * sa_sess_data, int is_outbound)
+{
+ odp_crypto_ses_create_err_t ses_create_rc;
+ odp_crypto_session_param_t crypto_params;
+ odp_crypto_session_param_init (&crypto_params);
+
+ esp_main_t *em = &odp_esp_main;
+ int trunc_size = em->esp_integ_algs[sa->integ_alg].trunc_size;
+
+ const int max_auth_capa_amount = 8;
+ odp_crypto_auth_capability_t capa[max_auth_capa_amount];
+ int actual_capa_amount;
+
+ crypto_params.auth_cipher_text = 1;
+
+ /* Synchronous mode */
+ crypto_params.pref_mode = ODP_CRYPTO_SYNC;
+ crypto_params.compl_queue = ODP_QUEUE_INVALID;
+ crypto_params.output_pool = ODP_POOL_INVALID;
+
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_CBC_128)
+ {
+ crypto_params.cipher_alg = ODP_CIPHER_ALG_AES_CBC;
+ crypto_params.cipher_key.length = sa->crypto_key_len;
+ }
+ else
+ {
+ crypto_params.cipher_alg = ODP_CIPHER_ALG_NULL;
+ }
+
+ switch (sa->integ_alg)
+ {
+ case IPSEC_INTEG_ALG_SHA_512_256:
+ crypto_params.auth_alg = ODP_AUTH_ALG_SHA512_HMAC;
+ break;
+ case IPSEC_INTEG_ALG_SHA_256_128:
+ crypto_params.auth_alg = ODP_AUTH_ALG_SHA256_HMAC;
+ break;
+ case IPSEC_INTEG_ALG_SHA1_96:
+ crypto_params.auth_alg = ODP_AUTH_ALG_SHA1_HMAC;
+ break;
+ default:
+ crypto_params.auth_alg = ODP_AUTH_ALG_NULL;
+ break;
+ }
+
+ actual_capa_amount = odp_crypto_auth_capability (crypto_params.auth_alg,
+ capa,
+ max_auth_capa_amount);
+ int picked_capa = -1;
+ int i;
+
+ for (i = 0; i < actual_capa_amount; i++)
+ {
+ if (capa[i].digest_len >= trunc_size &&
+ capa[i].key_len >= sa->crypto_key_len)
+ {
+ picked_capa = i;
+ break;
+ }
+ }
+
+ if (picked_capa == -1)
+ {
+ if (actual_capa_amount)
+ clib_warning
+ ("Failed to get matching capabilities, algorithm appears to be supported but key or digest length incompatible\n");
+ else
+ clib_warning
+ ("Failed to get matching capabilities, algorithm probably not supported\n");
+ return -1;
+ }
+
+ sa_sess_data->key_size = capa[picked_capa].key_len;
+ sa_sess_data->digest_size = capa[picked_capa].digest_len;
+ crypto_params.auth_key.length = sa_sess_data->key_size;
+ crypto_params.auth_digest_len = sa_sess_data->digest_size;
+
+ memset (sa->integ_key + sa->integ_key_len, 0,
+ sa_sess_data->key_size - sa->integ_key_len);
+
+ if (is_outbound)
+ crypto_params.op = ODP_CRYPTO_OP_ENCODE;
+ else
+ crypto_params.op = ODP_CRYPTO_OP_DECODE;
+
+ crypto_params.cipher_key.data = sa->crypto_key;
+ crypto_params.auth_key.data = sa->integ_key;
+ crypto_params.iv.data = sa_sess_data->iv_data;
+ const int IV_LEN = 16;
+ sa_sess_data->iv_len = IV_LEN;
+ crypto_params.iv.length = IV_LEN;
+
+ {
+ int size = crypto_params.iv.length;
+ int ret =
+ odp_random_data (crypto_params.iv.data, size, ODP_RANDOM_CRYPTO);
+
+ if (ret != size)
+ {
+ clib_error_return (0, "failed to get random from ODP");
+ return -1;
+ }
+ }
+
+ if (odp_crypto_session_create
+ (&crypto_params, &sa_sess_data->sess, &ses_create_rc))
+ {
+ clib_warning ("Unable to create session\n");
+ clib_warning ("%d\n", ses_create_rc);
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
+
+ if (ODP_CRYPTO_SESSION_INVALID == sa_sess_data->sess)
+ {
+ clib_warning ("ODP_CRYPTO_SESSION_INVALID\n");
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
+
+ if (ODP_CRYPTO_SES_CREATE_ERR_NONE != ses_create_rc)
+ {
+ clib_warning ("Session creation returned some errors\n");
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
+
+ return 0;
+}
+
+clib_error_t *
+odp_ipsec_check_support (ipsec_sa_t * sa)
+{
+ // TODO maybe we should check what crypto is available or something?
+ return 0;
+}
+
+clib_error_t *
+ipsec_init (vlib_main_t * vm)
+{
+ if (!enable_odp_crypto)
+ return 0;
+ ipsec_main_t *im = &ipsec_main;
+ odp_crypto_main_t *ocm = &odp_crypto_main;
+ vlib_thread_main_t *tm = vlib_get_thread_main ();
+ vlib_node_t *ipsec_node, *crypto_node, *error_node;
+
+ memset (im, 0, sizeof (im[0]));
+
+ im->vnet_main = vnet_get_main ();
+ im->vlib_main = vm;
+
+ im->spd_index_by_spd_id = hash_create (0, sizeof (uword));
+ im->sa_index_by_sa_id = hash_create (0, sizeof (uword));
+ im->spd_index_by_sw_if_index = hash_create (0, sizeof (uword));
+
+ vec_validate_aligned (im->empty_buffers, tm->n_vlib_mains - 1,
+ CLIB_CACHE_LINE_BYTES);
+
+ error_node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
+ ASSERT (error_node);
+ im->error_drop_node_index = error_node->index;
+
+
+ ipsec_node = vlib_get_node_by_name (vm, (u8 *) "ipsec-output-ip4");
+ ASSERT (ipsec_node);
+ crypto_node = vlib_get_node_by_name (vm, (u8 *) "odp-crypto-esp-encrypt");
+ ASSERT (crypto_node);
+ im->esp_encrypt_node_index = crypto_node->index;
+ im->esp_encrypt_next_index =
+ vlib_node_add_next (vm, ipsec_node->index, crypto_node->index);
+
+ ipsec_node = vlib_get_node_by_name (vm, (u8 *) "ipsec-input-ip4");
+ ASSERT (ipsec_node);
+ crypto_node = vlib_get_node_by_name (vm, (u8 *) "odp-crypto-esp-decrypt");
+ ASSERT (crypto_node);
+ im->esp_decrypt_node_index = crypto_node->index;
+ im->esp_decrypt_next_index =
+ vlib_node_add_next (vm, ipsec_node->index, crypto_node->index);
+
+ im->cb.check_support_cb = odp_ipsec_check_support;
+ im->cb.add_del_sa_sess_cb = add_del_sa_sess;
+
+ vec_alloc (ocm->workers, tm->n_vlib_mains);
+ _vec_len (ocm->workers) = tm->n_vlib_mains;
+
+ esp_init ();
+
+ return 0;
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/odp/ipsec/ipsec.h b/src/plugins/odp/ipsec/ipsec.h
new file mode 100644
index 0000000..0f3ceb8
--- /dev/null
+++ b/src/plugins/odp/ipsec/ipsec.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2015 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef __ODP_IPSEC_H__
+#define __ODP_IPSEC_H__
+
+#include <odp_api.h>
+#include <vnet/ipsec/ipsec.h>
+
+typedef struct
+{
+ odp_crypto_session_t sess;
+ u32 digest_size;
+ u8 iv_data[16];
+ u32 iv_len;
+ u32 key_size;
+} sa_data_t;
+
+typedef struct
+{
+ sa_data_t *sa_sess_d[2];
+ odp_queue_t post_encrypt, post_decrypt;
+} odp_crypto_worker_main_t;
+
+typedef struct
+{
+ odp_crypto_worker_main_t *workers;
+} odp_crypto_main_t;
+
+extern vlib_node_registration_t odp_crypto_input_node;
+extern odp_crypto_main_t odp_crypto_main;
+extern u8 enable_odp_crypto;
+
+int create_sess (ipsec_sa_t * sa, sa_data_t * sess, int is_outbound);
+
+clib_error_t *ipsec_init (vlib_main_t * vm);
+
+#endif /* __IPSEC_H__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/odp/odp_packet.c b/src/plugins/odp/odp_packet.c
index 840a7e9..fb9ab19 100755
--- a/src/plugins/odp/odp_packet.c
+++ b/src/plugins/odp/odp_packet.c
@@ -13,6 +13,7 @@
#include <vnet/plugin/plugin.h>
#include <vpp/app/version.h>
#include <odp/odp_packet.h>
+#include <odp/ipsec/ipsec.h>
odp_packet_main_t *odp_packet_main;
u32 rx_sched_wait;
@@ -20,6 +21,8 @@ u32 tx_burst_size;
u32 num_pkts_in_pool = SHM_PKT_POOL_NB_PKTS;
odp_if_mode_t def_if_mode;
odp_if_config_t *if_config;
+odp_crypto_main_t odp_crypto_main;
+u8 enable_odp_crypto;
static u32
odp_packet_eth_flag_change (vnet_main_t * vnm, vnet_hw_interface_t * hi,
@@ -422,6 +425,10 @@ odp_config (vlib_main_t * vm, unformat_input_t * input)
odp_device_config (param, NULL);
vec_free (param);
}
+ else if (unformat (input, "enable-odp-crypto"))
+ {
+ enable_odp_crypto = 1;
+ }
else if (unformat (input, "%s", &param))
{
clib_warning ("%s: Unknown option %s\n", __func__, param);
@@ -464,6 +471,8 @@ odp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
/* Initialization complete and worker threads can start */
tm->worker_thread_release = 1;
+ ipsec_init (vlib_get_main ());
+
return 0;
}
diff --git a/src/plugins/odp/odp_packet.h b/src/plugins/odp/odp_packet.h
index 57b651e..73972cb 100755
--- a/src/plugins/odp/odp_packet.h
+++ b/src/plugins/odp/odp_packet.h
@@ -80,6 +80,7 @@ extern u32 rx_sched_wait;
extern u32 tx_burst_size;
extern u32 num_pkts_in_pool;
extern odp_if_mode_t def_if_mode;
+extern u8 enable_odp_crypto;
u32 odp_packet_create_if (vlib_main_t * vm, u8 * host_if_name,
u8 * hw_addr_set, u32 * sw_if_index,
diff --git a/src/vpp/conf/startup.conf b/src/vpp/conf/startup.conf
index 15c9086..6947d37 100644
--- a/src/vpp/conf/startup.conf
+++ b/src/vpp/conf/startup.conf
@@ -129,6 +129,9 @@ cpu {
# num-rx-queues 2
# hw-addr 3c:fd:fe:a4:37:99
# }
+
+ ## Make use of ODP crypto API to accelerate IPsec
+ # enable-odp-crypto
# }
# Adjusting the plugin path depending on where the VPP plugins are: