From 11959b50936026a43106f9079b1df0d9b67e674a Mon Sep 17 00:00:00 2001 From: Szymon Sliwa Date: Wed, 23 Aug 2017 17:42:22 +0200 Subject: plugins: odp: Add ODP-IPsec node Based heavily on the src/vnet/ipsec. Reuses the pure software VPP IPsec implementation CLI command. To use enable-odp-crypto needs to be present in the odp section of startup configuration, like this: odp { enable-odp-crypto } Currenlty only IPv4 is supported, and only in transport mode. Authentication headers are not supported, this limitation is inherited from VPP. Supported crypto algorithms are aes-cbc-128 for encryption, and sha-512-256, sha-256-128, sha1-96 for authentication Change-Id: I08c66f96a73d8cb4ef1095f181ddf47506abc39a Signed-off-by: Szymon Sliwa --- src/plugins/odp.am | 19 +- src/plugins/odp/ipsec/esp.h | 288 ++++++++++++++++++++++ src/plugins/odp/ipsec/esp_decrypt.c | 472 ++++++++++++++++++++++++++++++++++++ src/plugins/odp/ipsec/esp_encrypt.c | 445 +++++++++++++++++++++++++++++++++ src/plugins/odp/ipsec/ipsec.c | 263 ++++++++++++++++++++ src/plugins/odp/ipsec/ipsec.h | 57 +++++ src/plugins/odp/odp_packet.c | 9 + src/plugins/odp/odp_packet.h | 1 + src/vpp/conf/startup.conf | 3 + 9 files changed, 1550 insertions(+), 7 deletions(-) create mode 100644 src/plugins/odp/ipsec/esp.h create mode 100644 src/plugins/odp/ipsec/esp_decrypt.c create mode 100644 src/plugins/odp/ipsec/esp_encrypt.c create mode 100644 src/plugins/odp/ipsec/ipsec.c create mode 100644 src/plugins/odp/ipsec/ipsec.h diff --git a/src/plugins/odp.am b/src/plugins/odp.am index 10c8e273..fb874f71 100644 --- a/src/plugins/odp.am +++ b/src/plugins/odp.am @@ -15,13 +15,18 @@ vppplugins_LTLIBRARIES += odp_plugin.la odp_plugin_la_LDFLAGS = $(AM_LDFLAGS) $(ODP_LIBS) -odp_plugin_la_SOURCES = odp/cli.c \ - odp/node.c \ - odp/odp_packet.c \ - odp/device.c \ - odp/buffer.c \ - odp/thread.c +odp_plugin_la_SOURCES = odp/cli.c \ + odp/node.c \ + odp/odp_packet.c \ + odp/device.c \ + odp/buffer.c \ + odp/thread.c \ + odp/ipsec/ipsec.c \ + odp/ipsec/esp_encrypt.c \ + odp/ipsec/esp_decrypt.c -noinst_HEADERS += odp/odp_packet.h +noinst_HEADERS += odp/odp_packet.h \ + odp/ipsec/ipsec.h \ + odp/ipsec/esp.h # vi:syntax=automake diff --git a/src/plugins/odp/ipsec/esp.h b/src/plugins/odp/ipsec/esp.h new file mode 100644 index 00000000..b7cc4689 --- /dev/null +++ b/src/plugins/odp/ipsec/esp.h @@ -0,0 +1,288 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __ESP_H__ +#define __ESP_H__ + +#include +#include +#include + +#include + +typedef struct +{ + u32 spi; + u32 seq; + u8 data[0]; +} esp_header_t; + +typedef struct +{ + u8 pad_length; + u8 next_header; +} esp_footer_t; + +/* *INDENT-OFF* */ +typedef CLIB_PACKED (struct { + ip4_header_t ip4; + esp_header_t esp; +}) ip4_and_esp_header_t; +/* *INDENT-ON* */ + +/* *INDENT-OFF* */ +typedef CLIB_PACKED (struct { + ip6_header_t ip6; + esp_header_t esp; +}) ip6_and_esp_header_t; +/* *INDENT-ON* */ + +typedef struct +{ + const EVP_CIPHER *type; +} esp_crypto_alg_t; + +typedef struct +{ + const EVP_MD *md; + u8 trunc_size; +} esp_integ_alg_t; + +typedef struct +{ + CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); + EVP_CIPHER_CTX encrypt_ctx; + CLIB_CACHE_LINE_ALIGN_MARK (cacheline1); + EVP_CIPHER_CTX decrypt_ctx; + CLIB_CACHE_LINE_ALIGN_MARK (cacheline2); + HMAC_CTX hmac_ctx; + ipsec_crypto_alg_t last_encrypt_alg; + ipsec_crypto_alg_t last_decrypt_alg; + ipsec_integ_alg_t last_integ_alg; +} esp_main_per_thread_data_t; + +typedef struct +{ + esp_crypto_alg_t *esp_crypto_algs; + esp_integ_alg_t *esp_integ_algs; + esp_main_per_thread_data_t *per_thread_data; +} esp_main_t; + +esp_main_t odp_esp_main; + +#define ESP_WINDOW_SIZE (64) +#define ESP_SEQ_MAX (4294967295UL) + + +always_inline int +esp_replay_check (ipsec_sa_t * sa, u32 seq) +{ + u32 diff; + + if (PREDICT_TRUE (seq > sa->last_seq)) + return 0; + + diff = sa->last_seq - seq; + + if (ESP_WINDOW_SIZE > diff) + return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + else + return 1; + + return 0; +} + +always_inline int +esp_replay_check_esn (ipsec_sa_t * sa, u32 seq) +{ + u32 tl = sa->last_seq; + u32 th = sa->last_seq_hi; + u32 diff = tl - seq; + + if (PREDICT_TRUE (tl >= (ESP_WINDOW_SIZE - 1))) + { + if (seq >= (tl - ESP_WINDOW_SIZE + 1)) + { + sa->seq_hi = th; + if (seq <= tl) + return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + else + return 0; + } + else + { + sa->seq_hi = th + 1; + return 0; + } + } + else + { + if (seq >= (tl - ESP_WINDOW_SIZE + 1)) + { + sa->seq_hi = th - 1; + return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + } + else + { + sa->seq_hi = th; + if (seq <= tl) + return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + else + return 0; + } + } + + return 0; +} + +/* TODO seq increment should be atomic to be accessed by multiple workers */ +always_inline void +esp_replay_advance (ipsec_sa_t * sa, u32 seq) +{ + u32 pos; + + if (seq > sa->last_seq) + { + pos = seq - sa->last_seq; + if (pos < ESP_WINDOW_SIZE) + sa->replay_window = ((sa->replay_window) << pos) | 1; + else + sa->replay_window = 1; + sa->last_seq = seq; + } + else + { + pos = sa->last_seq - seq; + sa->replay_window |= (1ULL << pos); + } +} + +always_inline void +esp_replay_advance_esn (ipsec_sa_t * sa, u32 seq) +{ + int wrap = sa->seq_hi - sa->last_seq_hi; + u32 pos; + + if (wrap == 0 && seq > sa->last_seq) + { + pos = seq - sa->last_seq; + if (pos < ESP_WINDOW_SIZE) + sa->replay_window = ((sa->replay_window) << pos) | 1; + else + sa->replay_window = 1; + sa->last_seq = seq; + } + else if (wrap > 0) + { + pos = ~seq + sa->last_seq + 1; + if (pos < ESP_WINDOW_SIZE) + sa->replay_window = ((sa->replay_window) << pos) | 1; + else + sa->replay_window = 1; + sa->last_seq = seq; + sa->last_seq_hi = sa->seq_hi; + } + else if (wrap < 0) + { + pos = ~seq + sa->last_seq + 1; + sa->replay_window |= (1ULL << pos); + } + else + { + pos = sa->last_seq - seq; + sa->replay_window |= (1ULL << pos); + } +} + +always_inline int +esp_seq_advance (ipsec_sa_t * sa) +{ + if (PREDICT_TRUE (sa->use_esn)) + { + if (PREDICT_FALSE (sa->seq == ESP_SEQ_MAX)) + { + if (PREDICT_FALSE + (sa->use_anti_replay && sa->seq_hi == ESP_SEQ_MAX)) + return 1; + sa->seq_hi++; + } + sa->seq++; + } + else + { + if (PREDICT_FALSE (sa->use_anti_replay && sa->seq == ESP_SEQ_MAX)) + return 1; + sa->seq++; + } + + return 0; +} + +always_inline void +esp_init () +{ + esp_main_t *em = &odp_esp_main; + vlib_thread_main_t *tm = vlib_get_thread_main (); + + memset (em, 0, sizeof (em[0])); + + vec_validate (em->esp_crypto_algs, IPSEC_CRYPTO_N_ALG - 1); + em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].type = EVP_aes_128_cbc (); + em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].type = EVP_aes_192_cbc (); + em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].type = EVP_aes_256_cbc (); + + vec_validate (em->esp_integ_algs, IPSEC_INTEG_N_ALG - 1); + esp_integ_alg_t *i; + + i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA1_96]; + i->md = EVP_sha1 (); + i->trunc_size = 12; + + i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_96]; + i->md = EVP_sha256 (); + i->trunc_size = 12; + + i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_128]; + i->md = EVP_sha256 (); + i->trunc_size = 16; + + i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_384_192]; + i->md = EVP_sha384 (); + i->trunc_size = 24; + + i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_512_256]; + i->md = EVP_sha512 (); + i->trunc_size = 32; + + vec_validate_aligned (em->per_thread_data, tm->n_vlib_mains - 1, + CLIB_CACHE_LINE_BYTES); + int thread_id; + + for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++) + { + EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].encrypt_ctx)); + EVP_CIPHER_CTX_init (&(em->per_thread_data[thread_id].decrypt_ctx)); + HMAC_CTX_init (&(em->per_thread_data[thread_id].hmac_ctx)); + } +} + +#endif /* __ESP_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/odp/ipsec/esp_decrypt.c b/src/plugins/odp/ipsec/esp_decrypt.c new file mode 100644 index 00000000..728d1c5e --- /dev/null +++ b/src/plugins/odp/ipsec/esp_decrypt.c @@ -0,0 +1,472 @@ +/* + * esp_decrypt.c : IPSec ESP decrypt node + * + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#include +#include + +#define foreach_esp_decrypt_next \ +_(DROP, "error-drop") \ +_(IP4_INPUT, "ip4-input") \ +_(IP6_INPUT, "ip6-input") \ +_(IPSEC_GRE_INPUT, "ipsec-gre-input") + +#define _(v, s) ESP_DECRYPT_NEXT_##v, +typedef enum +{ + foreach_esp_decrypt_next +#undef _ + ESP_DECRYPT_N_NEXT, +} esp_decrypt_next_t; + + +#define foreach_esp_decrypt_error \ + _(RX_PKTS, "ESP pkts received") \ + _(NO_BUFFER, "No buffer (packed dropped)") \ + _(DECRYPTION_FAILED, "ESP decryption failed") \ + _(INTEG_ERROR, "Integrity check failed") \ + _(REPLAY, "SA replayed packet") \ + _(NOT_IP, "Not IP packet (dropped)") + + +typedef enum +{ +#define _(sym,str) ESP_DECRYPT_ERROR_##sym, + foreach_esp_decrypt_error +#undef _ + ESP_DECRYPT_N_ERROR, +} esp_decrypt_error_t; + +static char *esp_decrypt_error_strings[] = { +#define _(sym,string) string, + foreach_esp_decrypt_error +#undef _ +}; + +typedef struct +{ + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; +} esp_decrypt_trace_t; + +vlib_node_registration_t odp_crypto_esp_decrypt_node; + +/* packet trace format function */ +static u8 * +format_esp_decrypt_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + esp_decrypt_trace_t *t = va_arg (*args, esp_decrypt_trace_t *); + + s = format (s, "(ODP) esp: crypto %U integrity %U", + format_ipsec_crypto_alg, t->crypto_alg, + format_ipsec_integ_alg, t->integ_alg); + return s; +} + +always_inline void +esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg, + u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv) +{ + esp_main_t *em = &odp_esp_main; + u32 thread_index = vlib_get_thread_index (); + EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx); + const EVP_CIPHER *cipher = NULL; + int out_len; + + ASSERT (alg < IPSEC_CRYPTO_N_ALG); + + if (PREDICT_FALSE (em->esp_crypto_algs[alg].type == 0)) + return; + + if (PREDICT_FALSE + (alg != em->per_thread_data[thread_index].last_decrypt_alg)) + { + cipher = em->esp_crypto_algs[alg].type; + em->per_thread_data[thread_index].last_decrypt_alg = alg; + } + + EVP_DecryptInit_ex (ctx, cipher, NULL, key, iv); + + EVP_DecryptUpdate (ctx, out, &out_len, in, in_len); + EVP_DecryptFinal_ex (ctx, out + out_len, &out_len); +} + +static uword +esp_decrypt_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * from_frame) +{ + u32 n_left_from, *from, next_index, *to_next; + ipsec_main_t *im = &ipsec_main; + esp_main_t *em = &odp_esp_main; + u32 *recycle = 0; + from = vlib_frame_vector_args (from_frame); + n_left_from = from_frame->n_vectors; + odp_crypto_main_t *ocm = &odp_crypto_main; + u32 thread_index = vlib_get_thread_index (); + + ipsec_alloc_empty_buffers (vm, im); + + u32 *empty_buffers = im->empty_buffers[thread_index]; + + odp_crypto_worker_main_t *cwm = + vec_elt_at_index (ocm->workers, thread_index); + + if (PREDICT_FALSE (vec_len (empty_buffers) < n_left_from)) + { + vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index, + ESP_DECRYPT_ERROR_NO_BUFFER, n_left_from); + goto free_buffers_and_exit; + } + + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 i_bi0, o_bi0 = (u32) ~ 0, next0; + vlib_buffer_t *i_b0; + vlib_buffer_t *o_b0 = 0; + esp_header_t *esp0; + ipsec_sa_t *sa0; + u32 sa_index0 = ~0; + u32 seq; + ip4_header_t *ih4 = 0, *oh4 = 0; + ip6_header_t *ih6 = 0, *oh6 = 0; + u8 tunnel_mode = 1; + u8 transport_ip6 = 0; + sa_data_t *sa_sess_data; + + + i_bi0 = from[0]; + from += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + next0 = ESP_DECRYPT_NEXT_DROP; + + i_b0 = vlib_get_buffer (vm, i_bi0); + esp0 = vlib_buffer_get_current (i_b0); + + sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index; + sa0 = pool_elt_at_index (im->sad, sa_index0); + + seq = clib_host_to_net_u32 (esp0->seq); + + /* anti-replay check */ + if (sa0->use_anti_replay) + { + int rv = 0; + + if (PREDICT_TRUE (sa0->use_esn)) + rv = esp_replay_check_esn (sa0, seq); + else + rv = esp_replay_check (sa0, seq); + + if (PREDICT_FALSE (rv)) + { + clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq); + vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index, + ESP_DECRYPT_ERROR_REPLAY, 1); + o_bi0 = i_bi0; + to_next[0] = o_bi0; + to_next += 1; + goto trace; + } + } + + sa0->total_data_size += i_b0->current_length; + int icv_size = em->esp_integ_algs[sa0->integ_alg].trunc_size; + + sa_sess_data = pool_elt_at_index (cwm->sa_sess_d[0], sa_index0); + if (PREDICT_FALSE (!(sa_sess_data->sess))) + { + int ret = create_sess (sa0, sa_sess_data, 0); + + if (ret) + { + to_next[0] = i_bi0; + to_next += 1; + goto trace; + } + } + + odp_crypto_op_param_t crypto_op_params; + odp_bool_t posted = 0; + odp_crypto_op_result_t result; + + crypto_op_params.session = sa_sess_data->sess; + crypto_op_params.ctx = NULL; + crypto_op_params.aad.ptr = NULL; + crypto_op_params.aad.length = 0; + crypto_op_params.pkt = (odp_packet_t) ((u8 *) i_b0 - + (u8 *) + odp_packet_user_area ((odp_packet_t) 0x0)); + crypto_op_params.out_pkt = crypto_op_params.pkt; + + crypto_op_params.override_iv_ptr = sa_sess_data->iv_data; + + + if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) + { + i_b0->current_length -= icv_size; + + crypto_op_params.auth_range.offset = (u32) i_b0->current_data; + crypto_op_params.auth_range.length = i_b0->current_length; + + crypto_op_params.hash_result_offset = + (u32) (i_b0->current_data + i_b0->current_length); + } + + if (PREDICT_TRUE (sa0->use_anti_replay)) + { + if (PREDICT_TRUE (sa0->use_esn)) + esp_replay_advance_esn (sa0, seq); + else + esp_replay_advance (sa0, seq); + } + + /* grab free buffer */ + uword last_empty_buffer = vec_len (empty_buffers) - 1; + o_bi0 = empty_buffers[last_empty_buffer]; + to_next[0] = o_bi0; + to_next += 1; + o_b0 = vlib_get_buffer (vm, o_bi0); + vlib_prefetch_buffer_with_index (vm, + empty_buffers[last_empty_buffer - + 1], STORE); + _vec_len (empty_buffers) = last_empty_buffer; + + /* add old buffer to the recycle list */ + vec_add1 (recycle, i_bi0); + + if (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 && + sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) + { + const int BLOCK_SIZE = 16; + const int IV_SIZE = 16; + esp_footer_t *f0; + u8 ip_hdr_size = 0; + + int blocks = + (i_b0->current_length - sizeof (esp_header_t) - + IV_SIZE) / BLOCK_SIZE; + + o_b0->current_data = sizeof (ethernet_header_t); + + /* transport mode */ + if (PREDICT_FALSE (!sa0->is_tunnel && !sa0->is_tunnel_ip6)) + { + tunnel_mode = 0; + ih4 = + (ip4_header_t *) (i_b0->data + + sizeof (ethernet_header_t)); + if (PREDICT_TRUE + ((ih4->ip_version_and_header_length & 0xF0) != 0x40)) + { + if (PREDICT_TRUE + ((ih4->ip_version_and_header_length & 0xF0) == + 0x60)) + { + transport_ip6 = 1; + ip_hdr_size = sizeof (ip6_header_t); + ih6 = + (ip6_header_t *) (i_b0->data + + sizeof (ethernet_header_t)); + oh6 = vlib_buffer_get_current (o_b0); + } + else + { + vlib_node_increment_counter (vm, + odp_crypto_esp_decrypt_node.index, + ESP_DECRYPT_ERROR_NOT_IP, + 1); + o_b0 = 0; + goto trace; + } + } + else + { + oh4 = vlib_buffer_get_current (o_b0); + ip_hdr_size = sizeof (ip4_header_t); + } + } + + crypto_op_params.cipher_range.offset = + (u32) ((u8 *) vlib_buffer_get_current (i_b0) - (u8 *) i_b0) - + sizeof (vlib_buffer_t) + sizeof (esp_header_t) + IV_SIZE; + crypto_op_params.cipher_range.length = BLOCK_SIZE * blocks; + crypto_op_params.override_iv_ptr = + (u8 *) vlib_buffer_get_current (i_b0) + sizeof (esp_header_t); + + odp_crypto_operation (&crypto_op_params, &posted, &result); + + if (PREDICT_FALSE (!result.ok)) + { + vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index, + ESP_DECRYPT_ERROR_INTEG_ERROR, + 1); + o_b0 = 0; + goto trace; + } + + clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) + + ip_hdr_size, esp0->data + IV_SIZE, + BLOCK_SIZE * blocks); + + o_b0->current_length = (blocks * 16) - 2 + ip_hdr_size; + o_b0->flags = VLIB_BUFFER_TOTAL_LENGTH_VALID; + f0 = + (esp_footer_t *) ((u8 *) vlib_buffer_get_current (o_b0) + + o_b0->current_length); + o_b0->current_length -= f0->pad_length; + + /* tunnel mode */ + if (PREDICT_TRUE (tunnel_mode)) + { + if (PREDICT_TRUE (f0->next_header == IP_PROTOCOL_IP_IN_IP)) + { + next0 = ESP_DECRYPT_NEXT_IP4_INPUT; + oh4 = vlib_buffer_get_current (o_b0); + } + else if (f0->next_header == IP_PROTOCOL_IPV6) + next0 = ESP_DECRYPT_NEXT_IP6_INPUT; + else + { + clib_warning ("next header: 0x%x", f0->next_header); + vlib_node_increment_counter (vm, + odp_crypto_esp_decrypt_node.index, + ESP_DECRYPT_ERROR_DECRYPTION_FAILED, + 1); + o_b0 = 0; + goto trace; + } + } + /* transport mode */ + else + { + if (PREDICT_FALSE (transport_ip6)) + { + next0 = ESP_DECRYPT_NEXT_IP6_INPUT; + oh6->ip_version_traffic_class_and_flow_label = + ih6->ip_version_traffic_class_and_flow_label; + oh6->protocol = f0->next_header; + oh6->hop_limit = ih6->hop_limit; + oh6->src_address.as_u64[0] = ih6->src_address.as_u64[0]; + oh6->src_address.as_u64[1] = ih6->src_address.as_u64[1]; + oh6->dst_address.as_u64[0] = ih6->dst_address.as_u64[0]; + oh6->dst_address.as_u64[1] = ih6->dst_address.as_u64[1]; + oh6->payload_length = + clib_host_to_net_u16 (vlib_buffer_length_in_chain + (vm, + o_b0) - sizeof (ip6_header_t)); + } + else + { + next0 = ESP_DECRYPT_NEXT_IP4_INPUT; + oh4->ip_version_and_header_length = 0x45; + oh4->tos = ih4->tos; + oh4->fragment_id = 0; + oh4->flags_and_fragment_offset = 0; + oh4->ttl = ih4->ttl; + oh4->protocol = f0->next_header; + oh4->src_address.as_u32 = ih4->src_address.as_u32; + oh4->dst_address.as_u32 = ih4->dst_address.as_u32; + oh4->length = + clib_host_to_net_u16 (vlib_buffer_length_in_chain + (vm, o_b0)); + oh4->checksum = ip4_header_checksum (oh4); + } + } + + /* for IPSec-GRE tunnel next node is ipsec-gre-input */ + if (PREDICT_FALSE + ((vnet_buffer (i_b0)->ipsec.flags) & + IPSEC_FLAG_IPSEC_GRE_TUNNEL)) + next0 = ESP_DECRYPT_NEXT_IPSEC_GRE_INPUT; + + vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + } + + trace: + if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED)) + { + if (o_b0) + { + o_b0->flags |= VLIB_BUFFER_IS_TRACED; + o_b0->trace_index = i_b0->trace_index; + esp_decrypt_trace_t *tr = + vlib_add_trace (vm, node, o_b0, sizeof (*tr)); + tr->crypto_alg = sa0->crypto_alg; + tr->integ_alg = sa0->integ_alg; + } + } + + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, + n_left_to_next, o_bi0, next0); + } + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + vlib_node_increment_counter (vm, odp_crypto_esp_decrypt_node.index, + ESP_DECRYPT_ERROR_RX_PKTS, + from_frame->n_vectors); + +free_buffers_and_exit: + if (recycle) + vlib_buffer_free (vm, recycle, vec_len (recycle)); + vec_free (recycle); + return from_frame->n_vectors; +} + + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (odp_crypto_esp_decrypt_node) = { + .function = esp_decrypt_node_fn, + .name = "odp-crypto-esp-decrypt", + .vector_size = sizeof (u32), + .format_trace = format_esp_decrypt_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(esp_decrypt_error_strings), + .error_strings = esp_decrypt_error_strings, + + .n_next_nodes = ESP_DECRYPT_N_NEXT, + .next_nodes = { +#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n, + foreach_esp_decrypt_next +#undef _ + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (odp_crypto_esp_decrypt_node, esp_decrypt_node_fn) +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/odp/ipsec/esp_encrypt.c b/src/plugins/odp/ipsec/esp_encrypt.c new file mode 100644 index 00000000..38cffea2 --- /dev/null +++ b/src/plugins/odp/ipsec/esp_encrypt.c @@ -0,0 +1,445 @@ +/* + * esp_encrypt.c : IPSec ESP encrypt node + * + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#include +#include + + +#define foreach_esp_encrypt_next \ +_(DROP, "error-drop") \ +_(IP4_LOOKUP, "ip4-lookup") \ +_(IP6_LOOKUP, "ip6-lookup") \ +_(INTERFACE_OUTPUT, "interface-output") + +#define _(v, s) ESP_ENCRYPT_NEXT_##v, +typedef enum +{ + foreach_esp_encrypt_next +#undef _ + ESP_ENCRYPT_N_NEXT, +} esp_encrypt_next_t; + +#define foreach_esp_encrypt_error \ + _(RX_PKTS, "ESP pkts received") \ + _(NO_BUFFER, "No buffer (packet dropped)") \ + _(DECRYPTION_FAILED, "ESP encryption failed") \ + _(SEQ_CYCLED, "sequence number cycled") + + +typedef enum +{ +#define _(sym,str) ESP_ENCRYPT_ERROR_##sym, + foreach_esp_encrypt_error +#undef _ + ESP_ENCRYPT_N_ERROR, +} esp_encrypt_error_t; + +static char *esp_encrypt_error_strings[] = { +#define _(sym,string) string, + foreach_esp_encrypt_error +#undef _ +}; + +typedef struct +{ + u32 spi; + u32 seq; + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; +} esp_encrypt_trace_t; + +vlib_node_registration_t odp_crypto_esp_encrypt_node; + +/* packet trace format function */ +static u8 * +format_esp_encrypt_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *); + + s = format (s, "(ODP) esp: spi %u seq %u crypto %U integrity %U", + t->spi, t->seq, + format_ipsec_crypto_alg, t->crypto_alg, + format_ipsec_integ_alg, t->integ_alg); + return s; +} + +static uword +esp_encrypt_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * from_frame) +{ + u32 n_left_from, *from, *to_next = 0, next_index; + from = vlib_frame_vector_args (from_frame); + n_left_from = from_frame->n_vectors; + ipsec_main_t *im = &ipsec_main; + u32 *recycle = 0; + odp_crypto_main_t *ocm = &odp_crypto_main; + u32 thread_index = vlib_get_thread_index (); + esp_main_t *em = &odp_esp_main; + + ipsec_alloc_empty_buffers (vm, im); + + u32 *empty_buffers = im->empty_buffers[thread_index]; + + odp_crypto_worker_main_t *cwm = + vec_elt_at_index (ocm->workers, thread_index); + + if (PREDICT_FALSE (vec_len (empty_buffers) < n_left_from)) + { + vlib_node_increment_counter (vm, odp_crypto_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_NO_BUFFER, n_left_from); + clib_warning ("no enough empty buffers. discarding frame"); + goto free_buffers_and_exit; + } + + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 i_bi0, o_bi0, next0; + vlib_buffer_t *i_b0, *o_b0 = 0; + u32 sa_index0; + ipsec_sa_t *sa0; + ip4_and_esp_header_t *ih0, *oh0 = 0; + ip6_and_esp_header_t *ih6_0, *oh6_0 = 0; + uword last_empty_buffer; + esp_footer_t *f0; + u8 is_ipv6; + u8 ip_hdr_size; + u8 next_hdr_type; + u32 ip_proto = 0; + u8 transport_mode = 0; + sa_data_t *sa_sess_data; + + i_bi0 = from[0]; + from += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + next0 = ESP_ENCRYPT_NEXT_DROP; + + i_b0 = vlib_get_buffer (vm, i_bi0); + sa_index0 = vnet_buffer (i_b0)->ipsec.sad_index; + sa0 = pool_elt_at_index (im->sad, sa_index0); + + if (PREDICT_FALSE (esp_seq_advance (sa0))) + { + clib_warning ("sequence number counter has cycled SPI %u", + sa0->spi); + vlib_node_increment_counter (vm, odp_crypto_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1); + //TODO: rekey SA + o_bi0 = i_bi0; + to_next[0] = o_bi0; + to_next += 1; + goto trace; + } + + sa0->total_data_size += i_b0->current_length; + + /* grab free buffer */ + last_empty_buffer = vec_len (empty_buffers) - 1; + o_bi0 = empty_buffers[last_empty_buffer]; + o_b0 = vlib_get_buffer (vm, o_bi0); + o_b0->flags = VLIB_BUFFER_TOTAL_LENGTH_VALID; + o_b0->current_data = sizeof (ethernet_header_t); + ih0 = vlib_buffer_get_current (i_b0); + vlib_prefetch_buffer_with_index (vm, + empty_buffers[last_empty_buffer - + 1], STORE); + _vec_len (empty_buffers) = last_empty_buffer; + to_next[0] = o_bi0; + to_next += 1; + + sa_sess_data = pool_elt_at_index (cwm->sa_sess_d[1], sa_index0); + if (PREDICT_FALSE (!(sa_sess_data->sess))) + { + int ret = create_sess (sa0, sa_sess_data, 1); + + if (ret) + { + to_next[0] = i_bi0; + to_next += 1; + goto trace; + } + } + + /* add old buffer to the recycle list */ + vec_add1 (recycle, i_bi0); + + /* is ipv6 */ + if (PREDICT_FALSE + ((ih0->ip4.ip_version_and_header_length & 0xF0) == 0x60)) + { + is_ipv6 = 1; + ih6_0 = vlib_buffer_get_current (i_b0); + ip_hdr_size = sizeof (ip6_header_t); + next_hdr_type = IP_PROTOCOL_IPV6; + oh6_0 = vlib_buffer_get_current (o_b0); + + oh6_0->ip6.ip_version_traffic_class_and_flow_label = + ih6_0->ip6.ip_version_traffic_class_and_flow_label; + oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_ESP; + oh6_0->ip6.hop_limit = 254; + oh6_0->ip6.src_address.as_u64[0] = + ih6_0->ip6.src_address.as_u64[0]; + oh6_0->ip6.src_address.as_u64[1] = + ih6_0->ip6.src_address.as_u64[1]; + oh6_0->ip6.dst_address.as_u64[0] = + ih6_0->ip6.dst_address.as_u64[0]; + oh6_0->ip6.dst_address.as_u64[1] = + ih6_0->ip6.dst_address.as_u64[1]; + oh6_0->esp.spi = clib_net_to_host_u32 (sa0->spi); + oh6_0->esp.seq = clib_net_to_host_u32 (sa0->seq); + ip_proto = ih6_0->ip6.protocol; + + next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP; + } + else + { + is_ipv6 = 0; + ip_hdr_size = sizeof (ip4_header_t); + next_hdr_type = IP_PROTOCOL_IP_IN_IP; + oh0 = vlib_buffer_get_current (o_b0); + + oh0->ip4.ip_version_and_header_length = 0x45; + oh0->ip4.tos = ih0->ip4.tos; + oh0->ip4.fragment_id = 0; + oh0->ip4.flags_and_fragment_offset = 0; + oh0->ip4.ttl = 254; + oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP; + oh0->ip4.src_address.as_u32 = ih0->ip4.src_address.as_u32; + oh0->ip4.dst_address.as_u32 = ih0->ip4.dst_address.as_u32; + oh0->esp.spi = clib_net_to_host_u32 (sa0->spi); + oh0->esp.seq = clib_net_to_host_u32 (sa0->seq); + ip_proto = ih0->ip4.protocol; + + next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP; + } + + if (PREDICT_TRUE + (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6)) + { + oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; + oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; + + vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + } + else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6) + { + oh6_0->ip6.src_address.as_u64[0] = + sa0->tunnel_src_addr.ip6.as_u64[0]; + oh6_0->ip6.src_address.as_u64[1] = + sa0->tunnel_src_addr.ip6.as_u64[1]; + oh6_0->ip6.dst_address.as_u64[0] = + sa0->tunnel_dst_addr.ip6.as_u64[0]; + oh6_0->ip6.dst_address.as_u64[1] = + sa0->tunnel_dst_addr.ip6.as_u64[1]; + + vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + } + else + { + next_hdr_type = ip_proto; + if (vnet_buffer (i_b0)->sw_if_index[VLIB_TX] != ~0) + { + transport_mode = 1; + ethernet_header_t *ieh0, *oeh0; + ieh0 = + (ethernet_header_t *) ((u8 *) + vlib_buffer_get_current (i_b0) - + sizeof (ethernet_header_t)); + oeh0 = (ethernet_header_t *) o_b0->data; + clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); + next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT; + vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = + vnet_buffer (i_b0)->sw_if_index[VLIB_TX]; + } + vlib_buffer_advance (i_b0, ip_hdr_size); + } + + ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG); + + if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE)) + { + + const int BLOCK_SIZE = 16; + const int IV_SIZE = 16; + int blocks = 1 + (i_b0->current_length + 1) / BLOCK_SIZE; + + /* pad packet in input buffer */ + u8 pad_bytes = BLOCK_SIZE * blocks - 2 - i_b0->current_length; + u8 i; + u8 *padding = + vlib_buffer_get_current (i_b0) + i_b0->current_length; + i_b0->current_length = BLOCK_SIZE * blocks; + for (i = 0; i < pad_bytes; ++i) + { + padding[i] = i + 1; + } + f0 = vlib_buffer_get_current (i_b0) + i_b0->current_length - 2; + f0->pad_length = pad_bytes; + f0->next_header = next_hdr_type; + + o_b0->current_length = ip_hdr_size + sizeof (esp_header_t) + + BLOCK_SIZE * blocks + IV_SIZE; + + vnet_buffer (o_b0)->sw_if_index[VLIB_RX] = + vnet_buffer (i_b0)->sw_if_index[VLIB_RX]; + + odp_crypto_op_param_t crypto_op_params; + odp_bool_t posted = 0; + odp_crypto_op_result_t result; + + crypto_op_params.session = sa_sess_data->sess; + crypto_op_params.ctx = NULL; + crypto_op_params.aad.ptr = NULL; + crypto_op_params.aad.length = 0; + crypto_op_params.pkt = + (odp_packet_t) ((u8 *) o_b0 - + (u8 *) odp_packet_user_area ((odp_packet_t) + 0x0)); + crypto_op_params.out_pkt = crypto_op_params.pkt; + + crypto_op_params.override_iv_ptr = sa_sess_data->iv_data; + + crypto_op_params.cipher_range.offset = + (u32) ((u8 *) vlib_buffer_get_current (o_b0) - (u8 *) o_b0) - + sizeof (vlib_buffer_t) + ip_hdr_size + sizeof (esp_header_t) + + IV_SIZE; + + crypto_op_params.cipher_range.length = BLOCK_SIZE * blocks; + + crypto_op_params.auth_range.offset = + (u32) ((u8 *) vlib_buffer_get_current (o_b0) - (u8 *) o_b0) - + sizeof (vlib_buffer_t) + ip_hdr_size; + crypto_op_params.auth_range.length = + o_b0->current_length - ip_hdr_size; + crypto_op_params.hash_result_offset = + (u32) ((u8 *) vlib_buffer_get_current (o_b0) - (u8 *) o_b0) - + sizeof (vlib_buffer_t) + o_b0->current_length; + + clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) + + ip_hdr_size + sizeof (esp_header_t) + IV_SIZE, + (u8 *) vlib_buffer_get_current (i_b0), + BLOCK_SIZE * blocks); + + clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) + + ip_hdr_size + sizeof (esp_header_t), + sa_sess_data->iv_data, + sizeof (sa_sess_data->iv_data)); + + o_b0->current_length += + em->esp_integ_algs[sa0->integ_alg].trunc_size; + int ret = + odp_crypto_operation (&crypto_op_params, &posted, &result); + if (ret != 0) + { + clib_error ("Crypto operation not sucessful\n"); + goto trace; + } + } + + if (PREDICT_FALSE (is_ipv6)) + { + oh6_0->ip6.payload_length = + clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, o_b0) - + sizeof (ip6_header_t)); + } + else + { + oh0->ip4.length = + clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, o_b0)); + oh0->ip4.checksum = ip4_header_checksum (&oh0->ip4); + } + + if (transport_mode) + vlib_buffer_reset (o_b0); + + trace: + if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED)) + { + if (o_b0) + { + o_b0->flags |= VLIB_BUFFER_IS_TRACED; + o_b0->trace_index = i_b0->trace_index; + esp_encrypt_trace_t *tr = + vlib_add_trace (vm, node, o_b0, sizeof (*tr)); + tr->spi = sa0->spi; + tr->seq = sa0->seq - 1; + tr->crypto_alg = sa0->crypto_alg; + tr->integ_alg = sa0->integ_alg; + } + } + + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, o_bi0, + next0); + } + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + vlib_node_increment_counter (vm, odp_crypto_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_RX_PKTS, + from_frame->n_vectors); + +free_buffers_and_exit: + if (recycle) + vlib_buffer_free (vm, recycle, vec_len (recycle)); + vec_free (recycle); + return from_frame->n_vectors; +} + + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (odp_crypto_esp_encrypt_node) = { + .function = esp_encrypt_node_fn, + .name = "odp-crypto-esp-encrypt", + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + + .n_next_nodes = ESP_ENCRYPT_N_NEXT, + .next_nodes = { +#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n, + foreach_esp_encrypt_next +#undef _ + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (odp_crypto_esp_encrypt_node, esp_encrypt_node_fn) +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/odp/ipsec/ipsec.c b/src/plugins/odp/ipsec/ipsec.c new file mode 100644 index 00000000..339240f6 --- /dev/null +++ b/src/plugins/odp/ipsec/ipsec.c @@ -0,0 +1,263 @@ +/* + * decap.c : IPSec tunnel support + * + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include + +#include +#include + +static int +add_del_sa_sess (u32 sa_index, u8 is_add) +{ + odp_crypto_main_t *ocm = &odp_crypto_main; + odp_crypto_worker_main_t *cwm; + + vec_foreach (cwm, ocm->workers) + { + sa_data_t *sa_sess_data; + u8 is_outbound; + + for (is_outbound = 0; is_outbound < 2; is_outbound++) + { + if (is_add) + { + pool_get (cwm->sa_sess_d[is_outbound], sa_sess_data); + memset (sa_sess_data, 0, sizeof (sa_sess_data[0])); + } + else + { + + sa_sess_data = + pool_elt_at_index (cwm->sa_sess_d[is_outbound], sa_index); + + if (sa_sess_data->sess) + { + if (odp_crypto_session_destroy (sa_sess_data->sess)) + { + clib_warning ("failed to free session"); + return -1; + } + } + + pool_put (cwm->sa_sess_d[is_outbound], sa_sess_data); + } + } + } + + return 0; +} + +int +create_sess (ipsec_sa_t * sa, sa_data_t * sa_sess_data, int is_outbound) +{ + odp_crypto_ses_create_err_t ses_create_rc; + odp_crypto_session_param_t crypto_params; + odp_crypto_session_param_init (&crypto_params); + + esp_main_t *em = &odp_esp_main; + int trunc_size = em->esp_integ_algs[sa->integ_alg].trunc_size; + + const int max_auth_capa_amount = 8; + odp_crypto_auth_capability_t capa[max_auth_capa_amount]; + int actual_capa_amount; + + crypto_params.auth_cipher_text = 1; + + /* Synchronous mode */ + crypto_params.pref_mode = ODP_CRYPTO_SYNC; + crypto_params.compl_queue = ODP_QUEUE_INVALID; + crypto_params.output_pool = ODP_POOL_INVALID; + + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_CBC_128) + { + crypto_params.cipher_alg = ODP_CIPHER_ALG_AES_CBC; + crypto_params.cipher_key.length = sa->crypto_key_len; + } + else + { + crypto_params.cipher_alg = ODP_CIPHER_ALG_NULL; + } + + switch (sa->integ_alg) + { + case IPSEC_INTEG_ALG_SHA_512_256: + crypto_params.auth_alg = ODP_AUTH_ALG_SHA512_HMAC; + break; + case IPSEC_INTEG_ALG_SHA_256_128: + crypto_params.auth_alg = ODP_AUTH_ALG_SHA256_HMAC; + break; + case IPSEC_INTEG_ALG_SHA1_96: + crypto_params.auth_alg = ODP_AUTH_ALG_SHA1_HMAC; + break; + default: + crypto_params.auth_alg = ODP_AUTH_ALG_NULL; + break; + } + + actual_capa_amount = odp_crypto_auth_capability (crypto_params.auth_alg, + capa, + max_auth_capa_amount); + int picked_capa = -1; + int i; + + for (i = 0; i < actual_capa_amount; i++) + { + if (capa[i].digest_len >= trunc_size && + capa[i].key_len >= sa->crypto_key_len) + { + picked_capa = i; + break; + } + } + + if (picked_capa == -1) + { + if (actual_capa_amount) + clib_warning + ("Failed to get matching capabilities, algorithm appears to be supported but key or digest length incompatible\n"); + else + clib_warning + ("Failed to get matching capabilities, algorithm probably not supported\n"); + return -1; + } + + sa_sess_data->key_size = capa[picked_capa].key_len; + sa_sess_data->digest_size = capa[picked_capa].digest_len; + crypto_params.auth_key.length = sa_sess_data->key_size; + crypto_params.auth_digest_len = sa_sess_data->digest_size; + + memset (sa->integ_key + sa->integ_key_len, 0, + sa_sess_data->key_size - sa->integ_key_len); + + if (is_outbound) + crypto_params.op = ODP_CRYPTO_OP_ENCODE; + else + crypto_params.op = ODP_CRYPTO_OP_DECODE; + + crypto_params.cipher_key.data = sa->crypto_key; + crypto_params.auth_key.data = sa->integ_key; + crypto_params.iv.data = sa_sess_data->iv_data; + const int IV_LEN = 16; + sa_sess_data->iv_len = IV_LEN; + crypto_params.iv.length = IV_LEN; + + { + int size = crypto_params.iv.length; + int ret = + odp_random_data (crypto_params.iv.data, size, ODP_RANDOM_CRYPTO); + + if (ret != size) + { + clib_error_return (0, "failed to get random from ODP"); + return -1; + } + } + + if (odp_crypto_session_create + (&crypto_params, &sa_sess_data->sess, &ses_create_rc)) + { + clib_warning ("Unable to create session\n"); + clib_warning ("%d\n", ses_create_rc); + return VNET_API_ERROR_SYSCALL_ERROR_1; + } + + if (ODP_CRYPTO_SESSION_INVALID == sa_sess_data->sess) + { + clib_warning ("ODP_CRYPTO_SESSION_INVALID\n"); + return VNET_API_ERROR_SYSCALL_ERROR_1; + } + + if (ODP_CRYPTO_SES_CREATE_ERR_NONE != ses_create_rc) + { + clib_warning ("Session creation returned some errors\n"); + return VNET_API_ERROR_SYSCALL_ERROR_1; + } + + return 0; +} + +clib_error_t * +odp_ipsec_check_support (ipsec_sa_t * sa) +{ + // TODO maybe we should check what crypto is available or something? + return 0; +} + +clib_error_t * +ipsec_init (vlib_main_t * vm) +{ + if (!enable_odp_crypto) + return 0; + ipsec_main_t *im = &ipsec_main; + odp_crypto_main_t *ocm = &odp_crypto_main; + vlib_thread_main_t *tm = vlib_get_thread_main (); + vlib_node_t *ipsec_node, *crypto_node, *error_node; + + memset (im, 0, sizeof (im[0])); + + im->vnet_main = vnet_get_main (); + im->vlib_main = vm; + + im->spd_index_by_spd_id = hash_create (0, sizeof (uword)); + im->sa_index_by_sa_id = hash_create (0, sizeof (uword)); + im->spd_index_by_sw_if_index = hash_create (0, sizeof (uword)); + + vec_validate_aligned (im->empty_buffers, tm->n_vlib_mains - 1, + CLIB_CACHE_LINE_BYTES); + + error_node = vlib_get_node_by_name (vm, (u8 *) "error-drop"); + ASSERT (error_node); + im->error_drop_node_index = error_node->index; + + + ipsec_node = vlib_get_node_by_name (vm, (u8 *) "ipsec-output-ip4"); + ASSERT (ipsec_node); + crypto_node = vlib_get_node_by_name (vm, (u8 *) "odp-crypto-esp-encrypt"); + ASSERT (crypto_node); + im->esp_encrypt_node_index = crypto_node->index; + im->esp_encrypt_next_index = + vlib_node_add_next (vm, ipsec_node->index, crypto_node->index); + + ipsec_node = vlib_get_node_by_name (vm, (u8 *) "ipsec-input-ip4"); + ASSERT (ipsec_node); + crypto_node = vlib_get_node_by_name (vm, (u8 *) "odp-crypto-esp-decrypt"); + ASSERT (crypto_node); + im->esp_decrypt_node_index = crypto_node->index; + im->esp_decrypt_next_index = + vlib_node_add_next (vm, ipsec_node->index, crypto_node->index); + + im->cb.check_support_cb = odp_ipsec_check_support; + im->cb.add_del_sa_sess_cb = add_del_sa_sess; + + vec_alloc (ocm->workers, tm->n_vlib_mains); + _vec_len (ocm->workers) = tm->n_vlib_mains; + + esp_init (); + + return 0; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/odp/ipsec/ipsec.h b/src/plugins/odp/ipsec/ipsec.h new file mode 100644 index 00000000..0f3ceb86 --- /dev/null +++ b/src/plugins/odp/ipsec/ipsec.h @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __ODP_IPSEC_H__ +#define __ODP_IPSEC_H__ + +#include +#include + +typedef struct +{ + odp_crypto_session_t sess; + u32 digest_size; + u8 iv_data[16]; + u32 iv_len; + u32 key_size; +} sa_data_t; + +typedef struct +{ + sa_data_t *sa_sess_d[2]; + odp_queue_t post_encrypt, post_decrypt; +} odp_crypto_worker_main_t; + +typedef struct +{ + odp_crypto_worker_main_t *workers; +} odp_crypto_main_t; + +extern vlib_node_registration_t odp_crypto_input_node; +extern odp_crypto_main_t odp_crypto_main; +extern u8 enable_odp_crypto; + +int create_sess (ipsec_sa_t * sa, sa_data_t * sess, int is_outbound); + +clib_error_t *ipsec_init (vlib_main_t * vm); + +#endif /* __IPSEC_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/odp/odp_packet.c b/src/plugins/odp/odp_packet.c index 840a7e91..fb9ab192 100755 --- a/src/plugins/odp/odp_packet.c +++ b/src/plugins/odp/odp_packet.c @@ -13,6 +13,7 @@ #include #include #include +#include odp_packet_main_t *odp_packet_main; u32 rx_sched_wait; @@ -20,6 +21,8 @@ u32 tx_burst_size; u32 num_pkts_in_pool = SHM_PKT_POOL_NB_PKTS; odp_if_mode_t def_if_mode; odp_if_config_t *if_config; +odp_crypto_main_t odp_crypto_main; +u8 enable_odp_crypto; static u32 odp_packet_eth_flag_change (vnet_main_t * vnm, vnet_hw_interface_t * hi, @@ -422,6 +425,10 @@ odp_config (vlib_main_t * vm, unformat_input_t * input) odp_device_config (param, NULL); vec_free (param); } + else if (unformat (input, "enable-odp-crypto")) + { + enable_odp_crypto = 1; + } else if (unformat (input, "%s", ¶m)) { clib_warning ("%s: Unknown option %s\n", __func__, param); @@ -464,6 +471,8 @@ odp_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f) /* Initialization complete and worker threads can start */ tm->worker_thread_release = 1; + ipsec_init (vlib_get_main ()); + return 0; } diff --git a/src/plugins/odp/odp_packet.h b/src/plugins/odp/odp_packet.h index 57b651ef..73972cbb 100755 --- a/src/plugins/odp/odp_packet.h +++ b/src/plugins/odp/odp_packet.h @@ -80,6 +80,7 @@ extern u32 rx_sched_wait; extern u32 tx_burst_size; extern u32 num_pkts_in_pool; extern odp_if_mode_t def_if_mode; +extern u8 enable_odp_crypto; u32 odp_packet_create_if (vlib_main_t * vm, u8 * host_if_name, u8 * hw_addr_set, u32 * sw_if_index, diff --git a/src/vpp/conf/startup.conf b/src/vpp/conf/startup.conf index 15c9086d..6947d378 100644 --- a/src/vpp/conf/startup.conf +++ b/src/vpp/conf/startup.conf @@ -129,6 +129,9 @@ cpu { # num-rx-queues 2 # hw-addr 3c:fd:fe:a4:37:99 # } + + ## Make use of ODP crypto API to accelerate IPsec + # enable-odp-crypto # } # Adjusting the plugin path depending on where the VPP plugins are: -- cgit 1.2.3-korg