From db93cd971320301eb21403caabada7a3ec6a4cce Mon Sep 17 00:00:00 2001 From: Sergio Gonzalez Monroy Date: Sat, 26 Aug 2017 15:22:05 +0100 Subject: dpdk/ipsec: rework plus improved cli commands This patch reworks the DPDK ipsec implementation including the cryptodev management as well as replacing new cli commands for better usability. For the data path: - The dpdk-esp-encrypt-post node is not necessary anymore. - IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead of ip4-input. The DPDK cryptodev cli commands are replaced by the following new commands: - show dpdk crypto devices - show dpdk crypto placement [verbose] - set dpdk crypto placement ( | auto) - clear dpdk crypto placement [] - show dpdk crypto pools Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b Signed-off-by: Sergio Gonzalez Monroy --- src/plugins/dpdk/ipsec/esp_encrypt.c | 646 ++++++++++++++++------------------- 1 file changed, 287 insertions(+), 359 deletions(-) (limited to 'src/plugins/dpdk/ipsec/esp_encrypt.c') diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c index 6de444fd3bc..3ce22843289 100644 --- a/src/plugins/dpdk/ipsec/esp_encrypt.c +++ b/src/plugins/dpdk/ipsec/esp_encrypt.c @@ -1,7 +1,7 @@ /* * esp_encrypt.c : IPSec ESP encrypt node using DPDK Cryptodev * - * Copyright (c) 2016 Intel and/or its affiliates. + * Copyright (c) 2017 Intel and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -20,8 +20,8 @@ #include #include +#include #include -#include #include #include @@ -41,9 +41,11 @@ typedef enum #define foreach_esp_encrypt_error \ _(RX_PKTS, "ESP pkts received") \ - _(SEQ_CYCLED, "sequence number cycled") \ - _(ENQ_FAIL, "Enqueue failed (buffer full)") \ - _(NO_CRYPTODEV, "Cryptodev not configured") + _(SEQ_CYCLED, "Sequence number cycled") \ + _(ENQ_FAIL, "Enqueue failed to crypto device") \ + _(DISCARD, "Not enough crypto operations, discarding frame") \ + _(SESSION, "Failed to get crypto session") \ + _(NOSUP, "Cipher/Auth not supported") typedef enum @@ -64,10 +66,9 @@ vlib_node_registration_t dpdk_esp_encrypt_node; typedef struct { - u32 spi; - u32 seq; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; + u8 packet_data[64]; } esp_encrypt_trace_t; /* packet trace format function */ @@ -77,11 +78,29 @@ format_esp_encrypt_trace (u8 * s, va_list * args) CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *); + ip4_header_t *ih4 = (ip4_header_t *) t->packet_data; + uword indent = format_get_indent (s), offset; - s = format (s, "esp: spi %u seq %u crypto %U integrity %U", - t->spi, t->seq, + s = format (s, "cipher %U auth %U\n", format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg, t->integ_alg); + + if ((ih4->ip_version_and_header_length & 0xF0) == 0x60) + { + s = format (s, "%U%U", format_white_space, indent, + format_ip6_header, ih4); + offset = sizeof (ip6_header_t); + } + else + { + s = format (s, "%U%U", format_white_space, indent, + format_ip4_header, ih4); + offset = ip4_header_bytes (ih4); + } + + s = format (s, "\n%U%U", format_white_space, indent, + format_esp_header, t->packet_data + offset); + return s; } @@ -92,30 +111,31 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, { u32 n_left_from, *from, *to_next, next_index; ipsec_main_t *im = &ipsec_main; - u32 thread_index = vlib_get_thread_index (); + u32 thread_idx = vlib_get_thread_index (); dpdk_crypto_main_t *dcm = &dpdk_crypto_main; - dpdk_esp_main_t *em = &dpdk_esp_main; - u32 i; + crypto_resource_t *res = 0; + ipsec_sa_t *sa0 = 0; + crypto_alg_t *cipher_alg = 0, *auth_alg = 0; + struct rte_cryptodev_sym_session *session = 0; + u32 ret, last_sa_index = ~0; + u8 numa = rte_socket_id (); + u8 is_aead = 0; + crypto_worker_main_t *cwm = + vec_elt_at_index (dcm->workers_main, thread_idx); + struct rte_crypto_op **ops = cwm->ops; from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; - crypto_worker_main_t *cwm = - vec_elt_at_index (dcm->workers_main, thread_index); - u32 n_qps = vec_len (cwm->qp_data); - struct rte_crypto_op **cops_to_enq[n_qps]; - u32 n_cop_qp[n_qps], *bi_to_enq[n_qps]; - - for (i = 0; i < n_qps; i++) + ret = crypto_alloc_ops (numa, ops, n_left_from); + if (ret) { - bi_to_enq[i] = cwm->qp_data[i].bi; - cops_to_enq[i] = cwm->qp_data[i].cops; + vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_DISCARD, 1); + /* Discard whole frame */ + return n_left_from; } - memset (n_cop_qp, 0, n_qps * sizeof (u32)); - - crypto_alloc_cops (); - next_index = ESP_ENCRYPT_NEXT_DROP; while (n_left_from > 0) @@ -126,34 +146,99 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, while (n_left_from > 0 && n_left_to_next > 0) { - u32 bi0, next0; + clib_error_t *error; + u32 bi0; vlib_buffer_t *b0 = 0; u32 sa_index0; - ipsec_sa_t *sa0; ip4_and_esp_header_t *ih0, *oh0 = 0; ip6_and_esp_header_t *ih6_0, *oh6_0 = 0; - struct rte_mbuf *mb0 = 0; + esp_header_t *esp0; esp_footer_t *f0; - u8 is_ipv6; - u8 ip_hdr_size; - u8 next_hdr_type; - u8 transport_mode = 0; - const int BLOCK_SIZE = 16; + u8 is_ipv6, next_hdr_type; u32 iv_size; u16 orig_sz; u8 trunc_size; - crypto_sa_session_t *sa_sess; - void *sess; - struct rte_crypto_op *cop = 0; - u16 qp_index; + struct rte_mbuf *mb0 = 0; + struct rte_crypto_op *op; + u16 res_idx; bi0 = from[0]; from += 1; n_left_from -= 1; b0 = vlib_get_buffer (vm, bi0); + ih0 = vlib_buffer_get_current (b0); + mb0 = rte_mbuf_from_vlib_buffer (b0); + + /* ih0/ih6_0 */ + CLIB_PREFETCH (ih0, sizeof (ih6_0[0]), LOAD); + /* f0 */ + CLIB_PREFETCH (vlib_buffer_get_tail (b0), 20, STORE); + /* mb0 */ + CLIB_PREFETCH (mb0, CLIB_CACHE_LINE_BYTES, STORE); + + op = ops[0]; + ops += 1; + ASSERT (op->status == RTE_CRYPTO_OP_STATUS_NOT_PROCESSED); + + dpdk_op_priv_t *priv = crypto_op_get_priv (op); + + u16 op_len = + sizeof (op[0]) + sizeof (op[0].sym[0]) + sizeof (priv[0]); + CLIB_PREFETCH (op, op_len, STORE); + sa_index0 = vnet_buffer (b0)->ipsec.sad_index; - sa0 = pool_elt_at_index (im->sad, sa_index0); + + if (sa_index0 != last_sa_index) + { + last_sa_index = sa_index0; + + sa0 = pool_elt_at_index (im->sad, sa_index0); + + cipher_alg = + vec_elt_at_index (dcm->cipher_algs, sa0->crypto_alg); + auth_alg = vec_elt_at_index (dcm->auth_algs, sa0->integ_alg); + +#if DPDK_NO_AEAD + is_aead = ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || + (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || + (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)); +#else + is_aead = (cipher_alg->type == RTE_CRYPTO_SYM_XFORM_AEAD); +#endif + + if (is_aead) + auth_alg = cipher_alg; + + res_idx = get_resource (cwm, sa0); + + if (PREDICT_FALSE (res_idx == (u16) ~ 0)) + { + clib_warning ("unsupported SA by thread index %u", + thread_idx); + vlib_node_increment_counter (vm, + dpdk_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_NOSUP, 1); + to_next[0] = bi0; + to_next += 1; + n_left_to_next -= 1; + goto trace; + } + res = vec_elt_at_index (dcm->resource, res_idx); + + error = crypto_get_session (&session, sa_index0, res, cwm, 1); + if (PREDICT_FALSE (error || !session)) + { + clib_warning ("failed to get crypto session"); + vlib_node_increment_counter (vm, + dpdk_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_SESSION, 1); + to_next[0] = bi0; + to_next += 1; + n_left_to_next -= 1; + goto trace; + } + } if (PREDICT_FALSE (esp_seq_advance (sa0))) { @@ -168,272 +253,232 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, goto trace; } - sa0->total_data_size += b0->current_length; - - sa_sess = pool_elt_at_index (cwm->sa_sess_d[1], sa_index0); - if (PREDICT_FALSE (!sa_sess->sess)) - { - int ret = create_sym_sess (sa0, sa_sess, 1); - - if (PREDICT_FALSE (ret)) - { - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - goto trace; - } - } + orig_sz = b0->current_length; - qp_index = sa_sess->qp_index; - sess = sa_sess->sess; + /* TODO multi-seg support - total_length_not_including_first_buffer */ + sa0->total_data_size += b0->current_length; - ASSERT (vec_len (vec_elt (cwm->qp_data, qp_index).free_cops) > 0); - cop = vec_pop (vec_elt (cwm->qp_data, qp_index).free_cops); - ASSERT (cop->status == RTE_CRYPTO_OP_STATUS_NOT_PROCESSED); + res->ops[res->n_ops] = op; + res->bi[res->n_ops] = bi0; + res->n_ops += 1; - cops_to_enq[qp_index][0] = cop; - cops_to_enq[qp_index] += 1; - n_cop_qp[qp_index] += 1; - bi_to_enq[qp_index][0] = bi0; - bi_to_enq[qp_index] += 1; + dpdk_gcm_cnt_blk *icb = &priv->cb; - ssize_t adv; - iv_size = em->esp_crypto_algs[sa0->crypto_alg].iv_len; - if (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) - trunc_size = 16; - else - trunc_size = em->esp_integ_algs[sa0->integ_alg].trunc_size; + crypto_set_icb (icb, sa0->salt, sa0->seq, sa0->seq_hi); - ih0 = vlib_buffer_get_current (b0); - orig_sz = b0->current_length; is_ipv6 = (ih0->ip4.ip_version_and_header_length & 0xF0) == 0x60; - /* is ipv6 */ - if (PREDICT_TRUE (sa0->is_tunnel)) - { - if (PREDICT_TRUE (!is_ipv6)) - adv = -sizeof (ip4_and_esp_header_t); - else - adv = -sizeof (ip6_and_esp_header_t); - } - else - { - adv = -sizeof (esp_header_t); - if (PREDICT_TRUE (!is_ipv6)) - orig_sz -= sizeof (ip4_header_t); - else - orig_sz -= sizeof (ip6_header_t); - } - - /*transport mode save the eth header before it is overwritten */ - if (PREDICT_FALSE (!sa0->is_tunnel)) - { - ethernet_header_t *ieh0 = (ethernet_header_t *) - ((u8 *) vlib_buffer_get_current (b0) - - sizeof (ethernet_header_t)); - ethernet_header_t *oeh0 = - (ethernet_header_t *) ((u8 *) ieh0 + (adv - iv_size)); - clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); - } - - vlib_buffer_advance (b0, adv - iv_size); - /* XXX IP6/ip4 and IP4/IP6 not supported, only IP4/IP4 and IP6/IP6 */ + iv_size = cipher_alg->iv_len; + trunc_size = auth_alg->trunc_size; - /* is ipv6 */ - if (PREDICT_FALSE (is_ipv6)) + if (sa0->is_tunnel) { - ih6_0 = (ip6_and_esp_header_t *) ih0; - ip_hdr_size = sizeof (ip6_header_t); - oh6_0 = vlib_buffer_get_current (b0); - - if (PREDICT_TRUE (sa0->is_tunnel)) + if (!is_ipv6 && !sa0->is_tunnel_ip6) /* ip4inip4 */ + { + /* in tunnel mode send it back to FIB */ + priv->next = DPDK_CRYPTO_INPUT_NEXT_IP4_LOOKUP; + u8 adv = + sizeof (ip4_header_t) + sizeof (esp_header_t) + iv_size; + vlib_buffer_advance (b0, -adv); + oh0 = vlib_buffer_get_current (b0); + next_hdr_type = IP_PROTOCOL_IP_IN_IP; + /* + * oh0->ip4.ip_version_and_header_length = 0x45; + * oh0->ip4.tos = ih0->ip4.tos; + * oh0->ip4.fragment_id = 0; + * oh0->ip4.flags_and_fragment_offset = 0; + */ + oh0->ip4.checksum_data_64[0] = + clib_host_to_net_u64 (0x45ULL << 56); + /* + * oh0->ip4.ttl = 254; + * oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP; + */ + oh0->ip4.checksum_data_32[2] = + clib_host_to_net_u32 (0xfe320000); + + oh0->ip4.src_address.as_u32 = + sa0->tunnel_src_addr.ip4.as_u32; + oh0->ip4.dst_address.as_u32 = + sa0->tunnel_dst_addr.ip4.as_u32; + esp0 = &oh0->esp; + oh0->esp.spi = clib_host_to_net_u32 (sa0->spi); + oh0->esp.seq = clib_host_to_net_u32 (sa0->seq); + } + else if (is_ipv6 && sa0->is_tunnel_ip6) /* ip6inip6 */ { + /* in tunnel mode send it back to FIB */ + priv->next = DPDK_CRYPTO_INPUT_NEXT_IP6_LOOKUP; + + u8 adv = + sizeof (ip6_header_t) + sizeof (esp_header_t) + iv_size; + vlib_buffer_advance (b0, -adv); + ih6_0 = (ip6_and_esp_header_t *) ih0; + oh6_0 = vlib_buffer_get_current (b0); + next_hdr_type = IP_PROTOCOL_IPV6; + oh6_0->ip6.ip_version_traffic_class_and_flow_label = ih6_0->ip6.ip_version_traffic_class_and_flow_label; + + oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_ESP; + oh6_0->ip6.hop_limit = 254; + oh6_0->ip6.src_address.as_u64[0] = + sa0->tunnel_src_addr.ip6.as_u64[0]; + oh6_0->ip6.src_address.as_u64[1] = + sa0->tunnel_src_addr.ip6.as_u64[1]; + oh6_0->ip6.dst_address.as_u64[0] = + sa0->tunnel_dst_addr.ip6.as_u64[0]; + oh6_0->ip6.dst_address.as_u64[1] = + sa0->tunnel_dst_addr.ip6.as_u64[1]; + esp0 = &oh6_0->esp; + oh6_0->esp.spi = clib_host_to_net_u32 (sa0->spi); + oh6_0->esp.seq = clib_host_to_net_u32 (sa0->seq); } - else + else /* unsupported ip4inip6, ip6inip4 */ { - next_hdr_type = ih6_0->ip6.protocol; - memmove (oh6_0, ih6_0, sizeof (ip6_header_t)); + vlib_node_increment_counter (vm, + dpdk_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_NOSUP, 1); + to_next[0] = bi0; + to_next += 1; + n_left_to_next -= 1; + goto trace; } - - oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_ESP; - oh6_0->ip6.hop_limit = 254; - oh6_0->esp.spi = clib_net_to_host_u32 (sa0->spi); - oh6_0->esp.seq = clib_net_to_host_u32 (sa0->seq); + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } - else + else /* transport mode */ { - ip_hdr_size = sizeof (ip4_header_t); - oh0 = vlib_buffer_get_current (b0); - - if (PREDICT_TRUE (sa0->is_tunnel)) + priv->next = DPDK_CRYPTO_INPUT_NEXT_INTERFACE_OUTPUT; + u16 rewrite_len = vnet_buffer (b0)->ip.save_rewrite_length; + u16 adv = sizeof (esp_header_t) + iv_size; + vlib_buffer_advance (b0, -rewrite_len - adv); + u8 *src = ((u8 *) ih0) - rewrite_len; + u8 *dst = vlib_buffer_get_current (b0); + oh0 = (ip4_and_esp_header_t *) (dst + rewrite_len); + + if (is_ipv6) { - next_hdr_type = IP_PROTOCOL_IP_IN_IP; - oh0->ip4.tos = ih0->ip4.tos; + orig_sz -= sizeof (ip6_header_t); + ih6_0 = (ip6_and_esp_header_t *) ih0; + next_hdr_type = ih6_0->ip6.protocol; + memmove (dst, src, rewrite_len + sizeof (ip6_header_t)); + oh6_0 = (ip6_and_esp_header_t *) oh0; + oh6_0->ip6.protocol = IP_PROTOCOL_IPSEC_ESP; + esp0 = &oh6_0->esp; } - else + else /* ipv4 */ { + orig_sz -= ip4_header_bytes (&ih0->ip4); next_hdr_type = ih0->ip4.protocol; - memmove (oh0, ih0, sizeof (ip4_header_t)); + memmove (dst, src, + rewrite_len + ip4_header_bytes (&ih0->ip4)); + oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP; + esp0 = + (esp_header_t *) (oh6_0 + ip4_header_bytes (&ih0->ip4)); } - - oh0->ip4.ip_version_and_header_length = 0x45; - oh0->ip4.fragment_id = 0; - oh0->ip4.flags_and_fragment_offset = 0; - oh0->ip4.ttl = 254; - oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP; - oh0->esp.spi = clib_net_to_host_u32 (sa0->spi); - oh0->esp.seq = clib_net_to_host_u32 (sa0->seq); + esp0->spi = clib_host_to_net_u32 (sa0->spi); + esp0->seq = clib_host_to_net_u32 (sa0->seq); } - if (PREDICT_TRUE - (!is_ipv6 && sa0->is_tunnel && !sa0->is_tunnel_ip6)) - { - oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; - oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; + ASSERT (is_pow2 (cipher_alg->boundary)); + u16 mask = cipher_alg->boundary - 1; + u16 pad_payload_len = ((orig_sz + 2) + mask) & ~mask; + u8 pad_bytes = pad_payload_len - 2 - orig_sz; - /* in tunnel mode send it back to FIB */ - next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - } - else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6) + u8 *padding = + vlib_buffer_put_uninit (b0, pad_bytes + 2 + trunc_size); + + if (pad_bytes) + clib_memcpy (padding, pad_data, 16); + + f0 = (esp_footer_t *) (padding + pad_bytes); + f0->pad_length = pad_bytes; + f0->next_header = next_hdr_type; + + if (is_ipv6) { - oh6_0->ip6.src_address.as_u64[0] = - sa0->tunnel_src_addr.ip6.as_u64[0]; - oh6_0->ip6.src_address.as_u64[1] = - sa0->tunnel_src_addr.ip6.as_u64[1]; - oh6_0->ip6.dst_address.as_u64[0] = - sa0->tunnel_dst_addr.ip6.as_u64[0]; - oh6_0->ip6.dst_address.as_u64[1] = - sa0->tunnel_dst_addr.ip6.as_u64[1]; - - /* in tunnel mode send it back to FIB */ - next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + u16 len = b0->current_length - sizeof (ip6_header_t); + oh6_0->ip6.payload_length = clib_host_to_net_u16 (len); } else { - next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT; - transport_mode = 1; + oh0->ip4.length = clib_host_to_net_u16 (b0->current_length); + oh0->ip4.checksum = ip4_header_checksum (&oh0->ip4); } - int blocks = 1 + (orig_sz + 1) / BLOCK_SIZE; - - /* pad packet in input buffer */ - u8 pad_bytes = BLOCK_SIZE * blocks - 2 - orig_sz; - u8 i; - u8 *padding = vlib_buffer_get_current (b0) + b0->current_length; - - for (i = 0; i < pad_bytes; ++i) - padding[i] = i + 1; - - f0 = vlib_buffer_get_current (b0) + b0->current_length + pad_bytes; - f0->pad_length = pad_bytes; - f0->next_header = next_hdr_type; - b0->current_length += pad_bytes + 2 + trunc_size; - vnet_buffer (b0)->sw_if_index[VLIB_RX] = vnet_buffer (b0)->sw_if_index[VLIB_RX]; b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID; - struct rte_crypto_sym_op *sym_cop; - sym_cop = (struct rte_crypto_sym_op *) (cop + 1); + /* mbuf packet starts at ESP header */ + mb0->data_len = vlib_buffer_get_tail (b0) - ((u8 *) esp0); + mb0->pkt_len = vlib_buffer_get_tail (b0) - ((u8 *) esp0); + mb0->data_off = ((void *) esp0) - mb0->buf_addr; - dpdk_cop_priv_t *priv = (dpdk_cop_priv_t *) (sym_cop + 1); - - vnet_buffer (b0)->unused[0] = next0; - - mb0 = rte_mbuf_from_vlib_buffer (b0); - mb0->data_len = b0->current_length; - mb0->pkt_len = b0->current_length; - mb0->data_off = RTE_PKTMBUF_HEADROOM + b0->current_data; - - dpdk_gcm_cnt_blk *icb = &priv->cb; - - crypto_set_icb (icb, sa0->salt, sa0->seq, sa0->seq_hi); - - u8 is_aead = sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128; u32 cipher_off, cipher_len; - u32 auth_off = 0, auth_len = 0, aad_size = 0; - u8 *aad = NULL, *digest = NULL; + u32 auth_len = 0, aad_size = 0; + u32 *aad = NULL; + u8 *digest = vlib_buffer_get_tail (b0) - trunc_size; - if (is_aead) + if (cipher_alg->alg == RTE_CRYPTO_CIPHER_AES_CBC) { - u32 *esp_iv = - (u32 *) (b0->data + b0->current_data + ip_hdr_size + - sizeof (esp_header_t)); + cipher_off = sizeof (esp_header_t); + cipher_len = iv_size + pad_payload_len; + } + else /* CTR/GCM */ + { + u32 *esp_iv = (u32 *) (esp0 + 1); esp_iv[0] = sa0->seq; esp_iv[1] = sa0->seq_hi; - cipher_off = ip_hdr_size + sizeof (esp_header_t) + iv_size; - cipher_len = BLOCK_SIZE * blocks; - iv_size = 16; /* GCM IV size, not ESP IV size */ + cipher_off = sizeof (esp_header_t) + iv_size; + cipher_len = pad_payload_len; + + iv_size = 12; /* CTR/GCM IV size, not ESP IV size */ + } + + if (is_aead) + { + aad = (u32 *) priv->aad; + aad[0] = clib_host_to_net_u32 (sa0->spi); + aad[1] = clib_host_to_net_u32 (sa0->seq); - aad = priv->aad; - clib_memcpy (aad, vlib_buffer_get_current (b0) + ip_hdr_size, - 8); - aad_size = 8; - if (PREDICT_FALSE (sa0->use_esn)) + if (sa0->use_esn) { - *((u32 *) & aad[8]) = sa0->seq_hi; + aad[2] = clib_host_to_net_u32 (sa0->seq_hi); aad_size = 12; } - - digest = - vlib_buffer_get_current (b0) + b0->current_length - - trunc_size; + else + aad_size = 8; } else { - cipher_off = ip_hdr_size + sizeof (esp_header_t); - cipher_len = BLOCK_SIZE * blocks + iv_size; - - auth_off = ip_hdr_size; - auth_len = b0->current_length - ip_hdr_size - trunc_size; - - digest = - vlib_buffer_get_current (b0) + b0->current_length - - trunc_size; - - if (PREDICT_FALSE (sa0->use_esn)) + auth_len = + vlib_buffer_get_tail (b0) - ((u8 *) esp0) - trunc_size; + if (sa0->use_esn) { *((u32 *) digest) = sa0->seq_hi; - auth_len += sizeof (sa0->seq_hi); + auth_len += 4; } } - crypto_op_setup (is_aead, mb0, cop, sess, + crypto_op_setup (is_aead, mb0, op, session, cipher_off, cipher_len, (u8 *) icb, iv_size, - auth_off, auth_len, aad, aad_size, + 0, auth_len, (u8 *) aad, aad_size, digest, 0, trunc_size); - if (PREDICT_FALSE (is_ipv6)) - { - oh6_0->ip6.payload_length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) - - sizeof (ip6_header_t)); - } - else - { - oh0->ip4.length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0)); - oh0->ip4.checksum = ip4_header_checksum (&oh0->ip4); - } - - if (transport_mode) - vlib_buffer_advance (b0, -sizeof (ethernet_header_t)); - trace: if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) { esp_encrypt_trace_t *tr = vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; tr->crypto_alg = sa0->crypto_alg; tr->integ_alg = sa0->integ_alg; + u8 *p = vlib_buffer_get_current (b0); + if (!sa0->is_tunnel) + p += vnet_buffer (b0)->ip.save_rewrite_length; + clib_memcpy (tr->packet_data, p, sizeof (tr->packet_data)); } } vlib_put_next_frame (vm, node, next_index, n_left_to_next); @@ -441,31 +486,11 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index, ESP_ENCRYPT_ERROR_RX_PKTS, from_frame->n_vectors); - crypto_qp_data_t *qpd; - /* *INDENT-OFF* */ - vec_foreach_index (i, cwm->qp_data) - { - u32 enq; - - if (!n_cop_qp[i]) - continue; - qpd = vec_elt_at_index(cwm->qp_data, i); - enq = rte_cryptodev_enqueue_burst(qpd->dev_id, qpd->qp_id, - qpd->cops, n_cop_qp[i]); - qpd->inflights += enq; + crypto_enqueue_ops (vm, cwm, 1, dpdk_esp_encrypt_node.index, + ESP_ENCRYPT_ERROR_ENQ_FAIL, numa); - if (PREDICT_FALSE(enq < n_cop_qp[i])) - { - crypto_free_cop (qpd, &qpd->cops[enq], n_cop_qp[i] - enq); - vlib_buffer_free (vm, &qpd->bi[enq], n_cop_qp[i] - enq); - - vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_ENQ_FAIL, - n_cop_qp[i] - enq); - } - } - /* *INDENT-ON* */ + crypto_free_ops (numa, ops, cwm->ops + from_frame->n_vectors - ops); return from_frame->n_vectors; } @@ -488,103 +513,6 @@ VLIB_REGISTER_NODE (dpdk_esp_encrypt_node) = { /* *INDENT-ON* */ VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp_encrypt_node, dpdk_esp_encrypt_node_fn) -/* - * ESP Encrypt Post Node - */ -#define foreach_esp_encrypt_post_error \ - _(PKTS, "ESP post pkts") - typedef enum - { -#define _(sym,str) ESP_ENCRYPT_POST_ERROR_##sym, - foreach_esp_encrypt_post_error -#undef _ - ESP_ENCRYPT_POST_N_ERROR, - } esp_encrypt_post_error_t; - - static char *esp_encrypt_post_error_strings[] = { -#define _(sym,string) string, - foreach_esp_encrypt_post_error -#undef _ - }; - -vlib_node_registration_t dpdk_esp_encrypt_post_node; - -static u8 * -format_esp_encrypt_post_trace (u8 * s, va_list * args) -{ - return s; -} - -static uword -dpdk_esp_encrypt_post_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - u32 n_left_from, *from, *to_next = 0, next_index; - - from = vlib_frame_vector_args (from_frame); - n_left_from = from_frame->n_vectors; - - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, next0; - vlib_buffer_t *b0 = 0; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - - to_next[0] = bi0; - to_next += 1; - - next0 = vnet_buffer (b0)->unused[0]; - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, bi0, - next0); - } - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, dpdk_esp_encrypt_post_node.index, - ESP_ENCRYPT_POST_ERROR_PKTS, - from_frame->n_vectors); - - return from_frame->n_vectors; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpdk_esp_encrypt_post_node) = { - .function = dpdk_esp_encrypt_post_node_fn, - .name = "dpdk-esp-encrypt-post", - .vector_size = sizeof (u32), - .format_trace = format_esp_encrypt_post_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (esp_encrypt_post_error_strings), - .error_strings = esp_encrypt_post_error_strings, - .n_next_nodes = ESP_ENCRYPT_N_NEXT, - .next_nodes = - { -#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n, - foreach_esp_encrypt_next -#undef _ - } -}; -/* *INDENT-ON* */ - -VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp_encrypt_post_node, - dpdk_esp_encrypt_post_node_fn) /* * fd.io coding-style-patch-verification: ON * -- cgit 1.2.3-korg