FD.io VPP  v17.07.01-10-g3be13f0
Vector Packet Processing
esp.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2016 Intel and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __DPDK_ESP_H__
16 #define __DPDK_ESP_H__
17 
18 #include <dpdk/ipsec/ipsec.h>
19 #include <vnet/ipsec/ipsec.h>
20 #include <vnet/ipsec/esp.h>
21 
22 typedef struct
23 {
24  enum rte_crypto_cipher_algorithm algo;
25  u8 key_len;
26  u8 iv_len;
27 } dpdk_esp_crypto_alg_t;
28 
29 typedef struct
30 {
31  enum rte_crypto_auth_algorithm algo;
32  u8 trunc_size;
33 } dpdk_esp_integ_alg_t;
34 
35 typedef struct
36 {
37  dpdk_esp_crypto_alg_t *esp_crypto_algs;
38  dpdk_esp_integ_alg_t *esp_integ_algs;
39 } dpdk_esp_main_t;
40 
41 dpdk_esp_main_t dpdk_esp_main;
42 
43 static_always_inline void
44 dpdk_esp_init ()
45 {
46  dpdk_esp_main_t *em = &dpdk_esp_main;
47  dpdk_esp_integ_alg_t *i;
48  dpdk_esp_crypto_alg_t *c;
49 
50  vec_validate (em->esp_crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
51 
52  c = &em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128];
53  c->algo = RTE_CRYPTO_CIPHER_AES_CBC;
54  c->key_len = 16;
55  c->iv_len = 16;
56 
57  c = &em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192];
58  c->algo = RTE_CRYPTO_CIPHER_AES_CBC;
59  c->key_len = 24;
60  c->iv_len = 16;
61 
62  c = &em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256];
63  c->algo = RTE_CRYPTO_CIPHER_AES_CBC;
64  c->key_len = 32;
65  c->iv_len = 16;
66 
67  c = &em->esp_crypto_algs[IPSEC_CRYPTO_ALG_AES_GCM_128];
68  c->algo = RTE_CRYPTO_CIPHER_AES_GCM;
69  c->key_len = 16;
70  c->iv_len = 8;
71 
72  vec_validate (em->esp_integ_algs, IPSEC_INTEG_N_ALG - 1);
73 
74  i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA1_96];
75  i->algo = RTE_CRYPTO_AUTH_SHA1_HMAC;
76  i->trunc_size = 12;
77 
78  i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
79  i->algo = RTE_CRYPTO_AUTH_SHA256_HMAC;
80  i->trunc_size = 12;
81 
82  i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
83  i->algo = RTE_CRYPTO_AUTH_SHA256_HMAC;
84  i->trunc_size = 16;
85 
86  i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
87  i->algo = RTE_CRYPTO_AUTH_SHA384_HMAC;
88  i->trunc_size = 24;
89 
90  i = &em->esp_integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
91  i->algo = RTE_CRYPTO_AUTH_SHA512_HMAC;
92  i->trunc_size = 32;
93 
94  i = &em->esp_integ_algs[IPSEC_INTEG_ALG_AES_GCM_128];
95  i->algo = RTE_CRYPTO_AUTH_AES_GCM;
96  i->trunc_size = 16;
97 }
98 
99 static_always_inline int
100 translate_crypto_algo (ipsec_crypto_alg_t crypto_algo,
101  struct rte_crypto_sym_xform *cipher_xform)
102 {
103  switch (crypto_algo)
104  {
105  case IPSEC_CRYPTO_ALG_NONE:
106  cipher_xform->cipher.algo = RTE_CRYPTO_CIPHER_NULL;
107  break;
108  case IPSEC_CRYPTO_ALG_AES_CBC_128:
109  case IPSEC_CRYPTO_ALG_AES_CBC_192:
110  case IPSEC_CRYPTO_ALG_AES_CBC_256:
111  cipher_xform->cipher.algo = RTE_CRYPTO_CIPHER_AES_CBC;
112  break;
113  case IPSEC_CRYPTO_ALG_AES_GCM_128:
114  cipher_xform->cipher.algo = RTE_CRYPTO_CIPHER_AES_GCM;
115  break;
116  default:
117  return -1;
118  }
119 
120  cipher_xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
121 
122  return 0;
123 }
124 
125 static_always_inline int
126 translate_integ_algo (ipsec_integ_alg_t integ_alg,
127  struct rte_crypto_sym_xform *auth_xform, int use_esn)
128 {
129  switch (integ_alg)
130  {
131  case IPSEC_INTEG_ALG_NONE:
132  auth_xform->auth.algo = RTE_CRYPTO_AUTH_NULL;
133  auth_xform->auth.digest_length = 0;
134  break;
135  case IPSEC_INTEG_ALG_SHA1_96:
136  auth_xform->auth.algo = RTE_CRYPTO_AUTH_SHA1_HMAC;
137  auth_xform->auth.digest_length = 12;
138  break;
139  case IPSEC_INTEG_ALG_SHA_256_96:
140  auth_xform->auth.algo = RTE_CRYPTO_AUTH_SHA256_HMAC;
141  auth_xform->auth.digest_length = 12;
142  break;
143  case IPSEC_INTEG_ALG_SHA_256_128:
144  auth_xform->auth.algo = RTE_CRYPTO_AUTH_SHA256_HMAC;
145  auth_xform->auth.digest_length = 16;
146  break;
147  case IPSEC_INTEG_ALG_SHA_384_192:
148  auth_xform->auth.algo = RTE_CRYPTO_AUTH_SHA384_HMAC;
149  auth_xform->auth.digest_length = 24;
150  break;
151  case IPSEC_INTEG_ALG_SHA_512_256:
152  auth_xform->auth.algo = RTE_CRYPTO_AUTH_SHA512_HMAC;
153  auth_xform->auth.digest_length = 32;
154  break;
155  case IPSEC_INTEG_ALG_AES_GCM_128:
156  auth_xform->auth.algo = RTE_CRYPTO_AUTH_AES_GCM;
157  auth_xform->auth.digest_length = 16;
158  auth_xform->auth.add_auth_data_length = use_esn ? 12 : 8;
159  break;
160  default:
161  return -1;
162  }
163 
164  auth_xform->type = RTE_CRYPTO_SYM_XFORM_AUTH;
165 
166  return 0;
167 }
168 
169 static_always_inline int
170 create_sym_sess (ipsec_sa_t * sa, crypto_sa_session_t * sa_sess,
171  u8 is_outbound)
172 {
173  u32 thread_index = vlib_get_thread_index ();
174  dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
175  crypto_worker_main_t *cwm = &dcm->workers_main[thread_index];
176  struct rte_crypto_sym_xform cipher_xform = { 0 };
177  struct rte_crypto_sym_xform auth_xform = { 0 };
178  struct rte_crypto_sym_xform *xfs;
179  uword key = 0, *data;
180  crypto_worker_qp_key_t *p_key = (crypto_worker_qp_key_t *) & key;
181 
182  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
183  {
184  sa->crypto_key_len -= 4;
185  clib_memcpy (&sa->salt, &sa->crypto_key[sa->crypto_key_len], 4);
186  }
187  else
188  {
189  u32 seed = (u32) clib_cpu_time_now ();
190  sa->salt = random_u32 (&seed);
191  }
192 
193  cipher_xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
194  cipher_xform.cipher.key.data = sa->crypto_key;
195  cipher_xform.cipher.key.length = sa->crypto_key_len;
196 
197  auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH;
198  auth_xform.auth.key.data = sa->integ_key;
199  auth_xform.auth.key.length = sa->integ_key_len;
200 
201  if (translate_crypto_algo (sa->crypto_alg, &cipher_xform) < 0)
202  return -1;
203  p_key->cipher_algo = cipher_xform.cipher.algo;
204 
205  if (translate_integ_algo (sa->integ_alg, &auth_xform, sa->use_esn) < 0)
206  return -1;
207  p_key->auth_algo = auth_xform.auth.algo;
208 
209  if (is_outbound)
210  {
211  cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT;
212  auth_xform.auth.op = RTE_CRYPTO_AUTH_OP_GENERATE;
213  cipher_xform.next = &auth_xform;
214  xfs = &cipher_xform;
215  }
216  else
217  {
218  cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_DECRYPT;
219  auth_xform.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
220  auth_xform.next = &cipher_xform;
221  xfs = &auth_xform;
222  }
223 
224  p_key->is_outbound = is_outbound;
225 
226  data = hash_get (cwm->algo_qp_map, key);
227  if (!data)
228  return -1;
229 
230  sa_sess->sess =
231  rte_cryptodev_sym_session_create (cwm->qp_data[*data].dev_id, xfs);
232 
233  if (!sa_sess->sess)
234  return -1;
235 
236  sa_sess->qp_index = (u8) * data;
237 
238  return 0;
239 }
240 
241 #endif /* __DPDK_ESP_H__ */
242 
243 /*
244  * fd.io coding-style-patch-verification: ON
245  *
246  * Local Variables:
247  * eval: (c-set-style "gnu")
248  * End:
249  */
vec_validate
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:436
translate_crypto_algo
static_always_inline int translate_crypto_algo(ipsec_crypto_alg_t crypto_algo, struct rte_crypto_sym_xform *cipher_xform)
Definition: esp.h:100
dpdk_esp_integ_alg_t::trunc_size
u8 trunc_size
Definition: esp.h:32
i
sll srl srl sll sra u16x4 i
Definition: vector_sse2.h:337
crypto_worker_qp_key_t::auth_algo
u8 auth_algo
Definition: ipsec.h:54
ipsec_sa_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:110
crypto_sa_session_t
Definition: ipsec.h:69
clib_cpu_time_now
static u64 clib_cpu_time_now(void)
Definition: time.h:73
ipsec_sa_t::crypto_key
u8 crypto_key[128]
Definition: ipsec.h:108
dpdk_crypto_main
dpdk_crypto_main_t dpdk_crypto_main
Definition: ipsec.h:89
dpdk_esp_init
static_always_inline void dpdk_esp_init()
Definition: esp.h:44
crypto_worker_qp_key_t::is_outbound
u8 is_outbound
Definition: ipsec.h:55
dpdk_esp_integ_alg_t
Definition: esp.h:29
crypto_worker_main_t::algo_qp_map
uword * algo_qp_map
Definition: ipsec.h:79
static_always_inline
#define static_always_inline
Definition: clib.h:85
ipsec_sa_t::integ_key
u8 integ_key[128]
Definition: ipsec.h:112
translate_integ_algo
static_always_inline int translate_integ_algo(ipsec_integ_alg_t integ_alg, struct rte_crypto_sym_xform *auth_xform, int use_esn)
Definition: esp.h:126
ipsec_sa_t::use_esn
u8 use_esn
Definition: ipsec.h:114
dpdk_esp_main
dpdk_esp_main_t dpdk_esp_main
Definition: esp.h:41
dpdk_esp_main_t::esp_integ_algs
dpdk_esp_integ_alg_t * esp_integ_algs
Definition: esp.h:38
crypto_sa_session_t::sess
void * sess
Definition: ipsec.h:72
dpdk_esp_main_t::esp_crypto_algs
dpdk_esp_crypto_alg_t * esp_crypto_algs
Definition: esp.h:37
hash_get
#define hash_get(h, key)
Definition: hash.h:248
dpdk_esp_main_t
Definition: esp.h:35
ipsec_integ_alg_t
ipsec_integ_alg_t
Definition: ipsec.h:86
ipsec_sa_t::salt
u32 salt
Definition: ipsec.h:122
ipsec_sa_t
Definition: ipsec.h:100
c
svmdb_client_t * c
Definition: vpp_get_metrics.c:49
vlib_get_thread_index
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:185
clib_memcpy
#define clib_memcpy(a, b, c)
Definition: string.h:69
crypto_worker_main_t
Definition: ipsec.h:75
dpdk_esp_integ_alg_t::algo
enum rte_crypto_auth_algorithm algo
Definition: esp.h:31
u32
unsigned int u32
Definition: types.h:88
crypto_sa_session_t::qp_index
u8 qp_index
Definition: ipsec.h:71
ipsec_crypto_alg_t
ipsec_crypto_alg_t
Definition: ipsec.h:68
dpdk_crypto_main_t::workers_main
crypto_worker_main_t * workers_main
Definition: ipsec.h:85
ipsec_sa_t::integ_key_len
u8 integ_key_len
Definition: ipsec.h:111
dpdk_crypto_main_t
Definition: ipsec.h:82
crypto_worker_main_t::qp_data
crypto_qp_data_t * qp_data
Definition: ipsec.h:78
dpdk_esp_crypto_alg_t::key_len
u8 key_len
Definition: esp.h:25
uword
u64 uword
Definition: types.h:112
ipsec_sa_t::crypto_key_len
u8 crypto_key_len
Definition: ipsec.h:107
crypto_worker_qp_key_t::cipher_algo
u8 cipher_algo
Definition: ipsec.h:53
u8
unsigned char u8
Definition: types.h:56
crypto_worker_qp_key_t
Definition: ipsec.h:51
dpdk_esp_crypto_alg_t::iv_len
u8 iv_len
Definition: esp.h:26
random_u32
static u32 random_u32(u32 *seed)
32-bit random number generator
Definition: random.h:69
ipsec_sa_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:106
dpdk_esp_crypto_alg_t::algo
enum rte_crypto_cipher_algorithm algo
Definition: esp.h:24
crypto_qp_data_t::dev_id
u16 dev_id
Definition: ipsec.h:60
dpdk_esp_crypto_alg_t
Definition: esp.h:22
create_sym_sess
static_always_inline int create_sym_sess(ipsec_sa_t *sa, crypto_sa_session_t *sa_sess, u8 is_outbound)
Definition: esp.h:170