summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXavier Simonart <xavier.simonart@intel.com>2019-10-23 12:38:51 +0200
committerXavier Simonart <xavier.simonart@intel.com>2019-10-23 12:49:35 +0200
commitf456ab65201f5fa6b7bad2f0f95ec15d5c3827e1 (patch)
tree43880ee0249094dd7e7f4c74ea88cbe7e83c6a38
parentb2a34639125dde4c6da7fc840d25a20c3f5caa90 (diff)
Added support for DPDK 19.05 / IPSec
Note that since 6073b359 (April 2018) IPsec PROX support requires at least DPDK 17.11. Hence README has been updated. Change-Id: I34b7a968c16db5c3a3fc7bb6af111fdb49ad6b91 Signed-off-by: Xavier Simonart <xavier.simonart@intel.com>
-rw-r--r--VNFs/DPPD-PROX/README2
-rw-r--r--VNFs/DPPD-PROX/handle_esp.c46
-rw-r--r--VNFs/DPPD-PROX/prox_compat.h32
3 files changed, 52 insertions, 28 deletions
diff --git a/VNFs/DPPD-PROX/README b/VNFs/DPPD-PROX/README
index 8f2b775..b4ccc2e 100644
--- a/VNFs/DPPD-PROX/README
+++ b/VNFs/DPPD-PROX/README
@@ -32,7 +32,7 @@ The following commands assume that the following variables have been set:
export RTE_SDK=/path/to/dpdk
export RTE_TARGET=x86_64-native-linuxapp-gcc
-IPSec is only supported in PROX starting from DPDK 17.02
+IPSec is only supported in PROX starting from DPDK 17.11
It will only be compiled if CONFIG_RTE_LIBRTE_PMD_AESNI_MB is
set in DPDK .config. This also requires AESNI_MULTI_BUFFER_LIB_PATH to point to
the multi-buffer library which can be downloaded from
diff --git a/VNFs/DPPD-PROX/handle_esp.c b/VNFs/DPPD-PROX/handle_esp.c
index 0d359c6..31969de 100644
--- a/VNFs/DPPD-PROX/handle_esp.c
+++ b/VNFs/DPPD-PROX/handle_esp.c
@@ -99,12 +99,6 @@ static uint8_t aes_cbc_iv[] = {
0xE4, 0x23, 0x33, 0x8A, 0x35, 0x64, 0x61, 0xE2,
0x49, 0x03, 0xDD, 0xC6, 0xB8, 0xCA, 0x55, 0x7A };
-//RFC4303
-struct esp_hdr {
- uint32_t spi;
- uint32_t sn;
-};
-
static void printf_cdev_info(uint8_t cdev_id)
{
struct rte_cryptodev_info dev_info;
@@ -194,11 +188,10 @@ static void init_task_esp_enc(struct task_base *tbase, struct task_args *targ)
task->qp_id=0;
plog_info("enc: task->qp_id=%u\n", task->qp_id);
- struct rte_cryptodev_qp_conf qp_conf;
- //qp_conf.nb_descriptors = 4096;
+ struct prox_rte_cryptodev_qp_conf qp_conf;
qp_conf.nb_descriptors = 128;
- rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id,
- &qp_conf, rte_cryptodev_socket_id(task->cdev_id), task->session_pool);
+ qp_conf.mp_session = task->session_pool;
+ prox_rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id, &qp_conf, rte_cryptodev_socket_id(task->cdev_id));
int ret = rte_cryptodev_start(task->cdev_id);
PROX_PANIC(ret < 0, "Failed to start device\n");
@@ -295,11 +288,10 @@ static void init_task_esp_dec(struct task_base *tbase, struct task_args *targ)
task->qp_id=0;
plog_info("dec: task->qp_id=%u\n", task->qp_id);
- struct rte_cryptodev_qp_conf qp_conf;
- //qp_conf.nb_descriptors = 4096;
+ struct prox_rte_cryptodev_qp_conf qp_conf;
qp_conf.nb_descriptors = 128;
- rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id,
- &qp_conf, rte_cryptodev_socket_id(task->cdev_id), task->session_pool);
+ qp_conf.mp_session = task->session_pool;
+ prox_rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id, &qp_conf, rte_cryptodev_socket_id(task->cdev_id));
int ret = rte_cryptodev_start(task->cdev_id);
PROX_PANIC(ret < 0, "Failed to start device\n");
@@ -397,7 +389,7 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb
encrypt_len += padding;
}
- const int extra_space = sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC;
+ const int extra_space = sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC;
struct ether_addr src_mac = peth->s_addr;
struct ether_addr dst_mac = peth->d_addr;
@@ -427,7 +419,7 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb
pip4->time_to_live = ttl;
pip4->next_proto_id = IPPROTO_ESP; // 50 for ESP, ip in ip next proto trailer
pip4->version_ihl = version_ihl; // 20 bytes, ipv4
- pip4->total_length = rte_cpu_to_be_16(ipv4_length + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + padding + 1 + 1 + DIGEST_BYTE_LENGTH_SHA1); // iphdr+SPI+SN+IV+payload+padding+padlen+next header + crc + auth
+ pip4->total_length = rte_cpu_to_be_16(ipv4_length + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + padding + 1 + 1 + DIGEST_BYTE_LENGTH_SHA1); // iphdr+SPI+SN+IV+payload+padding+padlen+next header + crc + auth
pip4->packet_id = 0x0101;
pip4->type_of_service = 0;
pip4->time_to_live = 64;
@@ -438,12 +430,12 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb
*((u32*) data) = 0x2016; // FIXME SPI
*((u32*) data + 1) = 0x2; // FIXME SN
#else
- struct esp_hdr *pesp = (struct esp_hdr*)(pip4+1);
+ struct prox_esp_hdr *pesp = (struct prox_esp_hdr*)(pip4+1);
pesp->spi = src_addr;//for simplicity assume 1 tunnel per source ip
static u32 sn = 0;
- pesp->sn = ++sn;
+ pesp->seq = ++sn;
pesp->spi=0xAAAAAAAA;//debug
- pesp->sn =0xBBBBBBBB;//debug
+ pesp->seq =0xBBBBBBBB;//debug
#endif
u8 *padl = (u8*)data + (8 + encrypt_len - 2 + CIPHER_IV_LENGTH_AES_CBC); // No ESN yet. (-2 means NH is crypted)
//padl += CIPHER_IV_LENGTH_AES_CBC;
@@ -473,12 +465,12 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb
#else
//uint64_t *iv = (uint64_t *)(pesp + 1);
//memset(iv, 0, CIPHER_IV_LENGTH_AES_CBC);
- sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr);
+ sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr);
sym_cop->cipher.data.length = encrypt_len + CIPHER_IV_LENGTH_AES_CBC;
#endif
sym_cop->auth.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr);
- sym_cop->auth.data.length = sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + encrypt_len;// + 4;// FIXME
+ sym_cop->auth.data.length = sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + encrypt_len;// + 4;// FIXME
sym_cop->m_src = mbuf;
rte_crypto_op_attach_sym_session(cop, task->sess);
@@ -505,8 +497,8 @@ static inline uint8_t handle_esp_ah_dec(struct task_esp_dec *task, struct rte_mb
rte_crypto_op_attach_sym_session(cop, task->sess);
sym_cop->auth.digest.data = (unsigned char *)((unsigned char*)pip4 + ipv4_length - DIGEST_BYTE_LENGTH_SHA1);
- //sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr)); // FIXME
- sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr));
+ //sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr)); // FIXME
+ sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr));
//sym_cop->auth.digest.length = DIGEST_BYTE_LENGTH_SHA1;
//sym_cop->cipher.iv.data = (uint8_t *)data + 8;
@@ -518,7 +510,7 @@ static inline uint8_t handle_esp_ah_dec(struct task_esp_dec *task, struct rte_mb
aes_cbc_iv,
CIPHER_IV_LENGTH_AES_CBC);
#else
- uint8_t * iv = (uint8_t *)(pip4 + 1) + sizeof(struct esp_hdr);
+ uint8_t * iv = (uint8_t *)(pip4 + 1) + sizeof(struct prox_esp_hdr);
rte_memcpy(rte_crypto_op_ctod_offset(cop, uint8_t *, IV_OFFSET),
iv,
CIPHER_IV_LENGTH_AES_CBC);
@@ -527,7 +519,7 @@ static inline uint8_t handle_esp_ah_dec(struct task_esp_dec *task, struct rte_mb
sym_cop->auth.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr);
sym_cop->auth.data.length = ipv4_length - sizeof(struct ipv4_hdr) - 4 - CIPHER_IV_LENGTH_AES_CBC;
- sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC;
+ sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC;
sym_cop->cipher.data.length = ipv4_length - sizeof(struct ipv4_hdr) - CIPHER_IV_LENGTH_AES_CBC - 28; // FIXME
sym_cop->m_src = mbuf;
@@ -595,9 +587,9 @@ static inline uint8_t handle_esp_ah_dec_finish(struct task_esp_dec *task, struct
static inline uint8_t handle_esp_ah_dec_finish2(struct task_esp_dec *task, struct rte_mbuf *mbuf)
{
u8* m = rte_pktmbuf_mtod(mbuf, u8*);
- rte_memcpy(m+sizeof(struct ipv4_hdr)+sizeof(struct esp_hdr)+CIPHER_IV_LENGTH_AES_CBC,
+ rte_memcpy(m+sizeof(struct ipv4_hdr)+sizeof(struct prox_esp_hdr)+CIPHER_IV_LENGTH_AES_CBC,
m, sizeof(struct ether_hdr));
- m = (u8*)rte_pktmbuf_adj(mbuf, sizeof(struct ipv4_hdr)+sizeof(struct esp_hdr)+CIPHER_IV_LENGTH_AES_CBC);
+ m = (u8*)rte_pktmbuf_adj(mbuf, sizeof(struct ipv4_hdr)+sizeof(struct prox_esp_hdr)+CIPHER_IV_LENGTH_AES_CBC);
struct ipv4_hdr* pip4 = (struct ipv4_hdr *)(m+sizeof(struct ether_hdr));
if (unlikely((pip4->version_ihl >> 4) != 4)) {
diff --git a/VNFs/DPPD-PROX/prox_compat.h b/VNFs/DPPD-PROX/prox_compat.h
index 65bba65..001caa6 100644
--- a/VNFs/DPPD-PROX/prox_compat.h
+++ b/VNFs/DPPD-PROX/prox_compat.h
@@ -19,6 +19,7 @@
#include <rte_common.h>
#include <rte_table_hash.h>
#include <rte_hash_crc.h>
+#include <rte_cryptodev.h>
#include "hash_utils.h"
#include "quit.h"
@@ -159,4 +160,35 @@ static inline char *prox_strncpy(char * dest, const char * src, size_t count)
PROX_PANIC(dest[count - 1] != 0, "\t\tError in strncpy: buffer overrun (%lu bytes)", count);
return dest;
}
+#ifdef RTE_LIBRTE_PMD_AESNI_MB
+#if RTE_VERSION < RTE_VERSION_NUM(19,5,0,0)
+//RFC4303
+struct prox_esp_hdr {
+ uint32_t spi;
+ uint32_t seq;
+};
+struct prox_rte_cryptodev_qp_conf {
+ uint32_t nb_descriptors; /**< Number of descriptors per queue pair */
+ struct rte_mempool * mp_session;
+ struct rte_mempool * mp_session_private;
+};
+
+static int prox_rte_cryptodev_queue_pair_setup(uint8_t dev_id, uint16_t queue_pair_id, struct prox_rte_cryptodev_qp_conf *qp_conf, int socket_id)
+{
+ struct rte_mempool *session_pool = qp_conf->mp_session;
+ return rte_cryptodev_queue_pair_setup(dev_id, queue_pair_id, (struct rte_cryptodev_qp_conf *)qp_conf, socket_id, session_pool);
+}
+
+#else
+#define prox_esp_hdr esp_hdr
+#define prox_rte_cryptodev_qp_conf rte_cryptodev_qp_conf
+
+static int prox_rte_cryptodev_queue_pair_setup(uint8_t dev_id, uint16_t queue_pair_id, struct prox_rte_cryptodev_qp_conf *qp_conf, int socket_id)
+{
+ return rte_cryptodev_queue_pair_setup(dev_id, queue_pair_id, (struct rte_cryptodev_qp_conf *)qp_conf, socket_id);
+}
+
+#endif
+#endif // CONFIG_RTE_LIBRTE_PMD_AESNI_MB
+
#endif // _PROX_COMPAT_H