From f456ab65201f5fa6b7bad2f0f95ec15d5c3827e1 Mon Sep 17 00:00:00 2001 From: Xavier Simonart Date: Wed, 23 Oct 2019 12:38:51 +0200 Subject: Added support for DPDK 19.05 / IPSec Note that since 6073b359 (April 2018) IPsec PROX support requires at least DPDK 17.11. Hence README has been updated. Change-Id: I34b7a968c16db5c3a3fc7bb6af111fdb49ad6b91 Signed-off-by: Xavier Simonart --- VNFs/DPPD-PROX/README | 2 +- VNFs/DPPD-PROX/handle_esp.c | 46 ++++++++++++++++++-------------------------- VNFs/DPPD-PROX/prox_compat.h | 32 ++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 28 deletions(-) diff --git a/VNFs/DPPD-PROX/README b/VNFs/DPPD-PROX/README index 8f2b775b..b4ccc2ea 100644 --- a/VNFs/DPPD-PROX/README +++ b/VNFs/DPPD-PROX/README @@ -32,7 +32,7 @@ The following commands assume that the following variables have been set: export RTE_SDK=/path/to/dpdk export RTE_TARGET=x86_64-native-linuxapp-gcc -IPSec is only supported in PROX starting from DPDK 17.02 +IPSec is only supported in PROX starting from DPDK 17.11 It will only be compiled if CONFIG_RTE_LIBRTE_PMD_AESNI_MB is set in DPDK .config. This also requires AESNI_MULTI_BUFFER_LIB_PATH to point to the multi-buffer library which can be downloaded from diff --git a/VNFs/DPPD-PROX/handle_esp.c b/VNFs/DPPD-PROX/handle_esp.c index 0d359c6a..31969de3 100644 --- a/VNFs/DPPD-PROX/handle_esp.c +++ b/VNFs/DPPD-PROX/handle_esp.c @@ -99,12 +99,6 @@ static uint8_t aes_cbc_iv[] = { 0xE4, 0x23, 0x33, 0x8A, 0x35, 0x64, 0x61, 0xE2, 0x49, 0x03, 0xDD, 0xC6, 0xB8, 0xCA, 0x55, 0x7A }; -//RFC4303 -struct esp_hdr { - uint32_t spi; - uint32_t sn; -}; - static void printf_cdev_info(uint8_t cdev_id) { struct rte_cryptodev_info dev_info; @@ -194,11 +188,10 @@ static void init_task_esp_enc(struct task_base *tbase, struct task_args *targ) task->qp_id=0; plog_info("enc: task->qp_id=%u\n", task->qp_id); - struct rte_cryptodev_qp_conf qp_conf; - //qp_conf.nb_descriptors = 4096; + struct prox_rte_cryptodev_qp_conf qp_conf; qp_conf.nb_descriptors = 128; - rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id, - &qp_conf, rte_cryptodev_socket_id(task->cdev_id), task->session_pool); + qp_conf.mp_session = task->session_pool; + prox_rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id, &qp_conf, rte_cryptodev_socket_id(task->cdev_id)); int ret = rte_cryptodev_start(task->cdev_id); PROX_PANIC(ret < 0, "Failed to start device\n"); @@ -295,11 +288,10 @@ static void init_task_esp_dec(struct task_base *tbase, struct task_args *targ) task->qp_id=0; plog_info("dec: task->qp_id=%u\n", task->qp_id); - struct rte_cryptodev_qp_conf qp_conf; - //qp_conf.nb_descriptors = 4096; + struct prox_rte_cryptodev_qp_conf qp_conf; qp_conf.nb_descriptors = 128; - rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id, - &qp_conf, rte_cryptodev_socket_id(task->cdev_id), task->session_pool); + qp_conf.mp_session = task->session_pool; + prox_rte_cryptodev_queue_pair_setup(task->cdev_id, task->qp_id, &qp_conf, rte_cryptodev_socket_id(task->cdev_id)); int ret = rte_cryptodev_start(task->cdev_id); PROX_PANIC(ret < 0, "Failed to start device\n"); @@ -397,7 +389,7 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb encrypt_len += padding; } - const int extra_space = sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC; + const int extra_space = sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC; struct ether_addr src_mac = peth->s_addr; struct ether_addr dst_mac = peth->d_addr; @@ -427,7 +419,7 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb pip4->time_to_live = ttl; pip4->next_proto_id = IPPROTO_ESP; // 50 for ESP, ip in ip next proto trailer pip4->version_ihl = version_ihl; // 20 bytes, ipv4 - pip4->total_length = rte_cpu_to_be_16(ipv4_length + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + padding + 1 + 1 + DIGEST_BYTE_LENGTH_SHA1); // iphdr+SPI+SN+IV+payload+padding+padlen+next header + crc + auth + pip4->total_length = rte_cpu_to_be_16(ipv4_length + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + padding + 1 + 1 + DIGEST_BYTE_LENGTH_SHA1); // iphdr+SPI+SN+IV+payload+padding+padlen+next header + crc + auth pip4->packet_id = 0x0101; pip4->type_of_service = 0; pip4->time_to_live = 64; @@ -438,12 +430,12 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb *((u32*) data) = 0x2016; // FIXME SPI *((u32*) data + 1) = 0x2; // FIXME SN #else - struct esp_hdr *pesp = (struct esp_hdr*)(pip4+1); + struct prox_esp_hdr *pesp = (struct prox_esp_hdr*)(pip4+1); pesp->spi = src_addr;//for simplicity assume 1 tunnel per source ip static u32 sn = 0; - pesp->sn = ++sn; + pesp->seq = ++sn; pesp->spi=0xAAAAAAAA;//debug - pesp->sn =0xBBBBBBBB;//debug + pesp->seq =0xBBBBBBBB;//debug #endif u8 *padl = (u8*)data + (8 + encrypt_len - 2 + CIPHER_IV_LENGTH_AES_CBC); // No ESN yet. (-2 means NH is crypted) //padl += CIPHER_IV_LENGTH_AES_CBC; @@ -473,12 +465,12 @@ static inline uint8_t handle_esp_ah_enc(struct task_esp_enc *task, struct rte_mb #else //uint64_t *iv = (uint64_t *)(pesp + 1); //memset(iv, 0, CIPHER_IV_LENGTH_AES_CBC); - sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr); + sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr); sym_cop->cipher.data.length = encrypt_len + CIPHER_IV_LENGTH_AES_CBC; #endif sym_cop->auth.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr); - sym_cop->auth.data.length = sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + encrypt_len;// + 4;// FIXME + sym_cop->auth.data.length = sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC + encrypt_len;// + 4;// FIXME sym_cop->m_src = mbuf; rte_crypto_op_attach_sym_session(cop, task->sess); @@ -505,8 +497,8 @@ static inline uint8_t handle_esp_ah_dec(struct task_esp_dec *task, struct rte_mb rte_crypto_op_attach_sym_session(cop, task->sess); sym_cop->auth.digest.data = (unsigned char *)((unsigned char*)pip4 + ipv4_length - DIGEST_BYTE_LENGTH_SHA1); - //sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr)); // FIXME - sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr)); + //sym_cop->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr)); // FIXME + sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(mbuf, sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr)); //sym_cop->auth.digest.length = DIGEST_BYTE_LENGTH_SHA1; //sym_cop->cipher.iv.data = (uint8_t *)data + 8; @@ -518,7 +510,7 @@ static inline uint8_t handle_esp_ah_dec(struct task_esp_dec *task, struct rte_mb aes_cbc_iv, CIPHER_IV_LENGTH_AES_CBC); #else - uint8_t * iv = (uint8_t *)(pip4 + 1) + sizeof(struct esp_hdr); + uint8_t * iv = (uint8_t *)(pip4 + 1) + sizeof(struct prox_esp_hdr); rte_memcpy(rte_crypto_op_ctod_offset(cop, uint8_t *, IV_OFFSET), iv, CIPHER_IV_LENGTH_AES_CBC); @@ -527,7 +519,7 @@ static inline uint8_t handle_esp_ah_dec(struct task_esp_dec *task, struct rte_mb sym_cop->auth.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr); sym_cop->auth.data.length = ipv4_length - sizeof(struct ipv4_hdr) - 4 - CIPHER_IV_LENGTH_AES_CBC; - sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct esp_hdr) + CIPHER_IV_LENGTH_AES_CBC; + sym_cop->cipher.data.offset = sizeof(struct ether_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct prox_esp_hdr) + CIPHER_IV_LENGTH_AES_CBC; sym_cop->cipher.data.length = ipv4_length - sizeof(struct ipv4_hdr) - CIPHER_IV_LENGTH_AES_CBC - 28; // FIXME sym_cop->m_src = mbuf; @@ -595,9 +587,9 @@ static inline uint8_t handle_esp_ah_dec_finish(struct task_esp_dec *task, struct static inline uint8_t handle_esp_ah_dec_finish2(struct task_esp_dec *task, struct rte_mbuf *mbuf) { u8* m = rte_pktmbuf_mtod(mbuf, u8*); - rte_memcpy(m+sizeof(struct ipv4_hdr)+sizeof(struct esp_hdr)+CIPHER_IV_LENGTH_AES_CBC, + rte_memcpy(m+sizeof(struct ipv4_hdr)+sizeof(struct prox_esp_hdr)+CIPHER_IV_LENGTH_AES_CBC, m, sizeof(struct ether_hdr)); - m = (u8*)rte_pktmbuf_adj(mbuf, sizeof(struct ipv4_hdr)+sizeof(struct esp_hdr)+CIPHER_IV_LENGTH_AES_CBC); + m = (u8*)rte_pktmbuf_adj(mbuf, sizeof(struct ipv4_hdr)+sizeof(struct prox_esp_hdr)+CIPHER_IV_LENGTH_AES_CBC); struct ipv4_hdr* pip4 = (struct ipv4_hdr *)(m+sizeof(struct ether_hdr)); if (unlikely((pip4->version_ihl >> 4) != 4)) { diff --git a/VNFs/DPPD-PROX/prox_compat.h b/VNFs/DPPD-PROX/prox_compat.h index 65bba65d..001caa6d 100644 --- a/VNFs/DPPD-PROX/prox_compat.h +++ b/VNFs/DPPD-PROX/prox_compat.h @@ -19,6 +19,7 @@ #include #include #include +#include #include "hash_utils.h" #include "quit.h" @@ -159,4 +160,35 @@ static inline char *prox_strncpy(char * dest, const char * src, size_t count) PROX_PANIC(dest[count - 1] != 0, "\t\tError in strncpy: buffer overrun (%lu bytes)", count); return dest; } +#ifdef RTE_LIBRTE_PMD_AESNI_MB +#if RTE_VERSION < RTE_VERSION_NUM(19,5,0,0) +//RFC4303 +struct prox_esp_hdr { + uint32_t spi; + uint32_t seq; +}; +struct prox_rte_cryptodev_qp_conf { + uint32_t nb_descriptors; /**< Number of descriptors per queue pair */ + struct rte_mempool * mp_session; + struct rte_mempool * mp_session_private; +}; + +static int prox_rte_cryptodev_queue_pair_setup(uint8_t dev_id, uint16_t queue_pair_id, struct prox_rte_cryptodev_qp_conf *qp_conf, int socket_id) +{ + struct rte_mempool *session_pool = qp_conf->mp_session; + return rte_cryptodev_queue_pair_setup(dev_id, queue_pair_id, (struct rte_cryptodev_qp_conf *)qp_conf, socket_id, session_pool); +} + +#else +#define prox_esp_hdr esp_hdr +#define prox_rte_cryptodev_qp_conf rte_cryptodev_qp_conf + +static int prox_rte_cryptodev_queue_pair_setup(uint8_t dev_id, uint16_t queue_pair_id, struct prox_rte_cryptodev_qp_conf *qp_conf, int socket_id) +{ + return rte_cryptodev_queue_pair_setup(dev_id, queue_pair_id, (struct rte_cryptodev_qp_conf *)qp_conf, socket_id); +} + +#endif +#endif // CONFIG_RTE_LIBRTE_PMD_AESNI_MB + #endif // _PROX_COMPAT_H -- cgit 1.2.3-korg