#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
+#include <vnet/udp/udp.h>
#include <dpdk/ipsec/ipsec.h>
#include <dpdk/device/dpdk.h>
#include <dpdk/device/dpdk_priv.h>
#undef _
};
-vlib_node_registration_t dpdk_esp_encrypt_node;
+vlib_node_registration_t dpdk_esp4_encrypt_node;
+vlib_node_registration_t dpdk_esp6_encrypt_node;
typedef struct
{
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *);
ip4_header_t *ih4 = (ip4_header_t *) t->packet_data;
- uword indent = format_get_indent (s), offset;
+ u32 indent = format_get_indent (s), offset;
s = format (s, "cipher %U auth %U\n",
format_ipsec_crypto_alg, t->crypto_alg,
return s;
}
-static uword
-dpdk_esp_encrypt_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
+always_inline uword
+dpdk_esp_encrypt_inline (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame, int is_ip6)
{
u32 n_left_from, *from, *to_next, next_index;
ipsec_main_t *im = &ipsec_main;
ret = crypto_alloc_ops (numa, ops, n_left_from);
if (ret)
{
- vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_DISCARD, 1);
+ if (is_ip6)
+ vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_DISCARD, 1);
+ else
+ vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_DISCARD, 1);
/* Discard whole frame */
return n_left_from;
}
u32 sa_index0;
ip4_and_esp_header_t *ih0, *oh0 = 0;
ip6_and_esp_header_t *ih6_0, *oh6_0 = 0;
+ ip4_and_udp_and_esp_header_t *ouh0 = 0;
esp_header_t *esp0;
esp_footer_t *f0;
- u8 is_ipv6, next_hdr_type;
+ u8 next_hdr_type;
u32 iv_size;
u16 orig_sz;
u8 trunc_size;
+ u16 rewrite_len;
+ u16 udp_encap_adv = 0;
struct rte_mbuf *mb0 = 0;
struct rte_crypto_op *op;
u16 res_idx;
if (sa_index0 != last_sa_index)
{
- last_sa_index = sa_index0;
-
sa0 = pool_elt_at_index (im->sad, sa_index0);
cipher_alg =
vec_elt_at_index (dcm->cipher_algs, sa0->crypto_alg);
auth_alg = vec_elt_at_index (dcm->auth_algs, sa0->integ_alg);
-#if DPDK_NO_AEAD
- is_aead = ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) ||
- (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) ||
- (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256));
-#else
is_aead = (cipher_alg->type == RTE_CRYPTO_SYM_XFORM_AEAD);
-#endif
if (is_aead)
auth_alg = cipher_alg;
{
clib_warning ("unsupported SA by thread index %u",
thread_idx);
- vlib_node_increment_counter (vm,
- dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_NOSUP, 1);
+ if (is_ip6)
+ vlib_node_increment_counter (vm,
+ dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_NOSUP, 1);
+ else
+ vlib_node_increment_counter (vm,
+ dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_NOSUP, 1);
to_next[0] = bi0;
to_next += 1;
n_left_to_next -= 1;
if (PREDICT_FALSE (error || !session))
{
clib_warning ("failed to get crypto session");
- vlib_node_increment_counter (vm,
- dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_SESSION, 1);
+ if (is_ip6)
+ vlib_node_increment_counter (vm,
+ dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_SESSION,
+ 1);
+ else
+ vlib_node_increment_counter (vm,
+ dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_SESSION,
+ 1);
to_next[0] = bi0;
to_next += 1;
n_left_to_next -= 1;
goto trace;
}
+
+ last_sa_index = sa_index0;
}
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
clib_warning ("sequence number counter has cycled SPI %u",
sa0->spi);
- vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
+ if (is_ip6)
+ vlib_node_increment_counter (vm,
+ dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
+ else
+ vlib_node_increment_counter (vm,
+ dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
//TODO: rekey SA
to_next[0] = bi0;
to_next += 1;
crypto_set_icb (icb, sa0->salt, sa0->seq, sa0->seq_hi);
- is_ipv6 = (ih0->ip4.ip_version_and_header_length & 0xF0) == 0x60;
-
iv_size = cipher_alg->iv_len;
trunc_size = auth_alg->trunc_size;
+ /* if UDP encapsulation is used adjust the address of the IP header */
+ if (sa0->udp_encap && !is_ip6)
+ udp_encap_adv = sizeof (udp_header_t);
+
if (sa0->is_tunnel)
{
- if (!is_ipv6 && !sa0->is_tunnel_ip6) /* ip4inip4 */
+ rewrite_len = 0;
+ if (!is_ip6 && !sa0->is_tunnel_ip6) /* ip4inip4 */
{
/* in tunnel mode send it back to FIB */
priv->next = DPDK_CRYPTO_INPUT_NEXT_IP4_LOOKUP;
- u8 adv =
- sizeof (ip4_header_t) + sizeof (esp_header_t) + iv_size;
+ u8 adv = sizeof (ip4_header_t) + udp_encap_adv +
+ sizeof (esp_header_t) + iv_size;
vlib_buffer_advance (b0, -adv);
oh0 = vlib_buffer_get_current (b0);
+ ouh0 = vlib_buffer_get_current (b0);
next_hdr_type = IP_PROTOCOL_IP_IN_IP;
/*
* oh0->ip4.ip_version_and_header_length = 0x45;
sa0->tunnel_src_addr.ip4.as_u32;
oh0->ip4.dst_address.as_u32 =
sa0->tunnel_dst_addr.ip4.as_u32;
- esp0 = &oh0->esp;
- oh0->esp.spi = clib_host_to_net_u32 (sa0->spi);
- oh0->esp.seq = clib_host_to_net_u32 (sa0->seq);
+
+ if (sa0->udp_encap)
+ {
+ oh0->ip4.protocol = IP_PROTOCOL_UDP;
+ esp0 = &ouh0->esp;
+ }
+ else
+ esp0 = &oh0->esp;
+ esp0->spi = clib_host_to_net_u32 (sa0->spi);
+ esp0->seq = clib_host_to_net_u32 (sa0->seq);
}
- else if (is_ipv6 && sa0->is_tunnel_ip6) /* ip6inip6 */
+ else if (is_ip6 && sa0->is_tunnel_ip6) /* ip6inip6 */
{
/* in tunnel mode send it back to FIB */
priv->next = DPDK_CRYPTO_INPUT_NEXT_IP6_LOOKUP;
}
else /* unsupported ip4inip6, ip6inip4 */
{
- vlib_node_increment_counter (vm,
- dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_NOSUP, 1);
+ if (is_ip6)
+ vlib_node_increment_counter (vm,
+ dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_NOSUP, 1);
+ else
+ vlib_node_increment_counter (vm,
+ dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_NOSUP, 1);
to_next[0] = bi0;
to_next += 1;
n_left_to_next -= 1;
else /* transport mode */
{
priv->next = DPDK_CRYPTO_INPUT_NEXT_INTERFACE_OUTPUT;
- u16 rewrite_len = vnet_buffer (b0)->ip.save_rewrite_length;
- u16 adv = sizeof (esp_header_t) + iv_size;
- vlib_buffer_advance (b0, -rewrite_len - adv);
+ rewrite_len = vnet_buffer (b0)->ip.save_rewrite_length;
+ u16 adv = sizeof (esp_header_t) + iv_size + udp_encap_adv;
+ vlib_buffer_advance (b0, -adv - rewrite_len);
u8 *src = ((u8 *) ih0) - rewrite_len;
u8 *dst = vlib_buffer_get_current (b0);
- oh0 = (ip4_and_esp_header_t *) (dst + rewrite_len);
+ oh0 = vlib_buffer_get_current (b0) + rewrite_len;
- if (is_ipv6)
+ if (is_ip6)
{
orig_sz -= sizeof (ip6_header_t);
ih6_0 = (ip6_and_esp_header_t *) ih0;
}
else /* ipv4 */
{
- orig_sz -= ip4_header_bytes (&ih0->ip4);
+ u16 ip_size = ip4_header_bytes (&ih0->ip4);
+ orig_sz -= ip_size;
next_hdr_type = ih0->ip4.protocol;
- memmove (dst, src,
- rewrite_len + ip4_header_bytes (&ih0->ip4));
+ memmove (dst, src, rewrite_len + ip_size);
oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP;
- esp0 =
- (esp_header_t *) (oh6_0 + ip4_header_bytes (&ih0->ip4));
+ esp0 = (esp_header_t *) (((u8 *) oh0) + ip_size);
+ if (sa0->udp_encap)
+ {
+ oh0->ip4.protocol = IP_PROTOCOL_UDP;
+ esp0 = (esp_header_t *)
+ (((u8 *) oh0) + ip_size + udp_encap_adv);
+ }
+ else
+ {
+ oh0->ip4.protocol = IP_PROTOCOL_IPSEC_ESP;
+ esp0 = (esp_header_t *) (((u8 *) oh0) + ip_size);
+ }
}
esp0->spi = clib_host_to_net_u32 (sa0->spi);
esp0->seq = clib_host_to_net_u32 (sa0->seq);
}
+ if (sa0->udp_encap && ouh0)
+ {
+ ouh0->udp.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+ ouh0->udp.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+ ouh0->udp.checksum = 0;
+ }
ASSERT (is_pow2 (cipher_alg->boundary));
u16 mask = cipher_alg->boundary - 1;
u16 pad_payload_len = ((orig_sz + 2) + mask) & ~mask;
u8 *padding =
vlib_buffer_put_uninit (b0, pad_bytes + 2 + trunc_size);
+ /* The extra pad bytes would be overwritten by the digest */
if (pad_bytes)
clib_memcpy (padding, pad_data, 16);
f0->pad_length = pad_bytes;
f0->next_header = next_hdr_type;
- if (is_ipv6)
+ if (is_ip6)
{
u16 len = b0->current_length - sizeof (ip6_header_t);
- oh6_0->ip6.payload_length = clib_host_to_net_u16 (len);
+ oh6_0->ip6.payload_length =
+ clib_host_to_net_u16 (len - rewrite_len);
}
else
{
- oh0->ip4.length = clib_host_to_net_u16 (b0->current_length);
+ oh0->ip4.length =
+ clib_host_to_net_u16 (b0->current_length - rewrite_len);
oh0->ip4.checksum = ip4_header_checksum (&oh0->ip4);
+ if (sa0->udp_encap && ouh0)
+ {
+ ouh0->udp.length =
+ clib_host_to_net_u16 (clib_net_to_host_u16
+ (ouh0->ip4.length) -
+ ip4_header_bytes (&ouh0->ip4));
+ }
}
vnet_buffer (b0)->sw_if_index[VLIB_RX] =
mb0->pkt_len = vlib_buffer_get_tail (b0) - ((u8 *) esp0);
mb0->data_off = ((void *) esp0) - mb0->buf_addr;
- u32 cipher_off, cipher_len;
- u32 auth_len = 0, aad_size = 0;
+ u32 cipher_off, cipher_len, auth_len = 0;
u32 *aad = NULL;
+
u8 *digest = vlib_buffer_get_tail (b0) - trunc_size;
+ u64 digest_paddr =
+ mb0->buf_physaddr + digest - ((u8 *) mb0->buf_addr);
- if (cipher_alg->alg == RTE_CRYPTO_CIPHER_AES_CBC)
+ if (!is_aead && cipher_alg->alg == RTE_CRYPTO_CIPHER_AES_CBC)
{
cipher_off = sizeof (esp_header_t);
cipher_len = iv_size + pad_payload_len;
cipher_off = sizeof (esp_header_t) + iv_size;
cipher_len = pad_payload_len;
-
- iv_size = 12; /* CTR/GCM IV size, not ESP IV size */
}
if (is_aead)
aad[0] = clib_host_to_net_u32 (sa0->spi);
aad[1] = clib_host_to_net_u32 (sa0->seq);
- if (sa0->use_esn)
- {
- aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
- aad_size = 12;
- }
+ /* aad[3] should always be 0 */
+ if (PREDICT_FALSE (sa0->use_esn))
+ aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
else
- aad_size = 8;
+ aad[2] = 0;
}
else
{
vlib_buffer_get_tail (b0) - ((u8 *) esp0) - trunc_size;
if (sa0->use_esn)
{
- *((u32 *) digest) = sa0->seq_hi;
+ u32 *_digest = (u32 *) digest;
+ _digest[0] = clib_host_to_net_u32 (sa0->seq_hi);
auth_len += 4;
}
}
- crypto_op_setup (is_aead, mb0, op, session,
- cipher_off, cipher_len, (u8 *) icb, iv_size,
- 0, auth_len, (u8 *) aad, aad_size,
- digest, 0, trunc_size);
+ crypto_op_setup (is_aead, mb0, op, session, cipher_off, cipher_len,
+ 0, auth_len, (u8 *) aad, digest, digest_paddr);
trace:
if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
}
vlib_put_next_frame (vm, node, next_index, n_left_to_next);
}
- vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
+ if (is_ip6)
+ {
+ vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
+
+ crypto_enqueue_ops (vm, cwm, 1, dpdk_esp6_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_ENQ_FAIL, numa);
+ }
+ else
+ {
+ vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_RX_PKTS,
+ from_frame->n_vectors);
- crypto_enqueue_ops (vm, cwm, 1, dpdk_esp_encrypt_node.index,
- ESP_ENCRYPT_ERROR_ENQ_FAIL, numa);
+ crypto_enqueue_ops (vm, cwm, 1, dpdk_esp4_encrypt_node.index,
+ ESP_ENCRYPT_ERROR_ENQ_FAIL, numa);
+ }
crypto_free_ops (numa, ops, cwm->ops + from_frame->n_vectors - ops);
return from_frame->n_vectors;
}
+static uword
+dpdk_esp4_encrypt_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame)
+{
+ return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ );
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (dpdk_esp4_encrypt_node) = {
+ .function = dpdk_esp4_encrypt_node_fn,
+ .name = "dpdk4-esp-encrypt",
+ .flags = VLIB_NODE_FLAG_IS_OUTPUT,
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_encrypt_trace,
+ .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
+ .error_strings = esp_encrypt_error_strings,
+ .n_next_nodes = 1,
+ .next_nodes =
+ {
+ [ESP_ENCRYPT_NEXT_DROP] = "error-drop",
+ }
+};
+/* *INDENT-ON* */
+
+VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp4_encrypt_node,
+ dpdk_esp4_encrypt_node_fn);
+
+static uword
+dpdk_esp6_encrypt_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame)
+{
+ return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ );
+}
+
/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (dpdk_esp_encrypt_node) = {
- .function = dpdk_esp_encrypt_node_fn,
- .name = "dpdk-esp-encrypt",
+VLIB_REGISTER_NODE (dpdk_esp6_encrypt_node) = {
+ .function = dpdk_esp6_encrypt_node_fn,
+ .name = "dpdk6-esp-encrypt",
.flags = VLIB_NODE_FLAG_IS_OUTPUT,
.vector_size = sizeof (u32),
.format_trace = format_esp_encrypt_trace,
};
/* *INDENT-ON* */
-VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp_encrypt_node, dpdk_esp_encrypt_node_fn)
+VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp6_encrypt_node,
+ dpdk_esp6_encrypt_node_fn);
/*
* fd.io coding-style-patch-verification: ON
*