path: root/lib/librte_ipsec
Age  Commit message  Author
2019-11-20  build: remove individual library versions  (Anatoly Burakov)

Since the library versioning for both stable and experimental ABIs is now managed globally, the LIBABIVER and version variables no longer serve any useful purpose, and can be removed.

The replacement in Makefiles was done using the following regex:

    ^(#.*\n)?LIBABIVER\s*:=\s*\d+\n(\s*\n)?

(LIBABIVER := numbers, optionally preceded by a comment and optionally succeeded by an empty line)

The replacement for meson files was done using the following regex:

    ^(#.*\n)?version\s*=\s*\d+\n(\s*\n)?

(version = numbers, optionally preceded by a comment and optionally succeeded by an empty line)

[David]: those variables are manually removed for the files:
- drivers/common/qat/Makefile
- lib/librte_eal/meson.build

[David]: the LIBABIVER is restored for the external ethtool example library.

Signed-off-by: Anatoly Burakov <anatoly.burakov@intel.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
2019-11-08  ipsec: remove redundant replay window size  (Hemant Agrawal)

The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. The relevant tests and app are also updated to reflect the usages.

Note that the esn and anti-replay fields were earlier used only for the ipsec library; they were enabling libipsec by default. With this change, the esn and anti-replay settings will not automatically enable libipsec.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-10-23  ipsec: add SAD add/delete/lookup implementation  (Vladimir Medvedkin)

Replace the rte_ipsec_sad_add(), rte_ipsec_sad_del() and rte_ipsec_sad_lookup() stubs with the actual implementation. It uses three librte_hash tables, each of which contains entries for a specific SA type (either addressed by SPI only, or SPI+DIP, or SPI+DIP+SIP).

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-23  ipsec: add SAD create/destroy implementation  (Vladimir Medvedkin)

Replace the rte_ipsec_sad_create(), rte_ipsec_sad_destroy() and rte_ipsec_sad_find_existing() API stubs with the actual implementation.

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-23  ipsec: add inbound SAD API  (Vladimir Medvedkin)

According to RFC 4301, an IPsec implementation needs an inbound SA database (SAD). For each incoming inbound IPsec-protected packet (ESP or AH) it has to perform a lookup within its SAD. The lookup should be performed by:
- Security Parameters Index (SPI) + destination IP (DIP) + source IP (SIP), or
- SPI + DIP, or
- SPI only,
and an implementation has to return the 'longest' existing match.

This patch extends the DPDK IPsec library with an inbound security association database (SAD) API implementation that:
- conforms to the RFC requirements above
- can scale up to millions of entries
- supports fast lookups
- supports incremental updates

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-10-08  net: add missing rte prefix for ESP tail  (David Marchand)

This structure has been missed during the big rework.

Fixes: 5ef254676752 ("net: add rte prefix to ESP structure")
Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-07-05  ipsec: support header construction  (Fan Zhang)

Add support for RFC 4301 (5.1.2) to update the Type of Service field and Traffic Class field bits inside IPv4/IPv6 packets for outbound and inbound cases, which deals with the update of the DSCP/ECN bits inside each of the fields.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-07-05  ipsec: include high order bytes of ESN in packet length  (Lukasz Bartosik)

When ESN is used, the high-order 32 bits are included in the ICV calculation but are not transmitted. Update the packet length to be consistent with the auth data offset and length before the crypto operation. The high-order 32 bits of the ESN will be removed from the packet length in crypto post-processing.

Signed-off-by: Lukasz Bartosik <lbartosik@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-07-05  ipsec: support multi-segment packets  (Konstantin Ananyev)

Add support for packets that consist of multiple segments. Take into account that trailer bytes (padding, ESP tail, ICV) can span across multiple segments.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-07-05  ipsec: fix transport mode for IPv6 with extensions  (Marcin Smoczynski)

Reconstructing the IPv6 header after encryption or decryption requires updating the 'next header' value in the preceding protocol header, which is determined by parsing the IPv6 header and iteratively looking for the next IPv6 header extension. It is required that 'l3_len' in the mbuf metadata contains the total length of the IPv6 header with header extensions up to the ESP header.

Fixes: 4d7ea3e1459b ("ipsec: implement SA data-path API")
Cc: stable@dpdk.org

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-06-29  enforce experimental tag at beginning of declarations  (David Marchand)

Putting a '__attribute__((deprecated))' in the middle of a function prototype does not result in the expected result with gcc (while clang is fine with this syntax).

    $ cat deprecated.c
    void * __attribute__((deprecated)) incorrect() { return 0; }
    __attribute__((deprecated)) void *correct(void) { return 0; }
    int main(int argc, char *argv[]) { incorrect(); correct(); return 0; }
    $ gcc -o deprecated.o -c deprecated.c
    deprecated.c: In function ‘main’:
    deprecated.c:3:1: warning: ‘correct’ is deprecated (declared at deprecated.c:2) [-Wdeprecated-declarations]
     int main(int argc, char *argv[]) { incorrect(); correct(); return 0; }
     ^

Move the tag on a separate line and make it the first thing of function prototypes. This is not perfect, but we will trust reviewers to catch the other not-so-easy-to-detect patterns.

    sed -i \
        -e '/^\([^#].*\)\?__rte_experimental */{' \
        -e 's//\1/; s/ *$//; i\' \
        -e __rte_experimental \
        -e '/^$/d}' \
        $(git grep -l __rte_experimental -- '*.h')

Special mention for rte_mbuf_data_addr_default(): there is either a bug or a (not yet understood) issue with gcc. gcc won't drop this inline when unused, and rte_mbuf_data_addr_default() calls rte_mbuf_buf_addr(), which itself is experimental. This results in a build warning when not accepting experimental APIs from sources just including rte_mbuf.h. For this specific case, we hide the call to rte_mbuf_buf_addr() under the ALLOW_EXPERIMENTAL_API flag.

Signed-off-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
2019-06-29  remove experimental tags from all symbol definitions  (David Marchand)

We had some inconsistencies between function prototypes and actual definitions. Let's avoid this by only adding the experimental tag to the prototypes. Tests with gcc and clang show it is enough.

    git grep -l __rte_experimental |grep \.c$ |while read file; do
        sed -i -e '/^__rte_experimental$/d' $file;
        sed -i -e 's/ *__rte_experimental//' $file;
        sed -i -e 's/__rte_experimental *//' $file;
    done

Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Adrien Mazarguil <adrien.mazarguil@6wind.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
2019-05-24  net: add rte prefix to IP structure  (Olivier Matz)

Add 'rte_' prefix to structures:
- rename struct ipv4_hdr as struct rte_ipv4_hdr.
- rename struct ipv6_hdr as struct rte_ipv6_hdr.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-05-24  net: add rte prefix to ESP structure  (Olivier Matz)

Add 'rte_' prefix to structures:
- rename struct esp_hdr as struct rte_esp_hdr.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-05-09  ipsec: fix headers install  (Marcin Smoczynski)

An invalid statement was used to indicate the header files to install. Fixed the statement and reformatted the recipe file.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Bruce Richardson <bruce.richardson@intel.com>
2019-05-03  doc: fix spelling reported by aspell in comments  (John McNamara)

Fix spelling errors in the doxygen docs.

Signed-off-by: John McNamara <john.mcnamara@intel.com>
2019-04-02  ipsec: de-duplicate crypto op prepare  (Konstantin Ananyev)

For sym_crypto_op prepare, move common code into separate function(s).

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02  ipsec: reorder packet process for ESP inbound  (Konstantin Ananyev)

Change the order of operations for ESP inbound post-process:
- read mbuf metadata and ESP tail first for all packets in the burst, to minimize stalls due to load latency.
- move code that is common for both transport and tunnel modes into separate functions to reduce code duplication.
- add an extra check for packet consistency.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02  ipsec: reorder packet check for ESP inbound  (Konstantin Ananyev)

Right now the check for packet length and padding is done inside cop_prepare(). It makes sense to have all necessary checks in one place at an early stage: inside pkt_prepare(). That allows us to simplify (and later, hopefully, optimize) the cop_prepare() part.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02  ipsec: move inbound and outbound code  (Konstantin Ananyev)

sa.c becomes too big, so decided to split it into 3 chunks:
- sa.c - control path related functions (init/fini, etc.)
- esp_inb.c - ESP inbound packet processing
- esp_outb.c - ESP outbound packet processing

Plus a few changes in internal function names to follow the same code convention. No functional changes introduced.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02  ipsec: change the way unprocessed mbufs are accounted  (Konstantin Ananyev)

As was pointed out in one of the previous reviews, we can avoid updating the contents of the mbuf array for successfully processed packets. Instead, store the indexes of failed packets, to move them beyond the good ones later.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02  ipsec: change order in filling crypto op  (Konstantin Ananyev)

Right now we first fill the crypto_sym_op part of crypto_op, then in a separate cycle we fill the crypto op fields. It makes more sense to fill the whole crypto-op in one go instead.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-04-02  ipsec: add Tx offload template into SA  (Konstantin Ananyev)

Operations to set/update bit-fields often cause compilers to generate suboptimal code. To avoid such negative effect, use the tx_offload raw value and mask to update the l2_len and l3_len fields within mbufs.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-03-22  ipsec: support 3DES-CBC  (Fan Zhang)

This patch adds the triple-DES CBC mode cipher algorithm to the ipsec library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-03-22  ipsec: support AES-CTR  (Fan Zhang)

This patch adds AES-CTR cipher algorithm support to the ipsec library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-01-15  ipsec: fix build with gcc 6  (Konstantin Ananyev)

gcc 6.2 and 6.4 fail to compile lib/librte_ipsec/sa.c with the following errors:

    lib/librte_ipsec/sa.c: In function inline_outb_tun_pkt_process:
    x86_64-native-linuxapp-gcc/include/rte_memcpy.h:337:2: error: array subscript is above array bounds [-Werror=array-bounds]
      rte_mov32((uint8_t *)dst + 1 * 32, (const uint8_t *)src + 1 * 32);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ...

It complains about the following lines of code:

    esp_outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t ....
        /* update spi, seqn and iv */
        esph = (struct esp_hdr *)(ph + sa->hdr_len);
        iv = (uint64_t *)(esph + 1);
        rte_memcpy(iv, ivp, sa->iv_len);

While I believe it is a false positive, it is too excessive to use rte_memcpy() here, as the IV length could only be 0/8/16 bytes. So introduce a small helper function to copy the IV and use it instead of rte_memcpy().

Fixes: 4d7ea3e1459b ("ipsec: implement SA data-path API")

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
2019-01-14  ipsec: fix assert condition  (Konstantin Ananyev)

Fix invalid RTE_ASSERT condition in rsn_update_finish().

Fixes: c0308cd89554 ("ipsec: rework SA replay window/SQN for MT environment")

Reported-by: Ferruh Yigit <ferruh.yigit@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>
2019-01-10  ipsec: add helpers to group completed crypto-ops  (Konstantin Ananyev)

Introduce helper functions to process completed crypto-ops and group related packets by the sessions they belong to.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10  ipsec: rework SA replay window/SQN for MT environment  (Konstantin Ananyev)

With these changes the functions:
- rte_ipsec_pkt_crypto_prepare
- rte_ipsec_pkt_process
can be safely used in an MT environment, as long as the user can guarantee that they obey the multiple readers/single writer model for SQN+replay_window operations.

To be more specific:
- for an outbound SA there are no restrictions.
- for an inbound SA the caller has to guarantee that at any given moment only one thread is executing rte_ipsec_pkt_process() for the given SA.

Note that it is the caller's responsibility to maintain the correct order of packets to be processed.

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10  ipsec: implement SA data-path API  (Konstantin Ananyev)

Provide implementation for rte_ipsec_pkt_crypto_prepare() and rte_ipsec_pkt_process().

Current implementation:
- supports ESP protocol tunnel mode.
- supports ESP protocol transport mode.
- supports ESN and replay window.
- supports algorithms: AES-CBC, AES-GCM, HMAC-SHA1, NULL.
- covers all currently defined security session types:
  - RTE_SECURITY_ACTION_TYPE_NONE
  - RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO
  - RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
  - RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL

For the first two types the SQN check/update is done by SW (inside the library). For the last two types it is the HW/PMD responsibility.

Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10  ipsec: add SA data-path API  (Konstantin Ananyev)

Introduce the Security Association (SA-level) data-path API. It operates at the SA level and provides functions to:
- initialize/teardown an SA object
- process inbound/outbound ESP/AH packets associated with the given SA (decrypt/encrypt, authenticate, check integrity, add/remove ESP/AH related headers and data, etc.).

Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
2019-01-10  lib: introduce IPsec library  (Konstantin Ananyev)

Introduce the librte_ipsec library. The library is supposed to utilize the existing DPDK crypto-dev and security APIs to provide applications with a transparent IPsec processing API. This initial commit provides some base API to manage the IPsec Security Association (SA) object.

Signed-off-by: Mohammad Abdul Awal <mohammad.abdul.awal@intel.com>
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>