From patchwork Tue May 9 14:57:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Radu Nicolau X-Patchwork-Id: 24172 X-Patchwork-Delegate: pablo.de.lara.guarch@intel.com Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [IPv6:::1]) by dpdk.org (Postfix) with ESMTP id 5484F7CB6; Tue, 9 May 2017 17:01:15 +0200 (CEST) Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id 032BC7C98 for ; Tue, 9 May 2017 17:01:09 +0200 (CEST) Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 May 2017 08:01:03 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.38,315,1491289200"; d="scan'208";a="97610353" Received: from silpixa00383879.ir.intel.com (HELO silpixa00383879.ger.corp.intel.com) ([10.237.223.127]) by orsmga005.jf.intel.com with ESMTP; 09 May 2017 08:01:02 -0700 From: Radu Nicolau To: dev@dpdk.org Cc: Radu Nicolau Date: Tue, 9 May 2017 15:57:59 +0100 Message-Id: <1494341879-18718-6-git-send-email-radu.nicolau@intel.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1494341879-18718-1-git-send-email-radu.nicolau@intel.com> References: <1494341879-18718-1-git-send-email-radu.nicolau@intel.com> Subject: [dpdk-dev] [RFC][PATCH 5/5] examples: updated IPSec sample app to support inline IPSec X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Added new SA types: ipv4-inline and ipv6-inline. Signed-off-by: Radu Nicolau --- examples/ipsec-secgw/esp.c | 7 +- examples/ipsec-secgw/ipsec.h | 2 + examples/ipsec-secgw/sa.c | 165 ++++++++++++++++++++++++++++--------------- 3 files changed, 117 insertions(+), 57 deletions(-) 
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index e77afa0..f1dfac4 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -253,11 +253,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
 RTE_ASSERT(sa->flags == IP4_TUNNEL || sa->flags == IP6_TUNNEL ||
+ sa->flags == IP4_INLINE || sa->flags == IP6_INLINE ||
 sa->flags == TRANSPORT);
- if (likely(sa->flags == IP4_TUNNEL))
+ if (likely(sa->flags == IP4_TUNNEL || sa->flags == IP4_INLINE))
 ip_hdr_len = sizeof(struct ip);
- else if (sa->flags == IP6_TUNNEL)
+ else if (sa->flags == IP6_TUNNEL || sa->flags == IP6_INLINE)
 ip_hdr_len = sizeof(struct ip6_hdr);
 else if (sa->flags != TRANSPORT) {
 RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
@@ -281,11 +282,13 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 switch (sa->flags) {
 case IP4_TUNNEL:
+ case IP4_INLINE:
 ip4 = ip4ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len, &sa->src, &sa->dst);
 esp = (struct esp_hdr *)(ip4 + 1);
 break;
 case IP6_TUNNEL:
+ case IP6_INLINE:
 ip6 = ip6ip_outbound(m, sizeof(struct esp_hdr) + sa->iv_len, &sa->src, &sa->dst);
 esp = (struct esp_hdr *)(ip6 + 1);
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index fe42661..502c182 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -107,6 +107,8 @@ struct ipsec_sa {
 #define IP4_TUNNEL (1 << 0)
 #define IP6_TUNNEL (1 << 1)
 #define TRANSPORT (1 << 2)
+#define IP4_INLINE (1 << 3)
+#define IP6_INLINE (1 << 4)
 struct ip_addr src;
 struct ip_addr dst;
 uint8_t cipher_key[MAX_KEY_SIZE];
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 39624c4..b58bca7 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
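Review bot: The new IP4_INLINE/IP6_INLINE values in ipsec.h are defined as bit flags (`1 << 3`, `1 << 4`) but, like the existing three, are only ever tested with `==`, so "inline" becomes a fifth mutually exclusive mode rather than a property of a tunnel SA. Every `sa->flags == IP4_TUNNEL` / `IP6_TUNNEL` test in the application then has to be widened by hand (this patch does so in esp.c and sa.c), and any test that is missed silently rejects or misroutes inline SAs. A single orthogonal bit, e.g. `#define INLINE (1 << 3)` ORed into the tunnel flag and checked with `sa->flags & INLINE`, would let the existing tunnel-mode checks keep working unchanged. Failing that, a comment above the defines should state that the values are exclusive modes and that the inline variants are tunnel mode only (the esp.c hunk builds an outer IP header for them exactly as for IP4_TUNNEL/IP6_TUNNEL).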
@@ -256,6 +256,10 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 rule->flags = IP6_TUNNEL;
 else if (strcmp(tokens[ti], "transport") == 0)
 rule->flags = TRANSPORT;
+ else if (strcmp(tokens[ti], "ipv4-inline") == 0)
+ rule->flags = IP4_INLINE;
+ else if (strcmp(tokens[ti], "ipv6-inline") == 0)
+ rule->flags = IP6_INLINE;
 else {
 APP_CHECK(0, status, "unrecognized "
 "input \"%s\"", tokens[ti]);
@@ -395,7 +399,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 if (status->status < 0)
 return;
- if (rule->flags == IP4_TUNNEL) {
+ if (rule->flags == IP4_TUNNEL || rule->flags == IP4_INLINE) {
 struct in_addr ip;
 APP_CHECK(parse_ipv4_addr(tokens[ti],
@@ -407,7 +411,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 return;
 rule->src.ip.ip4 = rte_bswap32( (uint32_t)ip.s_addr);
- } else if (rule->flags == IP6_TUNNEL) {
+ } else if (rule->flags == IP6_TUNNEL || rule->flags == IP6_INLINE) {
 struct in6_addr ip;
 APP_CHECK(parse_ipv6_addr(tokens[ti], &ip,
@@ -438,7 +442,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 if (status->status < 0)
 return;
- if (rule->flags == IP4_TUNNEL) {
+ if (rule->flags == IP4_TUNNEL || rule->flags == IP4_INLINE) {
 struct in_addr ip;
 APP_CHECK(parse_ipv4_addr(tokens[ti],
@@ -450,7 +454,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 return;
 rule->dst.ip.ip4 = rte_bswap32( (uint32_t)ip.s_addr);
- } else if (rule->flags == IP6_TUNNEL) {
+ } else if (rule->flags == IP6_TUNNEL || rule->flags == IP6_INLINE) {
 struct in6_addr ip;
 APP_CHECK(parse_ipv6_addr(tokens[ti], &ip,
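Review bot: The new `ipv4-inline` / `ipv6-inline` keywords are accepted in the mode branch without any note of what they imply for the rest of the rule: the esp.c hunk in this patch sends the inline flags down the same path as IP4_TUNNEL/IP6_TUNNEL (an outer IP header is built), so they are tunnel mode with ESP processing handed to the device via the IPSEC xform in sa.c, and there is no inline transport variant. A comment next to the new strcmp arms, e.g. `/* "ipvN-inline": tunnel mode, ESP handled by the inline crypto device; src/dst are required as for ipvN-tunnel */`, plus a matching line in the sample SA configuration documentation, would save the next reader from inferring this from esp.c. parse_sa_tokens starts before and ends after these hunks, so any mode-dependent validation elsewhere in it that still compares against IP4_TUNNEL/IP6_TUNNEL only is not visible here and should be checked.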
@@ -518,14 +522,16 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
 switch (sa->flags) {
 case IP4_TUNNEL:
- printf("IP4Tunnel ");
+ case IP4_INLINE:
+ printf(sa->flags == IP4_TUNNEL? "IP4Tunnel " : "IP4Inline ");
 uint32_t_to_char(sa->src.ip.ip4, &a, &b, &c, &d);
 printf("%hhu.%hhu.%hhu.%hhu ", d, c, b, a);
 uint32_t_to_char(sa->dst.ip.ip4, &a, &b, &c, &d);
 printf("%hhu.%hhu.%hhu.%hhu", d, c, b, a);
 break;
 case IP6_TUNNEL:
- printf("IP6Tunnel ");
+ case IP6_INLINE:
+ printf(sa->flags == IP6_TUNNEL? "IP6Tunnel " : "IP6Inline ");
 for (i = 0; i < 16; i++) {
 if (i % 2 && i != 15)
 printf("%.2x:", sa->src.ip.ip6.ip6_b[i]);
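Review bot: The two new `printf(sa->flags == IP4_TUNNEL? "IP4Tunnel " : "IP4Inline ")` calls pass a computed, non-literal expression as the printf format string; both arms are literals without a `%` today, so it is harmless, but it trips `-Wformat-nonliteral`/`-Wformat-security` and is the pattern that becomes a format-string bug the moment someone adds a `%` to one of the labels. Print the chosen label as data instead: `printf("%s", sa->flags == IP4_TUNNEL ? "IP4Tunnel " : "IP4Inline ");` and likewise for the IP6 case, or use `fputs(label, stdout)`. The missing space before `?` in both added lines is also a style nit against the surrounding code.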
@@ -603,60 +609,107 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 switch (sa->flags) {
 case IP4_TUNNEL:
+ case IP4_INLINE:
 sa->src.ip.ip4 = rte_cpu_to_be_32(sa->src.ip.ip4);
 sa->dst.ip.ip4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
 }
- if (inbound) {
- sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
- sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
- sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key;
- sa_ctx->xf[idx].b.cipher.key.length =
- sa->cipher_key_len;
- sa_ctx->xf[idx].b.cipher.op =
- RTE_CRYPTO_CIPHER_OP_DECRYPT;
- sa_ctx->xf[idx].b.next = NULL;
-
- sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH;
- sa_ctx->xf[idx].a.auth.algo = sa->auth_algo;
- sa_ctx->xf[idx].a.auth.add_auth_data_length =
- sa->aad_len;
- sa_ctx->xf[idx].a.auth.key.data = sa->auth_key;
- sa_ctx->xf[idx].a.auth.key.length =
- sa->auth_key_len;
- sa_ctx->xf[idx].a.auth.digest_length =
- sa->digest_len;
- sa_ctx->xf[idx].a.auth.op =
- RTE_CRYPTO_AUTH_OP_VERIFY;
-
- } else { /* outbound */
- sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
- sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
- sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key;
- sa_ctx->xf[idx].a.cipher.key.length =
- sa->cipher_key_len;
- sa_ctx->xf[idx].a.cipher.op =
- RTE_CRYPTO_CIPHER_OP_ENCRYPT;
- sa_ctx->xf[idx].a.next = NULL;
-
- sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH;
- sa_ctx->xf[idx].b.auth.algo = sa->auth_algo;
- sa_ctx->xf[idx].b.auth.add_auth_data_length =
- sa->aad_len;
- sa_ctx->xf[idx].b.auth.key.data = sa->auth_key;
- sa_ctx->xf[idx].b.auth.key.length =
- sa->auth_key_len;
- sa_ctx->xf[idx].b.auth.digest_length =
- sa->digest_len;
- sa_ctx->xf[idx].b.auth.op =
- RTE_CRYPTO_AUTH_OP_GENERATE;
+ if (sa->flags == IP4_INLINE || sa->flags == IP6_INLINE) {
+
+ if (inbound) {
+ sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
+ sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key;
+ sa_ctx->xf[idx].b.cipher.key.length =
+ sa->cipher_key_len;
+ sa_ctx->xf[idx].b.cipher.op =
+ RTE_CRYPTO_CIPHER_OP_DECRYPT;
+ sa_ctx->xf[idx].b.next = NULL;
+
+ sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_IPSEC;
+ sa_ctx->xf[idx].a.ipsec.dir = RTE_CRYPTO_INBOUND;
+ sa_ctx->xf[idx].a.ipsec.spi = sa->spi;
+ sa_ctx->xf[idx].a.ipsec.salt = sa->salt;
+ sa_ctx->xf[idx].a.ipsec.src_ip.ipv4 = rte_cpu_to_be_32(sa->src.ip.ip4);
+ sa_ctx->xf[idx].a.ipsec.dst_ip.ipv4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
+
+ } else { /* outbound */
+ sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
+ sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key;
+ sa_ctx->xf[idx].a.cipher.key.length =
+ sa->cipher_key_len;
+ sa_ctx->xf[idx].a.cipher.op =
+ RTE_CRYPTO_CIPHER_OP_ENCRYPT;
+ sa_ctx->xf[idx].a.next = NULL;
+
+ sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_IPSEC;
+ sa_ctx->xf[idx].b.ipsec.dir = RTE_CRYPTO_OUTBOUND;
+ sa_ctx->xf[idx].b.ipsec.spi = sa->spi;
+ sa_ctx->xf[idx].b.ipsec.salt = sa->salt;
+ sa_ctx->xf[idx].b.ipsec.src_ip.ipv4 = rte_cpu_to_be_32(sa->src.ip.ip4);
+ sa_ctx->xf[idx].b.ipsec.dst_ip.ipv4 = rte_cpu_to_be_32(sa->dst.ip.ip4);
+ }
+
+ sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+ sa_ctx->xf[idx].b.next = NULL;
+ sa->xforms = &sa_ctx->xf[idx].a;
+
+ print_one_sa_rule(sa, inbound);
+ }
+ else {
+
+ if (inbound) {
+ sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
+ sa_ctx->xf[idx].b.cipher.key.data = sa->cipher_key;
+ sa_ctx->xf[idx].b.cipher.key.length =
+ sa->cipher_key_len;
+ sa_ctx->xf[idx].b.cipher.op =
+ RTE_CRYPTO_CIPHER_OP_DECRYPT;
+ sa_ctx->xf[idx].b.next = NULL;
+
+ sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+ sa_ctx->xf[idx].a.auth.algo = sa->auth_algo;
+ sa_ctx->xf[idx].a.auth.add_auth_data_length =
+ sa->aad_len;
+ sa_ctx->xf[idx].a.auth.key.data = sa->auth_key;
+ sa_ctx->xf[idx].a.auth.key.length =
+ sa->auth_key_len;
+ sa_ctx->xf[idx].a.auth.digest_length =
+ sa->digest_len;
+ sa_ctx->xf[idx].a.auth.op =
+ RTE_CRYPTO_AUTH_OP_VERIFY;
+
+ } else { /* outbound */
+ sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+ sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
+ sa_ctx->xf[idx].a.cipher.key.data = sa->cipher_key;
+ sa_ctx->xf[idx].a.cipher.key.length =
+ sa->cipher_key_len;
+ sa_ctx->xf[idx].a.cipher.op =
+ RTE_CRYPTO_CIPHER_OP_ENCRYPT;
+ sa_ctx->xf[idx].a.next = NULL;
+
+ sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+ sa_ctx->xf[idx].b.auth.algo = sa->auth_algo;
+ sa_ctx->xf[idx].b.auth.add_auth_data_length =
+ sa->aad_len;
+ sa_ctx->xf[idx].b.auth.key.data = sa->auth_key;
+ sa_ctx->xf[idx].b.auth.key.length =
+ sa->auth_key_len;
+ sa_ctx->xf[idx].b.auth.digest_length =
+ sa->digest_len;
+ sa_ctx->xf[idx].b.auth.op =
+ RTE_CRYPTO_AUTH_OP_GENERATE;
+ }
+
+ sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+ sa_ctx->xf[idx].b.next = NULL;
+ sa->xforms = &sa_ctx->xf[idx].a;
+
+ print_one_sa_rule(sa, inbound);
 }
-
- sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
- sa_ctx->xf[idx].b.next = NULL;
- sa->xforms = &sa_ctx->xf[idx].a;
-
- print_one_sa_rule(sa, inbound);
 }
 return 0;
@@ -755,6 +808,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt,
 switch (sa->flags) {
 case IP4_TUNNEL:
+ case IP4_INLINE:
 src4_addr = RTE_PTR_ADD(ip, offsetof(struct ip, ip_src));
 if ((ip->ip_v == IPVERSION) && (sa->src.ip.ip4 == *src4_addr) &&
@@ -762,6 +816,7 @@ single_inbound_lookup(struct ipsec_sa *sadb, struct rte_mbuf *pkt,
 *sa_ret = sa;
 break;
 case IP6_TUNNEL:
+ case IP6_INLINE:
 src6_addr = RTE_PTR_ADD(ip, offsetof(struct ip6_hdr, ip6_src));
 if ((ip->ip_v == IP6_VERSION) && !memcmp(&sa->src.ip.ip6.ip6, src6_addr, 16) &&
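Review bot: For an inline SA the inbound branch programs only a CIPHER xform plus the IPSEC xform, so the `auth_algo`/`auth_key`/`digest_len` the SA parser collected (and which the non-inline branch turns into an AUTH VERIFY xform) are silently dropped; unless RTE_CRYPTO_SYM_XFORM_IPSEC is defined to carry integrity itself, an inline SA configured with a non-AEAD cipher plus an HMAC would decrypt inbound packets with no integrity check at all. Reject that up front rather than ignore it, e.g. `if (sa->auth_algo != RTE_CRYPTO_AUTH_NULL) { RTE_LOG(ERR, IPSEC, "inline SA: auth algorithm not supported\n"); return -EINVAL; }` before the xform setup (using whatever error value this function's callers expect), or carry the auth parameters into the xform. Two further defects in the same branch: the `switch` at the top of the hunk already converts `sa->src.ip.ip4`/`sa->dst.ip.ip4` to big-endian for IP4_INLINE, yet both IPSEC xforms apply `rte_cpu_to_be_32()` to them again, so on a little-endian host the device is handed the host-order address; and the IP6_INLINE case fills the same `src_ip.ipv4`/`dst_ip.ipv4` members from the `ip4` field instead of the IPv6 address, so the v6 selector is never programmed. The cipher setup, the `a.next`/`b.next`/`sa->xforms` chaining and the `print_one_sa_rule` call are now duplicated verbatim across both arms of the new `if`; hoisting them back out (only the AUTH-vs-IPSEC xform differs) would halve the hunk and keep the two paths from drifting. sa_add_rules starts before this hunk.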