[ceph.git] / ceph / src / dpdk / examples / ipsec-secgw / ipsec.h

/*-
 *   BSD LICENSE
 *
 *   Copyright(c) 2016 Intel Corporation. All rights reserved.
 *   All rights reserved.
 *
 *   Redistribution and use in source and binary forms, with or without
 *   modification, are permitted provided that the following conditions
 *   are met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in
 *       the documentation and/or other materials provided with the
 *       distribution.
 *     * Neither the name of Intel Corporation nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef __IPSEC_H__
#define __IPSEC_H__

#include <stdint.h>

#include <rte_byteorder.h>
#include <rte_crypto.h>

#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3

#define MAX_PKT_BURST 32
#define MAX_QP_PER_LCORE 256

#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */

#define uint32_t_to_char(ip, a, b, c, d) do {\
		*a = (uint8_t)(ip >> 24 & 0xff);\
		*b = (uint8_t)(ip >> 16 & 0xff);\
		*c = (uint8_t)(ip >> 8 & 0xff);\
		*d = (uint8_t)(ip & 0xff);\
	} while (0)

#define DEFAULT_MAX_CATEGORIES	1

#define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */
#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
#define INVALID_SPI (0)

#define DISCARD (0x80000000)
#define BYPASS (0x40000000)
#define PROTECT_MASK (0x3fffffff)
#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */

#define IPSEC_XFORM_MAX 2

#define IP6_VERSION (6)

struct rte_crypto_xform;
struct ipsec_xform;
struct rte_cryptodev_session;
struct rte_mbuf;

struct ipsec_sa;

typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
		struct rte_crypto_op *cop);

struct ip_addr {
	union {
		uint32_t ip4;
		union {
			uint64_t ip6[2];
			uint8_t ip6_b[16];
		} ip6;
	} ip;
};

#define MAX_KEY_SIZE		20

struct ipsec_sa {
	uint32_t spi;
	uint32_t cdev_id_qp;
	uint64_t seq;
	uint32_t salt;
	struct rte_cryptodev_sym_session *crypto_session;
	enum rte_crypto_cipher_algorithm cipher_algo;
	enum rte_crypto_auth_algorithm auth_algo;
	uint16_t digest_len;
	uint16_t iv_len;
	uint16_t block_size;
	uint16_t flags;
#define IP4_TUNNEL (1 << 0)
#define IP6_TUNNEL (1 << 1)
#define TRANSPORT  (1 << 2)
	struct ip_addr src;
	struct ip_addr dst;
	uint8_t cipher_key[MAX_KEY_SIZE];
	uint16_t cipher_key_len;
	uint8_t auth_key[MAX_KEY_SIZE];
	uint16_t auth_key_len;
	uint16_t aad_len;
	struct rte_crypto_sym_xform *xforms;
} __rte_cache_aligned;

struct ipsec_mbuf_metadata {
	uint8_t buf[32];
	struct ipsec_sa *sa;
	struct rte_crypto_op cop;
	struct rte_crypto_sym_op sym_cop;
} __rte_cache_aligned;

struct cdev_qp {
	uint16_t id;
	uint16_t qp;
	uint16_t in_flight;
	uint16_t len;
	struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
};

struct ipsec_ctx {
	struct rte_hash *cdev_map;
	struct sp_ctx *sp4_ctx;
	struct sp_ctx *sp6_ctx;
	struct sa_ctx *sa_ctx;
	uint16_t nb_qps;
	uint16_t last_qp;
	struct cdev_qp tbl[MAX_QP_PER_LCORE];
};

struct cdev_key {
	uint16_t lcore_id;
	uint8_t cipher_algo;
	uint8_t auth_algo;
};

struct socket_ctx {
	struct sa_ctx *sa_in;
	struct sa_ctx *sa_out;
	struct sp_ctx *sp_ip4_in;
	struct sp_ctx *sp_ip4_out;
	struct sp_ctx *sp_ip6_in;
	struct sp_ctx *sp_ip6_out;
	struct rt_ctx *rt_ip4;
	struct rt_ctx *rt_ip6;
	struct rte_mempool *mbuf_pool;
};

struct cnt_blk {
	uint32_t salt;
	uint64_t iv;
	uint32_t cnt;
} __attribute__((packed));

uint16_t
ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t nb_pkts, uint16_t len);

uint16_t
ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);

static inline uint16_t
ipsec_metadata_size(void)
{
	return sizeof(struct ipsec_mbuf_metadata);
}

static inline struct ipsec_mbuf_metadata *
get_priv(struct rte_mbuf *m)
{
	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
}

static inline void *
get_cnt_blk(struct rte_mbuf *m)
{
	struct ipsec_mbuf_metadata *priv = get_priv(m);

	return &priv->buf[0];
}

static inline void *
get_aad(struct rte_mbuf *m)
{
	struct ipsec_mbuf_metadata *priv = get_priv(m);

	return &priv->buf[16];
}

static inline void *
get_sym_cop(struct rte_crypto_op *cop)
{
	return (cop + 1);
}

int
inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);

void
inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
		struct ipsec_sa *sa[], uint16_t nb_pkts);

void
outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
		struct ipsec_sa *sa[], uint16_t nb_pkts);

void
sp4_init(struct socket_ctx *ctx, int32_t socket_id);

void
sp6_init(struct socket_ctx *ctx, int32_t socket_id);

void
sa_init(struct socket_ctx *ctx, int32_t socket_id);

void
rt_init(struct socket_ctx *ctx, int32_t socket_id);

#endif /* __IPSEC_H__ */
Commit	Line	Data
7c673cae FG	1	/*-
	2	* BSD LICENSE
	3	*
	4	* Copyright(c) 2016 Intel Corporation. All rights reserved.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	*
	11	* * Redistributions of source code must retain the above copyright
	12	* notice, this list of conditions and the following disclaimer.
	13	* * Redistributions in binary form must reproduce the above copyright
	14	* notice, this list of conditions and the following disclaimer in
	15	* the documentation and/or other materials provided with the
	16	* distribution.
	17	* * Neither the name of Intel Corporation nor the names of its
	18	* contributors may be used to endorse or promote products derived
	19	* from this software without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	22	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	23	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
	24	* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
	25	* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	26	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
	27	* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	28	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	29	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	30	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	31	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	32	*/
	33
	34	#ifndef __IPSEC_H__
	35	#define __IPSEC_H__
	36
	37	#include <stdint.h>
	38
	39	#include <rte_byteorder.h>
	40	#include <rte_crypto.h>
	41
	42	#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
	43	#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2
	44	#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3
	45
	46	#define MAX_PKT_BURST 32
	47	#define MAX_QP_PER_LCORE 256
	48
	49	#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
	50
	51	#define uint32_t_to_char(ip, a, b, c, d) do {\
	52	*a = (uint8_t)(ip >> 24 & 0xff);\
	53	*b = (uint8_t)(ip >> 16 & 0xff);\
	54	*c = (uint8_t)(ip >> 8 & 0xff);\
	55	*d = (uint8_t)(ip & 0xff);\
	56	} while (0)
	57
	58	#define DEFAULT_MAX_CATEGORIES 1
	59
	60	#define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */
	61	#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
	62	#define INVALID_SPI (0)
	63
	64	#define DISCARD (0x80000000)
65	#define BYPASS (0x40000000)
66	#define PROTECT_MASK (0x3fffffff)
67	#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */
68
69	#define IPSEC_XFORM_MAX 2
70
71	#define IP6_VERSION (6)
72
73	struct rte_crypto_xform;
74	struct ipsec_xform;
75	struct rte_cryptodev_session;
76	struct rte_mbuf;
77
78	struct ipsec_sa;
79
80	typedef int32_t (ipsec_xform_fn)(struct rte_mbuf m, struct ipsec_sa *sa,
81	struct rte_crypto_op *cop);
82
83	struct ip_addr {
84	union {
85	uint32_t ip4;
86	union {
87	uint64_t ip6[2];
88	uint8_t ip6_b[16];
89	} ip6;
90	} ip;
91	};
92
93	#define MAX_KEY_SIZE 20
94
95	struct ipsec_sa {
96	uint32_t spi;
97	uint32_t cdev_id_qp;
98	uint64_t seq;
99	uint32_t salt;
100	struct rte_cryptodev_sym_session *crypto_session;
101	enum rte_crypto_cipher_algorithm cipher_algo;
102	enum rte_crypto_auth_algorithm auth_algo;
103	uint16_t digest_len;
104	uint16_t iv_len;
105	uint16_t block_size;
106	uint16_t flags;
107	#define IP4_TUNNEL (1 << 0)
108	#define IP6_TUNNEL (1 << 1)
109	#define TRANSPORT (1 << 2)
110	struct ip_addr src;
111	struct ip_addr dst;
112	uint8_t cipher_key[MAX_KEY_SIZE];
113	uint16_t cipher_key_len;
114	uint8_t auth_key[MAX_KEY_SIZE];
115	uint16_t auth_key_len;
116	uint16_t aad_len;
117	struct rte_crypto_sym_xform *xforms;
118	} __rte_cache_aligned;
119
120	struct ipsec_mbuf_metadata {
121	uint8_t buf[32];
122	struct ipsec_sa *sa;
123	struct rte_crypto_op cop;
124	struct rte_crypto_sym_op sym_cop;
125	} __rte_cache_aligned;
126
127	struct cdev_qp {
128	uint16_t id;
129	uint16_t qp;
130	uint16_t in_flight;
131	uint16_t len;
132	struct rte_crypto_op buf[MAX_PKT_BURST] __rte_aligned(sizeof(void ));
133	};
134
135	struct ipsec_ctx {
136	struct rte_hash *cdev_map;
137	struct sp_ctx *sp4_ctx;
138	struct sp_ctx *sp6_ctx;
139	struct sa_ctx *sa_ctx;
140	uint16_t nb_qps;
141	uint16_t last_qp;
142	struct cdev_qp tbl[MAX_QP_PER_LCORE];
143	};
144
145	struct cdev_key {
146	uint16_t lcore_id;
147	uint8_t cipher_algo;
148	uint8_t auth_algo;
149	};
150
151	struct socket_ctx {
152	struct sa_ctx *sa_in;
153	struct sa_ctx *sa_out;
154	struct sp_ctx *sp_ip4_in;
155	struct sp_ctx *sp_ip4_out;
156	struct sp_ctx *sp_ip6_in;
157	struct sp_ctx *sp_ip6_out;
158	struct rt_ctx *rt_ip4;
159	struct rt_ctx *rt_ip6;
160	struct rte_mempool *mbuf_pool;
161	};
162
163	struct cnt_blk {
164	uint32_t salt;
165	uint64_t iv;
166	uint32_t cnt;
167	} __attribute__((packed));
168
169	uint16_t
170	ipsec_inbound(struct ipsec_ctx ctx, struct rte_mbuf pkts[],
171	uint16_t nb_pkts, uint16_t len);
172
173	uint16_t
174	ipsec_outbound(struct ipsec_ctx ctx, struct rte_mbuf pkts[],
175	uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
176
177	static inline uint16_t
178	ipsec_metadata_size(void)
179	{
180	return sizeof(struct ipsec_mbuf_metadata);
181	}
182
183	static inline struct ipsec_mbuf_metadata *
184	get_priv(struct rte_mbuf *m)
185	{
186	return RTE_PTR_ADD(m, sizeof(struct rte_mbuf));
187	}
188
189	static inline void *
190	get_cnt_blk(struct rte_mbuf *m)
191	{
192	struct ipsec_mbuf_metadata *priv = get_priv(m);
193
194	return &priv->buf[0];
195	}
196
197	static inline void *
198	get_aad(struct rte_mbuf *m)
199	{
200	struct ipsec_mbuf_metadata *priv = get_priv(m);
201
202	return &priv->buf[16];
203	}
204
205	static inline void *
206	get_sym_cop(struct rte_crypto_op *cop)
207	{
208	return (cop + 1);
209	}
210
211	int
212	inbound_sa_check(struct sa_ctx sa_ctx, struct rte_mbuf m, uint32_t sa_idx);
213
214	void
215	inbound_sa_lookup(struct sa_ctx sa_ctx, struct rte_mbuf pkts[],
216	struct ipsec_sa *sa[], uint16_t nb_pkts);
217
218	void
219	outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
220	struct ipsec_sa *sa[], uint16_t nb_pkts);
221
222	void
223	sp4_init(struct socket_ctx *ctx, int32_t socket_id);
224
225	void
226	sp6_init(struct socket_ctx *ctx, int32_t socket_id);
227
228	void
229	sa_init(struct socket_ctx *ctx, int32_t socket_id);
230
231	void
232	rt_init(struct socket_ctx *ctx, int32_t socket_id);
233
234	#endif /* __IPSEC_H__ */