From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 62DD4A2F6B for ; Tue, 8 Oct 2019 18:56:10 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 392531DF95; Tue, 8 Oct 2019 18:56:04 +0200 (CEST) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by dpdk.org (Postfix) with ESMTP id B79A21D453 for ; Tue, 8 Oct 2019 18:56:00 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Oct 2019 09:56:00 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,270,1566889200"; d="scan'208";a="205468235" Received: from silpixa00400072.ir.intel.com ([10.237.222.213]) by orsmga002.jf.intel.com with ESMTP; 08 Oct 2019 09:55:58 -0700 From: Vladimir Medvedkin To: dev@dpdk.org Cc: konstantin.ananyev@intel.com, bernard.iremonger@intel.com, akhil.goyal@nxp.com Date: Tue, 8 Oct 2019 17:55:51 +0100 Message-Id: X-Mailer: git-send-email 2.7.4 In-Reply-To: References: In-Reply-To: References: Subject: [dpdk-dev] [PATCH v4 1/5] ipsec: add inbound SAD API X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add inbound security association database (SAD) API and stub implementation. Signed-off-by: Vladimir Medvedkin --- lib/librte_ipsec/Makefile | 2 + lib/librte_ipsec/ipsec_sad.c | 50 ++++++++++ lib/librte_ipsec/meson.build | 4 +- lib/librte_ipsec/rte_ipsec_sad.h | 173 +++++++++++++++++++++++++++++++++ lib/librte_ipsec/rte_ipsec_version.map | 7 ++ 5 files changed, 234 insertions(+), 2 deletions(-) create mode 100644 lib/librte_ipsec/ipsec_sad.c create mode 100644 lib/librte_ipsec/rte_ipsec_sad.h 
diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
index 22f29d9..5aaab72 100644
--- a/lib/librte_ipsec/Makefile
+++ b/lib/librte_ipsec/Makefile
@@ -21,10 +21,12 @@ SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_outb.c
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += sa.c
 SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ses.c
+SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += ipsec_sad.c
 # install header files
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec.h
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_group.h
 SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sa.h
+SYMLINK-$(CONFIG_RTE_LIBRTE_IPSEC)-include += rte_ipsec_sad.h
 include $(RTE_SDK)/mk/rte.lib.mk
diff --git a/lib/librte_ipsec/ipsec_sad.c b/lib/librte_ipsec/ipsec_sad.c
new file mode 100644
index 0000000..703be65
--- /dev/null
+++ b/lib/librte_ipsec/ipsec_sad.c
@@ -0,0 +1,50 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+#include
+
+#include "rte_ipsec_sad.h"
+
+int
+rte_ipsec_sad_add(__rte_unused struct rte_ipsec_sad *sad,
+ __rte_unused const union rte_ipsec_sad_key *key,
+ __rte_unused int key_type, __rte_unused void *sa)
+{
+ return -ENOTSUP;
+}
+
+int
+rte_ipsec_sad_del(__rte_unused struct rte_ipsec_sad *sad,
+ __rte_unused const union rte_ipsec_sad_key *key,
+ __rte_unused int key_type)
+{
+ return -ENOTSUP;
+}
+
+struct rte_ipsec_sad *
+rte_ipsec_sad_create(__rte_unused const char *name,
+ __rte_unused const struct rte_ipsec_sad_conf *conf)
+{
+ return NULL;
+}
+
+struct rte_ipsec_sad *
+rte_ipsec_sad_find_existing(__rte_unused const char *name)
+{
+ return NULL;
+}
+
+void
+rte_ipsec_sad_destroy(__rte_unused struct rte_ipsec_sad *sad)
+{
+ return;
+}
+
+int
+rte_ipsec_sad_lookup(__rte_unused const struct rte_ipsec_sad *sad,
+ __rte_unused const union rte_ipsec_sad_key *keys[],
+ __rte_unused void *sa[], __rte_unused uint32_t n)
+{
+ return -ENOTSUP;
+}
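Review bot: rte_ipsec_sad_create() and rte_ipsec_sad_find_existing() return NULL without touching rte_errno, although the header's contract for both is "NULL with rte_errno set" (ENOENT is even listed for find_existing). A caller that follows the contract against this stub reads whatever rte_errno happened to hold from an earlier call, so set it explicitly before each `return NULL;`, e.g. `rte_errno = ENOTSUP;` (this needs rte_errno.h; the header name on the first `#include` line is stripped in this rendering, so I cannot tell what it currently pulls in). It is also worth a one-line file comment saying these are placeholders, e.g. `/* Stub implementation: every entry point reports ENOTSUP until the SAD is implemented in later patches of this series. */`, so nobody wires the library in and mistakes the -ENOTSUP from rte_ipsec_sad_lookup() for a "no SA found" result.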
diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
index 7ea0c7d..91b9867 100644
--- a/lib/librte_ipsec/meson.build
+++ b/lib/librte_ipsec/meson.build
@@ -3,8 +3,8 @@ allow_experimental_apis = true
-sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c')
+sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
-headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h')
+headers = files('rte_ipsec.h', 'rte_ipsec_group.h', 'rte_ipsec_sa.h', 'rte_ipsec_sad.h')
 deps += ['mbuf', 'net', 'cryptodev', 'security']
diff --git a/lib/librte_ipsec/rte_ipsec_sad.h b/lib/librte_ipsec/rte_ipsec_sad.h
new file mode 100644
index 0000000..2cd9b52
--- /dev/null
+++ b/lib/librte_ipsec/rte_ipsec_sad.h
@@ -0,0 +1,173 @@
+
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2019 Intel Corporation
+ */
+
+#ifndef _RTE_IPSEC_SAD_H_
+#define _RTE_IPSEC_SAD_H_
+
+#include
+
+/**
+ * @file rte_ipsec_sad.h
+ * @b EXPERIMENTAL: this API may change without prior notice
+ *
+ * RTE IPsec security association database (SAD) support.
+ * Contains helper functions to lookup and maintain SAD
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct rte_ipsec_sad;
+
+/** Type of key */
+enum {
+ RTE_IPSEC_SAD_SPI_ONLY = 0,
+ RTE_IPSEC_SAD_SPI_DIP,
+ RTE_IPSEC_SAD_SPI_DIP_SIP,
+ RTE_IPSEC_SAD_KEY_TYPE_MASK,
+};
+
+struct rte_ipsec_sadv4_key {
+ uint32_t spi;
+ uint32_t dip;
+ uint32_t sip;
+};
+
+struct rte_ipsec_sadv6_key {
+ uint32_t spi;
+ uint8_t dip[16];
+ uint8_t sip[16];
+};
+
+union rte_ipsec_sad_key {
+ struct rte_ipsec_sadv4_key v4;
+ struct rte_ipsec_sadv6_key v6;
+};
+
+#define RTE_IPSEC_SAD_FLAG_IPV6 0x1
+/** Flag to support reader writer concurrency */
+#define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY 0x2
+
+/** IPsec SAD configuration structure */
+struct rte_ipsec_sad_conf {
+ int socket_id;
+ /** maximum number of SA for each type key */
+ uint32_t max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
+ uint32_t flags;
+};
+
+/**
+ * Add a rule into the SAD. Could be safely called with concurrent lookups
+ * if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
+ * While with this flag multi-reader - one-writer model Is MT safe,
+ * multi-writer model is not and required extra synchronisation.
+ *
+ * @param sad
+ * SAD object handle
+ * @param key
+ * pointer to the key
+ * @param key_type
+ * key type (spi only/spi+dip/spi+dip+sip)
+ * @param sa
+ * Pointer associated with the key to save in a SAD
+ * Must be 4 bytes aligned.
+ * @return
+ * 0 on success, negative value otherwise
+ */
+__rte_experimental
+int
+rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
+ const union rte_ipsec_sad_key *key,
+ int key_type, void *sa);
+
+/**
+ * Delete a rule from the SAD. Could be safely called with concurrent lookups
+ * if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
+ * While with this flag multi-reader - one-writer model Is MT safe,
+ * multi-writer model is not and required extra synchronisation.
+ *
+ * @param sad
+ * SAD object handle
+ * @param key
+ * pointer to the key
+ * @param key_type
+ * key type (spi only/spi+dip/spi+dip+sip)
+ * @return
+ * 0 on success, negative value otherwise
+ */
+__rte_experimental
+int
+rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
+ const union rte_ipsec_sad_key *key,
+ int key_type);
+/*
+ * Create SAD
+ *
+ * @param name
+ * SAD name
+ * @param conf
+ * Structure containing the configuration
+ * @return
+ * Handle to SAD object on success
+ * NULL otherwise with rte_errno set to an appropriate values.
+ */
+__rte_experimental
+struct rte_ipsec_sad *
+rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);
+
+/**
+ * Find an existing SAD object and return a pointer to it.
+ *
+ * @param name
+ * Name of the SAD object as passed to rte_ipsec_sad_create()
+ * @return
+ * Pointer to sad object or NULL if object not found with rte_errno
+ * set appropriately. Possible rte_errno values include:
+ * - ENOENT - required entry not available to return.
+ */
+__rte_experimental
+struct rte_ipsec_sad *
+rte_ipsec_sad_find_existing(const char *name);
+
+/**
+ * Destroy SAD object.
+ *
+ * @param sad
+ * pointer to the SAD object
+ * @return
+ * None
+ */
+__rte_experimental
+void
+rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);
+
+/**
+ * Lookup multiple keys in the SAD.
+ *
+ * @param sad
+ * SAD object handle
+ * @param keys
+ * Array of keys to be looked up in the SAD
+ * @param sa
+ * Pointer assocoated with the keys.
+ * If the lookup for the given key failed, then corresponding sa
+ * will be NULL
+ * @param n
+ * Number of elements in keys array to lookup.
+ * @return
+ * -EINVAL for incorrect arguments, otherwise 0
+ */
+__rte_experimental
+int
+rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
+ const union rte_ipsec_sad_key *keys[],
+ void *sa[], uint32_t n);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _RTE_IPSEC_SAD_H_ */
diff --git a/lib/librte_ipsec/rte_ipsec_version.map b/lib/librte_ipsec/rte_ipsec_version.map
index ee9f196..3c6c630 100644
--- a/lib/librte_ipsec/rte_ipsec_version.map
+++ b/lib/librte_ipsec/rte_ipsec_version.map
@@ -11,5 +11,12 @@ EXPERIMENTAL {
 rte_ipsec_ses_from_crypto;
 rte_ipsec_session_prepare;
+ rte_ipsec_sad_add;
+ rte_ipsec_sad_create;
+ rte_ipsec_sad_del;
+ rte_ipsec_sad_find_existing;
+ rte_ipsec_sad_destroy;
+ rte_ipsec_sad_lookup;
+
 local: *;
 };
-- 
2.7.4
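Review bot: The header leaves two things undefined that an inbound SA lookup depends on: the valid range of `key_type` (a bare `int`, while `RTE_IPSEC_SAD_KEY_TYPE_MASK` is in fact the element count of `max_sa[]` rather than a bit mask, so any value outside 0..2 would index past that array in an implementation that uses it directly), and which entry wins in rte_ipsec_sad_lookup() when the same SPI is installed under more than one key type, i.e. whether an SPI-only entry can shadow a more specific SPI+DIP(+SIP) entry for a given packet. I would add on the enum `/** Key type selector; valid values are 0 .. RTE_IPSEC_SAD_KEY_TYPE_MASK-1. The last value is the number of key types and sizes max_sa[]. */`, and in the lookup description one sentence naming the precedence (I assume the most specific key type is preferred, but that should be confirmed and written down), plus a note on whether `spi`, `dip` and `sip` are expected in network byte order. Smaller doc nits: the comment above rte_ipsec_sad_create() opens with `/*` instead of `/**`, so Doxygen skips it; "assocoated" in the lookup description and "model Is MT safe, ... required extra synchronisation" in add/del should read "associated" and "model is MT safe, ... requires extra synchronisation".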