Commit Graph

34 Commits

Author SHA1 Message Date
Zbigniew Bodek
b5350285ce examples/ipsec-secgw: support SHA256 HMAC
Add minor adjustments to support SHA256 HMAC:
- extend maximum key length to match SHA256 HMAC
- add SHA256 HMAC parameters and configuration string
- add SHA256 HMAC to inbound and outbound cases

Signed-off-by: Zbigniew Bodek <zbigniew.bodek@caviumnetworks.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2017-01-18 21:48:56 +01:00
Olivier Matz
5d8f0baf69 log: do not drop debug logs at compile time
Today, all logs whose level is lower than INFO are dropped at
compile-time. This prevents from enabling debug logs at runtime using
--log-level=8.

The rationale was to remove debug logs from the data path at
compile-time, avoiding a test at run-time.

This patch changes the behavior of RTE_LOG() to avoid the compile-time
optimization, and introduces the RTE_LOG_DP() macro that has the same
behavior than the previous RTE_LOG(), for the rare cases where debug
logs are in the data path.

So it is now possible to enable debug logs at run-time by just
specifying --log-level=8. Some drivers still have special compile-time
options to enable more debug log. Maintainers may consider to
remove/reduce them.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
2016-12-01 18:09:13 +01:00
Fan Zhang
a1469c319f examples/ipsec-secgw: fix configuration parsing
Fix pointer to local outside scope.

Coverity issue: 137871
Fixes: 0d547ed037 ("examples/ipsec-secgw: support configuration file")

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
2016-11-07 21:44:42 +01:00
Fan Zhang
63e8c07c72 examples/ipsec-secgw: fix configuration parsing
Fix copy into fixed size buffer issue.

Coverity issue: 137875
Fixes: 0d547ed0 ("examples/ipsec-secgw: support configuration file")

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
2016-11-07 21:38:45 +01:00
Fan Zhang
07b156199f examples/ipsec-secgw: fix configuration string termination
Coverity issue: 137854, 137855
Fixes: 0d547ed037 ("examples/ipsec-secgw: support configuration file")

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
2016-11-07 00:35:43 +01:00
Sergio Gonzalez Monroy
50d75cae2a examples/ipsec-secgw: initialize SA salt
This patch initializes the salt value used by the following cipher
algorithms:
- CBC: random salt
- GCM/CTR: the key required is 20B, and the last 4B are used as salt.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Sergio Gonzalez Monroy
e715ca2892 examples/ipsec-secgw: add cryptodev queue size constant
Introduce a specific cryptodev queue size macro.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Sergio Gonzalez Monroy
6e1892a698 examples/ipsec-secgw: check SP only when setup
Application will segfault if there is IPv4 or IPv6 and no SP/ACL rules
for IPv4 or IPv6 respectively.

Avoid checking the ACL/SP in such cases.

Fixes: 906257e965 ("examples/ipsec-secgw: support IPv6")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Sergio Gonzalez Monroy
4470c22de2 examples/ipsec-secgw: add AES-CTR
RFC3686: Using AES Counter (CTR) Mode With IPsec ESP.`

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Sergio Gonzalez Monroy
a9121c4001 examples/ipsec-secgw: add AES-GCM
Add support for AES-GCM (Galois-Counter Mode).

RFC4106: The Use of Galois-Counter Mode (GCM) in IPSec ESP.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Sergio Gonzalez Monroy
a60c05b540 examples/ipsec-secgw: reset crypto operation status
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Sergio Gonzalez Monroy
cef50fc6f1 examples/ipsec-secgw: change CBC IV generation
NIST SP800-38A recommends two methods to generate unpredictable IVs
(Initilisation Vector) for CBC mode:
1) Apply the forward function to a nonce (ie. counter)
2) Use a FIPS-approved random number generator

This patch implements the first recommended method by using the forward
function to generate the IV.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-10-08 17:54:38 +02:00
Fan Zhang
60a94afefc examples/ipsec-secgw: add sample configuration files
This patch adds two sample configuration files to ipsec-secgw sample
application. The sample configuration files show how to setup
back-to-back systems that would forward traffic through an IPsec
tunnel.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-10-04 20:41:09 +02:00
Fan Zhang
0d547ed037 examples/ipsec-secgw: support configuration file
This patch adds the configuration file support to ipsec_secgw
sample application. Instead of hard-coded rules, the users can
specify their own SP, SA, and routing rules in the configuration
file. A command line option "-f" is added to pass the
configuration file location to the application.

Configuration item formats:

SP rule format:
sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip> \
<proto> <sport> <dport>

SA rule format:
sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key> \
<mode> <src_ip> <dst_ip>

Routing rule format:
rt <ip_ver> <src_ip> <dst_ip> <port>

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-10-04 20:41:09 +02:00
Hemant Agrawal
b86eeb2aba examples/ipsec-secgw: call start function
The usual device sequence is configure, queue setup and start.
Crypto device should be started before use.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-07-22 12:40:21 +02:00
Sergio Gonzalez Monroy
96362fadd1 examples/ipsec-secgw: fix build with gcc 4.5
GCC 4.5.x does not handle well initializing anonymous union and/or
structs.

To make the compiler happy we name those anonymous union/struct.

Fixes: 906257e965 ("examples/ipsec-secgw: support IPv6")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-07-22 11:53:32 +02:00
Sergio Gonzalez Monroy
0a08ab548d examples/ipsec-secgw: fix inbound crash
When sending Inbound non IPSec traffic that matches an Inbound Security
Policy set to Protect, the code will check that the SPI of the packet
and the associated Security Association match.

That check should only be done for IPSec packets and results in SEGFAULT
when done on non IPSec packets.

Fixes: 906257e965 ("examples/ipsec-secgw: support IPv6")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-07-16 00:11:51 +02:00
Sergio Gonzalez Monroy
f159e70b09 examples/ipsec-secgw: support transport mode
IPSec transport mode support.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:12:09 +02:00
Sergio Gonzalez Monroy
906257e965 examples/ipsec-secgw: support IPv6
Support IPSec IPv6 allowing IPv4/IPv6 traffic in IPv4 or IPv6 tunnel.

We need separate Routing (LPM) and SP (ACL) tables for IPv4 and IPv6,
but a common SA table.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:11:27 +02:00
Sergio Gonzalez Monroy
54526a5375 examples/ipsec-secgw: rename SP config
Modify the default SP config variables names to be consistent with SA.

The resulting naming convention is that variables with suffixes _out/_in
are the default for ep0 and the reverse for ep1.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:10:04 +02:00
Sergio Gonzalez Monroy
85f8476727 examples/ipsec-secgw: fix no SA found case
The application only ASSERTS that an SA is not NULL (only when debugging
is enabled) without properly dealing with the case of not having an SA
for the processed packet.

Behavior should be such as if no SA is found, drop the packet.

Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:09:18 +02:00
Sergio Gonzalez Monroy
c64278c0c1 examples/ipsec-secgw: rework processing loop
Rework implementation moving from function pointers approach, where each
function implements very specific functionality, to a generic function
approach.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:07:25 +02:00
Sergio Gonzalez Monroy
973d3d8285 examples/ipsec-secgw: add debug build option
Add support for building the application with DEBUG=1.
This option adds the compiler stack protection flag and enables extra
output in the application.

Also remove unnecessary VPATH setup.

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:06:09 +02:00
Sergio Gonzalez Monroy
4e94250019 examples/ipsec-secgw: fix stack smashing
Building the application with -O3 and -fstack-protection (default in
Ubuntu) results in the following error:

*** stack smashing detected ***: ./build/ipsec-secgw terminated

The error is caused by storing an 8B value in a 4B variable.

Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 12:05:07 +02:00
Sergio Gonzalez Monroy
6723ea61ac examples/ipsec-secgw: fix esp padding check
Current code fails to correctly check padding sequence for inbound
packets.
Padding sequence starts on 1 but it checks for 0.

Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-06-21 11:38:51 +02:00
Olivier Matz
e89880957f mbuf: add prefetch helpers
Some architectures (ex: Power8) have a cache line size of 128 bytes,
so the drivers should not expect that prefetching the second part of
the mbuf with rte_prefetch0(&m->cacheline1) is valid.

This commit add helpers that can be used by drivers to prefetch the
rx or tx part of the mbuf, whatever the cache line size.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: Jerin Jacob <jerin.jacob@caviumnetworks.com>
2016-05-24 11:21:14 +02:00
Mauricio Vasquez B
b4e0f64ff2 examples: remove useless check of port count
The rte_eth_dev_count() function will never return a value greater
than RTE_MAX_ETHPORTS, so that checking is useless.

Signed-off-by: Mauricio Vasquez B <mauricio.vasquezbernal@studenti.polito.it>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
2016-05-16 21:01:51 +02:00
Thomas Monjalon
50705e8e3c eal: add assert macro for debug
The macro RTE_VERIFY always checks a condition.
It is optimized with "unlikely" hint.
While this macro is well suited for test applications, it is preferred
in libraries and examples to enable such check in debug mode.
That's why the macro RTE_ASSERT is introduced to call RTE_VERIFY only
if built with debug logs enabled.

A lot of assert macros were duplicated and enabled with a specific flag.
Removing these #ifdef allows to test these code branches more easily
and avoid dead code pitfalls.

The ENA_ASSERT is kept (in debug mode only) because it has more
parameters to log.

Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
2016-05-02 15:31:17 +02:00
Thomas Monjalon
1f49ec153c examples: remove useless debug flags
The debug logs must be enabled at compile-time and run-time.
There are also some internal flags in some examples to enable the debug
logs of the applications. They are now enabled in debug configs and
can be disabled thanks to the more generic logtype mechanism:
	rte_set_log_type(RTE_LOGTYPE_USER1, 0);

Removing these #ifdef allows to test these code branches more easily
and avoid dead code pitfalls.

Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
Acked-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
2016-05-02 15:31:17 +02:00
Pablo de Lara
6608522447 examples/ipsec-secgw: fix anonymous union initialization
In icc 14.0, compilation was broken:

examples/ipsec-secgw/sa.c(212): error: a designator for an anonymous
union member can only appear within braces corresponding to that anonymous union
        .cipher = { RTE_CRYPTO_CIPHER_OP_ENCRYPT, RTE_CRYPTO_CIPHER_AES_CBC,
         ^

The member in anonymous union initialization should be inside '{}',
otherwise it will report an error.

Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-04-08 22:28:39 +02:00
Daniel Mrzyglod
9cd3ddfb82 examples: fix build with icc 15.0.1
error: loops in this subroutine are not good vectorization candidates
 (try compiling with O3 and/or IPO).

this error occurs in icc 15.0.1

Solution to disable this diagnostic message
https://software.intel.com/en-us/forums/intel-c-compiler/topic/537688

Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")
Fixes: 8cc72f2814 ("examples/vmdq_dcb: support X710")

Signed-off-by: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
2016-04-04 15:05:40 +02:00
Thomas Monjalon
09419f235e ethdev: use constants for link state
Define and use ETH_LINK_UP and ETH_LINK_DOWN where appropriate.

Signed-off-by: Marc Sune <marcdevel@gmail.com>
Signed-off-by: Thomas Monjalon <thomas.monjalon@6wind.com>
2016-04-01 21:38:34 +02:00
Daniel Mrzyglod
55d4c7756c examples/ipsec-secgw: fix build on FreeBSD
In FreeBSD, sys/types.h and netinet/in.h need to be included before
netinet/ip.h

There were missed typedef for u_char - <sys/types.h>
There were missed network definitions - <netinet/in.h>

Failure #13: http://dpdk.org/ml/archives/test-report/2016-March/001896.html

Fixes: d299106e8e ("examples/ipsec-secgw: add IPsec sample application")

Signed-off-by: Daniel Mrzyglod <danielx.t.mrzyglod@intel.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
2016-03-31 22:27:41 +02:00
Sergio Gonzalez Monroy
d299106e8e examples/ipsec-secgw: add IPsec sample application
Sample app implementing an IPsec Security Geteway.
The main goal of this app is to show the use of cryptodev framework
in a "real world" application.

Currently only supported static IPv4 ESP IPsec tunnels for the following
algorithms:
- Cipher: AES-CBC, NULL
- Authentication: HMAC-SHA1, NULL

Not supported:
- SA auto negotiation (No IKE implementation)
- chained mbufs

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
2016-03-11 11:06:29 +01:00