add ipsecmb plugin

Change-Id: I99c0737dfeeec2db267773625ddc9b55324fd237
Signed-off-by: Klement Sekera <ksekera@cisco.com>

src/plugins/ipsecmb/CMakeLists.txt

@@ -0,0 +1,46 @@
+# Copyright (c) 2018 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+find_path(IPSECMB_INCLUDE_DIR NAMES intel-ipsec-mb.h HINTS ${IPSECMB_INCLUDE_DIR_HINT})
+find_library(IPSECMB_LIB NAMES libIPSec_MB.a HINTS ${IPSECMB_LIB_DIR_HINT})
+
+if(IPSECMB_INCLUDE_DIR AND IPSECMB_LIB)
+
+	get_filename_component(IPSECMB_LIB_DIR ${IPSECMB_LIB} DIRECTORY)
+	set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -L${IPSECMB_LIB_DIR} -Wl,--whole-archive ${IPSECMB_LIB} -Wl,--no-whole-archive")
+	set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -Wl,--exclude-libs,libIPSec_MB.a,-l:libIPSec_MB.a")
+	include_directories(${IPSECMB_INCLUDE_DIR})
+	add_vpp_plugin(ipsecmb
+		SOURCES
+		ipsecmb.c
+		ah_encrypt.c
+		ah_decrypt.c
+		esp_encrypt.c
+		esp_decrypt.c
+
+		MULTIARCH_SOURCES
+		ah_encrypt.c
+		ah_decrypt.c
+		esp_encrypt.c
+		esp_decrypt.c
+
+		LINK_FLAGS
+		${IPSECMB_LINK_FLAGS}
+		)
+
+	message(STATUS "Intel IPSecMB found: ${IPSECMB_INCLUDE_DIR}")
+else()
+	message(STATUS "Intel IPSecMB not found")
+endif()
+
+

src/plugins/ipsecmb/ipsecmb.h

@@ -0,0 +1,97 @@
+#ifndef __included_ipsecmb_h__
+#define __included_ipsecmb_h__
+
+#include <vppinfra/types.h>
+#include <vppinfra/vec.h>
+#include <vppinfra/clib.h>
+#include <vppinfra/warnings.h>
+#include <vnet/ipsec/ipsec.h>
+
+WARN_OFF (attributes);
+
+#ifdef always_inline
+#undef always_inline
+#define __need_redefine__
+#endif
+
+#include <intel-ipsec-mb.h>
+
+#ifdef __need_redefine__
+#if CLIB_DEBUG > 0
+#define always_inline static inline
+#else
+#define always_inline static inline __attribute__ ((__always_inline__))
+#endif
+#endif // __need_redefine__
+WARN_ON (attributes);
+
+typedef struct
+{
+  keyexp_t keyexp_fn;
+  JOB_CIPHER_MODE cipher_mode;
+  u8 key_len;
+  u8 iv_size;
+  u8 block_size;
+} ipsecmb_crypto_alg_t;
+
+typedef struct
+{
+  hash_one_block_t hash_one_block_fn;
+  u8 block_size;
+  JOB_HASH_ALG hash_alg;
+  u8 hash_output_length;
+} ipsecmb_integ_alg_t;
+
+typedef struct
+{
+  u8 aes_enc_key_expanded[16 * 15] __attribute__ ((aligned (16)));
+  u8 aes_dec_key_expanded[16 * 15] __attribute__ ((aligned (16)));
+  u8 ipad_hash[256] __attribute__ ((aligned (16)));
+  u8 opad_hash[256] __attribute__ ((aligned (16)));
+} ipsecmb_sa_t;
+
+typedef struct
+{
+  u8 data[16];
+} random_bytes_t;
+
+typedef u8 urandom_buffer_t[4096];
+
+typedef struct
+{
+  /** read buffer for random data from /dev/urandom */
+  urandom_buffer_t urandom_buffer;
+  /** pool of all the random_bytes_t objects ever allocated */
+  random_bytes_t *rb_pool;
+  /** vector of random_bytes_t objects containing random bytes */
+  u32 *rb_from_dev_urandom;
+  /** vector of used random_bytes_t objects */
+  u32 *rb_recycle_list;
+  /** vector of random bytes collected from encrypted data */
+  u32 *rb_from_traffic;
+} ipsecmb_per_thread_data_t;
+
+typedef struct
+{
+  ipsecmb_crypto_alg_t *crypto_algs;
+  ipsecmb_integ_alg_t *integ_algs;
+  MB_MGR **mb_mgr;
+  ipsecmb_sa_t *sad;
+  ipsecmb_per_thread_data_t *per_thread_data;
+  int dev_urandom_fd;
+} ipsecmb_main_t;
+
+extern ipsecmb_main_t ipsecmb_main;
+
+#define P(x,y) x ## _ ## y
+#define E(x,y) P(x,y)
+#define IPSECMB_FUNC(f) E(f,CLIB_MARCH_VARIANT)
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
+
+#endif /* __included_ipsecmb_h__ */

src/vnet/buffer.h

@@ -274,6 +274,10 @@ typedef struct
     {
       u32 flags;
       u32 sad_index;
+      u32 ip_version_traffic_class_and_flow_label;
+      u8 tos;
+      u8 ttl_or_hop_limit;
+      u32 seq;
     } ipsec;
 
     /* MAP */

test/test_ipsec_nat.py

@@ -9,7 +9,7 @@ from util import ppp, ppc
 from template_ipsec import TemplateIpsec
 
 
-class IPSecNATTestCase(TemplateIpsec):
+class TemplateIPSecNAT(TemplateIpsec):
     """ IPSec/NAT
     TUNNEL MODE:
 
@@ -33,7 +33,7 @@ class IPSecNATTestCase(TemplateIpsec):
 
     @classmethod
     def setUpClass(cls):
-        super(IPSecNATTestCase, cls).setUpClass()
+        super(TemplateIPSecNAT, cls).setUpClass()
         cls.tun_if = cls.pg0
         cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
         cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
@@ -236,3 +236,8 @@ class IPSecNATTestCase(TemplateIpsec):
         self.pg_start()
         capture = self.pg1.get_capture(len(pkts))
         self.verify_capture_plain(capture)
+
+
+class IPSecNAT(TemplateIPSecNAT):
+    """ IPSec/NAT """
+    pass

test/test_ipsecmb_ah.py

@@ -0,0 +1,31 @@
+from test_ipsec_ah import TemplateIpsecAh
+from template_ipsec import IpsecTraTests, IpsecTunTests, IpsecTcpTests
+
+
+class TestIpsecMBAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests):
+    """ IpsecMB AH - TUN & TRA tests """
+    extra_vpp_plugin_config = [
+        "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
+
+    tra4_encrypt_node_name = "ah4-encrypt-ipsecmb"
+    tra4_decrypt_node_name = "ah4-decrypt-ipsecmb"
+    tra6_encrypt_node_name = "ah6-encrypt-ipsecmb"
+    tra6_decrypt_node_name = "ah6-decrypt-ipsecmb"
+    tun4_encrypt_node_name = "ah4-encrypt-ipsecmb"
+    tun4_decrypt_node_name = "ah4-decrypt-ipsecmb"
+    tun6_encrypt_node_name = "ah6-encrypt-ipsecmb"
+    tun6_decrypt_node_name = "ah6-decrypt-ipsecmb"
+
+    @classmethod
+    def ipsec_select_backend(cls):
+        cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1)
+
+
+class TestIpsecMBAh2(TemplateIpsecAh, IpsecTcpTests):
+    """ IpsecMB AH - TCP tests """
+    extra_vpp_plugin_config = [
+        "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
+
+    @classmethod
+    def ipsec_select_backend(cls):
+        cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1)

test/test_ipsecmb_esp.py

@@ -0,0 +1,30 @@
+from test_ipsec_esp import TemplateIpsecEsp
+from template_ipsec import IpsecTraTests, IpsecTunTests, IpsecTcpTests
+
+
+class TestIpsecMBEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests):
+    """ IpsecMB ESP - TUN & TRA tests """
+    extra_vpp_plugin_config = [
+        "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
+    tra4_encrypt_node_name = "esp4-encrypt-ipsecmb"
+    tra4_decrypt_node_name = "esp4-decrypt-ipsecmb"
+    tra6_encrypt_node_name = "esp6-encrypt-ipsecmb"
+    tra6_decrypt_node_name = "esp6-decrypt-ipsecmb"
+    tun4_encrypt_node_name = "esp4-encrypt-ipsecmb"
+    tun4_decrypt_node_name = "esp4-decrypt-ipsecmb"
+    tun6_encrypt_node_name = "esp6-encrypt-ipsecmb"
+    tun6_decrypt_node_name = "esp6-decrypt-ipsecmb"
+
+    @classmethod
+    def ipsec_select_backend(cls):
+        cls.vapi.ipsec_select_backend(protocol=cls.vpp_esp_protocol, index=1)
+
+
+class TestIpsecMBEsp2(TemplateIpsecEsp, IpsecTcpTests):
+    """ IpsecMB ESP - TCP tests """
+    extra_vpp_plugin_config = [
+        "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
+
+    @classmethod
+    def ipsec_select_backend(cls):
+        cls.vapi.ipsec_select_backend(protocol=cls.vpp_esp_protocol, index=1)

test/test_ipsecmb_nat.py

@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+
+from test_ipsec_nat import TemplateIPSecNAT
+
+
+class IPSecMBNATTestCase(TemplateIPSecNAT):
+    """ IPSecMB/NAT """
+    extra_vpp_plugin_config = [
+        "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
+
+    @classmethod
+    def ipsec_select_backend(cls):
+        cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1)