ipsec: Support async mode per-SA

Type: feature This feautre only applies to ESP not AH SAs. As well as the gobal switch for ayncs mode, allow individual SAs to be async. If global async is on, all SAs are async. If global async mode is off, then if then an SA can be individually set to async. This preserves the global switch behaviour. the stratergy in the esp encrypt.decrypt nodes is to separate the frame into, 1) sync buffers, 2) async buffers and 3) no-op buffers. Sync buffer will undergo a cyrpto/ath operation, no-op will not, they are dropped or handed-off. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ifc15b10b870b19413ad030ce7f92ed56275d6791
2021-02-25 19:09:24 +00:00
parent fc81134a26
commit f16e9a5507
12 changed files with 397 additions and 244 deletions
--- a/src/vnet/devices/pipe/pipe.c
+++ b/src/vnet/devices/pipe/pipe.c
@@ -167,7 +167,7 @@ pipe_tx (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
      vlib_put_next_frame (vm, node, next_index, n_left_to_next);
    }

-  return n_left_from;
+  return frame->n_vectors;
 }

 static u8 *
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -146,38 +146,33 @@ esp_aad_fill (u8 * data, const esp_header_t * esp, const ipsec_sa_t * sa)
 * to next nodes.
 */
 always_inline void
-esp_set_next_index (int is_async, u32 * from, u16 * nexts, u32 bi,
-		    u16 * drop_index, u16 drop_next, u16 * next)
+esp_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node, u32 err,
+		    u16 index, u16 *nexts, u16 drop_next)
 {
-  if (is_async)
-    {
-      from[*drop_index] = bi;
-      nexts[*drop_index] = drop_next;
-      *drop_index += 1;
-    }
-  else
-    next[0] = drop_next;
+  nexts[index] = drop_next;
+  b->error = node->errors[err];
 }

 /* when submitting a frame is failed, drop all buffers in the frame */
-always_inline void
-esp_async_recycle_failed_submit (vnet_crypto_async_frame_t * f,
-				 vlib_buffer_t ** b, u32 * from, u16 * nexts,
-				 u16 * n_dropped, u16 drop_next_index,
-				 vlib_error_t err)
+always_inline u32
+esp_async_recycle_failed_submit (vlib_main_t *vm, vnet_crypto_async_frame_t *f,
+				 vlib_node_runtime_t *node, u32 err, u16 index,
+				 u32 *from, u16 *nexts, u16 drop_next_index)
 {
  u32 n_drop = f->n_elts;
  u32 *bi = f->buffer_indices;
-  b -= n_drop;
+
  while (n_drop--)
    {
-      b[0]->error = err;
-      esp_set_next_index (1, from, nexts, bi[0], n_dropped, drop_next_index,
-			  NULL);
+      from[index] = bi[0];
+      esp_set_next_index (vlib_get_buffer (vm, bi[0]), node, err, index, nexts,
+			  drop_next_index);
      bi++;
-      b++;
+      index++;
    }
  vnet_crypto_async_reset_frame (f);
+
+  return (f->n_elts);
 }

 /**
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -329,20 +329,15 @@ ipsec_set_async_mode (u32 is_enabled)
  ipsec_main_t *im = &ipsec_main;
  ipsec_sa_t *sa;

-  /* lock all SAs before change im->async_mode */
-  pool_foreach (sa, ipsec_sa_pool)
-    {
-      fib_node_lock (&sa->node);
-    }
+  vnet_crypto_request_async_mode (is_enabled);

  im->async_mode = is_enabled;

-  /* change SA crypto op data before unlock them */
+  /* change SA crypto op data */
  pool_foreach (sa, ipsec_sa_pool)
    {
      sa->crypto_op_data =
-	is_enabled ? sa->async_op_data.data : sa->sync_op_data.data;
-      fib_node_unlock (&sa->node);
+	(is_enabled ? sa->async_op_data.data : sa->sync_op_data.data);
    }
 }

--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -1154,7 +1154,6 @@ vl_api_ipsec_set_async_mode_t_handler (vl_api_ipsec_set_async_mode_t * mp)
  vl_api_ipsec_set_async_mode_reply_t *rmp;
  int rv = 0;

-  vnet_crypto_request_async_mode (mp->async_enable);
  ipsec_set_async_mode (mp->async_enable);

  REPLY_MACRO (VL_API_IPSEC_SET_ASYNC_MODE_REPLY);
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -98,7 +98,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
  u16 udp_src, udp_dst;
  int is_add, rv;
  u32 m_args = 0;
-  tunnel_t tun;
+  tunnel_t tun = {};

  salt = 0;
  error = NULL;
@@ -161,6 +161,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 	flags |= IPSEC_SA_FLAG_USE_ESN;
      else if (unformat (line_input, "udp-encap"))
 	flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+      else if (unformat (line_input, "async"))
+	flags |= IPSEC_SA_FLAG_IS_ASYNC;
      else
 	{
 	  error = clib_error_return (0, "parse error: '%U'",
@@ -198,7 +200,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
    }

  if (rv)
-    error = clib_error_return (0, "failed");
+    error = clib_error_return (0, "failed: %d", rv);

 done:
  unformat_free (line_input);
@@ -940,7 +942,6 @@ set_async_mode_command_fn (vlib_main_t * vm, unformat_input_t * input,
 				   format_unformat_error, line_input));
    }

-  vnet_crypto_request_async_mode (async_enable);
  ipsec_set_async_mode (async_enable);

  unformat_free (line_input);
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -245,7 +245,15 @@ ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
  if (im->async_mode)
    sa->crypto_op_data = sa->async_op_data.data;
  else
-    sa->crypto_op_data = sa->sync_op_data.data;
+    {
+      if (ipsec_sa_is_set_IS_ASYNC (sa))
+	{
+	  vnet_crypto_request_async_mode (1);
+	  sa->crypto_op_data = sa->async_op_data.data;
+	}
+      else
+	sa->crypto_op_data = sa->sync_op_data.data;
+    }

  err = ipsec_check_support_cb (im, sa);
  if (err)
@@ -332,6 +340,8 @@ ipsec_sa_del (ipsec_sa_t * sa)
  /* no recovery possible when deleting an SA */
  (void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);

+  if (ipsec_sa_is_set_IS_ASYNC (sa))
+    vnet_crypto_request_async_mode (0);
  if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
    ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port));

--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -101,7 +101,8 @@ typedef struct ipsec_key_t_
  _ (32, IS_PROTECT, "Protect")                                               \
  _ (64, IS_INBOUND, "inbound")                                               \
  _ (128, IS_AEAD, "aead")                                                    \
-  _ (256, IS_CTR, "ctr")
+  _ (256, IS_CTR, "ctr")                                                      \
+  _ (512, IS_ASYNC, "async")

 typedef enum ipsec_sad_flags_t_
 {
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -74,6 +74,8 @@ enum ipsec_sad_flags
  IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
  /* IPsec SA is for inbound traffic */
  IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
+  /* IPsec SA uses an Async driver */
+  IPSEC_API_SAD_FLAG_ASYNC = 0x80 [backwards_compatible],
 };

 enum ipsec_proto
--- a/src/vnet/ipsec/ipsec_types_api.c
+++ b/src/vnet/ipsec/ipsec_types_api.c
@@ -147,6 +147,8 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
    flags |= IPSEC_SA_FLAG_UDP_ENCAP;
  if (in & IPSEC_API_SAD_FLAG_IS_INBOUND)
    flags |= IPSEC_SA_FLAG_IS_INBOUND;
+  if (in & IPSEC_API_SAD_FLAG_ASYNC)
+    flags |= IPSEC_SA_FLAG_IS_ASYNC;

  return (flags);
 }
@@ -168,6 +170,8 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa)
    flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
  if (ipsec_sa_is_set_IS_INBOUND (sa))
    flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
+  if (ipsec_sa_is_set_IS_ASYNC (sa))
+    flags |= IPSEC_API_SAD_FLAG_ASYNC;

  return clib_host_to_net_u32 (flags);
 }
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -22,6 +22,7 @@ from vpp_papi import VppEnum

 NUM_PKTS = 67
 engines_supporting_chain_bufs = ["openssl"]
+engines = ["ia32", "ipsecmb", "openssl"]


 class ConfigIpsecESP(TemplateIpsec):
@@ -474,56 +475,112 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
    def setUp(self):
        super(TestIpsecEspAsync, self).setUp()

-        self.vapi.ipsec_set_async_mode(async_enable=True)
-        self.p4 = IPsecIPv4Params()
+        self.p_sync = IPsecIPv4Params()

-        self.p4.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
-                                     IPSEC_API_CRYPTO_ALG_AES_CBC_256)
-        self.p4.crypt_algo = 'AES-CBC'  # scapy name
-        self.p4.crypt_key = b'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'
+        self.p_sync.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
+                                         IPSEC_API_CRYPTO_ALG_AES_CBC_256)
+        self.p_sync.crypt_algo = 'AES-CBC'  # scapy name
+        self.p_sync.crypt_key = b'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'

-        self.p4.scapy_tun_sa_id += 0xf0000
-        self.p4.scapy_tun_spi += 0xf0000
-        self.p4.vpp_tun_sa_id += 0xf0000
-        self.p4.vpp_tun_spi += 0xf0000
-        self.p4.remote_tun_if_host = "2.2.2.2"
+        self.p_sync.scapy_tun_sa_id += 0xf0000
+        self.p_sync.scapy_tun_spi += 0xf0000
+        self.p_sync.vpp_tun_sa_id += 0xf0000
+        self.p_sync.vpp_tun_spi += 0xf0000
+        self.p_sync.remote_tun_if_host = "2.2.2.2"
        e = VppEnum.vl_api_ipsec_spd_action_t

-        self.p4.sa = VppIpsecSA(
+        self.p_sync.sa = VppIpsecSA(
            self,
-            self.p4.vpp_tun_sa_id,
-            self.p4.vpp_tun_spi,
-            self.p4.auth_algo_vpp_id,
-            self.p4.auth_key,
-            self.p4.crypt_algo_vpp_id,
-            self.p4.crypt_key,
+            self.p_sync.vpp_tun_sa_id,
+            self.p_sync.vpp_tun_spi,
+            self.p_sync.auth_algo_vpp_id,
+            self.p_sync.auth_key,
+            self.p_sync.crypt_algo_vpp_id,
+            self.p_sync.crypt_key,
            self.vpp_esp_protocol,
-            self.tun_if.local_addr[self.p4.addr_type],
-            self.tun_if.remote_addr[self.p4.addr_type]).add_vpp_config()
-        self.p4.spd = VppIpsecSpdEntry(
+            self.tun_if.local_addr[self.p_sync.addr_type],
+            self.tun_if.remote_addr[self.p_sync.addr_type]).add_vpp_config()
+        self.p_sync.spd = VppIpsecSpdEntry(
            self,
            self.tun_spd,
-            self.p4.vpp_tun_sa_id,
-            self.pg1.remote_addr[self.p4.addr_type],
-            self.pg1.remote_addr[self.p4.addr_type],
-            self.p4.remote_tun_if_host,
-            self.p4.remote_tun_if_host,
+            self.p_sync.vpp_tun_sa_id,
+            self.pg1.remote_addr[self.p_sync.addr_type],
+            self.pg1.remote_addr[self.p_sync.addr_type],
+            self.p_sync.remote_tun_if_host,
+            self.p_sync.remote_tun_if_host,
            0,
            priority=1,
            policy=e.IPSEC_API_SPD_ACTION_PROTECT,
            is_outbound=1).add_vpp_config()
-        VppIpRoute(self,  self.p4.remote_tun_if_host, self.p4.addr_len,
-                   [VppRoutePath(self.tun_if.remote_addr[self.p4.addr_type],
-                                 0xffffffff)]).add_vpp_config()
-        config_tun_params(self.p4, self.encryption_type, self.tun_if)
+        VppIpRoute(self,
+                   self.p_sync.remote_tun_if_host,
+                   self.p_sync.addr_len,
+                   [VppRoutePath(
+                       self.tun_if.remote_addr[self.p_sync.addr_type],
+                       0xffffffff)]).add_vpp_config()
+        config_tun_params(self.p_sync, self.encryption_type, self.tun_if)
+
+        self.p_async = IPsecIPv4Params()
+
+        self.p_async.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
+                                          IPSEC_API_CRYPTO_ALG_AES_GCM_256)
+        self.p_async.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
+                                         IPSEC_API_INTEG_ALG_NONE)
+        self.p_async.crypt_algo = 'AES-GCM'  # scapy name
+        self.p_async.crypt_key = b'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'
+        self.p_async.auth_algo = 'NULL'
+
+        self.p_async.scapy_tun_sa_id += 0xe0000
+        self.p_async.scapy_tun_spi += 0xe0000
+        self.p_async.vpp_tun_sa_id += 0xe0000
+        self.p_async.vpp_tun_spi += 0xe0000
+        self.p_async.remote_tun_if_host = "2.2.2.3"
+
+        iflags = VppEnum.vl_api_ipsec_sad_flags_t
+        self.p_async.flags = (iflags.IPSEC_API_SAD_FLAG_USE_ESN |
+                              iflags.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY |
+                              iflags.IPSEC_API_SAD_FLAG_ASYNC)
+
+        self.p_async.sa = VppIpsecSA(
+            self,
+            self.p_async.vpp_tun_sa_id,
+            self.p_async.vpp_tun_spi,
+            self.p_async.auth_algo_vpp_id,
+            self.p_async.auth_key,
+            self.p_async.crypt_algo_vpp_id,
+            self.p_async.crypt_key,
+            self.vpp_esp_protocol,
+            self.tun_if.local_addr[self.p_async.addr_type],
+            self.tun_if.remote_addr[self.p_async.addr_type],
+            flags=self.p_async.flags).add_vpp_config()
+        self.p_async.spd = VppIpsecSpdEntry(
+            self,
+            self.tun_spd,
+            self.p_async.vpp_tun_sa_id,
+            self.pg1.remote_addr[self.p_async.addr_type],
+            self.pg1.remote_addr[self.p_async.addr_type],
+            self.p_async.remote_tun_if_host,
+            self.p_async.remote_tun_if_host,
+            0,
+            priority=2,
+            policy=e.IPSEC_API_SPD_ACTION_PROTECT,
+            is_outbound=1).add_vpp_config()
+        VppIpRoute(self,
+                   self.p_async.remote_tun_if_host,
+                   self.p_async.addr_len,
+                   [VppRoutePath(
+                       self.tun_if.remote_addr[self.p_async.addr_type],
+                       0xffffffff)]).add_vpp_config()
+        config_tun_params(self.p_async, self.encryption_type, self.tun_if)

    def test_dual_stream(self):
        """ Alternating SAs """
-        p = self.params[self.p4.addr_type]
+        p = self.params[self.p_sync.addr_type]
+        self.vapi.ipsec_set_async_mode(async_enable=True)

        pkts = [(Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
                 IP(src=self.pg1.remote_ip4,
-                    dst=self.p4.remote_tun_if_host) /
+                    dst=self.p_sync.remote_tun_if_host) /
                 UDP(sport=4444, dport=4444) /
                 Raw(b'0x0' * 200)),
                (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
@@ -540,14 +597,76 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
        for rx in rxs:
            if rx[ESP].spi == p.scapy_tun_spi:
                decrypted = p.vpp_tun_sa.decrypt(rx[IP])
-            elif rx[ESP].spi == self.p4.vpp_tun_spi:
-                decrypted = self.p4.scapy_tun_sa.decrypt(rx[IP])
+            elif rx[ESP].spi == self.p_sync.vpp_tun_spi:
+                decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP])
            else:
                rx.show()
                self.assertTrue(False)

-        self.p4.spd.remove_vpp_config()
-        self.p4.sa.remove_vpp_config()
+        self.p_sync.spd.remove_vpp_config()
+        self.p_sync.sa.remove_vpp_config()
+        self.p_async.spd.remove_vpp_config()
+        self.p_async.sa.remove_vpp_config()
+        self.vapi.ipsec_set_async_mode(async_enable=False)
+
+    def test_sync_async_noop_stream(self):
+        """ Alternating SAs sync/async/noop """
+        p = self.params[self.p_sync.addr_type]
+
+        # first pin the default/noop SA to worker 0
+        pkts = [(Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+                 IP(src=self.pg1.remote_ip4,
+                    dst=p.remote_tun_if_host) /
+                 UDP(sport=4444, dport=4444) /
+                 Raw(b'0x0' * 200))]
+        rxs = self.send_and_expect(self.pg1, pkts, self.pg0, worker=0)
+
+        self.logger.info(self.vapi.cli("sh ipsec sa"))
+        self.logger.info(self.vapi.cli("sh crypto async status"))
+
+        # then use all the other SAs on worker 1.
+        # some will handoff, other take the sync and async paths
+        pkts = [(Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+                 IP(src=self.pg1.remote_ip4,
+                    dst=self.p_sync.remote_tun_if_host) /
+                 UDP(sport=4444, dport=4444) /
+                 Raw(b'0x0' * 200)),
+                (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+                 IP(src=self.pg1.remote_ip4,
+                    dst=p.remote_tun_if_host) /
+                 UDP(sport=4444, dport=4444) /
+                 Raw(b'0x0' * 200)),
+                (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+                 IP(src=self.pg1.remote_ip4,
+                    dst=self.p_async.remote_tun_if_host) /
+                 UDP(sport=4444, dport=4444) /
+                 Raw(b'0x0' * 200))]
+        pkts *= 1023
+
+        rxs = self.send_and_expect(self.pg1, pkts, self.pg0, worker=1)
+
+        self.assertEqual(len(rxs), len(pkts))
+
+        for rx in rxs:
+            if rx[ESP].spi == p.scapy_tun_spi:
+                decrypted = p.vpp_tun_sa.decrypt(rx[IP])
+            elif rx[ESP].spi == self.p_sync.vpp_tun_spi:
+                decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP])
+            elif rx[ESP].spi == self.p_async.vpp_tun_spi:
+                decrypted = self.p_async.scapy_tun_sa.decrypt(rx[IP])
+            else:
+                rx.show()
+                self.assertTrue(False)
+
+        self.p_sync.spd.remove_vpp_config()
+        self.p_sync.sa.remove_vpp_config()
+        self.p_async.spd.remove_vpp_config()
+        self.p_async.sa.remove_vpp_config()
+
+        # async mode should have been disabled now that there are
+        # no async SAs. there's no API for this, so a reluctant
+        # screen scrape.
+        self.assertTrue("DISABLED" in self.vapi.cli("sh crypto async status"))


 class TestIpsecEspHandoff(TemplateIpsecEsp,
@@ -618,7 +737,6 @@ class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests):

 class MyParameters():
    def __init__(self):
-        self.engines = ["ia32", "ipsecmb", "openssl"]
        flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
        self.flags = [0, flag_esn]
        # foreach crypto algorithm
@@ -828,6 +946,14 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
                self.verify_tun_44(self.params[socket.AF_INET],
                                   count=NUM_PKTS, payload_size=sz)

+        #
+        # swap the handlers while SAs are up
+        #
+        for e in engines:
+            if e != engine:
+                self.vapi.cli("set crypto handler all %s" % e)
+                self.verify_tra_basic4(count=NUM_PKTS)
+
        #
        # remove the SPDs, SAs, etc
        #