/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2018 Intel Corporation
 */

#ifndef _RTE_IPSEC_SA_H_
#define _RTE_IPSEC_SA_H_

/**
 * @file rte_ipsec_sa.h
 *
 * Defines API to manage IPsec Security Association (SA) objects.
 *
 * The SA object is opaque to the caller. The intended sequence, as exposed
 * by the prototypes below, is: size the object with rte_ipsec_sa_size(),
 * provide a buffer of at least that size, initialise it with
 * rte_ipsec_sa_init() and release its internal state with rte_ipsec_sa_fini().
 */

#include <rte_common.h>
#include <rte_cryptodev.h>
#include <rte_security.h>

#ifdef __cplusplus
extern "C" {
#endif

/**
 * An opaque structure to represent Security Association (SA).
 */
struct rte_ipsec_sa;

/**
 * SA initialization parameters.
 *
 * Passed by const pointer to rte_ipsec_sa_size() and rte_ipsec_sa_init().
 * NOTE(review): whether the library keeps referencing @ref crypto_xform and
 * @ref tun.hdr after rte_ipsec_sa_init() returns is not stated in this header;
 * confirm against the implementation before releasing that memory.
 */
struct rte_ipsec_sa_prm {

	uint64_t userdata; /**< provided and interpreted by user */
	uint64_t flags;  /**< see RTE_IPSEC_SAFLAG_* below */
	/** ipsec configuration */
	struct rte_security_ipsec_xform ipsec_xform;
	/** crypto session configuration */
	struct rte_crypto_sym_xform *crypto_xform;
	/*
	 * Mode-specific parameters. Only one member is meaningful for a given
	 * SA; presumably the mode in ipsec_xform selects which one is read
	 * (not visible here - verify against rte_ipsec_sa_init()).
	 */
	union {
		struct {
			/*
			 * Being uint8_t, hdr_len bounds the template at 255 bytes;
			 * presumably hdr must point to at least hdr_len readable
			 * bytes and hdr_l3_off must lie within it - confirm in the
			 * implementation's parameter checks.
			 */
			uint8_t hdr_len;     /**< tunnel header len */
			uint8_t hdr_l3_off;   /**< offset for IPv4/IPv6 header */
			uint8_t next_proto;  /**< next header protocol */
			const void *hdr;     /**< tunnel header template */
		} tun; /**< tunnel mode related parameters */
		struct {
			uint8_t proto;  /**< next header protocol */
		} trs; /**< transport mode related parameters */
	};
};

/**
 * Indicates that SA will(/will not) need an 'atomic' access
 * to sequence number and replay window.
 * 'atomic' here means:
 * functions:
 *  - rte_ipsec_pkt_crypto_prepare
 *  - rte_ipsec_pkt_process
 * can be safely used in MT environment, as long as the user can guarantee
 * that they obey multiple readers/single writer model for SQN+replay_window
 * operations.
 * To be more specific:
 * for outbound SA there are no restrictions.
 * for inbound SA the caller has to guarantee that at any given moment
 * only one thread is executing rte_ipsec_pkt_process() for given SA.
 * Note that it is caller responsibility to maintain correct order
 * of packets to be processed.
 * In other words - it is a caller responsibility to serialize process()
 * invocations.
 *
 * Breaking the single-writer rule on an inbound SA races on the replay
 * window state, so the anti-replay check cannot be relied upon in that case.
 * This is the only RTE_IPSEC_SAFLAG_* bit defined in this header.
 */
#define	RTE_IPSEC_SAFLAG_SQN_ATOM	(1ULL << 0)

/**
 * SA type is a 64-bit value that contains the following information:
 * - IP version (IPv4/IPv6)
 * - IPsec proto (ESP/AH)
 * - inbound/outbound
 * - mode (TRANSPORT/TUNNEL)
 * - for TUNNEL outer IP version (IPv4/IPv6)
 * - are SA SQN operations 'atomic'
 * - ESN enabled/disabled
 * - ECN enabled/disabled
 * - DSCP enabled/disabled
 * - NAT-T UDP encapsulated (TUNNEL mode only)
 * ...
 *
 * Each enumerator below is the bit position (log2) of the corresponding
 * field; the RTE_IPSEC_SATP_*_MASK macros are built from them. New fields
 * are appended at the end so existing positions stay stable.
 */

enum {
	RTE_SATP_LOG2_IPV,
	RTE_SATP_LOG2_PROTO,
	RTE_SATP_LOG2_DIR,
	RTE_SATP_LOG2_MODE,
	/* MODE occupies two bits (its mask is 3ULL << MODE), hence the +2. */
	RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
	RTE_SATP_LOG2_ESN,
	RTE_SATP_LOG2_ECN,
	RTE_SATP_LOG2_DSCP,
	RTE_SATP_LOG2_NATT
};

#define RTE_IPSEC_SATP_IPV_MASK		(1ULL << RTE_SATP_LOG2_IPV)
#define RTE_IPSEC_SATP_IPV4		(0ULL << RTE_SATP_LOG2_IPV)
#define RTE_IPSEC_SATP_IPV6		(1ULL << RTE_SATP_LOG2_IPV)

#define RTE_IPSEC_SATP_PROTO_MASK	(1ULL << RTE_SATP_LOG2_PROTO)
#define RTE_IPSEC_SATP_PROTO_AH		(0ULL << RTE_SATP_LOG2_PROTO)
#define RTE_IPSEC_SATP_PROTO_ESP	(1ULL << RTE_SATP_LOG2_PROTO)

#define RTE_IPSEC_SATP_DIR_MASK		(1ULL << RTE_SATP_LOG2_DIR)
#define RTE_IPSEC_SATP_DIR_IB		(0ULL << RTE_SATP_LOG2_DIR)
#define RTE_IPSEC_SATP_DIR_OB		(1ULL << RTE_SATP_LOG2_DIR)

/* Two-bit field: TRANS, TUNLV4 and TUNLV6 are values, not independent bits. */
#define RTE_IPSEC_SATP_MODE_MASK	(3ULL << RTE_SATP_LOG2_MODE)
#define RTE_IPSEC_SATP_MODE_TRANS	(0ULL << RTE_SATP_LOG2_MODE)
#define RTE_IPSEC_SATP_MODE_TUNLV4	(1ULL << RTE_SATP_LOG2_MODE)
#define RTE_IPSEC_SATP_MODE_TUNLV6	(2ULL << RTE_SATP_LOG2_MODE)

#define RTE_IPSEC_SATP_SQN_MASK		(1ULL << RTE_SATP_LOG2_SQN)
#define RTE_IPSEC_SATP_SQN_RAW		(0ULL << RTE_SATP_LOG2_SQN)
#define RTE_IPSEC_SATP_SQN_ATOM		(1ULL << RTE_SATP_LOG2_SQN)

#define RTE_IPSEC_SATP_ESN_MASK		(1ULL << RTE_SATP_LOG2_ESN)
#define RTE_IPSEC_SATP_ESN_DISABLE	(0ULL << RTE_SATP_LOG2_ESN)
#define RTE_IPSEC_SATP_ESN_ENABLE	(1ULL << RTE_SATP_LOG2_ESN)

#define RTE_IPSEC_SATP_ECN_MASK		(1ULL << RTE_SATP_LOG2_ECN)
#define RTE_IPSEC_SATP_ECN_DISABLE	(0ULL << RTE_SATP_LOG2_ECN)
#define RTE_IPSEC_SATP_ECN_ENABLE	(1ULL << RTE_SATP_LOG2_ECN)

#define RTE_IPSEC_SATP_DSCP_MASK	(1ULL << RTE_SATP_LOG2_DSCP)
#define RTE_IPSEC_SATP_DSCP_DISABLE	(0ULL << RTE_SATP_LOG2_DSCP)
#define RTE_IPSEC_SATP_DSCP_ENABLE	(1ULL << RTE_SATP_LOG2_DSCP)

#define RTE_IPSEC_SATP_NATT_MASK	(1ULL << RTE_SATP_LOG2_NATT)
#define RTE_IPSEC_SATP_NATT_DISABLE	(0ULL << RTE_SATP_LOG2_NATT)
#define RTE_IPSEC_SATP_NATT_ENABLE	(1ULL << RTE_SATP_LOG2_NATT)


/**
 * get type of given SA
 * @param sa
 *   Pointer to an initialised SA object.
 * @return
 *   SA type value; test it against the RTE_IPSEC_SATP_*_MASK macros above.
 */
uint64_t
rte_ipsec_sa_type(const struct rte_ipsec_sa *sa);

/**
 * Calculate required SA size based on provided input parameters.
 * @param prm
 *   Parameters that will be used to initialise SA object.
 * @return
 *   - Actual size required for SA with given parameters.
 *   - -EINVAL if the parameters are invalid.
 *
 * The return is an int, so check for a negative value before passing the
 * result on as the uint32_t size argument of rte_ipsec_sa_init().
 */
int
rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm);

/**
 * initialise SA based on provided input parameters.
 * @param sa
 *   SA object to initialise.
 * @param prm
 *   Parameters used to initialise given SA object.
 * @param size
 *   size of the provided buffer for SA.
 * @return
 *   - Actual size of SA object if operation completed successfully.
 *   - -EINVAL if the parameters are invalid.
 *   - -ENOSPC if the size of the provided buffer is not big enough.
 *
 * The buffer behind @p sa is supplied and owned by the caller; @p size
 * must report its real length so that the -ENOSPC check is meaningful.
 */
int
rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
	uint32_t size);

/**
 * cleanup SA
 * @param sa
 *   Pointer to SA object to de-initialize.
 *
 * Releases the SA's internal state only; the caller-provided buffer
 * remains the caller's to free. Presumably the object must not be used
 * with the rte_ipsec_pkt_* functions afterwards - verify against the
 * implementation.
 */
void
rte_ipsec_sa_fini(struct rte_ipsec_sa *sa);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_IPSEC_SA_H_ */