/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2018-2020 Intel Corporation
 */

#ifndef _SA_H_
#define _SA_H_

/*
 * Definitions for the IPsec security association (SA) object: size limits,
 * per-algorithm padding and IV sizes, anti-replay state, the SA layout and
 * the prototypes of the per-packet prepare/process routines.
 *
 * NOTE(review): no include directive is visible in this listing, yet the
 * header uses uint64_t, rte_rwlock_t, rte_iova_t, RTE_ATOMIC and several
 * rte_ipsec / rte_crypto types - confirm which headers must precede it.
 */

/* size of the tunnel header template buffer (rte_ipsec_sa.hdr) */
#define IPSEC_MAX_HDR_SIZE	64
/* largest IV size; also the default IV size and the AES-CBC pad alignment */
#define IPSEC_MAX_IV_SIZE	16
/* IPSEC_MAX_IV_SIZE expressed in 64-bit words */
#define IPSEC_MAX_IV_QWORD	(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
/* OR of the ECN and DSCP masks of the SA type */
#define TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)

/*
 * padding alignment for different algorithms
 * Every algorithm except 3DES-CBC and AES-CBC uses IPSEC_PAD_DEFAULT.
 * Presumably expressed in bytes - confirm against the users of pad_align.
 */
enum {
	IPSEC_PAD_DEFAULT = 4,
	IPSEC_PAD_3DES_CBC = 8,
	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_AES_CCM = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_CHACHA20_POLY1305 = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_AES_GMAC = IPSEC_PAD_DEFAULT,
};

/*
 * iv sizes for different algorithms
 * NOTE(review): counter-mode and AEAD algorithms need an IV that never
 * repeats under the same key; how the IV is produced is not visible in
 * this header - check the outbound prepare code.
 */
enum {
	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
	/* TripleDES supports IV size of 32bits or 64bits but the library
	 * only supports 64bits.
	 */
	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
};

/* these definitions probably have to be in rte_crypto_sym.h */

/*
 * Offset/length pair overlaid with one 64-bit word, so that both fields
 * can be read or written through a single access to raw.
 */
union sym_op_ofslen {
	uint64_t raw;
	struct {
		uint32_t offset;
		uint32_t length;
	};
};

/*
 * Pointer/IOVA pair describing one piece of data.
 * raw (present only when the compiler defines __SIZEOF_INT128__) overlays
 * both members with a single 128-bit value.
 */
union sym_op_data {
#ifdef __SIZEOF_INT128__
	__uint128_t raw;
#endif
	struct {
		uint8_t *va;	/* presumably the virtual address - confirm */
		rte_iova_t pa;	/* presumably the IOVA of the same data - confirm */
	};
};

/* number of replay_sqn slots referenced by an inbound SA (sqn.inb.rsn) */
#define REPLAY_SQN_NUM		2
/* flips the lowest bit of n: 0 -> 1, 1 -> 0 */
#define REPLAY_SQN_NEXT(n)	((n) ^ 1)

/*
 * Anti-replay state: a sequence number plus a window stored in a flexible
 * array member. The element count of window is not stored here;
 * presumably it is rte_ipsec_sa.replay.nb_bucket - confirm at the
 * allocation site.
 */
struct replay_sqn {
	rte_rwlock_t rwl;	/* presumably guards sqn and window - confirm */
	uint64_t sqn;
	uint64_t window[];
};

/*
 * IPSEC SA supported algorithms
 * ALGO_TYPE_MAX is the number of entries, not an algorithm.
 * The SA keeps the chosen value in the uint8_t field algo_type.
 */
enum sa_algo_type {
	ALGO_TYPE_NULL = 0,
	ALGO_TYPE_3DES_CBC,
	ALGO_TYPE_AES_CBC,
	ALGO_TYPE_AES_CTR,
	ALGO_TYPE_AES_GCM,
	ALGO_TYPE_AES_CCM,
	ALGO_TYPE_CHACHA20_POLY1305,
	ALGO_TYPE_AES_GMAC,
	ALGO_TYPE_MAX
};

/*
 * The SA object. Declared cache aligned; the order of the members below is
 * part of the layout (see the comment above the sqn union), so members
 * should not be reordered casually.
 */
struct __rte_cache_aligned rte_ipsec_sa {

	uint64_t type;     /* type of given SA */
	uint64_t udata;    /* user defined */
	uint32_t size;     /* size of given sa object */
	uint32_t spi;      /* SPI of this SA; byte order not visible here */
	/* sqn calculations related */
	/* presumably selects 32-bit SQN versus 64-bit ESN - confirm */
	uint64_t sqn_mask;
	struct {
		/*
		 * replay window size
		 * NOTE(review): presumably 0 means anti-replay is disabled -
		 * verify in the SA initialisation code.
		 */
		uint32_t win_sz;
		uint16_t nb_bucket;
		uint16_t bucket_index_mask;
	} replay;
	/* template for crypto op fields */
	struct {
		union sym_op_ofslen cipher;
		union sym_op_ofslen auth;
	} ctp;
	/* cpu-crypto offsets */
	union rte_crypto_sym_ofs cofs;
	/* tx_offload template for tunnel mbuf */
	struct {
		uint64_t msk;
		uint64_t val;
	} tx_offload;
	uint32_t salt;
	uint8_t algo_type;	/* holds an enum sa_algo_type value */
	uint8_t proto;    /* next proto */
	uint8_t aad_len;
	/*
	 * presumably the number of bytes used in hdr[].
	 * NOTE(review): a uint8_t can hold up to 255 while hdr[] is
	 * IPSEC_MAX_HDR_SIZE bytes; the bound has to be enforced where the
	 * template is filled, it is not enforced by this header.
	 */
	uint8_t hdr_len;
	uint8_t hdr_l3_off;
	uint8_t icv_len;
	uint8_t sqh_len;
	uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
	/* NOTE(review): expected to stay <= IPSEC_MAX_IV_SIZE - confirm */
	uint8_t iv_len;
	uint8_t pad_align;	/* presumably one of the IPSEC_PAD_* values */
	uint8_t tos_mask;

	/* template for tunnel header */
	uint8_t hdr[IPSEC_MAX_HDR_SIZE];

	/*
	 * sqn and replay window
	 * In case of SA handled by multiple threads *sqn* cacheline
	 * could be shared by multiple cores.
	 * To minimise performance impact, we try to locate in a separate
	 * place from other frequently accessed data.
	 */
	union {
		/* outbound SA: a single atomic 64-bit value */
		RTE_ATOMIC(uint64_t) outb;
		/* inbound SA: REPLAY_SQN_NUM replay_sqn slots and two indexes */
		struct {
			uint32_t rdidx; /* read index */
			uint32_t wridx; /* write index */
			struct replay_sqn *rsn[REPLAY_SQN_NUM];
		} inb;
	} sqn;
	/* Statistics */
	struct {
		uint64_t count;
		uint64_t bytes;
		struct {
			uint64_t count;
			/*
			 * presumably counts packets whose integrity check
			 * failed - confirm where it is incremented; a rising
			 * value is worth monitoring.
			 */
			uint64_t authentication_failed;
		} errors;
	} statistics;

};

/*
 * Presumably fills *pf with the packet functions that match the session
 * and SA type - confirm in the implementation. The meaning of the int
 * return value is not visible in this header.
 */
int
ipsec_sa_pkt_func_select(const struct rte_ipsec_session *ss,
	const struct rte_ipsec_sa *sa, struct rte_ipsec_sa_pkt_func *pf);

/*
 * All routines below take the session, an array of mbuf pointers and the
 * number of entries in it (num); the *_prepare variants with a cop[]
 * argument also take an array of crypto ops. Each returns uint16_t,
 * presumably the number of packets handled successfully - confirm in the
 * implementation.
 */

/* inbound processing */

uint16_t
esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num);

uint16_t
esp_inb_tun_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_inb_tun_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
esp_inb_trs_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
cpu_inb_pkt_prepare(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

/* outbound processing */

uint16_t
esp_outb_tun_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num);

/* same arguments as esp_outb_tun_prepare plus a caller supplied state */
uint16_t
esp_outb_tun_prepare_stateless(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num, struct rte_ipsec_state *state);

uint16_t
esp_outb_trs_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num);

uint16_t
esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	uint16_t num);

uint16_t
pkt_flag_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_outb_tun_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_outb_trs_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_proto_outb_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
cpu_outb_tun_pkt_prepare(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);
/* same arguments as cpu_outb_tun_pkt_prepare plus a caller supplied state */
uint16_t
cpu_outb_tun_pkt_prepare_stateless(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num, struct rte_ipsec_state *state);

uint16_t
cpu_outb_trs_pkt_prepare(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

#endif /* _SA_H_ */