/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2018-2020 Intel Corporation
 */

/*
 * Internal layout of an IPsec security association (SA) object together
 * with the prototypes of the packet prepare/process routines that work on it.
 *
 * The header only pulls in <rte_rwlock.h>. The remaining types and macros it
 * uses (rte_iova_t, union rte_crypto_sym_ofs, RTE_IPSEC_SATP_*, struct
 * rte_ipsec_session, struct rte_mbuf, struct rte_crypto_op, ...) have to be
 * visible at the point of inclusion.
 */

#ifndef _SA_H_
#define _SA_H_

#include <rte_rwlock.h>

/* capacity, in bytes, of the tunnel header template (rte_ipsec_sa::hdr) */
#define IPSEC_MAX_HDR_SIZE	64
/* largest IV size, in bytes, among the values defined below */
#define IPSEC_MAX_IV_SIZE	16
/* IPSEC_MAX_IV_SIZE expressed as a count of 64-bit words */
#define IPSEC_MAX_IV_QWORD	(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
/* ECN and DSCP bits of the SA type word */
#define TUN_HDR_MSK	(RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)

/*
 * Padding alignment, in bytes, for each supported algorithm.
 * Only 3DES-CBC (8) and AES-CBC (IPSEC_MAX_IV_SIZE) differ from the
 * default of 4.
 */
enum {
	IPSEC_PAD_DEFAULT = 4,
	IPSEC_PAD_3DES_CBC = 8,
	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_AES_CCM = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_CHACHA20_POLY1305 = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
	IPSEC_PAD_AES_GMAC = IPSEC_PAD_DEFAULT,
};

/* IV sizes, in bytes, for the different algorithms */
enum {
	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
	/* TripleDES supports IV size of 32bits or 64bits but the library
	 * only supports 64bits.
	 */
	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
};

/* these definitions probably have to be in rte_crypto_sym.h */

/*
 * Offset/length pair that can also be read or written as one 64-bit
 * value through *raw*.
 */
union sym_op_ofslen {
	uint64_t raw;
	struct {
		uint32_t offset;
		uint32_t length;
	};
};

/*
 * Virtual address / IOVA pair for a data buffer. Where the compiler
 * provides a 128-bit integer type, *raw* overlays both fields.
 */
union sym_op_data {
#ifdef __SIZEOF_INT128__
	__uint128_t raw;
#endif
	struct {
		uint8_t *va;
		rte_iova_t pa;
	};
};

/*
 * Number of replay_sqn copies referenced by an inbound SA (sqn.inb.rsn[]).
 * REPLAY_SQN_NEXT() flips between 0 and 1 with an XOR, so it yields a valid
 * rsn[] index only while REPLAY_SQN_NUM stays at 2; the two definitions have
 * to be changed together.
 */
#define REPLAY_SQN_NUM		2
#define REPLAY_SQN_NEXT(n)	((n) ^ 1)

/*
 * Anti-replay state: a read-write lock, a sequence number and the replay
 * window bitmap.
 * *window* is a zero-length trailing array, so its storage comes from
 * whatever allocates the object and its length is not recorded in this
 * struct.
 * NOTE(review): the window size is presumably described by
 * rte_ipsec_sa::replay (win_sz / nb_bucket) -- confirm against the code that
 * sizes and indexes the window.
 */
struct replay_sqn {
	rte_rwlock_t rwl;
	uint64_t sqn;
	__extension__ uint64_t window[0];
};

/* IPsec SA supported algorithms */
enum sa_algo_type {
	ALGO_TYPE_NULL = 0,
	ALGO_TYPE_3DES_CBC,
	ALGO_TYPE_AES_CBC,
	ALGO_TYPE_AES_CTR,
	ALGO_TYPE_AES_GCM,
	ALGO_TYPE_AES_CCM,
	ALGO_TYPE_CHACHA20_POLY1305,
	ALGO_TYPE_AES_GMAC,
	ALGO_TYPE_MAX
};

/*
 * Per-SA state. The object is cache-line aligned (__rte_cache_aligned).
 *
 * The length fields (hdr_len, iv_len, icv_len, aad_len, ...) are uint8_t and
 * can therefore hold values up to 255, while the buffers they describe are
 * smaller (hdr[] is IPSEC_MAX_HDR_SIZE bytes, the largest IV is
 * IPSEC_MAX_IV_SIZE bytes). Nothing in this header enforces those bounds;
 * the range checks have to be done where the SA is initialised from
 * caller-supplied parameters.
 */
struct rte_ipsec_sa {

	uint64_t type;     /* type of given SA */
	uint64_t udata;    /* user defined */
	uint32_t size;     /* size of given sa object */
	uint32_t spi;
	/* sqn calculations related */
	uint64_t sqn_mask;
	struct {
		uint32_t win_sz;
		uint16_t nb_bucket;
		uint16_t bucket_index_mask;
	} replay;
	/* template for crypto op fields */
	struct {
		union sym_op_ofslen cipher;
		union sym_op_ofslen auth;
	} ctp;
	/* cpu-crypto offsets */
	union rte_crypto_sym_ofs cofs;
	/* tx_offload template for tunnel mbuf */
	struct {
		uint64_t msk;
		uint64_t val;
	} tx_offload;
	uint32_t salt;
	uint8_t algo_type; /* NOTE(review): presumably an enum sa_algo_type value -- confirm */
	uint8_t proto;    /* next proto */
	uint8_t aad_len;
	uint8_t hdr_len;
	uint8_t hdr_l3_off;
	uint8_t icv_len;
	uint8_t sqh_len;
	uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
	uint8_t iv_len;
	uint8_t pad_align;
	uint8_t tos_mask;

	/* template for tunnel header */
	uint8_t hdr[IPSEC_MAX_HDR_SIZE];

	/*
	 * sqn and replay window
	 * In case of SA handled by multiple threads *sqn* cacheline
	 * could be shared by multiple cores.
	 * To minimise performance impact, we try to locate in a separate
	 * place from other frequently accessed data.
	 */
	union {
		/* outbound SA view: a single 64-bit value */
		uint64_t outb;
		/* inbound SA view: two indices plus REPLAY_SQN_NUM replay states */
		struct {
			uint32_t rdidx; /* read index */
			uint32_t wridx; /* write index */
			struct replay_sqn *rsn[REPLAY_SQN_NUM];
		} inb;
	} sqn;
	/* Statistics */
	/*
	 * NOTE(review): the counters are plain uint64_t and no atomic type or
	 * lock is visible for them here; verify how they are updated when one
	 * SA is handled by several threads.
	 */
	struct {
		uint64_t count;
		uint64_t bytes;
		struct {
			uint64_t count;
			uint64_t authentication_failed;
		} errors;
	} statistics;

} __rte_cache_aligned;

/*
 * Fill *pf* for the session/SA pair.
 * NOTE(review): presumably chooses among the prepare/process routines
 * declared below and reports failure through the int result -- confirm
 * against the definition.
 */
int
ipsec_sa_pkt_func_select(const struct rte_ipsec_session *ss,
	const struct rte_ipsec_sa *sa, struct rte_ipsec_sa_pkt_func *pf);

/*
 * All routines below take the session, an array of *num* mbuf pointers and,
 * for the crypto-op based prepare variants, an array of crypto op pointers.
 * NOTE(review): the uint16_t result is presumably the number of packets
 * handled successfully -- confirm against the definitions.
 */

/* inbound processing */

uint16_t
esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num);

uint16_t
esp_inb_tun_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_inb_tun_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
esp_inb_trs_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
cpu_inb_pkt_prepare(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

/* outbound processing */

uint16_t
esp_outb_tun_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num);

uint16_t
esp_outb_trs_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	struct rte_crypto_op *cop[], uint16_t num);

uint16_t
esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
	uint16_t num);

uint16_t
pkt_flag_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_outb_tun_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_outb_trs_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
inline_proto_outb_pkt_process(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

uint16_t
cpu_outb_tun_pkt_prepare(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);
uint16_t
cpu_outb_trs_pkt_prepare(const struct rte_ipsec_session *ss,
	struct rte_mbuf *mb[], uint16_t num);

#endif /* _SA_H_ */