1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2018-2020 Intel Corporation
15 * All functions in this file may be changed or removed without prior notice.
17 * librte_ipsec provides a framework for data-path IPsec protocol
18 * processing (ESP/AH).
21 #include <rte_ipsec_sa.h>
28 struct rte_ipsec_session;
31 * IPsec session specific functions that will be used to:
32 * - prepare - for input mbufs and given IPsec session prepare crypto ops
33 * that can be enqueued into the cryptodev associated with given session
34 * (see *rte_ipsec_pkt_crypto_prepare* below for more details).
35 * - process - finalize processing of packets after crypto-dev finished
36 * with them or process packets that are subjects to inline IPsec offload
37 * (see rte_ipsec_pkt_process for more details).
39 struct rte_ipsec_sa_pkt_func {
41 uint16_t (*async)(const struct rte_ipsec_session *ss,
42 struct rte_mbuf *mb[],
43 struct rte_crypto_op *cop[],
45 uint16_t (*sync)(const struct rte_ipsec_session *ss,
46 struct rte_mbuf *mb[],
49 uint16_t (*process)(const struct rte_ipsec_session *ss,
50 struct rte_mbuf *mb[],
55 * rte_ipsec_session is an aggregate structure that defines particular
56 * IPsec Security Association IPsec (SA) on given security/crypto device:
57 * - pointer to the SA object
58 * - security session action type
59 * - pointer to security/crypto session, plus other related data
60 * - session/device specific functions to prepare/process IPsec packets.
62 struct rte_ipsec_session {
64 * SA that session belongs to.
65 * Note that multiple sessions can belong to the same SA.
67 struct rte_ipsec_sa *sa;
68 /** session action type */
69 enum rte_security_session_action_type type;
70 /** session and related data */
73 struct rte_cryptodev_sym_session *ses;
77 struct rte_security_session *ses;
78 struct rte_security_ctx *ctx;
82 /** functions to prepare/process IPsec packets */
83 struct rte_ipsec_sa_pkt_func pkt_func;
84 } __rte_cache_aligned;
87 * Checks that inside given rte_ipsec_session crypto/security fields
88 * are filled correctly and setups function pointers based on these values.
89 * Expects that all fields except IPsec processing function pointers
90 * (*pkt_func*) will be filled correctly by caller.
92 * Pointer to the *rte_ipsec_session* object
94 * - Zero if operation completed successfully.
95 * - -EINVAL if the parameters are invalid.
99 rte_ipsec_session_prepare(struct rte_ipsec_session *ss);
102 * For input mbufs and given IPsec session prepare crypto ops that can be
103 * enqueued into the cryptodev associated with given session.
104 * expects that for each input packet:
105 * - l2_len, l3_len are setup correctly
106 * Note that erroneous mbufs are not freed by the function,
107 * but are placed beyond last valid mbuf in the *mb* array.
108 * It is a user responsibility to handle them further.
110 * Pointer to the *rte_ipsec_session* object the packets belong to.
112 * The address of an array of *num* pointers to *rte_mbuf* structures
113 * which contain the input packets.
115 * The address of an array of *num* pointers to the output *rte_crypto_op*
118 * The maximum number of packets to process.
120 * Number of successfully processed packets, with error code set in rte_errno.
123 static inline uint16_t
124 rte_ipsec_pkt_crypto_prepare(const struct rte_ipsec_session *ss,
125 struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
127 return ss->pkt_func.prepare.async(ss, mb, cop, num);
131 static inline uint16_t
132 rte_ipsec_pkt_cpu_prepare(const struct rte_ipsec_session *ss,
133 struct rte_mbuf *mb[], uint16_t num)
135 return ss->pkt_func.prepare.sync(ss, mb, num);
139 * Finalise processing of packets after crypto-dev finished with them or
140 * process packets that are subjects to inline IPsec offload.
141 * Expects that for each input packet:
142 * - l2_len, l3_len are setup correctly
143 * Output mbufs will be:
144 * inbound - decrypted & authenticated, ESP(AH) related headers removed,
145 * *l2_len* and *l3_len* fields are updated.
146 * outbound - appropriate mbuf fields (ol_flags, tx_offloads, etc.)
147 * properly setup, if necessary - IP headers updated, ESP(AH) fields added,
148 * Note that erroneous mbufs are not freed by the function,
149 * but are placed beyond last valid mbuf in the *mb* array.
150 * It is a user responsibility to handle them further.
152 * Pointer to the *rte_ipsec_session* object the packets belong to.
154 * The address of an array of *num* pointers to *rte_mbuf* structures
155 * which contain the input packets.
157 * The maximum number of packets to process.
159 * Number of successfully processed packets, with error code set in rte_errno.
162 static inline uint16_t
163 rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
166 return ss->pkt_func.process(ss, mb, num);
169 #include <rte_ipsec_group.h>
175 #endif /* _RTE_IPSEC_H_ */