1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2018-2020 Intel Corporation
12 #include "ipsec_sqn.h"
16 #define MBUF_MAX_L2_LEN RTE_LEN2MASK(RTE_MBUF_L2_LEN_BITS, uint64_t)
17 #define MBUF_MAX_L3_LEN RTE_LEN2MASK(RTE_MBUF_L3_LEN_BITS, uint64_t)
19 /* some helper structures */
21 struct rte_crypto_auth_xform *auth;
22 struct rte_crypto_cipher_xform *cipher;
23 struct rte_crypto_aead_xform *aead;
27 * helper routine, fills internal crypto_xform structure.
30 fill_crypto_xform(struct crypto_xform *xform, uint64_t type,
31 const struct rte_ipsec_sa_prm *prm)
33 struct rte_crypto_sym_xform *xf, *xfn;
35 memset(xform, 0, sizeof(*xform));
37 xf = prm->crypto_xform;
43 /* for AEAD just one xform required */
44 if (xf->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
47 xform->aead = &xf->aead;
49 /* GMAC has only auth */
50 } else if (xf->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
51 xf->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
54 xform->auth = &xf->auth;
55 xform->cipher = &xfn->cipher;
58 * CIPHER+AUTH xforms are expected in strict order,
59 * depending on SA direction:
60 * inbound: AUTH+CIPHER
61 * outbound: CIPHER+AUTH
63 } else if ((type & RTE_IPSEC_SATP_DIR_MASK) == RTE_IPSEC_SATP_DIR_IB) {
65 /* wrong order or no cipher */
66 if (xfn == NULL || xf->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
67 xfn->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
70 xform->auth = &xf->auth;
71 xform->cipher = &xfn->cipher;
75 /* wrong order or no auth */
76 if (xfn == NULL || xf->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
77 xfn->type != RTE_CRYPTO_SYM_XFORM_AUTH)
80 xform->cipher = &xf->cipher;
81 xform->auth = &xfn->auth;
88 rte_ipsec_sa_type(const struct rte_ipsec_sa *sa)
94 * Based on number of buckets calculated required size for the
95 * structure that holds replay window and sequence number (RSN) information.
98 rsn_size(uint32_t nb_bucket)
101 struct replay_sqn *rsn;
103 sz = sizeof(*rsn) + nb_bucket * sizeof(rsn->window[0]);
104 sz = RTE_ALIGN_CEIL(sz, RTE_CACHE_LINE_SIZE);
109 * for given size, calculate required number of buckets.
112 replay_num_bucket(uint32_t wsz)
116 nb = rte_align32pow2(RTE_ALIGN_MUL_CEIL(wsz, WINDOW_BUCKET_SIZE) /
118 nb = RTE_MAX(nb, (uint32_t)WINDOW_BUCKET_MIN);
124 ipsec_sa_size(uint64_t type, uint32_t *wnd_sz, uint32_t *nb_bucket)
131 if ((type & RTE_IPSEC_SATP_DIR_MASK) == RTE_IPSEC_SATP_DIR_IB) {
134 * RFC 4303 recommends 64 as minimum window size.
135 * there is no point to use ESN mode without SQN window,
136 * so make sure we have at least 64 window when ESN is enabled.
138 wsz = ((type & RTE_IPSEC_SATP_ESN_MASK) ==
139 RTE_IPSEC_SATP_ESN_DISABLE) ?
140 wsz : RTE_MAX(wsz, (uint32_t)WINDOW_BUCKET_SIZE);
142 n = replay_num_bucket(wsz);
145 if (n > WINDOW_BUCKET_MAX)
152 if ((type & RTE_IPSEC_SATP_SQN_MASK) == RTE_IPSEC_SATP_SQN_ATOM)
153 sz *= REPLAY_SQN_NUM;
155 sz += sizeof(struct rte_ipsec_sa);
160 rte_ipsec_sa_fini(struct rte_ipsec_sa *sa)
162 memset(sa, 0, sa->size);
166 * Determine expected SA type based on input parameters.
169 fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)
175 if (prm->ipsec_xform.proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
176 tp |= RTE_IPSEC_SATP_PROTO_AH;
177 else if (prm->ipsec_xform.proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
178 tp |= RTE_IPSEC_SATP_PROTO_ESP;
182 if (prm->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
183 tp |= RTE_IPSEC_SATP_DIR_OB;
184 else if (prm->ipsec_xform.direction ==
185 RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
186 tp |= RTE_IPSEC_SATP_DIR_IB;
190 if (prm->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
191 if (prm->ipsec_xform.tunnel.type ==
192 RTE_SECURITY_IPSEC_TUNNEL_IPV4)
193 tp |= RTE_IPSEC_SATP_MODE_TUNLV4;
194 else if (prm->ipsec_xform.tunnel.type ==
195 RTE_SECURITY_IPSEC_TUNNEL_IPV6)
196 tp |= RTE_IPSEC_SATP_MODE_TUNLV6;
200 if (prm->tun.next_proto == IPPROTO_IPIP)
201 tp |= RTE_IPSEC_SATP_IPV4;
202 else if (prm->tun.next_proto == IPPROTO_IPV6)
203 tp |= RTE_IPSEC_SATP_IPV6;
206 } else if (prm->ipsec_xform.mode ==
207 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
208 tp |= RTE_IPSEC_SATP_MODE_TRANS;
209 if (prm->trs.proto == IPPROTO_IPIP)
210 tp |= RTE_IPSEC_SATP_IPV4;
211 else if (prm->trs.proto == IPPROTO_IPV6)
212 tp |= RTE_IPSEC_SATP_IPV6;
218 /* check for UDP encapsulation flag */
219 if (prm->ipsec_xform.options.udp_encap == 1)
220 tp |= RTE_IPSEC_SATP_NATT_ENABLE;
222 /* check for ESN flag */
223 if (prm->ipsec_xform.options.esn == 0)
224 tp |= RTE_IPSEC_SATP_ESN_DISABLE;
226 tp |= RTE_IPSEC_SATP_ESN_ENABLE;
228 /* check for ECN flag */
229 if (prm->ipsec_xform.options.ecn == 0)
230 tp |= RTE_IPSEC_SATP_ECN_DISABLE;
232 tp |= RTE_IPSEC_SATP_ECN_ENABLE;
234 /* check for DSCP flag */
235 if (prm->ipsec_xform.options.copy_dscp == 0)
236 tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
238 tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
240 /* interpret flags */
241 if (prm->flags & RTE_IPSEC_SAFLAG_SQN_ATOM)
242 tp |= RTE_IPSEC_SATP_SQN_ATOM;
244 tp |= RTE_IPSEC_SATP_SQN_RAW;
251 * Init ESP inbound specific things.
254 esp_inb_init(struct rte_ipsec_sa *sa)
256 /* these params may differ with new algorithms support */
257 sa->ctp.cipher.offset = sizeof(struct rte_esp_hdr) + sa->iv_len;
258 sa->ctp.cipher.length = sa->icv_len + sa->ctp.cipher.offset;
261 * for AEAD algorithms we can assume that
262 * auth and cipher offsets would be equal.
264 switch (sa->algo_type) {
265 case ALGO_TYPE_AES_GCM:
266 case ALGO_TYPE_AES_CCM:
267 case ALGO_TYPE_CHACHA20_POLY1305:
268 sa->ctp.auth.raw = sa->ctp.cipher.raw;
271 sa->ctp.auth.offset = 0;
272 sa->ctp.auth.length = sa->icv_len - sa->sqh_len;
273 sa->cofs.ofs.cipher.tail = sa->sqh_len;
277 sa->cofs.ofs.cipher.head = sa->ctp.cipher.offset - sa->ctp.auth.offset;
281 * Init ESP inbound tunnel specific things.
284 esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
286 sa->proto = prm->tun.next_proto;
291 * Init ESP outbound specific things.
294 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen, uint64_t sqn)
298 sa->sqn.outb = sqn > 1 ? sqn : 1;
300 algo_type = sa->algo_type;
303 * Setup auth and cipher length and offset.
304 * these params may differ with new algorithms support
308 case ALGO_TYPE_AES_GCM:
309 case ALGO_TYPE_AES_CCM:
310 case ALGO_TYPE_CHACHA20_POLY1305:
311 case ALGO_TYPE_AES_CTR:
313 sa->ctp.cipher.offset = hlen + sizeof(struct rte_esp_hdr) +
315 sa->ctp.cipher.length = 0;
317 case ALGO_TYPE_AES_CBC:
318 case ALGO_TYPE_3DES_CBC:
319 sa->ctp.cipher.offset = hlen + sizeof(struct rte_esp_hdr);
320 sa->ctp.cipher.length = sa->iv_len;
322 case ALGO_TYPE_AES_GMAC:
323 sa->ctp.cipher.offset = 0;
324 sa->ctp.cipher.length = 0;
329 * for AEAD algorithms we can assume that
330 * auth and cipher offsets would be equal.
333 case ALGO_TYPE_AES_GCM:
334 case ALGO_TYPE_AES_CCM:
335 case ALGO_TYPE_CHACHA20_POLY1305:
336 sa->ctp.auth.raw = sa->ctp.cipher.raw;
339 sa->ctp.auth.offset = hlen;
340 sa->ctp.auth.length = sizeof(struct rte_esp_hdr) +
341 sa->iv_len + sa->sqh_len;
345 sa->cofs.ofs.cipher.head = sa->ctp.cipher.offset - sa->ctp.auth.offset;
346 sa->cofs.ofs.cipher.tail = (sa->ctp.auth.offset + sa->ctp.auth.length) -
347 (sa->ctp.cipher.offset + sa->ctp.cipher.length);
351 * Init ESP outbound tunnel specific things.
354 esp_outb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
356 sa->proto = prm->tun.next_proto;
357 sa->hdr_len = prm->tun.hdr_len;
358 sa->hdr_l3_off = prm->tun.hdr_l3_off;
360 memcpy(sa->hdr, prm->tun.hdr, prm->tun.hdr_len);
362 /* insert UDP header if UDP encapsulation is enabled */
363 if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE) {
364 struct rte_udp_hdr *udph = (struct rte_udp_hdr *)
365 &sa->hdr[prm->tun.hdr_len];
366 sa->hdr_len += sizeof(struct rte_udp_hdr);
367 udph->src_port = rte_cpu_to_be_16(prm->ipsec_xform.udp.sport);
368 udph->dst_port = rte_cpu_to_be_16(prm->ipsec_xform.udp.dport);
369 udph->dgram_cksum = 0;
372 /* update l2_len and l3_len fields for outbound mbuf */
373 sa->tx_offload.val = rte_mbuf_tx_offload(sa->hdr_l3_off,
374 sa->hdr_len - sa->hdr_l3_off, 0, 0, 0, 0, 0);
376 esp_outb_init(sa, sa->hdr_len, prm->ipsec_xform.esn.value);
380 * helper function, init SA structure.
383 esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
384 const struct crypto_xform *cxf)
386 static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
387 RTE_IPSEC_SATP_MODE_MASK |
388 RTE_IPSEC_SATP_NATT_MASK;
390 if (prm->ipsec_xform.options.ecn)
391 sa->tos_mask |= RTE_IPV4_HDR_ECN_MASK;
393 if (prm->ipsec_xform.options.copy_dscp)
394 sa->tos_mask |= RTE_IPV4_HDR_DSCP_MASK;
396 if (cxf->aead != NULL) {
397 switch (cxf->aead->algo) {
398 case RTE_CRYPTO_AEAD_AES_GCM:
400 sa->aad_len = sizeof(struct aead_gcm_aad);
401 sa->icv_len = cxf->aead->digest_length;
402 sa->iv_ofs = cxf->aead->iv.offset;
403 sa->iv_len = sizeof(uint64_t);
404 sa->pad_align = IPSEC_PAD_AES_GCM;
405 sa->algo_type = ALGO_TYPE_AES_GCM;
407 case RTE_CRYPTO_AEAD_AES_CCM:
409 sa->aad_len = sizeof(struct aead_ccm_aad);
410 sa->icv_len = cxf->aead->digest_length;
411 sa->iv_ofs = cxf->aead->iv.offset;
412 sa->iv_len = sizeof(uint64_t);
413 sa->pad_align = IPSEC_PAD_AES_CCM;
414 sa->algo_type = ALGO_TYPE_AES_CCM;
416 case RTE_CRYPTO_AEAD_CHACHA20_POLY1305:
418 sa->aad_len = sizeof(struct aead_chacha20_poly1305_aad);
419 sa->icv_len = cxf->aead->digest_length;
420 sa->iv_ofs = cxf->aead->iv.offset;
421 sa->iv_len = sizeof(uint64_t);
422 sa->pad_align = IPSEC_PAD_CHACHA20_POLY1305;
423 sa->algo_type = ALGO_TYPE_CHACHA20_POLY1305;
428 } else if (cxf->auth->algo == RTE_CRYPTO_AUTH_AES_GMAC) {
430 /* AES-GMAC is a special case of auth that needs IV */
431 sa->pad_align = IPSEC_PAD_AES_GMAC;
432 sa->iv_len = sizeof(uint64_t);
433 sa->icv_len = cxf->auth->digest_length;
434 sa->iv_ofs = cxf->auth->iv.offset;
435 sa->algo_type = ALGO_TYPE_AES_GMAC;
438 sa->icv_len = cxf->auth->digest_length;
439 sa->iv_ofs = cxf->cipher->iv.offset;
441 switch (cxf->cipher->algo) {
442 case RTE_CRYPTO_CIPHER_NULL:
443 sa->pad_align = IPSEC_PAD_NULL;
445 sa->algo_type = ALGO_TYPE_NULL;
448 case RTE_CRYPTO_CIPHER_AES_CBC:
449 sa->pad_align = IPSEC_PAD_AES_CBC;
450 sa->iv_len = IPSEC_MAX_IV_SIZE;
451 sa->algo_type = ALGO_TYPE_AES_CBC;
454 case RTE_CRYPTO_CIPHER_AES_CTR:
456 sa->pad_align = IPSEC_PAD_AES_CTR;
457 sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
458 sa->algo_type = ALGO_TYPE_AES_CTR;
461 case RTE_CRYPTO_CIPHER_3DES_CBC:
463 sa->pad_align = IPSEC_PAD_3DES_CBC;
464 sa->iv_len = IPSEC_3DES_IV_SIZE;
465 sa->algo_type = ALGO_TYPE_3DES_CBC;
473 sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
474 sa->udata = prm->userdata;
475 sa->spi = rte_cpu_to_be_32(prm->ipsec_xform.spi);
476 sa->salt = prm->ipsec_xform.salt;
478 /* preserve all values except l2_len and l3_len */
480 ~rte_mbuf_tx_offload(MBUF_MAX_L2_LEN, MBUF_MAX_L3_LEN,
483 switch (sa->type & msk) {
484 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4):
485 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6):
486 esp_inb_tun_init(sa, prm);
488 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS):
491 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4 |
492 RTE_IPSEC_SATP_NATT_ENABLE):
493 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6 |
494 RTE_IPSEC_SATP_NATT_ENABLE):
495 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4):
496 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):
497 esp_outb_tun_init(sa, prm);
499 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS |
500 RTE_IPSEC_SATP_NATT_ENABLE):
501 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):
502 esp_outb_init(sa, 0, prm->ipsec_xform.esn.value);
510 * helper function, init SA replay structure.
513 fill_sa_replay(struct rte_ipsec_sa *sa, uint32_t wnd_sz, uint32_t nb_bucket,
516 sa->replay.win_sz = wnd_sz;
517 sa->replay.nb_bucket = nb_bucket;
518 sa->replay.bucket_index_mask = nb_bucket - 1;
519 sa->sqn.inb.rsn[0] = (struct replay_sqn *)(sa + 1);
520 sa->sqn.inb.rsn[0]->sqn = sqn;
521 if ((sa->type & RTE_IPSEC_SATP_SQN_MASK) == RTE_IPSEC_SATP_SQN_ATOM) {
522 sa->sqn.inb.rsn[1] = (struct replay_sqn *)
523 ((uintptr_t)sa->sqn.inb.rsn[0] + rsn_size(nb_bucket));
524 sa->sqn.inb.rsn[1]->sqn = sqn;
529 rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
538 /* determine SA type */
539 rc = fill_sa_type(prm, &type);
543 /* determine required size */
544 wsz = prm->ipsec_xform.replay_win_sz;
545 return ipsec_sa_size(type, &wsz, &nb);
549 rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
555 struct crypto_xform cxf;
557 if (sa == NULL || prm == NULL)
560 /* determine SA type */
561 rc = fill_sa_type(prm, &type);
565 /* determine required size */
566 wsz = prm->ipsec_xform.replay_win_sz;
567 sz = ipsec_sa_size(type, &wsz, &nb);
570 else if (size < (uint32_t)sz)
573 /* only esp is supported right now */
574 if (prm->ipsec_xform.proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP)
577 if (prm->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
578 uint32_t hlen = prm->tun.hdr_len;
579 if (sa->type & RTE_IPSEC_SATP_NATT_ENABLE)
580 hlen += sizeof(struct rte_udp_hdr);
581 if (hlen > sizeof(sa->hdr))
585 rc = fill_crypto_xform(&cxf, type, prm);
595 /* check for ESN flag */
596 sa->sqn_mask = (prm->ipsec_xform.options.esn == 0) ?
597 UINT32_MAX : UINT64_MAX;
599 rc = esp_sa_init(sa, prm, &cxf);
601 rte_ipsec_sa_fini(sa);
603 /* fill replay window related fields */
605 fill_sa_replay(sa, wsz, nb, prm->ipsec_xform.esn.value);
611 * setup crypto ops for LOOKASIDE_PROTO type of devices.
614 lksd_proto_cop_prepare(const struct rte_ipsec_session *ss,
615 struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
618 struct rte_crypto_sym_op *sop;
620 for (i = 0; i != num; i++) {
622 cop[i]->type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
623 cop[i]->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
624 cop[i]->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
626 __rte_security_attach_session(sop, ss->security.ses);
631 * setup packets and crypto ops for LOOKASIDE_PROTO type of devices.
632 * Note that for LOOKASIDE_PROTO all packet modifications will be
633 * performed by PMD/HW.
634 * SW has only to prepare crypto op.
637 lksd_proto_prepare(const struct rte_ipsec_session *ss,
638 struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
640 lksd_proto_cop_prepare(ss, mb, cop, num);
645 * simplest pkt process routine:
646 * all actual processing is already done by HW/PMD,
647 * just check mbuf ol_flags.
649 * - inbound for RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL
650 * - inbound/outbound for RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
651 * - outbound for RTE_SECURITY_ACTION_TYPE_NONE when ESN is disabled
654 pkt_flag_process(const struct rte_ipsec_session *ss,
655 struct rte_mbuf *mb[], uint16_t num)
657 uint32_t i, k, bytes;
664 for (i = 0; i != num; i++) {
665 if ((mb[i]->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED) == 0) {
667 bytes += mb[i]->pkt_len;
673 ss->sa->statistics.count += k;
674 ss->sa->statistics.bytes += bytes;
676 /* handle unprocessed mbufs */
680 move_bad_mbufs(mb, dr, num, num - k);
687 * Select packet processing function for session on LOOKASIDE_NONE
691 lksd_none_pkt_func_select(const struct rte_ipsec_sa *sa,
692 struct rte_ipsec_sa_pkt_func *pf)
696 static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
697 RTE_IPSEC_SATP_MODE_MASK;
700 switch (sa->type & msk) {
701 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4):
702 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6):
703 pf->prepare.async = esp_inb_pkt_prepare;
704 pf->process = esp_inb_tun_pkt_process;
706 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS):
707 pf->prepare.async = esp_inb_pkt_prepare;
708 pf->process = esp_inb_trs_pkt_process;
710 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4):
711 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):
712 pf->prepare.async = esp_outb_tun_prepare;
713 pf->process = (sa->sqh_len != 0) ?
714 esp_outb_sqh_process : pkt_flag_process;
716 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):
717 pf->prepare.async = esp_outb_trs_prepare;
718 pf->process = (sa->sqh_len != 0) ?
719 esp_outb_sqh_process : pkt_flag_process;
729 cpu_crypto_pkt_func_select(const struct rte_ipsec_sa *sa,
730 struct rte_ipsec_sa_pkt_func *pf)
734 static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
735 RTE_IPSEC_SATP_MODE_MASK;
738 switch (sa->type & msk) {
739 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4):
740 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6):
741 pf->prepare.sync = cpu_inb_pkt_prepare;
742 pf->process = esp_inb_tun_pkt_process;
744 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS):
745 pf->prepare.sync = cpu_inb_pkt_prepare;
746 pf->process = esp_inb_trs_pkt_process;
748 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4):
749 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):
750 pf->prepare.sync = cpu_outb_tun_pkt_prepare;
751 pf->process = (sa->sqh_len != 0) ?
752 esp_outb_sqh_process : pkt_flag_process;
754 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):
755 pf->prepare.sync = cpu_outb_trs_pkt_prepare;
756 pf->process = (sa->sqh_len != 0) ?
757 esp_outb_sqh_process : pkt_flag_process;
767 * Select packet processing function for session on INLINE_CRYPTO
771 inline_crypto_pkt_func_select(const struct rte_ipsec_sa *sa,
772 struct rte_ipsec_sa_pkt_func *pf)
776 static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
777 RTE_IPSEC_SATP_MODE_MASK;
780 switch (sa->type & msk) {
781 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4):
782 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6):
783 pf->process = inline_inb_tun_pkt_process;
785 case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS):
786 pf->process = inline_inb_trs_pkt_process;
788 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4):
789 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):
790 pf->process = inline_outb_tun_pkt_process;
792 case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):
793 pf->process = inline_outb_trs_pkt_process;
803 * Select packet processing function for given session based on SA parameters
804 * and type of associated with the session device.
807 ipsec_sa_pkt_func_select(const struct rte_ipsec_session *ss,
808 const struct rte_ipsec_sa *sa, struct rte_ipsec_sa_pkt_func *pf)
813 pf[0] = (struct rte_ipsec_sa_pkt_func) { {NULL}, NULL };
816 case RTE_SECURITY_ACTION_TYPE_NONE:
817 rc = lksd_none_pkt_func_select(sa, pf);
819 case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
820 rc = inline_crypto_pkt_func_select(sa, pf);
822 case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
823 if ((sa->type & RTE_IPSEC_SATP_DIR_MASK) ==
824 RTE_IPSEC_SATP_DIR_IB)
825 pf->process = pkt_flag_process;
827 pf->process = inline_proto_outb_pkt_process;
829 case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
830 pf->prepare.async = lksd_proto_prepare;
831 pf->process = pkt_flag_process;
833 case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
834 rc = cpu_crypto_pkt_func_select(sa, pf);