{
struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
- if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
- lp->partial_len = sizeof(struct rte_ipv4_hdr);
- else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
- lp->partial_len = sizeof(struct rte_ipv6_hdr);
- else
- return -EINVAL;
+ lp->partial_len = 0;
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+ if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+ lp->partial_len = sizeof(struct rte_ipv4_hdr);
+ else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
+ lp->partial_len = sizeof(struct rte_ipv6_hdr);
+ else
+ return -EINVAL;
+ }
if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
lp->partial_len += sizeof(struct rte_esp_hdr);
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ struct otx2_ipsec_po_ip_template *template = NULL;
const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
memset(sa, 0, sizeof(struct otx2_ipsec_po_out_sa));
/* Initialize lookaside ipsec private data */
+ lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
lp->ip_id = 0;
lp->seq_lo = 1;
lp->seq_hi = 0;
- lp->tunnel_type = ipsec->tunnel.type;
ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
if (ret)
if (ret)
return ret;
- if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
- /* Start ip id from 1 */
- lp->ip_id = 1;
+ /* Start ip id from 1 */
+ lp->ip_id = 1;
+
+ if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
+ template = &sa->aes_gcm.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ aes_gcm.template) + sizeof(
+ sa->aes_gcm.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA1) {
+ template = &sa->sha1.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha1.template) + sizeof(
+ sa->sha1.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else if (ctl->auth_type ==
+ OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
+ template = &sa->sha2.template;
+ ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
+ sha2.template) + sizeof(
+ sa->sha2.template.ip4);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
+ lp->ctx_len = ctx_len >> 3;
+ } else {
+ return -EINVAL;
+ }
+ ip = &template->ip4.ipv4_hdr;
+ if (ipsec->options.udp_encap) {
+ ip->next_proto_id = IPPROTO_UDP;
+ template->ip4.udp_src = rte_be_to_cpu_16(4500);
+ template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip->next_proto_id = IPPROTO_ESP;
+ }
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-
- if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- if (ipsec->options.udp_encap) {
- sa->aes_gcm.template.ip4.udp_src = 4500;
- sa->aes_gcm.template.ip4.udp_dst = 4500;
- }
- ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- aes_gcm.template) + sizeof(
- sa->aes_gcm.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else if (ctl->auth_type ==
- OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- if (ipsec->options.udp_encap) {
- sa->sha1.template.ip4.udp_src = 4500;
- sa->sha1.template.ip4.udp_dst = 4500;
- }
- ip = &sa->sha1.template.ip4.ipv4_hdr;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- sha1.template) + sizeof(
- sa->sha1.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else if (ctl->auth_type ==
- OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- if (ipsec->options.udp_encap) {
- sa->sha2.template.ip4.udp_src = 4500;
- sa->sha2.template.ip4.udp_dst = 4500;
- }
- ip = &sa->sha2.template.ip4.ipv4_hdr;
- ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
- sha2.template) + sizeof(
- sa->sha2.template.ip4);
- ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
- lp->ctx_len = ctx_len >> 3;
- } else {
- return -EINVAL;
- }
+ lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV4;
ip->version_ihl = RTE_IPV4_VHL_DEF;
- ip->next_proto_id = IPPROTO_ESP;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
if (ipsec->tunnel.ipv4.df)
} else if (ipsec->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
+ lp->mode_type = OTX2_IPSEC_PO_TUNNEL_IPV6;
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- if (ipsec->options.udp_encap) {
- sa->aes_gcm.template.ip6.udp_src = 4500;
- sa->aes_gcm.template.ip6.udp_dst = 4500;
- }
- ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
+ template = &sa->aes_gcm.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
sa->aes_gcm.template.ip6);
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- if (ipsec->options.udp_encap) {
- sa->sha1.template.ip6.udp_src = 4500;
- sa->sha1.template.ip6.udp_dst = 4500;
- }
- ip6 = &sa->sha1.template.ip6.ipv6_hdr;
+ template = &sa->sha1.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
sa->sha1.template.ip6);
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- if (ipsec->options.udp_encap) {
- sa->sha2.template.ip6.udp_src = 4500;
- sa->sha2.template.ip6.udp_dst = 4500;
- }
- ip6 = &sa->sha2.template.ip6.ipv6_hdr;
+ template = &sa->sha2.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
sa->sha2.template.ip6);
return -EINVAL;
}
+ ip6 = &template->ip6.ipv6_hdr;
+ if (ipsec->options.udp_encap) {
+ ip6->proto = IPPROTO_UDP;
+ template->ip6.udp_src = rte_be_to_cpu_16(4500);
+ template->ip6.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip6->proto = (ipsec->proto ==
+ RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+ IPPROTO_ESP : IPPROTO_AH;
+ }
ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
((ipsec->tunnel.ipv6.dscp <<
RTE_IPV6_HDR_TC_SHIFT) &
RTE_IPV6_HDR_FL_SHIFT) &
RTE_IPV6_HDR_FL_MASK));
ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
- ip6->proto = (ipsec->proto ==
- RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
- IPPROTO_ESP : IPPROTO_AH;
memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
sizeof(struct in6_addr));
memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
sizeof(struct in6_addr));
- } else {
- return -EINVAL;
}
- } else {
- return -EINVAL;
}
cipher_xform = crypto_xform;
if (ret)
return ret;
- lp->tunnel_type = ipsec->tunnel.type;
+ lp->mode_type = OTX2_IPSEC_PO_TRANSPORT;
+
auth_xform = crypto_xform;
cipher_xform = crypto_xform->next;
cipher_key_len = 0;
auth_key_len = 0;
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ lp->mode_type = (ipsec->tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) ?
+ OTX2_IPSEC_PO_TUNNEL_IPV4 :
+ OTX2_IPSEC_PO_TUNNEL_IPV6;
+
if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
memcpy(sa->iv.gcm.nonce, &ipsec->salt, 4);
sess_mp = rte_mempool_from_obj(priv);
+ memset(priv, 0, sizeof(*priv));
+
set_sec_session_private_data(sess, NULL);
rte_mempool_put(sess_mp, priv);
git.droids-corp.org / dpdk.git / blobdiff