-/*-
- * BSD LICENSE
- *
- * Copyright 2017 NXP.
- * Copyright(c) 2017 Intel Corporation. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- * * Neither the name of NXP nor the names of its
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright 2017 NXP.
+ * Copyright(c) 2017 Intel Corporation.
*/
#ifndef _RTE_SECURITY_H_
#include <netinet/ip.h>
#include <netinet/ip6.h>
+#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_mbuf.h>
/**< IPsec SA Mode - transport/tunnel */
struct rte_security_ipsec_tunnel_param tunnel;
/**< Tunnel parameters, NULL for transport mode */
+ uint64_t esn_soft_limit;
+ /**< ESN for which the overflow event need to be raised */
};
/**
* - On success, pointer to session
* - On failure, NULL
*/
-struct rte_security_session *
+struct rte_security_session * __rte_experimental
rte_security_session_create(struct rte_security_ctx *instance,
struct rte_security_session_conf *conf,
struct rte_mempool *mp);
* - On success returns 0
* - On failure return errno
*/
-int
+int __rte_experimental
rte_security_session_update(struct rte_security_ctx *instance,
struct rte_security_session *sess,
struct rte_security_session_conf *conf);
+/**
+ * Get the size of the security session data for a device.
+ *
+ * @param instance security instance.
+ *
+ * @return
+ * - Size of the private data, if successful
+ * - 0 if device is invalid or does not support the operation.
+ */
+unsigned int __rte_experimental
+rte_security_session_get_size(struct rte_security_ctx *instance);
+
/**
* Free security session header and the session private data and
* return it to its original mempool.
* - -EINVAL if session is NULL.
* - -EBUSY if not all device private data has been freed.
*/
-int
+int __rte_experimental
rte_security_session_destroy(struct rte_security_ctx *instance,
struct rte_security_session *sess);
* - On success, zero.
* - On failure, a negative value.
*/
-int
+int __rte_experimental
rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
struct rte_security_session *sess,
struct rte_mbuf *mb, void *params);
/**
- * Get userdata associated with the security session which processed the
- * packet. This userdata would be registered while creating the session, and
- * application can use this to identify the SA etc. Device-specific metadata
- * in the mbuf would be used for this.
+ * Get userdata associated with the security session. Device specific metadata
+ * provided would be used to uniquely identify the security session being
+ * referred to. This userdata would be registered while creating the session,
+ * and application can use this to identify the SA etc.
*
- * This is valid only for inline processed ingress packets.
+ * Device specific metadata would be set in mbuf for inline processed inbound
+ * packets. In addition, the same metadata would be set for IPsec events
+ * reported by rte_eth_event framework.
*
* @param instance security instance
- * @param md device-specific metadata set in mbuf
+ * @param md device-specific metadata
*
* @return
* - On success, userdata
* - On failure, NULL
*/
-void *
+void * __rte_experimental
rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md);
/**
* @param sym_op crypto operation
* @param sess security session
*/
-static inline int
+static inline int __rte_experimental
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
struct rte_security_session *sess)
{
return 0;
}
-static inline void *
+static inline void * __rte_experimental
get_sec_session_private_data(const struct rte_security_session *sess)
{
return sess->sess_private_data;
}
-static inline void
+static inline void __rte_experimental
set_sec_session_private_data(struct rte_security_session *sess,
void *private_data)
{
* @param op crypto operation
* @param sess security session
*/
-static inline int
+static inline int __rte_experimental
rte_security_attach_session(struct rte_crypto_op *op,
struct rte_security_session *sess)
{
* - On success return 0
* - On failure errno
*/
-int
+int __rte_experimental
rte_security_session_stats_get(struct rte_security_ctx *instance,
struct rte_security_session *sess,
struct rte_security_stats *stats);
* - Returns array of security capabilities.
* - Return NULL if no capabilities available.
*/
-const struct rte_security_capability *
+const struct rte_security_capability * __rte_experimental
rte_security_capabilities_get(struct rte_security_ctx *instance);
/**
* index criteria.
* - Return NULL if the capability not matched on security instance.
*/
-const struct rte_security_capability *
+const struct rte_security_capability * __rte_experimental
rte_security_capability_get(struct rte_security_ctx *instance,
struct rte_security_capability_idx *idx);