From: Tejasree Kondoj Date: Thu, 15 Apr 2021 07:22:03 +0000 (+0530) Subject: crypto/octeontx2: support UDP encapsulation X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=0ff065d096407649b6a8eb56537f517fe4fecb7e;p=dpdk.git crypto/octeontx2: support UDP encapsulation Adding UDP encapsulation support for IPsec in lookaside protocol mode. Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst index 8c7df065b3..00226a8c77 100644 --- a/doc/guides/cryptodevs/octeontx2.rst +++ b/doc/guides/cryptodevs/octeontx2.rst @@ -181,6 +181,7 @@ Features supported * Tunnel mode * ESN * Anti-replay +* UDP Encapsulation * AES-128/192/256-GCM * AES-128/192/256-CBC-SHA1-HMAC * AES-128/192/256-CBC-SHA256-128-HMAC diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst index 96eaa64a26..9d68a7066f 100644 --- a/doc/guides/rel_notes/release_21_05.rst +++ b/doc/guides/rel_notes/release_21_05.rst @@ -163,6 +163,8 @@ New Features * **Updated the OCTEON TX2 crypto PMD.** * Added support for DIGEST_ENCRYPTED mode in OCTEON TX2 crypto PMD. + * Added support in lookaside protocol offload mode for IPsec with + UDP encapsulation support for NAT Traversal. * **Updated Mellanox RegEx PMD.** diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c index 342f089df8..210c53aa0a 100644 --- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c +++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c @@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, struct rte_security_session *sec_sess) { struct rte_crypto_sym_xform *auth_xform, *cipher_xform; + struct otx2_ipsec_po_ip_template *template; const uint8_t *cipher_key, *auth_key; struct otx2_sec_session_ipsec_lp *lp; struct otx2_ipsec_po_sa_ctl *ctl; @@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { - if (ipsec->options.udp_encap) { - sa->aes_gcm.template.ip4.udp_src = 4500; - sa->aes_gcm.template.ip4.udp_dst = 4500; - } - ip = &sa->aes_gcm.template.ip4.ipv4_hdr; + template = &sa->aes_gcm.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, aes_gcm.template) + sizeof( sa->aes_gcm.template.ip4); @@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA1) { - if (ipsec->options.udp_encap) { - sa->sha1.template.ip4.udp_src = 4500; - sa->sha1.template.ip4.udp_dst = 4500; - } - ip = &sa->sha1.template.ip4.ipv4_hdr; + template = &sa->sha1.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha1.template) + sizeof( sa->sha1.template.ip4); @@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { - if (ipsec->options.udp_encap) { - sa->sha2.template.ip4.udp_src = 4500; - sa->sha2.template.ip4.udp_dst = 4500; - } - ip = &sa->sha2.template.ip4.ipv4_hdr; + template = &sa->sha2.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha2.template) + sizeof( sa->sha2.template.ip4); @@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, } else { return -EINVAL; } + ip = &template->ip4.ipv4_hdr; + if (ipsec->options.udp_encap) { + ip->next_proto_id = IPPROTO_UDP; + template->ip4.udp_src = rte_be_to_cpu_16(4500); + template->ip4.udp_dst = rte_be_to_cpu_16(4500); + } else { + ip->next_proto_id = IPPROTO_ESP; + } ip->version_ihl = RTE_IPV4_VHL_DEF; - ip->next_proto_id = IPPROTO_ESP; ip->time_to_live = ipsec->tunnel.ipv4.ttl; ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); if (ipsec->tunnel.ipv4.df) @@ -299,11 +295,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, RTE_SECURITY_IPSEC_TUNNEL_IPV6) { if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) { - if (ipsec->options.udp_encap) { - sa->aes_gcm.template.ip6.udp_src = 4500; - sa->aes_gcm.template.ip6.udp_dst = 4500; - } - ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr; + template = &sa->aes_gcm.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, aes_gcm.template) + sizeof( sa->aes_gcm.template.ip6); @@ -311,11 +303,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA1) { - if (ipsec->options.udp_encap) { - sa->sha1.template.ip6.udp_src = 4500; - sa->sha1.template.ip6.udp_dst = 4500; - } - ip6 = &sa->sha1.template.ip6.ipv6_hdr; + template = &sa->sha1.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha1.template) + sizeof( sa->sha1.template.ip6); @@ -323,11 +311,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, lp->ctx_len = ctx_len >> 3; } else if (ctl->auth_type == OTX2_IPSEC_PO_SA_AUTH_SHA2_256) { - if (ipsec->options.udp_encap) { - sa->sha2.template.ip6.udp_src = 4500; - sa->sha2.template.ip6.udp_dst = 4500; - } - ip6 = &sa->sha2.template.ip6.ipv6_hdr; + template = &sa->sha2.template; ctx_len = offsetof(struct otx2_ipsec_po_out_sa, sha2.template) + sizeof( sa->sha2.template.ip6); @@ -337,6 +321,16 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, return -EINVAL; } + ip6 = &template->ip6.ipv6_hdr; + if (ipsec->options.udp_encap) { + ip6->proto = IPPROTO_UDP; + template->ip6.udp_src = rte_be_to_cpu_16(4500); + template->ip6.udp_dst = rte_be_to_cpu_16(4500); + } else { + ip6->proto = (ipsec->proto == + RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? + IPPROTO_ESP : IPPROTO_AH; + } ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 | ((ipsec->tunnel.ipv6.dscp << RTE_IPV6_HDR_TC_SHIFT) & @@ -345,9 +339,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev, RTE_IPV6_HDR_FL_SHIFT) & RTE_IPV6_HDR_FL_MASK)); ip6->hop_limits = ipsec->tunnel.ipv6.hlimit; - ip6->proto = (ipsec->proto == - RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? - IPPROTO_ESP : IPPROTO_AH; memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr, sizeof(struct in6_addr)); memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,