f901d9c826
Introduce helper functions to process completed crypto-ops and group related packets by sessions they belong to. Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Declan Doherty <declan.doherty@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
155 lines
5.0 KiB
C
155 lines
5.0 KiB
C
/* SPDX-License-Identifier: BSD-3-Clause
|
|
* Copyright(c) 2018 Intel Corporation
|
|
*/
|
|
|
|
#ifndef _RTE_IPSEC_H_
|
|
#define _RTE_IPSEC_H_
|
|
|
|
/**
|
|
* @file rte_ipsec.h
|
|
* @b EXPERIMENTAL: this API may change without prior notice
|
|
*
|
|
* RTE IPsec support.
|
|
* librte_ipsec provides a framework for data-path IPsec protocol
|
|
* processing (ESP/AH).
|
|
*/
|
|
|
|
#include <rte_ipsec_sa.h>
|
|
#include <rte_mbuf.h>
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
struct rte_ipsec_session;
|
|
|
|
/**
|
|
* IPsec session specific functions that will be used to:
|
|
* - prepare - for input mbufs and given IPsec session prepare crypto ops
|
|
* that can be enqueued into the cryptodev associated with given session
|
|
* (see *rte_ipsec_pkt_crypto_prepare* below for more details).
|
|
* - process - finalize processing of packets after crypto-dev finished
|
|
* with them or process packets that are subjects to inline IPsec offload
|
|
* (see rte_ipsec_pkt_process for more details).
|
|
*/
|
|
struct rte_ipsec_sa_pkt_func {
|
|
uint16_t (*prepare)(const struct rte_ipsec_session *ss,
|
|
struct rte_mbuf *mb[],
|
|
struct rte_crypto_op *cop[],
|
|
uint16_t num);
|
|
uint16_t (*process)(const struct rte_ipsec_session *ss,
|
|
struct rte_mbuf *mb[],
|
|
uint16_t num);
|
|
};
|
|
|
|
/**
|
|
* rte_ipsec_session is an aggregate structure that defines particular
|
|
* IPsec Security Association IPsec (SA) on given security/crypto device:
|
|
* - pointer to the SA object
|
|
* - security session action type
|
|
* - pointer to security/crypto session, plus other related data
|
|
* - session/device specific functions to prepare/process IPsec packets.
|
|
*/
|
|
struct rte_ipsec_session {
|
|
/**
|
|
* SA that session belongs to.
|
|
* Note that multiple sessions can belong to the same SA.
|
|
*/
|
|
struct rte_ipsec_sa *sa;
|
|
/** session action type */
|
|
enum rte_security_session_action_type type;
|
|
/** session and related data */
|
|
union {
|
|
struct {
|
|
struct rte_cryptodev_sym_session *ses;
|
|
} crypto;
|
|
struct {
|
|
struct rte_security_session *ses;
|
|
struct rte_security_ctx *ctx;
|
|
uint32_t ol_flags;
|
|
} security;
|
|
};
|
|
/** functions to prepare/process IPsec packets */
|
|
struct rte_ipsec_sa_pkt_func pkt_func;
|
|
} __rte_cache_aligned;
|
|
|
|
/**
|
|
* Checks that inside given rte_ipsec_session crypto/security fields
|
|
* are filled correctly and setups function pointers based on these values.
|
|
* Expects that all fields except IPsec processing function pointers
|
|
* (*pkt_func*) will be filled correctly by caller.
|
|
* @param ss
|
|
* Pointer to the *rte_ipsec_session* object
|
|
* @return
|
|
* - Zero if operation completed successfully.
|
|
* - -EINVAL if the parameters are invalid.
|
|
*/
|
|
int __rte_experimental
|
|
rte_ipsec_session_prepare(struct rte_ipsec_session *ss);
|
|
|
|
/**
|
|
* For input mbufs and given IPsec session prepare crypto ops that can be
|
|
* enqueued into the cryptodev associated with given session.
|
|
* expects that for each input packet:
|
|
* - l2_len, l3_len are setup correctly
|
|
* Note that erroneous mbufs are not freed by the function,
|
|
* but are placed beyond last valid mbuf in the *mb* array.
|
|
* It is a user responsibility to handle them further.
|
|
* @param ss
|
|
* Pointer to the *rte_ipsec_session* object the packets belong to.
|
|
* @param mb
|
|
* The address of an array of *num* pointers to *rte_mbuf* structures
|
|
* which contain the input packets.
|
|
* @param cop
|
|
* The address of an array of *num* pointers to the output *rte_crypto_op*
|
|
* structures.
|
|
* @param num
|
|
* The maximum number of packets to process.
|
|
* @return
|
|
* Number of successfully processed packets, with error code set in rte_errno.
|
|
*/
|
|
static inline uint16_t __rte_experimental
|
|
rte_ipsec_pkt_crypto_prepare(const struct rte_ipsec_session *ss,
|
|
struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
|
|
{
|
|
return ss->pkt_func.prepare(ss, mb, cop, num);
|
|
}
|
|
|
|
/**
|
|
* Finalise processing of packets after crypto-dev finished with them or
|
|
* process packets that are subjects to inline IPsec offload.
|
|
* Expects that for each input packet:
|
|
* - l2_len, l3_len are setup correctly
|
|
* Output mbufs will be:
|
|
* inbound - decrypted & authenticated, ESP(AH) related headers removed,
|
|
* *l2_len* and *l3_len* fields are updated.
|
|
* outbound - appropriate mbuf fields (ol_flags, tx_offloads, etc.)
|
|
* properly setup, if necessary - IP headers updated, ESP(AH) fields added,
|
|
* Note that erroneous mbufs are not freed by the function,
|
|
* but are placed beyond last valid mbuf in the *mb* array.
|
|
* It is a user responsibility to handle them further.
|
|
* @param ss
|
|
* Pointer to the *rte_ipsec_session* object the packets belong to.
|
|
* @param mb
|
|
* The address of an array of *num* pointers to *rte_mbuf* structures
|
|
* which contain the input packets.
|
|
* @param num
|
|
* The maximum number of packets to process.
|
|
* @return
|
|
* Number of successfully processed packets, with error code set in rte_errno.
|
|
*/
|
|
static inline uint16_t __rte_experimental
|
|
rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
|
|
uint16_t num)
|
|
{
|
|
return ss->pkt_func.process(ss, mb, num);
|
|
}
|
|
|
|
#include <rte_ipsec_group.h>
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* _RTE_IPSEC_H_ */
|