TODO items:
- Event Notification(Eg. Seq Number overflow, SA not found, SA hard/soft expiry)
- statistics APIs
- Encrypt and send APIs
Signed-off-by: Nikhil Agarwal <[email protected]>
---
include/odp/api/spec/crypto.h | 29 +++
include/odp/api/spec/crypto_ipsec.h | 345 ++++++++++++++++++++++++++++++++++++
2 files changed, 374 insertions(+)
create mode 100644 include/odp/api/spec/crypto_ipsec.h
diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto.h
index dea1fe9..b629b82 100644
--- a/include/odp/api/spec/crypto.h
+++ b/include/odp/api/spec/crypto.h
@@ -144,6 +144,27 @@ typedef union odp_crypto_auth_algos_t {
uint32_t all_bits;
} odp_crypto_auth_algos_t;
+
+/**
+ * Network security protocols in bit field structure
+ */
+typedef union odp_crypto_protocol_t {
+ /** Network security protocols */
+ struct {
+ /** ODP_AUTH_ALG_NULL */
+ uint32_t ipsec_esp : 1;
+
+ /** ODP_AUTH_ALG_MD5_96 */
+ uint32_t ipsec_ah : 1;
+
+ } bit;
+
+ /** All bits of the bit field structure
+ *
+ * This field can be used to set/clear all flags, or bitwise
+ * operations over the entire structure. */
+ uint32_t all_bits;
+} odp_crypto_protocol_t;
/**
* Crypto API key structure
*/
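Review bot: The member comments on the new odp_crypto_protocol_t bits are copied from the authentication-algorithm union and describe the wrong thing: `ipsec_esp` is annotated `ODP_AUTH_ALG_NULL` and `ipsec_ah` is annotated `ODP_AUTH_ALG_MD5_96`, which will mislead anyone reading the generated API docs about what each flag enables. Replace them with `/** IPsec ESP protocol */` and `/** IPsec AH protocol */`. The same copy-paste carries into the capability hunk further down, where `protocols` is documented as "Supported authentication algorithms" and `hw_protocols` as "Authentication algorithms implemented with HW offload"; those should read `/** Supported network security protocols */` and `/** Network security protocols implemented with HW offload */`. Note also that this union advertises an AH bit while the new crypto_ipsec.h in this patch enumerates only ODP_IPSEC_ESP in odp_ipsec_proto_t, so an application that sees `ipsec_ah` set has no way to request it; either add an AH enumerator or document the bit as reserved for now.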
@@ -264,6 +285,8 @@ typedef enum {
ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER,
/** Creation failed, bad auth params */
ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH,
+ /** Creation failed, bad protocol params */
+ ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO,
} odp_crypto_ses_create_err_t;
/**
@@ -332,6 +355,12 @@ typedef struct odp_crypto_capability_t {
/** Authentication algorithms implemented with HW offload */
odp_crypto_auth_algos_t hw_auths;
+ /** Supported authentication algorithms */
+ odp_crypto_protocol_t protocols;
+
+ /** Authentication algorithms implemented with HW offload */
+ odp_crypto_protocol_t hw_protocols;
+
} odp_crypto_capability_t;
/**
diff --git a/include/odp/api/spec/crypto_ipsec.h
b/include/odp/api/spec/crypto_ipsec.h
new file mode 100644
index 0000000..6a0cee0
--- /dev/null
+++ b/include/odp/api/spec/crypto_ipsec.h
@@ -0,0 +1,345 @@
+/* Copyright (c) 2014, Linaro Limited
+ * Copyright (c) 2015 - 2016 Freescale Semiconductor, Inc.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * @file
+ *
+ * ODP crypto IPSec extension
+ */
+
+#ifndef ODP_API_CRYPTO_IPSEC_H_
+#define ODP_API_CRYPTO_IPSEC_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef enum odp_ipsec_mode {
+ ODP_IPSEC_MODE_TUNNEL, /**< IPSec tunnel mode */
+ ODP_IPSEC_MODE_TRANSPORT, /**< IPSec transport mode */
+} odp_ipsec_mode_t;
+
+typedef enum odp_ipsec_proto {
+ ODP_IPSEC_ESP, /**< ESP protocol */
+} odp_ipsec_proto_t;
+
+typedef enum odp_ipsec_outhdr_type {
+ ODP_IPSEC_OUTHDR_IPV4, /**< Outer header is IPv4 */
+ ODP_IPSEC_OUTHDR_IPV6, /**< Outer header is IPv6 */
+} odp_ipsec_outhdr_type_t;
+
+typedef enum odp_ipsec_ar_ws {
+ ODP_IPSEC_AR_WS_NONE, /**< Anti-replay is not enabled */
+ ODP_IPSEC_AR_WS_32, /**< Anti-replay window size 32 */
+ ODP_IPSEC_AR_WS_64, /**< Anti-replay window size 64 */
+ ODP_IPSEC_AR_WS_128, /**< Anti-replay window size 128 */
+} odp_ipsec_ar_ws_t;
+
+typedef struct odp_ipsec_params {
+ odp_ipsec_mode_t ipsec_mode; /** Transport or Tunnel */
+ uint32_t spi; /** SPI value */
+ uint32_t seq; /** Initial SEQ number */
+ odp_ipsec_ar_ws_t ar_ws; /** Anti-replay window size -
+ inbound session with authentication */
+ odp_bool_t esn; /** Use extended sequence numbers */
+ odp_bool_t auto_iv; /** Auto IV generation for each operation. */
+ uint16_t out_hdr_size; /** outer header size - tunnel mode */
+ uint8_t *out_hdr; /** outer header - tunnel mode */
+ odp_ipsec_outhdr_type_t out_hdr_type; /* outer header type -
+ tunnel mode */
+ odp_bool_t ip_csum; /** update/verify ip header checksum */
+ odp_bool_t ip_dttl; /** decrement ttl - tunnel mode encap & decap */
+ odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode
decap */
+ odp_bool_t copy_dscp; /** DiffServ Copy - Copy the IPv4 TOS or
+ IPv6 Traffic Class byte from the inner/outer
+ IP header to the outer/inner IP header -
+ tunnel mode encap & decap */
+ odp_bool_t copy_df; /** Copy DF bit - copy the DF bit from
+ the inner IP header to the
+ outer IP header - tunnel mode encap */
+ odp_bool_t nat_t; /** NAT-T encapsulation enabled - tunnel mode */
+ odp_bool_t udp_csum; /** Update/verify UDP csum when NAT-T enabled */
+
+} odp_ipsec_esp_params_t;
+
+/**
+ * Configure crypto session for IPsec processing
+ *
+ * Configures a crypto session for IPSec protocol processing.
+ * Packets submitted to an IPSec enabled session will have
+ * relevant IPSec headers/trailers and tunnel headers
+ * added/removed by the crypto implementation.
+ * For example, the input packet for an IPSec ESP transport
+ * enabled session should be the clear text packet with
+ * no ESP headers/trailers prepared in advance for crypto operation.
+ * The output packet will have ESP header, IV, trailer and the ESP ICV
+ * added by crypto implementation.
+ * Depending on the particular capabilities of an implementation and
+ * the parameters enabled by application, the application may be
+ * partially or completely offloaded from IPSec protocol processing.
+ * For example, if an implementation does not support checksum
+ * update for IP header after adding ESP header the application
+ * should update after crypto IPSec operation.
+ *
+ * If an implementation does not support a particular set of
+ * arguments it should return error.
+ *
+ * @param session Session handle
+ * @param ipsec_proto IPSec protocol
+ * @param ipsec_params IPSec parameters. Parameters which are not
+ * relevant for selected protocol & mode are ignored -
+ * e.g. outer_hdr/size set for ESP transport mode.
+ * @retval 0 on success
+ * @retval <0 on failure
+ */
+int odp_crypto_ipsec_session_create(odp_crypto_session_params_t *ses_params,
+ odp_ipsec_proto_t ipsec_proto,
+ odp_ipsec_params_t *ipsec_params,
+ odp_crypto_session_t *session_out,
+ odp_crypto_ses_create_err_t *status);
+
+
+/*!
+ * SPD Policy/SA direction information
+ */
+enum odp_ipsec_direction {
+ ODP_IPSEC_INBOUND =1, /**< Inbound Direction */
+ ODP_IPSEC_OUTBOUND /**< Outbound Direction */
+};
+
+
+/*!
+ * DSCP Range information
+ */
+struct odp_ipsec_policy_rule_dscprange {
+ uint8_t start; /**< Start value in Range */
+ uint8_t end; /**< End value in Range */
+};
+
+/*!
+ * Fragmentation Before Encapsulation (Redside Fragmentation)
+ */
+enum odp_ipsec_policy_redside_fragmentation {
+ ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_DISABLE = 0,
+ /**< Diasable Redside fragmentation in IPSec Policy */
+ ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_ENABLE
+ /**< Enable Redside fragmentation in IPSec Policy */
+};
+
+/*!
+ * Input parameters to SPD Policy addition
+ */
+struct odp_ipsec_spd_params{
+ uint32_t tunnel_id;
+ /**< Tunnel ID */
+ enum odp_ipsec_direction dir;
+ /**< Direction: Inbound or Outbound */
+ uint32_t n_dscp_ranges;
+ /**< Number of DSCP Ranges */
+ struct odp_ipsec_policy_rule_dscprange *dscp_ranges;
+ /**< Array of DSCP Ranges */
+ enum odp_ipsec_policy_redside_fragmentation redside;
+ /**< Fragmentation before Encapsulation option: TRUE/FALSE */
+ uint32_t n_selectors;
+ /**< Number of selectors */
+ const odp_pmr_param_t *selectors;
+ /**< Array of Selectors */
+};
+
+/*!
+ * Output parameters to SPD Policy addition
+ */
+typedef struct odp_ipsec_spd_add_err{
+ int32_t result;
+ /**< 0:Success; Non Zero value: Error code indicating failure */
+}odp_ipsec_pol_add_err_t;
+
+/*!
+ * @brief This API is used to add Inbound/Outbound SPD policy to SPD policy
+ * database. This database is maintained per Name Space and Tunnel instance.
+ * This function first validates the incoming parameters
+ * and if all validations succeed, new SPD policy is added to the database.
+ *
+ * @param[in] params Pointer to input param structure which contains
+ * spd policy information.
+ * @param[out] policy Handle to the IPSEC policy.
+ * @param[out] resp Failure code if unsuccessful.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_add(
+ const struct odp_ipsec_spd_params *params,
+ odp_ipsec_policy_t *policy,
+ odp_ipsec_pol_add_err_t *resp);
+
+/*!
+ * @brief This API is used to delete Inbound/Outbound SPD policy from SPD
policy
+ * database.
+ *
+ * @param[in] policy Handle to the IPSEC policy.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_del(odp_ipsec_policy_t policy);
+
+/*!
+ * @brief This API is used to flush/delete all Inbound and Outbound SPD
+ * policies.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_flush();
+
+/*!
+ * @brief This API maps an IPSEC policy to an IPSEC crypto session.
+ *
+ * @param[in] policy - Handle to the IPSEC policy.
+ * @param[in] session - Handle to the IPSEC session(SA).
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy
+ odp_crypto_session_t session);
+
+/*!
+ * @brief This API unmaps an IPSEC policy to an IPSEC crypto session.
+ *
+ * @param[in] policy - Handle to the IPSEC policy.
+ * @param[in] session - Handle to the IPSEC session(SA).
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy
+ odp_crypto_session_t session);
+
+/*!
+ * SPD Policy Statistics information structure
+ */
+typedef struct odp_ipsec_spd_stats {
+ uint64_t received_pkts;
+ /**< Received Outbound/Inbound packets */
+ uint64_t processed_pkts;
+ /**< Processed Outbound/Inbound packets */
+ uint64_t processed_bytes;
+ /**< Number of bytes processed on Inbound/Outbound policy */
+
+ /*! Struct details
+ */
+ struct {
+ uint32_t crypto_op_failed;
+ /**< Crypto operations failed */
+ }protocol_violation_errors;
+ /**< Protocol violation errors */
+
+ /*! Struct details
+ */
+ struct {
+ uint32_t no_matching_dscp_range;
+ /**< Matching dscp range not found in the SPD policy */
+
+ uint32_t submit_to_sec_failed;
+ /**< Submission to SEC failed for crypto operations */
+ uint32_t no_outb_sa;
+ /**< Outbound SA not found */
+ uint32_t frag_failed;
+ /**< Fragmentation failed */
+ uint32_t mem_alloc_failed;
+ /**< Memory allocation failed for SA/SPD/descriptor etc.*/
+ uint32_t internal_error;
+ /**< All other errors locally encountered */
+ }local_errors;
+ /**< Local/internal errors */
+
+}odp_ipsec_spd_stats_t;
+
+/*!
+ * @brief This API fetches global statistics.
+ *
+ * @param[out] stats Pointer to statistics structure filled by this API.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_global_stats_get(odp_ipsec_spd_stats_t *stats);
+
+/*!
+ * IPSec Module Capabilities
+ */
+struct odp_ipsec_capabilities {
+ /*! This parameter indicates if IPSec-DP is capable of doing SPD
+ * rule search for incoming or outgoing datagrams
+ */
+
+ uint32_t sel_store_in_spd : 1,
+
+ /*! Authentication Header processing */
+ ah_protocol:1,
+
+ /*! ESP Header processing */
+ esp_protocol:1,
+
+ /*! IPComp related processing */
+ ipcomp_protocol:1,
+
+ /*! IPSec Tunnel Mode processing */
+ tunnel_mode:1,
+
+ /*! IPSec Tunnel Mode processing */
+ transport_mode:1,
+
+ /*! This indicates if IPSec has capability to generate
+ * (for Outbound) and verify (for Inbound) extended sequence
numbers.
+ */
+ esn:1,
+
+ /*! This option indicates whether IPSec can
+ * handle the necessary UDP Encapsulation required at
+ * IPSec level for traversing NAT boxes.
+ */
+ udp_encap:1,
+
+ /*! This option indicates whether IPSec can fragment packets
+ * before IPSec encryption, so that the resulting IPSec
encrypted
+ * fragments do not exceed MTU
+ */
+ redside_frag:1,
+
+
+ /*! Indicates the maximum number of IN and OUT SPD policies. */
+ uint32_t max_spd_policies;
+
+ /*! Indicates the maximum number of IN and OUT IPSec SAs. */
+ uint32_t max_sas;
+}odp_ipsec_capabilities_t;
+
+/*!
+ * @brief This API fetches IPSec module Capabilities
+ *
+ * @param[out] capa - capabilities structure filled by API.
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_capabilities_get(odp_ipsec_capabilities_t *capa);
+
+
+#endif /* __IPSEC_API_H */
+/**
+ * @}
+ */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
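Review bot: The new header cannot compile as written: the prototypes of odp_ipsec_map_pol_session and odp_ipsec_unmap_pol_session lack the comma between their two parameters, the bit-field list in struct odp_ipsec_capabilities ends in `redside_frag:1,` where a `;` is required before `uint32_t max_spd_policies;`, and that struct is declared without `typedef`, so `}odp_ipsec_capabilities_t;` defines a global variable in every translation unit that includes the header while odp_ipsec_capabilities_get then uses the same name as a type. The minimal fixes are `typedef struct odp_ipsec_capabilities {`, `redside_frag:1;`, and `int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy,` (likewise for the unmap prototype), plus `int32_t odp_ipsec_spd_flush(void);` since an empty parameter list is not a prototype in C. Several names are used but never declared or included — odp_ipsec_params_t in odp_crypto_ipsec_session_create (the struct immediately above it is typedef'd as odp_ipsec_esp_params_t), odp_ipsec_policy_t, odp_pmr_param_t, odp_bool_t and the odp_crypto_* types — and the file has no #include at all, so it needs the crypto and classification spec headers and a definition of the policy handle type. The include guard is also closed twice: the `#endif /* __IPSEC_API_H */` placed before the extern "C" closer should be removed (its comment matches no macro in this file), leaving the final `#endif` to close ODP_API_CRYPTO_IPSEC_H_, and the `@}` doxygen group end has no matching `@{`. Finally, the doc block above odp_crypto_ipsec_session_create documents `session`, `ipsec_proto` and `ipsec_params` only; it should describe ses_params, session_out and status, and state that a protocol/parameter combination the implementation rejects sets `*status` to ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO so callers can distinguish it from cipher/auth failures.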