On Fri, Sep 23, 2016 at 8:38 AM, Maxim Uvarov <[email protected]> wrote:
> patch prefix has to be API-NEXT > It should also be marked RFC, since this isn't a complete patch, but that's fine for review purposes > and comments <*! - looks very stange. At least we did not have such styled > comments before. The ODP doxygen convention is to use comments that begin /**, not /*!. Again a small point for the review. Thanks, Nikhil. We'll include this in Monday's discussions. > > > Maxim. > > > On 09/23/16 18:42, Nikhil Agarwal wrote: > >> TODO items: >> - Event Notification(Eg. Seq Number overflow, SA not found, SA hard/soft >> expiry) >> - statistics APIs >> - Encrpt and send APIs >> >> Signed-off-by: Nikhil Agarwal <[email protected]> >> --- >> include/odp/api/spec/crypto.h | 29 +++ >> include/odp/api/spec/crypto_ipsec.h | 345 >> ++++++++++++++++++++++++++++++++++++ >> 2 files changed, 374 insertions(+) >> create mode 100644 include/odp/api/spec/crypto_ipsec.h >> >> diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto. >> h >> index dea1fe9..b629b82 100644 >> --- a/include/odp/api/spec/crypto.h >> +++ b/include/odp/api/spec/crypto.h >> @@ -144,6 +144,27 @@ typedef union odp_crypto_auth_algos_t { >> uint32_t all_bits; >> } odp_crypto_auth_algos_t; >> + >> +/** >> + * Network security protocols in bit field structure >> + */ >> +typedef union odp_crypto_protocol_t { >> + /** Network security protocols */ >> + struct { >> + /** ODP_AUTH_ALG_NULL */ >> + uint32_t ipsec_esp : 1; >> + >> + /** ODP_AUTH_ALG_MD5_96 */ >> + uint32_t ipsec_ah : 1; >> + >> + } bit; >> + >> + /** All bits of the bit field structure >> + * >> + * This field can be used to set/clear all flags, or bitwise >> + * operations over the entire structure. */ >> + uint32_t all_bits; >> +} odp_crypto_protocol_t; >> /** >> * Crypto API key structure >> */ 
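Review bot: The doc comments on the two new protocol bits are copied from odp_crypto_auth_algos_t and describe the wrong thing: `ipsec_esp` is documented as `/** ODP_AUTH_ALG_NULL */` and `ipsec_ah` as `/** ODP_AUTH_ALG_MD5_96 */`. They should name the protocol each bit selects, e.g. `/** IPsec ESP (RFC 4303) */` and `/** IPsec AH (RFC 4302) */`. Since the union leaves 30 bits unnamed, the header comment should also state that unnamed bits are reserved and read as zero, so that capability checks done on `all_bits` remain meaningful when further protocols are added.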
>> @@ -264,6 +285,8 @@ typedef enum { >> ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER, >> /** Creation failed, bad auth params */ >> ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH, >> + /** Creation failed, bad protocol params */ >> + ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO, >> } odp_crypto_ses_create_err_t; >> /** >> @@ -332,6 +355,12 @@ typedef struct odp_crypto_capability_t { >> /** Authentication algorithms implemented with HW offload */ >> odp_crypto_auth_algos_t hw_auths; >> + /** Supported authentication algorithms */ >> + odp_crypto_protocol_t protocols; >> + >> + /** Authentication algorithms implemented with HW offload */ >> + odp_crypto_protocol_t hw_protocols; >> + >> } odp_crypto_capability_t; >> /** >> diff --git a/include/odp/api/spec/crypto_ipsec.h >> b/include/odp/api/spec/crypto_ipsec.h >> new file mode 100644 >> index 0000000..6a0cee0 >> --- /dev/null >> +++ b/include/odp/api/spec/crypto_ipsec.h 
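Review bot: The comments on the two new capability fields are copy-paste leftovers from the auth-algorithm fields above them: `protocols` is documented as `/** Supported authentication algorithms */` and `hw_protocols` as `/** Authentication algorithms implemented with HW offload */`. Suggest `/** Supported network security protocols */` and `/** Network security protocols implemented with HW offload */`. If, as with ciphers/auths, every bit set in `hw_protocols` is meant to also be set in `protocols`, that invariant should be stated in the comment so applications can rely on it; the hunk itself does not say.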
>> @@ -0,0 +1,345 @@ >> +/* Copyright (c) 2014, Linaro Limited >> + * Copyright (c) 2015 - 2016 Freescale Semiconductor, Inc. >> + * All rights reserved. >> + * >> + * SPDX-License-Identifier: BSD-3-Clause >> + */ >> + >> +/** >> + * @file >> + * >> + * ODP crypto IPSec extension >> + */ >> + >> +#ifndef ODP_API_CRYPTO_IPSEC_H_ >> +#define ODP_API_CRYPTO_IPSEC_H_ >> + >> +#ifdef __cplusplus >> +extern "C" { >> +#endif >> + >> + >> +typedef enum odp_ipsec_mode { >> + ODP_IPSEC_MODE_TUNNEL, /**< IPSec tunnel mode */ >> + ODP_IPSEC_MODE_TRANSPORT, /**< IPSec transport mode */ >> +} odp_ipsec_mode_t; >> + >> +typedef enum odp_ipsec_proto { >> + ODP_IPSEC_ESP, /**< ESP protocol */ >> +} odp_ipsec_proto_t; >> + >> +typedef enum odp_ipsec_outhdr_type { >> + ODP_IPSEC_OUTHDR_IPV4, /**< Outer header is IPv4 */ >> + ODP_IPSEC_OUTHDR_IPV6, /**< Outer header is IPv6 */ >> +} odp_ipsec_outhdr_type_t; >> + >> +typedef enum odp_ipsec_ar_ws { >> + ODP_IPSEC_AR_WS_NONE, /**< Anti-replay is not enabled */ >> + ODP_IPSEC_AR_WS_32, /**< Anti-replay window size 32 */ >> + ODP_IPSEC_AR_WS_64, /**< Anti-replay window size 64 */ >> + ODP_IPSEC_AR_WS_128, /**< Anti-replay window size 128 */ >> +} odp_ipsec_ar_ws_t; >> + >> +typedef struct odp_ipsec_params { >> + odp_ipsec_mode_t ipsec_mode; /** Transport or Tunnel */ >> + uint32_t spi; /** SPI value */ >> + uint32_t seq; /** Initial SEQ number */ >> + odp_ipsec_ar_ws_t ar_ws; /** Anti-replay window size - >> + inbound session with >> authentication */ >> + odp_bool_t esn; /** Use extended sequence numbers */ >> + odp_bool_t auto_iv; /** Auto IV generation for each >> operation. 
*/ >> + uint16_t out_hdr_size; /** outer header size - tunnel mode */ >> + uint8_t *out_hdr; /** outer header - tunnel mode */ >> + odp_ipsec_outhdr_type_t out_hdr_type; /* outer header type - >> + tunnel mode */ >> + odp_bool_t ip_csum; /** update/verify ip header checksum */ >> + odp_bool_t ip_dttl; /** decrement ttl - tunnel mode encap & >> decap */ >> + odp_bool_t remove_outer_hdr; /** remove outer header - tunnel >> mode decap */ >> + odp_bool_t copy_dscp; /** DiffServ Copy - Copy the IPv4 TOS or >> + IPv6 Traffic Class byte from the >> inner/outer >> + IP header to the outer/inner IP >> header - >> + tunnel mode encap & decap */ >> + odp_bool_t copy_df; /** Copy DF bit - copy the DF bit from >> + the inner IP header to the >> + outer IP header - tunnel mode encap */ >> + odp_bool_t nat_t; /** NAT-T encapsulation enabled - tunnel >> mode */ >> + odp_bool_t udp_csum; /** Update/verify UDP csum when NAT-T >> enabled */ >> + >> +} odp_ipsec_esp_params_t; >> + >> +/** >> + * Configure crypto session for IPsec processing >> + * >> + * Configures a crypto session for IPSec protocol processing. >> + * Packets submitted to an IPSec enabled session will have >> + * relevant IPSec headers/trailers and tunnel headers >> + * added/removed by the crypto implementation. >> + * For example, the input packet for an IPSec ESP transport >> + * enabled session should be the clear text packet with >> + * no ESP headers/trailers prepared in advance for crypto operation. >> + * The output packet will have ESP header, IV, trailer and the ESP ICV >> + * added by crypto implementation. >> + * Depending on the particular capabilities of an implementation and >> + * the parameters enabled by application, the application may be >> + * partially or completely offloaded from IPSec protocol processing. >> + * For example, if an implementation does not support checksum >> + * update for IP header after adding ESP header the application >> + * should update after crypto IPSec operation. 
>> + * >> + * If an implementation does not support a particular set of >> + * arguments it should return error. >> + * >> + * @param session Session handle >> + * @param ipsec_proto IPSec protocol >> + * @param ipsec_params IPSec parameters. Parameters which are not >> + * relevant for selected protocol & mode are >> ignored - >> + * e.g. outer_hdr/size set for ESP transport >> mode. >> + * @retval 0 on success >> + * @retval <0 on failure >> + */ >> +int odp_crypto_ipsec_session_create(odp_crypto_session_params_t >> *ses_params, >> + odp_ipsec_proto_t ipsec_proto, >> + odp_ipsec_params_t *ipsec_params, >> + odp_crypto_session_t *session_out, >> + odp_crypto_ses_create_err_t *status); >> + >> + >> +/*! >> + * SPD Policy/SA direction information >> + */ >> +enum odp_ipsec_direction { >> + ODP_IPSEC_INBOUND =1, /**< Inbound Direction */ >> + ODP_IPSEC_OUTBOUND /**< Outbound Direction */ >> +}; >> + >> + >> +/*! >> + * DSCP Range information >> + */ >> +struct odp_ipsec_policy_rule_dscprange { >> + uint8_t start; /**< Start value in Range */ >> + uint8_t end; /**< End value in Range */ >> +}; >> + >> +/*! >> + * Fragmentation Before Encapsulation (Redside Fragmentation) >> + */ >> +enum odp_ipsec_policy_redside_fragmentation { >> + ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_DISABLE = 0, >> + /**< Diasable Redside fragmentation in IPSec Policy */ >> + ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_ENABLE >> + /**< Enable Redside fragmentation in IPSec Policy */ >> +}; >> + >> +/*! 
>> + * Input parameters to SPD Policy addition >> + */ >> +struct odp_ipsec_spd_params{ >> + uint32_t tunnel_id; >> + /**< Tunnel ID */ >> + enum odp_ipsec_direction dir; >> + /**< Direction: Inbound or Outbound */ >> + uint32_t n_dscp_ranges; >> + /**< Number of DSCP Ranges */ >> + struct odp_ipsec_policy_rule_dscprange *dscp_ranges; >> + /**< Array of DSCP Ranges */ >> + enum odp_ipsec_policy_redside_fragmentation redside; >> + /**< Fragmentation before Encapsulation option: TRUE/FALSE */ >> + uint32_t n_selectors; >> + /**< Number of selectors */ >> + const odp_pmr_param_t *selectors; >> + /**< Array of Selectors */ >> +}; >> + >> +/*! >> + * Output parameters to SPD Policy addition >> + */ >> +typedef struct odp_ipsec_spd_add_err{ >> + int32_t result; >> + /**< 0:Success; Non Zero value: Error code indicating failure */ >> +}odp_ipsec_pol_add_err_t; >> + >> +/*! >> + * @brief This API is used to add Inbound/Outbound SPD policy to SPD >> policy >> + * database. This database is maintained per Name Space and Tunnel >> instance. >> + * This function first validates the incoming parameters >> + * and if all validations succeed, new SPD policy is added to the >> database. >> + * >> + * @param[in] params Pointer to input param structure which contains >> + * spd policy information. >> + * @param[out] policy Handle to the IPSEC policy. >> + * @param[out] resp Failure code if unsuccessful. >> + * >> + * @returns 0 on Success or negative value on failure. >> + * >> + */ >> +int32_t odp_ipsec_spd_add( >> + const struct odp_ipsec_spd_params *params, >> + odp_ipsec_policy_t *policy, >> + odp_ipsec_pol_add_err_t *resp); >> + >> +/*! >> + * @brief This API is used to delete Inbound/Outbound SPD policy from >> SPD policy >> + * database. >> + * >> + * @param[in] policy Handle to the IPSEC policy. >> + * >> + * @returns 0 on Success or negative value on failure. >> + * >> + */ >> +int32_t odp_ipsec_spd_del(odp_ipsec_policy_t policy); >> + >> +/*! 
>> + * @brief This API is used to flush/delete all Inbound and Outbound SPD >> + * policies. >> + * >> + * @returns 0 on Success or negative value on failure. >> + * >> + */ >> +int32_t odp_ipsec_spd_flush(); >> + >> +/*! >> + * @brief This API maps an IPSEC policy to an IPSEC crypto session. >> + * >> + * @param[in] policy - Handle to the IPSEC policy. >> + * @param[in] session - Handle to the IPSEC session(SA). >> + * >> + * @returns SUCCESS on success; FAILURE otherwise >> + * >> + */ >> +int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy >> + odp_crypto_session_t session); >> + >> +/*! >> + * @brief This API unmaps an IPSEC policy to an IPSEC crypto session. >> + * >> + * @param[in] policy - Handle to the IPSEC policy. >> + * @param[in] session - Handle to the IPSEC session(SA). >> + * >> + * @returns SUCCESS on success; FAILURE otherwise >> + * >> + */ >> +int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy >> + odp_crypto_session_t session); >> + >> +/*! >> + * SPD Policy Statistics information structure >> + */ >> +typedef struct odp_ipsec_spd_stats { >> + uint64_t received_pkts; >> + /**< Received Outbound/Inbound packets */ >> + uint64_t processed_pkts; >> + /**< Processed Outbound/Inbound packets */ >> + uint64_t processed_bytes; >> + /**< Number of bytes processed on Inbound/Outbound policy */ >> + >> + /*! Struct details >> + */ >> + struct { >> + uint32_t crypto_op_failed; >> + /**< Crypto operations failed */ >> + }protocol_violation_errors; >> + /**< Protocol violation errors */ >> + >> + /*! 
Struct details >> + */ >> + struct { >> + uint32_t no_matching_dscp_range; >> + /**< Matching dscp range not found in the SPD policy */ >> + >> + uint32_t submit_to_sec_failed; >> + /**< Submission to SEC failed for crypto operations */ >> + uint32_t no_outb_sa; >> + /**< Outbound SA not found */ >> + uint32_t frag_failed; >> + /**< Fragmentation failed */ >> + uint32_t mem_alloc_failed; >> + /**< Memory allocation failed for SA/SPD/descriptor etc.*/ >> + uint32_t internal_error; >> + /**< All other errors locally encountered */ >> + }local_errors; >> + /**< Local/internal errors */ >> + >> +}odp_ipsec_spd_stats_t; >> + >> +/*! >> + * @brief This API fetches global statistics. >> + * >> + * @param[out] stats Pointer to statistics structure filled by this API. >> + * >> + * @returns 0 on Success or negative value on failure. >> + * >> + */ >> +int32_t odp_ipsec_global_stats_get(odp_ipsec_spd_stats_t *stats); >> + >> +/*! >> + * IPSec Module Capabilities >> + */ >> +struct odp_ipsec_capabilities { >> + /*! This parameter indicates if IPSec-DP is capable of doing SPD >> + * rule search for incoming or outgoing datagrams >> + */ >> + >> + uint32_t sel_store_in_spd : 1, >> + >> + /*! Authentication Header processing */ >> + ah_protocol:1, >> + >> + /*! ESP Header processing */ >> + esp_protocol:1, >> + >> + /*! IPComp related processing */ >> + ipcomp_protocol:1, >> + >> + /*! IPSec Tunnel Mode processing */ >> + tunnel_mode:1, >> + >> + /*! IPSec Tunnel Mode processing */ >> + transport_mode:1, >> + >> + /*! This indicates if IPSec has capability to generate >> + * (for Outbound) and verify (for Inbound) extended >> sequence numbers. >> + */ >> + esn:1, >> + >> + /*! This option indicates whether IPSec can >> + * handle the necessary UDP Encapsulation required at >> + * IPSec level for traversing NAT boxes. >> + */ >> + udp_encap:1, >> + >> + /*! 
This option indicates whether IPSec can fragment >> packets >> + * before IPSec encryption, so that the resulting IPSec >> encrypted >> + * fragments do not exceed MTU >> + */ >> + redside_frag:1, >> + >> + >> + /*! Indicates the maximum number of IN and OUT SPD policies. */ >> + uint32_t max_spd_policies; >> + >> + /*! Indicates the maximum number of IN and OUT IPSec SAs. */ >> + uint32_t max_sas; >> +}odp_ipsec_capabilities_t; >> + >> +/*! >> + * @brief This API fetches IPSec module Capabilities >> + * >> + * @param[out] capa - capabilities structure filled by API. >> + * >> + * @returns SUCCESS on success; FAILURE otherwise >> + * >> + */ >> +int32_t odp_ipsec_capabilities_get(odp_ipsec_capabilities_t *capa); >> + >> + >> +#endif /* __IPSEC_API_H */ >> +/** >> + * @} >> + */ >> + >> +#ifdef __cplusplus >> +} >> +#endif >> + >> +#endif >> > > >
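Review bot: `ODP_IPSEC_AR_WS_NONE` is the first (zero) enumerator of odp_ipsec_ar_ws_t, so an `odp_ipsec_params` initialised with `= {0}` or memset silently creates an inbound SA with anti-replay disabled, whereas RFC 4303 section 3.4.3 makes anti-replay the default and requires a minimum window of 32 to be supported. The opt-out should be an explicit non-zero value and the zero value a real window, e.g. `ODP_IPSEC_AR_WS_64 = 0, /**< Default anti-replay window */` with `ODP_IPSEC_AR_WS_NONE /**< Explicitly disable anti-replay (inbound only) */` moved to the end, and the `ar_ws` field comment should say the value is ignored for outbound sessions. As posted the header also does not compile: the struct is typedef'd `odp_ipsec_esp_params_t` but `odp_crypto_ipsec_session_create` takes `odp_ipsec_params_t *`, the parameter lists of `odp_ipsec_map_pol_session` and `odp_ipsec_unmap_pol_session` lack a comma, `odp_ipsec_policy_t` is never declared, the file has no `#include` for `odp_bool_t`/`odp_crypto_session_t`/`odp_pmr_param_t`, and the stray `#endif /* __IPSEC_API_H */` closes the include guard before the `extern "C"` block, leaving the final `#endif` unmatched. `odp_ipsec_spd_flush()` should be declared `(void)` so it is a prototype rather than an old-style declaration. Finally, odp_ipsec_proto_t offers only `ODP_IPSEC_ESP` while the capability bits in crypto.h advertise `ipsec_ah`; either add `ODP_IPSEC_AH` or document that AH is not selectable through this API yet.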
