DPDK patches and discussions
 help / color / mirror / Atom feed
From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>, Radu Nicolau <radu.nicolau@intel.com>
Cc: Tejasree Kondoj <ktejasree@marvell.com>,
	Anoob Joseph <anoobj@marvell.com>,
	Ankur Dwivedi <adwivedi@marvell.com>,
	Jerin Jacob <jerinj@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH v3 1/4] crypto/octeontx2: add UDP encapsulation support
Date: Thu, 8 Apr 2021 13:47:17 +0530	[thread overview]
Message-ID: <20210408081720.23314-2-ktejasree@marvell.com> (raw)
In-Reply-To: <20210408081720.23314-1-ktejasree@marvell.com>

Adding UDP encapsulation support for IPsec in
lookaside protocol mode.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           |  1 +
 doc/guides/rel_notes/release_21_05.rst        |  2 +
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 59 ++++++++-----------
 3 files changed, 28 insertions(+), 34 deletions(-)

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index 8c7df065b3..00226a8c77 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -181,6 +181,7 @@ Features supported
 * Tunnel mode
 * ESN
 * Anti-replay
+* UDP Encapsulation
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
 * AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index a80ce8ca12..5565c7637c 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -126,6 +126,8 @@ New Features
 * **Updated the OCTEON TX2 crypto PMD.**
 
   * Added support for DIGEST_ENCRYPTED mode in OCTEON TX2 crypto PMD.
+  * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+    UDP encapsulation support for NAT Traversal.
 
 * **Updated testpmd.**
 
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 342f089df8..210c53aa0a 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				     struct rte_security_session *sec_sess)
 {
 	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_ipsec_po_ip_template *template;
 	const uint8_t *cipher_key, *auth_key;
 	struct otx2_sec_session_ipsec_lp *lp;
 	struct otx2_ipsec_po_sa_ctl *ctl;
@@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				if (ipsec->options.udp_encap) {
-					sa->aes_gcm.template.ip4.udp_src = 4500;
-					sa->aes_gcm.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+				template = &sa->aes_gcm.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						aes_gcm.template) + sizeof(
 						sa->aes_gcm.template.ip4);
@@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				if (ipsec->options.udp_encap) {
-					sa->sha1.template.ip4.udp_src = 4500;
-					sa->sha1.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->sha1.template.ip4.ipv4_hdr;
+				template = &sa->sha1.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha1.template) + sizeof(
 						sa->sha1.template.ip4);
@@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				if (ipsec->options.udp_encap) {
-					sa->sha2.template.ip4.udp_src = 4500;
-					sa->sha2.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->sha2.template.ip4.ipv4_hdr;
+				template = &sa->sha2.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha2.template) + sizeof(
 						sa->sha2.template.ip4);
@@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 			} else {
 				return -EINVAL;
 			}
+			ip = &template->ip4.ipv4_hdr;
+			if (ipsec->options.udp_encap) {
+				ip->next_proto_id = IPPROTO_UDP;
+				template->ip4.udp_src = rte_be_to_cpu_16(4500);
+				template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+			} else {
+				ip->next_proto_id = IPPROTO_ESP;
+			}
 			ip->version_ihl = RTE_IPV4_VHL_DEF;
-			ip->next_proto_id = IPPROTO_ESP;
 			ip->time_to_live = ipsec->tunnel.ipv4.ttl;
 			ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
 			if (ipsec->tunnel.ipv4.df)
@@ -299,11 +295,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
 
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				if (ipsec->options.udp_encap) {
-					sa->aes_gcm.template.ip6.udp_src = 4500;
-					sa->aes_gcm.template.ip6.udp_dst = 4500;
-				}
-				ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
+				template = &sa->aes_gcm.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						aes_gcm.template) + sizeof(
 						sa->aes_gcm.template.ip6);
@@ -311,11 +303,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				if (ipsec->options.udp_encap) {
-					sa->sha1.template.ip6.udp_src = 4500;
-					sa->sha1.template.ip6.udp_dst = 4500;
-				}
-				ip6 = &sa->sha1.template.ip6.ipv6_hdr;
+				template = &sa->sha1.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha1.template) + sizeof(
 						sa->sha1.template.ip6);
@@ -323,11 +311,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				if (ipsec->options.udp_encap) {
-					sa->sha2.template.ip6.udp_src = 4500;
-					sa->sha2.template.ip6.udp_dst = 4500;
-				}
-				ip6 = &sa->sha2.template.ip6.ipv6_hdr;
+				template = &sa->sha2.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha2.template) + sizeof(
 						sa->sha2.template.ip6);
@@ -337,6 +321,16 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				return -EINVAL;
 			}
 
+			ip6 = &template->ip6.ipv6_hdr;
+			if (ipsec->options.udp_encap) {
+				ip6->proto = IPPROTO_UDP;
+				template->ip6.udp_src = rte_be_to_cpu_16(4500);
+				template->ip6.udp_dst = rte_be_to_cpu_16(4500);
+			} else {
+				ip6->proto = (ipsec->proto ==
+					RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
+					IPPROTO_ESP : IPPROTO_AH;
+			}
 			ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 |
 				((ipsec->tunnel.ipv6.dscp <<
 					RTE_IPV6_HDR_TC_SHIFT) &
@@ -345,9 +339,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 					RTE_IPV6_HDR_FL_SHIFT) &
 					RTE_IPV6_HDR_FL_MASK));
 			ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
-			ip6->proto = (ipsec->proto ==
-					RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
-					IPPROTO_ESP : IPPROTO_AH;
 			memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
 				sizeof(struct in6_addr));
 			memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
-- 
2.27.0


  reply	other threads:[~2021-04-08  7:54 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-08  8:17 [dpdk-dev] [PATCH v3 0/4] add lookaside IPsec UDP encapsulation and transport mode Tejasree Kondoj
2021-04-08  8:17 ` Tejasree Kondoj [this message]
2021-04-08  8:17 ` [dpdk-dev] [PATCH v3 2/4] mbuf: add packet type for UDP-ESP tunnel packets Tejasree Kondoj
2021-04-08  8:33   ` Tejasree Kondoj
2021-04-08 11:10   ` Olivier Matz
2021-04-09 10:56     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-04-13 13:03       ` Akhil Goyal
2021-04-13 15:46         ` Ananyev, Konstantin
2021-04-08  8:17 ` [dpdk-dev] [PATCH v3 3/4] examples/ipsec-secgw: add UDP encapsulation support Tejasree Kondoj
2021-04-08 10:45   ` Ananyev, Konstantin
2021-04-08  8:17 ` [dpdk-dev] [PATCH v3 4/4] crypto/octeontx2: support lookaside IPv4 transport mode Tejasree Kondoj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210408081720.23314-2-ktejasree@marvell.com \
    --to=ktejasree@marvell.com \
    --cc=adwivedi@marvell.com \
    --cc=anoobj@marvell.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    --cc=jerinj@marvell.com \
    --cc=radu.nicolau@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).