From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>
Cc: Vidya Sagar Velumuri <vvelumuri@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>,
Volodymyr Fialko <vfialko@marvell.com>,
Aakash Sasidharan <asasidharan@marvell.com>, <dev@dpdk.org>
Subject: [PATCH 03/17] crypto/cnxk: update resp len calculation for IPv6
Date: Tue, 20 Dec 2022 20:02:18 +0530 [thread overview]
Message-ID: <20221220143232.2519650-4-ktejasree@marvell.com> (raw)
In-Reply-To: <20221220143232.2519650-1-ktejasree@marvell.com>
From: Vidya Sagar Velumuri <vvelumuri@marvell.com>
In IPsec lookaside path, response length for an encryption is pre
calculated and updated in the mbuf as the packet length.
Response length dpepends on the layer-3 header length.
As IPsec security context does not provide any information about the IP
version, the layer-3 header length is calculated in data path based on IP
version and extension headers.
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
drivers/common/cnxk/cnxk_security.c | 4 +--
drivers/crypto/cnxk/cn9k_ipsec_la_ops.h | 36 ++++++++++++++++++++++---
2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 5034c76938..79427d48fe 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -19,7 +19,7 @@ ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform,
uint32_t i;
/* HMAC OPAD and IPAD */
- for (i = 0; i < 127 && i < length; i++) {
+ for (i = 0; i < 128 && i < length; i++) {
opad[i] = opad[i] ^ key[i];
ipad[i] = ipad[i] ^ key[i];
}
@@ -1344,7 +1344,7 @@ cnxk_on_ipsec_outb_sa_create(struct rte_security_ipsec_xform *ipsec,
} else
ctx_len += sizeof(template->ip4);
- ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
+ ctx_len = RTE_ALIGN_CEIL(ctx_len, 8);
if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
uint8_t *hmac_opad_ipad = (uint8_t *)&out_sa->sha2;
diff --git a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
index 724fc525ad..f1298017ce 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn9k_ipsec_la_ops.h
@@ -13,14 +13,44 @@
#include "cnxk_security_ar.h"
static __rte_always_inline int32_t
-ipsec_po_out_rlen_get(struct cn9k_sec_session *sess, uint32_t plen)
+ipsec_po_out_rlen_get(struct cn9k_sec_session *sess, uint32_t plen, struct rte_mbuf *m_src)
{
uint32_t enc_payload_len;
int adj_len = 0;
- if (sess->sa.out_sa.common_sa.ctl.ipsec_mode == ROC_IE_SA_MODE_TRANSPORT)
+ if (sess->sa.out_sa.common_sa.ctl.ipsec_mode == ROC_IE_SA_MODE_TRANSPORT) {
adj_len = ROC_CPT_TUNNEL_IPV4_HDR_LEN;
+ uintptr_t data = (uintptr_t)m_src->buf_addr + m_src->data_off;
+ struct rte_ipv4_hdr *ip = (struct rte_ipv4_hdr *)data;
+
+ if (unlikely(((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) != IPVERSION)) {
+ struct rte_ipv6_hdr *ip6 = (struct rte_ipv6_hdr *)ip;
+ uint8_t *nxt_hdr = (uint8_t *)ip6;
+ uint8_t dest_op_cnt = 0;
+ int nh = ip6->proto;
+
+ PLT_ASSERT(((ip->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER) == 6);
+
+ adj_len = ROC_CPT_TUNNEL_IPV6_HDR_LEN;
+ nxt_hdr += ROC_CPT_TUNNEL_IPV6_HDR_LEN;
+ while (nh != -EINVAL) {
+ size_t ext_len = 0;
+
+ nh = rte_ipv6_get_next_ext(nxt_hdr, nh, &ext_len);
+ /* With multiple dest ops headers, the ESP hdr will be before
+ * the 2nd dest ops and after the first dest ops header
+ */
+ if ((nh == IPPROTO_DSTOPTS) && dest_op_cnt)
+ break;
+ else if (nh == IPPROTO_DSTOPTS)
+ dest_op_cnt++;
+ adj_len += ext_len;
+ nxt_hdr += ext_len;
+ }
+ }
+ }
+
enc_payload_len =
RTE_ALIGN_CEIL(plen + sess->rlens.roundup_len - adj_len, sess->rlens.roundup_byte);
@@ -41,7 +71,7 @@ process_outb_sa(struct rte_crypto_op *cop, struct cn9k_sec_session *sess, struct
pkt_len = rte_pktmbuf_pkt_len(m_src);
dlen = pkt_len + hdr_len;
- rlen = ipsec_po_out_rlen_get(sess, pkt_len);
+ rlen = ipsec_po_out_rlen_get(sess, pkt_len, m_src);
extend_tail = rlen - dlen;
if (unlikely(extend_tail > rte_pktmbuf_tailroom(m_src))) {
--
2.25.1
next prev parent reply other threads:[~2022-12-20 14:33 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-20 14:32 [PATCH 00/17] fixes and improvements to cnxk crytpo PMD Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 01/17] common/cnxk: perform LF fini ops only when allocated Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 02/17] common/cnxk: generate opad and ipad in driver Tejasree Kondoj
2022-12-20 14:32 ` Tejasree Kondoj [this message]
2022-12-20 14:32 ` [PATCH 04/17] crypto/cnxk: add context to passthrough instruction Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 05/17] crypto/cnxk: support truncated digest length Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 06/17] crypto/cnxk: add queue pair check to meta set Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 07/17] crypto/cnxk: update crypto completion code handling Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 08/17] crypto/cnxk: fix incorrect digest for an empty input data Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 09/17] crypto/cnxk: add CN9K IPsec SG support Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 10/17] crypto/cnxk: add support for SHA3 hash Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 11/17] common/cnxk: skip hmac hash precomputation Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 12/17] crypto/octeontx: support truncated digest size Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 13/17] crypto/cnxk: set device ops to null in PCI remove Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 14/17] crypto/cnxk: add CTX for non IPsec operations Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 15/17] crypto/cnxk: set salt in dptr as part of IV Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 16/17] crypto/cnxk: remove null check of session priv Tejasree Kondoj
2022-12-20 14:32 ` [PATCH 17/17] common/cnxk: remove salt from session Tejasree Kondoj
2023-01-04 10:11 ` [PATCH 00/17] fixes and improvements to cnxk crytpo PMD Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221220143232.2519650-4-ktejasree@marvell.com \
--to=ktejasree@marvell.com \
--cc=anoobj@marvell.com \
--cc=asasidharan@marvell.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
--cc=gmuthukrishn@marvell.com \
--cc=vfialko@marvell.com \
--cc=vvelumuri@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).