
api:crypto: Adding IPSEC protocol APIs.

Message ID 20160923154219.28000-1-nikhil.agarwal@linaro.org
State New

Commit Message

Nikhil Agarwal Sept. 23, 2016, 3:42 p.m. UTC
TODO items:
- Event Notification(Eg. Seq Number overflow, SA not found, SA hard/soft expiry)
- statistics APIs
- Encrypt and send APIs

Signed-off-by: Nikhil Agarwal <nikhil.agarwal@linaro.org>

---
 include/odp/api/spec/crypto.h       |  29 +++
 include/odp/api/spec/crypto_ipsec.h | 345 ++++++++++++++++++++++++++++++++++++
 2 files changed, 374 insertions(+)
 create mode 100644 include/odp/api/spec/crypto_ipsec.h

-- 
2.9.3

Comments

Maxim Uvarov Sept. 23, 2016, 1:38 p.m. UTC | #1
patch prefix has to be API-NEXT
and the <*! comments look very strange. At least we did not have
comments styled like this before.

Maxim.

On 09/23/16 18:42, Nikhil Agarwal wrote:
> TODO items:

> - Event Notification(Eg. Seq Number overflow, SA not found, SA hard/soft expiry)

> - statistics APIs

> - Encrpt and send APIs

>

> Signed-off-by: Nikhil Agarwal <nikhil.agarwal@linaro.org>

> ---

>   include/odp/api/spec/crypto.h       |  29 +++

>   include/odp/api/spec/crypto_ipsec.h | 345 ++++++++++++++++++++++++++++++++++++

>   2 files changed, 374 insertions(+)

>   create mode 100644 include/odp/api/spec/crypto_ipsec.h

>

> diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto.h

> index dea1fe9..b629b82 100644

> --- a/include/odp/api/spec/crypto.h

> +++ b/include/odp/api/spec/crypto.h

> @@ -144,6 +144,27 @@ typedef union odp_crypto_auth_algos_t {

>   	uint32_t all_bits;

>   } odp_crypto_auth_algos_t;

>   

> +

> +/**

> + * Network security protocols in bit field structure

> + */

> +typedef union odp_crypto_protocol_t {

> +	/** Network security protocols */

> +	struct {

> +		/** ODP_AUTH_ALG_NULL */

> +		uint32_t ipsec_esp    : 1;

> +

> +		/** ODP_AUTH_ALG_MD5_96 */

> +		uint32_t ipsec_ah     : 1;

> +

> +	} bit;

> +

> +	/** All bits of the bit field structure

> +	  *

> +	  * This field can be used to set/clear all flags, or bitwise

> +	  * operations over the entire structure. */

> +	uint32_t all_bits;

> +} odp_crypto_protocol_t;

>   /**

>    * Crypto API key structure

>    */

> @@ -264,6 +285,8 @@ typedef enum {

>   	ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER,

>   	/** Creation failed, bad auth params */

>   	ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH,

> +	/** Creation failed, bad protocol params */

> +	ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO,

>   } odp_crypto_ses_create_err_t;

>   

>   /**

> @@ -332,6 +355,12 @@ typedef struct odp_crypto_capability_t {

>   	/** Authentication algorithms implemented with HW offload */

>   	odp_crypto_auth_algos_t   hw_auths;

>   

> +	/** Supported authentication algorithms */

> +	odp_crypto_protocol_t   protocols;

> +

> +	/** Authentication algorithms implemented with HW offload */

> +	odp_crypto_protocol_t   hw_protocols;

> +

>   } odp_crypto_capability_t;

>   

>   /**

> diff --git a/include/odp/api/spec/crypto_ipsec.h b/include/odp/api/spec/crypto_ipsec.h

> new file mode 100644

> index 0000000..6a0cee0

> --- /dev/null

> +++ b/include/odp/api/spec/crypto_ipsec.h

> @@ -0,0 +1,345 @@

> +/* Copyright (c) 2014, Linaro Limited

> + * Copyright (c) 2015 - 2016 Freescale Semiconductor, Inc.

> + * All rights reserved.

> + *

> + * SPDX-License-Identifier:	BSD-3-Clause

> + */

> +

> +/**

> + * @file

> + *

> + * ODP crypto IPSec extension

> + */

> +

> +#ifndef ODP_API_CRYPTO_IPSEC_H_

> +#define ODP_API_CRYPTO_IPSEC_H_

> +

> +#ifdef __cplusplus

> +extern "C" {

> +#endif

> +

> +

> +typedef enum odp_ipsec_mode {

> +	ODP_IPSEC_MODE_TUNNEL,	    /**< IPSec tunnel mode */

> +	ODP_IPSEC_MODE_TRANSPORT,   /**< IPSec transport mode */

> +} odp_ipsec_mode_t;

> +

> +typedef enum odp_ipsec_proto {

> +	ODP_IPSEC_ESP,		   /**< ESP protocol */

> +} odp_ipsec_proto_t;

> +

> +typedef enum odp_ipsec_outhdr_type {

> +	ODP_IPSEC_OUTHDR_IPV4,	  /**< Outer header is IPv4 */

> +	ODP_IPSEC_OUTHDR_IPV6,	  /**< Outer header is IPv6 */

> +} odp_ipsec_outhdr_type_t;

> +

> +typedef enum odp_ipsec_ar_ws {

> +	ODP_IPSEC_AR_WS_NONE,	   /**< Anti-replay is not enabled */

> +	ODP_IPSEC_AR_WS_32,	   /**< Anti-replay window size 32 */

> +	ODP_IPSEC_AR_WS_64,	   /**< Anti-replay window size 64 */

> +	ODP_IPSEC_AR_WS_128,	   /**< Anti-replay window size 128 */

> +} odp_ipsec_ar_ws_t;

> +

> +typedef struct odp_ipsec_params {

> +	odp_ipsec_mode_t ipsec_mode; /** Transport or Tunnel */

> +	uint32_t spi;		 /** SPI value */

> +	uint32_t seq;		 /** Initial SEQ number */

> +	odp_ipsec_ar_ws_t ar_ws; /** Anti-replay window size -

> +					inbound session with authentication */

> +	odp_bool_t esn;		/** Use extended sequence numbers */

> +	odp_bool_t auto_iv;	/** Auto IV generation for each operation. */

> +	uint16_t out_hdr_size;	 /** outer header size - tunnel mode */

> +	uint8_t *out_hdr;	 /** outer header - tunnel mode */

> +	odp_ipsec_outhdr_type_t out_hdr_type; /* outer header type -

> +						    tunnel mode */

> +	odp_bool_t ip_csum;	/** update/verify ip header checksum */

> +	odp_bool_t ip_dttl;	/** decrement ttl - tunnel mode encap & decap */

> +	odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode decap */

> +	odp_bool_t copy_dscp;	/** DiffServ Copy - Copy the IPv4 TOS or

> +				    IPv6 Traffic Class byte from the inner/outer

> +				    IP header to the outer/inner IP header -

> +				    tunnel mode encap & decap */

> +	odp_bool_t copy_df;	/** Copy DF bit - copy the DF bit from

> +				    the inner IP header to the

> +				    outer IP header - tunnel mode encap */

> +	odp_bool_t nat_t;	/** NAT-T encapsulation enabled - tunnel mode */

> +	odp_bool_t udp_csum;    /** Update/verify UDP csum when NAT-T enabled */

> +

> +} odp_ipsec_esp_params_t;

> +

> +/**

> + * Configure crypto session for IPsec processing

> + *

> + * Configures a crypto session for IPSec protocol processing.

> + * Packets submitted to an IPSec enabled session will have

> + * relevant IPSec headers/trailers and tunnel headers

> + * added/removed by the crypto implementation.

> + * For example, the input packet for an IPSec ESP transport

> + * enabled session should be the clear text packet with

> + * no ESP headers/trailers prepared in advance for crypto operation.

> + * The output packet will have ESP header, IV, trailer and the ESP ICV

> + * added by crypto implementation.

> + * Depending on the particular capabilities of an implementation and

> + * the parameters enabled by application, the application may be

> + * partially or completely offloaded from IPSec protocol processing.

> + * For example, if an implementation does not support checksum

> + * update for IP header after adding ESP header the application

> + * should update after crypto IPSec operation.

> + *

> + * If an implementation does not support a particular set of

> + * arguments it should return error.

> + *

> + * @param session	    Session handle

> + * @param ipsec_proto	    IPSec protocol

> + * @param ipsec_params	    IPSec parameters. Parameters which are not

> + *			    relevant for selected protocol & mode are ignored -

> + *			    e.g. outer_hdr/size set for ESP transport mode.

> + * @retval 0 on success

> + * @retval <0 on failure

> + */

> +int odp_crypto_ipsec_session_create(odp_crypto_session_params_t *ses_params,

> +				    odp_ipsec_proto_t ipsec_proto,

> +				    odp_ipsec_params_t *ipsec_params,

> +				    odp_crypto_session_t *session_out,

> +				    odp_crypto_ses_create_err_t *status);

> +

> +

> +/*!

> + * SPD Policy/SA direction information

> + */

> +enum odp_ipsec_direction {

> +	ODP_IPSEC_INBOUND =1, 	/**< Inbound Direction */

> +	ODP_IPSEC_OUTBOUND 	/**< Outbound Direction */

> +};

> +

> +

> +/*!

> + * DSCP Range information

> + */

> +struct odp_ipsec_policy_rule_dscprange {

> +	uint8_t start; 	/**< Start value in Range */

> +	uint8_t end; 	/**< End value  in Range */

> +};

> +

> +/*!

> + * Fragmentation Before Encapsulation (Redside Fragmentation)

> + */

> +enum odp_ipsec_policy_redside_fragmentation {

> +	ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_DISABLE = 0,

> +	/**< Diasable Redside fragmentation in IPSec Policy */

> +	ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_ENABLE

> +		/**< Enable Redside fragmentation in IPSec Policy */

> +};

> +

> +/*!

> + * Input parameters to SPD Policy addition

> + */

> +struct odp_ipsec_spd_params{

> +	uint32_t tunnel_id;

> +	/**< Tunnel ID */

> +	enum odp_ipsec_direction dir;

> +	/**< Direction: Inbound or Outbound */

> +	uint32_t n_dscp_ranges;

> +	/**< Number of DSCP Ranges */

> +	struct odp_ipsec_policy_rule_dscprange *dscp_ranges;

> +	/**< Array of DSCP Ranges */

> +	enum odp_ipsec_policy_redside_fragmentation redside;

> +	/**< Fragmentation before Encapsulation option: TRUE/FALSE */

> +	uint32_t n_selectors;

> +	/**< Number of selectors */

> +	const odp_pmr_param_t *selectors;

> +	/**< Array of Selectors */

> +};

> +

> +/*!

> + * Output parameters to SPD Policy addition

> + */

> +typedef struct odp_ipsec_spd_add_err{

> +	int32_t result;

> +	/**< 0:Success; Non Zero value: Error code indicating failure */

> +}odp_ipsec_pol_add_err_t;

> +

> +/*!

> + * @brief This API is used to add Inbound/Outbound SPD policy to SPD policy

> + * database.  This database is maintained per Name Space and Tunnel instance.

> + * This function first validates the incoming parameters

> + * and if all validations succeed, new SPD policy is added to the database.

> + *

> + * @param[in] params	Pointer to input param structure which contains

> + *			spd policy information.

> + * @param[out] policy 	Handle to the IPSEC policy.

> + * @param[out] resp	Failure code if unsuccessful.

> + *

> + * @returns 0 on Success or negative value on failure.

> + *

> + */

> +int32_t odp_ipsec_spd_add(

> +		const struct odp_ipsec_spd_params *params,

> +		odp_ipsec_policy_t *policy,

> +		odp_ipsec_pol_add_err_t *resp);

> +

> +/*!

> + * @brief This API is used to delete Inbound/Outbound SPD policy from SPD policy

> + * database.

> + *

> + * @param[in] policy 	Handle to the IPSEC policy.

> + *

> + * @returns 0 on Success or negative value on failure.

> + *

> + */

> +int32_t odp_ipsec_spd_del(odp_ipsec_policy_t policy);

> +

> +/*!

> + * @brief This API is used to flush/delete all Inbound and Outbound SPD

> + * policies.

> + *

> + * @returns 0 on Success or negative value on failure.

> + *

> + */

> +int32_t odp_ipsec_spd_flush();

> +

> +/*!

> + * @brief This API maps an IPSEC policy to an IPSEC crypto session.

> + *

> + * @param[in] policy - Handle to the IPSEC policy.

> + * @param[in] session - Handle to the IPSEC session(SA).

> + *

> + * @returns SUCCESS on success; FAILURE otherwise

> + *

> + */

> +int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy

> +				odp_crypto_session_t session);

> +

> +/*!

> + * @brief This API unmaps an IPSEC policy to an IPSEC crypto session.

> + *

> + * @param[in] policy - Handle to the IPSEC policy.

> + * @param[in] session - Handle to the IPSEC session(SA).

> + *

> + * @returns SUCCESS on success; FAILURE otherwise

> + *

> + */

> +int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy

> +				odp_crypto_session_t session);

> +

> +/*!

> + * SPD Policy Statistics information structure

> + */

> +typedef struct odp_ipsec_spd_stats {

> +	uint64_t received_pkts;

> +	/**< Received Outbound/Inbound packets */

> +	uint64_t processed_pkts;

> +	/**< Processed Outbound/Inbound packets */

> +	uint64_t processed_bytes;

> +	/**< Number of bytes processed on Inbound/Outbound policy */

> +

> +	/*! Struct details

> +	 */

> +	struct {

> +		uint32_t crypto_op_failed;

> +		/**< Crypto operations failed */

> +	}protocol_violation_errors;

> +	/**< Protocol violation errors */

> +

> +	/*! Struct details

> +	 */

> +	struct {

> +		uint32_t no_matching_dscp_range;

> +		/**< Matching dscp range not found in the SPD policy */

> +

> +		uint32_t submit_to_sec_failed;

> +		/**< Submission to SEC failed for crypto operations */

> +		uint32_t no_outb_sa;

> +		/**< Outbound SA not found */

> +		uint32_t frag_failed;

> +		/**< Fragmentation failed */

> +		uint32_t mem_alloc_failed;

> +		/**< Memory allocation failed for SA/SPD/descriptor etc.*/

> +		uint32_t internal_error;

> +		/**< All other errors locally encountered */

> +	}local_errors;

> +	/**< Local/internal errors */

> +

> +}odp_ipsec_spd_stats_t;

> +

> +/*!

> + * @brief This API fetches global statistics.

> + *

> + * @param[out] stats  Pointer to statistics structure filled by this API.

> + *

> + * @returns 0 on Success or negative value on failure.

> + *

> + */

> +int32_t odp_ipsec_global_stats_get(odp_ipsec_spd_stats_t *stats);

> +

> +/*!

> + * IPSec Module Capabilities

> + */

> +struct odp_ipsec_capabilities {

> +	/*! This parameter indicates if IPSec-DP is capable of doing SPD

> +	 * rule search for incoming or outgoing datagrams

> +	 */

> +

> +	uint32_t sel_store_in_spd : 1,

> +

> +		 /*! Authentication Header processing */

> +		 ah_protocol:1,

> +

> +		 /*! ESP Header processing */

> +		 esp_protocol:1,

> +

> +		 /*! IPComp related processing */

> +		 ipcomp_protocol:1,

> +

> +		 /*! IPSec Tunnel Mode processing */

> +		 tunnel_mode:1,

> +

> +		 /*! IPSec Tunnel Mode processing */

> +		 transport_mode:1,

> +

> +		 /*! This indicates if IPSec has capability to generate

> +		  * (for Outbound) and verify (for Inbound) extended sequence numbers.

> +		  */

> +		 esn:1,

> +

> +		 /*! This option indicates whether IPSec can

> +		  * handle the necessary UDP Encapsulation required at

> +		  * IPSec level for traversing NAT boxes.

> +		  */

> +		 udp_encap:1,

> +

> +		 /*! This option indicates whether IPSec can fragment packets

> +		  * before IPSec encryption, so that the resulting IPSec encrypted

> +		  * fragments do not exceed MTU

> +		  */

> +		 redside_frag:1,

> +

> +

> +	/*! Indicates the maximum number of IN and OUT SPD policies. */

> +	uint32_t	    max_spd_policies;

> +

> +	/*! Indicates the maximum number of IN and OUT IPSec SAs. */

> +	uint32_t	     max_sas;

> +}odp_ipsec_capabilities_t;

> +

> +/*!

> + * @brief This API fetches IPSec module Capabilities

> + *

> + * @param[out] capa - capabilities structure filled by API.

> + *

> + * @returns SUCCESS on success; FAILURE otherwise

> + *

> + */

> +int32_t odp_ipsec_capabilities_get(odp_ipsec_capabilities_t *capa);

> +

> +

> +#endif /* __IPSEC_API_H */

> +/**

> + * @}

> + */

> +

> +#ifdef __cplusplus

> +}

> +#endif

> +

> +#endif
Bill Fischofer Sept. 23, 2016, 7:09 p.m. UTC | #2
On Fri, Sep 23, 2016 at 8:38 AM, Maxim Uvarov <maxim.uvarov@linaro.org>
wrote:

> patch prefix has to be API-NEXT

>


It should also be marked RFC, since this isn't a complete patch, but that's
fine for review purposes


> and comments <*! - looks very stange. At least we did not have such styled

> comments before.



The ODP doxygen convention is to use comments that begin /**, not /*!.
Again a small point for the review.

Thanks, Nikhil. We'll include this in Monday's discussions.


>

>

> Maxim.

>

>

> On 09/23/16 18:42, Nikhil Agarwal wrote:

>

>> TODO items:

>> - Event Notification(Eg. Seq Number overflow, SA not found, SA hard/soft

>> expiry)

>> - statistics APIs

>> - Encrpt and send APIs

>>

>> Signed-off-by: Nikhil Agarwal <nikhil.agarwal@linaro.org>

>> ---

>>   include/odp/api/spec/crypto.h       |  29 +++

>>   include/odp/api/spec/crypto_ipsec.h | 345

>> ++++++++++++++++++++++++++++++++++++

>>   2 files changed, 374 insertions(+)

>>   create mode 100644 include/odp/api/spec/crypto_ipsec.h

>>

>> diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto.

>> h

>> index dea1fe9..b629b82 100644

>> --- a/include/odp/api/spec/crypto.h

>> +++ b/include/odp/api/spec/crypto.h

>> @@ -144,6 +144,27 @@ typedef union odp_crypto_auth_algos_t {

>>         uint32_t all_bits;

>>   } odp_crypto_auth_algos_t;

>>   +

>> +/**

>> + * Network security protocols in bit field structure

>> + */

>> +typedef union odp_crypto_protocol_t {

>> +       /** Network security protocols */

>> +       struct {

>> +               /** ODP_AUTH_ALG_NULL */

>> +               uint32_t ipsec_esp    : 1;

>> +

>> +               /** ODP_AUTH_ALG_MD5_96 */

>> +               uint32_t ipsec_ah     : 1;

>> +

>> +       } bit;

>> +

>> +       /** All bits of the bit field structure

>> +         *

>> +         * This field can be used to set/clear all flags, or bitwise

>> +         * operations over the entire structure. */

>> +       uint32_t all_bits;

>> +} odp_crypto_protocol_t;

>>   /**

>>    * Crypto API key structure

>>    */

>> @@ -264,6 +285,8 @@ typedef enum {

>>         ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER,

>>         /** Creation failed, bad auth params */

>>         ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH,

>> +       /** Creation failed, bad protocol params */

>> +       ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO,

>>   } odp_crypto_ses_create_err_t;

>>     /**

>> @@ -332,6 +355,12 @@ typedef struct odp_crypto_capability_t {

>>         /** Authentication algorithms implemented with HW offload */

>>         odp_crypto_auth_algos_t   hw_auths;

>>   +     /** Supported authentication algorithms */

>> +       odp_crypto_protocol_t   protocols;

>> +

>> +       /** Authentication algorithms implemented with HW offload */

>> +       odp_crypto_protocol_t   hw_protocols;

>> +

>>   } odp_crypto_capability_t;

>>     /**

>> diff --git a/include/odp/api/spec/crypto_ipsec.h

>> b/include/odp/api/spec/crypto_ipsec.h

>> new file mode 100644

>> index 0000000..6a0cee0

>> --- /dev/null

>> +++ b/include/odp/api/spec/crypto_ipsec.h

>> @@ -0,0 +1,345 @@

>> +/* Copyright (c) 2014, Linaro Limited

>> + * Copyright (c) 2015 - 2016 Freescale Semiconductor, Inc.

>> + * All rights reserved.

>> + *

>> + * SPDX-License-Identifier:    BSD-3-Clause

>> + */

>> +

>> +/**

>> + * @file

>> + *

>> + * ODP crypto IPSec extension

>> + */

>> +

>> +#ifndef ODP_API_CRYPTO_IPSEC_H_

>> +#define ODP_API_CRYPTO_IPSEC_H_

>> +

>> +#ifdef __cplusplus

>> +extern "C" {

>> +#endif

>> +

>> +

>> +typedef enum odp_ipsec_mode {

>> +       ODP_IPSEC_MODE_TUNNEL,      /**< IPSec tunnel mode */

>> +       ODP_IPSEC_MODE_TRANSPORT,   /**< IPSec transport mode */

>> +} odp_ipsec_mode_t;

>> +

>> +typedef enum odp_ipsec_proto {

>> +       ODP_IPSEC_ESP,             /**< ESP protocol */

>> +} odp_ipsec_proto_t;

>> +

>> +typedef enum odp_ipsec_outhdr_type {

>> +       ODP_IPSEC_OUTHDR_IPV4,    /**< Outer header is IPv4 */

>> +       ODP_IPSEC_OUTHDR_IPV6,    /**< Outer header is IPv6 */

>> +} odp_ipsec_outhdr_type_t;

>> +

>> +typedef enum odp_ipsec_ar_ws {

>> +       ODP_IPSEC_AR_WS_NONE,      /**< Anti-replay is not enabled */

>> +       ODP_IPSEC_AR_WS_32,        /**< Anti-replay window size 32 */

>> +       ODP_IPSEC_AR_WS_64,        /**< Anti-replay window size 64 */

>> +       ODP_IPSEC_AR_WS_128,       /**< Anti-replay window size 128 */

>> +} odp_ipsec_ar_ws_t;

>> +

>> +typedef struct odp_ipsec_params {

>> +       odp_ipsec_mode_t ipsec_mode; /** Transport or Tunnel */

>> +       uint32_t spi;            /** SPI value */

>> +       uint32_t seq;            /** Initial SEQ number */

>> +       odp_ipsec_ar_ws_t ar_ws; /** Anti-replay window size -

>> +                                       inbound session with

>> authentication */

>> +       odp_bool_t esn;         /** Use extended sequence numbers */

>> +       odp_bool_t auto_iv;     /** Auto IV generation for each

>> operation. */

>> +       uint16_t out_hdr_size;   /** outer header size - tunnel mode */

>> +       uint8_t *out_hdr;        /** outer header - tunnel mode */

>> +       odp_ipsec_outhdr_type_t out_hdr_type; /* outer header type -

>> +                                                   tunnel mode */

>> +       odp_bool_t ip_csum;     /** update/verify ip header checksum */

>> +       odp_bool_t ip_dttl;     /** decrement ttl - tunnel mode encap &

>> decap */

>> +       odp_bool_t remove_outer_hdr; /** remove outer header - tunnel

>> mode decap */

>> +       odp_bool_t copy_dscp;   /** DiffServ Copy - Copy the IPv4 TOS or

>> +                                   IPv6 Traffic Class byte from the

>> inner/outer

>> +                                   IP header to the outer/inner IP

>> header -

>> +                                   tunnel mode encap & decap */

>> +       odp_bool_t copy_df;     /** Copy DF bit - copy the DF bit from

>> +                                   the inner IP header to the

>> +                                   outer IP header - tunnel mode encap */

>> +       odp_bool_t nat_t;       /** NAT-T encapsulation enabled - tunnel

>> mode */

>> +       odp_bool_t udp_csum;    /** Update/verify UDP csum when NAT-T

>> enabled */

>> +

>> +} odp_ipsec_esp_params_t;

>> +

>> +/**

>> + * Configure crypto session for IPsec processing

>> + *

>> + * Configures a crypto session for IPSec protocol processing.

>> + * Packets submitted to an IPSec enabled session will have

>> + * relevant IPSec headers/trailers and tunnel headers

>> + * added/removed by the crypto implementation.

>> + * For example, the input packet for an IPSec ESP transport

>> + * enabled session should be the clear text packet with

>> + * no ESP headers/trailers prepared in advance for crypto operation.

>> + * The output packet will have ESP header, IV, trailer and the ESP ICV

>> + * added by crypto implementation.

>> + * Depending on the particular capabilities of an implementation and

>> + * the parameters enabled by application, the application may be

>> + * partially or completely offloaded from IPSec protocol processing.

>> + * For example, if an implementation does not support checksum

>> + * update for IP header after adding ESP header the application

>> + * should update after crypto IPSec operation.

>> + *

>> + * If an implementation does not support a particular set of

>> + * arguments it should return error.

>> + *

>> + * @param session          Session handle

>> + * @param ipsec_proto      IPSec protocol

>> + * @param ipsec_params     IPSec parameters. Parameters which are not

>> + *                         relevant for selected protocol & mode are

>> ignored -

>> + *                         e.g. outer_hdr/size set for ESP transport

>> mode.

>> + * @retval 0 on success

>> + * @retval <0 on failure

>> + */

>> +int odp_crypto_ipsec_session_create(odp_crypto_session_params_t

>> *ses_params,

>> +                                   odp_ipsec_proto_t ipsec_proto,

>> +                                   odp_ipsec_params_t *ipsec_params,

>> +                                   odp_crypto_session_t *session_out,

>> +                                   odp_crypto_ses_create_err_t *status);

>> +

>> +

>> +/*!

>> + * SPD Policy/SA direction information

>> + */

>> +enum odp_ipsec_direction {

>> +       ODP_IPSEC_INBOUND =1,   /**< Inbound Direction */

>> +       ODP_IPSEC_OUTBOUND      /**< Outbound Direction */

>> +};

>> +

>> +

>> +/*!

>> + * DSCP Range information

>> + */

>> +struct odp_ipsec_policy_rule_dscprange {

>> +       uint8_t start;  /**< Start value in Range */

>> +       uint8_t end;    /**< End value  in Range */

>> +};

>> +

>> +/*!

>> + * Fragmentation Before Encapsulation (Redside Fragmentation)

>> + */

>> +enum odp_ipsec_policy_redside_fragmentation {

>> +       ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_DISABLE = 0,

>> +       /**< Diasable Redside fragmentation in IPSec Policy */

>> +       ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_ENABLE

>> +               /**< Enable Redside fragmentation in IPSec Policy */

>> +};

>> +

>> +/*!

>> + * Input parameters to SPD Policy addition

>> + */

>> +struct odp_ipsec_spd_params{

>> +       uint32_t tunnel_id;

>> +       /**< Tunnel ID */

>> +       enum odp_ipsec_direction dir;

>> +       /**< Direction: Inbound or Outbound */

>> +       uint32_t n_dscp_ranges;

>> +       /**< Number of DSCP Ranges */

>> +       struct odp_ipsec_policy_rule_dscprange *dscp_ranges;

>> +       /**< Array of DSCP Ranges */

>> +       enum odp_ipsec_policy_redside_fragmentation redside;

>> +       /**< Fragmentation before Encapsulation option: TRUE/FALSE */

>> +       uint32_t n_selectors;

>> +       /**< Number of selectors */

>> +       const odp_pmr_param_t *selectors;

>> +       /**< Array of Selectors */

>> +};

>> +

>> +/*!

>> + * Output parameters to SPD Policy addition

>> + */

>> +typedef struct odp_ipsec_spd_add_err{

>> +       int32_t result;

>> +       /**< 0:Success; Non Zero value: Error code indicating failure */

>> +}odp_ipsec_pol_add_err_t;

>> +

>> +/*!

>> + * @brief This API is used to add Inbound/Outbound SPD policy to SPD

>> policy

>> + * database.  This database is maintained per Name Space and Tunnel

>> instance.

>> + * This function first validates the incoming parameters

>> + * and if all validations succeed, new SPD policy is added to the

>> database.

>> + *

>> + * @param[in] params   Pointer to input param structure which contains

>> + *                     spd policy information.

>> + * @param[out] policy  Handle to the IPSEC policy.

>> + * @param[out] resp    Failure code if unsuccessful.

>> + *

>> + * @returns 0 on Success or negative value on failure.

>> + *

>> + */

>> +int32_t odp_ipsec_spd_add(

>> +               const struct odp_ipsec_spd_params *params,

>> +               odp_ipsec_policy_t *policy,

>> +               odp_ipsec_pol_add_err_t *resp);

>> +

>> +/*!

>> + * @brief This API is used to delete Inbound/Outbound SPD policy from

>> SPD policy

>> + * database.

>> + *

>> + * @param[in] policy   Handle to the IPSEC policy.

>> + *

>> + * @returns 0 on Success or negative value on failure.

>> + *

>> + */

>> +int32_t odp_ipsec_spd_del(odp_ipsec_policy_t policy);

>> +

>> +/*!

>> + * @brief This API is used to flush/delete all Inbound and Outbound SPD

>> + * policies.

>> + *

>> + * @returns 0 on Success or negative value on failure.

>> + *

>> + */

>> +int32_t odp_ipsec_spd_flush();

>> +

>> +/*!

>> + * @brief This API maps an IPSEC policy to an IPSEC crypto session.

>> + *

>> + * @param[in] policy - Handle to the IPSEC policy.

>> + * @param[in] session - Handle to the IPSEC session(SA).

>> + *

>> + * @returns SUCCESS on success; FAILURE otherwise

>> + *

>> + */

>> +int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy

>> +                               odp_crypto_session_t session);

>> +

>> +/*!

>> + * @brief This API unmaps an IPSEC policy to an IPSEC crypto session.

>> + *

>> + * @param[in] policy - Handle to the IPSEC policy.

>> + * @param[in] session - Handle to the IPSEC session(SA).

>> + *

>> + * @returns SUCCESS on success; FAILURE otherwise

>> + *

>> + */

>> +int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy

>> +                               odp_crypto_session_t session);

>> +

>> +/*!

>> + * SPD Policy Statistics information structure

>> + */

>> +typedef struct odp_ipsec_spd_stats {

>> +       uint64_t received_pkts;

>> +       /**< Received Outbound/Inbound packets */

>> +       uint64_t processed_pkts;

>> +       /**< Processed Outbound/Inbound packets */

>> +       uint64_t processed_bytes;

>> +       /**< Number of bytes processed on Inbound/Outbound policy */

>> +

>> +       /*! Struct details

>> +        */

>> +       struct {

>> +               uint32_t crypto_op_failed;

>> +               /**< Crypto operations failed */

>> +       }protocol_violation_errors;

>> +       /**< Protocol violation errors */

>> +

>> +       /*! Struct details

>> +        */

>> +       struct {

>> +               uint32_t no_matching_dscp_range;

>> +               /**< Matching dscp range not found in the SPD policy */

>> +

>> +               uint32_t submit_to_sec_failed;

>> +               /**< Submission to SEC failed for crypto operations */

>> +               uint32_t no_outb_sa;

>> +               /**< Outbound SA not found */

>> +               uint32_t frag_failed;

>> +               /**< Fragmentation failed */

>> +               uint32_t mem_alloc_failed;

>> +               /**< Memory allocation failed for SA/SPD/descriptor etc.*/

>> +               uint32_t internal_error;

>> +               /**< All other errors locally encountered */

>> +       }local_errors;

>> +       /**< Local/internal errors */

>> +

>> +}odp_ipsec_spd_stats_t;

>> +

>> +/*!

>> + * @brief This API fetches global statistics.

>> + *

>> + * @param[out] stats  Pointer to statistics structure filled by this API.

>> + *

>> + * @returns 0 on Success or negative value on failure.

>> + *

>> + */

>> +int32_t odp_ipsec_global_stats_get(odp_ipsec_spd_stats_t *stats);

>> +

>> +/*!

>> + * IPSec Module Capabilities

>> + */

>> +struct odp_ipsec_capabilities {

>> +       /*! This parameter indicates if IPSec-DP is capable of doing SPD

>> +        * rule search for incoming or outgoing datagrams

>> +        */

>> +

>> +       uint32_t sel_store_in_spd : 1,

>> +

>> +                /*! Authentication Header processing */

>> +                ah_protocol:1,

>> +

>> +                /*! ESP Header processing */

>> +                esp_protocol:1,

>> +

>> +                /*! IPComp related processing */

>> +                ipcomp_protocol:1,

>> +

>> +                /*! IPSec Tunnel Mode processing */

>> +                tunnel_mode:1,

>> +

>> +                /*! IPSec Tunnel Mode processing */

>> +                transport_mode:1,

>> +

>> +                /*! This indicates if IPSec has capability to generate

>> +                 * (for Outbound) and verify (for Inbound) extended

>> sequence numbers.

>> +                 */

>> +                esn:1,

>> +

>> +                /*! This option indicates whether IPSec can

>> +                 * handle the necessary UDP Encapsulation required at

>> +                 * IPSec level for traversing NAT boxes.

>> +                 */

>> +                udp_encap:1,

>> +

>> +                /*! This option indicates whether IPSec can fragment

>> packets

>> +                 * before IPSec encryption, so that the resulting IPSec

>> encrypted

>> +                 * fragments do not exceed MTU

>> +                 */

>> +                redside_frag:1,

>> +

>> +

>> +       /*! Indicates the maximum number of IN and OUT SPD policies. */

>> +       uint32_t            max_spd_policies;

>> +

>> +       /*! Indicates the maximum number of IN and OUT IPSec SAs. */

>> +       uint32_t             max_sas;

>> +}odp_ipsec_capabilities_t;

>> +

>> +/*!

>> + * @brief This API fetches IPSec module Capabilities

>> + *

>> + * @param[out] capa - capabilities structure filled by API.

>> + *

>> + * @returns SUCCESS on success; FAILURE otherwise

>> + *

>> + */

>> +int32_t odp_ipsec_capabilities_get(odp_ipsec_capabilities_t *capa);

>> +

>> +

>> +#endif /* __IPSEC_API_H */

>> +/**

>> + * @}

>> + */

>> +

>> +#ifdef __cplusplus

>> +}

>> +#endif

>> +

>> +#endif

>>

>

>

>

Patch

diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto.h
index dea1fe9..b629b82 100644
--- a/include/odp/api/spec/crypto.h
+++ b/include/odp/api/spec/crypto.h
@@ -144,6 +144,27 @@  typedef union odp_crypto_auth_algos_t {
 	uint32_t all_bits;
 } odp_crypto_auth_algos_t;
 
+
+/**
+ * Network security protocols in bit field structure
+ */
+typedef union odp_crypto_protocol_t {
+	/** Network security protocols */
+	struct {
+		/** ODP_AUTH_ALG_NULL */
+		uint32_t ipsec_esp    : 1;
+
+		/** ODP_AUTH_ALG_MD5_96 */
+		uint32_t ipsec_ah     : 1;
+
+	} bit;
+
+	/** All bits of the bit field structure
+	  *
+	  * This field can be used to set/clear all flags, or bitwise
+	  * operations over the entire structure. */
+	uint32_t all_bits;
+} odp_crypto_protocol_t;
 /**
  * Crypto API key structure
  */
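Review bot: The doc comments on the two new bit fields in odp_crypto_protocol_t name the wrong things, apparently copied from odp_crypto_auth_algos_t just above: `ipsec_esp` is documented as `ODP_AUTH_ALG_NULL` and `ipsec_ah` as `ODP_AUTH_ALG_MD5_96`. They should read `/** IPsec ESP protocol */` and `/** IPsec AH protocol */`. The same copy-paste is in the odp_crypto_capability_t hunk, where `protocols` and `hw_protocols` are both described as authentication algorithms; suggest `/** Supported protocols */` and `/** Protocols implemented with HW offload */`. Applications will presumably read these capability bits to decide whether IPsec processing can be offloaded, so the comments need to say what each bit actually advertises. Also, `ipsec_ah` is advertised here while `odp_ipsec_proto_t` in crypto_ipsec.h defines only `ODP_IPSEC_ESP`, so as written an AH capability could be reported but never requested.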
@@ -264,6 +285,8 @@  typedef enum {
 	ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER,
 	/** Creation failed, bad auth params */
 	ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH,
+	/** Creation failed, bad protocol params */
+	ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO,
 } odp_crypto_ses_create_err_t;
 
 /**
@@ -332,6 +355,12 @@  typedef struct odp_crypto_capability_t {
 	/** Authentication algorithms implemented with HW offload */
 	odp_crypto_auth_algos_t   hw_auths;
 
+	/** Supported authentication algorithms */
+	odp_crypto_protocol_t   protocols;
+
+	/** Authentication algorithms implemented with HW offload */
+	odp_crypto_protocol_t   hw_protocols;
+
 } odp_crypto_capability_t;
 
 /**
diff --git a/include/odp/api/spec/crypto_ipsec.h b/include/odp/api/spec/crypto_ipsec.h
new file mode 100644
index 0000000..6a0cee0
--- /dev/null
+++ b/include/odp/api/spec/crypto_ipsec.h
@@ -0,0 +1,345 @@ 
+/* Copyright (c) 2014, Linaro Limited
+ * Copyright (c) 2015 - 2016 Freescale Semiconductor, Inc.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier:	BSD-3-Clause
+ */
+
+/**
+ * @file
+ *
+ * ODP crypto IPSec extension
+ */
+
+#ifndef ODP_API_CRYPTO_IPSEC_H_
+#define ODP_API_CRYPTO_IPSEC_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef enum odp_ipsec_mode {
+	ODP_IPSEC_MODE_TUNNEL,	    /**< IPSec tunnel mode */
+	ODP_IPSEC_MODE_TRANSPORT,   /**< IPSec transport mode */
+} odp_ipsec_mode_t;
+
+typedef enum odp_ipsec_proto {
+	ODP_IPSEC_ESP,		   /**< ESP protocol */
+} odp_ipsec_proto_t;
+
+typedef enum odp_ipsec_outhdr_type {
+	ODP_IPSEC_OUTHDR_IPV4,	  /**< Outer header is IPv4 */
+	ODP_IPSEC_OUTHDR_IPV6,	  /**< Outer header is IPv6 */
+} odp_ipsec_outhdr_type_t;
+
+typedef enum odp_ipsec_ar_ws {
+	ODP_IPSEC_AR_WS_NONE,	   /**< Anti-replay is not enabled */
+	ODP_IPSEC_AR_WS_32,	   /**< Anti-replay window size 32 */
+	ODP_IPSEC_AR_WS_64,	   /**< Anti-replay window size 64 */
+	ODP_IPSEC_AR_WS_128,	   /**< Anti-replay window size 128 */
+} odp_ipsec_ar_ws_t;
+
+typedef struct odp_ipsec_params {
+	odp_ipsec_mode_t ipsec_mode; /** Transport or Tunnel */
+	uint32_t spi;		 /** SPI value */
+	uint32_t seq;		 /** Initial SEQ number */
+	odp_ipsec_ar_ws_t ar_ws; /** Anti-replay window size -
+					inbound session with authentication */
+	odp_bool_t esn;		/** Use extended sequence numbers */
+	odp_bool_t auto_iv;	/** Auto IV generation for each operation. */
+	uint16_t out_hdr_size;	 /** outer header size - tunnel mode */
+	uint8_t *out_hdr;	 /** outer header - tunnel mode */
+	odp_ipsec_outhdr_type_t out_hdr_type; /* outer header type -
+						    tunnel mode */
+	odp_bool_t ip_csum;	/** update/verify ip header checksum */
+	odp_bool_t ip_dttl;	/** decrement ttl - tunnel mode encap & decap */
+	odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode decap */
+	odp_bool_t copy_dscp;	/** DiffServ Copy - Copy the IPv4 TOS or
+				    IPv6 Traffic Class byte from the inner/outer
+				    IP header to the outer/inner IP header -
+				    tunnel mode encap & decap */
+	odp_bool_t copy_df;	/** Copy DF bit - copy the DF bit from
+				    the inner IP header to the
+				    outer IP header - tunnel mode encap */
+	odp_bool_t nat_t;	/** NAT-T encapsulation enabled - tunnel mode */
+	odp_bool_t udp_csum;    /** Update/verify UDP csum when NAT-T enabled */
+
+} odp_ipsec_esp_params_t;
+
+/**
+ * Configure crypto session for IPsec processing
+ *
+ * Configures a crypto session for IPSec protocol processing.
+ * Packets submitted to an IPSec enabled session will have
+ * relevant IPSec headers/trailers and tunnel headers
+ * added/removed by the crypto implementation.
+ * For example, the input packet for an IPSec ESP transport
+ * enabled session should be the clear text packet with
+ * no ESP headers/trailers prepared in advance for crypto operation.
+ * The output packet will have ESP header, IV, trailer and the ESP ICV
+ * added by crypto implementation.
+ * Depending on the particular capabilities of an implementation and
+ * the parameters enabled by application, the application may be
+ * partially or completely offloaded from IPSec protocol processing.
+ * For example, if an implementation does not support checksum
+ * update for IP header after adding ESP header the application
+ * should update after crypto IPSec operation.
+ *
+ * If an implementation does not support a particular set of
+ * arguments it should return error.
+ *
+ * @param session	    Session handle
+ * @param ipsec_proto	    IPSec protocol
+ * @param ipsec_params	    IPSec parameters. Parameters which are not
+ *			    relevant for selected protocol & mode are ignored -
+ *			    e.g. outer_hdr/size set for ESP transport mode.
+ * @retval 0 on success
+ * @retval <0 on failure
+ */
+int odp_crypto_ipsec_session_create(odp_crypto_session_params_t *ses_params,
+				    odp_ipsec_proto_t ipsec_proto,
+				    odp_ipsec_params_t *ipsec_params,
+				    odp_crypto_session_t *session_out,
+				    odp_crypto_ses_create_err_t *status);
+
+
+/*!
+ * SPD Policy/SA direction information
+ */
+enum odp_ipsec_direction {
+	ODP_IPSEC_INBOUND =1, 	/**< Inbound Direction */
+	ODP_IPSEC_OUTBOUND 	/**< Outbound Direction */
+};
+
+
+/*!
+ * DSCP Range information
+ */
+struct odp_ipsec_policy_rule_dscprange {
+	uint8_t start; 	/**< Start value in Range */
+	uint8_t end; 	/**< End value  in Range */
+};
+
+/*!
+ * Fragmentation Before Encapsulation (Redside Fragmentation)
+ */
+enum odp_ipsec_policy_redside_fragmentation {
+	ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_DISABLE = 0,
+	/**< Diasable Redside fragmentation in IPSec Policy */
+	ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_ENABLE
+		/**< Enable Redside fragmentation in IPSec Policy */
+};
+
+/*!
+ * Input parameters to SPD Policy addition
+ */
+struct odp_ipsec_spd_params{
+	uint32_t tunnel_id;
+	/**< Tunnel ID */
+	enum odp_ipsec_direction dir;
+	/**< Direction: Inbound or Outbound */
+	uint32_t n_dscp_ranges;
+	/**< Number of DSCP Ranges */
+	struct odp_ipsec_policy_rule_dscprange *dscp_ranges;
+	/**< Array of DSCP Ranges */
+	enum odp_ipsec_policy_redside_fragmentation redside;
+	/**< Fragmentation before Encapsulation option: TRUE/FALSE */
+	uint32_t n_selectors;
+	/**< Number of selectors */
+	const odp_pmr_param_t *selectors;
+	/**< Array of Selectors */
+};
+
+/*!
+ * Output parameters to SPD Policy addition
+ */
+typedef struct odp_ipsec_spd_add_err{
+	int32_t result;
+	/**< 0:Success; Non Zero value: Error code indicating failure */
+}odp_ipsec_pol_add_err_t;
+
+/*!
+ * @brief This API is used to add Inbound/Outbound SPD policy to SPD policy
+ * database.  This database is maintained per Name Space and Tunnel instance.
+ * This function first validates the incoming parameters
+ * and if all validations succeed, new SPD policy is added to the database.
+ *
+ * @param[in] params	Pointer to input param structure which contains
+ *			spd policy information.
+ * @param[out] policy 	Handle to the IPSEC policy.
+ * @param[out] resp	Failure code if unsuccessful.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_add(
+		const struct odp_ipsec_spd_params *params,
+		odp_ipsec_policy_t *policy,
+		odp_ipsec_pol_add_err_t *resp);
+
+/*!
+ * @brief This API is used to delete Inbound/Outbound SPD policy from SPD policy
+ * database.
+ *
+ * @param[in] policy 	Handle to the IPSEC policy.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_del(odp_ipsec_policy_t policy);
+
+/*!
+ * @brief This API is used to flush/delete all Inbound and Outbound SPD
+ * policies.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_flush();
+
+/*!
+ * @brief This API maps an IPSEC policy to an IPSEC crypto session.
+ *
+ * @param[in] policy - Handle to the IPSEC policy.
+ * @param[in] session - Handle to the IPSEC session(SA).
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy
+				odp_crypto_session_t session);
+
+/*!
+ * @brief This API unmaps an IPSEC policy to an IPSEC crypto session.
+ *
+ * @param[in] policy - Handle to the IPSEC policy.
+ * @param[in] session - Handle to the IPSEC session(SA).
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy
+				odp_crypto_session_t session);
+
+/*!
+ * SPD Policy Statistics information structure
+ */
+typedef struct odp_ipsec_spd_stats {
+	uint64_t received_pkts;
+	/**< Received Outbound/Inbound packets */
+	uint64_t processed_pkts;
+	/**< Processed Outbound/Inbound packets */
+	uint64_t processed_bytes;
+	/**< Number of bytes processed on Inbound/Outbound policy */
+
+	/*! Struct details
+	 */
+	struct {
+		uint32_t crypto_op_failed;
+		/**< Crypto operations failed */
+	}protocol_violation_errors;
+	/**< Protocol violation errors */
+
+	/*! Struct details
+	 */
+	struct {
+		uint32_t no_matching_dscp_range;
+		/**< Matching dscp range not found in the SPD policy */
+
+		uint32_t submit_to_sec_failed;
+		/**< Submission to SEC failed for crypto operations */
+		uint32_t no_outb_sa;
+		/**< Outbound SA not found */
+		uint32_t frag_failed;
+		/**< Fragmentation failed */
+		uint32_t mem_alloc_failed;
+		/**< Memory allocation failed for SA/SPD/descriptor etc.*/
+		uint32_t internal_error;
+		/**< All other errors locally encountered */
+	}local_errors;
+	/**< Local/internal errors */
+
+}odp_ipsec_spd_stats_t;
+
+/*!
+ * @brief This API fetches global statistics.
+ *
+ * @param[out] stats  Pointer to statistics structure filled by this API.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_global_stats_get(odp_ipsec_spd_stats_t *stats);
+
+/*!
+ * IPSec Module Capabilities
+ */
+struct odp_ipsec_capabilities {
+	/*! This parameter indicates if IPSec-DP is capable of doing SPD
+	 * rule search for incoming or outgoing datagrams
+	 */
+
+	uint32_t sel_store_in_spd : 1,
+
+		 /*! Authentication Header processing */
+		 ah_protocol:1,
+
+		 /*! ESP Header processing */
+		 esp_protocol:1,
+
+		 /*! IPComp related processing */
+		 ipcomp_protocol:1,
+
+		 /*! IPSec Tunnel Mode processing */
+		 tunnel_mode:1,
+
+		 /*! IPSec Tunnel Mode processing */
+		 transport_mode:1,
+
+		 /*! This indicates if IPSec has capability to generate
+		  * (for Outbound) and verify (for Inbound) extended sequence numbers.
+		  */
+		 esn:1,
+
+		 /*! This option indicates whether IPSec can
+		  * handle the necessary UDP Encapsulation required at
+		  * IPSec level for traversing NAT boxes.
+		  */
+		 udp_encap:1,
+
+		 /*! This option indicates whether IPSec can fragment packets
+		  * before IPSec encryption, so that the resulting IPSec encrypted
+		  * fragments do not exceed MTU
+		  */
+		 redside_frag:1,
+
+
+	/*! Indicates the maximum number of IN and OUT SPD policies. */
+	uint32_t	    max_spd_policies;
+
+	/*! Indicates the maximum number of IN and OUT IPSec SAs. */
+	uint32_t	     max_sas;
+}odp_ipsec_capabilities_t;
+
+/*!
+ * @brief This API fetches IPSec module Capabilities
+ *
+ * @param[out] capa - capabilities structure filled by API.
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_capabilities_get(odp_ipsec_capabilities_t *capa);
+
+
+#endif /* __IPSEC_API_H */
+/**
+ * @}
+ */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
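Review bot: The new header cannot compile as posted: `struct odp_ipsec_params` is typedef'd as `odp_ipsec_esp_params_t` while `odp_crypto_ipsec_session_create()` takes `odp_ipsec_params_t *`, both `odp_ipsec_map_pol_session()` and `odp_ipsec_unmap_pol_session()` lack the comma between their two parameters, and `struct odp_ipsec_capabilities` has no `typedef` and ends its bit-field list with `redside_frag:1,` instead of a semicolon. The `#endif /* __IPSEC_API_H */` ahead of the closing `@}` has no matching `#if` in this file, so it closes the `ODP_API_CRYPTO_IPSEC_H_` guard early and leaves the final `#endif` unmatched; it should be dropped. `odp_ipsec_policy_t` is used but not declared in any hunk of this patch, and `odp_ipsec_spd_flush()` should be declared with `(void)`. On the API contract, `ODP_IPSEC_AR_WS_NONE` is the zero enumerator, so a zero-initialised parameter struct yields an SA with no replay protection; the `ar_ws` comment should say that explicitly so callers set a window on inbound SAs.

```c
/* … unchanged: members of struct odp_ipsec_params … */
} odp_ipsec_params_t;

/* … unchanged: session create, SPD types, odp_ipsec_spd_add/del … */
int32_t odp_ipsec_spd_flush(void);

int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy,
				  odp_crypto_session_t session);

int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy,
				    odp_crypto_session_t session);

/* … unchanged: SPD statistics … */
typedef struct odp_ipsec_capabilities {
	/* … unchanged: capability bits sel_store_in_spd through udp_encap … */
		 redside_frag:1;
	/* … unchanged: max_spd_policies, max_sas … */
} odp_ipsec_capabilities_t;
```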