TODO items: - Event Notification (e.g. Seq Number overflow, SA not found, SA hard/soft expiry) - statistics APIs - Encrypt and send APIs
Signed-off-by: Nikhil Agarwal <nikhil.agar...@linaro.org>
---
include/odp/api/spec/crypto.h | 29 +++
include/odp/api/spec/crypto_ipsec.h | 345 ++++++++++++++++++++++++++++++++++++
2 files changed, 374 insertions(+)
create mode 100644 include/odp/api/spec/crypto_ipsec.h
diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto.h
index dea1fe9..b629b82 100644
--- a/include/odp/api/spec/crypto.h
+++ b/include/odp/api/spec/crypto.h
@@ -144,6 +144,27 @@ typedef union odp_crypto_auth_algos_t {
 uint32_t all_bits;
 } odp_crypto_auth_algos_t;
 
+
+/**
+ * Network security protocols in bit field structure
+ */
+typedef union odp_crypto_protocol_t {
+ /** Network security protocols */
+ struct {
+ /** ODP_AUTH_ALG_NULL */
+ uint32_t ipsec_esp : 1;
+
+ /** ODP_AUTH_ALG_MD5_96 */
+ uint32_t ipsec_ah : 1;
+
+ } bit;
+
+ /** All bits of the bit field structure
+ *
+ * This field can be used to set/clear all flags, or bitwise
+ * operations over the entire structure. */
+ uint32_t all_bits;
+} odp_crypto_protocol_t;
 /**
  * Crypto API key structure
  */
@@ -264,6 +285,8 @@ typedef enum {
 ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER,
 /** Creation failed, bad auth params */
 ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH,
+ /** Creation failed, bad protocol params */
+ ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO,
 } odp_crypto_ses_create_err_t;
 
 /**
@@ -332,6 +355,12 @@ typedef struct odp_crypto_capability_t {
 /** Authentication algorithms implemented with HW offload */
 odp_crypto_auth_algos_t hw_auths;
 
+ /** Supported authentication algorithms */
+ odp_crypto_protocol_t protocols;
+
+ /** Authentication algorithms implemented with HW offload */
+ odp_crypto_protocol_t hw_protocols;
+
 } odp_crypto_capability_t;
 
 /**
diff --git a/include/odp/api/spec/crypto_ipsec.h b/include/odp/api/spec/crypto_ipsec.h
new file mode 100644
index 0000000..6a0cee0
--- /dev/null
+++ b/include/odp/api/spec/crypto_ipsec.h
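Review bot: The member comments in the new `odp_crypto_protocol_t` union still carry the auth-algorithm names they were copied from: `/** ODP_AUTH_ALG_NULL */` sits above `ipsec_esp` and `/** ODP_AUTH_ALG_MD5_96 */` above `ipsec_ah`, so the generated API reference will describe the ESP bit as the NULL authentication algorithm. Replace them with `/** IPsec ESP (RFC 4303) */` and `/** IPsec AH (RFC 4302) */`. The third hunk of this file has the same copy-paste: `protocols` is documented as "Supported authentication algorithms" and `hw_protocols` as "Authentication algorithms implemented with HW offload", which should read "Supported network security protocols" and "Network security protocols implemented with HW offload". Since the capability now advertises a protocol set, it would also help to say on the new `ODP_CRYPTO_SES_CREATE_ERR_INV_PROTO` value in the second hunk that it is presumably what session creation returns when the requested protocol bit is not set in `protocols`.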
@@ -0,0 +1,345 @@
+/* Copyright (c) 2014, Linaro Limited
+ * Copyright (c) 2015 - 2016 Freescale Semiconductor, Inc.
+ * All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * @file
+ *
+ * ODP crypto IPSec extension
+ */
+
+#ifndef ODP_API_CRYPTO_IPSEC_H_
+#define ODP_API_CRYPTO_IPSEC_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef enum odp_ipsec_mode {
+ ODP_IPSEC_MODE_TUNNEL, /**< IPSec tunnel mode */
+ ODP_IPSEC_MODE_TRANSPORT, /**< IPSec transport mode */
+} odp_ipsec_mode_t;
+
+typedef enum odp_ipsec_proto {
+ ODP_IPSEC_ESP, /**< ESP protocol */
+} odp_ipsec_proto_t;
+
+typedef enum odp_ipsec_outhdr_type {
+ ODP_IPSEC_OUTHDR_IPV4, /**< Outer header is IPv4 */
+ ODP_IPSEC_OUTHDR_IPV6, /**< Outer header is IPv6 */
+} odp_ipsec_outhdr_type_t;
+
+typedef enum odp_ipsec_ar_ws {
+ ODP_IPSEC_AR_WS_NONE, /**< Anti-replay is not enabled */
+ ODP_IPSEC_AR_WS_32, /**< Anti-replay window size 32 */
+ ODP_IPSEC_AR_WS_64, /**< Anti-replay window size 64 */
+ ODP_IPSEC_AR_WS_128, /**< Anti-replay window size 128 */
+} odp_ipsec_ar_ws_t;
+
+typedef struct odp_ipsec_params {
+ odp_ipsec_mode_t ipsec_mode; /** Transport or Tunnel */
+ uint32_t spi; /** SPI value */
+ uint32_t seq; /** Initial SEQ number */
+ odp_ipsec_ar_ws_t ar_ws; /** Anti-replay window size -
+ inbound session with authentication */
+ odp_bool_t esn; /** Use extended sequence numbers */
+ odp_bool_t auto_iv; /** Auto IV generation for each operation. */
+ uint16_t out_hdr_size; /** outer header size - tunnel mode */
+ uint8_t *out_hdr; /** outer header - tunnel mode */
+ odp_ipsec_outhdr_type_t out_hdr_type; /* outer header type -
+ tunnel mode */
+ odp_bool_t ip_csum; /** update/verify ip header checksum */
+ odp_bool_t ip_dttl; /** decrement ttl - tunnel mode encap & decap */
+ odp_bool_t remove_outer_hdr; /** remove outer header - tunnel mode decap */
+ odp_bool_t copy_dscp; /** DiffServ Copy - Copy the IPv4 TOS or
+ IPv6 Traffic Class byte from the inner/outer
+ IP header to the outer/inner IP header -
+ tunnel mode encap & decap */
+ odp_bool_t copy_df; /** Copy DF bit - copy the DF bit from
+ the inner IP header to the
+ outer IP header - tunnel mode encap */
+ odp_bool_t nat_t; /** NAT-T encapsulation enabled - tunnel mode */
+ odp_bool_t udp_csum; /** Update/verify UDP csum when NAT-T enabled */
+
+} odp_ipsec_esp_params_t;
+
+/**
+ * Configure crypto session for IPsec processing
+ *
+ * Configures a crypto session for IPSec protocol processing.
+ * Packets submitted to an IPSec enabled session will have
+ * relevant IPSec headers/trailers and tunnel headers
+ * added/removed by the crypto implementation.
+ * For example, the input packet for an IPSec ESP transport
+ * enabled session should be the clear text packet with
+ * no ESP headers/trailers prepared in advance for crypto operation.
+ * The output packet will have ESP header, IV, trailer and the ESP ICV
+ * added by crypto implementation.
+ * Depending on the particular capabilities of an implementation and
+ * the parameters enabled by application, the application may be
+ * partially or completely offloaded from IPSec protocol processing.
+ * For example, if an implementation does not support checksum
+ * update for IP header after adding ESP header the application
+ * should update after crypto IPSec operation.
+ *
+ * If an implementation does not support a particular set of
+ * arguments it should return error.
+ *
+ * @param session Session handle
+ * @param ipsec_proto IPSec protocol
+ * @param ipsec_params IPSec parameters. Parameters which are not
+ * relevant for selected protocol & mode are ignored -
+ * e.g. outer_hdr/size set for ESP transport mode.
+ * @retval 0 on success
+ * @retval <0 on failure
+ */
+int odp_crypto_ipsec_session_create(odp_crypto_session_params_t *ses_params,
+ odp_ipsec_proto_t ipsec_proto,
+ odp_ipsec_params_t *ipsec_params,
+ odp_crypto_session_t *session_out,
+ odp_crypto_ses_create_err_t *status);
+
+
+/*!
+ * SPD Policy/SA direction information
+ */
+enum odp_ipsec_direction {
+ ODP_IPSEC_INBOUND =1, /**< Inbound Direction */
+ ODP_IPSEC_OUTBOUND /**< Outbound Direction */
+};
+
+
+/*!
+ * DSCP Range information
+ */
+struct odp_ipsec_policy_rule_dscprange {
+ uint8_t start; /**< Start value in Range */
+ uint8_t end; /**< End value in Range */
+};
+
+/*!
+ * Fragmentation Before Encapsulation (Redside Fragmentation)
+ */
+enum odp_ipsec_policy_redside_fragmentation {
+ ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_DISABLE = 0,
+ /**< Diasable Redside fragmentation in IPSec Policy */
+ ODP_IPSEC_POLICY_REDSIDE_FRAGMENTATION_ENABLE
+ /**< Enable Redside fragmentation in IPSec Policy */
+};
+
+/*!
+ * Input parameters to SPD Policy addition
+ */
+struct odp_ipsec_spd_params{
+ uint32_t tunnel_id;
+ /**< Tunnel ID */
+ enum odp_ipsec_direction dir;
+ /**< Direction: Inbound or Outbound */
+ uint32_t n_dscp_ranges;
+ /**< Number of DSCP Ranges */
+ struct odp_ipsec_policy_rule_dscprange *dscp_ranges;
+ /**< Array of DSCP Ranges */
+ enum odp_ipsec_policy_redside_fragmentation redside;
+ /**< Fragmentation before Encapsulation option: TRUE/FALSE */
+ uint32_t n_selectors;
+ /**< Number of selectors */
+ const odp_pmr_param_t *selectors;
+ /**< Array of Selectors */
+};
+
+/*!
+ * Output parameters to SPD Policy addition
+ */
+typedef struct odp_ipsec_spd_add_err{
+ int32_t result;
+ /**< 0:Success; Non Zero value: Error code indicating failure */
+}odp_ipsec_pol_add_err_t;
+
+/*!
+ * @brief This API is used to add Inbound/Outbound SPD policy to SPD policy
+ * database. This database is maintained per Name Space and Tunnel instance.
+ * This function first validates the incoming parameters
+ * and if all validations succeed, new SPD policy is added to the database.
+ *
+ * @param[in] params Pointer to input param structure which contains
+ * spd policy information.
+ * @param[out] policy Handle to the IPSEC policy.
+ * @param[out] resp Failure code if unsuccessful.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_add(
+ const struct odp_ipsec_spd_params *params,
+ odp_ipsec_policy_t *policy,
+ odp_ipsec_pol_add_err_t *resp);
+
+/*!
+ * @brief This API is used to delete Inbound/Outbound SPD policy from SPD policy
+ * database.
+ *
+ * @param[in] policy Handle to the IPSEC policy.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_del(odp_ipsec_policy_t policy);
+
+/*!
+ * @brief This API is used to flush/delete all Inbound and Outbound SPD
+ * policies.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_spd_flush();
+
+/*!
+ * @brief This API maps an IPSEC policy to an IPSEC crypto session.
+ *
+ * @param[in] policy - Handle to the IPSEC policy.
+ * @param[in] session - Handle to the IPSEC session(SA).
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy
+ odp_crypto_session_t session);
+
+/*!
+ * @brief This API unmaps an IPSEC policy to an IPSEC crypto session.
+ *
+ * @param[in] policy - Handle to the IPSEC policy.
+ * @param[in] session - Handle to the IPSEC session(SA).
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy
+ odp_crypto_session_t session);
+
+/*!
+ * SPD Policy Statistics information structure
+ */
+typedef struct odp_ipsec_spd_stats {
+ uint64_t received_pkts;
+ /**< Received Outbound/Inbound packets */
+ uint64_t processed_pkts;
+ /**< Processed Outbound/Inbound packets */
+ uint64_t processed_bytes;
+ /**< Number of bytes processed on Inbound/Outbound policy */
+
+ /*! Struct details
+ */
+ struct {
+ uint32_t crypto_op_failed;
+ /**< Crypto operations failed */
+ }protocol_violation_errors;
+ /**< Protocol violation errors */
+
+ /*! Struct details
+ */
+ struct {
+ uint32_t no_matching_dscp_range;
+ /**< Matching dscp range not found in the SPD policy */
+
+ uint32_t submit_to_sec_failed;
+ /**< Submission to SEC failed for crypto operations */
+ uint32_t no_outb_sa;
+ /**< Outbound SA not found */
+ uint32_t frag_failed;
+ /**< Fragmentation failed */
+ uint32_t mem_alloc_failed;
+ /**< Memory allocation failed for SA/SPD/descriptor etc.*/
+ uint32_t internal_error;
+ /**< All other errors locally encountered */
+ }local_errors;
+ /**< Local/internal errors */
+
+}odp_ipsec_spd_stats_t;
+
+/*!
+ * @brief This API fetches global statistics.
+ *
+ * @param[out] stats Pointer to statistics structure filled by this API.
+ *
+ * @returns 0 on Success or negative value on failure.
+ *
+ */
+int32_t odp_ipsec_global_stats_get(odp_ipsec_spd_stats_t *stats);
+
+/*!
+ * IPSec Module Capabilities
+ */
+struct odp_ipsec_capabilities {
+ /*! This parameter indicates if IPSec-DP is capable of doing SPD
+ * rule search for incoming or outgoing datagrams
+ */
+
+ uint32_t sel_store_in_spd : 1,
+
+ /*! Authentication Header processing */
+ ah_protocol:1,
+
+ /*! ESP Header processing */
+ esp_protocol:1,
+
+ /*! IPComp related processing */
+ ipcomp_protocol:1,
+
+ /*! IPSec Tunnel Mode processing */
+ tunnel_mode:1,
+
+ /*! IPSec Tunnel Mode processing */
+ transport_mode:1,
+
+ /*! This indicates if IPSec has capability to generate
+ * (for Outbound) and verify (for Inbound) extended sequence numbers.
+ */
+ esn:1,
+
+ /*! This option indicates whether IPSec can
+ * handle the necessary UDP Encapsulation required at
+ * IPSec level for traversing NAT boxes.
+ */
+ udp_encap:1,
+
+ /*! This option indicates whether IPSec can fragment packets
+ * before IPSec encryption, so that the resulting IPSec encrypted
+ * fragments do not exceed MTU
+ */
+ redside_frag:1,
+
+
+ /*! Indicates the maximum number of IN and OUT SPD policies. */
+ uint32_t max_spd_policies;
+
+ /*! Indicates the maximum number of IN and OUT IPSec SAs. */
+ uint32_t max_sas;
+}odp_ipsec_capabilities_t;
+
+/*!
+ * @brief This API fetches IPSec module Capabilities
+ *
+ * @param[out] capa - capabilities structure filled by API.
+ *
+ * @returns SUCCESS on success; FAILURE otherwise
+ *
+ */
+int32_t odp_ipsec_capabilities_get(odp_ipsec_capabilities_t *capa);
+
+
+#endif /* __IPSEC_API_H */
+/**
+ * @}
+ */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
-- 
2.9.3
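Review bot: The new header cannot compile as written: `odp_ipsec_map_pol_session(odp_ipsec_policy_t policy` and `odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy` are missing the comma before `odp_crypto_session_t session`, `odp_crypto_ipsec_session_create` takes an `odp_ipsec_params_t *` while the struct is typedef'd as `odp_ipsec_esp_params_t`, the `odp_ipsec_capabilities` bit-field list ends in `redside_frag:1,` immediately before `uint32_t max_spd_policies;`, that struct has no `typedef` so `odp_ipsec_capabilities_t` is a variable defined in a header rather than a type, and `#endif /* __IPSEC_API_H */` closes the include guard before the `extern "C"` brace, leaving the final `#endif` unmatched. The header also uses `odp_bool_t`, `odp_crypto_session_params_t`, `odp_crypto_session_t`, `odp_ipsec_policy_t` and `odp_pmr_param_t` without an `#include` for any of them, `odp_ipsec_spd_flush()` should be `odp_ipsec_spd_flush(void)` so the prototype is not old-style, and the `@param` list on `odp_crypto_ipsec_session_create` names `session` while the prototype takes `ses_params`, `session_out` and `status`. On the security side, `ODP_IPSEC_AR_WS_NONE` is the zero value of `odp_ipsec_ar_ws_t`, so a zero-initialised `odp_ipsec_params` silently disables anti-replay on an inbound SA; the comment on `ar_ws` should say it must be set explicitly for inbound sessions, and `seq`/`esn` should state what the implementation does when the sequence number is exhausted (the TODO list mentions overflow notification but the header does not). `out_hdr` is a raw pointer with `out_hdr_size` and no statement of who owns the bytes or how long they must stay valid; say whether the implementation copies them at session create. The corrected declarations follow, with the typedef renamed to match the struct tag so the prototype resolves.
```c
/* … unchanged: copyright, include guard, enums … */
typedef struct odp_ipsec_params {
	/* … unchanged: members … */
} odp_ipsec_params_t;

/* … unchanged: odp_crypto_ipsec_session_create, SPD types, spd_add/spd_del … */

int32_t odp_ipsec_spd_flush(void);

/* … unchanged: map/unmap comments … */
int32_t odp_ipsec_map_pol_session(odp_ipsec_policy_t policy,
				  odp_crypto_session_t session);

int32_t odp_ipsec_unmap_pol_session(odp_ipsec_policy_t policy,
				    odp_crypto_session_t session);

/* … unchanged: odp_ipsec_spd_stats_t, odp_ipsec_global_stats_get … */

typedef struct odp_ipsec_capabilities {
	/* … unchanged: sel_store_in_spd … udp_encap bit-fields … */
	redside_frag:1;

	/* … unchanged: max_spd_policies, max_sas … */
} odp_ipsec_capabilities_t;

/* … unchanged: odp_ipsec_capabilities_get … */

#ifdef __cplusplus
}
#endif

#endif /* ODP_API_CRYPTO_IPSEC_H_ */
```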