For the v4 series: Reviewed-by: Bill Fischofer <bill.fischo...@linaro.org>
On Thu, Mar 30, 2017 at 5:29 AM, Petri Savolainen <petri.savolai...@linaro.org> wrote:
> Added configuration option for inbound SPI range (for
> lookups). Removed unique SPI requirement and added config
> option for overlap. Added default queue for lookup misses.
> Added SA disable function and status event for the response
> from it. The same event may be used for e.g. IPSEC
> statistics, etc queries. Improved outbound fragmentation
> documentation.
>
> Signed-off-by: Petri Savolainen <petri.savolai...@linaro.org>
> ---
> include/odp/api/spec/event.h | 2 +-
> include/odp/api/spec/ipsec.h | 198
> ++++++++++++++++++++++++++++++++++---------
> 2 files changed, 158 insertions(+), 42 deletions(-)
>
> diff --git a/include/odp/api/spec/event.h b/include/odp/api/spec/event.h
> index 75c0bbc..f22efce 100644
> --- a/include/odp/api/spec/event.h
> +++ b/include/odp/api/spec/event.h
> @@ -39,7 +39,7 @@ extern "C" {
> * @typedef odp_event_type_t
> * ODP event types:
> * ODP_EVENT_BUFFER, ODP_EVENT_PACKET, ODP_EVENT_TIMEOUT,
> - * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT
> + * ODP_EVENT_CRYPTO_COMPL, ODP_EVENT_IPSEC_RESULT, ODP_EVENT_IPSEC_STATUS
> */
>
> /**
> diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
> index 66222d8..118363e 100644
> --- a/include/odp/api/spec/ipsec.h
> +++ b/include/odp/api/spec/ipsec.h
> @@ -56,6 +56,41 @@ typedef enum odp_ipsec_op_mode_t {
> } odp_ipsec_op_mode_t;
>
> /**
> + * Configuration options for IPSEC inbound processing
> + */
> +typedef struct odp_ipsec_inbound_config_t {
> + /** Default destination queue for IPSEC events
> + *
> + * When inbound SA lookup fails in the asynchronous mode,
> + * resulting IPSEC events are enqueued into this queue.
> + */
> + odp_queue_t default_queue;
> +
> + /** Constraints for SPI values used with inbound SA lookup. Minimal
> + * SPI range and unique values may improve performance. */
> + struct {
> + /** Minimum SPI value for SA lookup. Default value is 0. */
> + uint32_t min_spi;
> +
> + /** Maximum SPI value for SA lookup. Default value is
> + * UINT32_MAX. */
> + uint32_t max_spi;
> +
> + /** Select if SPI values for SA lookup are unique or may
> contain
> + * the same value multiple times. This configuration is not
> + * relevant in ODP_IPSEC_LOOKUP_SPI mode. The default value
> + * is 0.
> + *
> + * 0: All SAs in SA lookup have unique SPI value
> + * 1: The same SPI value may be used for multiple SAs
> + */
> + odp_bool_t spi_overlap;
> +
> + } lookup;
> +
> +} odp_ipsec_inbound_config_t;
> +
> +/**
> * IPSEC capability
> */
> typedef struct odp_ipsec_capability_t {
> @@ -111,6 +146,13 @@ typedef struct odp_ipsec_config_t {
> */
> odp_ipsec_op_mode_t op_mode;
>
> + /** Maximum number of IPSEC SAs that application will use
> + * simultaneously */
> + uint32_t max_num_sa;
> +
> + /** IPSEC inbound processing configuration */
> + odp_ipsec_inbound_config_t inbound;
> +
> } odp_ipsec_config_t;
>
> /**
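Review bot: In odp_ipsec_inbound_config_t, the comment on `lookup.spi_overlap` says the option is not relevant in ODP_IPSEC_LOOKUP_SPI mode, yet ODP_IPSEC_LOOKUP_SPI is the only enabled lookup mode this patch defines, so as posted the flag applies to no mode and nothing states which SA is selected when several share an SPI. An inbound lookup that can resolve to more than one SA is a correctness and security concern, so the comment should name the lookup mode the flag belongs to, or the field should wait until that mode exists. The `min_spi`/`max_spi` comments also leave open whether the bounds are inclusive and how a packet or an SA with an SPI outside the range is treated; if that is the intent, I would add `Range is inclusive. Packets with an SPI outside the range are handled as SA lookup misses.` to the struct comment.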
> @@ -349,8 +391,10 @@ typedef enum odp_ipsec_lookup_mode_t {
> /** Inbound SA lookup is disabled. */
> ODP_IPSEC_LOOKUP_DISABLED = 0,
>
> - /** Inbound SA lookup is enabled. Used SPI values must be unique. */
> - ODP_IPSEC_LOOKUP_IN_UNIQUE_SA
> + /** Inbound SA lookup is enabled. Lookup matches only SPI value.
> + * SA lookup failure status (error.sa_lookup) is reported through
> + * odp_ipsec_packet_result_t. */
> + ODP_IPSEC_LOOKUP_SPI
>
> } odp_ipsec_lookup_mode_t;
>
> @@ -529,6 +573,29 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t
> *param);
> odp_ipsec_sa_t odp_ipsec_sa_create(odp_ipsec_sa_param_t *param);
>
> /**
> + * Disable IPSEC SA
> + *
> + * Application must use this call to disable a SA before destroying it. The
> call
> + * marks the SA disabled, so that IPSEC implementation stops using it. For
> + * example, inbound SPI lookups will not match any more. Application must
> + * stop providing the SA as parameter to new IPSEC input/output operations
> + * before calling disable. Packets in progress during the call may still
> match
> + * the SA and be processed successfully.
> + *
> + * When in synchronous operation mode, the call will return when it's
> possible
> + * to destroy the SA. In asynchronous mode, the same is indicated by an
> + * ODP_EVENT_IPSEC_STATUS event sent to the queue specified for the SA.
> + *
> + * @param sa IPSEC SA to be disabled
> + *
> + * @retval 0 On success
> + * @retval <0 On failure
> + *
> + * @see odp_ipsec_sa_destroy()
> + */
> +int odp_ipsec_sa_disable(odp_ipsec_sa_t sa);
> +
> +/**
> * Destroy IPSEC SA
> *
> * Destroy an unused IPSEC SA. Result is undefined if the SA is being used
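Review bot: The asynchronous half of the odp_ipsec_sa_disable() description does not say how the ODP_EVENT_IPSEC_STATUS event is ordered against result events of packets that were still in progress for the same SA. Because odp_ipsec_sa_destroy() is documented just below as undefined when the SA is in use, the application needs a stated guarantee before it can destroy safely; if this is the intended contract, I would add `The status event is the last event delivered for the SA; no IPSEC result event referring to it follows.` The comment also leaves open whether a status event is still sent when the call itself returns <0, and what a second disable on the same SA does. The destroy comment continues outside the hunk.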
> @@ -567,55 +634,59 @@ typedef struct odp_ipsec_op_opt_t {
> #define ODP_IPSEC_OK 0
>
> /** IPSEC operation status */
> -typedef union odp_ipsec_status_t {
> - /** Error flags */
> - struct {
> - /** Protocol error. Not a valid ESP or AH packet. */
> - uint32_t proto : 1;
> +typedef struct odp_ipsec_op_status_t {
> + union {
> + /** Error flags */
> + struct {
> + /** Protocol error. Not a valid ESP or AH packet. */
> + uint32_t proto : 1;
>
> - /** SA lookup failed */
> - uint32_t sa_lookup : 1;
> + /** SA lookup failed */
> + uint32_t sa_lookup : 1;
>
> - /** Authentication failed */
> - uint32_t auth : 1;
> + /** Authentication failed */
> + uint32_t auth : 1;
>
> - /** Anti-replay check failed */
> - uint32_t antireplay : 1;
> + /** Anti-replay check failed */
> + uint32_t antireplay : 1;
>
> - /** Other algorithm error */
> - uint32_t alg : 1;
> + /** Other algorithm error */
> + uint32_t alg : 1;
>
> - /** Packet does not fit into the given MTU size */
> - uint32_t mtu : 1;
> + /** Packet does not fit into the given MTU size */
> + uint32_t mtu : 1;
>
> - /** Soft lifetime expired: seconds */
> - uint32_t soft_exp_sec : 1;
> + /** Soft lifetime expired: seconds */
> + uint32_t soft_exp_sec : 1;
>
> - /** Soft lifetime expired: bytes */
> - uint32_t soft_exp_bytes : 1;
> + /** Soft lifetime expired: bytes */
> + uint32_t soft_exp_bytes : 1;
>
> - /** Soft lifetime expired: packets */
> - uint32_t soft_exp_packets : 1;
> + /** Soft lifetime expired: packets */
> + uint32_t soft_exp_packets : 1;
>
> - /** Hard lifetime expired: seconds */
> - uint32_t hard_exp_sec : 1;
> + /** Hard lifetime expired: seconds */
> + uint32_t hard_exp_sec : 1;
>
> - /** Hard lifetime expired: bytes */
> - uint32_t hard_exp_bytes : 1;
> + /** Hard lifetime expired: bytes */
> + uint32_t hard_exp_bytes : 1;
>
> - /** Hard lifetime expired: packets */
> - uint32_t hard_exp_packets : 1;
> - } error;
> + /** Hard lifetime expired: packets */
> + uint32_t hard_exp_packets : 1;
>
> - /** All bits of the bit field structure
> - *
> - * This field can be used to set, clear or compare multiple flags.
> - * For example, 'status.all != ODP_IPSEC_OK' checks if there are any
> - * errors.
> - */
> - uint32_t all;
> + } error;
>
> -} odp_ipsec_status_t;
> + /** All error bits
> + *
> + * This field can be used to set, clear or compare multiple
> + * flags. For example, 'status.all_error != ODP_IPSEC_OK'
> + * checks if there are
> + * any errors.
> + */
> + uint32_t all_error;
> + };
> +
> +} odp_ipsec_op_status_t;
>
> /**
> * IPSEC operation input parameters
> @@ -673,14 +744,15 @@ typedef struct odp_ipsec_op_param_t {
> */
> typedef struct odp_ipsec_packet_result_t {
> /** IPSEC operation status */
> - odp_ipsec_status_t status;
> + odp_ipsec_op_status_t status;
>
> /** Number of output packets created from the corresponding input
> packet
> *
> * Without fragmentation offload this is always one. However, if the
> * input packet was fragmented during the operation this is larger
> than
> - * one for the first fragment and zero for the rest of the fragments
> - * (following the first one in the 'pkt' array).
> + * one for the first returned fragment and zero for the rest of the
> + * fragments. All the fragments (of the same source packet) are
> stored
> + * consecutively in the 'pkt' array.
> */
> int num_out;
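Review bot: The `all_error` comment in odp_ipsec_op_status_t invites comparing the whole word with ODP_IPSEC_OK, but the `error` bit field names only 12 of the 32 bits, so that check is reliable only if the producer clears the entire word before setting flags. I would state this in the comment, e.g. `Implementation sets all unused bits to zero.`, and note that bit positions inside `all_error` are compiler-dependent, so only the comparison with ODP_IPSEC_OK is portable. The union is now anonymous, which needs C11 or a compiler extension in every translation unit that includes this header; worth confirming against the project's minimum C standard. The new comment text also has a stray line break between `checks if there are` and `any errors.`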
>
> @@ -745,6 +817,34 @@ typedef struct odp_ipsec_op_result_t {
> } odp_ipsec_op_result_t;
>
> /**
> + * IPSEC status ID
> + */
> +typedef enum odp_ipsec_status_id_t {
> + /** Response to SA disable command */
> + ODP_IPSEC_STATUS_SA_DISABLE = 0
> +
> +} odp_ipsec_status_id_t;
> +
> +/**
> + * IPSEC status content
> + */
> +typedef struct odp_ipsec_status_t {
> + /** IPSEC status ID */
> + odp_ipsec_status_id_t id;
> +
> + /** Return value from the operation
> + *
> + * 0: Success
> + * <0: Failure
> + */
> + int ret;
> +
> + /** IPSEC SA that was target of the operation */
> + odp_ipsec_sa_t sa;
> +
> +} odp_ipsec_status_t;
> +
> +/**
> * Inbound synchronous IPSEC operation
> *
> * This operation does inbound IPSEC processing in synchronous mode
> @@ -897,6 +997,22 @@ int odp_ipsec_out_enq(const odp_ipsec_op_param_t *input);
> int odp_ipsec_result(odp_ipsec_op_result_t *result, odp_event_t event);
>
> /**
> + * Get IPSEC status information from an ODP_EVENT_IPSEC_STATUS event
> + *
> + * Copies IPSEC status information from an event. The event must be of
> + * type ODP_EVENT_IPSEC_STATUS.
> + *
> + * @param[out] status Pointer to status information structure for output.
> + * @param event An ODP_EVENT_IPSEC_STATUS event
> + *
> + * @retval 0 On success
> + * @retval <0 On failure
> + *
> + * @see odp_ipsec_sa_disable()
> + */
> +int odp_ipsec_status(odp_ipsec_status_t *status, odp_event_t event);
> +
> +/**
> * Update MTU for outbound IP fragmentation
> *
> * When IP fragmentation offload is enabled, the SA is created with an MTU.
> --
> 2.8.1
>
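Review bot: The name `odp_ipsec_status_t` is reused in this hunk for a new struct while the same patch renames the old error-flag union of that name to odp_ipsec_op_status_t, so the identifier changes meaning within one series. Code and review comments written against the earlier type will still read as valid but refer to something else; a name not previously used in the API would avoid that. The `sa` member comment should also say whether the handle is filled in when `ret` is <0, e.g. `Set also when ret < 0.` if that is intended.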
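Review bot: The odp_ipsec_status() comment does not say who owns the event after the call, i.e. whether the function consumes it or the application must still free it. A wrong guess either leaks events from the pool or frees one twice, so I would add a line such as `The event is not freed by this call; the application frees it with odp_event_free().` or its opposite, whichever is intended. It should also state what `status` contains when the call returns <0. The comment for the neighbouring odp_ipsec_result() lies outside the hunk, so I cannot tell whether the convention is already stated there.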