Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/58870/?format=api
{ "id": 58870, "url": "http://patches.dpdk.org/api/patches/58870/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/20190906131330.40185-9-roy.fan.zhang@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20190906131330.40185-9-roy.fan.zhang@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20190906131330.40185-9-roy.fan.zhang@intel.com", "date": "2019-09-06T13:13:28", "name": "[08/10] ipsec: add rte_security cpu_crypto action support", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": true, "hash": "8a21ad8e5abb0936ee43c09fad345a80f8939fea", "submitter": { "id": 304, "url": "http://patches.dpdk.org/api/people/304/?format=api", "name": "Fan Zhang", "email": "roy.fan.zhang@intel.com" }, "delegate": { "id": 6690, "url": "http://patches.dpdk.org/api/users/6690/?format=api", "username": "akhil", "first_name": "akhil", "last_name": "goyal", "email": "gakhil@marvell.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/20190906131330.40185-9-roy.fan.zhang@intel.com/mbox/", "series": [ { "id": 6303, "url": "http://patches.dpdk.org/api/series/6303/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=6303", "date": "2019-09-06T13:13:20", "name": "security: add software synchronous crypto process", "version": 1, "mbox": "http://patches.dpdk.org/series/6303/mbox/" } ], "comments": "http://patches.dpdk.org/api/patches/58870/comments/", "check": "success", "checks": "http://patches.dpdk.org/api/patches/58870/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 43D041F3BC;\n\tFri, 6 Sep 2019 15:14:04 +0200 (CEST)", "from mga18.intel.com (mga18.intel.com [134.134.136.126])\n\tby dpdk.org (Postfix) with ESMTP id A5E291F39F\n\tfor <dev@dpdk.org>; Fri, 6 Sep 2019 15:13:49 +0200 (CEST)", "from fmsmga002.fm.intel.com ([10.253.24.26])\n\tby orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t06 Sep 2019 06:13:47 -0700", "from silpixa00398673.ir.intel.com (HELO\n\tsilpixa00398673.ger.corp.intel.com) ([10.237.223.136])\n\tby fmsmga002.fm.intel.com with ESMTP; 06 Sep 2019 06:13:45 -0700" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.64,473,1559545200\"; d=\"scan'208\";a=\"213140778\"", "From": "Fan Zhang <roy.fan.zhang@intel.com>", "To": "dev@dpdk.org", "Cc": "konstantin.ananyev@intel.com, declan.doherty@intel.com,\n\takhil.goyal@nxp.com, Fan Zhang <roy.fan.zhang@intel.com>", "Date": "Fri, 6 Sep 2019 14:13:28 +0100", "Message-Id": "<20190906131330.40185-9-roy.fan.zhang@intel.com>", "X-Mailer": "git-send-email 2.14.5", "In-Reply-To": "<20190906131330.40185-1-roy.fan.zhang@intel.com>", "References": "<20190903154046.55992-1-roy.fan.zhang@intel.com>\n\t<20190906131330.40185-1-roy.fan.zhang@intel.com>", "Subject": "[dpdk-dev] [PATCH 08/10] ipsec: add rte_security cpu_crypto action\n\tsupport", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "This patch updates the ipsec library to handle the newly introduced\nRTE_SECURITY_ACTION_TYPE_CPU_CRYPTO action.\n\nSigned-off-by: Fan Zhang <roy.fan.zhang@intel.com>\n---\n lib/librte_ipsec/esp_inb.c | 174 +++++++++++++++++++++++++-\n lib/librte_ipsec/esp_outb.c | 290 +++++++++++++++++++++++++++++++++++++++++++-\n lib/librte_ipsec/sa.c | 53 ++++++--\n lib/librte_ipsec/sa.h | 29 +++++\n lib/librte_ipsec/ses.c | 4 +-\n 5 files changed, 539 insertions(+), 11 deletions(-)", "diff": "diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c\nindex 8e3ecbc64..6077dcb1e 100644\n--- a/lib/librte_ipsec/esp_inb.c\n+++ b/lib/librte_ipsec/esp_inb.c\n@@ -105,6 +105,73 @@ inb_cop_prepare(struct rte_crypto_op *cop,\n \t}\n }\n \n+static inline int\n+inb_sync_crypto_proc_prepare(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb,\n+\tconst union sym_op_data *icv, uint32_t pofs, uint32_t plen,\n+\tstruct rte_security_vec *buf, struct iovec *cur_vec,\n+\tvoid *iv, void **aad, void **digest)\n+{\n+\tstruct rte_mbuf *ms;\n+\tstruct iovec *vec = cur_vec;\n+\tstruct aead_gcm_iv *gcm;\n+\tstruct aesctr_cnt_blk *ctr;\n+\tuint64_t *ivp;\n+\tuint32_t algo, left, off = 0, n_seg = 0;\n+\n+\tivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,\n+\t\tpofs + sizeof(struct rte_esp_hdr));\n+\talgo = sa->algo_type;\n+\n+\tswitch (algo) {\n+\tcase ALGO_TYPE_AES_GCM:\n+\t\tgcm = (struct aead_gcm_iv *)iv;\n+\t\taead_gcm_iv_fill(gcm, ivp[0], sa->salt);\n+\t\t*aad = icv->va + sa->icv_len;\n+\t\toff = sa->ctp.cipher.offset + pofs;\n+\t\tbreak;\n+\tcase ALGO_TYPE_AES_CBC:\n+\tcase ALGO_TYPE_3DES_CBC:\n+\t\toff = sa->ctp.auth.offset + pofs;\n+\t\tbreak;\n+\tcase ALGO_TYPE_AES_CTR:\n+\t\toff = sa->ctp.auth.offset + pofs;\n+\t\tctr = (struct aesctr_cnt_blk *)iv;\n+\t\taes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);\n+\t\tbreak;\n+\tcase ALGO_TYPE_NULL:\n+\t\tbreak;\n+\t}\n+\n+\t*digest = icv->va;\n+\n+\tleft = plen - sa->ctp.cipher.length;\n+\n+\tms = mbuf_get_seg_ofs(mb, &off);\n+\tif (!ms)\n+\t\treturn -1;\n+\n+\twhile (n_seg < RTE_LIBRTE_IP_FRAG_MAX_FRAG && left && ms) {\n+\t\tuint32_t len = RTE_MIN(left, ms->data_len - off);\n+\n+\t\tvec->iov_base = rte_pktmbuf_mtod_offset(ms, void *, off);\n+\t\tvec->iov_len = len;\n+\n+\t\tleft -= len;\n+\t\tvec++;\n+\t\tn_seg++;\n+\t\tms = ms->next;\n+\t\toff = 0;\n+\t}\n+\n+\tif (left)\n+\t\treturn -1;\n+\n+\tbuf->vec = cur_vec;\n+\tbuf->num = n_seg;\n+\n+\treturn n_seg;\n+}\n+\n /*\n * Helper function for prepare() to deal with situation when\n * ICV is spread by two segments. Tries to move ICV completely into the\n@@ -512,7 +579,6 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \treturn k;\n }\n \n-\n /*\n * *process* function for tunnel packets\n */\n@@ -625,6 +691,112 @@ esp_inb_pkt_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],\n \treturn n;\n }\n \n+/*\n+ * process packets using sync crypto engine\n+ */\n+static uint16_t\n+esp_inb_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num, uint8_t sqh_len,\n+\t\tesp_inb_process_t process)\n+{\n+\tint32_t rc;\n+\tuint32_t i, k, hl, n, p;\n+\tstruct rte_ipsec_sa *sa;\n+\tstruct replay_sqn *rsn;\n+\tunion sym_op_data icv;\n+\tuint32_t sqn[num];\n+\tuint32_t dr[num];\n+\tstruct rte_security_vec buf[num];\n+\tstruct iovec vec[RTE_LIBRTE_IP_FRAG_MAX_FRAG * num];\n+\tuint32_t vec_idx = 0;\n+\tuint8_t ivs[num][IPSEC_MAX_IV_SIZE];\n+\tvoid *iv[num];\n+\tvoid *aad[num];\n+\tvoid *digest[num];\n+\tint status[num];\n+\n+\tsa = ss->sa;\n+\trsn = rsn_acquire(sa);\n+\n+\tk = 0;\n+\tfor (i = 0; i != num; i++) {\n+\t\thl = mb[i]->l2_len + mb[i]->l3_len;\n+\t\trc = inb_pkt_prepare(sa, rsn, mb[i], hl, &icv);\n+\t\tif (rc >= 0) {\n+\t\t\tiv[k] = (void *)ivs[k];\n+\t\t\trc = inb_sync_crypto_proc_prepare(sa, mb[i], &icv, hl,\n+\t\t\t\t\trc, &buf[k], &vec[vec_idx], iv[k],\n+\t\t\t\t\t&aad[k], &digest[k]);\n+\t\t\tif (rc < 0) {\n+\t\t\t\tdr[i - k] = i;\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n+\t\t\tvec_idx += rc;\n+\t\t\tk++;\n+\t\t} else\n+\t\t\tdr[i - k] = i;\n+\t}\n+\n+\t/* copy not prepared mbufs beyond good ones */\n+\tif (k != num) {\n+\t\trte_errno = EBADMSG;\n+\n+\t\tif (unlikely(k == 0))\n+\t\t\treturn 0;\n+\n+\t\tmove_bad_mbufs(mb, dr, num, num - k);\n+\t}\n+\n+\t/* process the packets */\n+\tn = 0;\n+\trte_security_process_cpu_crypto_bulk(ss->security.ctx,\n+\t\t\tss->security.ses, buf, iv, aad, digest, status,\n+\t\t\tk);\n+\t/* move failed process packets to dr */\n+\tfor (i = 0; i < k; i++) {\n+\t\tif (status[i]) {\n+\t\t\tdr[n++] = i;\n+\t\t\trte_errno = EBADMSG;\n+\t\t}\n+\t}\n+\n+\t/* move bad packets to the back */\n+\tif (n)\n+\t\tmove_bad_mbufs(mb, dr, k, n);\n+\n+\t/* process packets */\n+\tp = process(sa, mb, sqn, dr, k - n, sqh_len);\n+\n+\tif (p != k - n && p != 0)\n+\t\tmove_bad_mbufs(mb, dr, k - n, k - n - p);\n+\n+\tif (p != num)\n+\t\trte_errno = EBADMSG;\n+\n+\treturn p;\n+}\n+\n+uint16_t\n+esp_inb_tun_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n+{\n+\tstruct rte_ipsec_sa *sa = ss->sa;\n+\n+\treturn esp_inb_sync_crypto_pkt_process(ss, mb, num, sa->sqh_len,\n+\t\t\ttun_process);\n+}\n+\n+uint16_t\n+esp_inb_trs_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n+{\n+\tstruct rte_ipsec_sa *sa = ss->sa;\n+\n+\treturn esp_inb_sync_crypto_pkt_process(ss, mb, num, sa->sqh_len,\n+\t\t\ttrs_process);\n+}\n+\n /*\n * process group of ESP inbound tunnel packets.\n */\ndiff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c\nindex 55799a867..097cb663f 100644\n--- a/lib/librte_ipsec/esp_outb.c\n+++ b/lib/librte_ipsec/esp_outb.c\n@@ -403,6 +403,292 @@ esp_outb_trs_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n \treturn k;\n }\n \n+\n+static inline int\n+outb_sync_crypto_proc_prepare(struct rte_mbuf *m, const struct rte_ipsec_sa *sa,\n+\t\tconst uint64_t ivp[IPSEC_MAX_IV_QWORD],\n+\t\tconst union sym_op_data *icv, uint32_t hlen, uint32_t plen,\n+\t\tstruct rte_security_vec *buf, struct iovec *cur_vec, void *iv,\n+\t\tvoid **aad, void **digest)\n+{\n+\tstruct rte_mbuf *ms;\n+\tstruct aead_gcm_iv *gcm;\n+\tstruct aesctr_cnt_blk *ctr;\n+\tstruct iovec *vec = cur_vec;\n+\tuint32_t left, off = 0, n_seg = 0;\n+\tuint32_t algo;\n+\n+\talgo = sa->algo_type;\n+\n+\tswitch (algo) {\n+\tcase ALGO_TYPE_AES_GCM:\n+\t\tgcm = iv;\n+\t\taead_gcm_iv_fill(gcm, ivp[0], sa->salt);\n+\t\t*aad = (void *)(icv->va + sa->icv_len);\n+\t\toff = sa->ctp.cipher.offset + hlen;\n+\t\tbreak;\n+\tcase ALGO_TYPE_AES_CBC:\n+\tcase ALGO_TYPE_3DES_CBC:\n+\t\toff = sa->ctp.auth.offset + hlen;\n+\t\tbreak;\n+\tcase ALGO_TYPE_AES_CTR:\n+\t\tctr = iv;\n+\t\taes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);\n+\t\tbreak;\n+\tcase ALGO_TYPE_NULL:\n+\t\tbreak;\n+\t}\n+\n+\t*digest = (void *)icv->va;\n+\n+\tleft = sa->ctp.cipher.length + plen;\n+\n+\tms = mbuf_get_seg_ofs(m, &off);\n+\tif (!ms)\n+\t\treturn -1;\n+\n+\twhile (n_seg < RTE_LIBRTE_IP_FRAG_MAX_FRAG && left && ms) {\n+\t\tuint32_t len = RTE_MIN(left, ms->data_len - off);\n+\n+\t\tvec->iov_base = rte_pktmbuf_mtod_offset(ms, void *, off);\n+\t\tvec->iov_len = len;\n+\n+\t\tleft -= len;\n+\t\tvec++;\n+\t\tn_seg++;\n+\t\tms = ms->next;\n+\t\toff = 0;\n+\t}\n+\n+\tif (left)\n+\t\treturn -1;\n+\n+\tbuf->vec = cur_vec;\n+\tbuf->num = n_seg;\n+\n+\treturn n_seg;\n+}\n+\n+/**\n+ * Local post process function prototype that same as process function prototype\n+ * as rte_ipsec_sa_pkt_func's process().\n+ */\n+typedef uint16_t (*sync_crypto_post_process)(const struct rte_ipsec_session *ss,\n+\t\t\t\tstruct rte_mbuf *mb[],\n+\t\t\t\tuint16_t num);\n+static uint16_t\n+esp_outb_tun_sync_crypto_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num,\n+\t\tsync_crypto_post_process post_process)\n+{\n+\tuint64_t sqn;\n+\trte_be64_t sqc;\n+\tstruct rte_ipsec_sa *sa;\n+\tstruct rte_security_ctx *ctx;\n+\tstruct rte_security_session *rss;\n+\tunion sym_op_data icv;\n+\tstruct rte_security_vec buf[num];\n+\tstruct iovec vec[RTE_LIBRTE_IP_FRAG_MAX_FRAG * num];\n+\tuint32_t vec_idx = 0;\n+\tvoid *aad[num];\n+\tvoid *digest[num];\n+\tvoid *iv[num];\n+\tuint8_t ivs[num][IPSEC_MAX_IV_SIZE];\n+\tuint64_t ivp[IPSEC_MAX_IV_QWORD];\n+\tint status[num];\n+\tuint32_t dr[num];\n+\tuint32_t i, n, k;\n+\tint32_t rc;\n+\n+\tsa = ss->sa;\n+\tctx = ss->security.ctx;\n+\trss = ss->security.ses;\n+\n+\tk = 0;\n+\tn = num;\n+\tsqn = esn_outb_update_sqn(sa, &n);\n+\tif (n != num)\n+\t\trte_errno = EOVERFLOW;\n+\n+\tfor (i = 0; i != n; i++) {\n+\t\tsqc = rte_cpu_to_be_64(sqn + i);\n+\t\tgen_iv(ivp, sqc);\n+\n+\t\t/* try to update the packet itself */\n+\t\trc = outb_tun_pkt_prepare(sa, sqc, ivp, mb[i], &icv,\n+\t\t\t\tsa->sqh_len);\n+\n+\t\t/* success, setup crypto op */\n+\t\tif (rc >= 0) {\n+\t\t\toutb_pkt_xprepare(sa, sqc, &icv);\n+\n+\t\t\tiv[k] = (void *)ivs[k];\n+\t\t\trc = outb_sync_crypto_proc_prepare(mb[i], sa, ivp, &icv,\n+\t\t\t\t\t0, rc, &buf[k], &vec[vec_idx], iv[k],\n+\t\t\t\t\t&aad[k], &digest[k]);\n+\t\t\tif (rc < 0) {\n+\t\t\t\tdr[i - k] = i;\n+\t\t\t\trte_errno = -rc;\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n+\t\t\tvec_idx += rc;\n+\t\t\tk++;\n+\t\t/* failure, put packet into the death-row */\n+\t\t} else {\n+\t\t\tdr[i - k] = i;\n+\t\t\trte_errno = -rc;\n+\t\t}\n+\t}\n+\n+\t /* copy not prepared mbufs beyond good ones */\n+\tif (k != n && k != 0)\n+\t\tmove_bad_mbufs(mb, dr, n, n - k);\n+\n+\tif (unlikely(k == 0)) {\n+\t\trte_errno = EBADMSG;\n+\t\treturn 0;\n+\t}\n+\n+\t/* process the packets */\n+\tn = 0;\n+\trte_security_process_cpu_crypto_bulk(ctx, rss, buf, iv, aad, digest,\n+\t\t\tstatus, k);\n+\t/* move failed process packets to dr */\n+\tfor (i = 0; i < n; i++) {\n+\t\tif (status[i])\n+\t\t\tdr[n++] = i;\n+\t}\n+\n+\tif (n)\n+\t\tmove_bad_mbufs(mb, dr, k, n);\n+\n+\treturn post_process(ss, mb, k - n);\n+}\n+\n+static uint16_t\n+esp_outb_trs_sync_crypto_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num,\n+\t\tsync_crypto_post_process post_process)\n+\n+{\n+\tuint64_t sqn;\n+\trte_be64_t sqc;\n+\tstruct rte_ipsec_sa *sa;\n+\tstruct rte_security_ctx *ctx;\n+\tstruct rte_security_session *rss;\n+\tunion sym_op_data icv;\n+\tstruct rte_security_vec buf[num];\n+\tstruct iovec vec[RTE_LIBRTE_IP_FRAG_MAX_FRAG * num];\n+\tuint32_t vec_idx = 0;\n+\tvoid *aad[num];\n+\tvoid *digest[num];\n+\tuint8_t ivs[num][IPSEC_MAX_IV_SIZE];\n+\tvoid *iv[num];\n+\tint status[num];\n+\tuint64_t ivp[IPSEC_MAX_IV_QWORD];\n+\tuint32_t dr[num];\n+\tuint32_t i, n, k;\n+\tuint32_t l2, l3;\n+\tint32_t rc;\n+\n+\tsa = ss->sa;\n+\tctx = ss->security.ctx;\n+\trss = ss->security.ses;\n+\n+\tk = 0;\n+\tn = num;\n+\tsqn = esn_outb_update_sqn(sa, &n);\n+\tif (n != num)\n+\t\trte_errno = EOVERFLOW;\n+\n+\tfor (i = 0; i != n; i++) {\n+\t\tl2 = mb[i]->l2_len;\n+\t\tl3 = mb[i]->l3_len;\n+\n+\t\tsqc = rte_cpu_to_be_64(sqn + i);\n+\t\tgen_iv(ivp, sqc);\n+\n+\t\t/* try to update the packet itself */\n+\t\trc = outb_trs_pkt_prepare(sa, sqc, ivp, mb[i], l2, l3, &icv,\n+\t\t\t\tsa->sqh_len);\n+\n+\t\t/* success, setup crypto op */\n+\t\tif (rc >= 0) {\n+\t\t\toutb_pkt_xprepare(sa, sqc, &icv);\n+\n+\t\t\tiv[k] = (void *)ivs[k];\n+\n+\t\t\trc = outb_sync_crypto_proc_prepare(mb[i], sa, ivp, &icv,\n+\t\t\t\t\tl2 + l3, rc, &buf[k], &vec[vec_idx],\n+\t\t\t\t\tiv[k], &aad[k], &digest[k]);\n+\t\t\tif (rc < 0) {\n+\t\t\t\tdr[i - k] = i;\n+\t\t\t\trte_errno = -rc;\n+\t\t\t\tcontinue;\n+\t\t\t}\n+\n+\t\t\tvec_idx += rc;\n+\t\t\tk++;\n+\t\t/* failure, put packet into the death-row */\n+\t\t} else {\n+\t\t\tdr[i - k] = i;\n+\t\t\trte_errno = -rc;\n+\t\t}\n+\t}\n+\n+\t /* copy not prepared mbufs beyond good ones */\n+\tif (k != n && k != 0)\n+\t\tmove_bad_mbufs(mb, dr, n, n - k);\n+\n+\t/* process the packets */\n+\tn = 0;\n+\trte_security_process_cpu_crypto_bulk(ctx, rss, buf, iv, aad, digest,\n+\t\t\tstatus, k);\n+\t/* move failed process packets to dr */\n+\tfor (i = 0; i < k; i++) {\n+\t\tif (status[i])\n+\t\t\tdr[n++] = i;\n+\t}\n+\n+\tif (n)\n+\t\tmove_bad_mbufs(mb, dr, k, n);\n+\n+\treturn post_process(ss, mb, k - n);\n+}\n+\n+uint16_t\n+esp_outb_tun_sync_crpyto_sqh_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n+{\n+\treturn esp_outb_tun_sync_crypto_process(ss, mb, num,\n+\t\t\tesp_outb_sqh_process);\n+}\n+\n+uint16_t\n+esp_outb_tun_sync_crpyto_flag_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n+{\n+\treturn esp_outb_tun_sync_crypto_process(ss, mb, num,\n+\t\t\tesp_outb_pkt_flag_process);\n+}\n+\n+uint16_t\n+esp_outb_trs_sync_crpyto_sqh_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n+{\n+\treturn esp_outb_trs_sync_crypto_process(ss, mb, num,\n+\t\t\tesp_outb_sqh_process);\n+}\n+\n+uint16_t\n+esp_outb_trs_sync_crpyto_flag_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n+{\n+\treturn esp_outb_trs_sync_crypto_process(ss, mb, num,\n+\t\t\tesp_outb_pkt_flag_process);\n+}\n+\n /*\n * process outbound packets for SA with ESN support,\n * for algorithms that require SQN.hibits to be implictly included\n@@ -410,8 +696,8 @@ esp_outb_trs_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n * In that case we have to move ICV bytes back to their proper place.\n */\n uint16_t\n-esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n-\tuint16_t num)\n+esp_outb_sqh_process(const struct rte_ipsec_session *ss,\n+\tstruct rte_mbuf *mb[], uint16_t num)\n {\n \tuint32_t i, k, icv_len, *icv;\n \tstruct rte_mbuf *ml;\ndiff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c\nindex 23d394b46..31ffbce2c 100644\n--- a/lib/librte_ipsec/sa.c\n+++ b/lib/librte_ipsec/sa.c\n@@ -544,9 +544,9 @@ lksd_proto_prepare(const struct rte_ipsec_session *ss,\n * - inbound/outbound for RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL\n * - outbound for RTE_SECURITY_ACTION_TYPE_NONE when ESN is disabled\n */\n-static uint16_t\n-pkt_flag_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n-\tuint16_t num)\n+uint16_t\n+esp_outb_pkt_flag_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num)\n {\n \tuint32_t i, k;\n \tuint32_t dr[num];\n@@ -599,12 +599,48 @@ lksd_none_pkt_func_select(const struct rte_ipsec_sa *sa,\n \tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):\n \t\tpf->prepare = esp_outb_tun_prepare;\n \t\tpf->process = (sa->sqh_len != 0) ?\n-\t\t\tesp_outb_sqh_process : pkt_flag_process;\n+\t\t\tesp_outb_sqh_process : esp_outb_pkt_flag_process;\n \t\tbreak;\n \tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):\n \t\tpf->prepare = esp_outb_trs_prepare;\n \t\tpf->process = (sa->sqh_len != 0) ?\n-\t\t\tesp_outb_sqh_process : pkt_flag_process;\n+\t\t\tesp_outb_sqh_process : esp_outb_pkt_flag_process;\n+\t\tbreak;\n+\tdefault:\n+\t\trc = -ENOTSUP;\n+\t}\n+\n+\treturn rc;\n+}\n+\n+static int\n+lksd_sync_crypto_pkt_func_select(const struct rte_ipsec_sa *sa,\n+\t\tstruct rte_ipsec_sa_pkt_func *pf)\n+{\n+\tint32_t rc;\n+\n+\tstatic const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |\n+\t\t\tRTE_IPSEC_SATP_MODE_MASK;\n+\n+\trc = 0;\n+\tswitch (sa->type & msk) {\n+\tcase (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4):\n+\tcase (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6):\n+\t\tpf->process = esp_inb_tun_sync_crypto_pkt_process;\n+\t\tbreak;\n+\tcase (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS):\n+\t\tpf->process = esp_inb_trs_sync_crypto_pkt_process;\n+\t\tbreak;\n+\tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4):\n+\tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6):\n+\t\tpf->process = (sa->sqh_len != 0) ?\n+\t\t\tesp_outb_tun_sync_crpyto_sqh_process :\n+\t\t\tesp_outb_tun_sync_crpyto_flag_process;\n+\t\tbreak;\n+\tcase (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TRANS):\n+\t\tpf->process = (sa->sqh_len != 0) ?\n+\t\t\tesp_outb_trs_sync_crpyto_sqh_process :\n+\t\t\tesp_outb_trs_sync_crpyto_flag_process;\n \t\tbreak;\n \tdefault:\n \t\trc = -ENOTSUP;\n@@ -672,13 +708,16 @@ ipsec_sa_pkt_func_select(const struct rte_ipsec_session *ss,\n \tcase RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:\n \t\tif ((sa->type & RTE_IPSEC_SATP_DIR_MASK) ==\n \t\t\t\tRTE_IPSEC_SATP_DIR_IB)\n-\t\t\tpf->process = pkt_flag_process;\n+\t\t\tpf->process = esp_outb_pkt_flag_process;\n \t\telse\n \t\t\tpf->process = inline_proto_outb_pkt_process;\n \t\tbreak;\n \tcase RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:\n \t\tpf->prepare = lksd_proto_prepare;\n-\t\tpf->process = pkt_flag_process;\n+\t\tpf->process = esp_outb_pkt_flag_process;\n+\t\tbreak;\n+\tcase RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:\n+\t\trc = lksd_sync_crypto_pkt_func_select(sa, pf);\n \t\tbreak;\n \tdefault:\n \t\trc = -ENOTSUP;\ndiff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h\nindex 51e69ad05..02c7abc60 100644\n--- a/lib/librte_ipsec/sa.h\n+++ b/lib/librte_ipsec/sa.h\n@@ -156,6 +156,14 @@ uint16_t\n inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss,\n \tstruct rte_mbuf *mb[], uint16_t num);\n \n+uint16_t\n+esp_inb_tun_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num);\n+\n+uint16_t\n+esp_inb_trs_sync_crypto_pkt_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num);\n+\n /* outbound processing */\n \n uint16_t\n@@ -170,6 +178,10 @@ uint16_t\n esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],\n \tuint16_t num);\n \n+uint16_t\n+esp_outb_pkt_flag_process(const struct rte_ipsec_session *ss,\n+\tstruct rte_mbuf *mb[], uint16_t num);\n+\n uint16_t\n inline_outb_tun_pkt_process(const struct rte_ipsec_session *ss,\n \tstruct rte_mbuf *mb[], uint16_t num);\n@@ -182,4 +194,21 @@ uint16_t\n inline_proto_outb_pkt_process(const struct rte_ipsec_session *ss,\n \tstruct rte_mbuf *mb[], uint16_t num);\n \n+uint16_t\n+esp_outb_tun_sync_crpyto_sqh_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num);\n+\n+uint16_t\n+esp_outb_tun_sync_crpyto_flag_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num);\n+\n+uint16_t\n+esp_outb_trs_sync_crpyto_sqh_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num);\n+\n+uint16_t\n+esp_outb_trs_sync_crpyto_flag_process(const struct rte_ipsec_session *ss,\n+\t\tstruct rte_mbuf *mb[], uint16_t num);\n+\n+\n #endif /* _SA_H_ */\ndiff --git a/lib/librte_ipsec/ses.c b/lib/librte_ipsec/ses.c\nindex 82c765a33..eaa8c17b7 100644\n--- a/lib/librte_ipsec/ses.c\n+++ b/lib/librte_ipsec/ses.c\n@@ -19,7 +19,9 @@ session_check(struct rte_ipsec_session *ss)\n \t\t\treturn -EINVAL;\n \t\tif ((ss->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||\n \t\t\t\tss->type ==\n-\t\t\t\tRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) &&\n+\t\t\t\tRTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL ||\n+\t\t\t\tss->type ==\n+\t\t\t\tRTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) &&\n \t\t\t\tss->security.ctx == NULL)\n \t\t\treturn -EINVAL;\n \t}\n", "prefixes": [ "08/10" ] }