From patchwork Fri Aug 11 07:17:10 2023
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 130110
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Thomas Monjalon , Akhil Goyal , Jerin Jacob , Konstantin Ananyev
CC: Hemant Agrawal , , Olivier Matz , Vidya Sagar Velumuri
Subject: [RFC PATCH 1/3] net: add headers for TLS/DTLS packets
Date: Fri, 11 Aug 2023 12:47:10 +0530
Message-ID: <20230811071712.240-2-anoobj@marvell.com>
In-Reply-To: <20230811071712.240-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com>

From: Akhil Goyal

Added TLS and DTLS packet headers for L4 security applications.

Signed-off-by: Akhil Goyal
Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 doc/api/doxy-api-index.md | 2 ++
 lib/net/meson.build | 2 ++
 lib/net/rte_dtls.h | 61 +++++++++++++++++++++++++++++++++++++++
 lib/net/rte_tls.h | 48 ++++++++++++++++++++++++++++++
 4 files changed, 113 insertions(+)
 create mode 100644 lib/net/rte_dtls.h
 create mode 100644 lib/net/rte_tls.h

diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md index fdeda13932..03e2445bb1 100644 --- a/doc/api/doxy-api-index.md +++ b/doc/api/doxy-api-index.md
@@ -128,6 +128,8 @@ The public API headers are grouped by topics: [eCPRI](@ref rte_ecpri.h), [PDCP hdr](@ref rte_pdcp_hdr.h), [PDCP](@ref rte_pdcp.h), + [TLS](@ref rte_tls.h), + [DTLS](@ref rte_dtls.h), [L2TPv2](@ref rte_l2tpv2.h), [PPP](@ref rte_ppp.h), [IB](@ref rte_ib.h) diff --git a/lib/net/meson.build b/lib/net/meson.build index b1bc27bad5..0b69138949 100644 --- a/lib/net/meson.build +++ b/lib/net/meson.build @@ -5,6 +5,8 @@ headers = files( 'rte_ip.h', 'rte_tcp.h', 'rte_udp.h', + 'rte_tls.h', + 'rte_dtls.h', 'rte_esp.h', 'rte_sctp.h', 'rte_icmp.h', diff --git a/lib/net/rte_dtls.h b/lib/net/rte_dtls.h new file mode 100644 index 0000000000..1455c07a92 --- /dev/null +++ b/lib/net/rte_dtls.h 
@@ -0,0 +1,61 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2023 Marvell. + */ + +#ifndef RTE_DTLS_H +#define RTE_DTLS_H + +/** + * @file + * + * Datagram transport layer security(DTLS) related defines. + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define RTE_DTLS_TYPE_INVALID 0 /**< Invalid DTLS message type. */ +#define RTE_DTLS_TYPE_CCS 20 /**< Change cipher message. */ +#define RTE_DTLS_TYPE_ALERT 21 /**< Alert message. */ +#define RTE_DTLS_TYPE_HANDSHAKE 22 /**< Handshake message for DTLS. */ +#define RTE_DTLS_TYPE_APPDATA 23 /**< DTLS application data message. */ +#define RTE_DTLS_TYPE_HEARTBEAT 24 /**< DTLS 1.3 heartbeat message. */ +#define RTE_DTLS_TYPE_CIPHERTEXT_WITH_CID 25 /**< DTLS 1.3 ciphertext with CID message. */ +#define RTE_DTLS_TYPE_ACK 26 /**< DTLS 1.3 ACK message. */ +#define RTE_DTLS_TYPE_MAX 255 /**< Maximum value as DTLS content type. */ + +#define RTE_DTLS_VERSION_1_2 0xFEFD /**< DTLS 1.2 version. 1's complement of 1.2. */ +#define RTE_DTLS_VERSION_1_3 0xFEFC /**< DTLS 1.3 version. 1's complement of 1.3. */ + +/** + * DTLS Header + */ +__extension__ +struct rte_dtls_hdr { + /** Content type of DTLS packet. Defined as RTE_DTLS_TYPE_*. */ + uint8_t type; + /** DTLS Version defined as RTE_DTLS_VERSION*. */ + rte_be16_t version; +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN + /** The sequence number for the DTLS record. */ + uint64_t sequence_number : 48; + /** A counter value that is incremented on every cipher state change. */ + uint64_t epoch : 16; +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN + /** A counter value that is incremented on every cipher state change. */ + uint64_t epoch : 16; + /** The sequence number for the DTLS record. */ + uint64_t sequence_number : 48; +#endif + /** The length (in bytes) of the following DTLS packet. */ + rte_be16_t length; +} __rte_packed; + +#ifdef __cplusplus +} +#endif + +#endif /* RTE_DTLS_H */ 
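Review bot: the endian-conditional bit-field pair in struct rte_dtls_hdr is not a wire-layout overlay on little-endian hosts. The DTLS 1.2 record header carries epoch (2 bytes) followed by sequence_number (6 bytes) in network order, but on little-endian targets GCC allocates bit-fields starting from the least significant bit of the 64-bit unit, so `uint64_t sequence_number : 48;` declared first occupies the six bytes immediately after `version`, exactly where the wire has epoch. That layout only matches a copy of the 8-byte word that has already been byte-swapped as a whole, which the comments do not say, while the big-endian arm does match the raw packet. Either document that callers must byte-swap the word before reading `epoch` and `sequence_number`, or store the two fields as `rte_be16_t epoch; uint8_t sequence_number[6];` so the struct can be cast onto a packet on either host order. Separately, the comment on RTE_DTLS_TYPE_HEARTBEAT calls content type 24 a "DTLS 1.3 heartbeat message"; heartbeat is the RFC 6520 extension, not a DTLS 1.3 feature, so "/**< Heartbeat message (RFC 6520). */" is the accurate wording.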
diff --git a/lib/net/rte_tls.h b/lib/net/rte_tls.h new file mode 100644 index 0000000000..d708d06014 --- /dev/null +++ b/lib/net/rte_tls.h 
@@ -0,0 +1,48 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2023 Marvell. + */ + +#ifndef RTE_TLS_H +#define RTE_TLS_H + +/** + * @file + * + * Transport layer security(TLS) related defines. + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define RTE_TLS_TYPE_INVALID 0 /**< Invalid TLS message type. */ +#define RTE_TLS_TYPE_CCS 20 /**< Change cipher message. */ +#define RTE_TLS_TYPE_ALERT 21 /**< Alert message. */ +#define RTE_TLS_TYPE_HANDSHAKE 22 /**< Handshake message for TLS. */ +#define RTE_TLS_TYPE_APPDATA 23 /**< TLS application data message. */ +#define RTE_TLS_TYPE_HEARTBEAT 24 /**< TLS 1.3 heartbeat message. */ +#define RTE_TLS_TYPE_MAX 255 /**< Maximum value as TLS content type. */ + +#define RTE_TLS_VERSION_1_2 0x0303 /**< TLS 1.2 version. */ +#define RTE_TLS_VERSION_1_3 0x0304 /**< TLS 1.3 version. */ + +/** + * TLS Header + */ +__extension__ +struct rte_tls_hdr { + /** Content type of TLS packet. Defined as RTE_TLS_TYPE_*. */ + uint8_t type; + /** TLS Version defined as RTE_TLS_VERSION*. */ + rte_be16_t version; + /** The length (in bytes) of the following TLS packet. 
 */ + rte_be16_t length; +} __rte_packed; + +#ifdef __cplusplus +} +#endif + +#endif /* RTE_TLS_H */
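Review bot: the comment on RTE_TLS_TYPE_HEARTBEAT describes content type 24 as a "TLS 1.3 heartbeat message"; heartbeat is the RFC 6520 extension for TLS 1.2 and is not part of TLS 1.3, so "/**< Heartbeat message (RFC 6520). */" is the accurate wording. The `length` doc comment, "length (in bytes) of the following TLS packet", should say it is the length of the record fragment that follows the header, and that the protocol bounds it (2^14 bytes of plaintext plus cipher expansion); a PMD or application validating records before lookaside processing needs that bound stated in the header that defines the field. Minor: "Transport layer security(TLS)" in the @file comment is missing a space before the parenthesis (same in rte_dtls.h).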
From patchwork Fri Aug 11 07:17:11 2023
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 130109
X-Patchwork-Delegate: gakhil@marvell.com
From: Anoob Joseph
To: Thomas Monjalon , Akhil Goyal , Jerin Jacob , Konstantin Ananyev
CC: Hemant Agrawal , , Olivier Matz , Vidya Sagar Velumuri
Subject: [RFC PATCH 2/3] security: add TLS record processing
Date: Fri, 11 Aug 2023 12:47:11 +0530
Message-ID: <20230811071712.240-3-anoobj@marvell.com>
In-Reply-To: <20230811071712.240-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com>

Add Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The protocols provide communications privacy for L4 protocols such as TCP & UDP.

TLS (and DTLS) protocol is composed of two layers,
1. TLS Record Protocol
2. TLS Handshake Protocol

While TLS Handshake Protocol helps in establishing security parameters by which client and server can communicate, TLS Record Protocol provides the connection security. TLS Record Protocol leverages symmetric cryptographic operations such as data encryption and authentication for providing security to the communications.

Cryptodevs that are capable of offloading TLS Record Protocol may perform other operations like IV generation, header insertion, atomic sequence number updates and anti-replay window check in addition to cryptographic transformations.

The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2.

Signed-off-by: Akhil Goyal
Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 doc/guides/prog_guide/rte_security.rst | 58 +++++++++++++
 lib/security/rte_security.c | 4 +
 lib/security/rte_security.h | 110 +++++++++++++++++++++++++
 3 files changed, 172 insertions(+)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index 7418e35c1b..7716d7239f 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst
@@ -399,6 +399,64 @@ The API ``rte_security_macsec_sc_create`` returns a handle for SC, and this handle is set in ``rte_security_macsec_xform`` to create a MACsec session using ``rte_security_session_create``. +TLS-Record Protocol +~~~~~~~~~~~~~~~~~~~ + +The Transport Layer Protocol provides communications security over the Internet. The protocol +allows client/server applications to communicate in a way that is designed to prevent eavesdropping, +tampering, or message forgery. + +TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. At +the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record +Protocol. The TLS Record Protocol provides connection security that has two basic properties: + + - The connection is private. Symmetric cryptography is used for data + encryption (e.g., AES, DES, etc.). The keys for this symmetric encryption + are generated uniquely for each connection and are based on a secret + negotiated by another protocol (such as the TLS Handshake Protocol). The + Record Protocol can also be used without encryption. + + - The connection is reliable. Message transport includes a message + integrity check using a keyed MAC. Secure hash functions (e.g., + SHA-1, etc.) are used for MAC computations. The Record Protocol + can operate without a MAC, but is generally only used in this mode + while another protocol is using the Record Protocol as a transport + for negotiating security parameters. + +.. code-block:: c + + Record Write Record Read + ------------ ----------- + + TLSPlaintext TLSCiphertext + | | + ~ ~ + | | + V V + +---------|----------+ +----------|---------+ + | Seq. no generation | | Seq. 
no generation | + +---------|----------+ +----------|---------+ + | | + +---------|----------+ +----------|---------+ + | Header insertion | | Decryption & | + +---------|----------+ | MAC verification | + | +----------|---------+ + +---------|----------+ | + | MAC generation & | +----------|---------+ + | Encryption | | TLS Header removal | + +---------|----------+ +----------|---------+ + | | + ~ ~ + | | + V V + TLSCiphertext TLSPlaintext + +Supported Versions +^^^^^^^^^^^^^^^^^^ + +* TLS 1.2 +* TLS 1.3 +* DTLS 1.2 Device Features and Capabilities --------------------------------- diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index c4d64bb8e9..bd7b026547 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -282,6 +282,10 @@ rte_security_capability_get(struct rte_security_ctx *instance, if (capability->docsis.direction == idx->docsis.direction) return capability; + } else if (idx->protocol == RTE_SECURITY_PROTOCOL_TLS_RECORD) { + if (capability->tls_record.ver == idx->tls_record.ver && + capability->tls_record.type == idx->tls_record.type) + return capability; } } } diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 3b2df526ba..b9d064ed84 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
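Review bot: the first sentence of the new "TLS-Record Protocol" section in rte_security.rst reads "The Transport Layer Protocol provides communications security"; the word "Security" is missing (Transport Layer Security (TLS) protocol). The examples in the two property bullets, DES for encryption and SHA-1 for the MAC, are deprecated for TLS, and TLS 1.3, which this series adds, permits only AEAD ciphers with no separate keyed MAC; since the text goes into the programmer's guide for new offload support, AES-GCM or ChaCha20-Poly1305 and SHA-256 are better examples, and the "connection is reliable" bullet should say that for TLS 1.3 integrity comes from the AEAD tag rather than a MAC computed separately.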
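Review bot: in rte_security_capability_get(), the new RTE_SECURITY_PROTOCOL_TLS_RECORD branch matches on ver and type only, so the first capability with a matching version and session type is returned whatever its ar_win_size. A DTLS 1.2 read session requesting a non-zero ar_win_sz can therefore be created against an entry that advertises 0 (anti-replay not supported). Since rte_security_capability_idx carries no window size, the fix belongs in the documentation and in session creation: state in rte_security_tls_record_xform that the application must compare its ar_win_sz against tls_record.ar_win_size of the returned capability, and that session creation fails when the requested window exceeds the advertised maximum.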
@@ -620,6 +620,99 @@ struct rte_security_docsis_xform { /**< DOCSIS direction */ }; +/** Salt len to be used with AEAD algos in TLS 1.2 */ +#define RTE_SECURITY_TLS_1_2_SALT_LEN 4 +/** Salt len to be used with AEAD algos in TLS 1.3 */ +#define RTE_SECURITY_TLS_1_3_SALT_LEN 12 +/** Salt len to be used with AEAD algos in DTLS 1.2 */ +#define RTE_SECURITY_DTLS_1_2_SALT_LEN 4 + +/** TLS version */ +enum rte_security_tls_version { + RTE_SECURITY_VERSION_TLS_1_2, /**< TLS 1.2 */ + RTE_SECURITY_VERSION_TLS_1_3, /**< TLS 1.3 */ + RTE_SECURITY_VERSION_DTLS_1_2, /**< DTLS 1.2 */ +}; + +/** TLS session type */ +enum rte_security_tls_sess_type { + /** Record read session + * - Decrypt & digest verification. + */ + RTE_SECURITY_TLS_SESS_TYPE_READ, + /** Record write session + * - Encrypt & digest generation. + */ + RTE_SECURITY_TLS_SESS_TYPE_WRITE, +}; + +/** + * Configure soft and hard lifetime of a TLS record session + * + * Lifetime of a TLS record session would specify the maximum number of packets that can be + * processed. TLS record processing operations would start failing once hard limit is reached. + * + * Soft limits can be specified to generate notification when the TLS record session is approaching + * hard limits for lifetime. This would result in a warning returned in ``rte_crypto_op.aux_flags``. + */ +struct rte_security_tls_record_lifetime { + /** Soft expiry limit in number of packets */ + uint64_t packets_soft_limit; + /** Hard expiry limit in number of packets */ + uint64_t packets_hard_limit; +}; + +/** + * TLS record protocol session configuration. + * + * This structure contains data required to create a TLS record security session. + */ +struct rte_security_tls_record_xform { + /** TLS record version. */ + enum rte_security_tls_version ver; + /** TLS record session type. */ + enum rte_security_tls_sess_type type; + /** TLS record session lifetime. */ + struct rte_security_tls_record_lifetime life; + union { + /** TLS 1.2 parameters. 
*/ + struct { + /** Starting sequence number. */ + uint64_t seq_no; + /** Salt to be used for AEAD algos. */ + uint8_t salt[RTE_SECURITY_TLS_1_2_SALT_LEN]; + } tls_1_2; + + /** TLS 1.3 parameters. */ + struct { + /** Starting sequence number. */ + uint64_t seq_no; + /** Salt to be used for AEAD algos. */ + uint8_t salt[RTE_SECURITY_TLS_1_3_SALT_LEN]; + /** + * Minimum payload length (in case of write sessions). For shorter inputs, + * the payload would be padded appropriately before performing crypto + * transformations. + */ + uint32_t min_payload_len; + } tls_1_3; + + /** DTLS 1.2 parameters */ + struct { + /** Epoch value to be used. */ + uint16_t epoch; + /** 6B starting sequence number to be used. */ + uint64_t seq_no; + /** Salt to be used for AEAD algos. */ + uint8_t salt[RTE_SECURITY_DTLS_1_2_SALT_LEN]; + /** Anti replay window size to enable sequence replay attack handling. + * Anti replay check is disabled if the window size is 0. + */ + uint32_t ar_win_sz; + } dtls_1_2; + }; +}; + /** * Security session action type. */ @@ -654,6 +747,8 @@ enum rte_security_session_protocol { /**< PDCP Protocol */ RTE_SECURITY_PROTOCOL_DOCSIS, /**< DOCSIS Protocol */ + RTE_SECURITY_PROTOCOL_TLS_RECORD, + /**< TLS Record Protocol */ }; /** @@ -670,6 +765,7 @@ struct rte_security_session_conf { struct rte_security_macsec_xform macsec; struct rte_security_pdcp_xform pdcp; struct rte_security_docsis_xform docsis; + struct rte_security_tls_record_xform tls; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; 
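Review bot: documentation points in struct rte_security_tls_record_xform. `salt` means different things in the three arms: for TLS 1.2 and DTLS 1.2 with AES-GCM the 4-byte value is the implicit nonce prefix that is concatenated with the 8-byte explicit nonce carried in the record, whereas for TLS 1.3 the 12-byte value is the write IV that is XORed with the padded sequence number to form the per-record nonce (RFC 8446 section 5.3); the tls_1_3 comment should say so, because "salt" suggests the TLS 1.2 construction. Note also that ChaCha20-Poly1305 in TLS 1.2 (RFC 7905) uses the 12-byte XOR construction, which a fixed RTE_SECURITY_TLS_1_2_SALT_LEN of 4 cannot express, so either document that the TLS 1.2 arm covers AES-GCM/CCM only or size the field for both. The DTLS `seq_no` comment says "6B starting sequence number" on a uint64_t; documenting that values above 2^48-1 are rejected at session creation closes that gap. Finally, rte_security_tls_record_lifetime says the soft-limit warning is "returned in rte_crypto_op.aux_flags", while patch 3 of this series makes aux_flags the input carrying the content type for write sessions; the bit split between the two uses needs to be defined here.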
@@ -1190,6 +1286,16 @@ struct rte_security_capability { /**< DOCSIS direction */ } docsis; /**< DOCSIS capability */ + struct { + enum rte_security_tls_version ver; + /**< TLS record version. */ + enum rte_security_tls_sess_type type; + /**< TLS record session type. */ + uint32_t ar_win_size; + /**< Maximum anti replay window size supported for DTLS 1.2 record read + * operation. Value of 0 means anti replay check is not supported. + */ + } tls_record; }; const struct rte_cryptodev_capabilities *crypto_capabilities; 
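Review bot: naming and scope of the new capability field. The capability calls it `ar_win_size` while the xform in the same patch calls it `ar_win_sz`; pick one spelling. The comment restricts it to "DTLS 1.2 record read operation", so say explicitly that the field is meaningful only when ver is RTE_SECURITY_VERSION_DTLS_1_2 and type is RTE_SECURITY_TLS_SESS_TYPE_READ and must be reported as 0 in every other entry, otherwise applications cannot tell an unsupported window from an unset field.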
@@ -1251,6 +1357,10 @@ struct rte_security_capability_idx { struct { enum rte_security_docsis_direction direction; } docsis; + struct { + enum rte_security_tls_version ver; + enum rte_security_tls_sess_type type; + } tls_record; }; };
From patchwork Fri Aug 11 07:17:12 2023
X-Patchwork-Submitter: Anoob Joseph
X-Patchwork-Id: 130111
X-Patchwork-Delegate: gakhil@marvell.com

From: Anoob Joseph
To: Thomas Monjalon , Akhil Goyal , Jerin Jacob , Konstantin Ananyev
CC: Hemant Agrawal , , Olivier Matz , Vidya Sagar Velumuri
Subject: [RFC PATCH 3/3] cryptodev: add details of datapath handling of TLS records
Date: Fri, 11 Aug 2023 12:47:12 +0530
Message-ID: <20230811071712.240-4-anoobj@marvell.com>
In-Reply-To: <20230811071712.240-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com>

TLS/DTLS record processing requires content type to be provided per packet (for record write operation). Extend usage of rte_crypto_op.aux_flags for the same purpose.

Signed-off-by: Akhil Goyal
Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 doc/guides/prog_guide/rte_security.rst | 10 ++++++++++
 lib/cryptodev/rte_crypto.h | 6 ++++++
 2 files changed, 16 insertions(+)
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index 7716d7239f..6cb69bc949 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -451,6 +451,16 @@ Protocol. The TLS Record Protocol provides connection security that has two basi V V TLSCiphertext TLSPlaintext +TLS and DTLS header formation (in record write operation) would depend on the +type of content. It is a per packet variable and would need to be handled by +the same session. Application may pass this info to a cryptodev performing +lookaside protocol offload by passing the same in ``rte_crypto_op.aux_flags``. + +In record read operation, application is required to preserve any info it may +need from the TLS/DTLS header (such as content type and sequence number) as the +cryptodev would remove the header and padding as part of the lookaside protocol +processing. + Supported Versions ^^^^^^^^^^^^^^^^^^ diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index 9b8d0331a4..7c12a2b705 100644 --- a/lib/cryptodev/rte_crypto.h +++ b/lib/cryptodev/rte_crypto.h @@ -101,6 +101,12 @@ struct rte_crypto_op { /**< Operation specific auxiliary/additional flags. * These flags carry additional information from the * operation. Processing of the same is optional. + * + * With TLS record offload (RTE_SECURITY_PROTOCOL_TLS_RECORD), + * application would be required to provide the message + * type of the input provided. The 'aux_flags' field + * can be used for passing the same. Message types are + * listed as RTE_TLS_TYPE_* and RTE_DTLS_TYPE_*. */ uint8_t reserved[2]; /**< Reserved bytes to fill 64 bits for
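Review bot: the new rte_security.rst paragraph says the application "may pass" the content type in rte_crypto_op.aux_flags, while the rte_crypto.h change in the same patch says the application "would be required to provide" it; the two should agree. If the type is mandatory for record write, say so here and state what a PMD does with RTE_TLS_TYPE_INVALID or an out-of-range value (fail the op with an error status rather than emit a record with an arbitrary content type byte). For record read, the paragraph tells the application to preserve header fields before submitting, but the real content type of a TLS 1.3 record is the inner type that sits under the zero padding and is visible only after decryption (RFC 8446 section 5.2); since the text says the cryptodev removes "the header and padding", it must also say how that inner type reaches the application, otherwise alerts and post-handshake messages are indistinguishable from application data.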
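Review bot: in the rte_crypto.h hunk, the unchanged sentence just above the addition, "Processing of the same is optional", now contradicts the added text, which makes aux_flags a required input for TLS record write. Reword the comment so that for RTE_SECURITY_PROTOCOL_TLS_RECORD write sessions aux_flags is an input the PMD must honour, list the accepted values (RTE_TLS_TYPE_* and RTE_DTLS_TYPE_*, all in the range 20..26), and reserve the bits any PMD may set on return, because the lifetime documentation in rte_security.h returns a soft-expiry warning in this same 8-bit field and a returned flag must not be confusable with the type value the application supplied.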