From patchwork Tue Oct 3 10:48:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 132276 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9D015426AE; Tue, 3 Oct 2023 12:49:04 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 714AE40608; Tue, 3 Oct 2023 12:49:01 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id B89C24026B for ; Tue, 3 Oct 2023 12:48:58 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3932IwEP028322; Tue, 3 Oct 2023 03:48:57 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=KBj+K/00EDZ+zSDIyByWYcjepY2Lay2UQmP/8C4ANlI=; b=B/0Yuwccso1a/YUUrxGWzQBWNm7CEn4JDp2bTMbhOf4348ifwYKKuN2q2B9wremqGaQ9 UGyai6YfpSt/mq+eApzbIFyBzlS8r9KXOyWuv3wfl32NQTT1itv4YL3ibp+AfM6hj+xd k7AC6e/RL+benGOnRiyhfkwVlj0mHfPZXrpA3Brr5R4EIXqeuKGfA00rYBzCL0+MZAK6 aqoj+cZfPm6ebJeeBA42GD6hpdUBA2SUBRCPtdP4h8ly7Zhnqz4QJ1aDp0fMa2E8rVNl r6/oPX8H53tcoaD/5Efrze/Tr38h9yCf1gufVZXWKhIRyKQtm58UzoGIAgG7xqdNZL/f Gw== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3tek6myvxm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 03 Oct 2023 03:48:57 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Tue, 3 Oct 2023 03:48:55 -0700 
From: Anoob Joseph
To: Thomas Monjalon, Akhil Goyal, Jerin Jacob, Harry van Haaren
CC: Konstantin Ananyev, Hemant Agrawal, , Olivier Matz, Vidya Sagar Velumuri
Subject: [PATCH v2 1/5] net: add headers for TLS/DTLS packets
Date: Tue, 3 Oct 2023 16:18:50 +0530
Message-ID: <20231003104854.1381-2-anoobj@marvell.com>
In-Reply-To: <20231003104854.1381-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com> <20231003104854.1381-1-anoobj@marvell.com>
List-Id: DPDK patches and discussions

From: Akhil Goyal

Added TLS and DTLS packet headers for L4 security applications.

Signed-off-by: Akhil Goyal
Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 doc/api/doxy-api-index.md | 2 ++
 lib/net/meson.build | 2 ++
 lib/net/rte_dtls.h | 61 +++++++++++++++++++++++++++++++++++++++
 lib/net/rte_tls.h | 48 ++++++++++++++++++++++++++++++
 4 files changed, 113 insertions(+)
 create mode 100644 lib/net/rte_dtls.h
 create mode 100644 lib/net/rte_tls.h

diff --git a/doc/api/doxy-api-index.md b/doc/api/doxy-api-index.md
index fdeda13932..03e2445bb1 100644
--- a/doc/api/doxy-api-index.md
+++ b/doc/api/doxy-api-index.md
@@ -128,6 +128,8 @@ The public API headers are grouped by topics: [eCPRI](@ref rte_ecpri.h), [PDCP hdr](@ref rte_pdcp_hdr.h), [PDCP](@ref rte_pdcp.h), + [TLS](@ref rte_tls.h), + [DTLS](@ref rte_dtls.h), [L2TPv2](@ref rte_l2tpv2.h), [PPP](@ref rte_ppp.h), [IB](@ref rte_ib.h) diff --git a/lib/net/meson.build b/lib/net/meson.build index b1bc27bad5..0b69138949 100644 --- a/lib/net/meson.build +++ b/lib/net/meson.build @@ -5,6 +5,8 @@ headers = files( 'rte_ip.h', 'rte_tcp.h', 'rte_udp.h', + 'rte_tls.h', + 'rte_dtls.h', 'rte_esp.h', 'rte_sctp.h', 'rte_icmp.h', diff --git a/lib/net/rte_dtls.h b/lib/net/rte_dtls.h new file mode 100644 index 0000000000..49bded1d96 --- /dev/null +++ b/lib/net/rte_dtls.h 
@@ -0,0 +1,61 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2023 Marvell. + */ + +#ifndef RTE_DTLS_H +#define RTE_DTLS_H + +/** + * @file + * + * Datagram transport layer security(DTLS) related defines. + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define RTE_DTLS_TYPE_INVALID 0 /**< Invalid DTLS message type. */ +#define RTE_DTLS_TYPE_CHANGE_CIPHER_SPEC 20 /**< Change cipher spec message. */ +#define RTE_DTLS_TYPE_ALERT 21 /**< Alert message. */ +#define RTE_DTLS_TYPE_HANDSHAKE 22 /**< Handshake message for DTLS. */ +#define RTE_DTLS_TYPE_APPDATA 23 /**< DTLS application data message. */ +#define RTE_DTLS_TYPE_HEARTBEAT 24 /**< DTLS 1.3 heartbeat message. */ +#define RTE_DTLS_TYPE_CIPHERTEXT_WITH_CID 25 /**< DTLS 1.3 ciphertext with CID message. */ +#define RTE_DTLS_TYPE_ACK 26 /**< DTLS 1.3 ACK message. */ +#define RTE_DTLS_TYPE_MAX 255 /**< Maximum value as DTLS content type. */ + +#define RTE_DTLS_VERSION_1_2 0xFEFD /**< DTLS 1.2 version. 1's complement of 1.2. */ +#define RTE_DTLS_VERSION_1_3 0xFEFC /**< DTLS 1.3 version. 1's complement of 1.3. */ + +/** + * DTLS Header + */ +__extension__ +struct rte_dtls_hdr { + /** Content type of DTLS packet. Defined as RTE_DTLS_TYPE_*. */ + uint8_t type; + /** DTLS Version defined as RTE_DTLS_VERSION*. */ + rte_be16_t version; +#if RTE_BYTE_ORDER == RTE_LITTLE_ENDIAN + /** The sequence number for the DTLS record. */ + uint64_t sequence_number : 48; + /** A counter value that is incremented on every cipher state change. */ + uint64_t epoch : 16; +#elif RTE_BYTE_ORDER == RTE_BIG_ENDIAN + /** A counter value that is incremented on every cipher state change. */ + uint64_t epoch : 16; + /** The sequence number for the DTLS record. */ + uint64_t sequence_number : 48; +#endif + /** The length (in bytes) of the following DTLS packet. */ + rte_be16_t length; +} __rte_packed; + +#ifdef __cplusplus +} +#endif + +#endif /* RTE_DTLS_H */ 
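Review bot: In the `struct rte_dtls_hdr` definition of this hunk, swapping the declaration order of the `epoch` and `sequence_number` bitfields per `RTE_BYTE_ORDER` does not byte-swap the 8-byte word they share, so the struct cannot be overlaid on a received record on a little-endian host: there `sequence_number : 48` is allocated in the low 48 bits, i.e. the first six bytes in memory, while the DTLS record header carries the 2-byte epoch before the 6-byte sequence number. Either document that the two fields are only meaningful after the 64-bit word has been converted from big-endian with `rte_be_to_cpu_64()`, or store them in wire form like the neighbouring fields (`rte_be16_t epoch;` followed by `uint8_t sequence_number[6];`) so the header can be read in place. Minor: content type 24 is the heartbeat record type of RFC 6520 and content type 25 is the `tls12_cid` type of RFC 9146 (connection IDs for DTLS 1.2), so the "DTLS 1.3" qualifiers on `RTE_DTLS_TYPE_HEARTBEAT` and `RTE_DTLS_TYPE_CIPHERTEXT_WITH_CID` are misleading; the `@file` comment is also missing a space in `security(DTLS)`.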
diff --git a/lib/net/rte_tls.h b/lib/net/rte_tls.h new file mode 100644 index 0000000000..ee1e3aa249 --- /dev/null +++ b/lib/net/rte_tls.h 
@@ -0,0 +1,48 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2023 Marvell. + */ + +#ifndef RTE_TLS_H +#define RTE_TLS_H + +/** + * @file + * + * Transport layer security(TLS) related defines. + */ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define RTE_TLS_TYPE_INVALID 0 /**< Invalid TLS message type. */ +#define RTE_TLS_TYPE_CHANGE_CIPHER_SPEC 20 /**< Change cipher spec message. */ +#define RTE_TLS_TYPE_ALERT 21 /**< Alert message. */ +#define RTE_TLS_TYPE_HANDSHAKE 22 /**< Handshake message for TLS. */ +#define RTE_TLS_TYPE_APPDATA 23 /**< TLS application data message. */ +#define RTE_TLS_TYPE_HEARTBEAT 24 /**< TLS 1.3 heartbeat message. */ +#define RTE_TLS_TYPE_MAX 255 /**< Maximum value as TLS content type. */ + +#define RTE_TLS_VERSION_1_2 0x0303 /**< TLS 1.2 version. */ +#define RTE_TLS_VERSION_1_3 0x0304 /**< TLS 1.3 version. */ + +/** + * TLS Header + */ +__extension__ +struct rte_tls_hdr { + /** Content type of TLS packet. Defined as RTE_TLS_TYPE_*. */ + uint8_t type; + /** TLS Version defined as RTE_TLS_VERSION*. */ + rte_be16_t version; + /** The length (in bytes) of the following TLS packet. 
 */ + rte_be16_t length; +} __rte_packed; + +#ifdef __cplusplus +} +#endif + +#endif /* RTE_TLS_H */

From patchwork Tue Oct 3 10:48:51 2023 X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 132277
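Review bot: In the rte_tls.h hunk above, the `version` comment ("TLS Version defined as RTE_TLS_VERSION*") together with `RTE_TLS_VERSION_1_3 0x0304` suggests that TLS 1.3 records carry 0x0304 in the record header, but RFC 8446 section 5.1 fixes `legacy_record_version` to 0x0303 for every record produced by a TLS 1.3 implementation (0x0301 is additionally permitted on the initial ClientHello), so a parser matching `hdr->version` against `RTE_TLS_VERSION_1_3` will never see a 1.3 record. Suggest documenting that the record-layer field holds 0x0303 for both 1.2 and 1.3 and that `RTE_TLS_VERSION_1_3` names the negotiated version rather than the header contents. Minor: as in rte_dtls.h, content type 24 is the RFC 6520 heartbeat type and not specific to TLS 1.3, and the `@file` comment is missing a space in `security(TLS)`.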
From: Anoob Joseph
To: Thomas Monjalon, Akhil Goyal, Jerin Jacob, Harry van Haaren
CC: Konstantin Ananyev, Hemant Agrawal, , Olivier Matz, Vidya Sagar Velumuri
Subject: [PATCH v2 2/5] security: add TLS record processing
Date: Tue, 3 Oct 2023 16:18:51 +0530
Message-ID: <20231003104854.1381-3-anoobj@marvell.com>
In-Reply-To: <20231003104854.1381-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com> <20231003104854.1381-1-anoobj@marvell.com>

Add Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The protocols provide communications privacy for L4 protocols such as TCP & UDP.

The TLS (and DTLS) protocol is composed of two layers:
1. TLS Record Protocol
2. TLS Handshake Protocol

While the TLS Handshake Protocol helps in establishing security parameters by which client and server can communicate, the TLS Record Protocol provides the connection security. The TLS Record Protocol leverages symmetric cryptographic operations such as data encryption and authentication for providing security to the communications.

Cryptodevs that are capable of offloading the TLS Record Protocol may perform other operations like IV generation, header insertion, atomic sequence number updates and anti-replay window check in addition to cryptographic transformations.

Support for the TLS record protocol is added for TLS 1.2, TLS 1.3 and DTLS 1.2.

Signed-off-by: Akhil Goyal
Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 doc/guides/prog_guide/rte_security.rst | 62 ++++++++++++++
 lib/security/rte_security.c | 4 +
 lib/security/rte_security.h | 110 +++++++++++++++++++++++++
 3 files changed, 176 insertions(+)

diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index ad8c6374bd..f90dee5df0 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -399,6 +399,66 @@ The API ``rte_security_macsec_sc_create`` returns a handle for SC, and this handle is set in ``rte_security_macsec_xform`` to create a MACsec session using ``rte_security_session_create``. +TLS-Record Protocol +~~~~~~~~~~~~~~~~~~~ + +The Transport Layer Protocol provides communications security over the Internet. The protocol +allows client/server applications to communicate in a way that is designed to prevent eavesdropping, +tampering, or message forgery. + +TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. At +the lowest level, layered on top of some reliable transport protocol (e.g., TCP), is the TLS Record +Protocol. The TLS Record Protocol provides connection security that has two basic properties: + + - The connection is private. Symmetric cryptography is used for data + encryption (e.g., AES, DES, etc.). The keys for this symmetric encryption + are generated uniquely for each connection and are based on a secret + negotiated during TLS Handshake Protocol. The Record Protocol can also be + used without encryption. + + - The connection is reliable. Message transport includes a message + integrity check using a keyed MAC. Secure hash functions (e.g., + SHA-1, etc.) are used for MAC computations. The Record Protocol can + operate without a MAC when it is being used as a transport for negotiating + security parameters by another protocol. + +.. code-block:: c + + Record Write Record Read + ------------ ----------- + + TLSPlaintext TLSCiphertext + | | + ~ ~ + | | + V V + +----------|-----------+ +----------|-----------+ + | Generate sequence no.| | Generate sequence no.| + +----------|-----------+ +----------------------+ + | | AR check (DTLS) | + +----------|-----------+ +----------|-----------+ + | Insert TLS header | | + | & trailer. 
| +----------|-----------+ + | (including padding) | | Decrypt & MAC verify | + +----------|-----------+ +----------|-----------+ + | | + +---------|-----------+ +----------|-----------+ + | MAC generate & | | Remove TLS header | + | Encrypt | | & trailer. | + +---------|-----------+ | (including padding) | + | +----------|-----------+ + | | + ~ ~ + | | + V V + TLSCiphertext TLSPlaintext + +Supported Versions +^^^^^^^^^^^^^^^^^^ + +* TLS 1.2 +* TLS 1.3 +* DTLS 1.2 Device Features and Capabilities --------------------------------- @@ -701,6 +761,8 @@ PDCP related configuration parameters are defined in ``rte_security_pdcp_xform`` DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform`` +TLS record related configuration parameters are defined in ``rte_security_tls_record_xform`` + Security API ~~~~~~~~~~~~ diff --git a/lib/security/rte_security.c b/lib/security/rte_security.c index ab44bbe0f0..04872ec1a0 100644 --- a/lib/security/rte_security.c +++ b/lib/security/rte_security.c @@ -314,6 +314,10 @@ rte_security_capability_get(void *ctx, struct rte_security_capability_idx *idx) RTE_SECURITY_PROTOCOL_MACSEC) { if (idx->macsec.alg == capability->macsec.alg) return capability; + } else if (idx->protocol == RTE_SECURITY_PROTOCOL_TLS_RECORD) { + if (capability->tls_record.ver == idx->tls_record.ver && + capability->tls_record.type == idx->tls_record.type) + return capability; } } } diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index c9cc7a45a6..54c32c1147 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
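Review bot: In the rte_security.rst hunk, the first sentence of the new "TLS-Record Protocol" section reads "The Transport Layer Protocol provides communications security"; the protocol is Transport Layer Security, so this should read "The Transport Layer Security (TLS) protocol provides communications security over the Internet." The two property bullets are taken from the RFC 5246 introduction and name DES and SHA-1 as examples; since this series also supports TLS 1.3, where only AEAD cipher suites exist and the separate keyed-MAC description does not apply, consider naming current algorithms (e.g. AES-GCM, SHA-256) and adding one sentence that in TLS 1.3 integrity comes from the AEAD tag. The record read/write diagram is ASCII art, so `.. code-block:: c` should be a plain literal block (`::` or `.. code-block:: text`) to avoid C highlighting of the boxes.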
@@ -597,6 +597,98 @@ struct rte_security_docsis_xform { /**< DOCSIS direction */ }; +/** Implicit nonce length to be used with AEAD algos in TLS 1.2 */ +#define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4 +/** Implicit nonce length to be used with AEAD algos in TLS 1.3 */ +#define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12 +/** Implicit nonce length to be used with AEAD algos in DTLS 1.2 */ +#define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4 + +/** TLS version */ +enum rte_security_tls_version { + RTE_SECURITY_VERSION_TLS_1_2, /**< TLS 1.2 */ + RTE_SECURITY_VERSION_TLS_1_3, /**< TLS 1.3 */ + RTE_SECURITY_VERSION_DTLS_1_2, /**< DTLS 1.2 */ +}; + +/** TLS session type */ +enum rte_security_tls_sess_type { + /** Record read session + * - Decrypt & digest verification. + */ + RTE_SECURITY_TLS_SESS_TYPE_READ, + /** Record write session + * - Encrypt & digest generation. + */ + RTE_SECURITY_TLS_SESS_TYPE_WRITE, +}; + +/** + * TLS record session options + */ +struct rte_security_tls_record_sess_options { + /** Disable IV generation in PMD + * + * * 1: Disable IV generation in PMD. When disabled, IV provided in rte_crypto_op will be + * used by the PMD. + * + * * 0: Enable IV generation in PMD. When enabled, PMD generated random value would be used + * and application is not required to provide IV. + */ + uint32_t iv_gen_disable : 1; +}; + +/** + * TLS record protocol session configuration. + * + * This structure contains data required to create a TLS record security session. + */ +struct rte_security_tls_record_xform { + /** TLS record version. */ + enum rte_security_tls_version ver; + /** TLS record session type. */ + enum rte_security_tls_sess_type type; + /** TLS record session options. */ + struct rte_security_tls_record_sess_options options; + union { + /** TLS 1.2 parameters. */ + struct { + /** Starting sequence number. */ + uint64_t seq_no; + /** Implicit nonce to be used for AEAD algos. 
*/ + uint8_t imp_nonce[RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN]; + } tls_1_2; + + /** TLS 1.3 parameters. */ + struct { + /** Starting sequence number. */ + uint64_t seq_no; + /** Implicit nonce to be used for AEAD algos. */ + uint8_t imp_nonce[RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN]; + /** + * Minimum payload length (in case of write sessions). For shorter inputs, + * the payload would be padded appropriately before performing crypto + * transformations. + */ + uint32_t min_payload_len; + } tls_1_3; + + /** DTLS 1.2 parameters */ + struct { + /** Epoch value to be used. */ + uint16_t epoch; + /** 6B starting sequence number to be used. */ + uint64_t seq_no; + /** Implicit nonce to be used for AEAD algos. */ + uint8_t imp_nonce[RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN]; + /** Anti replay window size to enable sequence replay attack handling. + * Anti replay check is disabled if the window size is 0. + */ + uint32_t ar_win_sz; + } dtls_1_2; + }; +}; + /** * Security session action type. */ @@ -634,6 +726,8 @@ enum rte_security_session_protocol { /**< PDCP Protocol */ RTE_SECURITY_PROTOCOL_DOCSIS, /**< DOCSIS Protocol */ + RTE_SECURITY_PROTOCOL_TLS_RECORD, + /**< TLS Record Protocol */ }; /* >8 End enumeration of rte_security_session_protocol. */ @@ -651,6 +745,7 @@ struct rte_security_session_conf { struct rte_security_macsec_xform macsec; struct rte_security_pdcp_xform pdcp; struct rte_security_docsis_xform docsis; + struct rte_security_tls_record_xform tls_record; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; 
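Review bot: In the `rte_security_tls_record_xform` hunk, the `iv_gen_disable` comment says the PMD uses a "generated random value" when IV generation is enabled, but the requirement differs by record format and the comment should say which one applies: a TLS 1.2 / DTLS 1.2 CBC explicit IV must be unpredictable (random is correct), an AES-GCM explicit nonce (RFC 5288) only has to be unique and is normally the 64-bit sequence number, where a random 8-byte value adds birthday-collision risk for no benefit, and TLS 1.3 has no explicit IV at all because the per-record nonce is the sequence number XORed into the 12-byte `imp_nonce`, so the bit is meaningless there. Suggest documenting the per-version behaviour and stating that the bit is ignored for `RTE_SECURITY_VERSION_TLS_1_3` and for read sessions. Smaller points: `dtls_1_2.seq_no` is a `uint64_t` described as a "6B starting sequence number", so say that the upper 16 bits must be zero and what happens if they are not; and `tls_1_3.min_payload_len` only has meaning for `RTE_SECURITY_TLS_SESS_TYPE_WRITE`, which the comment should state.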
@@ -1217,6 +1312,17 @@ struct rte_security_capability { /**< DOCSIS direction */ } docsis; /**< DOCSIS capability */ + struct { + enum rte_security_tls_version ver; + /**< TLS record version. */ + enum rte_security_tls_sess_type type; + /**< TLS record session type. */ + uint32_t ar_win_size; + /**< Maximum anti replay window size supported for DTLS 1.2 record read + * operation. Value of 0 means anti replay check is not supported. + */ + } tls_record; + /**< TLS record capability */ }; const struct rte_cryptodev_capabilities *crypto_capabilities; 
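Review bot: In the `rte_security_capability` hunk, the DTLS anti-replay window field is named `ar_win_size`, while the matching session parameter added to `rte_security_tls_record_xform` earlier in this patch is `ar_win_sz`; use one spelling for both so that applications comparing the requested window against the capability do not have to track two names. The comment should also state whether the capability value is an upper bound and any smaller `ar_win_sz` is accepted (as "Maximum" suggests), or the only window size the device supports.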
@@ -1280,6 +1386,10 @@ struct rte_security_capability_idx { struct { enum rte_security_macsec_alg alg; } macsec; + struct { + enum rte_security_tls_version ver; + enum rte_security_tls_sess_type type; + } tls_record; }; };

From patchwork Tue Oct 3 10:48:52 2023 X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 132278
From: Anoob Joseph
To: Thomas Monjalon, Akhil Goyal, Jerin Jacob, Harry van Haaren
CC: Konstantin Ananyev, Hemant Agrawal, , Olivier Matz, Vidya Sagar Velumuri
Subject: [PATCH v2 3/5] security: support extra padding with TLS
Date: Tue, 3 Oct 2023 16:18:52 +0530
Message-ID: <20231003104854.1381-4-anoobj@marvell.com>
In-Reply-To: <20231003104854.1381-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com> <20231003104854.1381-1-anoobj@marvell.com>

In the TLS record write protocol (encrypt), the application may request extra padding in addition to the default padding which ensures that the crypto payload is aligned to the block size. This is required to hide the size of the traffic from an observer.

Extend the usage of ``rte_crypto_op.aux_flags`` to allow users to provide extra padding in units of 8B. It is an optional feature and any device that supports the same can declare so by making use of the corresponding capability.

Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 lib/cryptodev/rte_crypto.h | 14 +++++++++++++-
 lib/security/rte_security.h | 16 ++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index 9b8d0331a4..7b8f2bdc6d 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h
@@ -99,8 +99,20 @@ struct rte_crypto_op { /**< operation session type */ uint8_t aux_flags; /**< Operation specific auxiliary/additional flags. - * These flags carry additional information from the + * These flags carry additional information from/to the * operation. Processing of the same is optional. + * + * The flags are defined as RTE_CRYPTO_OP_AUX_FLAGS_* and would be set by + * PMD for application consumption when the status is + * RTE_CRYPTO_OP_STATUS_SUCCESS. In case of errors, the value of this + * field is undefined. + * + * With TLS record offload (RTE_SECURITY_PROTOCOL_TLS_RECORD), + * application may provide the extra padding required for the plaintext + * provided. This field can be used for passing the same in units of 8B. The + * value would be set by application for PMD consumption. + * + * @see struct rte_security_tls_record_sess_options */ uint8_t reserved[2]; /**< Reserved bytes to fill 64 bits for diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 54c32c1147..89e61e10ad 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h 
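Review bot: In the rte_crypto.h hunk, `aux_flags` is a `uint8_t` that now carries data in both directions: RTE_CRYPTO_OP_AUX_FLAGS_* bits set by the PMD on completion, and, for TLS record write, a padding count in 8-byte units set by the application. The comment should state that the PMD overwrites the field on completion rather than ORing into it, otherwise an odd padding count leaves bit 0 set and is indistinguishable from a returned flag; and it should give the limit: 255 units is 2040 bytes, but a TLS 1.2 / DTLS 1.2 block-cipher record can express at most 255 bytes of padding in its single `padding_length` byte (RFC 5246 section 6.2.3.2), so the behaviour when the requested amount cannot be encoded (clamp, or fail the op with a defined status) needs to be spelled out. It would also help to name `extra_padding_enable` next to the `@see struct rte_security_tls_record_sess_options` so readers know which option gates this use of the field.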
@@ -636,6 +636,22 @@ struct rte_security_tls_record_sess_options { * and application is not required to provide IV. */ uint32_t iv_gen_disable : 1; + /** Enable extra padding + * + * TLS allows user to pad the plain text to hide the actual size of the record. This is + * required to achieve traffic flow confidentiality in case of TLS/DTLS flows. This padding + * is in addition to the default padding performed by PMD (which ensures ciphertext is + * aligned to block size). + * + * On supported devices, application may pass the required additional padding via + * ``rte_crypto_op.aux_flags`` field. + * + * 1 : Enable extra padding of the plain text provided. The extra padding value would be + * read from ``rte_crypto_op.aux_flags``. + * + * 0 : Disable extra padding + */ + uint32_t extra_padding_enable : 1; }; /**

From patchwork Tue Oct 3 10:48:53 2023 X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 132279
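Review bot: In the `rte_security_tls_record_sess_options` hunk above, the `extra_padding_enable` comment says "TLS allows user to pad the plain text", but that holds only for some record formats: TLS 1.3 has an explicit zero-padding field after the inner content type, and TLS 1.2 / DTLS 1.2 block-cipher suites can extend the CBC padding, whereas TLS 1.2 / DTLS 1.2 AEAD suites (GenericAEADCipher) have no padding field at all. State which combinations of `ver` and cipher mode honour the bit and what the PMD does when it is set on a session whose record format cannot carry padding. The commit message also says a device "can declare so by making use of the corresponding capability", but this diff touches only `rte_crypto.h` and the session options and adds nothing to `rte_security_capability.tls_record`; either add the capability field or drop that sentence.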
From: Anoob Joseph
To: Thomas Monjalon, Akhil Goyal, Jerin Jacob, Harry van Haaren
CC: Vidya Sagar Velumuri, Konstantin Ananyev, Hemant Agrawal, , Olivier Matz
Subject: [PATCH v2 4/5] security: support TLS record lifetime notification
Date: Tue, 3 Oct 2023 16:18:53 +0530
Message-ID: <20231003104854.1381-5-anoobj@marvell.com>
In-Reply-To: <20231003104854.1381-1-anoobj@marvell.com>
References: <20230811071712.240-1-anoobj@marvell.com> <20231003104854.1381-1-anoobj@marvell.com>

From: Vidya Sagar Velumuri

Support TLS record lifetime notification. TLS record sessions may need to be renegotiated after a specific number of records are processed. For devices that are capable of tracking lifetime, the application may request to do so by configuring the lifetime parameters in the session. Upon soft expiry, the PMD will set the notification in the `rte_crypto_op.aux_flags` field. Hard expiration of the session would mean any subsequent crypto operation would fail.

Extend `rte_crypto_op.aux_flags` to support all sessions that may have a lifetime notification and include TLS record lifetime under the same.

Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri
---
 lib/cryptodev/rte_crypto.h | 11 ++++++++++-
 lib/security/rte_security.h | 18 ++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h
index 7b8f2bdc6d..9fe3e3d529 100644
--- a/lib/cryptodev/rte_crypto.h
+++ b/lib/cryptodev/rte_crypto.h @@ -64,9 +64,18 @@ enum rte_crypto_op_sess_type { RTE_CRYPTO_OP_SECURITY_SESSION /**< Security session crypto operation */ }; +/* Auxiliary flags related to crypto operation */ +#define RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY (1 << 0) +/**< Session soft expiry limit has been reached. Applicable for any session that has a soft lifetime + * feature supported. + * + * @see rte_security_ipsec_lifetime + * @see rte_security_tls_record_lifetime + */ + /* Auxiliary flags related to IPsec offload with RTE_SECURITY */ -#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY (1 << 0) +#define RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY /**< SA soft expiry limit has been reached */ /** diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 89e61e10ad..00d2a29a01 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -654,6 +654,22 @@ struct rte_security_tls_record_sess_options { uint32_t extra_padding_enable : 1; }; +/** + * Configure soft and hard lifetime of a TLS record session + * + * Lifetime of a TLS record session would specify the maximum number of packets that can be + * processed. TLS record processing operations would start failing once hard limit is reached. + * + * Soft limits can be specified to generate notification when the TLS record session is approaching + * hard limits for lifetime. This would result in a warning returned in ``rte_crypto_op.aux_flags``. + */ +struct rte_security_tls_record_lifetime { + /** Soft expiry limit in number of packets */ + uint64_t packets_soft_limit; + /** Hard expiry limit in number of packets */ + uint64_t packets_hard_limit; +}; + /** * TLS record protocol session configuration. * 
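Review bot: In the rte_crypto.h hunk of this patch, `RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY` becomes an alias of the new generic `RTE_CRYPTO_OP_AUX_FLAGS_SESS_SOFT_EXPIRY`, yet the section comment still reads "Auxiliary flags related to IPsec offload with RTE_SECURITY" and the alias keeps its own "SA soft expiry" description; mark the old name as retained for API compatibility (with a `@see` to the generic flag) so new code does not mix the two. Since bit 0 of `aux_flags` is now an output flag for TLS record sessions while patch 3/5 uses the same byte as the application-supplied padding count for TLS record write, the comment on the generic flag should say that it is valid only on completed ops with `RTE_CRYPTO_OP_STATUS_SUCCESS` and that the PMD replaces the value the application wrote.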
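Review bot: In the `rte_security_tls_record_lifetime` hunk, the struct does not say what a zero limit means; applications that do not want lifetime tracking will leave `life` zeroed in the xform, so the comment should state that 0 disables the corresponding limit. It should also fix the unit: the struct counts "packets" while the commit message speaks of "records", and for DTLS one datagram may carry several records, so say which is counted. Finally, "operations would start failing" should name the `rte_crypto_op` status the PMD returns on hard expiry so that applications can tell it apart from an authentication failure; pointing out that TLS 1.3 requires a key update before the AEAD record limit (RFC 8446 section 5.5) would make the intended use of the soft limit clear.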
@@ -666,6 +682,8 @@ struct rte_security_tls_record_xform { enum rte_security_tls_sess_type type; /** TLS record session options. */ struct rte_security_tls_record_sess_options options; + /** TLS record session lifetime. */ + struct rte_security_tls_record_lifetime life; union { /** TLS 1.2 parameters. */ struct {

From patchwork Tue Oct 3 10:48:54 2023 X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 132280 X-Patchwork-Delegate: gakhil@marvell.com From: Anoob Joseph To: Thomas Monjalon , Akhil Goyal , Jerin Jacob , Harry van Haaren CC: Vidya Sagar Velumuri , Konstantin Ananyev , Hemant Agrawal , , Olivier Matz Subject: [PATCH v2 5/5] cryptodev: add details of datapath handling of TLS records Date: Tue, 3 Oct 2023 16:18:54 +0530 Message-ID: <20231003104854.1381-6-anoobj@marvell.com> In-Reply-To: <20231003104854.1381-1-anoobj@marvell.com> References: <20230811071712.240-1-anoobj@marvell.com> <20231003104854.1381-1-anoobj@marvell.com>

From: Vidya Sagar Velumuri

TLS/DTLS record processing requires the content type to be provided per packet (for the record write operation). Extend the usage of reserved fields in rte_crypto_op for the same purpose.

Signed-off-by: Anoob Joseph
Signed-off-by: Vidya Sagar Velumuri --- doc/guides/prog_guide/rte_security.rst | 12 ++++++++++++ doc/guides/rel_notes/release_23_11.rst | 6 ++++++ lib/cryptodev/rte_crypto.h | 25 ++++++++++++++++++++++++- 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst index f90dee5df0..7a25a7e649 100644 --- a/doc/guides/prog_guide/rte_security.rst +++ b/doc/guides/prog_guide/rte_security.rst @@ -453,6 +453,18 @@ Protocol. The TLS Record Protocol provides connection security that has two basi V V TLSCiphertext TLSPlaintext +TLS and DTLS header formation (in record write operation) would depend on +type of content. It is a per packet variable and would need to be handled by +the same session. Application may pass this info to a cryptodev performing +lookaside protocol offload by passing the same in ``rte_crypto_op.param1``. + +In record read operation, application is required to preserve any info it may +need from the TLS/DTLS header (such as content type and sequence number) as the +cryptodev would remove the header and padding as part of the lookaside protocol +processing. With TLS 1.3, the actual content type is part of the trailer (before +padding) and would be stripped by the PMD. For applications that may need this +info, PMD would return the value in ``rte_crypto_op.param1`` field. + Supported Versions ^^^^^^^^^^^^^^^^^^ diff --git a/doc/guides/rel_notes/release_23_11.rst b/doc/guides/rel_notes/release_23_11.rst index 250735efa9..663d1e9cf9 100644 --- a/doc/guides/rel_notes/release_23_11.rst +++ b/doc/guides/rel_notes/release_23_11.rst 
@@ -83,6 +83,12 @@ New Features Similar to out of place processing support for lookaside security session, added the same support for inline ingress security session. +* **Added support for TLS and DTLS record in rte_security.** + + Added TLS and DTLS record transform for rte_security session and added + enhancements to ``rte_crypto_op`` fields to handle all datapath requirements + of TLS and DTLS. The support is added for TLS 1.2, TLS 1.3 and DTLS 1.2. + * **Updated ipsec_mb crypto driver.** Added support for digest encrypted to AESNI_MB asynchronous crypto driver. diff --git a/lib/cryptodev/rte_crypto.h b/lib/cryptodev/rte_crypto.h index 9fe3e3d529..34aacd9312 100644 --- a/lib/cryptodev/rte_crypto.h +++ b/lib/cryptodev/rte_crypto.h @@ -123,7 +123,30 @@ struct rte_crypto_op { * * @see struct rte_security_tls_record_sess_options */ - uint8_t reserved[2]; + union { + struct { + uint8_t content_type; + /**< Content type. The field can act both as input + * and output. + * + * As input, for passing message type in case of record + * write (encrypt) operation. Applicable for, + * 1. TLS 1.2 + * 2. TLS 1.3 + * 3. DTLS 1.2 + * + * As output, for returning message type in case of record + * read (decrypt) operation. Applicable for, + * 1. TLS 1.3 + * + * Message types are listed as RTE_TLS_TYPE_* and + * RTE_DTLS_TYPE_*. + */ + } tls_record; + /**< TLS record */ + } param1; + /**< Additional per operation parameter 1. */ + uint8_t reserved[1]; /**< Reserved bytes to fill 64 bits for * future additions */
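Review bot: the rte_security.rst hunk tells the application to pass the content type in ``rte_crypto_op.param1``, but the rte_crypto.h change nests it as ``param1.tls_record.content_type``; please use the full member path in both new paragraphs so the guide matches the header. The record read paragraph should also state what the PMD does when it cannot recover a valid RTE_TLS_TYPE_* value from a TLS 1.3 trailer (which op status is set, and whether ``content_type`` is left unmodified), since the application can no longer inspect the stripped trailer to check for itself.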
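Review bot: the rte_crypto.h hunk replaces ``reserved[2]`` with a one-byte ``param1`` union plus ``reserved[1]``, but nothing guards that ``sizeof(param1)`` stays 1 if a second union member is added later; an ``RTE_BUILD_BUG_ON`` on the size or offset of the affected fields would protect the 64-bit layout that the ``reserved`` comment promises. The ``content_type`` comment also leaves two cases undefined: on record read for TLS 1.2 and DTLS 1.2 (listed as input-only) it should say whether the PMD leaves the field untouched or zeroes it, and on record write it should say whether the PMD must validate the value against RTE_TLS_TYPE_* / RTE_DTLS_TYPE_* or may emit whatever byte it is given into the record header, since the latter puts an unchecked application value on the wire.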