get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/138360/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 138360,
    "url": "https://patches.dpdk.org/api/patches/138360/?format=api",
    "web_url": "https://patches.dpdk.org/project/dpdk/patch/20240314083844.3319506-8-vvelumuri@marvell.com/",
    "project": {
        "id": 1,
        "url": "https://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20240314083844.3319506-8-vvelumuri@marvell.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20240314083844.3319506-8-vvelumuri@marvell.com",
    "date": "2024-03-14T08:38:39",
    "name": "[07/12] crypto/cnxk: add support for padding verification in TLS",
    "commit_ref": null,
    "pull_url": null,
    "state": "superseded",
    "archived": true,
    "hash": "94b38687fe0a592129219989ae374067004a4fc4",
    "submitter": {
        "id": 2363,
        "url": "https://patches.dpdk.org/api/people/2363/?format=api",
        "name": "Vidya Sagar Velumuri",
        "email": "vvelumuri@marvell.com"
    },
    "delegate": {
        "id": 6690,
        "url": "https://patches.dpdk.org/api/users/6690/?format=api",
        "username": "akhil",
        "first_name": "akhil",
        "last_name": "goyal",
        "email": "gakhil@marvell.com"
    },
    "mbox": "https://patches.dpdk.org/project/dpdk/patch/20240314083844.3319506-8-vvelumuri@marvell.com/mbox/",
    "series": [
        {
            "id": 31505,
            "url": "https://patches.dpdk.org/api/series/31505/?format=api",
            "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=31505",
            "date": "2024-03-14T08:38:32",
            "name": "Add TLS features",
            "version": 1,
            "mbox": "https://patches.dpdk.org/series/31505/mbox/"
        }
    ],
    "comments": "https://patches.dpdk.org/api/patches/138360/comments/",
    "check": "success",
    "checks": "https://patches.dpdk.org/api/patches/138360/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id F069F43CAE;\n\tThu, 14 Mar 2024 09:40:03 +0100 (CET)",
            "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id CA8AA42E85;\n\tThu, 14 Mar 2024 09:39:28 +0100 (CET)",
            "from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com\n [67.231.156.173])\n by mails.dpdk.org (Postfix) with ESMTP id 2383342E7B\n for <dev@dpdk.org>; Thu, 14 Mar 2024 09:39:27 +0100 (CET)",
            "from pps.filterd (m0045851.ppops.net [127.0.0.1])\n by mx0b-0016f401.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id\n 42DN4rEY016105 for <dev@dpdk.org>; Thu, 14 Mar 2024 01:39:26 -0700",
            "from dc6wp-exch02.marvell.com ([4.21.29.225])\n by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3wucg2uwv6-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)\n for <dev@dpdk.org>; Thu, 14 Mar 2024 01:39:25 -0700 (PDT)",
            "from DC6WP-EXCH02.marvell.com (10.76.176.209) by\n DC6WP-EXCH02.marvell.com (10.76.176.209) with Microsoft SMTP Server\n (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n 15.2.1258.12; Thu, 14 Mar 2024 01:39:25 -0700",
            "from maili.marvell.com (10.69.176.80) by DC6WP-EXCH02.marvell.com\n (10.76.176.209) with Microsoft SMTP Server id 15.2.1258.12 via Frontend\n Transport; Thu, 14 Mar 2024 01:39:25 -0700",
            "from localhost.localdomain (unknown [10.28.36.179])\n by maili.marvell.com (Postfix) with ESMTP id 043E75B6928;\n Thu, 14 Mar 2024 01:39:20 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=\n from:to:cc:subject:date:message-id:in-reply-to:references\n :mime-version:content-transfer-encoding:content-type; s=\n pfpt0220; bh=WfB4BYOJIsMBpaYBDgiKz/ovsKN55xlp8nfpVG/UyCA=; b=KFr\n aigYsONR0nKMVhRmo1Y8Ud/cK92ka3k7tPKqlWnqKnY0w+SP6uYiW2RpDf6FIZir\n qsFNo47hkXIvamuXDDNKL7IBXUWDiYuvAAqoLa8uwAzlB+jnamf+ONC6OJvr/AE0\n /10kvOBLJ3Nu+jneTyiSdpS2f5Q+6SEbvSI761zp0AhaE/D0yMae/9JUSP/paJFR\n ENZRr4K5K2RjqkiXweQ/EzEHaDbLdVKB2/Wdw6iFnyNSZilXbPD9Au4pHZRBNHZC\n CBJv2GGuurqSKq+A+k7pvTEwjX8rxuQsVmW1u4cP/mT4NS8rm7SP8+ZlBZONziPH\n K8iInGp6pvGMAlS7MAQ==",
        "From": "Vidya Sagar Velumuri <vvelumuri@marvell.com>",
        "To": "Nithin Dabilpuram <ndabilpuram@marvell.com>, Kiran Kumar K\n <kirankumark@marvell.com>, Sunil Kumar Kori <skori@marvell.com>, Satha Rao\n <skoteshwar@marvell.com>, Harman Kalra <hkalra@marvell.com>, Ankur Dwivedi\n <adwivedi@marvell.com>, Anoob Joseph <anoobj@marvell.com>, Tejasree Kondoj\n <ktejasree@marvell.com>",
        "CC": "<gakhil@marvell.com>, <jerinj@marvell.com>, <vvelumuri@marvell.com>,\n <asasidharan@marvell.com>, <dev@dpdk.org>",
        "Subject": "[PATCH 07/12] crypto/cnxk: add support for padding verification in\n TLS",
        "Date": "Thu, 14 Mar 2024 01:38:39 -0700",
        "Message-ID": "<20240314083844.3319506-8-vvelumuri@marvell.com>",
        "X-Mailer": "git-send-email 2.25.1",
        "In-Reply-To": "<20240314083844.3319506-1-vvelumuri@marvell.com>",
        "References": "<20240314083844.3319506-1-vvelumuri@marvell.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain",
        "X-Proofpoint-ORIG-GUID": "Vu96k0DgkXizYnIONC0FXcmIHQmYen4B",
        "X-Proofpoint-GUID": "Vu96k0DgkXizYnIONC0FXcmIHQmYen4B",
        "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26\n definitions=2024-03-14_07,2024-03-13_01,2023-05-22_02",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "For TLS-1.2:\n- Verify that the padding bytes are having pad len as the\n  value.\n- Report error in case of discrepancies.\n- Trim the padding and MAC from the tls-1.2 records\n\nFor TLS-1.3:\n- Find the content type as the last non-zero byte in the record.\n- Return the content type as the inner content type.\n\nSigned-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>\n---\n drivers/common/cnxk/roc_se.h              |   1 +\n drivers/crypto/cnxk/cn10k_cryptodev_ops.c | 146 +++++++++++++++++++++-\n drivers/crypto/cnxk/cn10k_cryptodev_sec.h |  18 +--\n drivers/crypto/cnxk/cn10k_tls.c           |  65 ++++++----\n drivers/crypto/cnxk/cn10k_tls_ops.h       |  19 +--\n 5 files changed, 210 insertions(+), 39 deletions(-)",
    "diff": "diff --git a/drivers/common/cnxk/roc_se.h b/drivers/common/cnxk/roc_se.h\nindex ddcf6bdb44..50741a0b81 100644\n--- a/drivers/common/cnxk/roc_se.h\n+++ b/drivers/common/cnxk/roc_se.h\n@@ -169,6 +169,7 @@ typedef enum {\n \tROC_SE_ERR_SSL_CIPHER_UNSUPPORTED = 0x84,\n \tROC_SE_ERR_SSL_MAC_UNSUPPORTED = 0x85,\n \tROC_SE_ERR_SSL_VERSION_UNSUPPORTED = 0x86,\n+\tROC_SE_ERR_SSL_POST_PROCESS = 0x88,\n \tROC_SE_ERR_SSL_MAC_MISMATCH = 0x89,\n \tROC_SE_ERR_SSL_PKT_REPLAY_SEQ_OUT_OF_WINDOW = 0xC1,\n \tROC_SE_ERR_SSL_PKT_REPLAY_SEQ = 0xC9,\ndiff --git a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c\nindex f385550f68..5f0cf1b1f8 100644\n--- a/drivers/crypto/cnxk/cn10k_cryptodev_ops.c\n+++ b/drivers/crypto/cnxk/cn10k_cryptodev_ops.c\n@@ -207,7 +207,7 @@ cpt_sec_tls_inst_fill(struct cnxk_cpt_qp *qp, struct rte_crypto_op *op,\n \t\t      struct cn10k_sec_session *sess, struct cpt_inst_s *inst,\n \t\t      struct cpt_inflight_req *infl_req, const bool is_sg_ver2)\n {\n-\tif (sess->tls.is_write)\n+\tif (sess->tls_opt.is_write)\n \t\treturn process_tls_write(&qp->lf, op, sess, &qp->meta_info, infl_req, inst,\n \t\t\t\t\t is_sg_ver2);\n \telse\n@@ -988,24 +988,164 @@ cn10k_cpt_ipsec_post_process(struct rte_crypto_op *cop, struct cpt_cn10k_res_s *\n \tmbuf->pkt_len = m_len;\n }\n \n+static inline void\n+cn10k_cpt_tls12_trim_mac(struct rte_crypto_op *cop, struct cpt_cn10k_res_s *res, uint8_t mac_len)\n+{\n+\tstruct rte_mbuf *mac_prev_seg = NULL, *mac_seg = NULL, *seg;\n+\tuint32_t pad_len, trim_len, mac_offset, pad_offset;\n+\tstruct rte_mbuf *mbuf = cop->sym->m_src;\n+\tuint16_t m_len = res->rlen;\n+\tuint32_t i, nb_segs = 1;\n+\tuint8_t pad_res = 0;\n+\tuint8_t pad_val;\n+\n+\tpad_val = ((res->spi >> 16) & 0xff);\n+\tpad_len = pad_val + 1;\n+\ttrim_len = pad_len + mac_len;\n+\tmac_offset = m_len - trim_len;\n+\tpad_offset = mac_offset + mac_len;\n+\n+\t/* Handle Direct Mode */\n+\tif (mbuf->next == NULL) {\n+\t\tuint8_t *ptr = 
rte_pktmbuf_mtod_offset(mbuf, uint8_t *, pad_offset);\n+\n+\t\tfor (i = 0; i < pad_len; i++)\n+\t\t\tpad_res |= ptr[i] ^ pad_val;\n+\n+\t\tif (pad_res) {\n+\t\t\tcop->status = RTE_CRYPTO_OP_STATUS_ERROR;\n+\t\t\tcop->aux_flags = res->uc_compcode;\n+\t\t}\n+\t\tmbuf->pkt_len = m_len - trim_len;\n+\t\tmbuf->data_len = m_len - trim_len;\n+\n+\t\treturn;\n+\t}\n+\n+\t/* Handle SG mode */\n+\tseg = mbuf;\n+\twhile (mac_offset >= seg->data_len) {\n+\t\tmac_offset -= seg->data_len;\n+\t\tmac_prev_seg = seg;\n+\t\tseg = seg->next;\n+\t\tnb_segs++;\n+\t}\n+\tmac_seg = seg;\n+\n+\tpad_offset = mac_offset + mac_len;\n+\twhile (pad_offset >= seg->data_len) {\n+\t\tpad_offset -= seg->data_len;\n+\t\tseg = seg->next;\n+\t}\n+\n+\twhile (pad_len != 0) {\n+\t\tuint8_t *ptr = rte_pktmbuf_mtod_offset(seg, uint8_t *, pad_offset);\n+\t\tuint8_t len = RTE_MIN(seg->data_len - pad_offset, pad_len);\n+\n+\t\tfor (i = 0; i < len; i++)\n+\t\t\tpad_res |= ptr[i] ^ pad_val;\n+\n+\t\tpad_offset = 0;\n+\t\tpad_len -= len;\n+\t\tseg = seg->next;\n+\t}\n+\n+\tif (pad_res) {\n+\t\tcop->status = RTE_CRYPTO_OP_STATUS_ERROR;\n+\t\tcop->aux_flags = res->uc_compcode;\n+\t}\n+\n+\tmbuf->pkt_len = m_len - trim_len;\n+\tif (mac_offset) {\n+\t\trte_pktmbuf_free(mac_seg->next);\n+\t\tmac_seg->next = NULL;\n+\t\tmac_seg->data_len = mac_offset;\n+\t\tmbuf->nb_segs = nb_segs;\n+\t} else {\n+\t\trte_pktmbuf_free(mac_seg);\n+\t\tmac_prev_seg->next = NULL;\n+\t\tmbuf->nb_segs = nb_segs - 1;\n+\t}\n+}\n+\n+/* TLS-1.3:\n+ * Read from last until a non-zero value is encountered.\n+ * Return the non zero value as the content type.\n+ * Remove the MAC and content type and padding bytes.\n+ */\n+static inline void\n+cn10k_cpt_tls13_trim_mac(struct rte_crypto_op *cop, struct cpt_cn10k_res_s *res)\n+{\n+\tstruct rte_mbuf *mbuf = cop->sym->m_src;\n+\tstruct rte_mbuf *seg = mbuf;\n+\tuint16_t m_len = res->rlen;\n+\tuint8_t *ptr, type = 0x0;\n+\tint len, i, nb_segs = 1;\n+\n+\twhile (m_len && !type) {\n+\t\tlen = 
m_len;\n+\t\tseg = mbuf;\n+\n+\t\t/* get the last seg */\n+\t\twhile (len > seg->data_len) {\n+\t\t\tlen -= seg->data_len;\n+\t\t\tseg = seg->next;\n+\t\t\tnb_segs++;\n+\t\t}\n+\n+\t\t/* walkthrough from last until a non zero value is found */\n+\t\tptr = rte_pktmbuf_mtod(seg, uint8_t *);\n+\t\ti = len;\n+\t\twhile (i && (ptr[--i] == 0))\n+\t\t\t;\n+\n+\t\ttype = ptr[i];\n+\t\tm_len -= len;\n+\t}\n+\n+\tif (type) {\n+\t\tcop->param1.tls_record.content_type = type;\n+\t\tmbuf->pkt_len = m_len + i;\n+\t\tmbuf->nb_segs = nb_segs;\n+\t\tseg->data_len = i;\n+\t\trte_pktmbuf_free(seg->next);\n+\t\tseg->next = NULL;\n+\t} else {\n+\t\tcop->status = RTE_CRYPTO_OP_STATUS_ERROR;\n+\t}\n+}\n+\n static inline void\n cn10k_cpt_tls_post_process(struct rte_crypto_op *cop, struct cpt_cn10k_res_s *res,\n \t\t\t   struct cn10k_sec_session *sess)\n {\n+\tstruct cn10k_tls_opt tls_opt = sess->tls_opt;\n \tstruct rte_mbuf *mbuf = cop->sym->m_src;\n \tuint16_t m_len = res->rlen;\n \n \tif (!res->uc_compcode) {\n-\t\tif ((sess->tls.tls_ver == RTE_SECURITY_VERSION_TLS_1_3) && (!sess->tls.is_write))\n+\t\tif ((tls_opt.tls_ver == RTE_SECURITY_VERSION_TLS_1_3) && (!tls_opt.is_write))\n \t\t\tm_len -= 1;\n \t\tif (mbuf->next == NULL)\n \t\t\tmbuf->data_len = m_len;\n \t\tmbuf->pkt_len = m_len;\n-\t} else {\n+\t\tcop->param1.tls_record.content_type = (res->spi >> 24) & 0xff;\n+\t\treturn;\n+\t}\n+\n+\t/* Any error other than post process */\n+\tif (res->uc_compcode != ROC_SE_ERR_SSL_POST_PROCESS) {\n \t\tcop->status = RTE_CRYPTO_OP_STATUS_ERROR;\n \t\tcop->aux_flags = res->uc_compcode;\n \t\tplt_err(\"crypto op failed with UC compcode: 0x%x\", res->uc_compcode);\n+\t\treturn;\n \t}\n+\n+\t/* Extra padding scenario: Verify padding. 
Remove padding and MAC */\n+\tif (tls_opt.tls_ver != RTE_SECURITY_VERSION_TLS_1_3)\n+\t\tcn10k_cpt_tls12_trim_mac(cop, res, (uint8_t)tls_opt.mac_len);\n+\telse\n+\t\tcn10k_cpt_tls13_trim_mac(cop, res);\n }\n \n static inline void\ndiff --git a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h\nindex 7e175119c3..4daf32cc78 100644\n--- a/drivers/crypto/cnxk/cn10k_cryptodev_sec.h\n+++ b/drivers/crypto/cnxk/cn10k_cryptodev_sec.h\n@@ -16,6 +16,15 @@\n \n #define SEC_SESS_SIZE sizeof(struct rte_security_session)\n \n+struct cn10k_tls_opt {\n+\tuint16_t pad_shift : 3;\n+\tuint16_t enable_padding : 1;\n+\tuint16_t tail_fetch_len : 2;\n+\tuint16_t tls_ver : 2;\n+\tuint16_t is_write : 1;\n+\tuint16_t mac_len : 7;\n+};\n+\n struct cn10k_sec_session {\n \tuint8_t rte_sess[SEC_SESS_SIZE];\n \n@@ -29,17 +38,12 @@ struct cn10k_sec_session {\n \tuint8_t proto;\n \tuint8_t iv_length;\n \tunion {\n+\t\tuint16_t u16;\n+\t\tstruct cn10k_tls_opt tls_opt;\n \t\tstruct {\n \t\t\tuint8_t ip_csum;\n \t\t\tuint8_t is_outbound : 1;\n \t\t} ipsec;\n-\t\tstruct {\n-\t\t\tuint8_t enable_padding : 1;\n-\t\t\tuint8_t tail_fetch_len : 2;\n-\t\t\tuint8_t is_write : 1;\n-\t\t\tuint8_t tls_ver : 2;\n-\t\t\tuint8_t rvsd : 2;\n-\t\t} tls;\n \t};\n \t/** Queue pair */\n \tstruct cnxk_cpt_qp *qp;\ndiff --git a/drivers/crypto/cnxk/cn10k_tls.c b/drivers/crypto/cnxk/cn10k_tls.c\nindex fe4da8d2a0..dea4e501f3 100644\n--- a/drivers/crypto/cnxk/cn10k_tls.c\n+++ b/drivers/crypto/cnxk/cn10k_tls.c\n@@ -116,8 +116,14 @@ cnxk_tls_xform_verify(struct rte_security_tls_record_xform *tls_xform,\n \t    (tls_xform->type != RTE_SECURITY_TLS_SESS_TYPE_WRITE))\n \t\treturn -EINVAL;\n \n-\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)\n+\tif (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {\n+\t\t/* optional padding is not allowed in TLS-1.2 for AEAD */\n+\t\tif ((tls_xform->ver == RTE_SECURITY_VERSION_TLS_1_2) &&\n+\t\t    (tls_xform->options.extra_padding_enable == 
1))\n+\t\t\treturn -EINVAL;\n+\n \t\treturn tls_xform_aead_verify(tls_xform, crypto_xform);\n+\t}\n \n \t/* TLS-1.3 only support AEAD.\n \t * Control should not reach here for TLS-1.3\n@@ -318,7 +324,7 @@ tls_read_ctx_size(struct roc_ie_ot_tls_read_sa *sa, enum rte_security_tls_versio\n static int\n tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,\n \t\t struct rte_security_tls_record_xform *tls_xfrm,\n-\t\t struct rte_crypto_sym_xform *crypto_xfrm)\n+\t\t struct rte_crypto_sym_xform *crypto_xfrm, struct cn10k_tls_opt *tls_opt)\n {\n \tenum rte_security_tls_version tls_ver = tls_xfrm->ver;\n \tstruct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm;\n@@ -397,16 +403,26 @@ tls_read_sa_fill(struct roc_ie_ot_tls_read_sa *read_sa,\n \t\tmemcpy(cipher_key, key, length);\n \t}\n \n-\tif (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_MD5_HMAC)\n+\tswitch (auth_xfrm->auth.algo) {\n+\tcase RTE_CRYPTO_AUTH_MD5_HMAC:\n \t\tread_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_MD5;\n-\telse if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)\n+\t\ttls_opt->mac_len = 0;\n+\t\tbreak;\n+\tcase RTE_CRYPTO_AUTH_SHA1_HMAC:\n \t\tread_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA1;\n-\telse if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)\n+\t\ttls_opt->mac_len = 20;\n+\t\tbreak;\n+\tcase RTE_CRYPTO_AUTH_SHA256_HMAC:\n \t\tread_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_256;\n-\telse if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC)\n+\t\ttls_opt->mac_len = 32;\n+\t\tbreak;\n+\tcase RTE_CRYPTO_AUTH_SHA384_HMAC:\n \t\tread_sa->w2.s.mac_select = ROC_IE_OT_TLS_MAC_SHA2_384;\n-\telse\n+\t\ttls_opt->mac_len = 48;\n+\t\tbreak;\n+\tdefault:\n \t\treturn -EINVAL;\n+\t}\n \n \troc_se_hmac_opad_ipad_gen(read_sa->w2.s.mac_select, auth_xfrm->auth.key.data,\n \t\t\t\t  auth_xfrm->auth.key.length, read_sa->tls_12.opad_ipad,\n@@ -627,7 +643,7 @@ cn10k_tls_read_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,\n \t}\n \n \t/* Translate security parameters to SA */\n-\tret = 
tls_read_sa_fill(sa_dptr, tls_xfrm, crypto_xfrm);\n+\tret = tls_read_sa_fill(sa_dptr, tls_xfrm, crypto_xfrm, &sec_sess->tls_opt);\n \tif (ret) {\n \t\tplt_err(\"Could not fill read session parameters\");\n \t\tgoto sa_dptr_free;\n@@ -647,20 +663,20 @@ cn10k_tls_read_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,\n \n \t/* pre-populate CPT INST word 4 */\n \tinst_w4.u64 = 0;\n-\tif ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) ||\n-\t    (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) {\n+\tif ((tls_ver == RTE_SECURITY_VERSION_TLS_1_2) ||\n+\t    (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2)) {\n \t\tinst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;\n-\t\tsec_sess->tls.tail_fetch_len = 0;\n+\t\tsec_sess->tls_opt.tail_fetch_len = 0;\n \t\tif (sa_dptr->w2.s.cipher_select == ROC_IE_OT_TLS_CIPHER_3DES)\n-\t\t\tsec_sess->tls.tail_fetch_len = 1;\n+\t\t\tsec_sess->tls_opt.tail_fetch_len = 1;\n \t\telse if (sa_dptr->w2.s.cipher_select == ROC_IE_OT_TLS_CIPHER_AES_CBC)\n-\t\t\tsec_sess->tls.tail_fetch_len = 2;\n-\t} else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) {\n+\t\t\tsec_sess->tls_opt.tail_fetch_len = 2;\n+\t} else if (tls_xfrm->ver == RTE_SECURITY_VERSION_TLS_1_3) {\n \t\tinst_w4.s.opcode_major =\n \t\t\tROC_IE_OT_TLS13_MAJOR_OP_RECORD_DEC | ROC_IE_OT_INPLACE_BIT;\n \t}\n \n-\tsec_sess->tls.tls_ver = tls_ver;\n+\tsec_sess->tls_opt.tls_ver = tls_ver;\n \tsec_sess->inst.w4 = inst_w4.u64;\n \tsec_sess->inst.w7 = cpt_inst_w7_get(roc_cpt, read_sa);\n \n@@ -730,18 +746,23 @@ cn10k_tls_write_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,\n \t\tsec_sess->iv_length = crypto_xfrm->next->cipher.iv.length;\n \t}\n \n-\tsec_sess->tls.tls_ver = tls_ver;\n-\tsec_sess->tls.is_write = 1;\n-\tsec_sess->tls.enable_padding = tls_xfrm->options.extra_padding_enable;\n+\tsec_sess->tls_opt.is_write = 1;\n+\tsec_sess->tls_opt.pad_shift = 0;\n+\tsec_sess->tls_opt.tls_ver = 
tls_ver;\n+\tsec_sess->tls_opt.enable_padding = tls_xfrm->options.extra_padding_enable;\n \tsec_sess->max_extended_len = tls_write_rlens_get(tls_xfrm, crypto_xfrm);\n \tsec_sess->proto = RTE_SECURITY_PROTOCOL_TLS_RECORD;\n \n \t/* pre-populate CPT INST word 4 */\n \tinst_w4.u64 = 0;\n-\tif ((sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_12) ||\n-\t    (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_DTLS_12)) {\n+\tif ((tls_ver == RTE_SECURITY_VERSION_TLS_1_2) ||\n+\t    (tls_ver == RTE_SECURITY_VERSION_DTLS_1_2)) {\n \t\tinst_w4.s.opcode_major = ROC_IE_OT_TLS_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;\n-\t} else if (sa_dptr->w2.s.version_select == ROC_IE_OT_TLS_VERSION_TLS_13) {\n+\t\tif (sa_dptr->w2.s.cipher_select == ROC_IE_OT_TLS_CIPHER_3DES)\n+\t\t\tsec_sess->tls_opt.pad_shift = 3;\n+\t\telse\n+\t\t\tsec_sess->tls_opt.pad_shift = 4;\n+\t} else if (tls_ver == RTE_SECURITY_VERSION_TLS_1_3) {\n \t\tinst_w4.s.opcode_major =\n \t\t\tROC_IE_OT_TLS13_MAJOR_OP_RECORD_ENC | ROC_IE_OT_INPLACE_BIT;\n \t}\n@@ -830,7 +851,7 @@ cn10k_sec_tls_session_destroy(struct cnxk_cpt_qp *qp, struct cn10k_sec_session *\n \n \tret = -1;\n \n-\tif (sess->tls.is_write) {\n+\tif (sess->tls_opt.is_write) {\n \t\tsa_dptr = plt_zmalloc(sizeof(struct roc_ie_ot_tls_write_sa), 8);\n \t\tif (sa_dptr != NULL) {\n \t\t\ttls_write_sa_init(sa_dptr);\ndiff --git a/drivers/crypto/cnxk/cn10k_tls_ops.h b/drivers/crypto/cnxk/cn10k_tls_ops.h\nindex 6fd74927ee..64f94a4e8b 100644\n--- a/drivers/crypto/cnxk/cn10k_tls_ops.h\n+++ b/drivers/crypto/cnxk/cn10k_tls_ops.h\n@@ -21,16 +21,21 @@ process_tls_write(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, struct cn10k\n \t\t  struct cpt_qp_meta_info *m_info, struct cpt_inflight_req *infl_req,\n \t\t  struct cpt_inst_s *inst, const bool is_sg_ver2)\n {\n+\tstruct cn10k_tls_opt tls_opt = sess->tls_opt;\n \tstruct rte_crypto_sym_op *sym_op = cop->sym;\n #ifdef LA_IPSEC_DEBUG\n \tstruct roc_ie_ot_tls_write_sa *write_sa;\n #endif\n \tstruct 
rte_mbuf *m_src = sym_op->m_src;\n+\tuint32_t pad_len, pad_bytes;\n \tstruct rte_mbuf *last_seg;\n \tunion cpt_inst_w4 w4;\n \tvoid *m_data = NULL;\n \tuint8_t *in_buffer;\n \n+\tpad_bytes = (cop->aux_flags * 8) > 0xff ? 0xff : (cop->aux_flags * 8);\n+\tpad_len = (pad_bytes >> tls_opt.pad_shift) * tls_opt.enable_padding;\n+\n #ifdef LA_IPSEC_DEBUG\n \twrite_sa = &sess->tls_rec.write_sa;\n \tif (write_sa->w2.s.iv_at_cptr == ROC_IE_OT_TLS_IV_SRC_FROM_SA) {\n@@ -94,7 +99,7 @@ process_tls_write(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, struct cn10k\n \t\tw4.s.dlen = m_src->data_len;\n \n \t\tw4.s.param2 = cop->param1.tls_record.content_type;\n-\t\tw4.s.opcode_minor = sess->tls.enable_padding * cop->aux_flags * 8;\n+\t\tw4.s.opcode_minor = pad_len;\n \n \t\tinst->w4.u64 = w4.u64;\n \t} else if (is_sg_ver2 == false) {\n@@ -148,10 +153,10 @@ process_tls_write(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, struct cn10k\n \t\tw4.s.param1 = rte_pktmbuf_pkt_len(m_src);\n \t\tw4.s.param2 = cop->param1.tls_record.content_type;\n \t\tw4.s.opcode_major |= (uint64_t)ROC_DMA_MODE_SG;\n-\t\tw4.s.opcode_minor = sess->tls.enable_padding * cop->aux_flags * 8;\n+\t\tw4.s.opcode_minor = pad_len;\n \n \t\t/* Output Scatter List */\n-\t\tlast_seg->data_len += sess->max_extended_len;\n+\t\tlast_seg->data_len += sess->max_extended_len + pad_bytes;\n \t\tinst->w4.u64 = w4.u64;\n \t} else {\n \t\tstruct roc_sg2list_comp *scatter_comp, *gather_comp;\n@@ -198,11 +203,11 @@ process_tls_write(struct roc_cpt_lf *lf, struct rte_crypto_op *cop, struct cn10k\n \t\tw4.u64 = sess->inst.w4;\n \t\tw4.s.dlen = rte_pktmbuf_pkt_len(m_src);\n \t\tw4.s.opcode_major &= (~(ROC_IE_OT_INPLACE_BIT));\n-\t\tw4.s.opcode_minor = sess->tls.enable_padding * cop->aux_flags * 8;\n+\t\tw4.s.opcode_minor = pad_len;\n \t\tw4.s.param1 = w4.s.dlen;\n \t\tw4.s.param2 = cop->param1.tls_record.content_type;\n \t\t/* Output Scatter List */\n-\t\tlast_seg->data_len += sess->max_extended_len;\n+\t\tlast_seg->data_len += 
sess->max_extended_len + pad_bytes;\n \t\tinst->w4.u64 = w4.u64;\n \t}\n \n@@ -234,7 +239,7 @@ process_tls_read(struct rte_crypto_op *cop, struct cn10k_sec_session *sess,\n \t\tinst->w4.u64 = w4.u64;\n \t} else if (is_sg_ver2 == false) {\n \t\tstruct roc_sglist_comp *scatter_comp, *gather_comp;\n-\t\tint tail_len = sess->tls.tail_fetch_len * 16;\n+\t\tint tail_len = sess->tls_opt.tail_fetch_len * 16;\n \t\tint pkt_len = rte_pktmbuf_pkt_len(m_src);\n \t\tuint32_t g_size_bytes, s_size_bytes;\n \t\tuint16_t *sg_hdr;\n@@ -289,7 +294,7 @@ process_tls_read(struct rte_crypto_op *cop, struct cn10k_sec_session *sess,\n \t\tinst->w4.u64 = w4.u64;\n \t} else {\n \t\tstruct roc_sg2list_comp *scatter_comp, *gather_comp;\n-\t\tint tail_len = sess->tls.tail_fetch_len * 16;\n+\t\tint tail_len = sess->tls_opt.tail_fetch_len * 16;\n \t\tint pkt_len = rte_pktmbuf_pkt_len(m_src);\n \t\tunion cpt_inst_w5 cpt_inst_w5;\n \t\tunion cpt_inst_w6 cpt_inst_w6;\n",
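Review bot: `ROC_SE_ERR_SSL_POST_PROCESS = 0x88` in drivers/common/cnxk/roc_se.h is added without a comment, yet in cn10k_cryptodev_ops.c it ends up in `cop->aux_flags` when the software padding check fails, whereas a MAC failure reports `ROC_SE_ERR_SSL_MAC_MISMATCH` (0x89). For TLS 1.2 block-cipher records, a caller that lets the peer observe which of the two occurred provides a padding oracle, so the distinction should be documented as internal only. I would add `/* Software must verify padding and trim the MAC; treat a failure like a MAC mismatch towards the peer */` above the new enumerator. The enum starts and ends outside the hunk.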
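Review bot: In `cn10k_cpt_tls12_trim_mac`, `mac_offset = m_len - trim_len` is computed without checking that `pad_len + mac_len` fits in `res->rlen`, so a pad value larger than the record wraps the unsigned offset and the padding loop reads outside the mbuf data; the pad byte is taken from `res->spi` and presumably reflects peer-supplied record bytes, so I would reject it first with `if (trim_len > m_len) { cop->status = RTE_CRYPTO_OP_STATUS_ERROR; cop->aux_flags = res->uc_compcode; return; }`. In the SG loop, `uint8_t len = RTE_MIN(seg->data_len - pad_offset, pad_len)` truncates to 0 when `pad_len` is 256 and the segment holds at least 256 more bytes, which skips the comparison for that segment and advances to `seg->next` with no NULL check; declaring it `uint32_t len` avoids the truncation. The final `else` branch dereferences `mac_prev_seg`, which is still NULL when the MAC begins at offset 0 of the first segment (a record with no payload), and it frees the head mbuf before `mbuf->nb_segs` is written. In `cn10k_cpt_tls13_trim_mac`, `nb_segs` is not reset at the top of the outer `while (m_len && !type)` loop, so a second pass over the chain overcounts segments.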
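Review bot: The `RTE_CRYPTO_AUTH_MD5_HMAC` case in `tls_read_sa_fill` sets `tls_opt->mac_len = 0`, while the other cases use the digest size (20, 32, 48); HMAC-MD5 produces a 16-byte MAC. With 0, `cn10k_cpt_tls12_trim_mac` would trim only the padding and leave the MAC in the payload, unless the hardware handles MD5 records differently, which the hunk does not show. I would expect `tls_opt->mac_len = 16;` or a comment explaining why 0 is intended. The function starts and ends outside the hunk.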
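Review bot: In `process_tls_write`, `pad_bytes` is derived from `cop->aux_flags` regardless of `tls_opt.enable_padding`, but the later hunks at `@@ -148` and `@@ -198` add it to `last_seg->data_len` unconditionally, so a session without extra padding still grows the output segment by up to 255 bytes if the caller leaves a non-zero `aux_flags` in the op. No tailroom check covering `pad_bytes` is visible in these hunks; if one exists outside them it should include this term. I would gate the value, e.g. `pad_bytes = tls_opt.enable_padding ? RTE_MIN(cop->aux_flags * 8, 0xff) : 0;`, and add a comment that `aux_flags` carries the requested padding in 8-byte units. The function body continues outside the hunk.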
    "prefixes": [
        "07/12"
    ]
}