diff mbox series

[1/3] crypto/octeontx2: add UDP encapsulation support

Message ID 20210315103616.31364-2-ktejasree@marvell.com (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal
Headers show
Series add lookaside IPsec UDP encapsulation and transport mode | expand

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Tejasree Kondoj March 15, 2021, 10:36 a.m. UTC
Adding UDP encapsulation support for IPsec in
lookaside protocol mode.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 doc/guides/cryptodevs/octeontx2.rst           |  1 +
 doc/guides/rel_notes/release_21_05.rst        |  5 +++
 drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 40 ++++++-------------
 3 files changed, 18 insertions(+), 28 deletions(-)
diff mbox series

Patch

diff --git a/doc/guides/cryptodevs/octeontx2.rst b/doc/guides/cryptodevs/octeontx2.rst
index d312eeb74c..b30f98180a 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -181,6 +181,7 @@  Features supported
 * Tunnel mode
 * ESN
 * Anti-replay
+* UDP Encapsulation
 * AES-128/192/256-GCM
 * AES-128/192/256-CBC-SHA1-HMAC
 * AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_05.rst b/doc/guides/rel_notes/release_21_05.rst
index 23f7f0bff9..66e28e21be 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -65,6 +65,11 @@  New Features
 
   * Added support for txgbevf PMD.
 
+* **Updated the OCTEON TX2 crypto PMD.**
+
+  * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+    UDP encapsulation support for NAT Traversal.
+
 * **Updated testpmd.**
 
   * Added command to display Rx queue used descriptor count.
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 342f089df8..8942ff1fac 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -203,6 +203,7 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				     struct rte_security_session *sec_sess)
 {
 	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	struct otx2_ipsec_po_ip_template *template;
 	const uint8_t *cipher_key, *auth_key;
 	struct otx2_sec_session_ipsec_lp *lp;
 	struct otx2_ipsec_po_sa_ctl *ctl;
@@ -248,11 +249,7 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				if (ipsec->options.udp_encap) {
-					sa->aes_gcm.template.ip4.udp_src = 4500;
-					sa->aes_gcm.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+				template = &sa->aes_gcm.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						aes_gcm.template) + sizeof(
 						sa->aes_gcm.template.ip4);
@@ -260,11 +257,7 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				if (ipsec->options.udp_encap) {
-					sa->sha1.template.ip4.udp_src = 4500;
-					sa->sha1.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->sha1.template.ip4.ipv4_hdr;
+				template = &sa->sha1.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha1.template) + sizeof(
 						sa->sha1.template.ip4);
@@ -272,11 +265,7 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				if (ipsec->options.udp_encap) {
-					sa->sha2.template.ip4.udp_src = 4500;
-					sa->sha2.template.ip4.udp_dst = 4500;
-				}
-				ip = &sa->sha2.template.ip4.ipv4_hdr;
+				template = &sa->sha2.template;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha2.template) + sizeof(
 						sa->sha2.template.ip4);
@@ -285,8 +274,15 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 			} else {
 				return -EINVAL;
 			}
+			ip = &template->ip4.ipv4_hdr;
+			if (ipsec->options.udp_encap) {
+				ip->next_proto_id = IPPROTO_UDP;
+				template->ip4.udp_src = rte_be_to_cpu_16(4500);
+				template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+			} else {
+				ip->next_proto_id = IPPROTO_ESP;
+			}
 			ip->version_ihl = RTE_IPV4_VHL_DEF;
-			ip->next_proto_id = IPPROTO_ESP;
 			ip->time_to_live = ipsec->tunnel.ipv4.ttl;
 			ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
 			if (ipsec->tunnel.ipv4.df)
@@ -299,10 +295,6 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
 
 			if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
-				if (ipsec->options.udp_encap) {
-					sa->aes_gcm.template.ip6.udp_src = 4500;
-					sa->aes_gcm.template.ip6.udp_dst = 4500;
-				}
 				ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						aes_gcm.template) + sizeof(
@@ -311,10 +303,6 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA1) {
-				if (ipsec->options.udp_encap) {
-					sa->sha1.template.ip6.udp_src = 4500;
-					sa->sha1.template.ip6.udp_dst = 4500;
-				}
 				ip6 = &sa->sha1.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha1.template) + sizeof(
@@ -323,10 +311,6 @@  crypto_sec_ipsec_outb_session_create(struct rte_cryptodev *crypto_dev,
 				lp->ctx_len = ctx_len >> 3;
 			} else if (ctl->auth_type ==
 					OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
-				if (ipsec->options.udp_encap) {
-					sa->sha2.template.ip6.udp_src = 4500;
-					sa->sha2.template.ip6.udp_dst = 4500;
-				}
 				ip6 = &sa->sha2.template.ip6.ipv6_hdr;
 				ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
 						sha2.template) + sizeof(