[ceph.git] / ceph / src / spdk / dpdk / examples / ipsec-secgw / esp.c

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2016-2017 Intel Corporation
 */

#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <fcntl.h>
#include <unistd.h>

#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_cryptodev.h>
#include <rte_random.h>

#include "ipsec.h"
#include "esp.h"
#include "ipip.h"

int
esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
		struct rte_crypto_op *cop)
{
	struct ip *ip4;
	struct rte_crypto_sym_op *sym_cop;
	int32_t payload_len, ip_hdr_len;

	RTE_ASSERT(sa != NULL);
	if (ipsec_get_action_type(sa) ==
			RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
		return 0;

	RTE_ASSERT(m != NULL);
	RTE_ASSERT(cop != NULL);

	ip4 = rte_pktmbuf_mtod(m, struct ip *);
	if (likely(ip4->ip_v == IPVERSION))
		ip_hdr_len = ip4->ip_hl * 4;
	else if (ip4->ip_v == IP6_VERSION)
		/* XXX No option headers supported */
		ip_hdr_len = sizeof(struct ip6_hdr);
	else {
		RTE_LOG(ERR, IPSEC_ESP, "invalid IP packet type %d\n",
				ip4->ip_v);
		return -EINVAL;
	}

	payload_len = rte_pktmbuf_pkt_len(m) - ip_hdr_len -
		sizeof(struct rte_esp_hdr) - sa->iv_len - sa->digest_len;

	if ((payload_len & (sa->block_size - 1)) || (payload_len <= 0)) {
		RTE_LOG_DP(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n",
				payload_len, sa->block_size);
		return -EINVAL;
	}

	sym_cop = get_sym_cop(cop);
	sym_cop->m_src = m;

	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
		sym_cop->aead.data.offset =
			ip_hdr_len + sizeof(struct rte_esp_hdr) + sa->iv_len;
		sym_cop->aead.data.length = payload_len;

		struct cnt_blk *icb;
		uint8_t *aad;
		uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len +
					sizeof(struct rte_esp_hdr));

		icb = get_cnt_blk(m);
		icb->salt = sa->salt;
		memcpy(&icb->iv, iv, 8);
		icb->cnt = rte_cpu_to_be_32(1);

		aad = get_aad(m);
		memcpy(aad, iv - sizeof(struct rte_esp_hdr), 8);
		sym_cop->aead.aad.data = aad;
		sym_cop->aead.aad.phys_addr = rte_pktmbuf_iova_offset(m,
				aad - rte_pktmbuf_mtod(m, uint8_t *));

		sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, void*,
				rte_pktmbuf_pkt_len(m) - sa->digest_len);
		sym_cop->aead.digest.phys_addr = rte_pktmbuf_iova_offset(m,
				rte_pktmbuf_pkt_len(m) - sa->digest_len);
	} else {
		sym_cop->cipher.data.offset =  ip_hdr_len +
			sizeof(struct rte_esp_hdr) +
			sa->iv_len;
		sym_cop->cipher.data.length = payload_len;

		struct cnt_blk *icb;
		uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len +
					sizeof(struct rte_esp_hdr));
		uint8_t *iv_ptr = rte_crypto_op_ctod_offset(cop,
					uint8_t *, IV_OFFSET);

		switch (sa->cipher_algo) {
		case RTE_CRYPTO_CIPHER_NULL:
		case RTE_CRYPTO_CIPHER_3DES_CBC:
		case RTE_CRYPTO_CIPHER_AES_CBC:
			/* Copy IV at the end of crypto operation */
			rte_memcpy(iv_ptr, iv, sa->iv_len);
			break;
		case RTE_CRYPTO_CIPHER_AES_CTR:
			icb = get_cnt_blk(m);
			icb->salt = sa->salt;
			memcpy(&icb->iv, iv, 8);
			icb->cnt = rte_cpu_to_be_32(1);
			break;
		default:
			RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
					sa->cipher_algo);
			return -EINVAL;
		}

		switch (sa->auth_algo) {
		case RTE_CRYPTO_AUTH_NULL:
		case RTE_CRYPTO_AUTH_SHA1_HMAC:
		case RTE_CRYPTO_AUTH_SHA256_HMAC:
			sym_cop->auth.data.offset = ip_hdr_len;
			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
				sa->iv_len + payload_len;
			break;
		default:
			RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
					sa->auth_algo);
			return -EINVAL;
		}

		sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,
				rte_pktmbuf_pkt_len(m) - sa->digest_len);
		sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(m,
				rte_pktmbuf_pkt_len(m) - sa->digest_len);
	}

	return 0;
}

int
esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa,
		struct rte_crypto_op *cop)
{
	struct ip *ip4, *ip;
	struct ip6_hdr *ip6;
	uint8_t *nexthdr, *pad_len;
	uint8_t *padding;
	uint16_t i;
	struct rte_ipsec_session *ips;

	RTE_ASSERT(m != NULL);
	RTE_ASSERT(sa != NULL);
	RTE_ASSERT(cop != NULL);

	ips = ipsec_get_primary_session(sa);

	if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
			(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
		if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
			if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
				cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
			else
				cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
		} else
			cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
	}

	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
		RTE_LOG(ERR, IPSEC_ESP, "%s() failed crypto op\n", __func__);
		return -1;
	}

	if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
		ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
		nexthdr = &m->inner_esp_next_proto;
	} else {
		nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
				rte_pktmbuf_pkt_len(m) - sa->digest_len - 1);
		pad_len = nexthdr - 1;

		padding = pad_len - *pad_len;
		for (i = 0; i < *pad_len; i++) {
			if (padding[i] != i + 1) {
				RTE_LOG(ERR, IPSEC_ESP, "invalid padding\n");
				return -EINVAL;
			}
		}

		if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) {
			RTE_LOG(ERR, IPSEC_ESP,
					"failed to remove pad_len + digest\n");
			return -EINVAL;
		}
	}

	if (unlikely(IS_TRANSPORT(sa->flags))) {
		ip = rte_pktmbuf_mtod(m, struct ip *);
		ip4 = (struct ip *)rte_pktmbuf_adj(m,
				sizeof(struct rte_esp_hdr) + sa->iv_len);
		if (likely(ip->ip_v == IPVERSION)) {
			memmove(ip4, ip, ip->ip_hl * 4);
			ip4->ip_p = *nexthdr;
			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
		} else {
			ip6 = (struct ip6_hdr *)ip4;
			/* XXX No option headers supported */
			memmove(ip6, ip, sizeof(struct ip6_hdr));
			ip6->ip6_nxt = *nexthdr;
			ip6->ip6_plen = htons(rte_pktmbuf_data_len(m) -
					      sizeof(struct ip6_hdr));
		}
	} else
		ipip_inbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len);

	return 0;
}

int
esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
		struct rte_crypto_op *cop)
{
	struct ip *ip4;
	struct ip6_hdr *ip6;
	struct rte_esp_hdr *esp = NULL;
	uint8_t *padding = NULL, *new_ip, nlp;
	struct rte_crypto_sym_op *sym_cop;
	int32_t i;
	uint16_t pad_payload_len, pad_len, ip_hdr_len;
	struct rte_ipsec_session *ips;

	RTE_ASSERT(m != NULL);
	RTE_ASSERT(sa != NULL);

	ips = ipsec_get_primary_session(sa);
	ip_hdr_len = 0;

	ip4 = rte_pktmbuf_mtod(m, struct ip *);
	if (likely(ip4->ip_v == IPVERSION)) {
		if (unlikely(IS_TRANSPORT(sa->flags))) {
			ip_hdr_len = ip4->ip_hl * 4;
			nlp = ip4->ip_p;
		} else
			nlp = IPPROTO_IPIP;
	} else if (ip4->ip_v == IP6_VERSION) {
		if (unlikely(IS_TRANSPORT(sa->flags))) {
			/* XXX No option headers supported */
			ip_hdr_len = sizeof(struct ip6_hdr);
			ip6 = (struct ip6_hdr *)ip4;
			nlp = ip6->ip6_nxt;
		} else
			nlp = IPPROTO_IPV6;
	} else {
		RTE_LOG(ERR, IPSEC_ESP, "invalid IP packet type %d\n",
				ip4->ip_v);
		return -EINVAL;
	}

	/* Padded payload length */
	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
			ip_hdr_len + 2, sa->block_size);
	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);

	RTE_ASSERT(IS_TUNNEL(sa->flags) || IS_TRANSPORT(sa->flags));

	if (likely(IS_IP4_TUNNEL(sa->flags)))
		ip_hdr_len = sizeof(struct ip);
	else if (IS_IP6_TUNNEL(sa->flags))
		ip_hdr_len = sizeof(struct ip6_hdr);
	else if (!IS_TRANSPORT(sa->flags)) {
		RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
				sa->flags);
		return -EINVAL;
	}

	/* Check maximum packet size */
	if (unlikely(ip_hdr_len + sizeof(struct rte_esp_hdr) + sa->iv_len +
			pad_payload_len + sa->digest_len > IP_MAXPACKET)) {
		RTE_LOG(ERR, IPSEC_ESP, "ipsec packet is too big\n");
		return -EINVAL;
	}

	/* Add trailer padding if it is not constructed by HW */
	if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO ||
		(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
		 !(ips->security.ol_flags &
			 RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
		padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
							sa->digest_len);
		if (unlikely(padding == NULL)) {
			RTE_LOG(ERR, IPSEC_ESP,
					"not enough mbuf trailing space\n");
			return -ENOSPC;
		}
		rte_prefetch0(padding);
	}

	switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
	case IP4_TUNNEL:
		ip4 = ip4ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len,
				&sa->src, &sa->dst);
		esp = (struct rte_esp_hdr *)(ip4 + 1);
		break;
	case IP6_TUNNEL:
		ip6 = ip6ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len,
				&sa->src, &sa->dst);
		esp = (struct rte_esp_hdr *)(ip6 + 1);
		break;
	case TRANSPORT:
		new_ip = (uint8_t *)rte_pktmbuf_prepend(m,
				sizeof(struct rte_esp_hdr) + sa->iv_len);
		memmove(new_ip, ip4, ip_hdr_len);
		esp = (struct rte_esp_hdr *)(new_ip + ip_hdr_len);
		ip4 = (struct ip *)new_ip;
		if (likely(ip4->ip_v == IPVERSION)) {
			ip4->ip_p = IPPROTO_ESP;
			ip4->ip_len = htons(rte_pktmbuf_data_len(m));
		} else {
			ip6 = (struct ip6_hdr *)new_ip;
			ip6->ip6_nxt = IPPROTO_ESP;
			ip6->ip6_plen = htons(rte_pktmbuf_data_len(m) -
					      sizeof(struct ip6_hdr));
		}
	}

	sa->seq++;
	esp->spi = rte_cpu_to_be_32(sa->spi);
	esp->seq = rte_cpu_to_be_32((uint32_t)sa->seq);

	/* set iv */
	uint64_t *iv = (uint64_t *)(esp + 1);
	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
		*iv = rte_cpu_to_be_64(sa->seq);
	} else {
		switch (sa->cipher_algo) {
		case RTE_CRYPTO_CIPHER_NULL:
		case RTE_CRYPTO_CIPHER_3DES_CBC:
		case RTE_CRYPTO_CIPHER_AES_CBC:
			memset(iv, 0, sa->iv_len);
			break;
		case RTE_CRYPTO_CIPHER_AES_CTR:
			*iv = rte_cpu_to_be_64(sa->seq);
			break;
		default:
			RTE_LOG(ERR, IPSEC_ESP,
				"unsupported cipher algorithm %u\n",
				sa->cipher_algo);
			return -EINVAL;
		}
	}

	if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
		if (ips->security.ol_flags &
				RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
			/* Set the inner esp next protocol for HW trailer */
			m->inner_esp_next_proto = nlp;
			m->packet_type |= RTE_PTYPE_TUNNEL_ESP;
		} else {
			padding[pad_len - 2] = pad_len - 2;
			padding[pad_len - 1] = nlp;
		}
		goto done;
	}

	RTE_ASSERT(cop != NULL);
	sym_cop = get_sym_cop(cop);
	sym_cop->m_src = m;

	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
		uint8_t *aad;

		sym_cop->aead.data.offset = ip_hdr_len +
			sizeof(struct rte_esp_hdr) + sa->iv_len;
		sym_cop->aead.data.length = pad_payload_len;

		/* Fill pad_len using default sequential scheme */
		for (i = 0; i < pad_len - 2; i++)
			padding[i] = i + 1;
		padding[pad_len - 2] = pad_len - 2;
		padding[pad_len - 1] = nlp;

		struct cnt_blk *icb = get_cnt_blk(m);
		icb->salt = sa->salt;
		icb->iv = rte_cpu_to_be_64(sa->seq);
		icb->cnt = rte_cpu_to_be_32(1);

		aad = get_aad(m);
		memcpy(aad, esp, 8);
		sym_cop->aead.aad.data = aad;
		sym_cop->aead.aad.phys_addr = rte_pktmbuf_iova_offset(m,
				aad - rte_pktmbuf_mtod(m, uint8_t *));

		sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
			rte_pktmbuf_pkt_len(m) - sa->digest_len);
		sym_cop->aead.digest.phys_addr = rte_pktmbuf_iova_offset(m,
			rte_pktmbuf_pkt_len(m) - sa->digest_len);
	} else {
		switch (sa->cipher_algo) {
		case RTE_CRYPTO_CIPHER_NULL:
		case RTE_CRYPTO_CIPHER_3DES_CBC:
		case RTE_CRYPTO_CIPHER_AES_CBC:
			sym_cop->cipher.data.offset = ip_hdr_len +
				sizeof(struct rte_esp_hdr);
			sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
			break;
		case RTE_CRYPTO_CIPHER_AES_CTR:
			sym_cop->cipher.data.offset = ip_hdr_len +
				sizeof(struct rte_esp_hdr) + sa->iv_len;
			sym_cop->cipher.data.length = pad_payload_len;
			break;
		default:
			RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
					sa->cipher_algo);
			return -EINVAL;
		}

		/* Fill pad_len using default sequential scheme */
		for (i = 0; i < pad_len - 2; i++)
			padding[i] = i + 1;
		padding[pad_len - 2] = pad_len - 2;
		padding[pad_len - 1] = nlp;

		struct cnt_blk *icb = get_cnt_blk(m);
		icb->salt = sa->salt;
		icb->iv = rte_cpu_to_be_64(sa->seq);
		icb->cnt = rte_cpu_to_be_32(1);

		switch (sa->auth_algo) {
		case RTE_CRYPTO_AUTH_NULL:
		case RTE_CRYPTO_AUTH_SHA1_HMAC:
		case RTE_CRYPTO_AUTH_SHA256_HMAC:
			sym_cop->auth.data.offset = ip_hdr_len;
			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
				sa->iv_len + pad_payload_len;
			break;
		default:
			RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
					sa->auth_algo);
			return -EINVAL;
		}

		sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
				rte_pktmbuf_pkt_len(m) - sa->digest_len);
		sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(m,
				rte_pktmbuf_pkt_len(m) - sa->digest_len);
	}

done:
	return 0;
}

int
esp_outbound_post(struct rte_mbuf *m,
		  struct ipsec_sa *sa,
		  struct rte_crypto_op *cop)
{
	enum rte_security_session_action_type type;
	RTE_ASSERT(m != NULL);
	RTE_ASSERT(sa != NULL);

	type = ipsec_get_action_type(sa);

	if ((type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) ||
			(type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
		m->ol_flags |= PKT_TX_SEC_OFFLOAD;
	} else {
		RTE_ASSERT(cop != NULL);
		if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
			RTE_LOG(ERR, IPSEC_ESP, "%s() failed crypto op\n",
				__func__);
			return -1;
		}
	}

	return 0;
}
Commit	Line	Data
11fdf7f2 TL	1	/* SPDX-License-Identifier: BSD-3-Clause
	2	* Copyright(c) 2016-2017 Intel Corporation
	3	*/
	4
	5	#include <stdint.h>
	6	#include <stdlib.h>
	7	#include <sys/types.h>
	8	#include <sys/stat.h>
	9	#include <netinet/in.h>
	10	#include <netinet/ip.h>
	11	#include <netinet/ip6.h>
	12	#include <fcntl.h>
	13	#include <unistd.h>
	14
	15	#include <rte_common.h>
	16	#include <rte_crypto.h>
	17	#include <rte_cryptodev.h>
	18	#include <rte_random.h>
	19
	20	#include "ipsec.h"
	21	#include "esp.h"
	22	#include "ipip.h"
	23
	24	int
	25	esp_inbound(struct rte_mbuf m, struct ipsec_sa sa,
	26	struct rte_crypto_op *cop)
	27	{
	28	struct ip *ip4;
	29	struct rte_crypto_sym_op *sym_cop;
	30	int32_t payload_len, ip_hdr_len;
	31
	32	RTE_ASSERT(sa != NULL);
f67539c2 TL	33	if (ipsec_get_action_type(sa) ==
f67539c2 TL	34	RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)
11fdf7f2 TL	35	return 0;
	36
	37	RTE_ASSERT(m != NULL);
	38	RTE_ASSERT(cop != NULL);
	39
	40	ip4 = rte_pktmbuf_mtod(m, struct ip *);
	41	if (likely(ip4->ip_v == IPVERSION))
	42	ip_hdr_len = ip4->ip_hl * 4;
	43	else if (ip4->ip_v == IP6_VERSION)
	44	/* XXX No option headers supported */
	45	ip_hdr_len = sizeof(struct ip6_hdr);
	46	else {
	47	RTE_LOG(ERR, IPSEC_ESP, "invalid IP packet type %d\n",
	48	ip4->ip_v);
	49	return -EINVAL;
	50	}
	51
	52	payload_len = rte_pktmbuf_pkt_len(m) - ip_hdr_len -
f67539c2	53	sizeof(struct rte_esp_hdr) - sa->iv_len - sa->digest_len;
11fdf7f2 TL	54
	55	if ((payload_len & (sa->block_size - 1)) \|\| (payload_len <= 0)) {
	56	RTE_LOG_DP(DEBUG, IPSEC_ESP, "payload %d not multiple of %u\n",
	57	payload_len, sa->block_size);
	58	return -EINVAL;
	59	}
	60
	61	sym_cop = get_sym_cop(cop);
	62	sym_cop->m_src = m;
	63
	64	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
f67539c2 TL	65	sym_cop->aead.data.offset =
f67539c2 TL	66	ip_hdr_len + sizeof(struct rte_esp_hdr) + sa->iv_len;
11fdf7f2 TL	67	sym_cop->aead.data.length = payload_len;
	68
	69	struct cnt_blk *icb;
	70	uint8_t *aad;
f67539c2 TL	71	uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len +
f67539c2 TL	72	sizeof(struct rte_esp_hdr));
11fdf7f2 TL	73
	74	icb = get_cnt_blk(m);
	75	icb->salt = sa->salt;
	76	memcpy(&icb->iv, iv, 8);
	77	icb->cnt = rte_cpu_to_be_32(1);
	78
	79	aad = get_aad(m);
f67539c2	80	memcpy(aad, iv - sizeof(struct rte_esp_hdr), 8);
11fdf7f2 TL	81	sym_cop->aead.aad.data = aad;
	82	sym_cop->aead.aad.phys_addr = rte_pktmbuf_iova_offset(m,
	83	aad - rte_pktmbuf_mtod(m, uint8_t *));
	84
	85	sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, void*,
	86	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	87	sym_cop->aead.digest.phys_addr = rte_pktmbuf_iova_offset(m,
	88	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	89	} else {
f67539c2 TL	90	sym_cop->cipher.data.offset = ip_hdr_len +
f67539c2 TL	91	sizeof(struct rte_esp_hdr) +
11fdf7f2 TL	92	sa->iv_len;
	93	sym_cop->cipher.data.length = payload_len;
	94
	95	struct cnt_blk *icb;
f67539c2 TL	96	uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len +
f67539c2 TL	97	sizeof(struct rte_esp_hdr));
11fdf7f2 TL	98	uint8_t *iv_ptr = rte_crypto_op_ctod_offset(cop,
	99	uint8_t *, IV_OFFSET);
	100
	101	switch (sa->cipher_algo) {
	102	case RTE_CRYPTO_CIPHER_NULL:
9f95a23c	103	case RTE_CRYPTO_CIPHER_3DES_CBC:
11fdf7f2 TL	104	case RTE_CRYPTO_CIPHER_AES_CBC:
	105	/* Copy IV at the end of crypto operation */
	106	rte_memcpy(iv_ptr, iv, sa->iv_len);
	107	break;
	108	case RTE_CRYPTO_CIPHER_AES_CTR:
	109	icb = get_cnt_blk(m);
	110	icb->salt = sa->salt;
	111	memcpy(&icb->iv, iv, 8);
	112	icb->cnt = rte_cpu_to_be_32(1);
	113	break;
	114	default:
	115	RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
	116	sa->cipher_algo);
	117	return -EINVAL;
	118	}
	119
	120	switch (sa->auth_algo) {
	121	case RTE_CRYPTO_AUTH_NULL:
	122	case RTE_CRYPTO_AUTH_SHA1_HMAC:
	123	case RTE_CRYPTO_AUTH_SHA256_HMAC:
	124	sym_cop->auth.data.offset = ip_hdr_len;
f67539c2	125	sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
11fdf7f2 TL	126	sa->iv_len + payload_len;
	127	break;
	128	default:
	129	RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
	130	sa->auth_algo);
	131	return -EINVAL;
	132	}
	133
	134	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,
	135	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	136	sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(m,
	137	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	138	}
	139
	140	return 0;
	141	}
	142
	143	int
	144	esp_inbound_post(struct rte_mbuf m, struct ipsec_sa sa,
	145	struct rte_crypto_op *cop)
	146	{
	147	struct ip ip4, ip;
	148	struct ip6_hdr *ip6;
	149	uint8_t nexthdr, pad_len;
	150	uint8_t *padding;
	151	uint16_t i;
f67539c2	152	struct rte_ipsec_session *ips;
11fdf7f2 TL	153
	154	RTE_ASSERT(m != NULL);
	155	RTE_ASSERT(sa != NULL);
	156	RTE_ASSERT(cop != NULL);
	157
f67539c2 TL	158	ips = ipsec_get_primary_session(sa);
	159
	160	if ((ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) \|\|
	161	(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
11fdf7f2 TL	162	if (m->ol_flags & PKT_RX_SEC_OFFLOAD) {
	163	if (m->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED)
	164	cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
	165	else
	166	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
	167	} else
	168	cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
	169	}
	170
	171	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
9f95a23c	172	RTE_LOG(ERR, IPSEC_ESP, "%s() failed crypto op\n", __func__);
11fdf7f2 TL	173	return -1;
	174	}
	175
f67539c2 TL	176	if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
f67539c2 TL	177	ips->security.ol_flags & RTE_SECURITY_RX_HW_TRAILER_OFFLOAD) {
11fdf7f2 TL	178	nexthdr = &m->inner_esp_next_proto;
	179	} else {
	180	nexthdr = rte_pktmbuf_mtod_offset(m, uint8_t*,
	181	rte_pktmbuf_pkt_len(m) - sa->digest_len - 1);
	182	pad_len = nexthdr - 1;
	183
	184	padding = pad_len - *pad_len;
	185	for (i = 0; i < *pad_len; i++) {
	186	if (padding[i] != i + 1) {
	187	RTE_LOG(ERR, IPSEC_ESP, "invalid padding\n");
	188	return -EINVAL;
	189	}
	190	}
	191
	192	if (rte_pktmbuf_trim(m, *pad_len + 2 + sa->digest_len)) {
	193	RTE_LOG(ERR, IPSEC_ESP,
	194	"failed to remove pad_len + digest\n");
	195	return -EINVAL;
	196	}
	197	}
	198
f67539c2	199	if (unlikely(IS_TRANSPORT(sa->flags))) {
11fdf7f2 TL	200	ip = rte_pktmbuf_mtod(m, struct ip *);
11fdf7f2 TL	201	ip4 = (struct ip *)rte_pktmbuf_adj(m,
f67539c2	202	sizeof(struct rte_esp_hdr) + sa->iv_len);
11fdf7f2 TL	203	if (likely(ip->ip_v == IPVERSION)) {
	204	memmove(ip4, ip, ip->ip_hl * 4);
	205	ip4->ip_p = *nexthdr;
	206	ip4->ip_len = htons(rte_pktmbuf_data_len(m));
	207	} else {
	208	ip6 = (struct ip6_hdr *)ip4;
	209	/* XXX No option headers supported */
	210	memmove(ip6, ip, sizeof(struct ip6_hdr));
	211	ip6->ip6_nxt = *nexthdr;
	212	ip6->ip6_plen = htons(rte_pktmbuf_data_len(m) -
	213	sizeof(struct ip6_hdr));
	214	}
	215	} else
f67539c2	216	ipip_inbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len);
11fdf7f2 TL	217
	218	return 0;
	219	}
	220
	221	int
	222	esp_outbound(struct rte_mbuf m, struct ipsec_sa sa,
	223	struct rte_crypto_op *cop)
	224	{
	225	struct ip *ip4;
	226	struct ip6_hdr *ip6;
f67539c2	227	struct rte_esp_hdr *esp = NULL;
11fdf7f2 TL	228	uint8_t padding = NULL, new_ip, nlp;
	229	struct rte_crypto_sym_op *sym_cop;
	230	int32_t i;
	231	uint16_t pad_payload_len, pad_len, ip_hdr_len;
f67539c2	232	struct rte_ipsec_session *ips;
11fdf7f2 TL	233
	234	RTE_ASSERT(m != NULL);
	235	RTE_ASSERT(sa != NULL);
	236
f67539c2	237	ips = ipsec_get_primary_session(sa);
11fdf7f2 TL	238	ip_hdr_len = 0;
	239
	240	ip4 = rte_pktmbuf_mtod(m, struct ip *);
	241	if (likely(ip4->ip_v == IPVERSION)) {
f67539c2	242	if (unlikely(IS_TRANSPORT(sa->flags))) {
11fdf7f2 TL	243	ip_hdr_len = ip4->ip_hl * 4;
	244	nlp = ip4->ip_p;
	245	} else
	246	nlp = IPPROTO_IPIP;
	247	} else if (ip4->ip_v == IP6_VERSION) {
f67539c2	248	if (unlikely(IS_TRANSPORT(sa->flags))) {
11fdf7f2 TL	249	/* XXX No option headers supported */
	250	ip_hdr_len = sizeof(struct ip6_hdr);
	251	ip6 = (struct ip6_hdr *)ip4;
	252	nlp = ip6->ip6_nxt;
	253	} else
	254	nlp = IPPROTO_IPV6;
	255	} else {
	256	RTE_LOG(ERR, IPSEC_ESP, "invalid IP packet type %d\n",
	257	ip4->ip_v);
	258	return -EINVAL;
	259	}
	260
	261	/* Padded payload length */
	262	pad_payload_len = RTE_ALIGN_CEIL(rte_pktmbuf_pkt_len(m) -
	263	ip_hdr_len + 2, sa->block_size);
	264	pad_len = pad_payload_len + ip_hdr_len - rte_pktmbuf_pkt_len(m);
	265
f67539c2	266	RTE_ASSERT(IS_TUNNEL(sa->flags) \|\| IS_TRANSPORT(sa->flags));
11fdf7f2	267
f67539c2	268	if (likely(IS_IP4_TUNNEL(sa->flags)))
11fdf7f2	269	ip_hdr_len = sizeof(struct ip);
f67539c2	270	else if (IS_IP6_TUNNEL(sa->flags))
11fdf7f2	271	ip_hdr_len = sizeof(struct ip6_hdr);
f67539c2	272	else if (!IS_TRANSPORT(sa->flags)) {
11fdf7f2 TL	273	RTE_LOG(ERR, IPSEC_ESP, "Unsupported SA flags: 0x%x\n",
	274	sa->flags);
	275	return -EINVAL;
	276	}
	277
	278	/* Check maximum packet size */
f67539c2	279	if (unlikely(ip_hdr_len + sizeof(struct rte_esp_hdr) + sa->iv_len +
11fdf7f2 TL	280	pad_payload_len + sa->digest_len > IP_MAXPACKET)) {
	281	RTE_LOG(ERR, IPSEC_ESP, "ipsec packet is too big\n");
	282	return -EINVAL;
	283	}
	284
	285	/* Add trailer padding if it is not constructed by HW */
f67539c2 TL	286	if (ips->type != RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO \|\|
	287	(ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO &&
	288	!(ips->security.ol_flags &
	289	RTE_SECURITY_TX_HW_TRAILER_OFFLOAD))) {
11fdf7f2 TL	290	padding = (uint8_t *)rte_pktmbuf_append(m, pad_len +
	291	sa->digest_len);
	292	if (unlikely(padding == NULL)) {
	293	RTE_LOG(ERR, IPSEC_ESP,
	294	"not enough mbuf trailing space\n");
	295	return -ENOSPC;
	296	}
	297	rte_prefetch0(padding);
	298	}
	299
f67539c2	300	switch (WITHOUT_TRANSPORT_VERSION(sa->flags)) {
11fdf7f2	301	case IP4_TUNNEL:
f67539c2	302	ip4 = ip4ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len,
11fdf7f2	303	&sa->src, &sa->dst);
f67539c2	304	esp = (struct rte_esp_hdr *)(ip4 + 1);
11fdf7f2 TL	305	break;
11fdf7f2 TL	306	case IP6_TUNNEL:
f67539c2	307	ip6 = ip6ip_outbound(m, sizeof(struct rte_esp_hdr) + sa->iv_len,
11fdf7f2	308	&sa->src, &sa->dst);
f67539c2	309	esp = (struct rte_esp_hdr *)(ip6 + 1);
11fdf7f2 TL	310	break;
	311	case TRANSPORT:
	312	new_ip = (uint8_t *)rte_pktmbuf_prepend(m,
f67539c2	313	sizeof(struct rte_esp_hdr) + sa->iv_len);
11fdf7f2	314	memmove(new_ip, ip4, ip_hdr_len);
f67539c2	315	esp = (struct rte_esp_hdr *)(new_ip + ip_hdr_len);
11fdf7f2 TL	316	ip4 = (struct ip *)new_ip;
	317	if (likely(ip4->ip_v == IPVERSION)) {
	318	ip4->ip_p = IPPROTO_ESP;
	319	ip4->ip_len = htons(rte_pktmbuf_data_len(m));
	320	} else {
	321	ip6 = (struct ip6_hdr *)new_ip;
	322	ip6->ip6_nxt = IPPROTO_ESP;
	323	ip6->ip6_plen = htons(rte_pktmbuf_data_len(m) -
	324	sizeof(struct ip6_hdr));
	325	}
	326	}
	327
	328	sa->seq++;
	329	esp->spi = rte_cpu_to_be_32(sa->spi);
	330	esp->seq = rte_cpu_to_be_32((uint32_t)sa->seq);
	331
	332	/* set iv */
	333	uint64_t iv = (uint64_t )(esp + 1);
	334	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
	335	*iv = rte_cpu_to_be_64(sa->seq);
	336	} else {
	337	switch (sa->cipher_algo) {
	338	case RTE_CRYPTO_CIPHER_NULL:
9f95a23c	339	case RTE_CRYPTO_CIPHER_3DES_CBC:
11fdf7f2 TL	340	case RTE_CRYPTO_CIPHER_AES_CBC:
	341	memset(iv, 0, sa->iv_len);
	342	break;
	343	case RTE_CRYPTO_CIPHER_AES_CTR:
	344	*iv = rte_cpu_to_be_64(sa->seq);
	345	break;
	346	default:
	347	RTE_LOG(ERR, IPSEC_ESP,
	348	"unsupported cipher algorithm %u\n",
	349	sa->cipher_algo);
	350	return -EINVAL;
	351	}
	352	}
	353
f67539c2 TL	354	if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
	355	if (ips->security.ol_flags &
	356	RTE_SECURITY_TX_HW_TRAILER_OFFLOAD) {
11fdf7f2 TL	357	/* Set the inner esp next protocol for HW trailer */
	358	m->inner_esp_next_proto = nlp;
	359	m->packet_type \|= RTE_PTYPE_TUNNEL_ESP;
	360	} else {
	361	padding[pad_len - 2] = pad_len - 2;
	362	padding[pad_len - 1] = nlp;
	363	}
	364	goto done;
	365	}
	366
	367	RTE_ASSERT(cop != NULL);
	368	sym_cop = get_sym_cop(cop);
	369	sym_cop->m_src = m;
	370
	371	if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
	372	uint8_t *aad;
	373
	374	sym_cop->aead.data.offset = ip_hdr_len +
f67539c2	375	sizeof(struct rte_esp_hdr) + sa->iv_len;
11fdf7f2 TL	376	sym_cop->aead.data.length = pad_payload_len;
	377
	378	/* Fill pad_len using default sequential scheme */
	379	for (i = 0; i < pad_len - 2; i++)
	380	padding[i] = i + 1;
	381	padding[pad_len - 2] = pad_len - 2;
	382	padding[pad_len - 1] = nlp;
	383
	384	struct cnt_blk *icb = get_cnt_blk(m);
	385	icb->salt = sa->salt;
	386	icb->iv = rte_cpu_to_be_64(sa->seq);
	387	icb->cnt = rte_cpu_to_be_32(1);
	388
	389	aad = get_aad(m);
	390	memcpy(aad, esp, 8);
	391	sym_cop->aead.aad.data = aad;
	392	sym_cop->aead.aad.phys_addr = rte_pktmbuf_iova_offset(m,
	393	aad - rte_pktmbuf_mtod(m, uint8_t *));
	394
	395	sym_cop->aead.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
	396	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	397	sym_cop->aead.digest.phys_addr = rte_pktmbuf_iova_offset(m,
	398	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	399	} else {
	400	switch (sa->cipher_algo) {
	401	case RTE_CRYPTO_CIPHER_NULL:
9f95a23c	402	case RTE_CRYPTO_CIPHER_3DES_CBC:
11fdf7f2 TL	403	case RTE_CRYPTO_CIPHER_AES_CBC:
11fdf7f2 TL	404	sym_cop->cipher.data.offset = ip_hdr_len +
f67539c2	405	sizeof(struct rte_esp_hdr);
11fdf7f2 TL	406	sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
	407	break;
	408	case RTE_CRYPTO_CIPHER_AES_CTR:
	409	sym_cop->cipher.data.offset = ip_hdr_len +
f67539c2	410	sizeof(struct rte_esp_hdr) + sa->iv_len;
11fdf7f2 TL	411	sym_cop->cipher.data.length = pad_payload_len;
	412	break;
	413	default:
	414	RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
	415	sa->cipher_algo);
	416	return -EINVAL;
	417	}
	418
	419	/* Fill pad_len using default sequential scheme */
	420	for (i = 0; i < pad_len - 2; i++)
	421	padding[i] = i + 1;
	422	padding[pad_len - 2] = pad_len - 2;
	423	padding[pad_len - 1] = nlp;
	424
	425	struct cnt_blk *icb = get_cnt_blk(m);
	426	icb->salt = sa->salt;
	427	icb->iv = rte_cpu_to_be_64(sa->seq);
	428	icb->cnt = rte_cpu_to_be_32(1);
	429
	430	switch (sa->auth_algo) {
	431	case RTE_CRYPTO_AUTH_NULL:
	432	case RTE_CRYPTO_AUTH_SHA1_HMAC:
	433	case RTE_CRYPTO_AUTH_SHA256_HMAC:
	434	sym_cop->auth.data.offset = ip_hdr_len;
f67539c2	435	sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
11fdf7f2 TL	436	sa->iv_len + pad_payload_len;
	437	break;
	438	default:
	439	RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
	440	sa->auth_algo);
	441	return -EINVAL;
	442	}
	443
	444	sym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,
	445	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	446	sym_cop->auth.digest.phys_addr = rte_pktmbuf_iova_offset(m,
	447	rte_pktmbuf_pkt_len(m) - sa->digest_len);
	448	}
	449
	450	done:
	451	return 0;
	452	}
	453
	454	int
	455	esp_outbound_post(struct rte_mbuf *m,
	456	struct ipsec_sa *sa,
	457	struct rte_crypto_op *cop)
	458	{
f67539c2	459	enum rte_security_session_action_type type;
11fdf7f2 TL	460	RTE_ASSERT(m != NULL);
	461	RTE_ASSERT(sa != NULL);
	462
f67539c2 TL	463	type = ipsec_get_action_type(sa);
	464
	465	if ((type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) \|\|
	466	(type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO)) {
11fdf7f2 TL	467	m->ol_flags \|= PKT_TX_SEC_OFFLOAD;
	468	} else {
	469	RTE_ASSERT(cop != NULL);
	470	if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
9f95a23c TL	471	RTE_LOG(ERR, IPSEC_ESP, "%s() failed crypto op\n",
9f95a23c TL	472	__func__);
11fdf7f2 TL	473	return -1;
	474	}
	475	}
	476
	477	return 0;
	478	}