Adding UDP encapsulation support for IPsec in
lookaside protocol mode.
Signed-off-by: Tejasree Kondoj <ktejas...@marvell.com>
---
doc/guides/cryptodevs/octeontx2.rst | 1 +
doc/guides/rel_notes/release_21_05.rst | 5 +++
drivers/crypto/octeontx2/otx2_cryptodev_sec.c | 40 ++++++-------------
3 files changed, 18 insertions(+), 28 deletions(-)
diff --git a/doc/guides/cryptodevs/octeontx2.rst
b/doc/guides/cryptodevs/octeontx2.rst
index d312eeb74c..b30f98180a 100644
--- a/doc/guides/cryptodevs/octeontx2.rst
+++ b/doc/guides/cryptodevs/octeontx2.rst
@@ -181,6 +181,7 @@ Features supported
* Tunnel mode
* ESN
* Anti-replay
+* UDP Encapsulation
* AES-128/192/256-GCM
* AES-128/192/256-CBC-SHA1-HMAC
* AES-128/192/256-CBC-SHA256-128-HMAC
diff --git a/doc/guides/rel_notes/release_21_05.rst
b/doc/guides/rel_notes/release_21_05.rst
index 8e686cc627..8065b3daf8 100644
--- a/doc/guides/rel_notes/release_21_05.rst
+++ b/doc/guides/rel_notes/release_21_05.rst
@@ -94,6 +94,11 @@ New Features
* Added support for preferred busy polling.
+* **Updated the OCTEON TX2 crypto PMD.**
+
+ * Updated the OCTEON TX2 crypto PMD lookaside protocol offload for IPsec with
+ UDP encapsulation support for NAT Traversal.
+
* **Updated testpmd.**
* Added a command line option to configure forced speed for Ethernet port.
diff --git a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
index 342f089df8..8942ff1fac 100644
--- a/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
+++ b/drivers/crypto/octeontx2/otx2_cryptodev_sec.c
@@ -203,6 +203,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
struct rte_security_session *sec_sess)
{
struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ struct otx2_ipsec_po_ip_template *template;
const uint8_t *cipher_key, *auth_key;
struct otx2_sec_session_ipsec_lp *lp;
struct otx2_ipsec_po_sa_ctl *ctl;
@@ -248,11 +249,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- if (ipsec->options.udp_encap) {
- sa->aes_gcm.template.ip4.udp_src = 4500;
- sa->aes_gcm.template.ip4.udp_dst = 4500;
- }
- ip = &sa->aes_gcm.template.ip4.ipv4_hdr;
+ template = &sa->aes_gcm.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
sa->aes_gcm.template.ip4);
@@ -260,11 +257,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- if (ipsec->options.udp_encap) {
- sa->sha1.template.ip4.udp_src = 4500;
- sa->sha1.template.ip4.udp_dst = 4500;
- }
- ip = &sa->sha1.template.ip4.ipv4_hdr;
+ template = &sa->sha1.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
sa->sha1.template.ip4);
@@ -272,11 +265,7 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- if (ipsec->options.udp_encap) {
- sa->sha2.template.ip4.udp_src = 4500;
- sa->sha2.template.ip4.udp_dst = 4500;
- }
- ip = &sa->sha2.template.ip4.ipv4_hdr;
+ template = &sa->sha2.template;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
sa->sha2.template.ip4);
@@ -285,8 +274,15 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
} else {
return -EINVAL;
}
+ ip = &template->ip4.ipv4_hdr;
+ if (ipsec->options.udp_encap) {
+ ip->next_proto_id = IPPROTO_UDP;
+ template->ip4.udp_src = rte_be_to_cpu_16(4500);
+ template->ip4.udp_dst = rte_be_to_cpu_16(4500);
+ } else {
+ ip->next_proto_id = IPPROTO_ESP;
+ }
ip->version_ihl = RTE_IPV4_VHL_DEF;
- ip->next_proto_id = IPPROTO_ESP;
ip->time_to_live = ipsec->tunnel.ipv4.ttl;
ip->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
if (ipsec->tunnel.ipv4.df)
@@ -299,10 +295,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
if (ctl->enc_type == OTX2_IPSEC_PO_SA_ENC_AES_GCM) {
- if (ipsec->options.udp_encap) {
- sa->aes_gcm.template.ip6.udp_src = 4500;
- sa->aes_gcm.template.ip6.udp_dst = 4500;
- }
ip6 = &sa->aes_gcm.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
aes_gcm.template) + sizeof(
@@ -311,10 +303,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA1) {
- if (ipsec->options.udp_encap) {
- sa->sha1.template.ip6.udp_src = 4500;
- sa->sha1.template.ip6.udp_dst = 4500;
- }
ip6 = &sa->sha1.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha1.template) + sizeof(
@@ -323,10 +311,6 @@ crypto_sec_ipsec_outb_session_create(struct rte_cryptodev
*crypto_dev,
lp->ctx_len = ctx_len >> 3;
} else if (ctl->auth_type ==
OTX2_IPSEC_PO_SA_AUTH_SHA2_256) {
- if (ipsec->options.udp_encap) {
- sa->sha2.template.ip6.udp_src = 4500;
- sa->sha2.template.ip6.udp_dst = 4500;
- }
ip6 = &sa->sha2.template.ip6.ipv6_hdr;
ctx_len = offsetof(struct otx2_ipsec_po_out_sa,
sha2.template) + sizeof(
--
2.27.0
