From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>
Cc: Archana Muniganti <marchana@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Srujana Challa <schalla@marvell.com>,
Nithin Dabilpuram <ndabilpuram@marvell.com>,
"Jerin Jacob" <jerinj@marvell.com>,
Tejasree Kondoj <ktejasree@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH 5/8] crypto/cnxk: make IPsec verify functions common
Date: Tue, 31 Aug 2021 19:31:24 +0530 [thread overview]
Message-ID: <20210831140127.31775-6-ktejasree@marvell.com> (raw)
In-Reply-To: <20210831140127.31775-1-ktejasree@marvell.com>
From: Archana Muniganti <marchana@marvell.com>
IPsec verify functions can be made common
Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
drivers/crypto/cnxk/cn10k_ipsec.c | 116 +-----------------------------
drivers/crypto/cnxk/cnxk_ipsec.h | 113 +++++++++++++++++++++++++++++
2 files changed, 114 insertions(+), 115 deletions(-)
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 98110872a3..5c57cf2818 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,120 +17,6 @@
#include "roc_api.h"
-static int
-ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
-{
- if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
- switch (xform->cipher.key.length) {
- case 16:
- case 24:
- case 32:
- break;
- default:
- return -ENOTSUP;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
-{
- uint16_t keylen = xform->auth.key.length;
-
- if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
- if (keylen >= 20 && keylen <= 64)
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
- crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
- return -EINVAL;
-
- if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
- switch (crypto_xfrm->aead.key.length) {
- case ROC_CPT_AES128_KEY_LEN:
- case ROC_CPT_AES192_KEY_LEN:
- case ROC_CPT_AES256_KEY_LEN:
- break;
- default:
- return -EINVAL;
- }
- return 0;
- }
-
- return -ENOTSUP;
-}
-
-static int
-cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
- struct rte_crypto_sym_xform *crypto_xfrm)
-{
- struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
- int ret;
-
- if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
- (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
- return -EINVAL;
-
- if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
- (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
- return -EINVAL;
-
- if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
- (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
- return -EINVAL;
-
- if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
- (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
- return -EINVAL;
-
- if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
- return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
-
- if (crypto_xfrm->next == NULL)
- return -EINVAL;
-
- if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- /* Ingress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
- return -EINVAL;
- auth_xform = crypto_xfrm;
- cipher_xform = crypto_xfrm->next;
- } else {
- /* Egress */
- if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
- crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
- return -EINVAL;
- cipher_xform = crypto_xfrm;
- auth_xform = crypto_xfrm->next;
- }
-
- ret = ipsec_xform_cipher_verify(cipher_xform);
- if (ret)
- return ret;
-
- ret = ipsec_xform_auth_verify(auth_xform);
- if (ret)
- return ret;
-
- return 0;
-}
-
static uint64_t
ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
{
@@ -245,7 +131,7 @@ cn10k_ipsec_session_create(void *dev,
return -EPERM;
}
- ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
+ ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
if (ret)
return ret;
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f6897a0e14..d1eb74ebbe 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -17,4 +17,117 @@ struct cnxk_cpt_inst_tmpl {
uint64_t w7;
};
+static inline int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+ switch (crypto_xform->cipher.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -ENOTSUP;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+ uint16_t keylen = crypto_xform->auth.key.length;
+
+ if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+ if (keylen >= 20 && keylen <= 64)
+ return 0;
+ } else if (roc_model_is_cn9k() &&
+ (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+ if (keylen >= 32 && keylen <= 64)
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+ crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+ return -EINVAL;
+
+ if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+ switch (crypto_xform->aead.key.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+ default:
+ return -EINVAL;
+ }
+ return 0;
+ }
+
+ return -ENOTSUP;
+}
+
+static inline int
+cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
+ struct rte_crypto_sym_xform *crypto_xform)
+{
+ struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+ int ret;
+
+ if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
+ return -EINVAL;
+
+ if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
+ (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
+ return -EINVAL;
+
+ if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
+ (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
+ return -EINVAL;
+
+ if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+ (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
+ return -EINVAL;
+
+ if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+ return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
+
+ if (crypto_xform->next == NULL)
+ return -EINVAL;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+ /* Ingress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+ return -EINVAL;
+ auth_xform = crypto_xform;
+ cipher_xform = crypto_xform->next;
+ } else {
+ /* Egress */
+ if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+ crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+ return -EINVAL;
+ cipher_xform = crypto_xform;
+ auth_xform = crypto_xform->next;
+ }
+
+ ret = ipsec_xform_cipher_verify(cipher_xform);
+ if (ret)
+ return ret;
+
+ return ipsec_xform_auth_verify(auth_xform);
+}
#endif /* __CNXK_IPSEC_H__ */
--
2.27.0
next prev parent reply other threads:[~2021-08-31 13:08 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-31 14:01 [dpdk-dev] [PATCH 0/8] add lookaside IPsec additional features Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
2021-08-31 14:01 ` Tejasree Kondoj [this message]
2021-08-31 14:01 ` [dpdk-dev] [PATCH 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
2021-08-31 14:01 ` [dpdk-dev] [PATCH 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210831140127.31775-6-ktejasree@marvell.com \
--to=ktejasree@marvell.com \
--cc=adwivedi@marvell.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
--cc=jerinj@marvell.com \
--cc=marchana@marvell.com \
--cc=ndabilpuram@marvell.com \
--cc=schalla@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).