From: Nithin Dabilpuram
To: Nithin Kumar Dabilpuram, Kiran Kumar K, Sunil Kumar Kori, Satha Rao
CC: Srujana Challa
Subject: [PATCH v2 32/32] common/cnxk: add check for null auth and anti-replay
Date: Wed, 24 May 2023 15:34:07 +0530
Message-ID: <20230524100407.3796139-32-ndabilpuram@marvell.com>
In-Reply-To: <20230524100407.3796139-1-ndabilpuram@marvell.com>
References: <20230411091144.1087887-1-ndabilpuram@marvell.com> <20230524100407.3796139-1-ndabilpuram@marvell.com>

From: Srujana Challa

As per IPsec RFC, the anti-replay service can be selected for an SA only if the integrity service is selected for that SA. This patch adds the validation check for the same.

Signed-off-by: Srujana Challa
--- drivers/common/cnxk/cnxk_security.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 13ca2c7791..a8c3ba90cd 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c 
@@ -155,6 +155,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, switch (auth_xfrm->auth.algo) { case RTE_CRYPTO_AUTH_NULL: + if (w2->s.dir == ROC_IE_SA_DIR_INBOUND && ipsec_xfrm->replay_win_sz) { + plt_err("anti-replay can't be supported with integrity service disabled"); + return -EINVAL; + } w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; break; case RTE_CRYPTO_AUTH_SHA1_HMAC: @@ -1392,6 +1396,11 @@ cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec, if (ret) return ret; + if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD && + crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL && ipsec->replay_win_sz) { + plt_err("anti-replay can't be supported with integrity service disabled"); + return -EINVAL; + } if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD || auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL || auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { -- 2.25.1
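
Review bot: In the first hunk (ot_ipsec_sa_common_param_fill, case RTE_CRYPTO_AUTH_NULL), the new guard only fires when w2->s.dir already equals ROC_IE_SA_DIR_INBOUND, so it depends on every caller setting the direction in w2 before calling this function, and nothing in the hunk shows or documents that ordering. If a caller fills dir afterwards, an inbound SA with NULL auth and a non-zero replay_win_sz passes silently. Please either add a comment stating that w2->s.dir must be populated before the call, or take the direction from ipsec_xfrm so the check does not rely on partially filled output. The plt_err text is also identical to the one in the second hunk; including the replay_win_sz value (or which SA path rejected it) would make the two failures distinguishable in logs.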
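
Review bot: In the second hunk (cnxk_on_ipsec_inb_sa_create), the added condition reads crypto_xform->auth.algo, while the unchanged condition directly below it reads auth_xform->auth.algo. The auth, cipher and aead parameters share a union in rte_crypto_sym_xform, so unless crypto_xform is guaranteed to be the auth transform at this point, the new check can compare a cipher field against RTE_CRYPTO_AUTH_NULL and either miss the NULL-auth case or reject a valid SA. Suggest testing auth_xform->auth.algo here as the following condition does, with a NULL check on auth_xform if it can be unset for the non-AEAD path. It would also help to state in the commit message or a comment why AES-GMAC is left out of this rejection while it is grouped with NULL auth in the next condition.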