From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 6824C42B9A; Thu, 25 May 2023 12:11:53 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id DE09142F92; Thu, 25 May 2023 12:10:23 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id AC9FA42DAF for ; Thu, 25 May 2023 12:10:16 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 34PA2W0S020284 for ; Thu, 25 May 2023 03:10:15 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=t+dbgs7XkhEwxUbAkCfvm5gtvH78te1drlYCqir6PmM=; b=LLK34JS4ikaXTvBwnUKz2xq/z/fmRsRcrXotpscjGmXc+VXKx67wE3ft9a0y6RwJvA/V e0P/QRHMFpqB22roNVc7CISzDSUt5LMEN9YfSzrS/J5vv/HbKPZKQKQlaxtcVm2B2anl d8NVIZ2GG2wQAHtqOB+hVGRf4D21/awbJYk3fuEJEgHIutwQA6fXcuwdRnKXA2SM0seZ L8zqkX5ysougbMHTRwgPvGYLDSIlxiAOXD1iNtjpU77YOAf0UZXszAHhcCDE3mUtUsx+ YORKcL+3Ia94umMOUq9KS9fyg8fdrIHjoGJWyFbPLUNlcXjptEZ5HqLT5kyh4FJIC14J kQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3qt5jng0pa-17 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Thu, 25 May 2023 03:10:15 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Thu, 25 May 2023 03:09:49 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.48 via Frontend Transport; Thu, 25 May 2023 03:09:49 -0700 Received: from hyd1588t430.caveonetworks.com (unknown [10.29.52.204]) by maili.marvell.com (Postfix) with ESMTP id 9A63C5B6D86; Thu, 25 May 2023 03:00:52 -0700 (PDT) From: Nithin Dabilpuram To: Nithin Kumar Dabilpuram , Kiran Kumar K , Sunil Kumar Kori , Satha Rao CC: , , Srujana Challa Subject: [PATCH v3 32/32] common/cnxk: add check for null auth and anti-replay Date: Thu, 25 May 2023 15:29:04 +0530 Message-ID: <20230525095904.3967080-32-ndabilpuram@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230525095904.3967080-1-ndabilpuram@marvell.com> References: <20230411091144.1087887-1-ndabilpuram@marvell.com> <20230525095904.3967080-1-ndabilpuram@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-ORIG-GUID: cD5PFDNiRQM_DzVTdQg1ESwnTvumrL1l X-Proofpoint-GUID: cD5PFDNiRQM_DzVTdQg1ESwnTvumrL1l X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-05-25_06,2023-05-24_01,2023-05-22_02 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Srujana Challa As per IPsec RFC, the anti-replay service can be selected for an SA only if the integrity service is selected for that SA. This patch adds the validation check for the same. Signed-off-by: Srujana Challa --- drivers/common/cnxk/cnxk_security.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 13ca2c7791..a8c3ba90cd 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -155,6 +155,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, switch (auth_xfrm->auth.algo) { case RTE_CRYPTO_AUTH_NULL: + if (w2->s.dir == ROC_IE_SA_DIR_INBOUND && ipsec_xfrm->replay_win_sz) { + plt_err("anti-replay can't be supported with integrity service disabled"); + return -EINVAL; + } w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; break; case RTE_CRYPTO_AUTH_SHA1_HMAC: @@ -1392,6 +1396,11 @@ cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec, if (ret) return ret; + if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD && + crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL && ipsec->replay_win_sz) { + plt_err("anti-replay can't be supported with integrity service disabled"); + return -EINVAL; + } if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD || auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL || auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { -- 2.25.1