From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 7BA1C42BA9;
	Fri, 26 May 2023 10:55:57 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 6D14A40DDA;
	Fri, 26 May 2023 10:55:57 +0200 (CEST)
Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com
 [209.85.221.181])
 by mails.dpdk.org (Postfix) with ESMTP id D009540A89
 for <dev@dpdk.org>; Fri, 26 May 2023 10:55:55 +0200 (CEST)
Received: by mail-vk1-f181.google.com with SMTP id
 71dfb90a1353d-456ea0974bcso478183e0c.1
 for <dev@dpdk.org>; Fri, 26 May 2023 01:55:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1685091355; x=1687683355;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:from:to:cc:subject:date
 :message-id:reply-to;
 bh=q5tg+pOWU8FBJrfad4Z6Q2WI7/Nd4M6jz1oYhGGVQTU=;
 b=XdlcbMO5Airk+fHSR+DBHV/sJ0VjPgGMZBkwKbHxlEeygN9wffXXXyoJw6reXv6HQN
 btP52RC5g5iQSzUoWEKHWGkoQ5DKNYsLTO9Ah6H11YyJAaBNgnOyWuyPlVjIX2ljIvbg
 1z1cIhTB6Oe41E9Wb1ox4kCrEVFTg2LOAuPl7T515ic/8OxyjZtxiCisZRM36eTERpfZ
 wLyI1HvfF7N4PUDgsW4PnnCg6KU51gm+0nJGmBQWXfel87ZqSkmJ5M1dthsvg0ZPsQix
 2R6N5BZMp2FnrNtG8wZhpq6F7vRHd6fHCUZSJmoxG77hVx8+KUJnQiBcugcpb9RFr93t
 wXqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1685091355; x=1687683355;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=q5tg+pOWU8FBJrfad4Z6Q2WI7/Nd4M6jz1oYhGGVQTU=;
 b=dpdKHJhq3hhDdkQltNEJODUqceKyjwrrEhaqek/Azbm3+NO+54u0RNcxTKm3nwhoLf
 2IuofKec4PUZIQiSSaIFd5YTkOMsLmDsPfj1dGsF6FKxyfpeoH9Zm4bS7/Og1AexGm/o
 PA/7dCZxK+CBusbpXgX12kkutrsv5WiEP9/tLAxFaWz7q3U4xA4Bs7A6xFl1xP21QNhn
 dTAEgqOiHjf6KgrlvZLc4S+Kw0ZsTBEXQB2shh/dD1VqYYNFr/WKaB8OLT4v7nMrKp1J
 /Je9J0jgYeMTJcz5+C0+NOqj4HNxh2wF559qhuoxcYtoLVZipmEIQkeEP4ks8FIdZ+hz
 vc8A==
X-Gm-Message-State: AC+VfDxjiDV0QpQDYTe5aEYNj8YhVtftAuXT1TJDBUf5YJF1qioUmgwV
 ewO7ZEVoFGGeLG6wDlNb1gZ+uc7sFtSvQduxx7Lhha1kQnDeWZOn1so=
X-Google-Smtp-Source: ACHHUZ5FjqqW0wQvtoJ4LH6sDLuM4TgU3hYaaJQxsyHO2+JiOR4IwFw9/61b5RYkH3Hu8+E1WJSxmg4/xN6dNVPIS9A=
X-Received: by 2002:a1f:2a57:0:b0:450:31d9:e5f5 with SMTP id
 q84-20020a1f2a57000000b0045031d9e5f5mr1847380vkq.2.1685091354567; Fri, 26 May
 2023 01:55:54 -0700 (PDT)
MIME-Version: 1.0
References: <20230411091144.1087887-1-ndabilpuram@marvell.com>
 <20230525095904.3967080-1-ndabilpuram@marvell.com>
 <20230525095904.3967080-32-ndabilpuram@marvell.com>
In-Reply-To: <20230525095904.3967080-32-ndabilpuram@marvell.com>
From: Jerin Jacob <jerinjacobk@gmail.com>
Date: Fri, 26 May 2023 14:25:28 +0530
Message-ID: <CALBAE1MU3OY4uGKpQcxMa1kyeuwgwHbS18v1aRPCL6Ymi+Gn_g@mail.gmail.com>
Subject: Re: [PATCH v3 32/32] common/cnxk: add check for null auth and
 anti-replay
To: Nithin Dabilpuram <ndabilpuram@marvell.com>
Cc: Kiran Kumar K <kirankumark@marvell.com>,
 Sunil Kumar Kori <skori@marvell.com>, 
 Satha Rao <skoteshwar@marvell.com>, jerinj@marvell.com, dev@dpdk.org, 
 Srujana Challa <schalla@marvell.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

On Thu, May 25, 2023 at 3:41=E2=80=AFPM Nithin Dabilpuram
<ndabilpuram@marvell.com> wrote:
>
> From: Srujana Challa <schalla@marvell.com>
>
> As per IPsec RFC, the anti-replay service can be selected for
> an SA only if the integrity service is selected for that SA.
> This patch adds the validation check for the same.
>
> Signed-off-by: Srujana Challa <schalla@marvell.com>


Series applied to dpdk-next-net-mrvl/for-next-net. Thanks


> ---
>  drivers/common/cnxk/cnxk_security.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cn=
xk_security.c
> index 13ca2c7791..a8c3ba90cd 100644
> --- a/drivers/common/cnxk/cnxk_security.c
> +++ b/drivers/common/cnxk/cnxk_security.c
> @@ -155,6 +155,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_=
word2 *w2,
>
>                 switch (auth_xfrm->auth.algo) {
>                 case RTE_CRYPTO_AUTH_NULL:
> +                       if (w2->s.dir =3D=3D ROC_IE_SA_DIR_INBOUND && ips=
ec_xfrm->replay_win_sz) {
> +                               plt_err("anti-replay can't be supported w=
ith integrity service disabled");
> +                               return -EINVAL;
> +                       }
>                         w2->s.auth_type =3D ROC_IE_OT_SA_AUTH_NULL;
>                         break;
>                 case RTE_CRYPTO_AUTH_SHA1_HMAC:
> @@ -1392,6 +1396,11 @@ cnxk_on_ipsec_inb_sa_create(struct rte_security_ip=
sec_xform *ipsec,
>         if (ret)
>                 return ret;
>
> +       if (crypto_xform->type !=3D RTE_CRYPTO_SYM_XFORM_AEAD &&
> +           crypto_xform->auth.algo =3D=3D RTE_CRYPTO_AUTH_NULL && ipsec-=
>replay_win_sz) {
> +               plt_err("anti-replay can't be supported with integrity se=
rvice disabled");
> +               return -EINVAL;
> +       }
>         if (crypto_xform->type =3D=3D RTE_CRYPTO_SYM_XFORM_AEAD ||
>             auth_xform->auth.algo =3D=3D RTE_CRYPTO_AUTH_NULL ||
>             auth_xform->auth.algo =3D=3D RTE_CRYPTO_AUTH_AES_GMAC) {
> --
> 2.25.1
>