From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 7BA1C42BA9; Fri, 26 May 2023 10:55:57 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 6D14A40DDA; Fri, 26 May 2023 10:55:57 +0200 (CEST) Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) by mails.dpdk.org (Postfix) with ESMTP id D009540A89 for ; Fri, 26 May 2023 10:55:55 +0200 (CEST) Received: by mail-vk1-f181.google.com with SMTP id 71dfb90a1353d-456ea0974bcso478183e0c.1 for ; Fri, 26 May 2023 01:55:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685091355; x=1687683355; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=q5tg+pOWU8FBJrfad4Z6Q2WI7/Nd4M6jz1oYhGGVQTU=; b=XdlcbMO5Airk+fHSR+DBHV/sJ0VjPgGMZBkwKbHxlEeygN9wffXXXyoJw6reXv6HQN btP52RC5g5iQSzUoWEKHWGkoQ5DKNYsLTO9Ah6H11YyJAaBNgnOyWuyPlVjIX2ljIvbg 1z1cIhTB6Oe41E9Wb1ox4kCrEVFTg2LOAuPl7T515ic/8OxyjZtxiCisZRM36eTERpfZ wLyI1HvfF7N4PUDgsW4PnnCg6KU51gm+0nJGmBQWXfel87ZqSkmJ5M1dthsvg0ZPsQix 2R6N5BZMp2FnrNtG8wZhpq6F7vRHd6fHCUZSJmoxG77hVx8+KUJnQiBcugcpb9RFr93t wXqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685091355; x=1687683355; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=q5tg+pOWU8FBJrfad4Z6Q2WI7/Nd4M6jz1oYhGGVQTU=; b=dpdKHJhq3hhDdkQltNEJODUqceKyjwrrEhaqek/Azbm3+NO+54u0RNcxTKm3nwhoLf 2IuofKec4PUZIQiSSaIFd5YTkOMsLmDsPfj1dGsF6FKxyfpeoH9Zm4bS7/Og1AexGm/o PA/7dCZxK+CBusbpXgX12kkutrsv5WiEP9/tLAxFaWz7q3U4xA4Bs7A6xFl1xP21QNhn dTAEgqOiHjf6KgrlvZLc4S+Kw0ZsTBEXQB2shh/dD1VqYYNFr/WKaB8OLT4v7nMrKp1J /Je9J0jgYeMTJcz5+C0+NOqj4HNxh2wF559qhuoxcYtoLVZipmEIQkeEP4ks8FIdZ+hz vc8A== X-Gm-Message-State: AC+VfDxjiDV0QpQDYTe5aEYNj8YhVtftAuXT1TJDBUf5YJF1qioUmgwV ewO7ZEVoFGGeLG6wDlNb1gZ+uc7sFtSvQduxx7Lhha1kQnDeWZOn1so= X-Google-Smtp-Source: ACHHUZ5FjqqW0wQvtoJ4LH6sDLuM4TgU3hYaaJQxsyHO2+JiOR4IwFw9/61b5RYkH3Hu8+E1WJSxmg4/xN6dNVPIS9A= X-Received: by 2002:a1f:2a57:0:b0:450:31d9:e5f5 with SMTP id q84-20020a1f2a57000000b0045031d9e5f5mr1847380vkq.2.1685091354567; Fri, 26 May 2023 01:55:54 -0700 (PDT) MIME-Version: 1.0 References: <20230411091144.1087887-1-ndabilpuram@marvell.com> <20230525095904.3967080-1-ndabilpuram@marvell.com> <20230525095904.3967080-32-ndabilpuram@marvell.com> In-Reply-To: <20230525095904.3967080-32-ndabilpuram@marvell.com> From: Jerin Jacob Date: Fri, 26 May 2023 14:25:28 +0530 Message-ID: Subject: Re: [PATCH v3 32/32] common/cnxk: add check for null auth and anti-replay To: Nithin Dabilpuram Cc: Kiran Kumar K , Sunil Kumar Kori , Satha Rao , jerinj@marvell.com, dev@dpdk.org, Srujana Challa Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org On Thu, May 25, 2023 at 3:41=E2=80=AFPM Nithin Dabilpuram wrote: > > From: Srujana Challa > > As per IPsec RFC, the anti-replay service can be selected for > an SA only if the integrity service is selected for that SA. > This patch adds the validation check for the same. > > Signed-off-by: Srujana Challa Series applied to dpdk-next-net-mrvl/for-next-net. Thanks > --- > drivers/common/cnxk/cnxk_security.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cn= xk_security.c > index 13ca2c7791..a8c3ba90cd 100644 > --- a/drivers/common/cnxk/cnxk_security.c > +++ b/drivers/common/cnxk/cnxk_security.c > @@ -155,6 +155,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_= word2 *w2, > > switch (auth_xfrm->auth.algo) { > case RTE_CRYPTO_AUTH_NULL: > + if (w2->s.dir =3D=3D ROC_IE_SA_DIR_INBOUND && ips= ec_xfrm->replay_win_sz) { > + plt_err("anti-replay can't be supported w= ith integrity service disabled"); > + return -EINVAL; > + } > w2->s.auth_type =3D ROC_IE_OT_SA_AUTH_NULL; > break; > case RTE_CRYPTO_AUTH_SHA1_HMAC: > @@ -1392,6 +1396,11 @@ cnxk_on_ipsec_inb_sa_create(struct rte_security_ip= sec_xform *ipsec, > if (ret) > return ret; > > + if (crypto_xform->type !=3D RTE_CRYPTO_SYM_XFORM_AEAD && > + crypto_xform->auth.algo =3D=3D RTE_CRYPTO_AUTH_NULL && ipsec-= >replay_win_sz) { > + plt_err("anti-replay can't be supported with integrity se= rvice disabled"); > + return -EINVAL; > + } > if (crypto_xform->type =3D=3D RTE_CRYPTO_SYM_XFORM_AEAD || > auth_xform->auth.algo =3D=3D RTE_CRYPTO_AUTH_NULL || > auth_xform->auth.algo =3D=3D RTE_CRYPTO_AUTH_AES_GMAC) { > -- > 2.25.1 >