From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>
Cc: Archana Muniganti <marchana@marvell.com>,
	Anoob Joseph <anoobj@marvell.com>,
	Ankur Dwivedi <adwivedi@marvell.com>,
	Srujana Challa <schalla@marvell.com>,
	Nithin Dabilpuram <ndabilpuram@marvell.com>,
	"Jerin Jacob" <jerinj@marvell.com>,
	Tejasree Kondoj <ktejasree@marvell.com>, <dev@dpdk.org>
Subject: [dpdk-dev] [PATCH v2 5/8] crypto/cnxk: make IPsec verify functions common
Date: Wed, 1 Sep 2021 15:49:27 +0530	[thread overview]
Message-ID: <20210901101930.29333-6-ktejasree@marvell.com> (raw)
In-Reply-To: <20210901101930.29333-1-ktejasree@marvell.com>

From: Archana Muniganti <marchana@marvell.com>

IPsec verify functions can be made common

Signed-off-by: Archana Muniganti <marchana@marvell.com>
---
 drivers/crypto/cnxk/cn10k_ipsec.c | 116 +-----------------------------
 drivers/crypto/cnxk/cnxk_ipsec.h  | 113 +++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+), 115 deletions(-)

diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 98110872a3..5c57cf2818 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -17,120 +17,6 @@
 
 #include "roc_api.h"
 
-static int
-ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
-{
-	if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
-		switch (xform->cipher.key.length) {
-		case 16:
-		case 24:
-		case 32:
-			break;
-		default:
-			return -ENOTSUP;
-		}
-		return 0;
-	}
-
-	return -ENOTSUP;
-}
-
-static int
-ipsec_xform_auth_verify(struct rte_crypto_sym_xform *xform)
-{
-	uint16_t keylen = xform->auth.key.length;
-
-	if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
-		if (keylen >= 20 && keylen <= 64)
-			return 0;
-	}
-
-	return -ENOTSUP;
-}
-
-static int
-ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
-			struct rte_crypto_sym_xform *crypto_xfrm)
-{
-	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
-	    crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
-		return -EINVAL;
-
-	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
-	    crypto_xfrm->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
-		return -EINVAL;
-
-	if (crypto_xfrm->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
-		switch (crypto_xfrm->aead.key.length) {
-		case ROC_CPT_AES128_KEY_LEN:
-		case ROC_CPT_AES192_KEY_LEN:
-		case ROC_CPT_AES256_KEY_LEN:
-			break;
-		default:
-			return -EINVAL;
-		}
-		return 0;
-	}
-
-	return -ENOTSUP;
-}
-
-static int
-cn10k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xfrm,
-			 struct rte_crypto_sym_xform *crypto_xfrm)
-{
-	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
-	int ret;
-
-	if ((ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
-	    (ipsec_xfrm->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
-		return -EINVAL;
-
-	if ((ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
-	    (ipsec_xfrm->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
-		return -EINVAL;
-
-	if ((ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
-	    (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
-		return -EINVAL;
-
-	if ((ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
-	    (ipsec_xfrm->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
-		return -EINVAL;
-
-	if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD)
-		return ipsec_xform_aead_verify(ipsec_xfrm, crypto_xfrm);
-
-	if (crypto_xfrm->next == NULL)
-		return -EINVAL;
-
-	if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
-		/* Ingress */
-		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
-		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
-			return -EINVAL;
-		auth_xform = crypto_xfrm;
-		cipher_xform = crypto_xfrm->next;
-	} else {
-		/* Egress */
-		if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
-		    crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
-			return -EINVAL;
-		cipher_xform = crypto_xfrm;
-		auth_xform = crypto_xfrm->next;
-	}
-
-	ret = ipsec_xform_cipher_verify(cipher_xform);
-	if (ret)
-		return ret;
-
-	ret = ipsec_xform_auth_verify(auth_xform);
-	if (ret)
-		return ret;
-
-	return 0;
-}
-
 static uint64_t
 ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
 {
@@ -245,7 +131,7 @@ cn10k_ipsec_session_create(void *dev,
 		return -EPERM;
 	}
 
-	ret = cn10k_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
+	ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
 	if (ret)
 		return ret;
 
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index f6897a0e14..d1eb74ebbe 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -17,4 +17,117 @@ struct cnxk_cpt_inst_tmpl {
 	uint64_t w7;
 };
 
+static inline int
+ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+	if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		switch (crypto_xform->cipher.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -ENOTSUP;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
+{
+	uint16_t keylen = crypto_xform->auth.key.length;
+
+	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
+		if (keylen >= 20 && keylen <= 64)
+			return 0;
+	} else if (roc_model_is_cn9k() &&
+		   (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+		if (keylen >= 32 && keylen <= 64)
+			return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			struct rte_crypto_sym_xform *crypto_xform)
+{
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	    crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
+		return -EINVAL;
+
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+	    crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
+		return -EINVAL;
+
+	if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
+		switch (crypto_xform->aead.key.length) {
+		case 16:
+		case 24:
+		case 32:
+			break;
+		default:
+			return -EINVAL;
+		}
+		return 0;
+	}
+
+	return -ENOTSUP;
+}
+
+static inline int
+cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			struct rte_crypto_sym_xform *crypto_xform)
+{
+	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
+	int ret;
+
+	if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+	    (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
+		return -EINVAL;
+
+	if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
+	    (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
+		return -EINVAL;
+
+	if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
+	    (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
+		return -EINVAL;
+
+	if ((ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
+	    (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
+		return -EINVAL;
+
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
+
+	if (crypto_xform->next == NULL)
+		return -EINVAL;
+
+	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
+		/* Ingress */
+		if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
+		    crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return -EINVAL;
+		auth_xform = crypto_xform;
+		cipher_xform = crypto_xform->next;
+	} else {
+		/* Egress */
+		if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
+		    crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
+			return -EINVAL;
+		cipher_xform = crypto_xform;
+		auth_xform = crypto_xform->next;
+	}
+
+	ret = ipsec_xform_cipher_verify(cipher_xform);
+	if (ret)
+		return ret;
+
+	return ipsec_xform_auth_verify(auth_xform);
+}
 #endif /* __CNXK_IPSEC_H__ */
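Review bot: The cipher+auth path of `cnxk_ipsec_xform_verify` never compares `cipher.op` or `auth.op` with the SA direction, although `ipsec_xform_aead_verify` in the same hunk rejects an `aead.op` that disagrees with it. An egress SA built from a decrypt/verify chain therefore passes verification as long as the chain order is right. If the lookaside hardware derives the operation purely from the SA direction, a comment saying so would be enough; otherwise the check below makes the two paths consistent. Separately, this is not a pure move: `ipsec_xform_auth_verify` gains a `roc_model_is_cn9k()` SHA256-HMAC branch and the AES-GCM cases swap `ROC_CPT_AES*_KEY_LEN` for bare `16`/`24`/`32`, neither of which the commit message mentions.

```c
	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
		/* … unchanged: chain-order check, auth_xform/cipher_xform assignment … */
		if (cipher_xform->cipher.op != RTE_CRYPTO_CIPHER_OP_DECRYPT ||
		    auth_xform->auth.op != RTE_CRYPTO_AUTH_OP_VERIFY)
			return -EINVAL;
	} else {
		/* … unchanged: chain-order check, cipher_xform/auth_xform assignment … */
		if (cipher_xform->cipher.op != RTE_CRYPTO_CIPHER_OP_ENCRYPT ||
		    auth_xform->auth.op != RTE_CRYPTO_AUTH_OP_GENERATE)
			return -EINVAL;
	}
```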
-- 
2.27.0



Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-01 10:19 [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 1/8] common/cnxk: add hash generation APIs Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 2/8] crypto/cnxk: add lookaside IPsec AES-CBC-HMAC-SHA1 support Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 3/8] crypto/cnxk: remove redundant code Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 4/8] crypto/cnxk: use rlen from CPT result with lookaside Tejasree Kondoj
2021-09-01 10:19 ` Tejasree Kondoj [this message]
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 6/8] crypto/cnxk: support cn10k transport mode Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 7/8] crypto/cnxk: support UDP encap with lookaside IPsec Tejasree Kondoj
2021-09-01 10:19 ` [dpdk-dev] [PATCH v2 8/8] common/cnxk: make IPsec defines common Tejasree Kondoj
2021-09-02  9:12 ` [dpdk-dev] [PATCH v2 0/8] add lookaside IPsec additional features Akhil Goyal
