[v2,32/32] common/cnxk: add check for null auth and anti-replay

Message ID 20230524100407.3796139-32-ndabilpuram@marvell.com (mailing list archive)
State Changes Requested, archived
Delegated to: Jerin Jacob
Series [v2,01/32] common/cnxk: allocate dynamic BPIDs

Checks

Context               Check    Description
ci/checkpatch         success  coding style OK
ci/Intel-compilation  warning  apply issues

Commit Message

Nithin Dabilpuram May 24, 2023, 10:04 a.m. UTC
  From: Srujana Challa <schalla@marvell.com>

As per IPsec RFC, the anti-replay service can be selected for
an SA only if the integrity service is selected for that SA.
This patch adds the validation check for the same.

Signed-off-by: Srujana Challa <schalla@marvell.com>
---
 drivers/common/cnxk/cnxk_security.c | 9 +++++++++
 1 file changed, 9 insertions(+)
  

Comments

Jerin Jacob May 25, 2023, 9:28 a.m. UTC | #1
On Wed, May 24, 2023 at 3:38 PM Nithin Dabilpuram
<ndabilpuram@marvell.com> wrote:
>
> From: Srujana Challa <schalla@marvell.com>
>
> As per IPsec RFC, the anti-replay service can be selected for
> an SA only if the integrity service is selected for that SA.
> This patch adds the validation check for the same.


Please fix the following in this series:

[for-next-net]dell[dpdk-next-net-mrvl] $ ./devtools/checkpatches.sh -n 32

### [PATCH] common/cnxk: add pool BPID to RQ while using common pool

WARNING:SPACING: space prohibited between function name and open parenthesis '('
#130: FILE: drivers/common/cnxk/roc_nix_fc.c:441:
+       TAILQ_FOREACH (roc_nix_tmp, roc_idev_nix_list_get(), next) {

total: 0 errors, 1 warnings, 347 lines checked

### [PATCH] common/cnxk: fix CPT backpressure disable on LBK

WARNING:BAD_FIXES_TAG: Please use correct Fixes: style 'Fixes: <12
chars of sha1> ("<title line>")' - ie: 'Fixes: 0663a84524e5
("common/cnxk: enable backpressure on CPT with inline inbound")'
#12:
Fixes: 0663a84524e ("common/cnxk: enable backpressure on CPT with
inline inbound")

total: 0 errors, 1 warnings, 27 lines checked

### [PATCH] common/nix: check for null derefernce

WARNING:TYPO_SPELLING: 'derefernce' may be misspelled - perhaps 'dereference'?
#4:
Subject: [PATCH] common/nix: check for null derefernce
                                            ^^^^^^^^^^

WARNING:SPACING: space prohibited between function name and open parenthesis '('
#56: FILE: drivers/common/cnxk/roc_nix_fc.c:445:
+       TAILQ_FOREACH (roc_nix_tmp, nix_list, next) {

total: 0 errors, 2 warnings, 39 lines checked

29/32 valid patches
[for-next-net]dell[dpdk-next-net-mrvl] $

>
> Signed-off-by: Srujana Challa <schalla@marvell.com>
> ---
>  drivers/common/cnxk/cnxk_security.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
> index 13ca2c7791..a8c3ba90cd 100644
> --- a/drivers/common/cnxk/cnxk_security.c
> +++ b/drivers/common/cnxk/cnxk_security.c
> @@ -155,6 +155,10 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
>
>                 switch (auth_xfrm->auth.algo) {
>                 case RTE_CRYPTO_AUTH_NULL:
> +                       if (w2->s.dir == ROC_IE_SA_DIR_INBOUND && ipsec_xfrm->replay_win_sz) {
> +                               plt_err("anti-replay can't be supported with integrity service disabled");
> +                               return -EINVAL;
> +                       }
>                         w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL;
>                         break;
>                 case RTE_CRYPTO_AUTH_SHA1_HMAC:
> @@ -1392,6 +1396,11 @@ cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec,
>         if (ret)
>                 return ret;
>
> +       if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD &&
> +           crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL && ipsec->replay_win_sz) {
> +               plt_err("anti-replay can't be supported with integrity service disabled");
> +               return -EINVAL;
> +       }
>         if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
>             auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||
>             auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
> --
> 2.25.1
>
  

Patch

diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index 13ca2c7791..a8c3ba90cd 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -155,6 +155,10 @@  ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 
 		switch (auth_xfrm->auth.algo) {
 		case RTE_CRYPTO_AUTH_NULL:
+			if (w2->s.dir == ROC_IE_SA_DIR_INBOUND && ipsec_xfrm->replay_win_sz) {
+				plt_err("anti-replay can't be supported with integrity service disabled");
+				return -EINVAL;
+			}
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL;
 			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
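
Review bot: In the `RTE_CRYPTO_AUTH_NULL` case the new check rejects a non-zero `replay_win_sz` only when `w2->s.dir == ROC_IE_SA_DIR_INBOUND`, so an outbound SA configured with NULL auth and a replay window is still accepted without any message. If that is deliberate because the replay window is only enforced on the receive side, a short comment above the `if` saying so (and pointing at the RFC clause the commit message relies on) would help; otherwise drop the direction test. The `plt_err()` text would also be easier to act on if it named the offending settings, that is NULL auth together with a non-zero `replay_win_sz`.
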
@@ -1392,6 +1396,11 @@  cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec,
 	if (ret)
 		return ret;
 
+	if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD &&
+	    crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL && ipsec->replay_win_sz) {
+		plt_err("anti-replay can't be supported with integrity service disabled");
+		return -EINVAL;
+	}
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
 	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||
 	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
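
Review bot: The added condition reads `crypto_xform->auth.algo`, while the existing condition directly below it reads `auth_xform->auth.algo`; the only guard is `crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD`, which does not establish that `crypto_xform` is the auth transform. Unless that is guaranteed earlier in `cnxk_on_ipsec_inb_sa_create()`, test `auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL` here, as the following `if` does. A blank line after the new closing brace would keep the block separate from the next `if`, and since the error string is identical to the one in the first hunk, a shared helper or macro would keep the two copies from drifting apart.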