1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #ifndef __CNXK_SECURITY_AR_H__
6 #define __CNXK_SECURITY_AR_H__
10 #include "cnxk_security.h"
12 #define CNXK_ON_AR_WIN_SIZE_MAX 1024
14 /* u64 array size to fit anti replay window bits */
15 #define AR_WIN_ARR_SZ \
16 (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX, BITS_PER_LONG_LONG) / \
20 #define WORD_SIZE (1 << WORD_SHIFT)
21 #define WORD_MASK (WORD_SIZE - 1)
23 #define IPSEC_ANTI_REPLAY_FAILED (-1)
25 struct cnxk_on_ipsec_ar {
29 uint64_t base; /**< base of the anti-replay window */
30 uint64_t window[AR_WIN_ARR_SZ]; /**< anti-replay window */
34 cnxk_on_anti_replay_check(uint64_t seq, struct cnxk_on_ipsec_ar *ar,
37 uint64_t ex_winsz = winsz + WORD_SIZE;
38 uint64_t *window = &ar->window[0];
39 uint64_t seqword, shiftwords;
40 uint64_t base = ar->base;
41 uint32_t winb = ar->winb;
42 uint32_t wint = ar->wint;
49 winwords = ex_winsz >> WORD_SHIFT;
52 /* Check if the seq is the biggest one yet */
53 if (likely(seq > base)) {
55 if (shift < winsz) { /* In window */
57 * If more than 64-bit anti-replay window,
58 * use slow shift routine
60 wptr = window + (shift >> WORD_SHIFT);
64 /* No special handling of window size > 64 */
65 wptr = window + ((winsz - 1) >> WORD_SHIFT);
67 * Zero out the whole window (especially for
68 * bigger than 64b window) till the last 64b word
69 * as the incoming sequence number minus
70 * base sequence is more than the window size.
72 while (window != wptr)
75 * Set the last bit (of the window) to 1
76 * as that corresponds to the base sequence number.
77 * Now any incoming sequence number which is
78 * (base - window size - 1) will pass anti-replay check
83 * Set the base to incoming sequence number as
84 * that is the biggest sequence number seen yet
92 /* If seq falls behind the window, return failure */
94 return IPSEC_ANTI_REPLAY_FAILED;
96 /* seq is within anti-replay window */
97 wptr = window + ((winsz - bit_pos - 1) >> WORD_SHIFT);
100 /* Check if this is a replayed packet */
101 if (*wptr & ((1ull) << bit_pos))
102 return IPSEC_ANTI_REPLAY_FAILED;
105 *wptr |= ((1ull) << bit_pos);
109 if (likely(seq > base)) {
113 if (unlikely(shift >= winsz)) {
115 * shift is bigger than the window,
116 * so just zero out everything
118 for (i = 0; i < winwords; i++)
121 /* Find out the word */
122 seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;
124 /* Find out the bit in the word */
125 bit_pos = (seq - 1) & WORD_MASK;
128 * Set the bit corresponding to sequence number
129 * in window to mark it as received
131 window[seqword] |= (1ull << (63 - bit_pos));
133 /* wint and winb range from 1 to ex_winsz */
134 ar->wint = ((wint + shift - 1) % ex_winsz) + 1;
135 ar->winb = ((winb + shift - 1) % ex_winsz) + 1;
142 * New sequence number is bigger than the base but
143 * it's not bigger than base + window size
146 shiftwords = ((wint + shift - 1) >> WORD_SHIFT) -
147 ((wint - 1) >> WORD_SHIFT);
148 if (unlikely(shiftwords)) {
149 tmp = (wint + WORD_SIZE - 1) / WORD_SIZE;
150 for (i = 0; i < shiftwords; i++) {
159 /* Sequence number is before the window */
160 if (unlikely((seq + winsz) <= base))
161 return IPSEC_ANTI_REPLAY_FAILED;
163 /* Sequence number is within the window */
165 /* Find out the word */
166 seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;
168 /* Find out the bit in the word */
169 bit_pos = (seq - 1) & WORD_MASK;
171 /* Check if this is a replayed packet */
172 if (window[seqword] & (1ull << (63 - bit_pos)))
173 return IPSEC_ANTI_REPLAY_FAILED;
176 * Set the bit corresponding to sequence number
177 * in window to mark it as received
179 window[seqword] |= (1ull << (63 - bit_pos));
184 #endif /* __CNXK_SECURITY_AR_H__ */