1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #ifndef __CNXK_SECURITY_AR_H__
6 #define __CNXK_SECURITY_AR_H__
10 #include "cnxk_security.h"
12 #define CNXK_ON_AR_WIN_SIZE_MAX 1024
14 /* u64 array size to fit anti replay window bits */
15 #define AR_WIN_ARR_SZ \
16 (PLT_ALIGN_CEIL(CNXK_ON_AR_WIN_SIZE_MAX + 1, BITS_PER_LONG_LONG) / \
20 #define WORD_SIZE (1 << WORD_SHIFT)
21 #define WORD_MASK (WORD_SIZE - 1)
23 #define IPSEC_ANTI_REPLAY_FAILED (-1)
25 struct cnxk_on_ipsec_ar {
29 uint64_t base; /**< base of the anti-replay window */
30 uint64_t window[AR_WIN_ARR_SZ]; /**< anti-replay window */
33 static inline uint32_t
34 cnxk_on_anti_replay_get_seqh(uint32_t winsz, uint32_t seql, uint32_t esn_hi,
37 uint32_t win_low = esn_low - winsz + 1;
39 if (esn_low > winsz - 1) {
40 /* Window is in one sequence number subspace */
46 /* Window is split across two sequence number subspaces */
55 cnxk_on_anti_replay_check(uint64_t seq, struct cnxk_on_ipsec_ar *ar,
58 uint64_t ex_winsz = winsz + WORD_SIZE;
59 uint64_t *window = &ar->window[0];
60 uint64_t seqword, shiftwords;
61 uint64_t base = ar->base;
62 uint32_t winb = ar->winb;
63 uint32_t wint = ar->wint;
70 winwords = ex_winsz >> WORD_SHIFT;
73 /* Check if the seq is the biggest one yet */
74 if (likely(seq > base)) {
76 if (shift < winsz) { /* In window */
78 * If more than 64-bit anti-replay window,
79 * use slow shift routine
81 wptr = window + (shift >> WORD_SHIFT);
85 /* No special handling of window size > 64 */
86 wptr = window + ((winsz - 1) >> WORD_SHIFT);
88 * Zero out the whole window (especially for
89 * bigger than 64b window) till the last 64b word
90 * as the incoming sequence number minus
91 * base sequence is more than the window size.
93 while (window != wptr)
96 * Set the last bit (of the window) to 1
97 * as that corresponds to the base sequence number.
98 * Now any incoming sequence number which is
99 * (base - window size - 1) will pass anti-replay check
104 * Set the base to incoming sequence number as
105 * that is the biggest sequence number seen yet
111 bit_pos = base - seq;
113 /* If seq falls behind the window, return failure */
114 if (bit_pos >= winsz)
115 return IPSEC_ANTI_REPLAY_FAILED;
117 /* seq is within anti-replay window */
118 wptr = window + ((winsz - bit_pos - 1) >> WORD_SHIFT);
119 bit_pos &= WORD_MASK;
121 /* Check if this is a replayed packet */
122 if (*wptr & ((1ull) << bit_pos))
123 return IPSEC_ANTI_REPLAY_FAILED;
126 *wptr |= ((1ull) << bit_pos);
130 if (likely(seq > base)) {
134 if (unlikely(shift >= winsz)) {
136 * shift is bigger than the window,
137 * so just zero out everything
139 for (i = 0; i < winwords; i++)
142 /* Find out the word */
143 seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;
145 /* Find out the bit in the word */
146 bit_pos = (seq - 1) & WORD_MASK;
149 * Set the bit corresponding to sequence number
150 * in window to mark it as received
152 window[seqword] |= (1ull << (63 - bit_pos));
154 /* wint and winb range from 1 to ex_winsz */
155 ar->wint = ((wint + shift - 1) % ex_winsz) + 1;
156 ar->winb = ((winb + shift - 1) % ex_winsz) + 1;
163 * New sequence number is bigger than the base but
164 * it's not bigger than base + window size
167 shiftwords = ((wint + shift - 1) >> WORD_SHIFT) -
168 ((wint - 1) >> WORD_SHIFT);
169 if (unlikely(shiftwords)) {
170 tmp = (wint + WORD_SIZE - 1) / WORD_SIZE;
171 for (i = 0; i < shiftwords; i++) {
180 /* Sequence number is before the window */
181 if (unlikely((seq + winsz) <= base))
182 return IPSEC_ANTI_REPLAY_FAILED;
184 /* Sequence number is within the window */
186 /* Find out the word */
187 seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;
189 /* Find out the bit in the word */
190 bit_pos = (seq - 1) & WORD_MASK;
192 /* Check if this is a replayed packet */
193 if (window[seqword] & (1ull << (63 - bit_pos)))
194 return IPSEC_ANTI_REPLAY_FAILED;
197 * Set the bit corresponding to sequence number
198 * in window to mark it as received
200 window[seqword] |= (1ull << (63 - bit_pos));
205 #endif /* __CNXK_SECURITY_AR_H__ */