1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
4 #ifndef __CNXK_IPSEC_H__
5 #define __CNXK_IPSEC_H__
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
/* rte_security_ops table exported as cnxk_sec_ops; only declared here, the definition lives in another translation unit. */
12 extern struct rte_security_ops cnxk_sec_ops;
/* Only the opening line of this struct is present in this listing; its members are not shown. */
14 struct cnxk_cpt_inst_tmpl {
/*
 * Checks the cipher part of an IPsec crypto transform against the
 * algorithm / key-length combinations this driver recognises.
 *
 * crypto_xform: symmetric transform whose .cipher member is inspected.
 *               It is dereferenced without a NULL check, so the caller
 *               must pass a valid pointer.
 *
 * NOTE(review): the return statements are not present in this listing;
 * presumably 0 means "accepted" and a negative errno means "rejected" -
 * confirm against the full file.
 */
21 ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
/*
 * NULL cipher is tested before anything else, without looking at the key.
 * NOTE(review): if this branch accepts, and the auth check likewise accepts
 * RTE_CRYPTO_AUTH_NULL, an ESP SA with neither confidentiality nor integrity
 * would pass verification - confirm that combination is rejected somewhere.
 */
23 if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
/* AES-CBC and AES-CTR share one key-length switch; the case labels are not shown in this listing. */
26 if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC ||
27 crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) {
28 switch (crypto_xform->cipher.key.length) {
/*
 * 3DES-CBC is matched only with a 24-byte (three-key) key.
 * 3DES is a legacy 64-bit-block cipher; supporting it is an
 * interoperability choice rather than a recommended default.
 */
39 if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_3DES_CBC &&
40 crypto_xform->cipher.key.length == 24)
/*
 * Checks the authentication part of an IPsec crypto transform: the
 * algorithm must be one of those tested below and the key length must
 * fall in the range visible for that algorithm.
 *
 * crypto_xform: symmetric transform whose .auth member is inspected.
 *               It is dereferenced on the first line of the body, so the
 *               caller must pass a valid pointer.
 *
 * NOTE(review): the return statements are not present in this listing;
 * presumably 0 means "accepted" and a negative errno means "rejected" -
 * confirm against the full file.
 */
47 ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
/* Key length in bytes, read once and reused by every range check below. */
49 uint16_t keylen = crypto_xform->auth.key.length;
/*
 * NULL auth is tested before any key-length check.
 * NOTE(review): if this branch accepts, the SA has no integrity protection
 * from this transform; confirm callers only reach it where that is intended.
 */
51 if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
/* HMAC-SHA1: lower bound 20 is the SHA-1 digest size, upper bound 64 its block size. */
54 if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
55 if (keylen >= 20 && keylen <= 64)
/* HMAC-SHA256: lower bound 32 is the SHA-256 digest size, upper bound 64 its block size. */
57 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
58 if (keylen >= 32 && keylen <= 64)
/* HMAC-SHA384 / HMAC-SHA512: the key-length conditions for these two branches are not shown in this listing. */
60 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC) {
63 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
/*
 * AES-GMAC: a range test, not a set test.
 * NOTE(review): 16..32 also admits lengths that are not AES key sizes
 * (only 16, 24 and 32 are); presumably rejected later when the SA is
 * programmed - confirm, or tighten the check here.
 */
66 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
67 if (keylen >= 16 && keylen <= 32)
/* AES-XCBC-MAC is matched only with exactly ROC_CPT_AES_XCBC_KEY_LENGTH bytes of key. */
71 if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
72 keylen == ROC_CPT_AES_XCBC_KEY_LENGTH)
/*
 * Checks an AEAD transform for an IPsec SA: the AEAD operation must agree
 * with the SA direction, and AES-GCM is then examined by key length.
 *
 * ipsec_xform:  IPsec SA parameters; only .direction is read here.
 * crypto_xform: symmetric transform whose .aead member is inspected.
 * Both pointers are dereferenced without a NULL check.
 *
 * NOTE(review): the return statements are not present in this listing;
 * presumably a negative errno is returned on mismatch - confirm against
 * the full file.
 */
79 ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
80 struct rte_crypto_sym_xform *crypto_xform)
/* Egress SA paired with anything other than ENCRYPT is singled out. */
82 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
83 crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
/* Ingress SA paired with anything other than DECRYPT is singled out. */
86 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
87 crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
/* AES-GCM is the only AEAD algorithm tested in the visible lines; the key-length case labels are not shown. */
90 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
91 switch (crypto_xform->aead.key.length) {
/*
 * Entry point for validating an IPsec SA request before it is accepted:
 * checks the SA parameters (direction, protocol, mode, tunnel type), then
 * the shape and order of the crypto transform chain, then delegates the
 * algorithm / key-length checks to the cipher, auth and AEAD helpers.
 *
 * ipsec_xform:  IPsec SA parameters.
 * crypto_xform: head of the symmetric transform chain (linked via ->next).
 * Both pointers are dereferenced without a NULL check in the visible lines.
 *
 * NOTE(review): most return statements, the `else` keywords and the
 * declaration of `ret` are not present in this listing; the branch
 * structure described below is inferred from the visible conditions -
 * confirm against the full file.
 */
106 cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
107 struct rte_crypto_sym_xform *crypto_xform)
109 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
/* Direction must be one of INGRESS / EGRESS. */
112 if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
113 (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
/* Protocol must be one of ESP / AH. */
116 if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
117 (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
/* Mode must be one of TRANSPORT / TUNNEL. */
120 if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
121 (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
/* In tunnel mode the outer header type must be IPv4 or IPv6. */
124 if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) &&
125 (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
126 (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
/* AEAD transforms are handed to the AEAD helper and its result is returned directly. */
129 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
130 return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
/* AH: authentication is mandatory; a cipher transform, if present, must be the NULL cipher. */
132 if (ipsec_xform->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
133 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
/* AH ingress: the head of the chain is taken as auth, the optional next element as cipher (may be NULL). */
135 auth_xform = crypto_xform;
136 cipher_xform = crypto_xform->next;
138 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH)
/* A second element is tolerated only if it is a CIPHER transform using RTE_CRYPTO_CIPHER_NULL. */
141 if ((cipher_xform != NULL) && ((cipher_xform->type !=
142 RTE_CRYPTO_SYM_XFORM_CIPHER) ||
143 (cipher_xform->cipher.algo !=
144 RTE_CRYPTO_CIPHER_NULL)))
/* AH egress (presumably the else-branch of the direction test): either cipher(NULL) followed by auth, or auth alone. */
148 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
149 cipher_xform = crypto_xform;
150 auth_xform = crypto_xform->next;
/* Cipher-first chain needs a following auth element and the NULL cipher algorithm. */
152 if (auth_xform == NULL ||
153 cipher_xform->cipher.algo !=
154 RTE_CRYPTO_CIPHER_NULL)
/* Auth-only chain: cipher_xform is not assigned in the visible lines of this branch. */
156 } else if (crypto_xform->type ==
157 RTE_CRYPTO_SYM_XFORM_AUTH)
158 auth_xform = crypto_xform;
/* Non-AEAD, non-AH case (presumably ESP): a two-element chain is required, so ->next is checked before it is dereferenced below. */
163 if (crypto_xform->next == NULL)
166 if (ipsec_xform->direction ==
167 RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
/* Ingress order: auth first, then cipher (verify before decrypt). */
169 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
170 crypto_xform->next->type !=
171 RTE_CRYPTO_SYM_XFORM_CIPHER)
173 auth_xform = crypto_xform;
174 cipher_xform = crypto_xform->next;
/* Egress order (presumably the else-branch): cipher first, then auth (encrypt before authenticate). */
177 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
178 crypto_xform->next->type !=
179 RTE_CRYPTO_SYM_XFORM_AUTH)
181 cipher_xform = crypto_xform;
182 auth_xform = crypto_xform->next;
/*
 * NOTE(review): cipher_xform can be NULL or unassigned on the AH paths
 * above, and the helper dereferences its argument; confirm this call is
 * reached only from the branch where cipher_xform was set from a checked
 * chain element.
 */
185 ret = ipsec_xform_cipher_verify(cipher_xform);
/* The auth helper's result is the function's final result. */
190 return ipsec_xform_auth_verify(auth_xform);
192 #endif /* __CNXK_IPSEC_H__ */