1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
4 #ifndef __CNXK_IPSEC_H__
5 #define __CNXK_IPSEC_H__
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
/* Security ops table; declared here, defined in another translation unit. */
12 extern struct rte_security_ops cnxk_sec_ops;
/* CPT instruction template; the member list is not visible in this listing. */
14 struct cnxk_cpt_inst_tmpl {
/*
 * Validate the cipher transform of an IPsec SA.
 *
 * The algorithm is compared against NULL, AES-CBC and AES-CTR, and for the
 * two AES modes the key length is inspected. The return statements and the
 * accepted key-length cases are elided from this listing, so the result of
 * each check cannot be stated from here.
 */
21 ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
/*
 * NOTE(review): the NULL cipher is special-cased. If this branch accepts it,
 * ESP payloads carry no confidentiality; confirm that a NULL cipher combined
 * with NULL auth is rejected somewhere, since that SA would protect nothing.
 */
23 if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
26 if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC ||
27 crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) {
/* Key length is checked only for the AES modes; the case labels are elided. */
28 switch (crypto_xform->cipher.key.length) {
/*
 * Validate the authentication transform of an IPsec SA.
 *
 * The algorithm is matched against NULL, the HMAC-SHA1/256/384/512 family
 * and AES-XCBC-MAC, with a key-length test per algorithm. The return
 * statements, and the bounds used for SHA-384 and SHA-512, are elided from
 * this listing.
 */
43 ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
45 uint16_t keylen = crypto_xform->auth.key.length;
/*
 * NOTE(review): NULL auth is special-cased. If accepted, packets carry no
 * integrity check value; confirm this is only allowed together with a
 * cipher and never alongside the NULL cipher.
 */
47 if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
50 if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
/* 20 is the SHA-1 digest size and 64 its block size, both in bytes. */
51 if (keylen >= 20 && keylen <= 64)
53 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
/* 32 is the SHA-256 digest size and 64 its block size, both in bytes. */
54 if (keylen >= 32 && keylen <= 64)
56 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC) {
59 } else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
/* AES-XCBC-MAC takes exactly one key length, given by the ROC constant. */
64 if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
65 keylen == ROC_CPT_AES_XCBC_KEY_LENGTH)
/*
 * Validate an AEAD transform against the SA direction.
 *
 * An egress SA is tested for an op other than ENCRYPT and an ingress SA for
 * an op other than DECRYPT; AES-GCM then has its key length inspected. The
 * return statements and the accepted key-length cases are elided from this
 * listing.
 */
72 ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
73 struct rte_crypto_sym_xform *crypto_xform)
/* Direction and AEAD op must agree: egress pairs with encrypt. */
75 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
76 crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
/* Ingress pairs with decrypt. */
79 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
80 crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
/* AES-GCM is the only AEAD algorithm tested in the visible lines. */
83 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
84 switch (crypto_xform->aead.key.length) {
/*
 * Validate an IPsec SA configuration and its crypto transform chain.
 *
 * Visible steps: direction, protocol, mode and tunnel type are each tested
 * against the values listed below; an AEAD transform is handed to
 * ipsec_xform_aead_verify(); otherwise the chain must have two elements
 * whose order depends on direction, and the cipher and auth elements are
 * passed to their respective verifiers. The return statements of the
 * individual checks are elided from this listing.
 *
 * NOTE(review): no NULL check on ipsec_xform or crypto_xform is visible
 * before they are dereferenced; confirm the caller guarantees both.
 */
99 cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
100 struct rte_crypto_sym_xform *crypto_xform)
102 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
/* Direction is tested against INGRESS and EGRESS only. */
105 if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
106 (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
/* Protocol is tested against ESP and AH. */
109 if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
110 (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
/* Mode is tested against TRANSPORT and TUNNEL. */
113 if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
114 (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
/* The tunnel type is only examined for tunnel-mode SAs. */
117 if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) &&
118 (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
119 (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
/* AEAD is a single combined transform and is validated on its own. */
122 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
123 return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);
/* Tested before crypto_xform->next->type is read below. */
125 if (crypto_xform->next == NULL)
128 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
/* Ingress chain order: auth first, then cipher. */
130 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
131 crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
133 auth_xform = crypto_xform;
134 cipher_xform = crypto_xform->next;
/* Other branch (presumably egress; the else line is elided): cipher first, then auth. */
137 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
138 crypto_xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
140 cipher_xform = crypto_xform;
141 auth_xform = crypto_xform->next;
/* ret is declared on a line elided from this listing, as is the test of its value. */
144 ret = ipsec_xform_cipher_verify(cipher_xform);
148 return ipsec_xform_auth_verify(auth_xform);
150 #endif /* __CNXK_IPSEC_H__ */