#include "otx2_cryptodev_mbox.h"
#include "otx2_cryptodev_ops.h"
#include "otx2_cryptodev_ops_helper.h"
+#include "otx2_ipsec_anti_replay.h"
#include "otx2_ipsec_po_ops.h"
#include "otx2_mbox.h"
#include "otx2_sec_idev.h"
otx2_cpt_enqueue_sec(struct otx2_cpt_qp *qp, struct rte_crypto_op *op,
struct pending_queue *pend_q)
{
+ uint32_t winsz, esn_low = 0, esn_hi = 0, seql = 0, seqh = 0;
+ struct rte_mbuf *m_src = op->sym->m_src;
struct otx2_sec_session_ipsec_lp *sess;
struct otx2_ipsec_po_sa_ctl *ctl_wrd;
+ struct otx2_ipsec_po_in_sa *sa;
struct otx2_sec_session *priv;
struct cpt_request_info *req;
+ uint64_t seq_in_sa, seq = 0;
+ uint8_t esn;
int ret;
priv = get_sec_session_private_data(op->sym->sec_session);
sess = &priv->ipsec.lp;
+ sa = &sess->in_sa;
- ctl_wrd = &sess->in_sa.ctl;
+ ctl_wrd = &sa->ctl;
+ esn = ctl_wrd->esn_en;
+ winsz = sa->replay_win_sz;
if (ctl_wrd->direction == OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND)
ret = process_outb_sa(op, sess, &qp->meta_info, (void **)&req);
- else
+ else {
+ if (winsz) {
+ esn_low = rte_be_to_cpu_32(sa->esn_low);
+ esn_hi = rte_be_to_cpu_32(sa->esn_hi);
+ seql = *rte_pktmbuf_mtod_offset(m_src, uint32_t *,
+ sizeof(struct rte_ipv4_hdr) + 4);
+ seql = rte_be_to_cpu_32(seql);
+
+ if (!esn)
+ seq = (uint64_t)seql;
+ else {
+ seqh = anti_replay_get_seqh(winsz, seql, esn_hi,
+ esn_low);
+ seq = ((uint64_t)seqh << 32) | seql;
+ }
+
+ if (unlikely(seq == 0))
+ return IPSEC_ANTI_REPLAY_FAILED;
+
+ ret = anti_replay_check(sa->replay, seq, winsz);
+ if (unlikely(ret)) {
+ otx2_err("Anti replay check failed");
+ return IPSEC_ANTI_REPLAY_FAILED;
+ }
+ }
+
ret = process_inb_sa(op, sess, &qp->meta_info, (void **)&req);
+ }
if (unlikely(ret)) {
otx2_err("Crypto req : op %p, ret 0x%x", op, ret);
ret = otx2_cpt_enqueue_req(qp, pend_q, req, sess->cpt_inst_w7);
+ if (winsz && esn) {
+ seq_in_sa = ((uint64_t)esn_hi << 32) | esn_low;
+ if (seq > seq_in_sa) {
+ sa->esn_low = rte_cpu_to_be_32(seql);
+ sa->esn_hi = rte_cpu_to_be_32(seqh);
+ }
+ }
+
return ret;
}
int ret;
sess = get_sec_session_private_data(sec_sess);
+ sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
lp = &sess->ipsec.lp;
sa = &lp->out_sa;
int ret;
sess = get_sec_session_private_data(sec_sess);
+ sess->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
lp = &sess->ipsec.lp;
sa = &lp->in_sa;
}
memset(sa, 0, sizeof(struct otx2_ipsec_po_in_sa));
+ sa->replay_win_sz = ipsec->replay_win_sz;
ret = ipsec_po_sa_ctl_set(ipsec, crypto_xform, ctl);
if (ret)
set_session_misc_attributes(lp, crypto_xform,
auth_xform, cipher_xform);
+ if (sa->replay_win_sz) {
+ if (sa->replay_win_sz > OTX2_IPSEC_MAX_REPLAY_WIN_SZ) {
+ otx2_err("Replay window size is not supported");
+ return -ENOTSUP;
+ }
+ sa->replay = rte_zmalloc(NULL, sizeof(struct otx2_ipsec_replay),
+ 0);
+ if (sa->replay == NULL)
+ return -ENOMEM;
+
+ /* Set window bottom to 1, base and top to size of window */
+ sa->replay->winb = 1;
+ sa->replay->wint = sa->replay_win_sz;
+ sa->replay->base = sa->replay_win_sz;
+ sa->esn_low = 0;
+ sa->esn_hi = 0;
+ }
+
return otx2_cpt_enq_sa_write(lp, crypto_dev->data->queue_pairs[0],
OTX2_IPSEC_PO_WRITE_IPSEC_INB);
}
git.droids-corp.org / dpdk.git / commitdiff