crypto/cnxk: skip unsupported cases

Add skip for transport mode tests that are not supported. Also,
updated the transport mode path to configure IP version as v4.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 395b0d5d3743fe0657b23b2b8d8c66bf426baae6..c27845c681228d40cf2c8880956894a8d45bbe7e 100644 (file)
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -141,11 +141,10 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
                        return -EINVAL;
        }
 
-       ctl->inner_ip_ver = ctl->outer_ip_ver;
-
-       if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+       if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
                ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
-       else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+               ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+       } else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
                ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
        else
                return -EINVAL;
@@ -548,7 +547,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 }
 
 static inline int
-cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
+cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec,
+                       struct rte_crypto_sym_xform *crypto)
 {
        if (ipsec->life.bytes_hard_limit != 0 ||
            ipsec->life.bytes_soft_limit != 0 ||
@@ -556,6 +556,47 @@ cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
            ipsec->life.packets_soft_limit != 0)
                return -ENOTSUP;
 
+       if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
+               enum rte_crypto_sym_xform_type type = crypto->type;
+
+               if (type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+                       if ((crypto->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) &&
+                           (crypto->aead.key.length == 32)) {
+                               plt_err("Transport mode AES-256-GCM is not supported");
+                               return -ENOTSUP;
+                       }
+               } else {
+                       struct rte_crypto_cipher_xform *cipher;
+                       struct rte_crypto_auth_xform *auth;
+
+                       if (crypto->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+                               cipher = &crypto->cipher;
+                               auth = &crypto->next->auth;
+                       } else {
+                               cipher = &crypto->next->cipher;
+                               auth = &crypto->auth;
+                       }
+
+                       if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+                           (auth->algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+                               plt_err("Transport mode AES-CBC SHA2 HMAC 256 is not supported");
+                               return -ENOTSUP;
+                       }
+
+                       if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+                           (auth->algo == RTE_CRYPTO_AUTH_SHA384_HMAC)) {
+                               plt_err("Transport mode AES-CBC SHA2 HMAC 384 is not supported");
+                               return -ENOTSUP;
+                       }
+
+                       if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+                           (auth->algo == RTE_CRYPTO_AUTH_SHA512_HMAC)) {
+                               plt_err("Transport mode AES-CBC SHA2 HMAC 512 is not supported");
+                               return -ENOTSUP;
+                       }
+               }
+       }
+
        return 0;
 }
 
@@ -580,7 +621,7 @@ cn9k_ipsec_session_create(void *dev,
        if (ret)
                return ret;
 
-       ret = cn9k_ipsec_xform_verify(ipsec_xform);
+       ret = cn9k_ipsec_xform_verify(ipsec_xform, crypto_xform);
        if (ret)
                return ret;