From 5e94e71b1a689a8146fc792697c6c3aa7e3c7993 Mon Sep 17 00:00:00 2001
From: Anoob Joseph
Date: Fri, 17 Dec 2021 14:49:58 +0530
Subject: [PATCH] crypto/cnxk: skip unsupported cases

Add skip for transport mode tests that are not supported. Also, updated the transport mode path to configure IP version as v4.

Signed-off-by: Anoob Joseph
Acked-by: Akhil Goyal
---
 drivers/crypto/cnxk/cn9k_ipsec.c | 53 ++++++++++++++++++++++++++++----
 1 file changed, 47 insertions(+), 6 deletions(-)

diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index 395b0d5d37..c27845c681 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -141,11 +141,10 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 return -EINVAL;
 }
 
- ctl->inner_ip_ver = ctl->outer_ip_ver;
-
- if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
 ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
- else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+ ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
+ } else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
 ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
 else
 return -EINVAL;
@@ -548,7 +547,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 }
 
 static inline int
-cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
+cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec,
+ struct rte_crypto_sym_xform *crypto)
 {
 if (ipsec->life.bytes_hard_limit != 0 ||
 ipsec->life.bytes_soft_limit != 0 ||
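Review bot: The transport branch of the first hunk now forces `ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4` with no comment explaining why, and the unconditional `ctl->inner_ip_ver = ctl->outer_ip_ver;` is removed for tunnel mode as well, which the commit message does not mention. If the hardware ignores the IP version fields in transport mode, a comment such as `/* IP version is unused in transport mode; program v4 so the control word stays valid */` would record that; if it does not, an IPv6 transport SA is silently programmed as v4 instead of being rejected. For tunnel mode it is worth confirming that inner_ip_ver is still assigned somewhere, since ipsec_sa_ctl_set starts and ends outside the visible lines.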
@@ -556,6 +556,47 @@ cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
 ipsec->life.packets_soft_limit != 0)
 return -ENOTSUP;
 
+ if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
+ enum rte_crypto_sym_xform_type type = crypto->type;
+
+ if (type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ if ((crypto->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) &&
+ (crypto->aead.key.length == 32)) {
+ plt_err("Transport mode AES-256-GCM is not supported");
+ return -ENOTSUP;
+ }
+ } else {
+ struct rte_crypto_cipher_xform *cipher;
+ struct rte_crypto_auth_xform *auth;
+
+ if (crypto->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ cipher = &crypto->cipher;
+ auth = &crypto->next->auth;
+ } else {
+ cipher = &crypto->next->cipher;
+ auth = &crypto->auth;
+ }
+
+ if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+ (auth->algo == RTE_CRYPTO_AUTH_SHA256_HMAC)) {
+ plt_err("Transport mode AES-CBC SHA2 HMAC 256 is not supported");
+ return -ENOTSUP;
+ }
+
+ if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+ (auth->algo == RTE_CRYPTO_AUTH_SHA384_HMAC)) {
+ plt_err("Transport mode AES-CBC SHA2 HMAC 384 is not supported");
+ return -ENOTSUP;
+ }
+
+ if ((cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) &&
+ (auth->algo == RTE_CRYPTO_AUTH_SHA512_HMAC)) {
+ plt_err("Transport mode AES-CBC SHA2 HMAC 512 is not supported");
+ return -ENOTSUP;
+ }
+ }
+ }
+
 return 0;
 }
 
@@ -580,7 +621,7 @@ cn9k_ipsec_session_create(void *dev,
 if (ret)
 return ret;
 
- ret = cn9k_ipsec_xform_verify(ipsec_xform);
+ ret = cn9k_ipsec_xform_verify(ipsec_xform, crypto_xform);
 if (ret)
 return ret;
 
--
2.39.5
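Review bot: In the non-AEAD branch `crypto->next` is dereferenced (`&crypto->next->auth`, `&crypto->next->cipher`) without a NULL check, so a single-element cipher-only or auth-only chain that reaches cn9k_ipsec_xform_verify in transport mode would read through a null pointer when `auth->algo` or `cipher->algo` is evaluated. The xforms come from the session-create caller, so unless the check that runs earlier in cn9k_ipsec_session_create (outside this hunk) already guarantees a two-element chain, add a guard at the top of the `else` block, for example `if (crypto->next == NULL) return -EINVAL;`. The same branch also treats every type other than RTE_CRYPTO_SYM_XFORM_CIPHER as an auth xform. As a style point, the three AES-CBC checks could be folded into one `cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC` test with a switch on `auth->algo`.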