ixgbe: check for 128-bit authentication

Make sure the Security Association is using
a 128-bit authentication, since that's the only
size that the hardware offload supports.

Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
This commit is contained in:
Shannon Nelson 2018-02-22 11:09:55 -08:00 committed by Jeff Kirsher
parent 8b4c6ed2ed
commit 68c1fb2d30
2 changed files with 12 additions and 5 deletions

View File

@ -423,15 +423,21 @@ static int ixgbe_ipsec_parse_proto_keys(struct xfrm_state *xs,
const char aes_gcm_name[] = "rfc4106(gcm(aes))"; const char aes_gcm_name[] = "rfc4106(gcm(aes))";
int key_len; int key_len;
if (xs->aead) { if (!xs->aead) {
key_data = &xs->aead->alg_key[0];
key_len = xs->aead->alg_key_len;
alg_name = xs->aead->alg_name;
} else {
netdev_err(dev, "Unsupported IPsec algorithm\n"); netdev_err(dev, "Unsupported IPsec algorithm\n");
return -EINVAL; return -EINVAL;
} }
if (xs->aead->alg_icv_len != IXGBE_IPSEC_AUTH_BITS) {
netdev_err(dev, "IPsec offload requires %d bit authentication\n",
IXGBE_IPSEC_AUTH_BITS);
return -EINVAL;
}
key_data = &xs->aead->alg_key[0];
key_len = xs->aead->alg_key_len;
alg_name = xs->aead->alg_name;
if (strcmp(alg_name, aes_gcm_name)) { if (strcmp(alg_name, aes_gcm_name)) {
netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n", netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
aes_gcm_name); aes_gcm_name);

View File

@ -32,6 +32,7 @@
#define IXGBE_IPSEC_MAX_RX_IP_COUNT 128 #define IXGBE_IPSEC_MAX_RX_IP_COUNT 128
#define IXGBE_IPSEC_BASE_RX_INDEX 0 #define IXGBE_IPSEC_BASE_RX_INDEX 0
#define IXGBE_IPSEC_BASE_TX_INDEX IXGBE_IPSEC_MAX_SA_COUNT #define IXGBE_IPSEC_BASE_TX_INDEX IXGBE_IPSEC_MAX_SA_COUNT
#define IXGBE_IPSEC_AUTH_BITS 128
#define IXGBE_RXTXIDX_IPS_EN 0x00000001 #define IXGBE_RXTXIDX_IPS_EN 0x00000001
#define IXGBE_RXIDX_TBL_SHIFT 1 #define IXGBE_RXIDX_TBL_SHIFT 1