Commit 05ddf5f8 authored by Leon Romanovsky's avatar Leon Romanovsky Committed by Jakub Kicinski

nfp: fill IPsec state validation failure reason

Rely on extack to return failure reason.
Reviewed-by: default avatarSimon Horman <simon.horman@corigine.com>
Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 6c486979
...@@ -282,7 +282,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -282,7 +282,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
cfg->ctrl_word.mode = NFP_IPSEC_PROTMODE_TRANSPORT; cfg->ctrl_word.mode = NFP_IPSEC_PROTMODE_TRANSPORT;
break; break;
default: default:
nn_err(nn, "Unsupported mode for xfrm offload\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported mode for xfrm offload");
return -EINVAL; return -EINVAL;
} }
...@@ -294,17 +294,17 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -294,17 +294,17 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
cfg->ctrl_word.proto = NFP_IPSEC_PROTOCOL_AH; cfg->ctrl_word.proto = NFP_IPSEC_PROTOCOL_AH;
break; break;
default: default:
nn_err(nn, "Unsupported protocol for xfrm offload\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for xfrm offload");
return -EINVAL; return -EINVAL;
} }
if (x->props.flags & XFRM_STATE_ESN) { if (x->props.flags & XFRM_STATE_ESN) {
nn_err(nn, "Unsupported XFRM_REPLAY_MODE_ESN for xfrm offload\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported XFRM_REPLAY_MODE_ESN for xfrm offload");
return -EINVAL; return -EINVAL;
} }
if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) { if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
nn_err(nn, "Unsupported xfrm offload tyoe\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported xfrm offload type");
return -EINVAL; return -EINVAL;
} }
...@@ -321,7 +321,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -321,7 +321,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
if (x->aead) { if (x->aead) {
trunc_len = -1; trunc_len = -1;
} else { } else {
nn_err(nn, "Unsupported authentication algorithm\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported authentication algorithm");
return -EINVAL; return -EINVAL;
} }
break; break;
...@@ -345,19 +345,19 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -345,19 +345,19 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
set_sha2_512hmac(cfg, &trunc_len); set_sha2_512hmac(cfg, &trunc_len);
break; break;
default: default:
nn_err(nn, "Unsupported authentication algorithm\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported authentication algorithm");
return -EINVAL; return -EINVAL;
} }
if (!trunc_len) { if (!trunc_len) {
nn_err(nn, "Unsupported authentication algorithm trunc length\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported authentication algorithm trunc length");
return -EINVAL; return -EINVAL;
} }
if (x->aalg) { if (x->aalg) {
key_len = DIV_ROUND_UP(x->aalg->alg_key_len, BITS_PER_BYTE); key_len = DIV_ROUND_UP(x->aalg->alg_key_len, BITS_PER_BYTE);
if (key_len > sizeof(cfg->auth_key)) { if (key_len > sizeof(cfg->auth_key)) {
nn_err(nn, "Insufficient space for offloaded auth key\n"); NL_SET_ERR_MSG_MOD(extack, "Insufficient space for offloaded auth key");
return -EINVAL; return -EINVAL;
} }
for (i = 0; i < key_len / sizeof(cfg->auth_key[0]) ; i++) for (i = 0; i < key_len / sizeof(cfg->auth_key[0]) ; i++)
...@@ -379,12 +379,12 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -379,12 +379,12 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
case SADB_X_EALG_AES_GCM_ICV16: case SADB_X_EALG_AES_GCM_ICV16:
case SADB_X_EALG_NULL_AES_GMAC: case SADB_X_EALG_NULL_AES_GMAC:
if (!x->aead) { if (!x->aead) {
nn_err(nn, "Invalid AES key data\n"); NL_SET_ERR_MSG_MOD(extack, "Invalid AES key data");
return -EINVAL; return -EINVAL;
} }
if (x->aead->alg_icv_len != 128) { if (x->aead->alg_icv_len != 128) {
nn_err(nn, "ICV must be 128bit with SADB_X_EALG_AES_GCM_ICV16\n"); NL_SET_ERR_MSG_MOD(extack, "ICV must be 128bit with SADB_X_EALG_AES_GCM_ICV16");
return -EINVAL; return -EINVAL;
} }
cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CTR; cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CTR;
...@@ -392,23 +392,23 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -392,23 +392,23 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
/* Aead->alg_key_len includes 32-bit salt */ /* Aead->alg_key_len includes 32-bit salt */
if (set_aes_keylen(cfg, x->props.ealgo, x->aead->alg_key_len - 32)) { if (set_aes_keylen(cfg, x->props.ealgo, x->aead->alg_key_len - 32)) {
nn_err(nn, "Unsupported AES key length %d\n", x->aead->alg_key_len); NL_SET_ERR_MSG_MOD(extack, "Unsupported AES key length");
return -EINVAL; return -EINVAL;
} }
break; break;
case SADB_X_EALG_AESCBC: case SADB_X_EALG_AESCBC:
cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC; cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;
if (!x->ealg) { if (!x->ealg) {
nn_err(nn, "Invalid AES key data\n"); NL_SET_ERR_MSG_MOD(extack, "Invalid AES key data");
return -EINVAL; return -EINVAL;
} }
if (set_aes_keylen(cfg, x->props.ealgo, x->ealg->alg_key_len) < 0) { if (set_aes_keylen(cfg, x->props.ealgo, x->ealg->alg_key_len) < 0) {
nn_err(nn, "Unsupported AES key length %d\n", x->ealg->alg_key_len); NL_SET_ERR_MSG_MOD(extack, "Unsupported AES key length");
return -EINVAL; return -EINVAL;
} }
break; break;
default: default:
nn_err(nn, "Unsupported encryption algorithm for offload\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported encryption algorithm for offload");
return -EINVAL; return -EINVAL;
} }
...@@ -419,7 +419,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -419,7 +419,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
key_len -= salt_len; key_len -= salt_len;
if (key_len > sizeof(cfg->ciph_key)) { if (key_len > sizeof(cfg->ciph_key)) {
nn_err(nn, "aead: Insufficient space for offloaded key\n"); NL_SET_ERR_MSG_MOD(extack, "aead: Insufficient space for offloaded key");
return -EINVAL; return -EINVAL;
} }
...@@ -435,7 +435,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -435,7 +435,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
key_len = DIV_ROUND_UP(x->ealg->alg_key_len, BITS_PER_BYTE); key_len = DIV_ROUND_UP(x->ealg->alg_key_len, BITS_PER_BYTE);
if (key_len > sizeof(cfg->ciph_key)) { if (key_len > sizeof(cfg->ciph_key)) {
nn_err(nn, "ealg: Insufficient space for offloaded key\n"); NL_SET_ERR_MSG_MOD(extack, "ealg: Insufficient space for offloaded key");
return -EINVAL; return -EINVAL;
} }
for (i = 0; i < key_len / sizeof(cfg->ciph_key[0]) ; i++) for (i = 0; i < key_len / sizeof(cfg->ciph_key[0]) ; i++)
...@@ -458,7 +458,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -458,7 +458,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
} }
break; break;
default: default:
nn_err(nn, "Unsupported address family\n"); NL_SET_ERR_MSG_MOD(extack, "Unsupported address family");
return -EINVAL; return -EINVAL;
} }
...@@ -473,7 +473,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -473,7 +473,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
err = xa_alloc(&nn->xa_ipsec, &saidx, x, err = xa_alloc(&nn->xa_ipsec, &saidx, x,
XA_LIMIT(0, NFP_NET_IPSEC_MAX_SA_CNT - 1), GFP_KERNEL); XA_LIMIT(0, NFP_NET_IPSEC_MAX_SA_CNT - 1), GFP_KERNEL);
if (err < 0) { if (err < 0) {
nn_err(nn, "Unable to get sa_data number for IPsec\n"); NL_SET_ERR_MSG_MOD(extack, "Unable to get sa_data number for IPsec");
return err; return err;
} }
...@@ -481,7 +481,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x, ...@@ -481,7 +481,7 @@ static int nfp_net_xfrm_add_state(struct xfrm_state *x,
err = nfp_ipsec_cfg_cmd_issue(nn, NFP_IPSEC_CFG_MSSG_ADD_SA, saidx, &msg); err = nfp_ipsec_cfg_cmd_issue(nn, NFP_IPSEC_CFG_MSSG_ADD_SA, saidx, &msg);
if (err) { if (err) {
xa_erase(&nn->xa_ipsec, saidx); xa_erase(&nn->xa_ipsec, saidx);
nn_err(nn, "Failed to issue IPsec command err ret=%d\n", err); NL_SET_ERR_MSG_MOD(extack, "Failed to issue IPsec command");
return err; return err;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment