1 /* SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0)
2 *
3 * Copyright 2008-2016 Freescale Semiconductor Inc.
4 * Copyright 2016,2019 NXP
5 *
6 */
7
8 #ifndef __RTA_PROTOCOL_CMD_H__
9 #define __RTA_PROTOCOL_CMD_H__
10
11 extern enum rta_sec_era rta_sec_era;
12
/*
 * __rta_ssl_proto - validate the PROTINFO value of an SSL/TLS/DTLS operation
 * @protoinfo: cipher-suite selector taken from the OPERATION command
 *
 * Returns 0 when @protoinfo is one of the suites listed below and -EINVAL
 * otherwise. RC4-based suites are additionally refused when the global
 * rta_sec_era equals RTA_SEC_ERA_7.
 *
 * This is a capability check only, not a strength policy: the accepted set
 * includes EXPORT, anonymous-DH, single-DES and MD5-based suites. A caller
 * that must refuse weak suites has to filter them before building the
 * descriptor.
 */
static inline int
__rta_ssl_proto(uint16_t protoinfo)
{
	switch (protoinfo) {
	/* RC4 suites: the only group whose acceptance depends on the Era */
	case OP_PCL_TLS_RSA_EXPORT_WITH_RC4_40_MD5:
	case OP_PCL_TLS_RSA_WITH_RC4_128_MD5:
	case OP_PCL_TLS_RSA_WITH_RC4_128_SHA:
	case OP_PCL_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:
	case OP_PCL_TLS_DH_anon_WITH_RC4_128_MD5:
	case OP_PCL_TLS_KRB5_WITH_RC4_128_SHA:
	case OP_PCL_TLS_KRB5_WITH_RC4_128_MD5:
	case OP_PCL_TLS_KRB5_EXPORT_WITH_RC4_40_SHA:
	case OP_PCL_TLS_KRB5_EXPORT_WITH_RC4_40_MD5:
	case OP_PCL_TLS_PSK_WITH_RC4_128_SHA:
	case OP_PCL_TLS_DHE_PSK_WITH_RC4_128_SHA:
	case OP_PCL_TLS_RSA_PSK_WITH_RC4_128_SHA:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
	case OP_PCL_TLS_ECDH_RSA_WITH_RC4_128_SHA:
	case OP_PCL_TLS_ECDHE_RSA_WITH_RC4_128_SHA:
	case OP_PCL_TLS_ECDH_anon_WITH_RC4_128_SHA:
	case OP_PCL_TLS_ECDHE_PSK_WITH_RC4_128_SHA:
		return (rta_sec_era == RTA_SEC_ERA_7) ? -EINVAL : 0;

	/* Suites accepted regardless of the Era */
	case OP_PCL_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:
	case OP_PCL_TLS_RSA_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_RSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
	case OP_PCL_TLS_DH_DSS_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
	case OP_PCL_TLS_DH_RSA_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
	case OP_PCL_TLS_DHE_DSS_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
	case OP_PCL_TLS_DHE_RSA_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
	case OP_PCL_TLS_DH_anon_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_KRB5_WITH_DES_CBC_SHA:
	case OP_PCL_TLS_KRB5_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_KRB5_WITH_DES_CBC_MD5:
	case OP_PCL_TLS_KRB5_WITH_3DES_EDE_CBC_MD5:
	case OP_PCL_TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA:
	case OP_PCL_TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5:
	case OP_PCL_TLS_RSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_DH_DSS_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_DH_RSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_DH_anon_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_RSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DH_DSS_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DH_RSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DH_anon_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
	case OP_PCL_TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
	case OP_PCL_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
	case OP_PCL_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
	case OP_PCL_TLS_DH_anon_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_DH_anon_WITH_AES_256_CBC_SHA256:
	case OP_PCL_TLS_PSK_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_PSK_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_PSK_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_DHE_PSK_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_DHE_PSK_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_RSA_PSK_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_RSA_PSK_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_RSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_RSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_DH_anon_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_DH_anon_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_PSK_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_PSK_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_PSK_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_PSK_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
	case OP_PCL_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
	case OP_PCL_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA:
	case OP_PCL_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA:
	case OP_PCL_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA:
	case OP_PCL_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384:
	case OP_PCL_TLS_RSA_WITH_AES_128_CBC_SHA256:
	case OP_PCL_TLS_RSA_WITH_AES_256_CBC_SHA256:

	/* Private (OP_PCL_PVT_*) selectors */
	case OP_PCL_PVT_TLS_3DES_EDE_CBC_MD5:
	case OP_PCL_PVT_TLS_3DES_EDE_CBC_SHA160:
	case OP_PCL_PVT_TLS_3DES_EDE_CBC_SHA224:
	case OP_PCL_PVT_TLS_3DES_EDE_CBC_SHA256:
	case OP_PCL_PVT_TLS_3DES_EDE_CBC_SHA384:
	case OP_PCL_PVT_TLS_3DES_EDE_CBC_SHA512:
	case OP_PCL_PVT_TLS_AES_128_CBC_SHA160:
	case OP_PCL_PVT_TLS_AES_128_CBC_SHA224:
	case OP_PCL_PVT_TLS_AES_128_CBC_SHA256:
	case OP_PCL_PVT_TLS_AES_128_CBC_SHA384:
	case OP_PCL_PVT_TLS_AES_128_CBC_SHA512:
	case OP_PCL_PVT_TLS_AES_192_CBC_SHA160:
	case OP_PCL_PVT_TLS_AES_192_CBC_SHA224:
	case OP_PCL_PVT_TLS_AES_192_CBC_SHA256:
	case OP_PCL_PVT_TLS_AES_192_CBC_SHA512:
	case OP_PCL_PVT_TLS_AES_256_CBC_SHA160:
	case OP_PCL_PVT_TLS_AES_256_CBC_SHA224:
	case OP_PCL_PVT_TLS_AES_256_CBC_SHA384:
	case OP_PCL_PVT_TLS_AES_256_CBC_SHA512:
	case OP_PCL_PVT_TLS_AES_256_CBC_SHA256:
	case OP_PCL_PVT_TLS_AES_192_CBC_SHA384:
	case OP_PCL_PVT_TLS_MASTER_SECRET_PRF_FE:
	case OP_PCL_PVT_TLS_MASTER_SECRET_PRF_FF:
		return 0;

	default:
		/* anything not listed above is rejected */
		return -EINVAL;
	}
}
192
/*
 * __rta_ike_proto - validate the PROTINFO value of an IKE PRF operation
 * @protoinfo: PRF selector taken from the OPERATION command
 *
 * Returns 0 for the selectors listed below, -EINVAL for anything else.
 * OP_PCL_IKE_HMAC_MD5 and OP_PCL_IKE_HMAC_SHA1 are part of the accepted
 * set; this function does not apply any strength policy.
 */
static inline int
__rta_ike_proto(uint16_t protoinfo)
{
	switch (protoinfo) {
	case OP_PCL_IKE_HMAC_MD5:
	case OP_PCL_IKE_HMAC_SHA1:
	case OP_PCL_IKE_HMAC_AES128_CBC:
	case OP_PCL_IKE_HMAC_SHA256:
	case OP_PCL_IKE_HMAC_SHA384:
	case OP_PCL_IKE_HMAC_SHA512:
	case OP_PCL_IKE_HMAC_AES128_CMAC:
		return 0;
	default:
		return -EINVAL;
	}
}
209
/*
 * __rta_ipsec_proto - validate the PROTINFO value of an IPsec operation
 * @protoinfo: cipher selector (OP_PCL_IPSEC_CIPHER_MASK bits) combined with
 *             an authentication selector (OP_PCL_IPSEC_AUTH_MASK bits)
 *
 * Returns 0 when the cipher/authentication pair is accepted, -EINVAL
 * otherwise. The CCM, GCM and GMAC selectors are accepted only together with
 * OP_PCL_IPSEC_HMAC_NULL. OP_PCL_IPSEC_AES_NULL_WITH_GMAC and
 * OP_PCL_IPSEC_NULL are refused when rta_sec_era is below RTA_SEC_ERA_2.
 *
 * NOTE(review): OP_PCL_IPSEC_NULL combined with OP_PCL_IPSEC_HMAC_NULL passes
 * this check on Era 2 and later, as do the DES and HMAC-MD5 selectors. Going
 * by the names, that admits a descriptor with neither encryption nor
 * authentication; refusing it is left to the caller - confirm this is
 * intended.
 */
static inline int
__rta_ipsec_proto(uint16_t protoinfo)
{
	const uint16_t cipher = protoinfo & OP_PCL_IPSEC_CIPHER_MASK;
	const uint16_t auth = protoinfo & OP_PCL_IPSEC_AUTH_MASK;

	switch (cipher) {
	case OP_PCL_IPSEC_AES_NULL_WITH_GMAC:
		if (rta_sec_era < RTA_SEC_ERA_2)
			return -EINVAL;
		/* fall through - GMAC shares the authentication rule below */
	case OP_PCL_IPSEC_AES_CCM8:
	case OP_PCL_IPSEC_AES_CCM12:
	case OP_PCL_IPSEC_AES_CCM16:
	case OP_PCL_IPSEC_AES_GCM8:
	case OP_PCL_IPSEC_AES_GCM12:
	case OP_PCL_IPSEC_AES_GCM16:
		/* CCM, GCM, GMAC require PROTINFO[7:0] = 0 */
		return (auth == OP_PCL_IPSEC_HMAC_NULL) ? 0 : -EINVAL;
	case OP_PCL_IPSEC_NULL:
		if (rta_sec_era < RTA_SEC_ERA_2)
			return -EINVAL;
		/* fall through - then treated like the other ciphers */
	case OP_PCL_IPSEC_DES_IV64:
	case OP_PCL_IPSEC_DES:
	case OP_PCL_IPSEC_3DES:
	case OP_PCL_IPSEC_AES_CBC:
	case OP_PCL_IPSEC_AES_CTR:
		break;
	default:
		return -EINVAL;
	}

	/* The remaining ciphers may be paired with any listed authentication */
	switch (auth) {
	case OP_PCL_IPSEC_HMAC_NULL:
	case OP_PCL_IPSEC_HMAC_MD5_96:
	case OP_PCL_IPSEC_HMAC_SHA1_96:
	case OP_PCL_IPSEC_AES_XCBC_MAC_96:
	case OP_PCL_IPSEC_HMAC_MD5_128:
	case OP_PCL_IPSEC_HMAC_SHA1_160:
	case OP_PCL_IPSEC_AES_CMAC_96:
	case OP_PCL_IPSEC_HMAC_SHA2_256_128:
	case OP_PCL_IPSEC_HMAC_SHA2_384_192:
	case OP_PCL_IPSEC_HMAC_SHA2_512_256:
		return 0;
	default:
		return -EINVAL;
	}
}
261
/*
 * __rta_srtp_proto - validate the PROTINFO value of an SRTP operation
 * @protoinfo: cipher selector (OP_PCL_SRTP_CIPHER_MASK bits) combined with
 *             an authentication selector (OP_PCL_SRTP_AUTH_MASK bits)
 *
 * Exactly one pair is accepted: OP_PCL_SRTP_AES_CTR together with
 * OP_PCL_SRTP_HMAC_SHA1_160. Returns 0 for that pair, -EINVAL otherwise.
 */
static inline int
__rta_srtp_proto(uint16_t protoinfo)
{
	const uint16_t cipher = protoinfo & OP_PCL_SRTP_CIPHER_MASK;
	const uint16_t auth = protoinfo & OP_PCL_SRTP_AUTH_MASK;

	if (cipher == OP_PCL_SRTP_AES_CTR &&
	    auth == OP_PCL_SRTP_HMAC_SHA1_160)
		return 0;

	return -EINVAL;
}
279
/*
 * __rta_macsec_proto - validate the PROTINFO value of a MACsec operation
 * @protoinfo: value taken from the OPERATION command
 *
 * Returns 0 only for OP_PCL_MACSEC, -EINVAL for any other value.
 */
static inline int
__rta_macsec_proto(uint16_t protoinfo)
{
	return (protoinfo == OP_PCL_MACSEC) ? 0 : -EINVAL;
}
290
/*
 * __rta_wifi_proto - validate the PROTINFO value of a WiFi operation
 * @protoinfo: value taken from the OPERATION command
 *
 * Returns 0 only for OP_PCL_WIFI, -EINVAL for any other value.
 */
static inline int
__rta_wifi_proto(uint16_t protoinfo)
{
	return (protoinfo == OP_PCL_WIFI) ? 0 : -EINVAL;
}
301
/*
 * __rta_wimax_proto - validate the PROTINFO value of a WiMAX operation
 * @protoinfo: value taken from the OPERATION command
 *
 * Returns 0 for OP_PCL_WIMAX_OFDM and OP_PCL_WIMAX_OFDMA, -EINVAL otherwise.
 */
static inline int
__rta_wimax_proto(uint16_t protoinfo)
{
	if (protoinfo == OP_PCL_WIMAX_OFDM || protoinfo == OP_PCL_WIMAX_OFDMA)
		return 0;

	return -EINVAL;
}
313
/*
 * Allowed blob proto flags for each SEC Era.
 *
 * The table is indexed directly by the global rta_sec_era (see
 * __rta_blob_proto()), so it must hold one entry per supported Era and the
 * entries must stay in Era order. Any PROTINFO bit that is not set in the
 * selected entry causes the blob operation to be rejected.
 */
static const uint32_t proto_blob_flags[] = {
	/* index 0 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK,
	/* index 1 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK,
	/* index 2 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK,
	/* index 3 - OP_PCL_BLOB_SEC_MEM is allowed from here on */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM,
	/* index 4 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM,
	/* index 5 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM,
	/* index 6 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM,
	/* index 7 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM,
	/* index 8 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM,
	/* index 9 */
	OP_PCL_BLOB_FORMAT_MASK | OP_PCL_BLOB_BLACK | OP_PCL_BLOB_TKEK |
		OP_PCL_BLOB_EKT | OP_PCL_BLOB_REG_MASK | OP_PCL_BLOB_SEC_MEM
};
336
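/*
 * __rta_blob_proto - validate the PROTINFO value of a blob operation
 * @protoinfo: blob flags, format and register selector from the OPERATION
 *             command
 *
 * Returns 0 when every bit set in @protoinfo is allowed for the current SEC
 * Era, the format field holds a known value and the register field holds a
 * known selector; -EINVAL otherwise. OP_PCL_BLOB_AFHA_SBOX is refused when
 * rta_sec_era is below RTA_SEC_ERA_3.
 *
 * rta_sec_era is a global defined outside this header and is used as an
 * index into proto_blob_flags[]. Its valid range is not visible here, so the
 * index is checked against the table size first: an Era without a table
 * entry is rejected instead of reading past the end of the array and
 * validating against whatever happens to follow it.
 */
static inline int
__rta_blob_proto(uint16_t protoinfo)
{
	const unsigned int era_idx = (unsigned int)rta_sec_era;
	const unsigned int nr_eras =
		sizeof(proto_blob_flags) / sizeof(proto_blob_flags[0]);

	if (era_idx >= nr_eras)
		return -EINVAL;

	/* reject any flag the current Era does not know about */
	if (protoinfo & ~proto_blob_flags[era_idx])
		return -EINVAL;

	switch (protoinfo & OP_PCL_BLOB_FORMAT_MASK) {
	case OP_PCL_BLOB_FORMAT_NORMAL:
	case OP_PCL_BLOB_FORMAT_MASTER_VER:
	case OP_PCL_BLOB_FORMAT_TEST:
		break;
	default:
		return -EINVAL;
	}

	switch (protoinfo & OP_PCL_BLOB_REG_MASK) {
	case OP_PCL_BLOB_AFHA_SBOX:
		if (rta_sec_era < RTA_SEC_ERA_3)
			return -EINVAL;
		/* fall through */
	case OP_PCL_BLOB_REG_MEMORY:
	case OP_PCL_BLOB_REG_KEY1:
	case OP_PCL_BLOB_REG_KEY2:
	case OP_PCL_BLOB_REG_SPLIT:
	case OP_PCL_BLOB_REG_PKE:
		return 0;
	default:
		return -EINVAL;
	}
}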
367
/*
 * __rta_dlc_proto - validate the PROTINFO value of a discrete-log operation
 * @protoinfo: flags and hash selector from the OPERATION command
 *
 * proto_table[] uses this check for the key-pair, DSA sign/verify and
 * Diffie-Hellman protocol IDs.
 *
 * Returns -EINVAL when rta_sec_era is below RTA_SEC_ERA_2 and any of the
 * DSA_MSG, HASH_MASK, EKT_Z, DECRYPT_Z or DECRYPT_PRI bits is set, or when
 * the hash field does not hold one of the listed selectors; 0 otherwise.
 * OP_PCL_PKPROT_HASH_MD5 and OP_PCL_PKPROT_HASH_SHA1 are in the accepted
 * set.
 */
static inline int
__rta_dlc_proto(uint16_t protoinfo)
{
	const uint16_t era2_only_bits =
		OP_PCL_PKPROT_DSA_MSG | OP_PCL_PKPROT_HASH_MASK |
		OP_PCL_PKPROT_EKT_Z | OP_PCL_PKPROT_DECRYPT_Z |
		OP_PCL_PKPROT_DECRYPT_PRI;

	if (rta_sec_era < RTA_SEC_ERA_2 && (protoinfo & era2_only_bits))
		return -EINVAL;

	switch (protoinfo & OP_PCL_PKPROT_HASH_MASK) {
	case OP_PCL_PKPROT_HASH_MD5:
	case OP_PCL_PKPROT_HASH_SHA1:
	case OP_PCL_PKPROT_HASH_SHA224:
	case OP_PCL_PKPROT_HASH_SHA256:
	case OP_PCL_PKPROT_HASH_SHA384:
	case OP_PCL_PKPROT_HASH_SHA512:
		return 0;
	default:
		return -EINVAL;
	}
}
391
/*
 * __rta_rsa_enc_proto - validate the PROTINFO value of an RSA encrypt
 * operation
 * @protoinfo: operation selector (OP_PCL_RSAPROT_OP_MASK bits) combined with
 *             an FFF field (OP_PCL_RSAPROT_FFF_MASK bits)
 *
 * OP_PCL_RSAPROT_OP_ENC_F_IN is accepted only with OP_PCL_RSAPROT_FFF_RED;
 * OP_PCL_RSAPROT_OP_ENC_F_OUT is accepted with any of the five listed FFF
 * values. Every other combination returns -EINVAL.
 */
static inline int
__rta_rsa_enc_proto(uint16_t protoinfo)
{
	const uint16_t op = protoinfo & OP_PCL_RSAPROT_OP_MASK;
	const uint16_t fff = protoinfo & OP_PCL_RSAPROT_FFF_MASK;

	switch (op) {
	case OP_PCL_RSAPROT_OP_ENC_F_IN:
		return (fff == OP_PCL_RSAPROT_FFF_RED) ? 0 : -EINVAL;
	case OP_PCL_RSAPROT_OP_ENC_F_OUT:
		break;
	default:
		return -EINVAL;
	}

	/* only OP_PCL_RSAPROT_OP_ENC_F_OUT reaches this point */
	switch (fff) {
	case OP_PCL_RSAPROT_FFF_RED:
	case OP_PCL_RSAPROT_FFF_ENC:
	case OP_PCL_RSAPROT_FFF_EKT:
	case OP_PCL_RSAPROT_FFF_TK_ENC:
	case OP_PCL_RSAPROT_FFF_TK_EKT:
		return 0;
	default:
		return -EINVAL;
	}
}
419
/*
 * __rta_rsa_dec_proto - validate the PROTINFO value of an RSA decrypt
 * operation
 * @protoinfo: operation selector, PPP field, format flag and FFF field from
 *             the OPERATION command
 *
 * Three checks run in sequence; the first failure returns -EINVAL:
 *   1. the OP_PCL_RSAPROT_OP_MASK field holds one of the three DEC_*
 *      selectors;
 *   2. the OP_PCL_RSAPROT_PPP_MASK field holds one of the five listed values;
 *   3. only when OP_PCL_RSAPROT_FMT_PKCSV15 is set, the
 *      OP_PCL_RSAPROT_FFF_MASK field holds one of the five listed values.
 * Returns 0 when all applicable checks pass.
 */
static inline int
__rta_rsa_dec_proto(uint16_t protoinfo)
{
	switch (protoinfo & OP_PCL_RSAPROT_OP_MASK) {
	case OP_PCL_RSAPROT_OP_DEC_ND:
	case OP_PCL_RSAPROT_OP_DEC_PQD:
	case OP_PCL_RSAPROT_OP_DEC_PQDPDQC:
		break;
	default:
		return -EINVAL;
	}

	switch (protoinfo & OP_PCL_RSAPROT_PPP_MASK) {
	case OP_PCL_RSAPROT_PPP_RED:
	case OP_PCL_RSAPROT_PPP_ENC:
	case OP_PCL_RSAPROT_PPP_EKT:
	case OP_PCL_RSAPROT_PPP_TK_ENC:
	case OP_PCL_RSAPROT_PPP_TK_EKT:
		break;
	default:
		return -EINVAL;
	}

	/* the FFF field is inspected only when the PKCSV15 flag is set */
	if (!(protoinfo & OP_PCL_RSAPROT_FMT_PKCSV15))
		return 0;

	switch (protoinfo & OP_PCL_RSAPROT_FFF_MASK) {
	case OP_PCL_RSAPROT_FFF_RED:
	case OP_PCL_RSAPROT_FFF_ENC:
	case OP_PCL_RSAPROT_FFF_EKT:
	case OP_PCL_RSAPROT_FFF_TK_ENC:
	case OP_PCL_RSAPROT_FFF_TK_EKT:
		return 0;
	default:
		return -EINVAL;
	}
}
457
/*
 * DKP Protocol - Restrictions on key (SRC,DST) combinations.
 *
 * The row is the key source selector and the column is the key destination
 * selector, both as extracted from PROTINFO by __rta_dkp_proto(). A value of
 * 1 means the combination is allowed,
 * e.g. key_in_out[0][0] = 1 means (SRC=IMM,DST=IMM) is allowed.
 */
static const uint8_t key_in_out[4][4] = {
	{1, 0, 0, 0},	/* SRC 0 */
	{1, 1, 1, 1},	/* SRC 1 */
	{1, 0, 1, 0},	/* SRC 2 */
	{1, 0, 0, 1}	/* SRC 3 */
};
466
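/*
 * __rta_dkp_proto - validate the key (SRC,DST) pair of a DKP operation
 * @protoinfo: PROTINFO value holding the source and destination selectors
 *
 * Extracts both selectors and looks the pair up in key_in_out[][].
 * Returns 0 when the pair is allowed; logs an error and returns -EINVAL
 * otherwise.
 *
 * The masks and shifts are defined outside this header, so the width of the
 * extracted selectors is not visible here. Both indices are therefore
 * checked against the table dimensions before the lookup; a selector the
 * table has no row or column for is treated as an invalid pair rather than
 * indexing past the array.
 */
static inline int
__rta_dkp_proto(uint16_t protoinfo)
{
	const unsigned int nr_src = sizeof(key_in_out) / sizeof(key_in_out[0]);
	const unsigned int nr_dst =
		sizeof(key_in_out[0]) / sizeof(key_in_out[0][0]);
	unsigned int key_src =
		(protoinfo & OP_PCL_DKP_SRC_MASK) >> OP_PCL_DKP_SRC_SHIFT;
	unsigned int key_dst =
		(protoinfo & OP_PCL_DKP_DST_MASK) >> OP_PCL_DKP_DST_SHIFT;

	if (key_src >= nr_src || key_dst >= nr_dst ||
	    !key_in_out[key_src][key_dst]) {
		pr_err("PROTO_DESC: Invalid DKP key (SRC,DST)\n");
		return -EINVAL;
	}

	return 0;
}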
480
481
/*
 * __rta_3g_dcrc_proto - validate the PROTINFO value of a 3G DCRC operation
 * @protoinfo: value taken from the OPERATION command
 *
 * Always returns -EINVAL when rta_sec_era equals RTA_SEC_ERA_7. On any other
 * Era it returns 0 for OP_PCL_3G_DCRC_CRC7 and OP_PCL_3G_DCRC_CRC11 and
 * -EINVAL for everything else.
 */
static inline int
__rta_3g_dcrc_proto(uint16_t protoinfo)
{
	if (rta_sec_era == RTA_SEC_ERA_7)
		return -EINVAL;

	if (protoinfo == OP_PCL_3G_DCRC_CRC7 ||
	    protoinfo == OP_PCL_3G_DCRC_CRC11)
		return 0;

	return -EINVAL;
}
496
/*
 * __rta_3g_rlc_proto - validate the PROTINFO value of a 3G RLC operation
 * @protoinfo: value taken from the OPERATION command
 *
 * Always returns -EINVAL when rta_sec_era equals RTA_SEC_ERA_7. On any other
 * Era it returns 0 for the NULL, KASUMI and SNOW selectors and -EINVAL for
 * everything else.
 */
static inline int
__rta_3g_rlc_proto(uint16_t protoinfo)
{
	if (rta_sec_era == RTA_SEC_ERA_7)
		return -EINVAL;

	switch (protoinfo) {
	case OP_PCL_3G_RLC_NULL:
	case OP_PCL_3G_RLC_KASUMI:
	case OP_PCL_3G_RLC_SNOW:
		return 0;
	default:
		return -EINVAL;
	}
}
512
/*
 * __rta_lte_pdcp_proto - validate the PROTINFO value of an LTE PDCP operation
 * @protoinfo: algorithm selector taken from the OPERATION command
 *
 * Always returns -EINVAL when rta_sec_era equals RTA_SEC_ERA_7. Otherwise
 * OP_PCL_LTE_NULL, OP_PCL_LTE_SNOW and OP_PCL_LTE_AES are accepted on every
 * Era, and OP_PCL_LTE_ZUC is accepted only when rta_sec_era is at least
 * RTA_SEC_ERA_5. Any other value returns -EINVAL.
 */
static inline int
__rta_lte_pdcp_proto(uint16_t protoinfo)
{
	if (rta_sec_era == RTA_SEC_ERA_7)
		return -EINVAL;

	switch (protoinfo) {
	case OP_PCL_LTE_ZUC:
		/* ZUC needs Era 5 or later */
		return (rta_sec_era < RTA_SEC_ERA_5) ? -EINVAL : 0;
	case OP_PCL_LTE_NULL:
	case OP_PCL_LTE_SNOW:
	case OP_PCL_LTE_AES:
		return 0;
	default:
		return -EINVAL;
	}
}
531
/*
 * __rta_lte_pdcp_mixed_proto - validate the PROTINFO value of a mixed
 * LTE PDCP operation
 * @protoinfo: authentication selector (OP_PCL_LTE_MIXED_AUTH_MASK bits)
 *             combined with an encryption selector
 *             (OP_PCL_LTE_MIXED_ENC_MASK bits)
 *
 * Both fields are checked independently against NULL, SNOW, AES and ZUC, so
 * every pairing of listed selectors is accepted, including NULL for both.
 * Unlike __rta_lte_pdcp_proto() this check does not look at rta_sec_era.
 * Returns 0 when both fields are valid, -EINVAL otherwise.
 */
static inline int
__rta_lte_pdcp_mixed_proto(uint16_t protoinfo)
{
	switch (protoinfo & OP_PCL_LTE_MIXED_AUTH_MASK) {
	case OP_PCL_LTE_MIXED_AUTH_NULL:
	case OP_PCL_LTE_MIXED_AUTH_SNOW:
	case OP_PCL_LTE_MIXED_AUTH_AES:
	case OP_PCL_LTE_MIXED_AUTH_ZUC:
		break;
	default:
		return -EINVAL;
	}

	switch (protoinfo & OP_PCL_LTE_MIXED_ENC_MASK) {
	case OP_PCL_LTE_MIXED_ENC_NULL:
	case OP_PCL_LTE_MIXED_ENC_SNOW:
	case OP_PCL_LTE_MIXED_ENC_AES:
	case OP_PCL_LTE_MIXED_ENC_ZUC:
		return 0;
	default:
		return -EINVAL;
	}
}
555
/* One row of proto_table[]: ties an (optype, protid) pair to its checker. */
struct proto_map {
	/* operation type the row applies to, compared after masking */
	uint32_t optype;
	/* protocol identifier the row applies to */
	uint32_t protid;
	/* PROTINFO validator; returns 0 on success, negative on failure */
	int (*protoinfo_func)(uint16_t protoinfo);
};
561
/*
 * Supported (operation type, protocol ID) pairs and their PROTINFO checkers.
 *
 * Order matters: proto_table_sz[] stores, per SEC Era, how many leading
 * entries of this table are searched by rta_proto_operation(). New entries
 * must therefore be appended, and the numbered markers below must stay in
 * step with the counts in proto_table_sz[].
 */
static const struct proto_map proto_table[] = {
/*1*/	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_SSL30_PRF,	 __rta_ssl_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_TLS10_PRF,	 __rta_ssl_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_TLS11_PRF,	 __rta_ssl_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_TLS12_PRF,	 __rta_ssl_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DTLS_PRF,	 __rta_ssl_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_IKEV1_PRF,	 __rta_ike_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_IKEV2_PRF,	 __rta_ike_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_PUBLICKEYPAIR, __rta_dlc_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DSASIGN,	 __rta_dlc_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DSAVERIFY,	 __rta_dlc_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_IPSEC,	 __rta_ipsec_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_SRTP,		 __rta_srtp_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_SSL30,	 __rta_ssl_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_TLS10,	 __rta_ssl_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_TLS11,	 __rta_ssl_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_TLS12,	 __rta_ssl_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_DTLS,		 __rta_ssl_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_MACSEC,	 __rta_macsec_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_WIFI,		 __rta_wifi_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_WIMAX,	 __rta_wimax_proto},
/*21*/	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_BLOB,		 __rta_blob_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DIFFIEHELLMAN, __rta_dlc_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_RSAENCRYPT,	 __rta_rsa_enc_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_RSADECRYPT,	 __rta_rsa_dec_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_3G_DCRC,	 __rta_3g_dcrc_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_3G_RLC_PDU,	 __rta_3g_rlc_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_3G_RLC_SDU,	 __rta_3g_rlc_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_LTE_PDCP_USER, __rta_lte_pdcp_proto},
/*29*/	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_LTE_PDCP_CTRL, __rta_lte_pdcp_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DKP_MD5,	 __rta_dkp_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DKP_SHA1,	 __rta_dkp_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DKP_SHA224,	 __rta_dkp_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DKP_SHA256,	 __rta_dkp_proto},
	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DKP_SHA384,	 __rta_dkp_proto},
/*35*/	{OP_TYPE_UNI_PROTOCOL,   OP_PCLID_DKP_SHA512,	 __rta_dkp_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_PUBLICKEYPAIR, __rta_dlc_proto},
/*37*/	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_DSASIGN,	 __rta_dlc_proto},
/*38*/	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_LTE_PDCP_CTRL_MIXED,
	 __rta_lte_pdcp_mixed_proto},
	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_IPSEC_NEW,	 __rta_ipsec_proto},
/*40*/	{OP_TYPE_DECAP_PROTOCOL, OP_PCLID_LTE_PDCP_USER_RN,
	 __rta_lte_pdcp_mixed_proto},
};
606
/*
 * Allowed OPERATION protocols for each SEC Era.
 * Values represent the number of entries from proto_table[] that are
 * supported. The array is indexed by the global rta_sec_era in
 * rta_proto_operation(), and no value may exceed the number of entries in
 * proto_table[].
 */
static const unsigned int proto_table_sz[] = {
	21,
	29, 29, 29, 29,
	35,
	37,
	40, 40, 40
};
613
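/*
 * rta_proto_operation - validate and emit a protocol OPERATION command
 * @program: descriptor program being built
 * @optype: operation type bits
 * @protid: protocol identifier bits
 * @protoinfo: protocol-specific information bits
 *
 * Looks for an (optype, protid) entry among the proto_table[] rows enabled
 * for the current SEC Era, runs that entry's PROTINFO checker if it has one,
 * and on success writes opcode | optype | protid | protoinfo to the program.
 *
 * Returns the program counter at which the command starts on success. On
 * failure it records that counter in program->first_error_pc and returns a
 * negative errno value. current_instruction is advanced in both cases.
 *
 * Two table accesses are bounded here because the values that drive them
 * come from outside this function: rta_sec_era (a global defined elsewhere)
 * indexes proto_table_sz[], and the count read from it bounds the walk over
 * proto_table[], whose rows carry function pointers that get called. An Era
 * without a proto_table_sz[] entry is rejected, and the count is clamped to
 * the real size of proto_table[], so a stale or out-of-range value cannot
 * lead to reading - or calling through - memory past either table.
 */
static inline int
rta_proto_operation(struct program *program, uint32_t optype,
		    uint32_t protid, uint16_t protoinfo)
{
	const uint32_t opcode = CMD_OPERATION;
	const unsigned int start_pc = program->current_pc;
	const unsigned int era_idx = (unsigned int)rta_sec_era;
	const unsigned int nr_eras =
		sizeof(proto_table_sz) / sizeof(proto_table_sz[0]);
	const unsigned int nr_protos =
		sizeof(proto_table) / sizeof(proto_table[0]);
	/* clear last bit in optype to match also decap proto */
	const uint32_t optype_tmp = optype & (uint32_t)~(1 << OP_TYPE_SHIFT);
	unsigned int i, limit, found = 0;
	int ret = -EINVAL;

	if (era_idx >= nr_eras) {
		pr_err("PROTO_DESC: Unsupported SEC Era. SEC Program Line: %d\n",
		       program->current_pc);
		goto err;
	}

	limit = proto_table_sz[era_idx];
	if (limit > nr_protos)
		limit = nr_protos;

	for (i = 0; i < limit; i++) {
		if (proto_table[i].optype != optype_tmp ||
		    proto_table[i].protid != protid)
			continue;

		/* the first matching row decides; a NULL checker means
		 * there is nothing else to verify
		 */
		if (proto_table[i].protoinfo_func != NULL) {
			/* check protoinfo */
			ret = (*proto_table[i].protoinfo_func)(protoinfo);
			if (ret < 0) {
				pr_err("PROTO_DESC: Bad PROTO Type. SEC Program Line: %d\n",
				       program->current_pc);
				goto err;
			}
		}
		found = 1;
		break;
	}
	if (!found) {
		pr_err("PROTO_DESC: Operation Type Mismatch. SEC Program Line: %d\n",
		       program->current_pc);
		goto err;
	}

	/* the emitted word carries the caller's optype, not the masked copy */
	__rta_out32(program, opcode | optype | protid | protoinfo);
	program->current_instruction++;
	return (int)start_pc;

 err:
	program->first_error_pc = start_pc;
	program->current_instruction++;
	return ret;
}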
662
/*
 * rta_dkp_proto - emit a DKP (derived key) protocol OPERATION command
 * @program: descriptor program being built
 * @protid: DKP protocol identifier
 * @key_src: key source selector
 * @key_dst: key destination selector
 * @keylen: key length
 * @key: key value or address, interpreted according to @key_src
 * @key_type: how @key is to be inlined when the source is immediate
 *
 * Emits the OPERATION command through rta_proto_operation(), then the key
 * reference or immediate key data, and finally advances current_pc by the
 * number of extra words the derived key needs in the descriptor.
 *
 * Returns the program counter at which the command starts on success, or a
 * negative errno value on failure.
 *
 * Notes for callers:
 *  - @key_src, @key_dst and @keylen are masked with their OP_PCL_DKP_* masks
 *    before use; bits outside the masks are dropped without an error, so an
 *    oversized @keylen is silently shortened rather than rejected.
 *  - When the output would need fewer words than the input, -EINVAL is
 *    returned after the command word and key data have already been written
 *    to @program; the failure is recorded in first_error_pc only.
 */
static inline int
rta_dkp_proto(struct program *program, uint32_t protid,
	      uint16_t key_src, uint16_t key_dst,
	      uint16_t keylen, uint64_t key,
	      enum rta_data_type key_type)
{
	const unsigned int start_pc = program->current_pc;
	unsigned int in_words = 0;
	unsigned int out_words = 0;
	int ret;

	/* keep only the bits that belong to each PROTINFO field */
	key_src &= OP_PCL_DKP_SRC_MASK;
	key_dst &= OP_PCL_DKP_DST_MASK;
	keylen &= OP_PCL_DKP_KEY_MASK;

	ret = rta_proto_operation(program, OP_TYPE_UNI_PROTOCOL, protid,
				  key_src | key_dst | keylen);
	if (ret < 0)
		return ret;

	/* words taken by the input key that follows the command */
	if (key_src == OP_PCL_DKP_SRC_PTR || key_src == OP_PCL_DKP_SRC_SGF) {
		__rta_out64(program, program->ps, key);
		in_words = 1;
		if (program->ps)
			in_words = 2;
	} else if (key_src == OP_PCL_DKP_SRC_IMM) {
		__rta_inline_data(program, key, inline_flags(key_type), keylen);
		in_words = (unsigned int)((keylen + 3) / 4);
	}

	/* words the derived key will occupy */
	if (key_dst == OP_PCL_DKP_DST_PTR || key_dst == OP_PCL_DKP_DST_SGF)
		out_words = in_words;
	else if (key_dst == OP_PCL_DKP_DST_IMM)
		out_words = split_key_len(protid) / 4;

	if (in_words > out_words) {
		pr_err("PROTO_DESC: DKP doesn't currently support a smaller descriptor\n");
		program->first_error_pc = start_pc;
		return -EINVAL;
	}

	/* If needed, reserve space in resulting descriptor for derived key */
	program->current_pc += (out_words - in_words);

	return (int)start_pc;
}
709
710 #endif /* __RTA_PROTOCOL_CMD_H__ */
711