From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by dpdk.org (Postfix) with ESMTP id DFABF37AF for ; Tue, 30 Apr 2019 17:40:08 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3UFdikx010768; Tue, 30 Apr 2019 08:40:08 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=pfpt0818; bh=tapsU6u0kCFIdfA5o9s1Jcs0Wu3WM5oVNq7oexB+aDo=; b=w80H5ncsifXpQlCC29ndddUSnOCVO0qhhksGOTAZMiFOR3917SVXDXD7O5rRcO3HPpkO c3S1ljUS3Sjo6atbEJjcDA4p8sLUu9IdaY02k9y47AbHY6p+VmHNlPlqC3f1JXa6hyj+ bg1ik5vP69b3b0G3rnIDxUkyYhB1Okvxd++KyV0tSMWSHssg82YcdtUFAKIP+RkOZaRY lfzM1aGRjFzF2Cm30pUcHzu1e5J40D/qHhYeVfVLX9VjkXzAH9OQ1RU6l7UByzduoduM xr6A0d3VSRmau3nkSR1JPIwCZqmZNJDZ4WrASr8fEDSuhRo0n5AlQafH/HjLdvz/SI3w rg== Received: from sc-exch02.marvell.com ([199.233.58.182]) by mx0b-0016f401.pphosted.com with ESMTP id 2s68rt3ftf-17 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 30 Apr 2019 08:40:08 -0700 Received: from SC-EXCH02.marvell.com (10.93.176.82) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 30 Apr 2019 08:38:57 -0700 Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.36.50) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Tue, 30 Apr 2019 08:38:57 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.onmicrosoft.com; s=selector1-marvell-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tapsU6u0kCFIdfA5o9s1Jcs0Wu3WM5oVNq7oexB+aDo=; b=O8vy+SgF4SsYZf01OFDaPygZ4I344HLfyL/tbaU5L/0+JlQhyTP6poFjc+NXNRuDwB860xHa18xw+C/pWSYVeYdentMQVd8Z81nIIno5ikve8cE115cHRNI0Maalcf6B81rIesrvnovp2nyBOFA1dAkkAbj44SkfsO/a/B10DCk= Received: from BN8PR18MB2580.namprd18.prod.outlook.com (20.179.67.158) by BN8PR18MB2578.namprd18.prod.outlook.com (20.179.67.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1835.13; Tue, 30 Apr 2019 15:38:52 +0000 Received: from BN8PR18MB2580.namprd18.prod.outlook.com ([fe80::bc70:4829:b0d2:ba20]) by BN8PR18MB2580.namprd18.prod.outlook.com ([fe80::bc70:4829:b0d2:ba20%6]) with mapi id 15.20.1835.010; Tue, 30 Apr 2019 15:38:52 +0000 From: Lukas Bartosik To: "Ananyev, Konstantin" CC: "dev@dpdk.org" , Anoob Joseph Thread-Topic: [PATCH] ipsec: include high order bytes of esn in pkt len Thread-Index: AQHU/2TUHUWfnIXK1EmxywaUF5PLy6ZUzYKAgAAIL3Q= Date: Tue, 30 Apr 2019 15:38:52 +0000 Message-ID: References: <1556636155-26299-1-git-send-email-lbartosik@marvell.com>, <2601191342CEEE43887BDE71AB9772580148A9DA2D@irsmsx105.ger.corp.intel.com> In-Reply-To: <2601191342CEEE43887BDE71AB9772580148A9DA2D@irsmsx105.ger.corp.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [199.233.58.37] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: ff49bd8b-948b-4cbc-5250-08d6cd81f2b4 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:BN8PR18MB2578; x-ms-traffictypediagnostic: BN8PR18MB2578: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:8882; x-forefront-prvs: 00235A1EEF x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39860400002)(376002)(366004)(136003)(346002)(13464003)(189003)(199004)(236005)(66476007)(55016002)(107886003)(73956011)(9686003)(6506007)(64756008)(66556008)(256004)(66446008)(19627405001)(54896002)(53546011)(102836004)(76116006)(14454004)(66946007)(30864003)(478600001)(26005)(14444005)(91956017)(97736004)(86362001)(71200400001)(71190400001)(66066001)(229853002)(8936002)(186003)(486006)(33656002)(99286004)(25786009)(5660300002)(6606003)(11346002)(446003)(6916009)(4326008)(2906002)(6436002)(8676002)(81166006)(476003)(316002)(6246003)(53936002)(6116002)(3846002)(54906003)(7696005)(7736002)(74316002)(81156014)(68736007)(76176011)(52536014); DIR:OUT; SFP:1101; SCL:1; SRVR:BN8PR18MB2578; H:BN8PR18MB2580.namprd18.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: marvell.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: SkYhPBoLV7QLF643wRzR6YIWoGcUunWdZPH6eTix8XUx1mrTQZbp0ddi6zUVRz5B+0ln1J0ycCJNkvm4ALQO+wmpS24geFOcR1kcnh0Mfhg4x58y3evgiMrN3Qy3MYF8EK7tgAa/oGA6FS9aKsS5arUf02iYwirq3AHCqzmWWT8D2L+fJUQ+bAF2SJMpdir71/e75ufbZq9JVUG083JWTQBy2++/I4WFuVpXmmbzy9VNhiPXwTi3PUq6I/cfrEap/ZD35/bF8sl6XwXUizi7OnNwfpsmL0sHqddjEHMj0TmHy+RR6OJ/6WMbdeSzU6P7qYsdJvoD+rvpZUj7Hw7UwzUxayRlRdpn4A4zcM6LdY0QYvuFs81KlNtWAExuwtmC+SaWLfua8Zf1IkQDK9kOlcSyVYX/n8wzp+N5XjXVlXc= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: ff49bd8b-948b-4cbc-5250-08d6cd81f2b4 X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Apr 2019 15:38:52.4121 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 70e1fb47-1155-421d-87fc-2e58f638b6e0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR18MB2578 X-OriginatorOrg: marvell.com X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-30_08:, , signatures=0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.15 Subject: Re: [dpdk-dev] [PATCH] ipsec: include high order bytes of esn in pkt len X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 15:40:09 -0000 ________________________________ From: Ananyev, Konstantin Sent: Tuesday, April 30, 2019 5:05 PM To: Lukas Bartosik Cc: dev@dpdk.org; Anoob Joseph Subject: RE: [PATCH] ipsec: include high order bytes of esn in pkt len > -----Original Message----- > From: Lukasz Bartosik [mailto:lbartosik@marvell.com] > Sent: Tuesday, April 30, 2019 3:56 PM > To: Ananyev, Konstantin > Cc: dev@dpdk.org; anoobj@marvell.com; Lukasz Bartosik > Subject: [PATCH] ipsec: include high order bytes of esn in pkt len > > When esn is used then high-order 32 bits are included in ICV > calculation however are not transmitted. Update packet length > to be consistent with auth data offset and length before crypto > operation. High-order 32 bits of esn will be removed from packet > length in crypto post processing. Hi Lukasz, Why you want to do it? I deliberately didn't include SQH bits into the pkt_len/data_len, because it is a temporary data and we are going to drop it anyway. Konstantin Hi Konstantin, Our OcteonTx crypto driver validates pkt_len with auth data length/offset a= nd it complains because it is told to authenticate more data that a packet holds (according= to pkt_len). I came across this when running IPSec tests which use esn. I understand that sqh 32 bits are temporary and included only for ICV calcu= lation however not including them in pkt_len for crypto processing is inconsistent in my o= pinion. Thanks, Lukasz > > Change-Id: I5ba50e341059a8d6a5e4ce7c626dfe7b9173740b > Signed-off-by: Lukasz Bartosik > --- > lib/librte_ipsec/esp_inb.c | 56 +++++++++++++++++++++++++++++++++++++--= ------ > lib/librte_ipsec/esp_outb.c | 31 +++++++++++++++++++++++++ > lib/librte_ipsec/sa.c | 4 ++-- > lib/librte_ipsec/sa.h | 8 +++++++ > 4 files changed, 87 insertions(+), 12 deletions(-) > > diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c > index 4e0e12a..eb899e3 100644 > --- a/lib/librte_ipsec/esp_inb.c > +++ b/lib/librte_ipsec/esp_inb.c > @@ -16,7 +16,8 @@ > #include "pad.h" > > typedef uint16_t (*esp_inb_process_t)(const struct rte_ipsec_sa *sa, > - struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num)= ; > + struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, > + uint8_t is_inline); > > /* > * helper function to fill crypto_sym op for cipher+auth algorithms. > @@ -181,6 +182,15 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const= struct replay_sqn *rsn, > icv->va =3D rte_pktmbuf_mtod_offset(ml, void *, icv_ofs); > icv->pa =3D rte_pktmbuf_iova_offset(ml, icv_ofs); > > + /* > + * if esn is used then high-order 32 bits are also used in ICV > + * calculation but are not transmitted, update packet length > + * to be consistent with auth data length and offset, this will > + * be subtracted from packet length in post crypto processing > + */ > + mb->pkt_len +=3D sa->sqh_len; > + ml->data_len +=3D sa->sqh_len; > + > inb_pkt_xprepare(sa, sqn, icv); > return plen; > } > @@ -373,14 +383,20 @@ tun_process_step3(struct rte_mbuf *mb, uint64_t txo= f_msk, uint64_t txof_val) > */ > static inline uint16_t > tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], > - uint32_t sqn[], uint32_t dr[], uint16_t num) > + uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t is_inline) > { > uint32_t adj, i, k, tl; > uint32_t hl[num]; > struct esp_tail espt[num]; > struct rte_mbuf *ml[num]; > > - const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]); > + /* > + * remove high-order 32 bits of esn from packet length > + * which was added before crypto processing, this doesn't > + * apply to inline case > + */ > + const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]) + > + (is_inline ? 0 : sa->sqh_len); > const uint32_t cofs =3D sa->ctp.cipher.offset; > > /* > @@ -420,7 +436,7 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte= _mbuf *mb[], > */ > static inline uint16_t > trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], > - uint32_t sqn[], uint32_t dr[], uint16_t num) > + uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t is_inline) > { > char *np; > uint32_t i, k, l2, tl; > @@ -428,7 +444,13 @@ trs_process(const struct rte_ipsec_sa *sa, struct rt= e_mbuf *mb[], > struct esp_tail espt[num]; > struct rte_mbuf *ml[num]; > > - const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]); > + /* > + * remove high-order 32 bits of esn from packet length > + * which was added before crypto processing, this doesn't > + * apply to inline case > + */ > + const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]) + > + (is_inline ? 0 : sa->sqh_len); > const uint32_t cofs =3D sa->ctp.cipher.offset; > > /* > @@ -496,8 +518,8 @@ esp_inb_rsn_update(struct rte_ipsec_sa *sa, const uin= t32_t sqn[], > * process group of ESP inbound packets. > */ > static inline uint16_t > -esp_inb_pkt_process(const struct rte_ipsec_session *ss, > - struct rte_mbuf *mb[], uint16_t num, esp_inb_process_t process) > +esp_inb_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf = *mb[], > + uint16_t num, uint8_t is_inline, esp_inb_process_t process) > { > uint32_t k, n; > struct rte_ipsec_sa *sa; > @@ -507,7 +529,7 @@ esp_inb_pkt_process(const struct rte_ipsec_session *s= s, > sa =3D ss->sa; > > /* process packets, extract seq numbers */ > - k =3D process(sa, mb, sqn, dr, num); > + k =3D process(sa, mb, sqn, dr, num, is_inline); > > /* handle unprocessed mbufs */ > if (k !=3D num && k !=3D 0) > @@ -533,7 +555,14 @@ uint16_t > esp_inb_tun_pkt_process(const struct rte_ipsec_session *ss, > struct rte_mbuf *mb[], uint16_t num) > { > - return esp_inb_pkt_process(ss, mb, num, tun_process); > + return esp_inb_pkt_process(ss, mb, num, 0, tun_process); > +} > + > +uint16_t > +inline_inb_tun_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num) > +{ > + return esp_inb_pkt_process(ss, mb, num, 1, tun_process); > } > > /* > @@ -543,5 +572,12 @@ uint16_t > esp_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > struct rte_mbuf *mb[], uint16_t num) > { > - return esp_inb_pkt_process(ss, mb, num, trs_process); > + return esp_inb_pkt_process(ss, mb, num, 0, trs_process); > +} > + > +uint16_t > +inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num) > +{ > + return esp_inb_pkt_process(ss, mb, num, 1, trs_process); > } > diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c > index c798bc4..71a595e 100644 > --- a/lib/librte_ipsec/esp_outb.c > +++ b/lib/librte_ipsec/esp_outb.c > @@ -221,6 +221,7 @@ esp_outb_tun_prepare(const struct rte_ipsec_session *= ss, struct rte_mbuf *mb[], > uint32_t i, k, n; > uint64_t sqn; > rte_be64_t sqc; > + struct rte_mbuf *ml; > struct rte_ipsec_sa *sa; > struct rte_cryptodev_sym_session *cs; > union sym_op_data icv; > @@ -246,6 +247,19 @@ esp_outb_tun_prepare(const struct rte_ipsec_session = *ss, struct rte_mbuf *mb[], > > /* success, setup crypto op */ > if (rc >=3D 0) { > + /* > + * if esn is used then high-order 32 bits are also > + * used in ICV calculation but are not transmitted, > + * update packet length to be consistent with auth > + * data length and offset, this will be subtracted > + * from packet length in post crypto processing > + */ > + if (sa->sqh_len) { > + mb[i]->pkt_len +=3D sa->sqh_len; > + ml =3D rte_pktmbuf_lastseg(mb[i]); > + ml->data_len +=3D sa->sqh_len; > + } > + > outb_pkt_xprepare(sa, sqc, &icv); > lksd_none_cop_prepare(cop[k], cs, mb[i]); > outb_cop_prepare(cop[k], sa, iv, &icv, 0, rc); > @@ -356,6 +370,7 @@ esp_outb_trs_prepare(const struct rte_ipsec_session *= ss, struct rte_mbuf *mb[], > uint32_t i, k, n, l2, l3; > uint64_t sqn; > rte_be64_t sqc; > + struct rte_mbuf *ml; > struct rte_ipsec_sa *sa; > struct rte_cryptodev_sym_session *cs; > union sym_op_data icv; > @@ -384,6 +399,19 @@ esp_outb_trs_prepare(const struct rte_ipsec_session = *ss, struct rte_mbuf *mb[], > > /* success, setup crypto op */ > if (rc >=3D 0) { > + /* > + * if esn is used then high-order 32 bits are also > + * used in ICV calculation but are not transmitted, > + * update packet length to be consistent with auth > + * data length and offset, this will be subtracted > + * from packet length in post crypto processing > + */ > + if (sa->sqh_len) { > + mb[i]->pkt_len +=3D sa->sqh_len; > + ml =3D rte_pktmbuf_lastseg(mb[i]); > + ml->data_len +=3D sa->sqh_len; > + } > + > outb_pkt_xprepare(sa, sqc, &icv); > lksd_none_cop_prepare(cop[k], cs, mb[i]); > outb_cop_prepare(cop[k], sa, iv, &icv, l2 + l3, rc= ); > @@ -425,6 +453,9 @@ esp_outb_sqh_process(const struct rte_ipsec_session *= ss, struct rte_mbuf *mb[], > for (i =3D 0; i !=3D num; i++) { > if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) =3D=3D 0= ) { > ml =3D rte_pktmbuf_lastseg(mb[i]); > + /* remove high-order 32 bits of esn from packet len= */ > + mb[i]->pkt_len -=3D sa->sqh_len; > + ml->data_len -=3D sa->sqh_len; > icv =3D rte_pktmbuf_mtod_offset(ml, void *, > ml->data_len - icv_len); > remove_sqh(icv, icv_len); > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 846e317..ff01358 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -610,10 +610,10 @@ inline_crypto_pkt_func_select(const struct rte_ipse= c_sa *sa, > switch (sa->type & msk) { > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4): > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6): > - pf->process =3D esp_inb_tun_pkt_process; > + pf->process =3D inline_inb_tun_pkt_process; > break; > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS): > - pf->process =3D esp_inb_trs_pkt_process; > + pf->process =3D inline_inb_trs_pkt_process; > break; > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6): > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index ffb5fb4..20c0a65 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -143,9 +143,17 @@ esp_inb_tun_pkt_process(const struct rte_ipsec_sessi= on *ss, > struct rte_mbuf *mb[], uint16_t num); > > uint16_t > +inline_inb_tun_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num); > + > +uint16_t > esp_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > struct rte_mbuf *mb[], uint16_t num); > > +uint16_t > +inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num); > + > /* outbound processing */ > > uint16_t > -- > 2.7.4 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 44C23A0679 for ; Tue, 30 Apr 2019 17:40:11 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 0F87E4CC3; Tue, 30 Apr 2019 17:40:11 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by dpdk.org (Postfix) with ESMTP id DFABF37AF for ; Tue, 30 Apr 2019 17:40:08 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3UFdikx010768; Tue, 30 Apr 2019 08:40:08 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=pfpt0818; bh=tapsU6u0kCFIdfA5o9s1Jcs0Wu3WM5oVNq7oexB+aDo=; b=w80H5ncsifXpQlCC29ndddUSnOCVO0qhhksGOTAZMiFOR3917SVXDXD7O5rRcO3HPpkO c3S1ljUS3Sjo6atbEJjcDA4p8sLUu9IdaY02k9y47AbHY6p+VmHNlPlqC3f1JXa6hyj+ bg1ik5vP69b3b0G3rnIDxUkyYhB1Okvxd++KyV0tSMWSHssg82YcdtUFAKIP+RkOZaRY lfzM1aGRjFzF2Cm30pUcHzu1e5J40D/qHhYeVfVLX9VjkXzAH9OQ1RU6l7UByzduoduM xr6A0d3VSRmau3nkSR1JPIwCZqmZNJDZ4WrASr8fEDSuhRo0n5AlQafH/HjLdvz/SI3w rg== Received: from sc-exch02.marvell.com ([199.233.58.182]) by mx0b-0016f401.pphosted.com with ESMTP id 2s68rt3ftf-17 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 30 Apr 2019 08:40:08 -0700 Received: from SC-EXCH02.marvell.com (10.93.176.82) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 30 Apr 2019 08:38:57 -0700 Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.36.50) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Tue, 30 Apr 2019 08:38:57 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.onmicrosoft.com; s=selector1-marvell-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tapsU6u0kCFIdfA5o9s1Jcs0Wu3WM5oVNq7oexB+aDo=; b=O8vy+SgF4SsYZf01OFDaPygZ4I344HLfyL/tbaU5L/0+JlQhyTP6poFjc+NXNRuDwB860xHa18xw+C/pWSYVeYdentMQVd8Z81nIIno5ikve8cE115cHRNI0Maalcf6B81rIesrvnovp2nyBOFA1dAkkAbj44SkfsO/a/B10DCk= Received: from BN8PR18MB2580.namprd18.prod.outlook.com (20.179.67.158) by BN8PR18MB2578.namprd18.prod.outlook.com (20.179.67.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1835.13; Tue, 30 Apr 2019 15:38:52 +0000 Received: from BN8PR18MB2580.namprd18.prod.outlook.com ([fe80::bc70:4829:b0d2:ba20]) by BN8PR18MB2580.namprd18.prod.outlook.com ([fe80::bc70:4829:b0d2:ba20%6]) with mapi id 15.20.1835.010; Tue, 30 Apr 2019 15:38:52 +0000 From: Lukas Bartosik To: "Ananyev, Konstantin" CC: "dev@dpdk.org" , Anoob Joseph Thread-Topic: [PATCH] ipsec: include high order bytes of esn in pkt len Thread-Index: AQHU/2TUHUWfnIXK1EmxywaUF5PLy6ZUzYKAgAAIL3Q= Date: Tue, 30 Apr 2019 15:38:52 +0000 Message-ID: References: <1556636155-26299-1-git-send-email-lbartosik@marvell.com>, <2601191342CEEE43887BDE71AB9772580148A9DA2D@irsmsx105.ger.corp.intel.com> In-Reply-To: <2601191342CEEE43887BDE71AB9772580148A9DA2D@irsmsx105.ger.corp.intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [199.233.58.37] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: ff49bd8b-948b-4cbc-5250-08d6cd81f2b4 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:BN8PR18MB2578; x-ms-traffictypediagnostic: BN8PR18MB2578: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:8882; x-forefront-prvs: 00235A1EEF x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39860400002)(376002)(366004)(136003)(346002)(13464003)(189003)(199004)(236005)(66476007)(55016002)(107886003)(73956011)(9686003)(6506007)(64756008)(66556008)(256004)(66446008)(19627405001)(54896002)(53546011)(102836004)(76116006)(14454004)(66946007)(30864003)(478600001)(26005)(14444005)(91956017)(97736004)(86362001)(71200400001)(71190400001)(66066001)(229853002)(8936002)(186003)(486006)(33656002)(99286004)(25786009)(5660300002)(6606003)(11346002)(446003)(6916009)(4326008)(2906002)(6436002)(8676002)(81166006)(476003)(316002)(6246003)(53936002)(6116002)(3846002)(54906003)(7696005)(7736002)(74316002)(81156014)(68736007)(76176011)(52536014); DIR:OUT; SFP:1101; SCL:1; SRVR:BN8PR18MB2578; H:BN8PR18MB2580.namprd18.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: marvell.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: SkYhPBoLV7QLF643wRzR6YIWoGcUunWdZPH6eTix8XUx1mrTQZbp0ddi6zUVRz5B+0ln1J0ycCJNkvm4ALQO+wmpS24geFOcR1kcnh0Mfhg4x58y3evgiMrN3Qy3MYF8EK7tgAa/oGA6FS9aKsS5arUf02iYwirq3AHCqzmWWT8D2L+fJUQ+bAF2SJMpdir71/e75ufbZq9JVUG083JWTQBy2++/I4WFuVpXmmbzy9VNhiPXwTi3PUq6I/cfrEap/ZD35/bF8sl6XwXUizi7OnNwfpsmL0sHqddjEHMj0TmHy+RR6OJ/6WMbdeSzU6P7qYsdJvoD+rvpZUj7Hw7UwzUxayRlRdpn4A4zcM6LdY0QYvuFs81KlNtWAExuwtmC+SaWLfua8Zf1IkQDK9kOlcSyVYX/n8wzp+N5XjXVlXc= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: ff49bd8b-948b-4cbc-5250-08d6cd81f2b4 X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Apr 2019 15:38:52.4121 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 70e1fb47-1155-421d-87fc-2e58f638b6e0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR18MB2578 X-OriginatorOrg: marvell.com X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-30_08:, , signatures=0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.15 Subject: Re: [dpdk-dev] [PATCH] ipsec: include high order bytes of esn in pkt len X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Message-ID: <20190430153852.F7AYvp6Q0A8bErzUF7pDF1UctKILaZYeaKLTCFtK53E@z> ________________________________ From: Ananyev, Konstantin Sent: Tuesday, April 30, 2019 5:05 PM To: Lukas Bartosik Cc: dev@dpdk.org; Anoob Joseph Subject: RE: [PATCH] ipsec: include high order bytes of esn in pkt len > -----Original Message----- > From: Lukasz Bartosik [mailto:lbartosik@marvell.com] > Sent: Tuesday, April 30, 2019 3:56 PM > To: Ananyev, Konstantin > Cc: dev@dpdk.org; anoobj@marvell.com; Lukasz Bartosik > Subject: [PATCH] ipsec: include high order bytes of esn in pkt len > > When esn is used then high-order 32 bits are included in ICV > calculation however are not transmitted. Update packet length > to be consistent with auth data offset and length before crypto > operation. High-order 32 bits of esn will be removed from packet > length in crypto post processing. Hi Lukasz, Why you want to do it? I deliberately didn't include SQH bits into the pkt_len/data_len, because it is a temporary data and we are going to drop it anyway. Konstantin Hi Konstantin, Our OcteonTx crypto driver validates pkt_len with auth data length/offset a= nd it complains because it is told to authenticate more data that a packet holds (according= to pkt_len). I came across this when running IPSec tests which use esn. I understand that sqh 32 bits are temporary and included only for ICV calcu= lation however not including them in pkt_len for crypto processing is inconsistent in my o= pinion. Thanks, Lukasz > > Change-Id: I5ba50e341059a8d6a5e4ce7c626dfe7b9173740b > Signed-off-by: Lukasz Bartosik > --- > lib/librte_ipsec/esp_inb.c | 56 +++++++++++++++++++++++++++++++++++++--= ------ > lib/librte_ipsec/esp_outb.c | 31 +++++++++++++++++++++++++ > lib/librte_ipsec/sa.c | 4 ++-- > lib/librte_ipsec/sa.h | 8 +++++++ > 4 files changed, 87 insertions(+), 12 deletions(-) > > diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c > index 4e0e12a..eb899e3 100644 > --- a/lib/librte_ipsec/esp_inb.c > +++ b/lib/librte_ipsec/esp_inb.c > @@ -16,7 +16,8 @@ > #include "pad.h" > > typedef uint16_t (*esp_inb_process_t)(const struct rte_ipsec_sa *sa, > - struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num)= ; > + struct rte_mbuf *mb[], uint32_t sqn[], uint32_t dr[], uint16_t num, > + uint8_t is_inline); > > /* > * helper function to fill crypto_sym op for cipher+auth algorithms. > @@ -181,6 +182,15 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const= struct replay_sqn *rsn, > icv->va =3D rte_pktmbuf_mtod_offset(ml, void *, icv_ofs); > icv->pa =3D rte_pktmbuf_iova_offset(ml, icv_ofs); > > + /* > + * if esn is used then high-order 32 bits are also used in ICV > + * calculation but are not transmitted, update packet length > + * to be consistent with auth data length and offset, this will > + * be subtracted from packet length in post crypto processing > + */ > + mb->pkt_len +=3D sa->sqh_len; > + ml->data_len +=3D sa->sqh_len; > + > inb_pkt_xprepare(sa, sqn, icv); > return plen; > } > @@ -373,14 +383,20 @@ tun_process_step3(struct rte_mbuf *mb, uint64_t txo= f_msk, uint64_t txof_val) > */ > static inline uint16_t > tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], > - uint32_t sqn[], uint32_t dr[], uint16_t num) > + uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t is_inline) > { > uint32_t adj, i, k, tl; > uint32_t hl[num]; > struct esp_tail espt[num]; > struct rte_mbuf *ml[num]; > > - const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]); > + /* > + * remove high-order 32 bits of esn from packet length > + * which was added before crypto processing, this doesn't > + * apply to inline case > + */ > + const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]) + > + (is_inline ? 0 : sa->sqh_len); > const uint32_t cofs =3D sa->ctp.cipher.offset; > > /* > @@ -420,7 +436,7 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte= _mbuf *mb[], > */ > static inline uint16_t > trs_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], > - uint32_t sqn[], uint32_t dr[], uint16_t num) > + uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t is_inline) > { > char *np; > uint32_t i, k, l2, tl; > @@ -428,7 +444,13 @@ trs_process(const struct rte_ipsec_sa *sa, struct rt= e_mbuf *mb[], > struct esp_tail espt[num]; > struct rte_mbuf *ml[num]; > > - const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]); > + /* > + * remove high-order 32 bits of esn from packet length > + * which was added before crypto processing, this doesn't > + * apply to inline case > + */ > + const uint32_t tlen =3D sa->icv_len + sizeof(espt[0]) + > + (is_inline ? 0 : sa->sqh_len); > const uint32_t cofs =3D sa->ctp.cipher.offset; > > /* > @@ -496,8 +518,8 @@ esp_inb_rsn_update(struct rte_ipsec_sa *sa, const uin= t32_t sqn[], > * process group of ESP inbound packets. > */ > static inline uint16_t > -esp_inb_pkt_process(const struct rte_ipsec_session *ss, > - struct rte_mbuf *mb[], uint16_t num, esp_inb_process_t process) > +esp_inb_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf = *mb[], > + uint16_t num, uint8_t is_inline, esp_inb_process_t process) > { > uint32_t k, n; > struct rte_ipsec_sa *sa; > @@ -507,7 +529,7 @@ esp_inb_pkt_process(const struct rte_ipsec_session *s= s, > sa =3D ss->sa; > > /* process packets, extract seq numbers */ > - k =3D process(sa, mb, sqn, dr, num); > + k =3D process(sa, mb, sqn, dr, num, is_inline); > > /* handle unprocessed mbufs */ > if (k !=3D num && k !=3D 0) > @@ -533,7 +555,14 @@ uint16_t > esp_inb_tun_pkt_process(const struct rte_ipsec_session *ss, > struct rte_mbuf *mb[], uint16_t num) > { > - return esp_inb_pkt_process(ss, mb, num, tun_process); > + return esp_inb_pkt_process(ss, mb, num, 0, tun_process); > +} > + > +uint16_t > +inline_inb_tun_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num) > +{ > + return esp_inb_pkt_process(ss, mb, num, 1, tun_process); > } > > /* > @@ -543,5 +572,12 @@ uint16_t > esp_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > struct rte_mbuf *mb[], uint16_t num) > { > - return esp_inb_pkt_process(ss, mb, num, trs_process); > + return esp_inb_pkt_process(ss, mb, num, 0, trs_process); > +} > + > +uint16_t > +inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num) > +{ > + return esp_inb_pkt_process(ss, mb, num, 1, trs_process); > } > diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c > index c798bc4..71a595e 100644 > --- a/lib/librte_ipsec/esp_outb.c > +++ b/lib/librte_ipsec/esp_outb.c > @@ -221,6 +221,7 @@ esp_outb_tun_prepare(const struct rte_ipsec_session *= ss, struct rte_mbuf *mb[], > uint32_t i, k, n; > uint64_t sqn; > rte_be64_t sqc; > + struct rte_mbuf *ml; > struct rte_ipsec_sa *sa; > struct rte_cryptodev_sym_session *cs; > union sym_op_data icv; > @@ -246,6 +247,19 @@ esp_outb_tun_prepare(const struct rte_ipsec_session = *ss, struct rte_mbuf *mb[], > > /* success, setup crypto op */ > if (rc >=3D 0) { > + /* > + * if esn is used then high-order 32 bits are also > + * used in ICV calculation but are not transmitted, > + * update packet length to be consistent with auth > + * data length and offset, this will be subtracted > + * from packet length in post crypto processing > + */ > + if (sa->sqh_len) { > + mb[i]->pkt_len +=3D sa->sqh_len; > + ml =3D rte_pktmbuf_lastseg(mb[i]); > + ml->data_len +=3D sa->sqh_len; > + } > + > outb_pkt_xprepare(sa, sqc, &icv); > lksd_none_cop_prepare(cop[k], cs, mb[i]); > outb_cop_prepare(cop[k], sa, iv, &icv, 0, rc); > @@ -356,6 +370,7 @@ esp_outb_trs_prepare(const struct rte_ipsec_session *= ss, struct rte_mbuf *mb[], > uint32_t i, k, n, l2, l3; > uint64_t sqn; > rte_be64_t sqc; > + struct rte_mbuf *ml; > struct rte_ipsec_sa *sa; > struct rte_cryptodev_sym_session *cs; > union sym_op_data icv; > @@ -384,6 +399,19 @@ esp_outb_trs_prepare(const struct rte_ipsec_session = *ss, struct rte_mbuf *mb[], > > /* success, setup crypto op */ > if (rc >=3D 0) { > + /* > + * if esn is used then high-order 32 bits are also > + * used in ICV calculation but are not transmitted, > + * update packet length to be consistent with auth > + * data length and offset, this will be subtracted > + * from packet length in post crypto processing > + */ > + if (sa->sqh_len) { > + mb[i]->pkt_len +=3D sa->sqh_len; > + ml =3D rte_pktmbuf_lastseg(mb[i]); > + ml->data_len +=3D sa->sqh_len; > + } > + > outb_pkt_xprepare(sa, sqc, &icv); > lksd_none_cop_prepare(cop[k], cs, mb[i]); > outb_cop_prepare(cop[k], sa, iv, &icv, l2 + l3, rc= ); > @@ -425,6 +453,9 @@ esp_outb_sqh_process(const struct rte_ipsec_session *= ss, struct rte_mbuf *mb[], > for (i =3D 0; i !=3D num; i++) { > if ((mb[i]->ol_flags & PKT_RX_SEC_OFFLOAD_FAILED) =3D=3D 0= ) { > ml =3D rte_pktmbuf_lastseg(mb[i]); > + /* remove high-order 32 bits of esn from packet len= */ > + mb[i]->pkt_len -=3D sa->sqh_len; > + ml->data_len -=3D sa->sqh_len; > icv =3D rte_pktmbuf_mtod_offset(ml, void *, > ml->data_len - icv_len); > remove_sqh(icv, icv_len); > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 846e317..ff01358 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -610,10 +610,10 @@ inline_crypto_pkt_func_select(const struct rte_ipse= c_sa *sa, > switch (sa->type & msk) { > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV4): > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TUNLV6): > - pf->process =3D esp_inb_tun_pkt_process; > + pf->process =3D inline_inb_tun_pkt_process; > break; > case (RTE_IPSEC_SATP_DIR_IB | RTE_IPSEC_SATP_MODE_TRANS): > - pf->process =3D esp_inb_trs_pkt_process; > + pf->process =3D inline_inb_trs_pkt_process; > break; > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV4): > case (RTE_IPSEC_SATP_DIR_OB | RTE_IPSEC_SATP_MODE_TUNLV6): > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index ffb5fb4..20c0a65 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -143,9 +143,17 @@ esp_inb_tun_pkt_process(const struct rte_ipsec_sessi= on *ss, > struct rte_mbuf *mb[], uint16_t num); > > uint16_t > +inline_inb_tun_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num); > + > +uint16_t > esp_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > struct rte_mbuf *mb[], uint16_t num); > > +uint16_t > +inline_inb_trs_pkt_process(const struct rte_ipsec_session *ss, > + struct rte_mbuf *mb[], uint16_t num); > + > /* outbound processing */ > > uint16_t > -- > 2.7.4