From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id BB0A5A0096 for ; Wed, 8 May 2019 13:12:46 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 9A538378B; Wed, 8 May 2019 13:12:46 +0200 (CEST) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by dpdk.org (Postfix) with ESMTP id BD5A2378B for ; Wed, 8 May 2019 13:12:44 +0200 (CEST) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 239A330992AA; Wed, 8 May 2019 11:12:44 +0000 (UTC) Received: from rh.redhat.com (ovpn-117-210.ams2.redhat.com [10.36.117.210]) by smtp.corp.redhat.com (Postfix) with ESMTP id 873501A267; Wed, 8 May 2019 11:12:41 +0000 (UTC) From: Kevin Traynor To: Konstantin Ananyev Cc: Fan Zhang , Akhil Goyal , dpdk stable Date: Wed, 8 May 2019 12:12:35 +0100 Message-Id: <20190508111235.746-1-ktraynor@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Wed, 08 May 2019 11:12:44 +0000 (UTC) Subject: [dpdk-stable] patch 'examples/ipsec-secgw: fix SPD no-match case' has been queued to LTS release 18.11.2 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" Hi Konstantin, I could rebase this patch but there is a lot of new code in master now, so can you check the diff and ack if it looks ok or if not, send a backport for 18.11 branch, or let me know it's not needed on stable. This queued commit can be viewed at: https://github.com/kevintraynor/dpdk-stable-queue/commit/25df4326290ef72eb23d74c121a947c911376380 Thanks. Kevin Traynor --- >From 25df4326290ef72eb23d74c121a947c911376380 Mon Sep 17 00:00:00 2001 From: Konstantin Ananyev Date: Thu, 4 Apr 2019 13:13:26 +0100 Subject: [PATCH] examples/ipsec-secgw: fix SPD no-match case [ upstream commit 49757b6845835394d1a9a6efad9356a6da58fd85 ] acl_classify() returns zero value when no matching rule was found. Currently ipsec-secgw treats it as a valid SPI value, though it has to discard such packets. Error could be easily observed by sending outbound unmatched packets, user will see something like that in the log: IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 To fix it we need to treat packets with zero result from acl_classify() as invalid ones. Also we can change DISCARD and BYPASS values to simplify checks and save some extra space for valid SPI values. To summarize the approach: 1. have special SPI values for DISCARD and BYPASS. 2. store in SPD full SPI value. 3. after acl_classify(), first check SPI value for DISCARD and BYPASS, then convert it in SA index. 4. add check at initilisation time that for each SPD rule there is a corresponding SA entry (with the same SPI). Also marked few global variables as *static*. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value") Signed-off-by: Konstantin Ananyev Acked-by: Fan Zhang Acked-by: Akhil Goyal --- examples/ipsec-secgw/ipsec-secgw.c | 20 ++++++------- examples/ipsec-secgw/ipsec.h | 14 ++++++--- examples/ipsec-secgw/sa.c | 35 ++++++++++++++++++---- examples/ipsec-secgw/sp4.c | 47 ++++++++++++++++++++++++++++-- examples/ipsec-secgw/sp6.c | 47 ++++++++++++++++++++++++++++-- 5 files changed, 139 insertions(+), 24 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index 84fd4de12..dfb93375a 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -427,9 +427,9 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, m = ip->pkts[i]; res = ip->res[i]; - if (res & BYPASS) { + if (res == BYPASS) { ip->pkts[j++] = m; continue; } - if (res & DISCARD) { + if (res == DISCARD) { rte_pktmbuf_free(m); continue; @@ -442,7 +442,6 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, } - sa_idx = ip->res[i] & PROTECT_MASK; - if (sa_idx >= IPSEC_SA_MAX_ENTRIES || - !inbound_sa_check(sa, m, sa_idx)) { + sa_idx = SPI2IDX(res); + if (!inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); continue; @@ -525,14 +524,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; - sa_idx = ip->res[i] & PROTECT_MASK; - if (ip->res[i] & DISCARD) + sa_idx = SPI2IDX(ip->res[i]); + if (ip->res[i] == DISCARD) rte_pktmbuf_free(m); - else if (ip->res[i] & BYPASS) + else if (ip->res[i] == BYPASS) ip->pkts[j++] = m; - else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { + else { ipsec->res[ipsec->num] = sa_idx; ipsec->pkts[ipsec->num++] = m; - } else /* invalid SA idx */ - rte_pktmbuf_free(m); + } } ip->num = j; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 508d87af3..86d8f7df4 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -41,8 +41,6 @@ #define INVALID_SPI (0) -#define DISCARD (0x80000000) -#define BYPASS (0x40000000) -#define PROTECT_MASK (0x3fffffff) -#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ +#define DISCARD INVALID_SPI +#define BYPASS UINT32_MAX #define IPSEC_XFORM_MAX 2 @@ -242,4 +240,12 @@ void sp6_init(struct socket_ctx *ctx, int32_t socket_id); +/* + * Search through SA entries for given SPI. + * Returns first entry index if found(greater or equal then zero), + * or -ENOENT otherwise. + */ +int +sa_spi_present(uint32_t spi, int inbound); + void sa_init(struct socket_ctx *ctx, int32_t socket_id); diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index cd4f369f3..f7b6eb0bb 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -126,9 +126,9 @@ const struct supported_aead_algo aead_algos[] = { }; -struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; -uint32_t nb_sa_out; +static struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; +static uint32_t nb_sa_out; -struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; -uint32_t nb_sa_in; +static struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; +static uint32_t nb_sa_in; static const struct supported_cipher_algo * @@ -631,5 +631,5 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, } -static inline void +static void print_one_sa_rule(const struct ipsec_sa *sa, int inbound) { @@ -917,4 +917,29 @@ sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } +/* + * Walk through all SA rules to find an SA with given SPI + */ +int +sa_spi_present(uint32_t spi, int inbound) +{ + uint32_t i, num; + const struct ipsec_sa *sar; + + if (inbound != 0) { + sar = sa_in; + num = nb_sa_in; + } else { + sar = sa_out; + num = nb_sa_out; + } + + for (i = 0; i != num; i++) { + if (sar[i].spi == spi) + return i; + } + + return -ENOENT; +} + void sa_init(struct socket_ctx *ctx, int32_t socket_id) diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c index 6b05daaa9..99362a684 100644 --- a/examples/ipsec-secgw/sp4.c +++ b/examples/ipsec-secgw/sp4.c @@ -100,4 +100,5 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; @@ -170,6 +171,10 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, return; - rule_ipv4->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv4->data.userdata = tv; protect_p = 1; @@ -473,4 +478,34 @@ acl4_init(const char *name, int32_t socketid, const struct acl4_rules *rules, } +/* + * check that for each rule it's SPI has a correspondent entry in SAD + */ +static int +check_spi_value(int inbound) +{ + uint32_t i, num, spi; + const struct acl4_rules *acr; + + if (inbound != 0) { + acr = acl4_rules_in; + num = nb_acl4_rules_in; + } else { + acr = acl4_rules_out; + num = nb_acl4_rules_out; + } + + for (i = 0; i != num; i++) { + spi = acr[i].data.userdata; + if (spi != DISCARD && spi != BYPASS && + sa_spi_present(spi, inbound) < 0) { + RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n", + spi); + return -ENOENT; + } + } + + return 0; +} + void sp4_init(struct socket_ctx *ctx, int32_t socket_id) @@ -489,4 +524,12 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id) "initialized\n", socket_id); + if (check_spi_value(1) < 0) + rte_exit(EXIT_FAILURE, + "Inbound IPv4 SP DB has unmatched in SAD SPIs\n"); + + if (check_spi_value(0) < 0) + rte_exit(EXIT_FAILURE, + "Outbound IPv4 SP DB has unmatched in SAD SPIs\n"); + if (nb_acl4_rules_in > 0) { name = "sp_ip4_in"; diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c index dc5b94c6a..bfcabf39c 100644 --- a/examples/ipsec-secgw/sp6.c +++ b/examples/ipsec-secgw/sp6.c @@ -131,4 +131,5 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; @@ -203,6 +204,10 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, return; - rule_ipv6->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv6->data.userdata = tv; protect_p = 1; @@ -587,4 +592,34 @@ acl6_init(const char *name, int32_t socketid, const struct acl6_rules *rules, } +/* + * check that for each rule it's SPI has a correspondent entry in SAD + */ +static int +check_spi_value(int inbound) +{ + uint32_t i, num, spi; + const struct acl6_rules *acr; + + if (inbound != 0) { + acr = acl6_rules_in; + num = nb_acl6_rules_in; + } else { + acr = acl6_rules_out; + num = nb_acl6_rules_out; + } + + for (i = 0; i != num; i++) { + spi = acr[i].data.userdata; + if (spi != DISCARD && spi != BYPASS && + sa_spi_present(spi, inbound) < 0) { + RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n", + spi); + return -ENOENT; + } + } + + return 0; +} + void sp6_init(struct socket_ctx *ctx, int32_t socket_id) @@ -603,4 +638,12 @@ sp6_init(struct socket_ctx *ctx, int32_t socket_id) "already initialized\n", socket_id); + if (check_spi_value(1) < 0) + rte_exit(EXIT_FAILURE, + "Inbound IPv6 SP DB has unmatched in SAD SPIs\n"); + + if (check_spi_value(0) < 0) + rte_exit(EXIT_FAILURE, + "Outbound IPv6 SP DB has unmatched in SAD SPIs\n"); + if (nb_acl6_rules_in > 0) { name = "sp_ip6_in"; -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2019-05-08 11:56:59.988734912 +0100 +++ 0001-examples-ipsec-secgw-fix-SPD-no-match-case.patch 2019-05-08 11:56:59.945803452 +0100 @@ -1 +1 @@ -From 49757b6845835394d1a9a6efad9356a6da58fd85 Mon Sep 17 00:00:00 2001 +From 25df4326290ef72eb23d74c121a947c911376380 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 49757b6845835394d1a9a6efad9356a6da58fd85 ] + @@ -28 +29,0 @@ -Cc: stable@dpdk.org @@ -34 +35 @@ - examples/ipsec-secgw/ipsec-secgw.c | 20 ++++++------ + examples/ipsec-secgw/ipsec-secgw.c | 20 ++++++------- @@ -36,4 +37,4 @@ - examples/ipsec-secgw/sa.c | 35 ++++++++++++++++++--- - examples/ipsec-secgw/sp4.c | 49 ++++++++++++++++++++++++++++-- - examples/ipsec-secgw/sp6.c | 49 ++++++++++++++++++++++++++++-- - 5 files changed, 141 insertions(+), 26 deletions(-) + examples/ipsec-secgw/sa.c | 35 ++++++++++++++++++---- + examples/ipsec-secgw/sp4.c | 47 ++++++++++++++++++++++++++++-- + examples/ipsec-secgw/sp6.c | 47 ++++++++++++++++++++++++++++-- + 5 files changed, 139 insertions(+), 24 deletions(-) @@ -42 +43 @@ -index ffbd00b08..2e203393d 100644 +index 84fd4de12..dfb93375a 100644 @@ -45 +46 @@ -@@ -439,9 +439,9 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, +@@ -427,9 +427,9 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, @@ -57 +58 @@ -@@ -454,7 +454,6 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, +@@ -442,7 +442,6 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, @@ -67 +68 @@ -@@ -542,14 +541,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, +@@ -525,14 +524,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, @@ -88 +89 @@ -index 99f49d65f..589398f6f 100644 +index 508d87af3..86d8f7df4 100644 @@ -91 +92 @@ -@@ -42,8 +42,6 @@ +@@ -41,8 +41,6 @@ @@ -102,2 +103,2 @@ -@@ -290,4 +288,12 @@ int - sp6_spi_present(uint32_t spi, int inbound); +@@ -242,4 +240,12 @@ void + sp6_init(struct socket_ctx *ctx, int32_t socket_id); @@ -116 +117 @@ -index a7298a30c..b850e9839 100644 +index cd4f369f3..f7b6eb0bb 100644 @@ -119 +120 @@ -@@ -127,9 +127,9 @@ const struct supported_aead_algo aead_algos[] = { +@@ -126,9 +126,9 @@ const struct supported_aead_algo aead_algos[] = { @@ -133 +134 @@ -@@ -632,5 +632,5 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, +@@ -631,5 +631,5 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, @@ -140 +141 @@ -@@ -1117,4 +1117,29 @@ ipsec_satbl_init(struct sa_ctx *ctx, const struct ipsec_sa *ent, +@@ -917,4 +917,29 @@ sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], @@ -171 +172 @@ -index d1dc64bad..ca9ee7f24 100644 +index 6b05daaa9..99362a684 100644 @@ -241,7 +241,0 @@ -@@ -524,5 +567,5 @@ sp4_spi_present(uint32_t spi, int inbound) - - for (i = 0; i != num; i++) { -- if (acr[i].data.userdata == PROTECT(spi)) -+ if (acr[i].data.userdata == spi) - return i; - } @@ -249 +243 @@ -index e67d85aaf..76be3d3e9 100644 +index dc5b94c6a..bfcabf39c 100644 @@ -319,7 +312,0 @@ -@@ -638,5 +681,5 @@ sp6_spi_present(uint32_t spi, int inbound) - - for (i = 0; i != num; i++) { -- if (acr[i].data.userdata == PROTECT(spi)) -+ if (acr[i].data.userdata == spi) - return i; - }