From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id F3C324C9F for ; Tue, 2 Apr 2019 10:35:18 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Apr 2019 01:35:14 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,300,1549958400"; d="scan'208";a="332938751" Received: from sivswdev08.ir.intel.com ([10.237.217.47]) by fmsmga006.fm.intel.com with ESMTP; 02 Apr 2019 01:35:13 -0700 From: Konstantin Ananyev To: dev@dpdk.org Cc: akhil.goyal@nxp.com, olivier.matz@6wind.com, Konstantin Ananyev Date: Tue, 2 Apr 2019 09:34:41 +0100 Message-Id: <20190402083444.24755-7-konstantin.ananyev@intel.com> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20190402083444.24755-1-konstantin.ananyev@intel.com> References: <20190401125656.7636-1-konstantin.ananyev@intel.com> <20190402083444.24755-1-konstantin.ananyev@intel.com> Subject: [dpdk-dev] [PATCH v6 6/9] ipsec: reorder packet check for esp inbound X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 08:35:19 -0000 Right now check for packet length and padding is done inside cop_prepare(). It makes sense to have all necessary checks in one place at early stage: inside pkt_prepare(). That allows to simplify (and later hopefully) optimize cop_prepare() part. Signed-off-by: Konstantin Ananyev Acked-by: Akhil Goyal --- lib/librte_ipsec/esp_inb.c | 41 +++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 23 deletions(-) diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c index a775c7b0b..8d1171556 100644 --- a/lib/librte_ipsec/esp_inb.c +++ b/lib/librte_ipsec/esp_inb.c @@ -18,7 +18,7 @@ /* * setup crypto op and crypto sym op for ESP inbound tunnel packet. */ -static inline int32_t +static inline void inb_cop_prepare(struct rte_crypto_op *cop, const struct rte_ipsec_sa *sa, struct rte_mbuf *mb, const union sym_op_data *icv, uint32_t pofs, uint32_t plen) @@ -27,11 +27,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, struct aead_gcm_iv *gcm; struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; - uint32_t algo, clen; - - clen = plen - sa->ctp.cipher.length; - if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) - return -EINVAL; + uint32_t algo; algo = sa->algo_type; @@ -41,7 +37,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, switch (algo) { case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; - sop->aead.data.length = clen; + sop->aead.data.length = plen - sa->ctp.cipher.length; sop->aead.digest.data = icv->va; sop->aead.digest.phys_addr = icv->pa; sop->aead.aad.data = icv->va + sa->icv_len; @@ -57,7 +53,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, case ALGO_TYPE_AES_CBC: case ALGO_TYPE_3DES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; - sop->cipher.data.length = clen; + sop->cipher.data.length = plen - sa->ctp.cipher.length; sop->auth.data.offset = pofs + sa->ctp.auth.offset; sop->auth.data.length = plen - sa->ctp.auth.length; sop->auth.digest.data = icv->va; @@ -71,7 +67,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, break; case ALGO_TYPE_AES_CTR: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; - sop->cipher.data.length = clen; + sop->cipher.data.length = plen - sa->ctp.cipher.length; sop->auth.data.offset = pofs + sa->ctp.auth.offset; sop->auth.data.length = plen - sa->ctp.auth.length; sop->auth.digest.data = icv->va; @@ -86,17 +82,13 @@ inb_cop_prepare(struct rte_crypto_op *cop, break; case ALGO_TYPE_NULL: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; - sop->cipher.data.length = clen; + sop->cipher.data.length = plen - sa->ctp.cipher.length; sop->auth.data.offset = pofs + sa->ctp.auth.offset; sop->auth.data.length = plen - sa->ctp.auth.length; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; break; - default: - return -EINVAL; } - - return 0; } /* @@ -132,7 +124,7 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn, { int32_t rc; uint64_t sqn; - uint32_t icv_ofs, plen; + uint32_t clen, icv_ofs, plen; struct rte_mbuf *ml; struct esp_hdr *esph; @@ -159,6 +151,11 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn, ml = rte_pktmbuf_lastseg(mb); icv_ofs = ml->data_len - sa->icv_len + sa->sqh_len; + /* check that packet has a valid length */ + clen = plen - sa->ctp.cipher.length; + if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) + return -EBADMSG; + /* we have to allocate space for AAD somewhere, * right now - just use free trailing space at the last segment. * Would probably be more convenient to reserve space for AAD @@ -201,21 +198,19 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], rc = inb_pkt_prepare(sa, rsn, mb[i], hl, &icv); if (rc >= 0) { lksd_none_cop_prepare(cop[k], cs, mb[i]); - rc = inb_cop_prepare(cop[k], sa, mb[i], &icv, hl, rc); - } - - k += (rc == 0); - if (rc != 0) { + inb_cop_prepare(cop[k], sa, mb[i], &icv, hl, rc); + k++; + } else dr[i - k] = i; - rte_errno = -rc; - } } rsn_release(sa, rsn); /* copy not prepared mbufs beyond good ones */ - if (k != num && k != 0) + if (k != num && k != 0) { move_bad_mbufs(mb, dr, num, num - k); + rte_errno = EBADMSG; + } return k; } -- 2.17.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id B7222A0679 for ; Tue, 2 Apr 2019 10:35:54 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 798435689; Tue, 2 Apr 2019 10:35:29 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id F3C324C9F for ; Tue, 2 Apr 2019 10:35:18 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Apr 2019 01:35:14 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,300,1549958400"; d="scan'208";a="332938751" Received: from sivswdev08.ir.intel.com ([10.237.217.47]) by fmsmga006.fm.intel.com with ESMTP; 02 Apr 2019 01:35:13 -0700 From: Konstantin Ananyev To: dev@dpdk.org Cc: akhil.goyal@nxp.com, olivier.matz@6wind.com, Konstantin Ananyev Date: Tue, 2 Apr 2019 09:34:41 +0100 Message-Id: <20190402083444.24755-7-konstantin.ananyev@intel.com> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20190402083444.24755-1-konstantin.ananyev@intel.com> References: <20190401125656.7636-1-konstantin.ananyev@intel.com> <20190402083444.24755-1-konstantin.ananyev@intel.com> Subject: [dpdk-dev] [PATCH v6 6/9] ipsec: reorder packet check for esp inbound X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Content-Type: text/plain; charset="UTF-8" Message-ID: <20190402083441.lNU3NHBHHTJXhUHVVvAdYUB7hrjYETFjq87ahWaL3xA@z> Right now check for packet length and padding is done inside cop_prepare(). It makes sense to have all necessary checks in one place at early stage: inside pkt_prepare(). That allows to simplify (and later hopefully) optimize cop_prepare() part. Signed-off-by: Konstantin Ananyev Acked-by: Akhil Goyal --- lib/librte_ipsec/esp_inb.c | 41 +++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 23 deletions(-) diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c index a775c7b0b..8d1171556 100644 --- a/lib/librte_ipsec/esp_inb.c +++ b/lib/librte_ipsec/esp_inb.c @@ -18,7 +18,7 @@ /* * setup crypto op and crypto sym op for ESP inbound tunnel packet. */ -static inline int32_t +static inline void inb_cop_prepare(struct rte_crypto_op *cop, const struct rte_ipsec_sa *sa, struct rte_mbuf *mb, const union sym_op_data *icv, uint32_t pofs, uint32_t plen) @@ -27,11 +27,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, struct aead_gcm_iv *gcm; struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; - uint32_t algo, clen; - - clen = plen - sa->ctp.cipher.length; - if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) - return -EINVAL; + uint32_t algo; algo = sa->algo_type; @@ -41,7 +37,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, switch (algo) { case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; - sop->aead.data.length = clen; + sop->aead.data.length = plen - sa->ctp.cipher.length; sop->aead.digest.data = icv->va; sop->aead.digest.phys_addr = icv->pa; sop->aead.aad.data = icv->va + sa->icv_len; @@ -57,7 +53,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, case ALGO_TYPE_AES_CBC: case ALGO_TYPE_3DES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; - sop->cipher.data.length = clen; + sop->cipher.data.length = plen - sa->ctp.cipher.length; sop->auth.data.offset = pofs + sa->ctp.auth.offset; sop->auth.data.length = plen - sa->ctp.auth.length; sop->auth.digest.data = icv->va; @@ -71,7 +67,7 @@ inb_cop_prepare(struct rte_crypto_op *cop, break; case ALGO_TYPE_AES_CTR: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; - sop->cipher.data.length = clen; + sop->cipher.data.length = plen - sa->ctp.cipher.length; sop->auth.data.offset = pofs + sa->ctp.auth.offset; sop->auth.data.length = plen - sa->ctp.auth.length; sop->auth.digest.data = icv->va; @@ -86,17 +82,13 @@ inb_cop_prepare(struct rte_crypto_op *cop, break; case ALGO_TYPE_NULL: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; - sop->cipher.data.length = clen; + sop->cipher.data.length = plen - sa->ctp.cipher.length; sop->auth.data.offset = pofs + sa->ctp.auth.offset; sop->auth.data.length = plen - sa->ctp.auth.length; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; break; - default: - return -EINVAL; } - - return 0; } /* @@ -132,7 +124,7 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn, { int32_t rc; uint64_t sqn; - uint32_t icv_ofs, plen; + uint32_t clen, icv_ofs, plen; struct rte_mbuf *ml; struct esp_hdr *esph; @@ -159,6 +151,11 @@ inb_pkt_prepare(const struct rte_ipsec_sa *sa, const struct replay_sqn *rsn, ml = rte_pktmbuf_lastseg(mb); icv_ofs = ml->data_len - sa->icv_len + sa->sqh_len; + /* check that packet has a valid length */ + clen = plen - sa->ctp.cipher.length; + if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) + return -EBADMSG; + /* we have to allocate space for AAD somewhere, * right now - just use free trailing space at the last segment. * Would probably be more convenient to reserve space for AAD @@ -201,21 +198,19 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[], rc = inb_pkt_prepare(sa, rsn, mb[i], hl, &icv); if (rc >= 0) { lksd_none_cop_prepare(cop[k], cs, mb[i]); - rc = inb_cop_prepare(cop[k], sa, mb[i], &icv, hl, rc); - } - - k += (rc == 0); - if (rc != 0) { + inb_cop_prepare(cop[k], sa, mb[i], &icv, hl, rc); + k++; + } else dr[i - k] = i; - rte_errno = -rc; - } } rsn_release(sa, rsn); /* copy not prepared mbufs beyond good ones */ - if (k != num && k != 0) + if (k != num && k != 0) { move_bad_mbufs(mb, dr, num, num - k); + rte_errno = EBADMSG; + } return k; } -- 2.17.1