DPDK patches and discussions
 help / color / mirror / Atom feed
From: Ankur Dwivedi <adwivedi@marvell.com>
To: <dev@dpdk.org>
Cc: <jerinj@marvell.com>, <akhil.goyal@nxp.com>,
	<radu.nicolau@intel.com>, <anoobj@marvell.com>,
	Ankur Dwivedi <adwivedi@marvell.com>
Subject: [dpdk-dev] [PATCH v2 2/2] net/octeontx2: add replay check for inline inbound packets
Date: Fri, 18 Sep 2020 16:39:43 +0530
Message-ID: <20200918110943.14553-3-adwivedi@marvell.com> (raw)
In-Reply-To: <20200918110943.14553-1-adwivedi@marvell.com>

The function handling anti replay is added. If replay window
is enabled the rx packets will be validated against the window. The
rx offload fails in case of error.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 .../crypto/octeontx2/otx2_ipsec_anti_replay.h | 208 ++++++++++++++++++
 drivers/net/octeontx2/otx2_rx.h               |   7 +
 2 files changed, 215 insertions(+)
 create mode 100644 drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h

diff --git a/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
new file mode 100644
index 000000000..858ce5b15
--- /dev/null
+++ b/drivers/crypto/octeontx2/otx2_ipsec_anti_replay.h
@@ -0,0 +1,208 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (C) 2020 Marvell International Ltd.
+ */
+
+#ifndef __OTX2_IPSEC_ANTI_REPLAY_H__
+#define __OTX2_IPSEC_ANTI_REPLAY_H__
+
+#include <rte_mbuf.h>
+
+#include "otx2_ipsec_fp.h"
+
+#define WORD_SHIFT	6
+#define WORD_SIZE	(1 << WORD_SHIFT)
+#define WORD_MASK	(WORD_SIZE - 1)
+
+#define IPSEC_ANTI_REPLAY_FAILED	(-1)
+
+static inline int
+anti_replay_check(uint64_t seq, struct otx2_ipsec_fp_in_sa *sa)
+{
+	struct otx2_ipsec_replay *replay = sa->replay;
+	uint64_t *window = &replay->window[0];
+	uint64_t winsz = sa->replay_win_sz;
+	uint64_t ex_winsz = winsz + WORD_SIZE;
+	uint64_t winwords = ex_winsz >> WORD_SHIFT;
+	uint64_t base = replay->base;
+	uint32_t winb = replay->winb;
+	uint32_t wint = replay->wint;
+	uint64_t seqword, shiftwords;
+	uint64_t bit_pos;
+	uint64_t shift;
+	uint64_t *wptr;
+	uint64_t tmp;
+
+	if (winsz > 64)
+		goto slow_shift;
+	/* Check if the seq is the biggest one yet */
+	if (likely(seq > base)) {
+		shift = seq - base;
+		if (shift < winsz) {  /* In window */
+			/*
+			 * If more than 64-bit anti-replay window,
+			 * use slow shift routine
+			 */
+			wptr = window + (shift >> WORD_SHIFT);
+			*wptr <<= shift;
+			*wptr |= 1ull;
+		} else {
+			/* No special handling of window size > 64 */
+			wptr = window + ((winsz - 1) >> WORD_SHIFT);
+			/*
+			 * Zero out the whole window (especially for
+			 * bigger than 64b window) till the last 64b word
+			 * as the incoming sequence number minus
+			 * base sequence is more than the window size.
+			 */
+			while (window != wptr)
+				*window++ = 0ull;
+			/*
+			 * Set the last bit (of the window) to 1
+			 * as that corresponds to the base sequence number.
+			 * Now any incoming sequence number which is
+			 * (base - window size - 1) will pass anti-replay check
+			 */
+			*wptr = 1ull;
+		}
+		/*
+		 * Set the base to incoming sequence number as
+		 * that is the biggest sequence number seen yet
+		 */
+		replay->base = seq;
+		return 0;
+	}
+
+	bit_pos = base - seq;
+
+	/* If seq falls behind the window, return failure */
+	if (bit_pos >= winsz)
+		return IPSEC_ANTI_REPLAY_FAILED;
+
+	/* seq is within anti-replay window */
+	wptr = window + ((winsz - bit_pos - 1) >> WORD_SHIFT);
+	bit_pos &= WORD_MASK;
+
+	/* Check if this is a replayed packet */
+	if (*wptr & ((1ull) << bit_pos))
+		return IPSEC_ANTI_REPLAY_FAILED;
+
+	/* mark as seen */
+	*wptr |= ((1ull) << bit_pos);
+	return 0;
+
+slow_shift:
+	if (likely(seq > base)) {
+		uint32_t i;
+
+		shift = seq - base;
+		if (unlikely(shift >= winsz)) {
+			/*
+			 * shift is bigger than the window,
+			 * so just zero out everything
+			 */
+			for (i = 0; i < winwords; i++)
+				window[i] = 0;
+winupdate:
+			/* Find out the word */
+			seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;
+
+			/* Find out the bit in the word */
+			bit_pos = (seq - 1) & WORD_MASK;
+
+			/*
+			 * Set the bit corresponding to sequence number
+			 * in window to mark it as received
+			 */
+			window[seqword] |= (1ull << (63 - bit_pos));
+
+			/* wint and winb range from 1 to ex_winsz */
+			replay->wint = ((wint + shift - 1) % ex_winsz) + 1;
+			replay->winb = ((winb + shift - 1) % ex_winsz) + 1;
+
+			replay->base = seq;
+			return 0;
+		}
+
+		/*
+		 * New sequence number is bigger than the base but
+		 * it's not bigger than base + window size
+		 */
+
+		shiftwords = ((wint + shift - 1) >> WORD_SHIFT) -
+			     ((wint - 1) >> WORD_SHIFT);
+		if (unlikely(shiftwords)) {
+			tmp = (wint + WORD_SIZE - 1) / WORD_SIZE;
+			for (i = 0; i < shiftwords; i++) {
+				tmp %= winwords;
+				window[tmp++] = 0;
+			}
+		}
+
+		goto winupdate;
+	}
+
+	/* Sequence number is before the window */
+	if (unlikely((seq + winsz) <= base))
+		return IPSEC_ANTI_REPLAY_FAILED;
+
+	/* Sequence number is within the window */
+
+	/* Find out the word */
+	seqword = ((seq - 1) % ex_winsz) >> WORD_SHIFT;
+
+	/* Find out the bit in the word */
+	bit_pos = (seq - 1) & WORD_MASK;
+
+	/* Check if this is a replayed packet */
+	if (window[seqword] & (1ull << (63 - bit_pos)))
+		return IPSEC_ANTI_REPLAY_FAILED;
+
+	/*
+	 * Set the bit corresponding to sequence number
+	 * in window to mark it as received
+	 */
+	window[seqword] |= (1ull << (63 - bit_pos));
+
+	return 0;
+}
+
+static int
+cpt_ipsec_antireplay_check(struct otx2_ipsec_fp_in_sa *sa, char *data)
+{
+	uint64_t seq_in_sa;
+	uint32_t seqh = 0;
+	uint32_t seql;
+	uint64_t seq;
+	uint8_t esn;
+	int ret;
+
+	esn = sa->ctl.esn_en;
+	seql = rte_be_to_cpu_32(*((uint32_t *)(data +
+			OTX2_IPSEC_SEQNO_LO_INDEX)));
+
+	if (!esn)
+		seq = (uint64_t)seql;
+	else {
+		seqh = rte_be_to_cpu_32(*((uint32_t *)(data +
+				OTX2_IPSEC_SEQNO_HI_INDEX)));
+		seq = ((uint64_t)seqh << 32) | seql;
+	}
+
+	if (unlikely(seq == 0))
+		return IPSEC_ANTI_REPLAY_FAILED;
+
+	rte_spinlock_lock(&sa->replay->lock);
+	ret = anti_replay_check(seq, sa);
+	if (esn && (ret == 0)) {
+		seq_in_sa = ((uint64_t)rte_be_to_cpu_32(sa->esn_hi) << 32) |
+				rte_be_to_cpu_32(sa->esn_low);
+		if (seq > seq_in_sa) {
+			sa->esn_low = rte_cpu_to_be_32(seql);
+			sa->esn_hi = rte_cpu_to_be_32(seqh);
+		}
+	}
+	rte_spinlock_unlock(&sa->replay->lock);
+
+	return ret;
+}
+#endif /* __OTX2_IPSEC_ANTI_REPLAY_H__ */
diff --git a/drivers/net/octeontx2/otx2_rx.h b/drivers/net/octeontx2/otx2_rx.h
index d8648b692..f29a0542f 100644
--- a/drivers/net/octeontx2/otx2_rx.h
+++ b/drivers/net/octeontx2/otx2_rx.h
@@ -9,6 +9,7 @@
 
 #include "otx2_common.h"
 #include "otx2_ethdev_sec.h"
+#include "otx2_ipsec_anti_replay.h"
 #include "otx2_ipsec_fp.h"
 
 /* Default mark value used when none is provided. */
@@ -243,6 +244,12 @@ nix_rx_sec_mbuf_update(const struct nix_cqe_hdr_s *cq, struct rte_mbuf *m,
 	m->udata64 = (uint64_t)sa->userdata;
 
 	data = rte_pktmbuf_mtod(m, char *);
+
+	if (sa->replay_win_sz) {
+		if (cpt_ipsec_antireplay_check(sa, data) < 0)
+			return PKT_RX_SEC_OFFLOAD | PKT_RX_SEC_OFFLOAD_FAILED;
+	}
+
 	memcpy(data + INLINE_INB_RPTR_HDR, data, RTE_ETHER_HDR_LEN);
 
 	m->data_off += INLINE_INB_RPTR_HDR;
-- 
2.28.0


  parent reply	other threads:[~2020-09-18 11:11 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-09-03 11:18 [dpdk-dev] [PATCH 0/2] add anti replay support in OCTEON TX2 security Ankur Dwivedi
2020-09-03 11:18 ` [dpdk-dev] [PATCH 1/2] net/octeontx2: add anti replay support in security session Ankur Dwivedi
2020-09-03 11:18 ` [dpdk-dev] [PATCH 2/2] net/octeontx2: add replay check for inline inbound packets Ankur Dwivedi
2020-09-18  4:31 ` [dpdk-dev] [PATCH 0/2] add anti replay support in OCTEON TX2 security Anoob Joseph
2020-09-27 12:31   ` Jerin Jacob
2020-09-18 11:09 ` [dpdk-dev] [PATCH v2 " Ankur Dwivedi
2020-09-18 11:09   ` [dpdk-dev] [PATCH v2 1/2] net/octeontx2: add anti replay support in security session Ankur Dwivedi
2020-09-18 11:09   ` Ankur Dwivedi [this message]
2020-10-09 13:46   ` [dpdk-dev] [PATCH v2 0/2] add anti replay support in OCTEON TX2 security Ankur Dwivedi
2020-10-09 14:50     ` Ankur Dwivedi
2020-10-09 14:54       ` Akhil Goyal
2020-10-09 15:13         ` Ankur Dwivedi
2020-10-09 18:54           ` Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200918110943.14553-3-adwivedi@marvell.com \
    --to=adwivedi@marvell.com \
    --cc=akhil.goyal@nxp.com \
    --cc=anoobj@marvell.com \
    --cc=dev@dpdk.org \
    --cc=jerinj@marvell.com \
    --cc=radu.nicolau@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

DPDK patches and discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git