From patchwork Thu Feb 16 14:24:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 124080 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id DC06C41CB2; Thu, 16 Feb 2023 15:25:09 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id CA3CC40E03; Thu, 16 Feb 2023 15:25:06 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id A618542D81 for ; Thu, 16 Feb 2023 15:25:04 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31G7ZLHL007453; Thu, 16 Feb 2023 06:24:59 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=vWtwNcFlfWEwsTTBTJ1yFmzKG02rqIFc41o0Nj6QIoU=; b=DKN/6V/dlo69Ap6MW9d/YI+QLCwyhPe/hCpDGLn23A7NeCPZZvTjhiXXFI2zv4gmRX1+ rg1UIvYEnlMEOXODFd0Dg/JSn35+o+G/UZK+4/sFMCJdyzQIBzwWGorpQ6MBxMofTT2Q fRS3WkgFdsR4UNTNouyb2yE+CoJQ2R54n05Xlglbp24NikG012V3e2AG3zubCLPMzf9A Rj84glGWFC9ayIHWxak+FCJurKXFHjvzZf6RFUysRip1FJZOSS6Kk/xDHbeN+R1DRwfj aFjj/E2G1FXpeqQQqm14g7FV/oceHYMlgLMMoimiu9fYdLWxWlWZG9bpra6zJ7A+fcJn Rg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3nsg6w9rd7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 16 Feb 2023 06:24:59 -0800 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 16 Feb 2023 06:24:57 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.42 via Frontend Transport; Thu, 16 Feb 2023 06:24:57 -0800 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id 293343F7096; Thu, 16 Feb 2023 06:24:53 -0800 (PST) From: Akhil Goyal To: CC: , , , , , , , , , Akhil Goyal Subject: [PATCH 2/3] examples/ipsec-secgw: check capabilities before session create Date: Thu, 16 Feb 2023 19:54:41 +0530 Message-ID: <20230216142442.3657742-2-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230216142442.3657742-1-gakhil@marvell.com> References: <20230216142442.3657742-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: Ua8Iaq_Uh4L9QULYuzUOgvAVFUe-jRAA X-Proofpoint-GUID: Ua8Iaq_Uh4L9QULYuzUOgvAVFUe-jRAA X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-16_10,2023-02-16_01,2023-02-09_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Currently, sessions are created without checking the device capabilities, which may result in failure at a later stage. Device capabilities are now checked before creating the security/crypto session. Signed-off-by: Akhil Goyal Acked-by: Kai Ji --- examples/ipsec-secgw/ipsec.c | 208 ++++++++++++++++++++++++++++++++++- 1 file changed, 205 insertions(+), 3 deletions(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 9b52d37b81..c51f1b7eb2 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -57,6 +57,182 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) ipsec->options.ip_reassembly_en = 1; } +static inline int +verify_crypto_xform(const struct rte_cryptodev_capabilities *capabilities, + struct rte_crypto_sym_xform *crypto_xform) +{ + const struct rte_cryptodev_capabilities *crypto_cap; + int j = 0; + + while ((crypto_cap = &capabilities[j++])->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + crypto_cap->sym.xform_type == crypto_xform->type) { + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD && + crypto_cap->sym.aead.algo == crypto_xform->aead.algo) { + if (rte_cryptodev_sym_capability_check_aead(&crypto_cap->sym, + crypto_xform->aead.key.length, + crypto_xform->aead.digest_length, + crypto_xform->aead.aad_length, + crypto_xform->aead.iv.length) == 0) + return 0; + } + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + crypto_cap->sym.cipher.algo == crypto_xform->cipher.algo) { + if (rte_cryptodev_sym_capability_check_cipher(&crypto_cap->sym, + crypto_xform->cipher.key.length, + crypto_xform->cipher.iv.length) == 0) + return 0; + } + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && + crypto_cap->sym.auth.algo == crypto_xform->auth.algo) { + if (rte_cryptodev_sym_capability_check_auth(&crypto_cap->sym, + crypto_xform->auth.key.length, + crypto_xform->auth.digest_length, + crypto_xform->auth.iv.length) == 0) + return 0; + } + } + } + + return -ENOTSUP; +} + +static inline int +verify_crypto_capabilities(const struct rte_cryptodev_capabilities *capabilities, + struct rte_crypto_sym_xform *crypto_xform) +{ + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return verify_crypto_xform(capabilities, crypto_xform); + else if (crypto_xform->next != NULL) + return (verify_crypto_xform(capabilities, crypto_xform) || + verify_crypto_xform(capabilities, crypto_xform->next)); + else + return -ENOTSUP; +} + +static inline int +verify_ipsec_capabilities(struct rte_security_ipsec_xform *ipsec_xform, + const struct rte_security_capability *sec_cap) +{ + /* Verify security capabilities */ + + if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) { + RTE_LOG(INFO, USER1, "ESN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.udp_encap == 1 && + sec_cap->ipsec.options.udp_encap == 0) { + RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.udp_ports_verify == 1 && + sec_cap->ipsec.options.udp_ports_verify == 0) { + RTE_LOG(DEBUG, USER1, + "UDP encapsulation ports verification is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_dscp == 1 && + sec_cap->ipsec.options.copy_dscp == 0) { + RTE_LOG(DEBUG, USER1, "Copy DSCP is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_flabel == 1 && + sec_cap->ipsec.options.copy_flabel == 0) { + RTE_LOG(DEBUG, USER1, "Copy Flow Label is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_df == 1 && + sec_cap->ipsec.options.copy_df == 0) { + RTE_LOG(DEBUG, USER1, "Copy DP bit is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.dec_ttl == 1 && + sec_cap->ipsec.options.dec_ttl == 0) { + RTE_LOG(DEBUG, USER1, "Decrement TTL is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) { + RTE_LOG(DEBUG, USER1, "ECN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.stats == 1 && + sec_cap->ipsec.options.stats == 0) { + RTE_LOG(DEBUG, USER1, "Stats is not supported\n"); + return -ENOTSUP; + } + + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + (ipsec_xform->options.iv_gen_disable == 1) && + (sec_cap->ipsec.options.iv_gen_disable != 1)) { + RTE_LOG(DEBUG, USER1, "Application provided IV is not supported\n"); + return -ENOTSUP; + } + + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xform->options.tunnel_hdr_verify > + sec_cap->ipsec.options.tunnel_hdr_verify)) { + RTE_LOG(DEBUG, USER1, "Tunnel header verify is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.ip_csum_enable == 1 && + sec_cap->ipsec.options.ip_csum_enable == 0) { + RTE_LOG(DEBUG, USER1, "Inner IP checksum is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.l4_csum_enable == 1 && + sec_cap->ipsec.options.l4_csum_enable == 0) { + RTE_LOG(DEBUG, USER1, "Inner L4 checksum is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + if (ipsec_xform->replay_win_sz > sec_cap->ipsec.replay_win_sz_max) { + RTE_LOG(DEBUG, USER1, "Replay window size is not supported\n"); + return -ENOTSUP; + } + } + + return 0; +} + + +static inline int +verify_security_capabilities(struct rte_security_ctx *ctx, + struct rte_security_session_conf *sess_conf) +{ + struct rte_security_capability_idx sec_cap_idx; + const struct rte_security_capability *sec_cap; + + sec_cap_idx.action = sess_conf->action_type; + sec_cap_idx.protocol = sess_conf->protocol; + sec_cap_idx.ipsec.proto = sess_conf->ipsec.proto; + sec_cap_idx.ipsec.mode = sess_conf->ipsec.mode; + sec_cap_idx.ipsec.direction = sess_conf->ipsec.direction; + + sec_cap = rte_security_capability_get(ctx, &sec_cap_idx); + if (sec_cap == NULL) + return -ENOTSUP; + + if (verify_crypto_capabilities(sec_cap->crypto_capabilities, + sess_conf->crypto_xform)) + return -ENOTSUP; + + if (verify_ipsec_capabilities(&sess_conf->ipsec, sec_cap)) + return -ENOTSUP; + + return 0; +} + int create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], struct socket_ctx *skt_ctx, const struct eventmode_conf *em_conf, @@ -156,6 +332,12 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); + if (verify_security_capabilities(ctx, &sess_conf)) { + RTE_LOG(ERR, IPSEC, + "Requested security session config not supported\n"); + return -1; + } + ips->security.ses = rte_security_session_create(ctx, &sess_conf, skt_ctx->session_pool); if (ips->security.ses == NULL) { @@ -173,15 +355,23 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], return -1; } } else { + struct rte_cryptodev_info info; + + rte_cryptodev_info_get(cdev_id, &info); + if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { - struct rte_cryptodev_info info; - - rte_cryptodev_info_get(cdev_id, &info); if (!(info.feature_flags & RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO)) return -ENOTSUP; } + + if (verify_crypto_capabilities(info.capabilities, sa->xforms)) { + RTE_LOG(ERR, IPSEC, + "Requested crypto session config not supported\n"); + return -1; + } + ips->crypto.dev_id = cdev_id; ips->crypto.ses = rte_cryptodev_sym_session_create(cdev_id, sa->xforms, skt_ctx->session_pool); @@ -308,6 +498,12 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } + if (verify_security_capabilities(sec_ctx, &sess_conf)) { + RTE_LOG(ERR, IPSEC, + "Requested security session config not supported\n"); + return -1; + } + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); if (ips->security.ses == NULL) { @@ -507,6 +703,12 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, sess_conf.userdata = (void *) sa; + if (verify_security_capabilities(sec_ctx, &sess_conf)) { + RTE_LOG(ERR, IPSEC, + "Requested security session config not supported\n"); + return -1; + } + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); if (ips->security.ses == NULL) {