From patchwork Wed Sep 8 08:21:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 98271 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id AC798A0C56; Wed, 8 Sep 2021 09:28:00 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id CEC844112E; Wed, 8 Sep 2021 09:27:58 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id B92ED41124 for ; Wed, 8 Sep 2021 09:27:57 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18838Kc3016089; Wed, 8 Sep 2021 00:27:56 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=M0Z25k8MCdE8K5Eybb0OJ4AbNPuxuQLnGUapc09u6P8=; b=YBMHKonP8C34KpMwwU80de2ymvtS2hP99+gXtBX4Hu+W3ZgNzwaLQSwLnPMU2y6jp/V8 o5FTQiU64ClbFXp1U88vGGgxkPakpr1gbjw9Na7aJyxvwmC2OtS24zz6rEfqcI/DjXUp tvAcdDWEaaY4De3XSvWtsnmWiLJEvyfxJc1r8YY3z/5QnifGlqAOeS0KuWY3PzeGIG8W 4N/tPYlVcsFCaFW3HslUIeYdCInQwSLn9/4bowU7ZAhtzp8Zm6UJfS5HbKthGeqCsjsR 1ygxOfe3bvh7BqB18dR0GHJKHYD2D2Ju+/hPtqWFsXtOLs8istog3r58NU/Wrc3CpxGk nA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com with ESMTP id 3axcm7tfep-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:27:56 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:27:55 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:27:55 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 161903F705E; Wed, 8 Sep 2021 00:27:50 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:51:09 +0530 Message-ID: <20210908082111.27396-2-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082111.27396-1-ktejasree@marvell.com> References: <20210908082111.27396-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: zA1ILF365Qwewz5t7zBQJzNwnVrMLRS5 X-Proofpoint-ORIG-GUID: zA1ILF365Qwewz5t7zBQJzNwnVrMLRS5 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 1/3] security: add option to configure tunnel header verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add option to indicate whether outer header verification need to be done as part of inbound IPsec processing. With inline IPsec processing, SA lookup would be happening in the Rx path of rte_ethdev. When rte_flow is configured to support more than one SA, SPI would be used to lookup SA. In such cases, additional verification would be required to ensure duplicate SPIs are not getting processed in the inline path. For lookaside cases, the same option can be used by application to offload tunnel verification to the PMD. These verifications would help in averting possible DoS attacks. Signed-off-by: Tejasree Kondoj Acked-by: Hemant Agrawal Acked-by: Akhil Goyal --- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 0e3ed28378..b0606cb542 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -136,6 +136,11 @@ ABI Changes soft and hard SA expiry limits. Limits can be either in units of packets or bytes. +* security: add IPsec SA option to configure tunnel header verification + + * Added SA option to indicate whether outer header verification need to be + done as part of inbound IPsec processing. + Known Issues ------------ diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 95c169d6cf..2a61cad885 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type { /**< Outer header is IPv6 */ }; +/** + * IPSEC tunnel header verification mode + * + * Controls how outer IP header is verified in inbound. + */ +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 + /** * Security context for crypto/eth devices * @@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options { * by the PMD. */ uint32_t iv_gen_disable : 1; + + /** Verify tunnel header in inbound + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination + * IP address. + * + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both + * source and destination IP addresses. + */ + uint32_t tunnel_hdr_verify : 2; }; /** IPSec security association direction */ From patchwork Wed Sep 8 08:21:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 98272 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id ED408A0C56; Wed, 8 Sep 2021 09:28:05 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id F34804013F; Wed, 8 Sep 2021 09:28:04 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 758D54003C for ; Wed, 8 Sep 2021 09:28:03 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1883X1DX016086; Wed, 8 Sep 2021 00:28:01 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=UY03JMet7z2Gjx+Zo4HcaitELFeywRWffFwUytw3OBU=; b=YBgk37IHYcKXQzPbXO19N+wgsBCQ2hWASdXfwN6llKhMVCqYjCF0s6FLhRZZKa16/YpN DQ7oYJRyc/Ql6Wjz2y2C6TO0rBlraj8xZdq2+LakH1Mcy9yvj6Dzdo7Nj5guxyAZxpYv D/Xge7uhzmIML0fMFNq2VQ7nYiS8CATdKovlQ14kuS9BC3K0dOvC9Pd/BYcYKu2Su7Ww FSO9lWwGnKjRVjZmBbK+0gn8h4fdJz3nOeRxduA56IJUPKkKjmfjx/m4IfbwL+5JStfD 7EpJyA83lG8z4F66e+HQFlpOPnvR1t9q7JEXb8n6B/PtIO2VdP9SqWXVz+ilTmpRySY7 wg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3axcm7tffj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:28:01 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:28:00 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:28:00 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id C0F7D3F705B; Wed, 8 Sep 2021 00:27:55 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:51:10 +0530 Message-ID: <20210908082111.27396-3-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082111.27396-1-ktejasree@marvell.com> References: <20210908082111.27396-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: qjxbwN_dIY-E0iQjVTTh-Jcanld9hYhA X-Proofpoint-ORIG-GUID: qjxbwN_dIY-E0iQjVTTh-Jcanld9hYhA X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 2/3] common/cnxk: add support for tunnel header verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding support to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- drivers/common/cnxk/cnxk_security.c | 60 +++++++++++++++++++ drivers/common/cnxk/roc_ie_ot.h | 6 +- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++ 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 215d9fd4d1..cc5daf333c 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa) return size; } +static int +ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm) +{ + struct rte_security_ipsec_tunnel_param *tunnel; + + if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + return 0; + + if (ipsec_xfrm->options.tunnel_hdr_verify == 0) + return 0; + + tunnel = &ipsec_xfrm->tunnel; + + switch (tunnel->type) { + case RTE_SECURITY_IPSEC_TUNNEL_IPV4: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4; + memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip, + sizeof(struct in_addr)); + + /* IP Source and Dest are in LE/CPU endian */ + sa->outer_hdr.ipv4.src_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr); + sa->outer_hdr.ipv4.dst_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr); + + break; + case RTE_SECURITY_IPSEC_TUNNEL_IPV6: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6; + memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr, + sizeof(struct in6_addr)); + memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr, + sizeof(struct in6_addr)); + + break; + default: + return -EINVAL; + } + + switch (ipsec_xfrm->options.tunnel_hdr_verify) { + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR: + sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR; + break; + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR: + sa->w2.s.ip_hdr_verify = + ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR; + break; + default: + return -ENOTSUP; + } + + return 0; +} + int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, @@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5; } + rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm); + if (rc) + return rc; + /* Default options for pkt_out and pkt_fmt are with * second pass meta and no defrag. */ diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 1ff468841d..12c75afac2 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 { uint64_t auth_type : 4; uint64_t encap_type : 2; - uint64_t rsvd1 : 6; + uint64_t et_ovrwr_ddr_en : 1; + uint64_t esn_en : 1; + uint64_t tport_l4_incr_csum : 1; + uint64_t ip_hdr_verify : 2; + uint64_t rsvd5 : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 4b97639e56..8a0cf289fd 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) #ifdef LA_IPSEC_DEBUG sec_cap->ipsec.options.iv_gen_disable = 1; #endif + } else { + if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + sec_cap->ipsec.options.tunnel_hdr_verify = + RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; } } From patchwork Wed Sep 8 08:21:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 98273 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BBE65A0C56; Wed, 8 Sep 2021 09:28:13 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7F3BC41130; Wed, 8 Sep 2021 09:28:08 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 0DC9141123 for ; Wed, 8 Sep 2021 09:28:06 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1883l5t8016067; Wed, 8 Sep 2021 00:28:06 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=qVkos/jkefJ2dhEH4hxuFABGUe7oDmW1avqCZNW+5vg=; b=XoWAXaJ30fpwFfiv5nIOVTLGY2WrPZqfOXpBkgfdYR8uAjxRTBN14NTCBbxPik+2EQwW 2qrdfCw8v1L3t/2801g/r2ocvwr9SfVToXcFvk7mDVVgGySl7vWclnZTgkVvg4GLs4wu e64HJ9tivdt/3A0JbKvn+tPV4NHGE0ChDbw1OmTwc61jveV9rD6FCW2zBx8GSEVgfKzJ ypG5zXoqM1fl+l9BBCdAUk9zchySxN5kZeA7q/e+XNcI1pr7LqZWoDvUGMeNvRdJ1CO9 FT78a/3MjxdK857TaMLCYol6MwwzTXc+i1G4sD+8ZpM00vbDXWNt7M22Pab/6+7P2QPR kg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3axcm7tffy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:28:06 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:28:04 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:28:04 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 68AAD3F7095; Wed, 8 Sep 2021 00:28:00 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:51:11 +0530 Message-ID: <20210908082111.27396-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082111.27396-1-ktejasree@marvell.com> References: <20210908082111.27396-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: 8Hb4h7-8gg0iNI6UVa0bzRWZDTFEUYn2 X-Proofpoint-ORIG-GUID: 8Hb4h7-8gg0iNI6UVa0bzRWZDTFEUYn2 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 3/3] test/crypto: add tunnel header verification tests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add test cases to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 45 ++++++++++++++++++- app/test/test_cryptodev_security_ipsec.c | 25 ++++++++++- app/test/test_cryptodev_security_ipsec.h | 1 + ...st_cryptodev_security_ipsec_test_vectors.h | 3 ++ 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index e513f38765..ab7b63f37f 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8876,6 +8876,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], int salt_len, i, ret = TEST_SUCCESS; struct rte_security_ctx *ctx; uint8_t *input_text; + uint32_t verify; ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; @@ -8885,11 +8886,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Copy IPsec xform */ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + dir = ipsec_xform.direction; + verify = flags->tunnel_hdr_verify; + + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) { + if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR) + src += 1; + else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR) + dst += 1; + } + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - dir = ipsec_xform.direction; - ctx = rte_cryptodev_get_sec_ctx(dev_id); sec_cap_idx.action = ut_params->type; @@ -9181,6 +9190,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14124,6 +14157,14 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), + TEST_CASE_NAMED_ST( + "Tunnel dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Tunnel src and dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_src_dst_addr_verify), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 046536cc9c..f040630655 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xform->options.tunnel_hdr_verify > + sec_cap->ipsec.options.tunnel_hdr_verify)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Tunnel header verify is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = + flags->tunnel_hdr_verify; + /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } @@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || - flags->sa_expiry_pkts_hard)) + flags->sa_expiry_pkts_hard || + flags->tunnel_hdr_verify)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && @@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op, } } + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + flags->tunnel_hdr_verify) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("Tunnel header verify test case failed\n"); + return TEST_FAILED; + } else { + return TEST_SUCCESS; + } + } + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { printf("ICV corruption test case failed\n"); diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 18f3c64bb7..a65cb54eae 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -53,6 +53,7 @@ struct ipsec_test_flags { bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; + uint32_t tunnel_hdr_verify; bool udp_encap; }; diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 38ea43d157..4e147ec19c 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,