From patchwork Tue Sep 28 12:07:39 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 99901 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A30B1A0032; Tue, 28 Sep 2021 13:14:14 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 5D229410F4; Tue, 28 Sep 2021 13:14:13 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 9DE44410EF for ; Tue, 28 Sep 2021 13:14:08 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18SAIJVD020820; Tue, 28 Sep 2021 04:14:07 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=EGvcVk+ezziEkWI/agKM8ykGXRy9K0u9cFzLks7XGlo=; b=J8Eph9+haCl+eJ9YNaJyIBHlKoeP0FuZI8IkIA23gzToRvpscZkP9Og/HGYtEBZGgMWm A0QmQ4ypf+jUfc//xrToNGDY9rrOvAfABDIknKmleMsJxG5k2oaXkbnC2bM3e913PZ0c qBS2Gq5teVYn7EILRACMqoyj2awVjlW8lolmbZWBK/YMv3pbSNpKK09/9dvXru8skYO+ 4aWE8hucuH/irZChJlHIXbCPJQgBrIvH+0Pnozj56ShkxN9QcllkhTHyF4c0FQQLv7KC pnUfy4DT0JGvuqhRgU2cUPFsU0YSiBxK+LWHt4N4wu1Mi7HE6EElmkQGE4NqpIE9m439 Yg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com with ESMTP id 3bc16205vp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Sep 2021 04:14:07 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 28 Sep 2021 04:14:06 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Tue, 28 Sep 2021 04:14:06 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 7B2973F70BC; Tue, 28 Sep 2021 04:14:02 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Tue, 28 Sep 2021 17:37:39 +0530 Message-ID: <20210928120741.16674-2-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210928120741.16674-1-ktejasree@marvell.com> References: <20210928120741.16674-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: qNn4B_GkKpOVorJqh4MEtDZD8zW6xyy6 X-Proofpoint-GUID: qNn4B_GkKpOVorJqh4MEtDZD8zW6xyy6 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-28_05,2021-09-28_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v2 1/3] security: add option to configure tunnel header verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add option to indicate whether outer header verification need to be done as part of inbound IPsec processing. With inline IPsec processing, SA lookup would be happening in the Rx path of rte_ethdev. When rte_flow is configured to support more than one SA, SPI would be used to lookup SA. In such cases, additional verification would be required to ensure duplicate SPIs are not getting processed in the inline path. For lookaside cases, the same option can be used by application to offload tunnel verification to the PMD. These verifications would help in averting possible DoS attacks. Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- doc/guides/rel_notes/deprecation.rst | 2 +- doc/guides/rel_notes/release_21_11.rst | 5 +++++ lib/security/rte_security.h | 17 +++++++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/doc/guides/rel_notes/deprecation.rst b/doc/guides/rel_notes/deprecation.rst index 69fbde0c70..80ae9a6372 100644 --- a/doc/guides/rel_notes/deprecation.rst +++ b/doc/guides/rel_notes/deprecation.rst @@ -238,7 +238,7 @@ Deprecation Notices * security: The IPsec SA config options ``struct rte_security_ipsec_sa_options`` will be updated with new fields to support new features like IPsec inner - checksum, tunnel header verification, TSO in case of protocol offload. + checksum, TSO in case of protocol offload. * ipsec: The structure ``rte_ipsec_sa_prm`` will be extended with a new field ``hdr_l3_len`` to configure tunnel L3 header length. diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 0b7ffa5e50..623b52d9c9 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -181,6 +181,11 @@ ABI Changes soft and hard SA expiry limits. Limits can be either in units of packets or bytes. +* security: add IPsec SA option to configure tunnel header verification + + * Added SA option to indicate whether outer header verification need to be + done as part of inbound IPsec processing. + Known Issues ------------ diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h index 88147e1f57..a10c9b5f00 100644 --- a/lib/security/rte_security.h +++ b/lib/security/rte_security.h @@ -55,6 +55,14 @@ enum rte_security_ipsec_tunnel_type { /**< Outer header is IPv6 */ }; +/** + * IPSEC tunnel header verification mode + * + * Controls how outer IP header is verified in inbound. + */ +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 +#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 + /** * Security context for crypto/eth devices * @@ -206,6 +214,15 @@ struct rte_security_ipsec_sa_options { * by the PMD. */ uint32_t iv_gen_disable : 1; + + /** Verify tunnel header in inbound + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination + * IP address. + * + * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both + * source and destination IP addresses. + */ + uint32_t tunnel_hdr_verify : 2; }; /** IPSec security association direction */ From patchwork Tue Sep 28 12:07:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 99902 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 33388A0032; Tue, 28 Sep 2021 13:14:20 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 68ED441100; Tue, 28 Sep 2021 13:14:15 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 1931F410FE for ; Tue, 28 Sep 2021 13:14:13 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18SAFB8t019512; Tue, 28 Sep 2021 04:14:13 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=UY03JMet7z2Gjx+Zo4HcaitELFeywRWffFwUytw3OBU=; b=SK66fl3tTdEDlZpGJjWHNsCLVj97Ebi46wjsdilpRUeJ67qjpf6l4z+DFCZg+XAr0sK+ OQz3PSGaoKj6AV+Daz1/XnfN4Rjig9mQ/Ahs6yqwcX77eApV0E++CKx+39fz6ESrCCNX wRX6HBJwL0xdeAlgEq/u9OiW+DHclChUR5foaaDbhLNS6OIRX/FVe5o3PUWzi7XIybl9 DIn/7doooEnQIdzT7K2ANYSDX43fFYxCIGtMmO3gNxE6uKN4k1QuiYUpwR1ziT2w7YeB yrQDkJJMblt33OwMbp1vTlmjWMvl/BJXdXOCxr4iY4pK6fEVlh7G7EAJb2SvPvhBd0d7 kQ== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3bc14pr6hs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Sep 2021 04:14:13 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 28 Sep 2021 04:14:11 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Tue, 28 Sep 2021 04:14:10 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id D69333F7099; Tue, 28 Sep 2021 04:14:06 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Tue, 28 Sep 2021 17:37:40 +0530 Message-ID: <20210928120741.16674-3-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210928120741.16674-1-ktejasree@marvell.com> References: <20210928120741.16674-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: piww3fv_2zuKXhIm4VLXik9cpjlsF-3G X-Proofpoint-GUID: piww3fv_2zuKXhIm4VLXik9cpjlsF-3G X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-28_05,2021-09-28_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v2 2/3] common/cnxk: add support for tunnel header verification X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Adding support to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- drivers/common/cnxk/cnxk_security.c | 60 +++++++++++++++++++ drivers/common/cnxk/roc_ie_ot.h | 6 +- .../crypto/cnxk/cnxk_cryptodev_capabilities.c | 4 ++ 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c index 215d9fd4d1..cc5daf333c 100644 --- a/drivers/common/cnxk/cnxk_security.c +++ b/drivers/common/cnxk/cnxk_security.c @@ -199,6 +199,62 @@ ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa) return size; } +static int +ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa, + struct rte_security_ipsec_xform *ipsec_xfrm) +{ + struct rte_security_ipsec_tunnel_param *tunnel; + + if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + return 0; + + if (ipsec_xfrm->options.tunnel_hdr_verify == 0) + return 0; + + tunnel = &ipsec_xfrm->tunnel; + + switch (tunnel->type) { + case RTE_SECURITY_IPSEC_TUNNEL_IPV4: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4; + memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip, + sizeof(struct in_addr)); + memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip, + sizeof(struct in_addr)); + + /* IP Source and Dest are in LE/CPU endian */ + sa->outer_hdr.ipv4.src_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr); + sa->outer_hdr.ipv4.dst_addr = + rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr); + + break; + case RTE_SECURITY_IPSEC_TUNNEL_IPV6: + sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6; + memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr, + sizeof(struct in6_addr)); + memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr, + sizeof(struct in6_addr)); + + break; + default: + return -EINVAL; + } + + switch (ipsec_xfrm->options.tunnel_hdr_verify) { + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR: + sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR; + break; + case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR: + sa->w2.s.ip_hdr_verify = + ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR; + break; + default: + return -ENOTSUP; + } + + return 0; +} + int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, @@ -229,6 +285,10 @@ cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5; } + rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm); + if (rc) + return rc; + /* Default options for pkt_out and pkt_fmt are with * second pass meta and no defrag. */ diff --git a/drivers/common/cnxk/roc_ie_ot.h b/drivers/common/cnxk/roc_ie_ot.h index 1ff468841d..12c75afac2 100644 --- a/drivers/common/cnxk/roc_ie_ot.h +++ b/drivers/common/cnxk/roc_ie_ot.h @@ -180,7 +180,11 @@ union roc_ot_ipsec_sa_word2 { uint64_t auth_type : 4; uint64_t encap_type : 2; - uint64_t rsvd1 : 6; + uint64_t et_ovrwr_ddr_en : 1; + uint64_t esn_en : 1; + uint64_t tport_l4_incr_csum : 1; + uint64_t ip_hdr_verify : 2; + uint64_t rsvd5 : 1; uint64_t rsvd2 : 7; uint64_t async_mode : 1; diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c index 4b97639e56..8a0cf289fd 100644 --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c @@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap) #ifdef LA_IPSEC_DEBUG sec_cap->ipsec.options.iv_gen_disable = 1; #endif + } else { + if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) + sec_cap->ipsec.options.tunnel_hdr_verify = + RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; } } From patchwork Tue Sep 28 12:07:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 99903 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BBF15A0032; Tue, 28 Sep 2021 13:14:25 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 72A5F410FE; Tue, 28 Sep 2021 13:14:21 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id A9681410FE for ; Tue, 28 Sep 2021 13:14:19 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18SAF4ct019479; Tue, 28 Sep 2021 04:14:19 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=FDB4BfAUgHi7gc6sLEhn0JQ+aRAHQUKkzEC9DwXyVtk=; b=iS3dmubxQ6JA9iXGRsHEtdmJF1ZKi+PX8LbMQjpIJLfB2DS8PlHTwd/Rvfqe/F0W6hqR ZcizgVLgsj+q2O7B38iG1DdguGM5azHVpzq1dIUjqoofcBbnK68n1HCU7scjO5xOBiVU PP4U9CksZ2IHezdLKauHzBeoyjgXeyySzb6HXOZXMM6Dfu0RvJKduQbjxV/1XpXb3FN/ oI9ExQPeRTrkVfvJ7qBOTdSA5mITyuPlokHzzEc1ECLbLfp1Stq7qYVeLo1ygOTQKtK+ kGpBGXObAPqNmy5netehDKoQPWp8XGnqxg6W3VrR7z5XTgXcBhDm4A4yxgZQBCEHrDAy sQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com with ESMTP id 3bc14pr6jb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Sep 2021 04:14:18 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 28 Sep 2021 04:14:15 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Tue, 28 Sep 2021 04:14:15 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 881C33F7098; Tue, 28 Sep 2021 04:14:11 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Tue, 28 Sep 2021 17:37:41 +0530 Message-ID: <20210928120741.16674-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210928120741.16674-1-ktejasree@marvell.com> References: <20210928120741.16674-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: Bkt2z0b2MC4k9yNu5xfeVTeuCtUTBqzZ X-Proofpoint-GUID: Bkt2z0b2MC4k9yNu5xfeVTeuCtUTBqzZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-28_05,2021-09-28_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v2 3/3] test/crypto: add tunnel header verification tests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add test cases to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 45 ++++++++++++++++++- app/test/test_cryptodev_security_ipsec.c | 25 ++++++++++- app/test/test_cryptodev_security_ipsec.h | 1 + ...st_cryptodev_security_ipsec_test_vectors.h | 3 ++ 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 34b55a952e..665d19c0a4 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8924,6 +8924,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], int salt_len, i, ret = TEST_SUCCESS; struct rte_security_ctx *ctx; uint8_t *input_text; + uint32_t verify; ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; @@ -8933,11 +8934,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Copy IPsec xform */ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + dir = ipsec_xform.direction; + verify = flags->tunnel_hdr_verify; + + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) { + if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR) + src += 1; + else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR) + dst += 1; + } + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - dir = ipsec_xform.direction; - ctx = rte_cryptodev_get_sec_ctx(dev_id); sec_cap_idx.action = ut_params->type; @@ -9229,6 +9238,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14173,6 +14206,14 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), + TEST_CASE_NAMED_ST( + "Tunnel dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Tunnel src and dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_src_dst_addr_verify), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 046536cc9c..f040630655 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xform->options.tunnel_hdr_verify > + sec_cap->ipsec.options.tunnel_hdr_verify)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Tunnel header verify is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = + flags->tunnel_hdr_verify; + /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } @@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || - flags->sa_expiry_pkts_hard)) + flags->sa_expiry_pkts_hard || + flags->tunnel_hdr_verify)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && @@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op, } } + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + flags->tunnel_hdr_verify) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("Tunnel header verify test case failed\n"); + return TEST_FAILED; + } else { + return TEST_SUCCESS; + } + } + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { printf("ICV corruption test case failed\n"); diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 18f3c64bb7..a65cb54eae 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -53,6 +53,7 @@ struct ipsec_test_flags { bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; + uint32_t tunnel_hdr_verify; bool udp_encap; }; diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 38ea43d157..4e147ec19c 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,