From patchwork Thu Feb 16 14:24:40 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 124079 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 680FB41CB2; Thu, 16 Feb 2023 15:25:02 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 545AD40EE3; Thu, 16 Feb 2023 15:25:02 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id BEB2340E03; Thu, 16 Feb 2023 15:25:00 +0100 (CET) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31GEMgH3027452; Thu, 16 Feb 2023 06:24:55 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=D4/OLIKlLHHKVCjVrwarg6peUWebbvBFDaiBXaFjaoY=; b=jEjwbTvKlL4x130m7h1eoXNsSjk3N4e+FDfWkKd9MCSXnc+Pv2bG8cSvMZEDcRX2+1Gs kOFEsC2SGP1rNcCrOACGBgccY4GT3d03OGg4wJ5SnVhIrje3yFCekqiBzqj5UFwDOSFU lHWwYglAVJjnu1kTaY0p7u6BzBvTvU/n+dbKUrIWjj8ShH5r2NZ1b8fO5ImOq3XzLHdp yWfsH3j24VRz9zFDeE8QKlw+gJty6QCRQ131qTndonWePTa7wIqCnS0GG6Gtt+DIsSmg fSLE6w+/F6PVG28DXVjhX5dVbaMf5GcUF86hFYaWz4jx4k1Xgo7Upb1lt1/TGS0LNZ1x tw== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3nsg888xmu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 16 Feb 2023 06:24:55 -0800 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 16 Feb 2023 06:24:53 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.42 via Frontend Transport; Thu, 16 Feb 2023 06:24:53 -0800 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id 242443F7089; Thu, 16 Feb 2023 06:24:49 -0800 (PST) From: Akhil Goyal To: CC: , , , , , , , , , Akhil Goyal , Subject: [PATCH 1/3] examples/ipsec-secgw: fix auth IV length Date: Thu, 16 Feb 2023 19:54:40 +0530 Message-ID: <20230216142442.3657742-1-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: oEN7bJP3BZVtlkOpgHO1DLukuS7o23mP X-Proofpoint-GUID: oEN7bJP3BZVtlkOpgHO1DLukuS7o23mP X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-16_10,2023-02-16_01,2023-02-09_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Currently, cipher IV length is getting used to set auth xform IV length. Auth IV is needed for AES-GMAC case, and in all other cases, auth IV should be 0. Used a separate auth IV length to separate out cipher and auth cases. Fixes: 9413c3901f31 ("examples/ipsec-secgw: support additional algorithms") Cc: stable@dpdk.org Signed-off-by: Akhil Goyal Acked-by: Kai Ji --- examples/ipsec-secgw/sa.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 7da9444a7b..001762bea9 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1247,6 +1247,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], struct ipsec_sa *sa; uint32_t i, idx; uint16_t iv_length, aad_length; + uint16_t auth_iv_length = 0; int inline_status; int32_t rc; struct rte_ipsec_session *ips; @@ -1340,7 +1341,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], /* AES_GMAC uses salt like AEAD algorithms */ if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GMAC) - iv_length = 12; + auth_iv_length = 12; if (inbound) { sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER; @@ -1364,7 +1365,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa_ctx->xf[idx].a.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY; sa_ctx->xf[idx].a.auth.iv.offset = IV_OFFSET; - sa_ctx->xf[idx].a.auth.iv.length = iv_length; + sa_ctx->xf[idx].a.auth.iv.length = auth_iv_length; } else { /* outbound */ sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER; @@ -1388,7 +1389,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], sa_ctx->xf[idx].b.auth.op = RTE_CRYPTO_AUTH_OP_GENERATE; sa_ctx->xf[idx].b.auth.iv.offset = IV_OFFSET; - sa_ctx->xf[idx].b.auth.iv.length = iv_length; + sa_ctx->xf[idx].b.auth.iv.length = auth_iv_length; } From patchwork Thu Feb 16 14:24:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 124080 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id DC06C41CB2; Thu, 16 Feb 2023 15:25:09 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id CA3CC40E03; Thu, 16 Feb 2023 15:25:06 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id A618542D81 for ; Thu, 16 Feb 2023 15:25:04 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31G7ZLHL007453; Thu, 16 Feb 2023 06:24:59 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=vWtwNcFlfWEwsTTBTJ1yFmzKG02rqIFc41o0Nj6QIoU=; b=DKN/6V/dlo69Ap6MW9d/YI+QLCwyhPe/hCpDGLn23A7NeCPZZvTjhiXXFI2zv4gmRX1+ rg1UIvYEnlMEOXODFd0Dg/JSn35+o+G/UZK+4/sFMCJdyzQIBzwWGorpQ6MBxMofTT2Q fRS3WkgFdsR4UNTNouyb2yE+CoJQ2R54n05Xlglbp24NikG012V3e2AG3zubCLPMzf9A Rj84glGWFC9ayIHWxak+FCJurKXFHjvzZf6RFUysRip1FJZOSS6Kk/xDHbeN+R1DRwfj aFjj/E2G1FXpeqQQqm14g7FV/oceHYMlgLMMoimiu9fYdLWxWlWZG9bpra6zJ7A+fcJn Rg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3nsg6w9rd7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 16 Feb 2023 06:24:59 -0800 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 16 Feb 2023 06:24:57 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.42 via Frontend Transport; Thu, 16 Feb 2023 06:24:57 -0800 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id 293343F7096; Thu, 16 Feb 2023 06:24:53 -0800 (PST) From: Akhil Goyal To: CC: , , , , , , , , , Akhil Goyal Subject: [PATCH 2/3] examples/ipsec-secgw: check capabilities before session create Date: Thu, 16 Feb 2023 19:54:41 +0530 Message-ID: <20230216142442.3657742-2-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230216142442.3657742-1-gakhil@marvell.com> References: <20230216142442.3657742-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: Ua8Iaq_Uh4L9QULYuzUOgvAVFUe-jRAA X-Proofpoint-GUID: Ua8Iaq_Uh4L9QULYuzUOgvAVFUe-jRAA X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-16_10,2023-02-16_01,2023-02-09_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Currently, sessions are created without checking the device capabilities, which may result in failure at a later stage. Device capabilities are now checked before creating the security/crypto session. Signed-off-by: Akhil Goyal Acked-by: Kai Ji --- examples/ipsec-secgw/ipsec.c | 208 ++++++++++++++++++++++++++++++++++- 1 file changed, 205 insertions(+), 3 deletions(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 9b52d37b81..c51f1b7eb2 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -57,6 +57,182 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) ipsec->options.ip_reassembly_en = 1; } +static inline int +verify_crypto_xform(const struct rte_cryptodev_capabilities *capabilities, + struct rte_crypto_sym_xform *crypto_xform) +{ + const struct rte_cryptodev_capabilities *crypto_cap; + int j = 0; + + while ((crypto_cap = &capabilities[j++])->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + crypto_cap->sym.xform_type == crypto_xform->type) { + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD && + crypto_cap->sym.aead.algo == crypto_xform->aead.algo) { + if (rte_cryptodev_sym_capability_check_aead(&crypto_cap->sym, + crypto_xform->aead.key.length, + crypto_xform->aead.digest_length, + crypto_xform->aead.aad_length, + crypto_xform->aead.iv.length) == 0) + return 0; + } + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && + crypto_cap->sym.cipher.algo == crypto_xform->cipher.algo) { + if (rte_cryptodev_sym_capability_check_cipher(&crypto_cap->sym, + crypto_xform->cipher.key.length, + crypto_xform->cipher.iv.length) == 0) + return 0; + } + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH && + crypto_cap->sym.auth.algo == crypto_xform->auth.algo) { + if (rte_cryptodev_sym_capability_check_auth(&crypto_cap->sym, + crypto_xform->auth.key.length, + crypto_xform->auth.digest_length, + crypto_xform->auth.iv.length) == 0) + return 0; + } + } + } + + return -ENOTSUP; +} + +static inline int +verify_crypto_capabilities(const struct rte_cryptodev_capabilities *capabilities, + struct rte_crypto_sym_xform *crypto_xform) +{ + if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) + return verify_crypto_xform(capabilities, crypto_xform); + else if (crypto_xform->next != NULL) + return (verify_crypto_xform(capabilities, crypto_xform) || + verify_crypto_xform(capabilities, crypto_xform->next)); + else + return -ENOTSUP; +} + +static inline int +verify_ipsec_capabilities(struct rte_security_ipsec_xform *ipsec_xform, + const struct rte_security_capability *sec_cap) +{ + /* Verify security capabilities */ + + if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) { + RTE_LOG(INFO, USER1, "ESN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.udp_encap == 1 && + sec_cap->ipsec.options.udp_encap == 0) { + RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.udp_ports_verify == 1 && + sec_cap->ipsec.options.udp_ports_verify == 0) { + RTE_LOG(DEBUG, USER1, + "UDP encapsulation ports verification is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_dscp == 1 && + sec_cap->ipsec.options.copy_dscp == 0) { + RTE_LOG(DEBUG, USER1, "Copy DSCP is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_flabel == 1 && + sec_cap->ipsec.options.copy_flabel == 0) { + RTE_LOG(DEBUG, USER1, "Copy Flow Label is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_df == 1 && + sec_cap->ipsec.options.copy_df == 0) { + RTE_LOG(DEBUG, USER1, "Copy DP bit is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.dec_ttl == 1 && + sec_cap->ipsec.options.dec_ttl == 0) { + RTE_LOG(DEBUG, USER1, "Decrement TTL is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) { + RTE_LOG(DEBUG, USER1, "ECN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.stats == 1 && + sec_cap->ipsec.options.stats == 0) { + RTE_LOG(DEBUG, USER1, "Stats is not supported\n"); + return -ENOTSUP; + } + + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + (ipsec_xform->options.iv_gen_disable == 1) && + (sec_cap->ipsec.options.iv_gen_disable != 1)) { + RTE_LOG(DEBUG, USER1, "Application provided IV is not supported\n"); + return -ENOTSUP; + } + + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xform->options.tunnel_hdr_verify > + sec_cap->ipsec.options.tunnel_hdr_verify)) { + RTE_LOG(DEBUG, USER1, "Tunnel header verify is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.ip_csum_enable == 1 && + sec_cap->ipsec.options.ip_csum_enable == 0) { + RTE_LOG(DEBUG, USER1, "Inner IP checksum is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.l4_csum_enable == 1 && + sec_cap->ipsec.options.l4_csum_enable == 0) { + RTE_LOG(DEBUG, USER1, "Inner L4 checksum is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + if (ipsec_xform->replay_win_sz > sec_cap->ipsec.replay_win_sz_max) { + RTE_LOG(DEBUG, USER1, "Replay window size is not supported\n"); + return -ENOTSUP; + } + } + + return 0; +} + + +static inline int +verify_security_capabilities(struct rte_security_ctx *ctx, + struct rte_security_session_conf *sess_conf) +{ + struct rte_security_capability_idx sec_cap_idx; + const struct rte_security_capability *sec_cap; + + sec_cap_idx.action = sess_conf->action_type; + sec_cap_idx.protocol = sess_conf->protocol; + sec_cap_idx.ipsec.proto = sess_conf->ipsec.proto; + sec_cap_idx.ipsec.mode = sess_conf->ipsec.mode; + sec_cap_idx.ipsec.direction = sess_conf->ipsec.direction; + + sec_cap = rte_security_capability_get(ctx, &sec_cap_idx); + if (sec_cap == NULL) + return -ENOTSUP; + + if (verify_crypto_capabilities(sec_cap->crypto_capabilities, + sess_conf->crypto_xform)) + return -ENOTSUP; + + if (verify_ipsec_capabilities(&sess_conf->ipsec, sec_cap)) + return -ENOTSUP; + + return 0; +} + int create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], struct socket_ctx *skt_ctx, const struct eventmode_conf *em_conf, @@ -156,6 +332,12 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); + if (verify_security_capabilities(ctx, &sess_conf)) { + RTE_LOG(ERR, IPSEC, + "Requested security session config not supported\n"); + return -1; + } + ips->security.ses = rte_security_session_create(ctx, &sess_conf, skt_ctx->session_pool); if (ips->security.ses == NULL) { @@ -173,15 +355,23 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], return -1; } } else { + struct rte_cryptodev_info info; + + rte_cryptodev_info_get(cdev_id, &info); + if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { - struct rte_cryptodev_info info; - - rte_cryptodev_info_get(cdev_id, &info); if (!(info.feature_flags & RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO)) return -ENOTSUP; } + + if (verify_crypto_capabilities(info.capabilities, sa->xforms)) { + RTE_LOG(ERR, IPSEC, + "Requested crypto session config not supported\n"); + return -1; + } + ips->crypto.dev_id = cdev_id; ips->crypto.ses = rte_cryptodev_sym_session_create(cdev_id, sa->xforms, skt_ctx->session_pool); @@ -308,6 +498,12 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } + if (verify_security_capabilities(sec_ctx, &sess_conf)) { + RTE_LOG(ERR, IPSEC, + "Requested security session config not supported\n"); + return -1; + } + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); if (ips->security.ses == NULL) { @@ -507,6 +703,12 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, sess_conf.userdata = (void *) sa; + if (verify_security_capabilities(sec_ctx, &sess_conf)) { + RTE_LOG(ERR, IPSEC, + "Requested security session config not supported\n"); + return -1; + } + ips->security.ses = rte_security_session_create(sec_ctx, &sess_conf, skt_ctx->session_pool); if (ips->security.ses == NULL) { From patchwork Thu Feb 16 14:24:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 124081 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 68D7A41CB2; Thu, 16 Feb 2023 15:25:15 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id E743F42D74; Thu, 16 Feb 2023 15:25:10 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 60D6342D70 for ; Thu, 16 Feb 2023 15:25:09 +0100 (CET) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 31GDe2Qk007429; Thu, 16 Feb 2023 06:25:03 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=XjW9CptDGT4Hb3xE44LZCXJ7bl3IDxmrqYnyUL11nu0=; b=RqgCCuGf5l+47XONnTwzYmd/5ZqQAXSoYHvRI349WVX8V2rtBev17vM3bDfaxgmdGeGE wkM5Wwlh8rOE3JFVNyiE9e/PkC9Rk4eB7bVpRP5tnQCKPL5sGdkLU3xGHxt7dV6s3jIG sCR6n+eZ9yh/Mab1KdU1lJeJNEB7ilPVLnDAmtO4Aep4gia2wl2iZwOLnASPcqhv3HmK BezigPUQRhBhQe3C5j/XMj/f/YGXJo4oZfrdlTGDAQLTP8mXiNNh0D6vu6trzVj3zNwz 7+1IApNrusz5rZONrFnMrFjf8Auo9EjUbqYwqi3u/RkZujO/MQVJz4FFUwpIU5oqG4dz VQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3nsg888xnd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 16 Feb 2023 06:25:02 -0800 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Thu, 16 Feb 2023 06:25:01 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.42 via Frontend Transport; Thu, 16 Feb 2023 06:25:01 -0800 Received: from localhost.localdomain (unknown [10.28.36.102]) by maili.marvell.com (Postfix) with ESMTP id E4C6A3F7089; Thu, 16 Feb 2023 06:24:57 -0800 (PST) From: Akhil Goyal To: CC: , , , , , , , , , Akhil Goyal Subject: [PATCH 3/3] examples/ipsec-secgw: refactor inline capability check Date: Thu, 16 Feb 2023 19:54:42 +0530 Message-ID: <20230216142442.3657742-3-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230216142442.3657742-1-gakhil@marvell.com> References: <20230216142442.3657742-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: mUsg4NQttmnKTeUtyXinxnm_UGcYmb7k X-Proofpoint-GUID: mUsg4NQttmnKTeUtyXinxnm_UGcYmb7k X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-16_10,2023-02-16_01,2023-02-09_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org In cases of inline IPsec, the supported ol_flags are retrieved from security capability of device. Now that capability checks are added before creating the session, ol_flags can be retrieved from the same function call. Signed-off-by: Akhil Goyal Acked-by: Kai Ji --- examples/ipsec-secgw/ipsec.c | 65 ++++++------------------------------ 1 file changed, 10 insertions(+), 55 deletions(-) diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index c51f1b7eb2..a5c2b524a7 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -208,7 +208,8 @@ verify_ipsec_capabilities(struct rte_security_ipsec_xform *ipsec_xform, static inline int verify_security_capabilities(struct rte_security_ctx *ctx, - struct rte_security_session_conf *sess_conf) + struct rte_security_session_conf *sess_conf, + uint32_t *ol_flags) { struct rte_security_capability_idx sec_cap_idx; const struct rte_security_capability *sec_cap; @@ -230,6 +231,9 @@ verify_security_capabilities(struct rte_security_ctx *ctx, if (verify_ipsec_capabilities(&sess_conf->ipsec, sec_cap)) return -ENOTSUP; + if (ol_flags != NULL) + *ol_flags = sec_cap->ol_flags; + return 0; } @@ -332,7 +336,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx_lcore[], /* Set IPsec parameters in conf */ set_ipsec_conf(sa, &(sess_conf.ipsec)); - if (verify_security_capabilities(ctx, &sess_conf)) { + if (verify_security_capabilities(ctx, &sess_conf, NULL)) { RTE_LOG(ERR, IPSEC, "Requested security session config not supported\n"); return -1; @@ -486,7 +490,6 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) { struct rte_flow_error err; - const struct rte_security_capability *sec_cap; int ret = 0; sec_ctx = (struct rte_security_ctx *) @@ -498,7 +501,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } - if (verify_security_capabilities(sec_ctx, &sess_conf)) { + if (verify_security_capabilities(sec_ctx, &sess_conf, + &ips->security.ol_flags)) { RTE_LOG(ERR, IPSEC, "Requested security session config not supported\n"); return -1; @@ -512,27 +516,6 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } - sec_cap = rte_security_capabilities_get(sec_ctx); - - /* iterate until ESP tunnel*/ - while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) { - if (sec_cap->action == ips->type && - sec_cap->protocol == - RTE_SECURITY_PROTOCOL_IPSEC && - sec_cap->ipsec.mode == - RTE_SECURITY_IPSEC_SA_MODE_TUNNEL && - sec_cap->ipsec.direction == sa->direction) - break; - sec_cap++; - } - - if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) { - RTE_LOG(ERR, IPSEC, - "No suitable security capability found\n"); - return -1; - } - - ips->security.ol_flags = sec_cap->ol_flags; ips->security.ctx = sec_ctx; sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH; @@ -676,8 +659,6 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { - const struct rte_security_capability *sec_cap; - sec_ctx = (struct rte_security_ctx *) rte_eth_dev_get_sec_ctx(sa->portid); @@ -703,7 +684,8 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, sess_conf.userdata = (void *) sa; - if (verify_security_capabilities(sec_ctx, &sess_conf)) { + if (verify_security_capabilities(sec_ctx, &sess_conf, + &ips->security.ol_flags)) { RTE_LOG(ERR, IPSEC, "Requested security session config not supported\n"); return -1; @@ -717,33 +699,6 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, return -1; } - sec_cap = rte_security_capabilities_get(sec_ctx); - if (sec_cap == NULL) { - RTE_LOG(ERR, IPSEC, - "No capabilities registered\n"); - return -1; - } - - /* iterate until ESP tunnel*/ - while (sec_cap->action != - RTE_SECURITY_ACTION_TYPE_NONE) { - if (sec_cap->action == ips->type && - sec_cap->protocol == - RTE_SECURITY_PROTOCOL_IPSEC && - sec_cap->ipsec.mode == - sess_conf.ipsec.mode && - sec_cap->ipsec.direction == sa->direction) - break; - sec_cap++; - } - - if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) { - RTE_LOG(ERR, IPSEC, - "No suitable security capability found\n"); - return -1; - } - - ips->security.ol_flags = sec_cap->ol_flags; ips->security.ctx = sec_ctx; }