From patchwork Wed Jan 24 16:00:08 2018
X-Patchwork-Submitter: Github ODP bot
X-Patchwork-Id: 125682
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Wed, 24 Jan 2018 19:00:08 +0300
Message-Id: <1516809608-18061-5-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1516809608-18061-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v1 4/4] linux-gen: ipsec: prevent sa_lookup from matching outbound SAs

From: Dmitry Eremin-Solenikov

lookup_mode was valid only for inbound SAs but contained garbage for outbound SAs. Thus it was possible for lookup to match SA with outbound SA. Prevent that by marking all outbound SAs as ODP_IPSEC_LOOKUP_DISABLED.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 83482dc460d8a076de317029373e2c8bf3178974
 **/
platform/linux-generic/include/odp_ipsec_internal.h | 2 +- platform/linux-generic/odp_ipsec_sad.c | 14 ++++++-------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index dbdcbb917..bdb86c400 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -122,6 +122,7 @@ struct ipsec_sa_s { uint8_t salt[IPSEC_MAX_SALT_LEN]; uint32_t salt_length; + odp_ipsec_lookup_mode_t lookup_mode; union { unsigned flags; 
@@ -144,7 +145,6 @@ struct ipsec_sa_s { union { struct { - odp_ipsec_lookup_mode_t lookup_mode; odp_ipsec_ip_version_t lookup_ver; union { odp_u32be_t lookup_dst_ipv4; diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index ad229e754..2af72bbb5 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -274,8 +274,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->mode = param->mode; ipsec_sa->flags = 0; if (ODP_IPSEC_DIR_INBOUND == param->dir) { - ipsec_sa->in.lookup_mode = param->inbound.lookup_mode; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode) { + ipsec_sa->lookup_mode = param->inbound.lookup_mode; + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode) { ipsec_sa->in.lookup_ver = param->inbound.lookup_param.ip_version; if (ODP_IPSEC_IPV4 == ipsec_sa->in.lookup_ver) @@ -293,6 +293,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else { + ipsec_sa->lookup_mode = ODP_IPSEC_LOOKUP_DISABLED; odp_atomic_store_u32(&ipsec_sa->out.seq, 1); ipsec_sa->out.frag_mode = param->outbound.frag_mode; ipsec_sa->out.mtu = param->outbound.mtu; @@ -552,19 +553,16 @@ int odp_ipsec_sa_mtu_update(odp_ipsec_sa_t sa, uint32_t mtu) ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) { - (void)lookup; - int i; - ipsec_sa_t *ipsec_sa; ipsec_sa_t *best = NULL; for (i = 0; i < ODP_CONFIG_IPSEC_SAS; i++) { - ipsec_sa = ipsec_sa_entry(i); + ipsec_sa_t *ipsec_sa = ipsec_sa_entry(i); if (ipsec_sa_lock(ipsec_sa) < 0) continue; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode && + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi && lookup->ver == ipsec_sa->in.lookup_ver && 
@@ -576,7 +574,7 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) _odp_ipsec_sa_unuse(best); return ipsec_sa; } else if (NULL == best && - ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && + ODP_IPSEC_LOOKUP_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi) { best = ipsec_sa;
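Review bot: In odp_ipsec_internal.h, the relocated `odp_ipsec_lookup_mode_t lookup_mode;` (hunk at -122,6) carries no comment saying that it is now set for both directions and is always ODP_IPSEC_LOOKUP_DISABLED on outbound SAs. The lookup_ver and lookup_dst_ipv4 members stay under `in`, so a short comment on the field stating that the `in.lookup_*` members may be read only after lookup_mode has been checked would keep a later change from reintroducing reads of outbound data as lookup keys.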
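Review bot: In odp_ipsec_sa_create(), lookup_mode is assigned separately in the inbound branch (hunk at -274,8) and in the else branch (hunk at -293,6), so correctness depends on every branch remembering to set it. Assigning `ipsec_sa->lookup_mode = ODP_IPSEC_LOOKUP_DISABLED;` once next to `ipsec_sa->flags = 0;` and overriding it only when `ODP_IPSEC_DIR_INBOUND == param->dir` gives the same result and leaves no path on which the field keeps a stale value.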
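Review bot: The hunk at -552,19 in _odp_ipsec_sa_lookup() mixes the fix with cleanup the commit message does not mention: dropping `(void)lookup;` and moving the `ipsec_sa_t *ipsec_sa` declaration into the loop body. Putting that cleanup in its own patch, or naming it in the message, would leave the functional change (the switch from `ipsec_sa->in.lookup_mode` to `ipsec_sa->lookup_mode`) easier to audit and to backport.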
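Review bot: The ODP_IPSEC_LOOKUP_SPI fallback in the hunk at -576,7 matches on `lookup->proto` and `lookup->spi` alone, which makes it the branch where a wrongly typed SA is easiest to hit, yet the diffstat lists only odp_ipsec_internal.h and odp_ipsec_sad.c, so this patch adds no test for it. A validation case that creates an outbound SA, performs an inbound lookup with the same proto and SPI, and expects no match would pin the corrected behaviour down.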