From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:06 +0300
Subject: [lng-odp] [PATCH API-NEXT v15 1/14] linux-gen: ipsec: use counter instead of random IV for GCM

From: Dmitry Eremin-Solenikov

Reusing IV block with GCM results in disastrous consequences. Use counter instead of random-generated IV to remove possibility for IV reuse.

Signed-off-by: Dmitry Eremin-Solenikov
--- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ .../linux-generic/include/odp_ipsec_internal.h | 16 ++++++++++--- platform/linux-generic/odp_ipsec.c | 28 +++++++++++++++------- platform/linux-generic/odp_ipsec_sad.c | 9 +++++++ 3 files changed, 42 insertions(+), 11 deletions(-) diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index 1340ca7bd..afc2f686e 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -118,9 +118,17 @@ struct ipsec_sa_s { uint8_t salt[IPSEC_MAX_SALT_LEN]; uint32_t salt_length; - unsigned dec_ttl : 1; - unsigned copy_dscp : 1; - unsigned copy_df : 1; + union { + unsigned flags; + struct { + unsigned dec_ttl : 1; + unsigned copy_dscp : 1; + unsigned copy_df : 1; + + /* Only for outbound */ + unsigned use_counter_iv : 1; + }; + }; union { struct { @@ -136,6 +144,8 @@ struct ipsec_sa_s { odp_atomic_u32_t tun_hdr_id; odp_atomic_u32_t seq; + odp_atomic_u64_t counter; /* for CTR/GCM */ + uint8_t tun_ttl; uint8_t tun_dscp; uint8_t tun_df; diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index e57736c2a..6a731e999 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -676,23 +676,36 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, ip_data_len + ipsec_sa->icv_len; - if (ipsec_sa->esp_iv_len) { + if (ipsec_sa->use_counter_iv) { + uint64_t ctr; + + /* Both GCM and CTR use 8-bit counters */ + ODP_ASSERT(sizeof(ctr) == ipsec_sa->esp_iv_len); + + ctr = odp_atomic_fetch_add_u64(&ipsec_sa->out.counter, + 1); + /* Check for overrun */ + if (ctr == 0) + goto out; + + memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length); + memcpy(iv + ipsec_sa->salt_length, &ctr, + ipsec_sa->esp_iv_len); + + } else if (ipsec_sa->esp_iv_len) { uint32_t len; - len = odp_random_data(iv + ipsec_sa->salt_length, - ipsec_sa->esp_iv_len, + len = odp_random_data(iv, ipsec_sa->esp_iv_len, ODP_RANDOM_CRYPTO); if (len != ipsec_sa->esp_iv_len) { status->error.alg = 1; goto out; } - - memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length); - - param.override_iv_ptr = iv; } + param.override_iv_ptr = iv; + if (odp_packet_extend_tail(&pkt, trl_len, NULL, NULL) < 0) { status->error.alg = 1; goto out; 
@@ -734,7 +747,6 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, odp_packet_copy_from_mem(pkt, ipsec_offset, _ODP_ESPHDR_LEN, &esp); - memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length); odp_packet_copy_from_mem(pkt, ipsec_offset + _ODP_ESPHDR_LEN, ipsec_sa->esp_iv_len, diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index f0b5b9e4a..dc338bfcd 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -207,6 +207,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->context = param->context; ipsec_sa->queue = param->dest_queue; ipsec_sa->mode = param->mode; + ipsec_sa->flags = 0; if (ODP_IPSEC_DIR_INBOUND == param->dir) { ipsec_sa->in.lookup_mode = param->inbound.lookup_mode; if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode) @@ -298,11 +299,13 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) case ODP_CIPHER_ALG_NULL: ipsec_sa->esp_iv_len = 0; ipsec_sa->esp_block_len = 1; + crypto_param.iv.length = 0; break; case ODP_CIPHER_ALG_DES: case ODP_CIPHER_ALG_3DES_CBC: ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 8; + crypto_param.iv.length = 8; break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_CBC: @@ -310,11 +313,13 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) case ODP_CIPHER_ALG_AES_CBC: ipsec_sa->esp_iv_len = 16; ipsec_sa->esp_block_len = 16; + crypto_param.iv.length = 16; break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_GCM: #endif case ODP_CIPHER_ALG_AES_GCM: + ipsec_sa->use_counter_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; crypto_param.iv.length = 12; 
@@ -323,6 +328,10 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) return ODP_IPSEC_SA_INVALID; } + if (1 == ipsec_sa->use_counter_iv && + ODP_IPSEC_DIR_OUTBOUND == param->dir) + odp_atomic_init_u64(&ipsec_sa->out.counter, 1); + crypto_param.auth_digest_len = ipsec_sa->icv_len; if (param->crypto.cipher_key_extra.length) {
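Review bot: in the `ipsec_out_single` hunk (`@@ -676,23 +676,36 @@`) the overrun check `if (ctr == 0) goto out;` drops only the one packet that observes the wrap. `odp_atomic_fetch_add_u64()` keeps incrementing, so the next caller gets 1 again, the value `odp_ipsec_sa_create()` seeds the counter with, and the same salt plus counter is then issued a second time under the same SA. Latch the exhausted state (refuse once the counter reaches its maximum, or mark the SA as expired) so that no IV can be handed out after the wrap. The overrun path also reaches `out` without setting anything in `status->error`, unlike the `odp_random_data()` failure path, which sets `status->error.alg = 1`. The comment "Both GCM and CTR use 8-bit counters" should say 8-byte, since the assert compares `sizeof(ctr)` with `esp_iv_len`.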
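Review bot: in the `odp_ipsec_sa_create` hunk at `@@ -323,6 +328,10 @@` the counter is initialised only for outbound SAs, but the `ODP_CIPHER_ALG_AES_GCM` case sets `use_counter_iv = 1` for either direction, while the header comment marks the bit "Only for outbound". Set the flag only when `param->dir` is `ODP_IPSEC_DIR_OUTBOUND`, so the bit means the same thing everywhere and this test reduces to `if (ipsec_sa->use_counter_iv)`. The in-code comments also mention CTR, yet the visible hunks set the flag for GCM only; drop the CTR mention or explain it in the commit message.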

From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:07 +0300
Subject: [lng-odp] [PATCH API-NEXT v15 2/14] validation: ipsec: drop unused file

From: Dmitry Eremin-Solenikov

Signed-off-by: Dmitry Eremin-Solenikov
--- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ test/validation/api/ipsec/ipsec_sync_in.c | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 test/validation/api/ipsec/ipsec_sync_in.c diff --git a/test/validation/api/ipsec/ipsec_sync_in.c b/test/validation/api/ipsec/ipsec_sync_in.c deleted file mode 100644 index 8a7fc4680..000000000 --- a/test/validation/api/ipsec/ipsec_sync_in.c +++ /dev/null
@@ -1,27 +0,0 @@ -/* Copyright (c) 2017, Linaro Limited - * All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#include "config.h" - -#include "ipsec.h" - -int main(int argc, char *argv[]) -{ - int ret; - - /* parse common options: */ - if (odp_cunit_parse_options(argc, argv)) - return -1; - - odp_cunit_register_global_init(ipsec_init); - odp_cunit_register_global_term(ipsec_term); - - ret = odp_cunit_register(ipsec_suites); - if (ret == 0) - ret = odp_cunit_run(); - - return ret; -}

From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:08 +0300
Subject: [lng-odp] [PATCH API-NEXT v15 3/14] validation: ipsec: verify odp_ipsec_sa_context

From: Dmitry Eremin-Solenikov

Signed-off-by: Dmitry Eremin-Solenikov
--- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ test/validation/api/ipsec/ipsec.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c index a8fdf2b14..853bd88a9 100644 --- a/test/validation/api/ipsec/ipsec.c +++ b/test/validation/api/ipsec/ipsec.c
@@ -19,6 +19,9 @@ struct suite_context_s suite_context; #define PKT_POOL_NUM 64 #define PKT_POOL_LEN (1 * 1024) +#define PACKET_USER_PTR ((void *)0x1212fefe) +#define IPSEC_SA_CTX ((void *)0xfefefafa) + static odp_pktio_t pktio_create(odp_pool_t pool) { odp_pktio_t pktio; @@ -300,6 +303,8 @@ void ipsec_sa_param_fill(odp_ipsec_sa_param_t *param, param->dest_queue = suite_context.queue; + param->context = IPSEC_SA_CTX; + param->crypto.cipher_alg = cipher_alg; if (cipher_key) param->crypto.cipher_key = *cipher_key; @@ -317,6 +322,8 @@ void ipsec_sa_destroy(odp_ipsec_sa_t sa) odp_event_t event; odp_ipsec_status_t status; + CU_ASSERT_EQUAL(IPSEC_SA_CTX, odp_ipsec_sa_context(sa)); + CU_ASSERT_EQUAL(ODP_IPSEC_OK, odp_ipsec_sa_disable(sa)); if (ODP_QUEUE_INVALID != suite_context.queue) { @@ -339,8 +346,6 @@ void ipsec_sa_destroy(odp_ipsec_sa_t sa) CU_ASSERT_EQUAL(ODP_IPSEC_OK, odp_ipsec_sa_destroy(sa)); } -#define PACKET_USER_PTR ((void *)0x1212fefe) - odp_packet_t ipsec_packet(const ipsec_test_packet *itp) { odp_packet_t pkt = odp_packet_alloc(suite_context.pool, itp->len); @@ -608,7 +613,13 @@ void ipsec_check_in_one(const ipsec_test_part *part, odp_ipsec_sa_t sa) CU_ASSERT_EQUAL(0, odp_ipsec_result(&result, pkto[i])); CU_ASSERT_EQUAL(part->out[i].status.error.all, result.status.error.all); + CU_ASSERT_EQUAL(suite_context.inbound_op_mode == + ODP_IPSEC_OP_MODE_INLINE, + result.flag.inline_mode); CU_ASSERT_EQUAL(sa, result.sa); + if (ODP_IPSEC_SA_INVALID != sa) + CU_ASSERT_EQUAL(IPSEC_SA_CTX, + odp_ipsec_sa_context(sa)); } ipsec_check_packet(part->out[i].pkt_out, pkto[i]); @@ -642,6 +653,8 @@ void ipsec_check_out_one(const ipsec_test_part *part, odp_ipsec_sa_t sa) CU_ASSERT_EQUAL(part->out[i].status.error.all, result.status.error.all); CU_ASSERT_EQUAL(sa, result.sa); + CU_ASSERT_EQUAL(IPSEC_SA_CTX, + odp_ipsec_sa_context(sa)); } ipsec_check_packet(part->out[i].pkt_out, pkto[i]); 
@@ -679,6 +692,8 @@ void ipsec_check_out_in_one(const ipsec_test_part *part, CU_ASSERT_EQUAL(part->out[i].status.error.all, result.status.error.all); CU_ASSERT_EQUAL(sa, result.sa); + CU_ASSERT_EQUAL(IPSEC_SA_CTX, + odp_ipsec_sa_context(sa)); } CU_ASSERT_FATAL(odp_packet_len(pkto[i]) <= sizeof(pkt_in.data));
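Review bot: the `ipsec_check_in_one` hunk (`@@ -608,7 +613,13 @@`) also adds an assertion comparing `result.flag.inline_mode` with `suite_context.inbound_op_mode == ODP_IPSEC_OP_MODE_INLINE`, which has nothing to do with the subject "verify odp_ipsec_sa_context" and is not mentioned anywhere in the commit message. Move it to its own patch, or describe it in this one.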
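Review bot: in `ipsec_check_out_one` (`@@ -642,6 +653,8 @@`), and likewise in `ipsec_check_out_in_one`, the new assertion calls `odp_ipsec_sa_context(sa)` unconditionally, while the inbound check guards the same call with `if (ODP_IPSEC_SA_INVALID != sa)`. If these helpers can ever be called with an invalid SA, add the same guard; if they cannot, a one-line comment saying so would explain the difference. Asserting on `odp_ipsec_sa_context(result.sa)` instead of `sa` would also tie the context check to the SA that the result actually reports.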

From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:09 +0300
Subject: [lng-odp] [PATCH API-NEXT v15 4/14] linux-gen: ipsec: fix soft/hard limits check

From: Dmitry Eremin-Solenikov

Split count expiration check into two phases:
- optional precheck, run before crypto, which fails only if hard limit is already breached
- update, run after crypto in INBOUND case, so that limits will not be updated for packets failing ICV check.

Signed-off-by: Dmitry Eremin-Solenikov
--- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ .../linux-generic/include/odp_ipsec_internal.h | 10 +++++++++- platform/linux-generic/odp_ipsec.c | 12 +++++------ platform/linux-generic/odp_ipsec_sad.c | 23 +++++++++++++++++++++- 3 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index afc2f686e..68ab195c7 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -185,11 +185,19 @@ void _odp_ipsec_sa_unuse(ipsec_sa_t *ipsec_sa); ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup); /** + * Run pre-check on SA usage statistics. + * + * @retval <0 if hard limits were breached + */ +int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa, + odp_ipsec_op_status_t *status); + +/** * Update SA usage statistics, filling respective status for the packet. * * @retval <0 if hard limits were breached */ -int _odp_ipsec_sa_update_stats(ipsec_sa_t *ipsec_sa, uint32_t len, +int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len, odp_ipsec_op_status_t *status); /** diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index 6a731e999..8810d73be 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -412,9 +412,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, goto out; } - if (_odp_ipsec_sa_update_stats(ipsec_sa, - stats_length, - status) < 0) + if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0) goto out; param.session = ipsec_sa->session; @@ -449,6 +447,9 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, goto out; } + if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0) + goto out; + ip_offset = odp_packet_l3_offset(pkt); ip = odp_packet_l3_ptr(pkt, NULL); ip_hdr_len = ipv4_hdr_len(ip); @@ -830,9 +831,8 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, goto out; } - if (_odp_ipsec_sa_update_stats(ipsec_sa, - stats_length, - status) < 0) + /* No need to run precheck here, we know that packet is authentic */ + if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0) goto out; param.session = ipsec_sa->session; 
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index dc338bfcd..e42bf94ef 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c 
@@ -479,7 +479,28 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) return best; } -int _odp_ipsec_sa_update_stats(ipsec_sa_t *ipsec_sa, uint32_t len, +int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa, + odp_ipsec_op_status_t *status) +{ + int rc = 0; + + if (ipsec_sa->hard_limit_bytes > 0 && + odp_atomic_load_u64(&ipsec_sa->bytes) > + ipsec_sa->hard_limit_bytes) { + status->error.hard_exp_bytes = 1; + rc = -1; + } + if (ipsec_sa->hard_limit_packets > 0 && + odp_atomic_load_u64(&ipsec_sa->packets) > + ipsec_sa->hard_limit_packets) { + status->error.hard_exp_packets = 1; + rc = -1; + } + + return rc; +} + +int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len, odp_ipsec_op_status_t *status) { uint64_t bytes = odp_atomic_fetch_add_u64(&ipsec_sa->bytes, len) + len;
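Review bot: `_odp_ipsec_sa_stats_precheck()` in the `odp_ipsec_sad.c` hunk (`@@ -479,7 +479,28 @@`) compares with `>` against the hard limits and takes no packet length, so a packet that arrives when a counter equals its limit, or one that will cross the limit, still goes through crypto and the limit is enforced for it only by the later `_odp_ipsec_sa_stats_update()` call. If that is the intent (the commit message says the precheck "fails only if hard limit is already breached"), state it in the doc comment added to `odp_ipsec_internal.h`, which currently lists only the `<0` return value and documents neither the success value nor that `status->error` is written. The load in the precheck and the `odp_atomic_fetch_add_u64()` in the update are also separate operations, so the comment should say that concurrent packets on one SA can all pass the precheck before any of them is counted.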
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:10 +0300
Message-Id: <1510538419-566-6-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 5/14] linux-gen: ipsec: add replay window support to SAD
From: Dmitry Eremin-Solenikov
Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ .../linux-generic/include/odp_ipsec_internal.h | 20 ++++++++ platform/linux-generic/odp_ipsec_sad.c | 60 ++++++++++++++++++++++ 2 files changed, 80 insertions(+) diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index 68ab195c7..0a7f96256 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -81,6 +81,9 @@ int _odp_ipsec_status_send(odp_queue_t queue, #define IPSEC_MAX_SALT_LEN 4 /**< Maximum salt length in bytes */ +/* 32 is minimum required by the standard. We do not support more */ +#define IPSEC_ANTIREPLAY_WS 32 + /** * Maximum number of available SAs */ @@ -127,6 +130,9 @@ struct ipsec_sa_s { /* Only for outbound */ unsigned use_counter_iv : 1; + + /* Only for inbound */ + unsigned antireplay : 1; }; }; @@ -134,6 +140,7 @@ struct ipsec_sa_s { struct { odp_ipsec_lookup_mode_t lookup_mode; odp_u32be_t lookup_dst_ip; + odp_atomic_u64_t antireplay; } in; struct { 
@@ -200,6 +207,19 @@ int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa, int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len, odp_ipsec_op_status_t *status); +/* Run pre-check on sequence number of the packet. + * + * @retval <0 if the packet falls out of window + */ +int _odp_ipsec_sa_replay_precheck(ipsec_sa_t *ipsec_sa, uint32_t seq, + odp_ipsec_op_status_t *status); + +/* Run check on sequence number of the packet and update window if necessary. + * + * @retval <0 if the packet falls out of window + */ +int _odp_ipsec_sa_replay_update(ipsec_sa_t *ipsec_sa, uint32_t seq, + odp_ipsec_op_status_t *status); /** * Try inline IPsec processing of provided packet. * diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index e42bf94ef..c30119249 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -215,6 +215,10 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) param->inbound.lookup_param.dst_addr, sizeof(ipsec_sa->in.lookup_dst_ip)); + if (param->inbound.antireplay_ws > IPSEC_ANTIREPLAY_WS) + return ODP_IPSEC_SA_INVALID; + ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); + odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else { odp_atomic_store_u32(&ipsec_sa->out.seq, 1); } 
@@ -528,3 +532,59 @@ int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len, return rc; } + +int _odp_ipsec_sa_replay_precheck(ipsec_sa_t *ipsec_sa, uint32_t seq, + odp_ipsec_op_status_t *status) +{ + /* Try to be as quick as possible, we will discard packets later */ + if (ipsec_sa->antireplay && + seq + IPSEC_ANTIREPLAY_WS <= + (odp_atomic_load_u64(&ipsec_sa->in.antireplay) & 0xffffffff)) { + status->error.antireplay = 1; + return -1; + } + + return 0; +} + +int _odp_ipsec_sa_replay_update(ipsec_sa_t *ipsec_sa, uint32_t seq, + odp_ipsec_op_status_t *status) +{ + int cas = 0; + uint64_t state, new_state; + + if (!ipsec_sa->antireplay) + return 0; + + state = odp_atomic_load_u64(&ipsec_sa->in.antireplay); + + while (0 == cas) { + uint32_t max_seq = state & 0xffffffff; + uint32_t mask = state >> 32; + + if (seq + IPSEC_ANTIREPLAY_WS <= max_seq) { + status->error.antireplay = 1; + return -1; + } + + if (seq > max_seq) { + mask <<= seq - max_seq; + mask |= 1; + max_seq = seq; + } else { + if (mask & (1U << (max_seq - seq))) { + status->error.antireplay = 1; + return -1; + } + + mask |= (1U << (max_seq - seq)); + } + + new_state = (((uint64_t)mask) << 32) | max_seq; + + cas = odp_atomic_cas_acq_rel_u64(&ipsec_sa->in.antireplay, + &state, new_state); + } + + return 0; +} From patchwork Mon Nov 13 02:00:11 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Github ODP bot X-Patchwork-Id: 118702 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp1269481qgn; Sun, 12 Nov 2017 18:07:00 -0800 (PST) X-Google-Smtp-Source: AGs4zMYa0OZpUD0pDCIiShqj8XG2AK6yHYydlYLVUvsVtJ/0PBISWHH2npFqrQqkNfBgVbDBMZct X-Received: by 10.200.55.75 with SMTP id p11mr12002715qtb.298.1510538820601; Sun, 12 Nov 2017 18:07:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510538820; cv=none; d=google.com; s=arc-20160816; b=qdlIC6ZCVDRAJ0j7WeiwBeIdTnvs9Xe3B6vOtg7W6VPpXoy82qvGu2tSrr100Z5oyo 
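Review bot: In `_odp_ipsec_sa_replay_update` (odp_ipsec_sad.c, last hunk), `mask <<= seq - max_seq;` shifts a `uint32_t` by the whole sequence gap, which is undefined behaviour in C once the gap is 32 or more; reset the mask to 1 when `seq - max_seq >= IPSEC_ANTIREPLAY_WS` and shift only for smaller gaps. Both this function and `_odp_ipsec_sa_replay_precheck` also evaluate `seq + IPSEC_ANTIREPLAY_WS <= max_seq` in 32-bit arithmetic, so a `seq` of `0xffffffe0` or above wraps and is flagged as a replay; testing `seq <= max_seq && max_seq - seq >= IPSEC_ANTIREPLAY_WS`, or widening to `uint64_t`, avoids the wrap.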
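Review bot: In the `odp_ipsec_sa_create` hunk, any non-zero `antireplay_ws` up to 32 only sets the one-bit `antireplay` flag and the checks then always use `IPSEC_ANTIREPLAY_WS`, so a caller asking for a smaller window silently gets 32; either store the requested size in the SA or state in a comment that the window is fixed. The new `return ODP_IPSEC_SA_INVALID;` also comes after `ipsec_sa` has already been written to (the `lookup_dst_ip` copy just above), so please check that the reserved SA entry is released on that path.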
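Review bot: The new `odp_atomic_u64_t antireplay` field in the `in` struct of `ipsec_sa_s` has no comment, although `_odp_ipsec_sa_replay_update` packs the highest sequence number seen into the low 32 bits and the window bitmap into the high 32 bits; document that layout at the field. A name distinct from the one-bit `antireplay` flag added in the hunk above would also make `ipsec_sa->antireplay` versus `ipsec_sa->in.antireplay` harder to mix up.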
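Review bot: The two prototypes added to odp_ipsec_internal.h use plain `/* ... */` comments and list only `@retval <0`, while the declaration that follows uses `/** ... */`; switch to the Doxygen form, add `@retval 0`, and keep a blank line before the `/** Try inline IPsec processing` comment. The text for `_odp_ipsec_sa_replay_update` should also mention that a duplicate inside the window returns <0, not only a packet that "falls out of window".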
certificate not present) From: Github ODP bot To: lng-odp@lists.linaro.org Date: Mon, 13 Nov 2017 05:00:11 +0300 Message-Id: <1510538419-566-7-git-send-email-odpbot@yandex.ru> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru> References: <1510538419-566-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 243 Subject: [lng-odp] [PATCH API-NEXT v15 6/14] linux-gen: ipsec: support replay window checks X-BeenThere: lng-odp@lists.linaro.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "The OpenDataPlane \(ODP\) List" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ platform/linux-generic/odp_ipsec.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index 8810d73be..ef6a60249 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -42,6 +42,8 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa) capa->max_num_sa = ODP_CONFIG_IPSEC_SAS; + capa->max_antireplay_ws = IPSEC_ANTIREPLAY_WS; + rc = odp_crypto_capability(&crypto_capa); if (rc < 0) return rc; @@ -402,6 +404,12 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ip->frag_offset = 0; ip->ttl = 0; + aad.spi = ah.spi; + aad.seq_no = ah.seq_no; + + param.aad.ptr = (uint8_t *)&aad; + param.aad.length = sizeof(aad); + param.auth_range.offset = ip_offset; param.auth_range.length = odp_be_to_cpu_16(ip->tot_len); param.hash_result_offset = ipsec_offset + _ODP_AHHDR_LEN; 
@@ -412,6 +420,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, goto out; } + if (_odp_ipsec_sa_replay_precheck(ipsec_sa, + odp_be_to_cpu_32(aad.seq_no), + status) < 0) + goto out; + if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0) goto out; @@ -450,6 +463,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0) goto out; + if (_odp_ipsec_sa_replay_update(ipsec_sa, + odp_be_to_cpu_32(aad.seq_no), + status) < 0) + goto out; + ip_offset = odp_packet_l3_offset(pkt); ip = odp_packet_l3_ptr(pkt, NULL); ip_hdr_len = ipv4_hdr_len(ip); 
@@ -809,6 +827,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, ah.next_header = ip->proto; ip->proto = _ODP_IPPROTO_AH; + aad.spi = ah.spi; + aad.seq_no = ah.seq_no; + + param.aad.ptr = (uint8_t *)&aad; + param.aad.length = sizeof(aad); + odp_packet_copy_from_mem(pkt, ipsec_offset, _ODP_AHHDR_LEN, &ah); From patchwork Mon Nov 13 02:00:12 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Github ODP bot X-Patchwork-Id: 118701 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp1268969qgn; Sun, 12 Nov 2017 18:06:18 -0800 (PST) X-Google-Smtp-Source: AGs4zMYkiTnKhojHNlCM4wRlGxJzS4KgeTwaXWQ+iQt6eW3tUmODCjymFaamShVQ2G497mm9VAAB X-Received: by 10.200.57.80 with SMTP id t16mr530235qtb.98.1510538778373; Sun, 12 Nov 2017 18:06:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510538778; cv=none; d=google.com; s=arc-20160816; b=yaBG+AlTVNpxnGu4oMQIoV1XmDK+DkZyxj4dUUSxXYww7bWZxWIKZnqD5CrAvXjw59 L5XAu6KyQnFtsBxdqpOe8p84I95IRdLy8GcqqP/FodB7sIA7FzKUjjtdRqREPtl4Vd3T 4zkOZ8X/eBbgQroKJqdzKrih9H2d0ktNY1qucPZmo+WRN7rSPVeSc53X7SyyQdPzNlkE rXcWE66rYs7CdbvY7GAtZaRZnONQX0rq/nNJ4xPO1nFXmceWhWP0J8HUwP8P5AOkMU8d Dq4UwQNVg3MZXumuaWXEgs4fxhk1AInFdqM4kWEZDuYhm5K9bPXCOIVkubKPlnyefJyS qjdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:github-pr-num :references:in-reply-to:message-id:date:to:from:delivered-to :arc-authentication-results; bh=uQz/B6qucwhgWp87rQN/1BTO0Fnk3wUsgJjp0BLIV6U=; b=ExG0NvUzQ/D2R0ocxxQj3o9Xs0e3/yEbT6t0D4WUH1/q6JW3aHL1JE7gGT1/rawpQ8 g4axL3Qcl2yr2oqPUn4Bfh1USEXsiB/7aQILeWbthP5OfphTRRndm46erseyu8ud4O0u 9dR7L4BWZl9C50+fyBln0iRH5ckT3HSywQFon9JzHWZzcCUYxnaD6Vf/nQR2GytlRm68 kk8jQp9JIZ9L+0w1mJ1J4lgK9d1nEoDfkRjk/z2+qkjQrBcOM5behGhENCyJLLJru+81 sWpMRavvvF4HL+5xokeAm7xJpI1psGpco00qPSj8hdMkjaj5XfjeX9bX7BuFfuB+ucYY WJ3g== 
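Review bot: In the `ipsec_in_single` hunk at `@@ -450,6 +463,11 @@`, `_odp_ipsec_sa_replay_update` is called after `_odp_ipsec_sa_stats_update`, so a packet that is then rejected as a duplicate has already been added to the SA byte and packet counters and counts toward the lifetime limits. Either run the replay update first or add a comment explaining why dropped replays are meant to be counted.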
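Review bot: The `ipsec_out_single` AH hunk sets `aad.spi`, `aad.seq_no` and `param.aad.ptr`/`param.aad.length`, yet nothing on the outbound path in this patch calls the replay functions, so this looks like a separate AH change riding along under a subject that only mentions replay window checks. Split it out or explain it in the commit message, which has no body; the same question applies to the `param.aad` assignments in the inbound AH hunk, where only `aad.seq_no` is needed for the replay calls.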
smtp3o.mail.yandex.net (smtp3o.mail.yandex.net [2a02:6b8:0:1a2d::27]) by mxback20j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id JBlwKnFqEE-0OBeXsEd; Mon, 13 Nov 2017 05:00:24 +0300 Received: by smtp3o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id uZeq9OjDfk-0Nv8QWXj; Mon, 13 Nov 2017 05:00:24 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client certificate not present) From: Github ODP bot To: lng-odp@lists.linaro.org Date: Mon, 13 Nov 2017 05:00:12 +0300 Message-Id: <1510538419-566-8-git-send-email-odpbot@yandex.ru> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru> References: <1510538419-566-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 243 Subject: [lng-odp] [PATCH API-NEXT v15 7/14] validation: ipsec: add replay window checks X-BeenThere: lng-odp@lists.linaro.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "The OpenDataPlane \(ODP\) List" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ test/validation/api/ipsec/ipsec_test_in.c | 204 ++++++++++++++++++++++++++++++ test/validation/api/ipsec/test_vectors.h | 87 +++++++++++++ 2 files changed, 291 insertions(+) diff --git a/test/validation/api/ipsec/ipsec_test_in.c b/test/validation/api/ipsec/ipsec_test_in.c index 25fc00e11..598a83e3f 100644 --- a/test/validation/api/ipsec/ipsec_test_in.c +++ b/test/validation/api/ipsec/ipsec_test_in.c 
@@ -284,6 +284,202 @@ static void test_in_esp_null_sha256_tun(void) ipsec_sa_destroy(sa); } +static void test_in_ah_sha256_noreplay(void) +{ + odp_ipsec_sa_param_t param; + odp_ipsec_sa_t sa; + + ipsec_sa_param_fill(¶m, + true, true, 123, NULL, + ODP_CIPHER_ALG_NULL, NULL, + ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256, + NULL); + param.inbound.antireplay_ws = 0; + + sa = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa); + + ipsec_test_part test = { + .pkt_in = &pkt_icmp_0_ah_sha256_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_test_part test_1235 = { + .pkt_in = &pkt_icmp_0_ah_sha256_1235, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_check_in_one(&test, sa); + ipsec_check_in_one(&test, sa); + ipsec_check_in_one(&test_1235, sa); + ipsec_check_in_one(&test, sa); + + ipsec_sa_destroy(sa); +} + +static void test_in_ah_sha256_replay(void) +{ + odp_ipsec_sa_param_t param; + odp_ipsec_sa_t sa; + + ipsec_sa_param_fill(¶m, + true, true, 123, NULL, + ODP_CIPHER_ALG_NULL, NULL, + ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256, + NULL); + param.inbound.antireplay_ws = 32; + + sa = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa); + + ipsec_test_part test = { + .pkt_in = &pkt_icmp_0_ah_sha256_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_test_part test_repl = { + .pkt_in = &pkt_icmp_0_ah_sha256_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.antireplay = 1, + .pkt_out = NULL }, + }, + }; + + ipsec_test_part test_1235 = { + .pkt_in = &pkt_icmp_0_ah_sha256_1235, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_check_in_one(&test, sa); + ipsec_check_in_one(&test_repl, sa); + 
ipsec_check_in_one(&test_1235, sa); + ipsec_check_in_one(&test_repl, sa); + + ipsec_sa_destroy(sa); +} + +static void test_in_esp_null_sha256_noreplay(void) +{ + odp_ipsec_sa_param_t param; + odp_ipsec_sa_t sa; + + ipsec_sa_param_fill(¶m, + true, false, 123, NULL, + ODP_CIPHER_ALG_NULL, NULL, + ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256, + NULL); + param.inbound.antireplay_ws = 0; + + sa = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa); + + ipsec_test_part test = { + .pkt_in = &pkt_icmp_0_esp_null_sha256_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_test_part test_1235 = { + .pkt_in = &pkt_icmp_0_esp_null_sha256_1235, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_check_in_one(&test, sa); + ipsec_check_in_one(&test, sa); + ipsec_check_in_one(&test_1235, sa); + ipsec_check_in_one(&test, sa); + + ipsec_sa_destroy(sa); +} + +static void test_in_esp_null_sha256_replay(void) +{ + odp_ipsec_sa_param_t param; + odp_ipsec_sa_t sa; + + ipsec_sa_param_fill(¶m, + true, false, 123, NULL, + ODP_CIPHER_ALG_NULL, NULL, + ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256, + NULL); + param.inbound.antireplay_ws = 32; + + sa = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa); + + ipsec_test_part test = { + .pkt_in = &pkt_icmp_0_esp_null_sha256_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_test_part test_repl = { + .pkt_in = &pkt_icmp_0_esp_null_sha256_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.antireplay = 1, + .pkt_out = NULL }, + }, + }; + + ipsec_test_part test_1235 = { + .pkt_in = &pkt_icmp_0_esp_null_sha256_1235, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_check_in_one(&test, sa); 
+ ipsec_check_in_one(&test_repl, sa); + ipsec_check_in_one(&test_1235, sa); + ipsec_check_in_one(&test_repl, sa); + + ipsec_sa_destroy(sa); +} + static void test_in_ah_esp_pkt(void) { odp_ipsec_sa_param_t param; @@ -797,6 +993,14 @@ odp_testinfo_t ipsec_in_suite[] = { ipsec_check_esp_null_sha256), ODP_TEST_INFO_CONDITIONAL(test_in_esp_null_sha256_tun, ipsec_check_esp_null_sha256), + ODP_TEST_INFO_CONDITIONAL(test_in_ah_sha256_noreplay, + ipsec_check_ah_sha256), + ODP_TEST_INFO_CONDITIONAL(test_in_ah_sha256_replay, + ipsec_check_ah_sha256), + ODP_TEST_INFO_CONDITIONAL(test_in_esp_null_sha256_noreplay, + ipsec_check_esp_null_sha256), + ODP_TEST_INFO_CONDITIONAL(test_in_esp_null_sha256_replay, + ipsec_check_esp_null_sha256), ODP_TEST_INFO_CONDITIONAL(test_in_ah_esp_pkt, ipsec_check_ah_sha256), ODP_TEST_INFO_CONDITIONAL(test_in_esp_ah_pkt, diff --git a/test/validation/api/ipsec/test_vectors.h b/test/validation/api/ipsec/test_vectors.h index 2fb06b2b7..593a8f450 100644 --- a/test/validation/api/ipsec/test_vectors.h +++ b/test/validation/api/ipsec/test_vectors.h 
@@ -278,6 +278,50 @@ static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_ah_sha256_1_bad2 = { }, }; +static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_ah_sha256_1235 = { + .len = 170, + .l2_offset = 0, + .l3_offset = 14, + .l4_offset = 34, + .data = { + /* ETH */ + 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00, + + /* IP */ + 0x45, 0x00, 0x00, 0x9c, 0x00, 0x00, 0x00, 0x00, + 0x40, 0x33, 0xab, 0xd9, 0xc0, 0xa8, 0x6f, 0x02, + 0xc0, 0xa8, 0xde, 0x02, + + /* AH */ + 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, + 0x00, 0x00, 0x12, 0x35, + 0x04, 0xef, 0x71, 0x73, 0xa1, 0xd4, 0x71, 0x3f, + 0xd6, 0x78, 0xfe, 0xa2, 0x59, 0xe9, 0x93, 0x70, + + /* ICMP */ + 0x08, 0x00, 0xfb, 0x37, + + /* ICMP echo */ + 0x12, 0x34, 0x00, 0x00, + + /* data */ + 0xba, 0xbe, 0x01, 0x23, 0x45, 0x67, 0xca, 0xfe, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b + }, +}; + static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_null_sha256_1 = { .len = 170, .l2_offset = 0, 
@@ -412,6 +456,49 @@ static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_null_sha256_1_bad1 = { }, }; +static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_null_sha256_1235 = { + .len = 170, + .l2_offset = 0, + .l3_offset = 14, + .l4_offset = 34, + .data = { + /* ETH */ + 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00, + + /* IP */ + 0x45, 0x00, 0x00, 0x9c, 0x00, 0x00, 0x00, 0x00, + 0x40, 0x32, 0xab, 0xda, 0xc0, 0xa8, 0x6f, 0x02, + 0xc0, 0xa8, 0xde, 0x02, + + /* ESP */ + 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x12, 0x35, + + /* ICMP */ + 0x08, 0x00, 0xfb, 0x37, 0x12, 0x34, 0x00, 0x00, + 0xba, 0xbe, 0x01, 0x23, 0x45, 0x67, 0xca, 0xfe, + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, + + /* ESP TRL */ + 0x01, 0x02, 0x02, 0x01, + + /* ICV */ + 0x2f, 0xfb, 0xdd, 0x9d, 0xc0, 0xca, 0xb8, 0x0a, + 0xaa, 0xf1, 0x59, 0x31, 0x4e, 0xef, 0x62, 0x50, + }, +}; + static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_aes_cbc_null_1 = { .len = 170, .l2_offset = 0, From patchwork Mon Nov 13 02:00:13 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Github ODP bot X-Patchwork-Id: 118703 Delivered-To: patch@linaro.org Received: by 10.140.22.164 with SMTP id 33csp1270462qgn; Sun, 12 Nov 2017 18:08:21 -0800 (PST) X-Google-Smtp-Source: AGs4zMYpXZNSf/XIot+f8Rsqmb6BRDUxt3/Fp83rkCaQgY9uIsVjuXyzZCkZwtZ0KoWMzWuaU/lg X-Received: by 10.237.62.4 with SMTP id 
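Review bot: `test_in_ah_sha256_replay` and `test_in_esp_null_sha256_replay` in ipsec_test_in.c only cover an exact duplicate of sequence 1 and, after the jump to 0x1235, a packet far behind the window; no case has a late packet that is still inside the 32-entry window being accepted once and rejected on its second arrival. Vectors with nearby sequence numbers delivered out of order would exercise the bitmap path, and a case expecting `ODP_IPSEC_SA_INVALID` for `antireplay_ws` above 32 would cover the new check in SA creation.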
ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client certificate not present) From: Github ODP bot To: lng-odp@lists.linaro.org Date: Mon, 13 Nov 2017 05:00:13 +0300 Message-Id: <1510538419-566-9-git-send-email-odpbot@yandex.ru> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru> References: <1510538419-566-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 243 Subject: [lng-odp] [PATCH API-NEXT v15 8/14] linux-gen: ipsec: mark IPsec packets with errors with error flag X-BeenThere: lng-odp@lists.linaro.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "The OpenDataPlane \(ODP\) List" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" From: Dmitry Eremin-Solenikov Add new ipsec_err error flag, which is set by IPsec code if there was an error during IPsec packet processing. This allow application code to quickly check packets using odp_packet_has_error() function and use fast path if there was none. Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/ .../linux-generic/include/odp_packet_internal.h | 1 + platform/linux-generic/odp_ipsec.c | 104 ++++++++++++--------- 2 files changed, 60 insertions(+), 45 deletions(-) diff --git a/platform/linux-generic/include/odp_packet_internal.h b/platform/linux-generic/include/odp_packet_internal.h index fc10d61c8..e62854b1e 100644 --- a/platform/linux-generic/include/odp_packet_internal.h +++ b/platform/linux-generic/include/odp_packet_internal.h 
@@ -55,6 +55,7 @@ typedef union { uint32_t tcp_err:1; /**< TCP error, checks TBD */ uint32_t udp_err:1; /**< UDP error, checks TBD */ uint32_t l4_chksum:1; /**< L4 checksum error */ + uint32_t ipsec_err:1; /**< IPsec error */ }; } error_flags_t; diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index ef6a60249..61f2dc51d 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -272,6 +272,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, uint8_t ip_ttl; /**< Saved IP TTL value */ uint16_t ip_frag_offset; /**< Saved IP flags value */ odp_crypto_packet_result_t crypto; /**< Crypto operation result */ + odp_packet_hdr_t *pkt_hdr; ODP_ASSERT(ODP_PACKET_OFFSET_INVALID != ip_offset); ODP_ASSERT(NULL != ip); @@ -287,7 +288,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (_ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) { status->error.proto = 1; - goto out; + goto err; } /* Check IP header for IPSec protocols and look it up */ @@ -297,7 +298,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (odp_packet_copy_to_mem(pkt, ipsec_offset, sizeof(esp), &esp) < 0) { status->error.alg = 1; - goto out; + goto err; } if (ODP_IPSEC_SA_INVALID == sa) { @@ -310,7 +311,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ipsec_sa = _odp_ipsec_sa_lookup(&lookup); if (NULL == ipsec_sa) { status->error.sa_lookup = 1; - goto out; + goto err; } } else { ipsec_sa = _odp_ipsec_sa_use(sa); @@ -318,7 +319,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (ipsec_sa->proto != ODP_IPSEC_ESP || ipsec_sa->spi != odp_be_to_cpu_32(esp.spi)) { status->error.proto = 1; - goto out; + goto err; } } @@ -328,7 +329,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ipsec_sa->esp_iv_len, iv + ipsec_sa->salt_length) < 0) { status->error.alg = 1; - goto out; + goto err; } hdr_len = _ODP_ESPHDR_LEN + ipsec_sa->esp_iv_len; 
@@ -362,7 +363,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (odp_packet_copy_to_mem(pkt, ipsec_offset, sizeof(ah), &ah) < 0) { status->error.alg = 1; - goto out; + goto err; } if (ODP_IPSEC_SA_INVALID == sa) { @@ -375,7 +376,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ipsec_sa = _odp_ipsec_sa_lookup(&lookup); if (NULL == ipsec_sa) { status->error.sa_lookup = 1; - goto out; + goto err; } } else { ipsec_sa = _odp_ipsec_sa_use(sa); @@ -383,7 +384,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (ipsec_sa->proto != ODP_IPSEC_AH || ipsec_sa->spi != odp_be_to_cpu_32(ah.spi)) { status->error.proto = 1; - goto out; + goto err; } } @@ -417,16 +418,16 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, stats_length = param.auth_range.length; } else { status->error.proto = 1; - goto out; + goto err; } if (_odp_ipsec_sa_replay_precheck(ipsec_sa, odp_be_to_cpu_32(aad.seq_no), status) < 0) - goto out; + goto err; if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0) - goto out; + goto err; param.session = ipsec_sa->session; @@ -434,14 +435,14 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (rc < 0) { ODP_DBG("Crypto failed\n"); status->error.alg = 1; - goto out; + goto err; } rc = odp_crypto_result(&crypto, pkt); if (rc < 0) { ODP_DBG("Crypto failed\n"); status->error.alg = 1; - goto out; + goto err; } if (!crypto.ok) { @@ -457,16 +458,16 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ODP_CRYPTO_HW_ERR_NONE)) status->error.auth = 1; - goto out; + goto err; } if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0) - goto out; + goto err; if (_odp_ipsec_sa_replay_update(ipsec_sa, odp_be_to_cpu_32(aad.seq_no), status) < 0) - goto out; + goto err; ip_offset = odp_packet_l3_offset(pkt); ip = odp_packet_l3_ptr(pkt, NULL); 
@@ -484,18 +485,18 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (odp_packet_copy_to_mem(pkt, esptrl_offset, sizeof(esptrl), &esptrl) < 0) { status->error.proto = 1; - goto out; + goto err; } if (ip_offset + esptrl.pad_len > esptrl_offset) { status->error.proto = 1; - goto out; + goto err; } if (_odp_packet_cmp_data(pkt, esptrl_offset - esptrl.pad_len, ipsec_padding, esptrl.pad_len) != 0) { status->error.proto = 1; - goto out; + goto err; } ip->proto = esptrl.next_header; @@ -509,7 +510,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (odp_packet_copy_to_mem(pkt, ipsec_offset, sizeof(ah), &ah) < 0) { status->error.alg = 1; - goto out; + goto err; } ip->proto = ah.next_header; @@ -520,12 +521,12 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ip->frag_offset = odp_cpu_to_be_16(ip_frag_offset); } else { status->error.proto = 1; - goto out; + goto err; } if (odp_packet_trunc_tail(&pkt, trl_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) { @@ -536,7 +537,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (odp_packet_trunc_head(&pkt, ip_hdr_len + hdr_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } } else { odp_packet_move_data(pkt, hdr_len, 0, @@ -544,7 +545,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, if (odp_packet_trunc_head(&pkt, hdr_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } } 
@@ -559,15 +560,21 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, _odp_ipv4_csum_update(pkt); } - if (!status->error.all) { - odp_packet_hdr_t *pkt_hdr = odp_packet_hdr(pkt); + pkt_hdr = odp_packet_hdr(pkt); + + packet_parse_reset(pkt_hdr); - packet_parse_reset(pkt_hdr); + packet_parse_l3_l4(pkt_hdr, parse_layer(ipsec_config.inbound.parse), + ip_offset, _ODP_ETHTYPE_IPV4); + + *pkt_out = pkt; + + return ipsec_sa; + +err: + pkt_hdr = odp_packet_hdr(pkt); + pkt_hdr->p.error_flags.ipsec_err = 1; - packet_parse_l3_l4(pkt_hdr, parse_layer(ipsec_config.inbound.parse), - ip_offset, _ODP_ETHTYPE_IPV4); - } -out: *pkt_out = pkt; return ipsec_sa; @@ -606,6 +613,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, uint8_t ip_ttl; /**< Saved IP TTL value */ uint16_t ip_frag_offset; /**< Saved IP flags value */ odp_crypto_packet_result_t crypto; /**< Crypto operation result */ + odp_packet_hdr_t *pkt_hdr; ODP_ASSERT(ODP_PACKET_OFFSET_INVALID != ip_offset); ODP_ASSERT(NULL != ip); @@ -623,7 +631,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, if (ODP_IPSEC_MODE_TRANSPORT == ipsec_sa->mode && _ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) { status->error.alg = 1; - goto out; + goto err; } if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) { @@ -659,7 +667,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, if (odp_packet_extend_head(&pkt, _ODP_IPV4HDR_LEN, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } odp_packet_move_data(pkt, 0, _ODP_IPV4HDR_LEN, ip_offset); @@ -705,7 +713,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, 1); /* Check for overrun */ if (ctr == 0) - goto out; + goto err; memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length); memcpy(iv + ipsec_sa->salt_length, &ctr, @@ -719,7 +727,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, if (len != ipsec_sa->esp_iv_len) { status->error.alg = 1; - goto out; + goto err; } } 
@@ -727,12 +735,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, if (odp_packet_extend_tail(&pkt, trl_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } if (odp_packet_extend_head(&pkt, hdr_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } odp_packet_move_data(pkt, 0, hdr_len, ipsec_offset); @@ -805,12 +813,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, if (odp_packet_extend_tail(&pkt, trl_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } if (odp_packet_extend_head(&pkt, hdr_len, NULL, NULL) < 0) { status->error.alg = 1; - goto out; + goto err; } odp_packet_move_data(pkt, 0, hdr_len, ipsec_offset); @@ -852,12 +860,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, stats_length = param.auth_range.length; } else { status->error.alg = 1; - goto out; + goto err; } /* No need to run precheck here, we know that packet is authentic */ if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0) - goto out; + goto err; param.session = ipsec_sa->session; @@ -865,14 +873,14 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, if (rc < 0) { ODP_DBG("Crypto failed\n"); status->error.alg = 1; - goto out; + goto err; } rc = odp_crypto_result(&crypto, pkt); if (rc < 0) { ODP_DBG("Crypto failed\n"); status->error.alg = 1; - goto out; + goto err; } if (!crypto.ok) { @@ -888,7 +896,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, ODP_CRYPTO_HW_ERR_NONE)) status->error.auth = 1; - goto out; + goto err; } ip = odp_packet_l3_ptr(pkt, NULL); 
@@ -902,7 +910,13 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, _odp_ipv4_csum_update(pkt); -out: + *pkt_out = pkt; + return ipsec_sa; + +err: + pkt_hdr = odp_packet_hdr(pkt); + + pkt_hdr->p.error_flags.ipsec_err = 1; *pkt_out = pkt; return ipsec_sa;
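Review bot: in the "@@ -705,7 +713,7 @@" hunk of ipsec_out_single(), the IV counter overrun branch (if (ctr == 0) goto err;) now marks the packet with ipsec_err, but no status->error bit is set on that path in the lines shown. The packet would then report odp_packet_has_error() while status->error.all stays 0. The other converted sites visible in this patch either set a status->error field or pass status to a helper before the jump; set one here as well (for example status->error.alg = 1) so the packet flag and the IPsec status cannot disagree.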
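Review bot: the "@@ -559,15 +560,21 @@" hunk removes the if (!status->error.all) guard, so the success path of ipsec_in_single() now re-parses the packet and returns it as clean on the assumption that every failure jumped to err. A site that sets a status->error bit without the jump, now or in a later change, would hand the application a processed packet with no error flag. Consider an ODP_ASSERT(!status->error.all) before packet_parse_reset(pkt_hdr), or a single exit that sets ipsec_err from the status; a single exit would also avoid the "*pkt_out = pkt; return ipsec_sa;" epilogue that is now duplicated in both ipsec_in_single() and ipsec_out_single().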
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:14 +0300
Message-Id: <1510538419-566-10-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 9/14] validation: check that erroneous IPsec packets have error flag set

From: Dmitry Eremin-Solenikov

Verify that odp_packet_has_error() returns true for IPsec packets with error status in result.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969
 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072
 **/
 test/validation/api/ipsec/ipsec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c index 853bd88a9..6c5623580 100644 --- a/test/validation/api/ipsec/ipsec.c +++ b/test/validation/api/ipsec/ipsec.c
@@ -613,6 +613,8 @@ void ipsec_check_in_one(const ipsec_test_part *part, odp_ipsec_sa_t sa) CU_ASSERT_EQUAL(0, odp_ipsec_result(&result, pkto[i])); CU_ASSERT_EQUAL(part->out[i].status.error.all, result.status.error.all); + CU_ASSERT(!result.status.error.all == + !odp_packet_has_error(pkto[i])); CU_ASSERT_EQUAL(suite_context.inbound_op_mode == ODP_IPSEC_OP_MODE_INLINE, result.flag.inline_mode); 
@@ -652,6 +654,8 @@ void ipsec_check_out_one(const ipsec_test_part *part, odp_ipsec_sa_t sa) CU_ASSERT_EQUAL(0, odp_ipsec_result(&result, pkto[i])); CU_ASSERT_EQUAL(part->out[i].status.error.all, result.status.error.all); + CU_ASSERT(!result.status.error.all == + !odp_packet_has_error(pkto[i])); CU_ASSERT_EQUAL(sa, result.sa); CU_ASSERT_EQUAL(IPSEC_SA_CTX, odp_ipsec_sa_context(sa));
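Review bot: the CU_ASSERT added to ipsec_check_in_one() and ipsec_check_out_one() ties the IPsec status to odp_packet_has_error(), which is not an IPsec-specific query. error_flags_t also carries tcp_err, udp_err and l4_chksum, so if the parse that runs after successful processing sets one of those for a packet whose IPsec status is clean, this assertion fails for a reason unrelated to IPsec. Either restrict the test vectors accordingly and say so in a comment, or assert the implication in one direction only (IPsec error implies packet error). Using CU_ASSERT_EQUAL on the two normalised values would also make a failure report show which side was set.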
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:15 +0300
Message-Id: <1510538419-566-11-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 10/14] linux-gen: ipsec: validate ip header total length

From: Dmitry Eremin-Solenikov

Check that IP packet length from the header is not bogus.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969
 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072
 **/
 platform/linux-generic/odp_ipsec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index 61f2dc51d..400ef2958 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c
@@ -286,6 +286,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, ipsec_offset = ip_offset + ip_hdr_len; + if (odp_be_to_cpu_16(ip->tot_len) + ip_offset > odp_packet_len(pkt)) { + status->error.alg = 1; + goto err; + } + if (_ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) { status->error.proto = 1; goto err; 
@@ -634,6 +639,11 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, goto err; } + if (odp_be_to_cpu_16(ip->tot_len) + ip_offset > odp_packet_len(pkt)) { + status->error.alg = 1; + goto err; + } + if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) { _odp_ipv4hdr_t out_ip; uint16_t tot_len;
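Review bot: the check added to ipsec_in_single() bounds tot_len only from above. A tot_len smaller than ip_hdr_len (the value used one line earlier to compute ipsec_offset) still passes, so a lower-bound test belongs next to this one, before any length is derived from the header. The condition is also a malformed header rather than an algorithm failure; the fragment check directly below reports status->error.proto, which describes this case better than error.alg.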
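Review bot: ipsec_out_single() repeats the same check verbatim. A small static helper taking ip, ip_offset and pkt would keep the inbound and outbound validation from drifting apart. Please also add a one-line comment stating what is rejected (IPv4 total length running past the end of the packet data), since neither the code nor the commit message spells it out.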
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:16 +0300
Message-Id: <1510538419-566-12-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 11/14] linux-gen: ipsec: correct frag_offset for tunneled packets

From: Dmitry Eremin-Solenikov

Generated outer header should have frag_offset = 0, MF = 0. Change code accordingly.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969
 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072
 **/
 platform/linux-generic/odp_ipsec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index 400ef2958..ca02549ea 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c
@@ -663,10 +663,10 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, out_ip.id = odp_atomic_fetch_add_u32(&ipsec_sa->out.tun_hdr_id, 1); if (ipsec_sa->copy_df) - out_ip.frag_offset = ip->frag_offset; + out_ip.frag_offset = ip->frag_offset & 0x4000; else - out_ip.frag_offset = (ip->frag_offset & ~0x4000) | - (ipsec_sa->out.tun_df << 14); + out_ip.frag_offset = + ((uint16_t)ipsec_sa->out.tun_df) << 14; out_ip.ttl = ipsec_sa->out.tun_ttl; out_ip.proto = _ODP_IPV4; /* Will be filled later by packet checksum update */
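Review bot: both new assignments mix byte orders. ip->frag_offset is a big-endian field (elsewhere in odp_ipsec.c it is read through odp_be_to_cpu_16() and written through odp_cpu_to_be_16()), but the copy_df branch masks it with the host-order literal 0x4000 and the else branch stores the host-order value ((uint16_t)tun_df) << 14 into out_ip.frag_offset. On a little-endian host the mask does not select the DF bit of the stored field and the stored value lands in the wrong byte. The removed lines had the same problem, so this is the place to fix it: wrap the mask and the shifted value in odp_cpu_to_be_16(), and replace the bare 0x4000 with a named DF constant.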
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:17 +0300
Message-Id: <1510538419-566-13-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 12/14] linux-gen: ipsec: don't leak SA on creation error

From: Dmitry Eremin-Solenikov

Some paths during odp_ipsec_sa_create() can lead to SA leakage. Fix them by always releasing SA in error case.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969
 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072
 **/
 platform/linux-generic/odp_ipsec_sad.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index c30119249..425175692 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -296,7 +296,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->icv_len = 16; break; default: - return ODP_IPSEC_SA_INVALID; + goto error; } switch (crypto_param.cipher_alg) { 
@@ -329,7 +329,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) crypto_param.iv.length = 12; break; default: - return ODP_IPSEC_SA_INVALID; + goto error; } if (1 == ipsec_sa->use_counter_iv &&
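Review bot: both default: branches (the switch that sets icv_len at -296 and the cipher_alg switch at -329) now jump to error, but the label and the cleanup behind it are outside the context shown, so the fix cannot be checked from these hunks alone. Confirm that error releases the SA entry reserved earlier in odp_ipsec_sa_create() and still returns ODP_IPSEC_SA_INVALID, and that fields already written on the way, such as icv_len, are reset before the slot is reused. The commit message says "some paths"; a search for any remaining direct return ODP_IPSEC_SA_INVALID after the reservation would show whether these two were the only ones. An error log naming the unsupported algorithm in each default: branch would also help whoever hits it.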
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:18 +0300
Message-Id: <1510538419-566-14-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 13/14] linux-gen: ipsec: add AES-CTR cipher support

From: Dmitry Eremin-Solenikov

Add support for encrypting packets with AES-CTR cipher.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/
platform/linux-generic/include/odp_ipsec_internal.h | 1 +
platform/linux-generic/odp_ipsec.c | 13 +++++++++++++
platform/linux-generic/odp_ipsec_sad.c | 7 +++++++
3 files changed, 21 insertions(+)
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index 0a7f96256..b50b65be6 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -127,6 +127,7 @@ struct ipsec_sa_s { unsigned dec_ttl : 1; unsigned copy_dscp : 1; unsigned copy_df : 1; + unsigned aes_ctr_iv : 1; /* Only for outbound */ unsigned use_counter_iv : 1; diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index ca02549ea..092592266 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -337,6 +337,13 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt, goto err; } + if (ipsec_sa->aes_ctr_iv) { + iv[12] = 0; + iv[13] = 0; + iv[14] = 0; + iv[15] = 1; + } + hdr_len = _ODP_ESPHDR_LEN + ipsec_sa->esp_iv_len; trl_len = _ODP_ESPTRL_LEN + ipsec_sa->icv_len; @@ -729,6 +736,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt, memcpy(iv + ipsec_sa->salt_length, &ctr, ipsec_sa->esp_iv_len); + if (ipsec_sa->aes_ctr_iv) { + iv[12] = 0; + iv[13] = 0; + iv[14] = 0; + iv[15] = 1; + } } else if (ipsec_sa->esp_iv_len) { uint32_t len; diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 425175692..8eaa4f902 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c 
@@ -319,6 +319,13 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->esp_block_len = 16; crypto_param.iv.length = 16; break; + case ODP_CIPHER_ALG_AES_CTR: + ipsec_sa->use_counter_iv = 1; + ipsec_sa->aes_ctr_iv = 1; + ipsec_sa->esp_iv_len = 8; + ipsec_sa->esp_block_len = 16; + crypto_param.iv.length = 16; + break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_GCM: #endif
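Review bot: the ODP_CIPHER_ALG_AES_CTR case in odp_ipsec_sa_create() sets esp_iv_len = 8 and crypto_param.iv.length = 16 without checking the salt length, while both odp_ipsec.c hunks write the block counter at the fixed offsets iv[12]..iv[15]. That layout is only right when salt_length is 4 (4-byte nonce, 8-byte IV, 4-byte counter starting at 1, as in RFC 3686); with any other salt length the memcpy at iv + ipsec_sa->salt_length in ipsec_out_single() and the counter bytes overlap or leave a gap. Reject an SA whose salt is not 4 bytes in this case and derive the counter offset from salt_length + esp_iv_len instead of the literal 12. The four-line counter initialisation is also duplicated in ipsec_in_single() and ipsec_out_single(); a small static helper would keep the two directions from drifting apart. Since use_counter_iv is set, keystream uniqueness rests on the per-SA counter never repeating under one key, which deserves a comment at the case, together with a decision on whether SA creation should refuse AES-CTR with ODP_AUTH_ALG_NULL: CTR ciphertext is malleable and RFC 3686 requires a non-NULL ESP authentication method.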
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 13 Nov 2017 05:00:19 +0300
Message-Id: <1510538419-566-15-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
References: <1510538419-566-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 243
Subject: [lng-odp] [PATCH API-NEXT v15 14/14] validation: ipsec: add AES-CTR tests

From: Dmitry Eremin-Solenikov

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3) ** https://github.com/Linaro/odp/pull/243 ** Patch: https://github.com/Linaro/odp/pull/243.patch ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969 ** Merge commit sha: 44a6636daa5f976c8aac76116e80e0c764352072 **/
test/validation/api/ipsec/ipsec.c | 10 +++++++
test/validation/api/ipsec/ipsec.h | 1 +
test/validation/api/ipsec/ipsec_test_in.c | 32 ++++++++++++++++++++++
test/validation/api/ipsec/ipsec_test_out.c | 44 ++++++++++++++++++++++++++++++
test/validation/api/ipsec/test_vectors.h | 39 ++++++++++++++++++++++++++
5 files changed, 126 insertions(+)
diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c index 6c5623580..277d393ab 100644 --- a/test/validation/api/ipsec/ipsec.c +++ b/test/validation/api/ipsec/ipsec.c @@ -168,6 +168,10 @@ int ipsec_check(odp_bool_t ah, if (!capa.ciphers.bit.aes_cbc) return ODP_TEST_INACTIVE; break; + case ODP_CIPHER_ALG_AES_CTR: + if (!capa.ciphers.bit.aes_ctr) + return ODP_TEST_INACTIVE; + break; case ODP_CIPHER_ALG_AES_GCM: if (!capa.ciphers.bit.aes_gcm) return ODP_TEST_INACTIVE; @@ -259,6 +263,12 @@ int ipsec_check_esp_aes_cbc_128_sha256(void) ODP_AUTH_ALG_SHA256_HMAC); } +int ipsec_check_esp_aes_ctr_128_null(void) +{ + return ipsec_check_esp(ODP_CIPHER_ALG_AES_CTR, 128, + ODP_AUTH_ALG_NULL); +} + int ipsec_check_esp_aes_gcm_128(void) { return ipsec_check_esp(ODP_CIPHER_ALG_AES_GCM, 128, diff --git a/test/validation/api/ipsec/ipsec.h b/test/validation/api/ipsec/ipsec.h index d1c6854b7..d45063672 100644 --- a/test/validation/api/ipsec/ipsec.h +++ b/test/validation/api/ipsec/ipsec.h @@ -83,6 +83,7 @@ int ipsec_check_ah_sha256(void); int ipsec_check_esp_null_sha256(void); int ipsec_check_esp_aes_cbc_128_null(void); int ipsec_check_esp_aes_cbc_128_sha256(void); +int ipsec_check_esp_aes_ctr_128_null(void); int ipsec_check_esp_aes_gcm_128(void); int ipsec_check_esp_aes_gcm_256(void); diff --git a/test/validation/api/ipsec/ipsec_test_in.c b/test/validation/api/ipsec/ipsec_test_in.c index 598a83e3f..8c883262a 100644 --- a/test/validation/api/ipsec/ipsec_test_in.c +++ b/test/validation/api/ipsec/ipsec_test_in.c 
@@ -191,6 +191,36 @@ static void test_in_esp_aes_cbc_sha256(void) ipsec_sa_destroy(sa); } +static void test_in_esp_aes_ctr_null(void) +{ + odp_ipsec_sa_param_t param; + odp_ipsec_sa_t sa; + + ipsec_sa_param_fill(¶m, + true, false, 123, NULL, + ODP_CIPHER_ALG_AES_CTR, &key_a5_128, + ODP_AUTH_ALG_NULL, NULL, + &key_mcgrew_gcm_salt_3); + + sa = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa); + + ipsec_test_part test = { + .pkt_in = &pkt_icmp_0_esp_aes_ctr_null_1, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_check_in_one(&test, sa); + + ipsec_sa_destroy(sa); +} + static void test_in_lookup_ah_sha256(void) { odp_ipsec_sa_param_t param; @@ -987,6 +1017,8 @@ odp_testinfo_t ipsec_in_suite[] = { ipsec_check_esp_aes_cbc_128_null), ODP_TEST_INFO_CONDITIONAL(test_in_esp_aes_cbc_sha256, ipsec_check_esp_aes_cbc_128_sha256), + ODP_TEST_INFO_CONDITIONAL(test_in_esp_aes_ctr_null, + ipsec_check_esp_aes_ctr_128_null), ODP_TEST_INFO_CONDITIONAL(test_in_lookup_ah_sha256, ipsec_check_ah_sha256), ODP_TEST_INFO_CONDITIONAL(test_in_lookup_esp_null_sha256, diff --git a/test/validation/api/ipsec/ipsec_test_out.c b/test/validation/api/ipsec/ipsec_test_out.c index 39a3c30ff..b543271bf 100644 --- a/test/validation/api/ipsec/ipsec_test_out.c +++ b/test/validation/api/ipsec/ipsec_test_out.c 
@@ -277,6 +277,48 @@ static void test_out_esp_aes_cbc_sha256(void) ipsec_sa_destroy(sa); } +static void test_out_esp_aes_ctr_null(void) +{ + odp_ipsec_sa_param_t param; + odp_ipsec_sa_t sa; + odp_ipsec_sa_t sa2; + + ipsec_sa_param_fill(¶m, + false, false, 123, NULL, + ODP_CIPHER_ALG_AES_CTR, &key_a5_128, + ODP_AUTH_ALG_NULL, NULL, + &key_mcgrew_gcm_salt_3); + + sa = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa); + + ipsec_sa_param_fill(¶m, + true, false, 123, NULL, + ODP_CIPHER_ALG_AES_CTR, &key_a5_128, + ODP_AUTH_ALG_NULL, NULL, + &key_mcgrew_gcm_salt_3); + + sa2 = odp_ipsec_sa_create(¶m); + + CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa2); + + ipsec_test_part test = { + .pkt_in = &pkt_icmp_0, + .out_pkt = 1, + .out = { + { .status.warn.all = 0, + .status.error.all = 0, + .pkt_out = &pkt_icmp_0 }, + }, + }; + + ipsec_check_out_in_one(&test, sa, sa2); + + ipsec_sa_destroy(sa2); + ipsec_sa_destroy(sa); +} + static void test_out_esp_aes_gcm128(void) { odp_ipsec_sa_param_t param; @@ -342,6 +384,8 @@ odp_testinfo_t ipsec_out_suite[] = { ipsec_check_esp_aes_cbc_128_null), ODP_TEST_INFO_CONDITIONAL(test_out_esp_aes_cbc_sha256, ipsec_check_esp_aes_cbc_128_sha256), + ODP_TEST_INFO_CONDITIONAL(test_out_esp_aes_ctr_null, + ipsec_check_esp_aes_ctr_128_null), ODP_TEST_INFO_CONDITIONAL(test_out_esp_aes_gcm128, ipsec_check_esp_aes_gcm_128), ODP_TEST_INFO_NULL, diff --git a/test/validation/api/ipsec/test_vectors.h b/test/validation/api/ipsec/test_vectors.h index 593a8f450..fbf7d366c 100644 --- a/test/validation/api/ipsec/test_vectors.h +++ b/test/validation/api/ipsec/test_vectors.h 
@@ -583,6 +583,45 @@ static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_aes_cbc_sha256_1 = { }, }; +static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_aes_ctr_null_1 = { + .len = 162, + .l2_offset = 0, + .l3_offset = 14, + .l4_offset = 34, + .data = { + /* ETH */ + 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00, + + /* IP */ + 0x45, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x00, + 0x40, 0x32, 0xab, 0xe2, 0xc0, 0xa8, 0x6f, 0x02, + 0xc0, 0xa8, 0xde, 0x02, + + /* ESP */ + 0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + + /* data */ + 0x39, 0xab, 0xe5, 0xae, 0x74, 0x57, 0x76, 0x7f, + 0x1d, 0x1f, 0xce, 0xe8, 0xca, 0xf1, 0x87, 0xf5, + 0xfd, 0x9e, 0x1d, 0x20, 0x38, 0x30, 0x8a, 0xe5, + 0xb9, 0x55, 0x80, 0x7b, 0xfd, 0x9d, 0xb9, 0x99, + 0x85, 0xcd, 0xb5, 0x30, 0x86, 0xaa, 0xe1, 0x7a, + 0x69, 0xe5, 0xfa, 0x38, 0xf3, 0x0f, 0x91, 0x18, + 0x75, 0x7b, 0x5f, 0x4e, 0x69, 0x17, 0xaa, 0xe7, + 0x84, 0x6c, 0x40, 0x31, 0xec, 0x87, 0x4c, 0x8c, + 0xb3, 0xb4, 0x9f, 0x7e, 0xea, 0x83, 0x6f, 0xc6, + 0x11, 0xd5, 0xce, 0xbe, 0x65, 0x37, 0x1c, 0xb6, + 0xd3, 0xcb, 0x51, 0xa8, 0xa4, 0x0e, 0x3e, 0xe6, + 0x26, 0xd8, 0x17, 0xec, 0x8b, 0xca, 0x79, 0x96, + 0xa0, 0xcd, 0x6f, 0xdd, 0x9e, 0xe9, 0x6a, 0xc0, + 0xf2, 0x6c, 0xdb, 0xfd, 0x99, 0xa2, 0xb5, 0xbf, + }, +}; + static const ODP_UNUSED ipsec_test_packet pkt_rfc3602_5 = { .len = 98, .l2_offset = 0,
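Review bot: test_out_esp_aes_ctr_null() in ipsec_test_out.c only runs a loopback through ipsec_check_out_in_one() with pkt_out = &pkt_icmp_0, so an IV or counter-block mistake made the same way in both directions still passes. If the counter IV is deterministic for a fresh SA, compare the outbound packet against a known ciphertext as well; pkt_icmp_0_esp_aes_ctr_null_1 already exists for the inbound test, and a comment in test_vectors.h saying how that vector was produced (an independent implementation or this code) would tell the reader whether it proves interoperability. Both tests pair ODP_CIPHER_ALG_AES_CTR with ODP_AUTH_ALG_NULL and reuse key_mcgrew_gcm_salt_3 as the nonce; add a case with ODP_AUTH_ALG_SHA256_HMAC, since CTR provides no integrity on its own, and give the salt a CTR-specific name. The commit message carries a subject and sign-off only; one sentence on what the tests cover would help.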