From patchwork Mon Jan 29 15:00:13 2018
X-Patchwork-Submitter: Github ODP bot
X-Patchwork-Id: 126168
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:13 +0300
Message-Id: <1517238014-22220-5-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
References: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 4/5] linux-gen: ipsec: prevent sa_lookup from matching outbound SAs

From: Dmitry Eremin-Solenikov

lookup_mode was valid only for inbound SAs but contained garbage for
outbound SAs. Thus it was possible for lookup to match SA with outbound
SA. Prevent that by marking all outbound SAs as
ODP_IPSEC_LOOKUP_DISABLED.

Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
 platform/linux-generic/include/odp_ipsec_internal.h | 2 +-
 platform/linux-generic/odp_ipsec_sad.c | 14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index dbdcbb917..bdb86c400 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -122,6 +122,7 @@ struct ipsec_sa_s { uint8_t salt[IPSEC_MAX_SALT_LEN]; uint32_t salt_length; + odp_ipsec_lookup_mode_t lookup_mode; union { unsigned flags; 
@@ -144,7 +145,6 @@ struct ipsec_sa_s { union { struct { - odp_ipsec_lookup_mode_t lookup_mode; odp_ipsec_ip_version_t lookup_ver; union { odp_u32be_t lookup_dst_ipv4; diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index ad229e754..2af72bbb5 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -274,8 +274,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->mode = param->mode; ipsec_sa->flags = 0; if (ODP_IPSEC_DIR_INBOUND == param->dir) { - ipsec_sa->in.lookup_mode = param->inbound.lookup_mode; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode) { + ipsec_sa->lookup_mode = param->inbound.lookup_mode; + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode) { ipsec_sa->in.lookup_ver = param->inbound.lookup_param.ip_version; if (ODP_IPSEC_IPV4 == ipsec_sa->in.lookup_ver) @@ -293,6 +293,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0); odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0); } else { + ipsec_sa->lookup_mode = ODP_IPSEC_LOOKUP_DISABLED; odp_atomic_store_u32(&ipsec_sa->out.seq, 1); ipsec_sa->out.frag_mode = param->outbound.frag_mode; ipsec_sa->out.mtu = param->outbound.mtu; @@ -552,19 +553,16 @@ int odp_ipsec_sa_mtu_update(odp_ipsec_sa_t sa, uint32_t mtu) ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) { - (void)lookup; - int i; - ipsec_sa_t *ipsec_sa; ipsec_sa_t *best = NULL; for (i = 0; i < ODP_CONFIG_IPSEC_SAS; i++) { - ipsec_sa = ipsec_sa_entry(i); + ipsec_sa_t *ipsec_sa = ipsec_sa_entry(i); if (ipsec_sa_lock(ipsec_sa) < 0) continue; - if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode && + if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi && lookup->ver == ipsec_sa->in.lookup_ver && 
@@ -576,7 +574,7 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup) _odp_ipsec_sa_unuse(best); return ipsec_sa; } else if (NULL == best && - ODP_IPSEC_LOOKUP_SPI == ipsec_sa->in.lookup_mode && + ODP_IPSEC_LOOKUP_SPI == ipsec_sa->lookup_mode && lookup->proto == ipsec_sa->proto && lookup->spi == ipsec_sa->spi) { best = ipsec_sa;
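
Review bot: The relocated `lookup_mode` member of `struct ipsec_sa_s` (odp_ipsec_internal.h, hunks at -122 and -144) carries no comment saying that it is now valid for both directions and is always ODP_IPSEC_LOOKUP_DISABLED for outbound SAs. The fields left behind in the inbound struct (`lookup_ver`, `lookup_dst_ipv4`) still sit inside a union, so they are meaningful only when `lookup_mode` says so; a one-line comment on the new member stating that invariant would keep a later change from reintroducing the original problem.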
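
Review bot: In odp_ipsec_sa_create() (odp_ipsec_sad.c, hunks at -274 and -293) `lookup_mode` is assigned separately in each direction branch, so an SA is excluded from lookup only if every branch remembers to set it. Consider initialising it once to ODP_IPSEC_LOOKUP_DISABLED next to `ipsec_sa->flags = 0;` and letting the inbound branch overwrite it from `param->inbound.lookup_mode`, which gives a safe default for any path added later.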
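
Review bot: In _odp_ipsec_sa_lookup() (odp_ipsec_sad.c, hunk at -552) the DSTADDR_SPI condition still reads `ipsec_sa->in.lookup_ver`, which is safe for outbound entries only because the `lookup_mode` test comes first in the `&&` chain. A short comment noting that `lookup_mode` must be checked before any `in.*` field would protect that ordering. The removal of `(void)lookup;` and the move of the `ipsec_sa` declaration into the loop are cleanups unrelated to the fix and not mentioned in the commit message; mention them there or split them into their own patch.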
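
Review bot: The SPI-only branch of _odp_ipsec_sa_lookup() (odp_ipsec_sad.c, hunk at -576) has the fewest conditions, only `proto` and `spi` once `lookup_mode` matches, yet the diffstat shows no test file touched to cover it. A validation case that creates an inbound and an outbound SA with the same protocol and SPI and checks that lookup returns only the inbound one would pin the fix down for both lookup modes.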