ipsec: fix transport mode for IPv6 with extensions

Reconstructing IPv6 header after encryption or decryption requires
updating 'next header' value in the preceding protocol header, which
is determined by parsing IPv6 header and iteratively looking for
next IPv6 header extension.

It is required that 'l3_len' in the mbuf metadata contains a total
length of the IPv6 header with header extensions up to ESP header.

Fixes: 4d7ea3e1459b ("ipsec: implement SA data-path API")
Cc: stable@dpdk.org
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

diff --git a/lib/Makefile b/lib/Makefile
index 791e0d9911d69593e9de590c804f4554ef053691..3ad579f682542c33b2dc219860f990934fe87def 100644 (file)
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -108,7 +108,8 @@ DEPDIRS-librte_gso += librte_mempool
 DIRS-$(CONFIG_RTE_LIBRTE_BPF) += librte_bpf
 DEPDIRS-librte_bpf := librte_eal librte_mempool librte_mbuf librte_ethdev
 DIRS-$(CONFIG_RTE_LIBRTE_IPSEC) += librte_ipsec
-DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security
+DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security \
+                       librte_net
 DIRS-$(CONFIG_RTE_LIBRTE_TELEMETRY) += librte_telemetry
 DEPDIRS-librte_telemetry := librte_eal librte_metrics librte_ethdev
 DIRS-$(CONFIG_RTE_LIBRTE_RCU) += librte_rcu

diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index a0ca41d51b502f0e0e90a0e2ffb99279150a7528..62d78b7b176c43f226f4560bec464bc100cb62ff 100644 (file)
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -5,6 +5,8 @@
 #ifndef _IPH_H_
 #define _IPH_H_
 
+#include <rte_ip.h>
+
 /**
  * @file iph.h
  * Contains functions/structures/macros to manipulate IPv4/IPv6 headers
@@ -40,24 +42,61 @@ static inline int
 update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
                uint32_t l2len, uint32_t l3len, uint8_t proto)
 {
-       struct rte_ipv4_hdr *v4h;
-       struct rte_ipv6_hdr *v6h;
        int32_t rc;
 
+       /* IPv4 */
        if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4) {
+               struct rte_ipv4_hdr *v4h;
+
                v4h = p;
                rc = v4h->next_proto_id;
                v4h->next_proto_id = proto;
                v4h->total_length = rte_cpu_to_be_16(plen - l2len);
-       } else if (l3len == sizeof(*v6h)) {
+       /* IPv6 */
+       } else {
+               struct rte_ipv6_hdr *v6h;
+               uint8_t *p_nh;
+
                v6h = p;
-               rc = v6h->proto;
-               v6h->proto = proto;
+
+               /* basic IPv6 header with no extensions */
+               if (l3len == sizeof(struct rte_ipv6_hdr))
+                       p_nh = &v6h->proto;
+
+               /* IPv6 with extensions */
+               else {
+                       size_t ext_len;
+                       int nh;
+                       uint8_t *pd, *plimit;
+
+                       /* locate last extension within l3len bytes */
+                       pd = (uint8_t *)p;
+                       plimit = pd + l3len;
+                       ext_len = sizeof(struct rte_ipv6_hdr);
+                       nh = v6h->proto;
+                       while (pd + ext_len < plimit) {
+                               pd += ext_len;
+                               nh = rte_ipv6_get_next_ext(pd, nh, &ext_len);
+                               if (unlikely(nh < 0))
+                                       return -EINVAL;
+                       }
+
+                       /* invalid l3len - extension exceeds header length */
+                       if (unlikely(pd + ext_len != plimit))
+                               return -EINVAL;
+
+                       /* save last extension offset */
+                       p_nh = pd;
+               }
+
+               /* update header type; return original value */
+               rc = *p_nh;
+               *p_nh = proto;
+
+               /* fix packet length */
                v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
                                sizeof(*v6h));
-       /* need to add support for IPv6 with options */
-       } else
-               rc = -ENOTSUP;
+       }
 
        return rc;
 }

diff --git a/lib/meson.build b/lib/meson.build
index 5ddf1ca116e51211a0261aedeea9176adf54abd2..3d77b1f9014a8310bc4876023967534e335e6cda 100644 (file)
--- a/lib/meson.build
+++ b/lib/meson.build
@@ -23,7 +23,7 @@ libraries = [
        'kni', 'latencystats', 'lpm', 'member',
        'power', 'pdump', 'rawdev',
        'rcu', 'reorder', 'sched', 'security', 'stack', 'vhost',
-       #ipsec lib depends on crypto and security
+       # ipsec lib depends on net, crypto and security
        'ipsec',
        # add pkt framework libs which use other libs from above
        'port', 'table', 'pipeline',