From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com
Subject: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz
Date: Wed, 6 Nov 2019 12:24:13 +0530 [thread overview]
Message-ID: <20191106065414.4311-2-hemant.agrawal@nxp.com> (raw)
In-Reply-To: <20191106065414.4311-1-hemant.agrawal@nxp.com>
The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.
The relaved tests,app are also update to reflect
the usages.
Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
app/test/test_ipsec.c | 2 +-
doc/guides/rel_notes/release_19_11.rst | 7 +++++--
examples/ipsec-secgw/ipsec-secgw.c | 5 -----
examples/ipsec-secgw/ipsec.c | 4 ++++
examples/ipsec-secgw/sa.c | 2 +-
lib/librte_ipsec/Makefile | 2 +-
lib/librte_ipsec/meson.build | 1 +
lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
lib/librte_ipsec/sa.c | 4 ++--
9 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index 4007eff19..7dc83fee7 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags)
prm->userdata = 1;
prm->flags = flags;
- prm->replay_win_sz = replay_win_sz;
/* setup ipsec xform */
prm->ipsec_xform = ut_params->ipsec_xform;
prm->ipsec_xform.salt = (uint32_t)rte_rand();
+ prm->ipsec_xform.replay_win_sz = replay_win_sz;
/* setup tunnel related fields */
prm->tun.hdr_len = sizeof(ipv4_outer);
diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
index dcae08002..0504a3443 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -369,10 +369,13 @@ ABI Changes
align the Ethernet header on receive and all known encapsulations
preserve the alignment of the header.
-* security: A new field ''replay_win_sz'' has been added to the structure
+* security: The field ''replay_win_sz'' has been moved from ipsec library
+ based ''rte_ipsec_sa_prm'' structure to security library based structure
``rte_security_ipsec_xform``, which specify the Anti replay window size
to enable sequence replay attack handling.
+* ipsec: The field ''replay_win_sz'' has been removed from the structure
+ ''rte_ipsec_sa_prm'' as it has been added to the security library.
Shared Library Versions
-----------------------
@@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version.
librte_gso.so.1
librte_hash.so.2
librte_ip_frag.so.1
- librte_ipsec.so.1
+ + librte_ipsec.so.2
librte_jobstats.so.1
librte_kni.so.2
librte_kvargs.so.1
diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
index b12936470..3b5aaf683 100644
--- a/examples/ipsec-secgw/ipsec-secgw.c
+++ b/examples/ipsec-secgw/ipsec-secgw.c
@@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
printf("librte_ipsec usage: %s\n",
(prm->enable == 0) ? "disabled" : "enabled");
- if (prm->enable == 0)
- return;
-
printf("replay window size: %u\n", prm->window_size);
printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
printf("SA flags: %#" PRIx64 "\n", prm->flags);
@@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
app_sa_prm.enable = 1;
break;
case 'w':
- app_sa_prm.enable = 1;
app_sa_prm.window_size = parse_decimal(optarg);
break;
case 'e':
- app_sa_prm.enable = 1;
app_sa_prm.enable_esn = 1;
break;
case 'a':
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
index d7761e966..d4b57121a 100644
--- a/examples/ipsec-secgw/ipsec.c
+++ b/examples/ipsec-secgw/ipsec.c
@@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
/* TODO support for Transport */
}
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->replay_win_sz = app_sa_prm.window_size;
+ ipsec->options.esn = app_sa_prm.enable_esn;
}
int
@@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
+ .replay_win_sz = 0,
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (IS_TUNNEL(sa->flags)) ?
@@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
+ .replay_win_sz = 0,
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (sa->flags == IP4_TUNNEL ||
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index a8dee342e..4605a3a6c 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm,
prm->flags = app_prm->flags;
prm->ipsec_xform.options.esn = app_prm->enable_esn;
- prm->replay_win_sz = app_prm->window_size;
+ prm->ipsec_xform.replay_win_sz = app_prm->window_size;
}
static int
diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
index 81fb99980..161ea9e3d 100644
--- a/lib/librte_ipsec/Makefile
+++ b/lib/librte_ipsec/Makefile
@@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
EXPORT_MAP := rte_ipsec_version.map
-LIBABIVER := 1
+LIBABIVER := 2
# all source are stored in SRCS-y
SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
index 70358526b..e8604dadd 100644
--- a/lib/librte_ipsec/meson.build
+++ b/lib/librte_ipsec/meson.build
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: BSD-3-Clause
# Copyright(c) 2018 Intel Corporation
+version = 2
allow_experimental_apis = true
sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
index 47ce169d2..1cfde5874 100644
--- a/lib/librte_ipsec/rte_ipsec_sa.h
+++ b/lib/librte_ipsec/rte_ipsec_sa.h
@@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
uint8_t proto; /**< next header protocol */
} trs; /**< transport mode related parameters */
};
-
- /**
- * window size to enable sequence replay attack handling.
- * replay checking is disabled if the window size is 0.
- */
- uint32_t replay_win_sz;
};
/**
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 23d394b46..6f1d92c3c 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
return rc;
/* determine required size */
- wsz = prm->replay_win_sz;
+ wsz = prm->ipsec_xform.replay_win_sz;
return ipsec_sa_size(type, &wsz, &nb);
}
@@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
return rc;
/* determine required size */
- wsz = prm->replay_win_sz;
+ wsz = prm->ipsec_xform.replay_win_sz;
sz = ipsec_sa_size(type, &wsz, &nb);
if (sz < 0)
return sz;
--
2.17.1
next prev parent reply other threads:[~2019-11-06 6:57 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-25 6:20 [dpdk-dev] [PATCH 1/2] security: add anti replay window size Hemant Agrawal
2019-10-25 6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
2019-10-25 15:56 ` Hemant Agrawal
2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 13:08 ` Ananyev, Konstantin
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-31 10:21 ` Ananyev, Konstantin
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-10-31 6:29 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph
2019-10-31 7:30 ` Hemant Agrawal
2019-10-31 10:20 ` Ananyev, Konstantin
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-05 22:01 ` Akhil Goyal
2019-11-06 5:16 ` Hemant Agrawal
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-05 22:07 ` Akhil Goyal
2019-11-06 5:16 ` Hemant Agrawal
2019-11-01 6:16 ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph
2019-11-01 9:48 ` Hemant Agrawal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal
2019-11-06 6:54 ` Hemant Agrawal [this message]
2019-11-06 7:00 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Akhil Goyal
2019-11-06 13:31 ` Ananyev, Konstantin
2019-11-06 13:40 ` Akhil Goyal
2019-11-06 14:27 ` Ananyev, Konstantin
2019-11-06 14:29 ` Akhil Goyal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-06 7:02 ` Akhil Goyal
2019-11-06 13:15 ` [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191106065414.4311-2-hemant.agrawal@nxp.com \
--to=hemant.agrawal@nxp.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).