From: "Ananyev, Konstantin"
To: Hemant Agrawal, "dev@dpdk.org"
CC: "akhil.goyal@nxp.com"
Date: Wed, 6 Nov 2019 13:31:20 +0000
Subject: Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz

Hi guys,

> The rte_security lib has introduced replay_win_sz,
> so it can be removed from the rte_ipsec lib.
>
> The related tests, app are also updated to reflect
> the usages.
>
> Note that esn and anti-replay fields were earlier used
> only for ipsec library, they were enabling the libipsec
> by default. With this change esn and anti-replay setting
> will not automatically enable libipsec.
>
> Signed-off-by: Hemant Agrawal
> Acked-by: Konstantin Ananyev
> --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > examples/ipsec-secgw/ipsec.c | 4 ++++ > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 9 files changed, 15 insertions(+), 18 deletions(-) >=20 > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t f= lags) >=20 > prm->userdata =3D 1; > prm->flags =3D flags; > - prm->replay_win_sz =3D replay_win_sz; >=20 > /* setup ipsec xform */ > prm->ipsec_xform =3D ut_params->ipsec_xform; > prm->ipsec_xform.salt =3D (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz =3D replay_win_sz; >=20 > /* setup tunnel related fields */ > prm->tun.hdr_len =3D sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_note= s/release_19_11.rst > index dcae08002..0504a3443 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -369,10 +369,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. >=20 > -* security: A new field ''replay_win_sz'' has been added to the structur= e > +* security: The field ''replay_win_sz'' has been moved from ipsec librar= y > + based ''rte_ipsec_sa_prm'' structure to security library based structu= re > ``rte_security_ipsec_xform``, which specify the Anti replay window siz= e > to enable sequence replay attack handling. >=20 > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. >=20 > Shared Library Versions > ----------------------- > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were increme= nted in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ip= sec-secgw.c > index b12936470..3b5aaf683 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > printf("librte_ipsec usage: %s\n", > (prm->enable =3D=3D 0) ? "disabled" : "enabled"); >=20 > - if (prm->enable =3D=3D 0) > - return; > - > printf("replay window size: %u\n", prm->window_size); > printf("ESN: %s\n", (prm->enable_esn =3D=3D 0) ? "disabled" : "enabled"= ); > printf("SA flags: %#" PRIx64 "\n", prm->flags); 
> @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > app_sa_prm.enable =3D 1; > break; > case 'w': > - app_sa_prm.enable =3D 1;

That actually will break lib-mode functional tests at:
examples/ipsec-secgw/test/
Due to my laziness I enabled in them library mode via '-w' option,
as that moment legacy mode didn't support replay window...
As these patches already applied, I'll send the fix in a new one in next few.

> app_sa_prm.window_size =3D parse_decimal(optarg); > break; > case 'e': > - app_sa_prm.enable =3D 1; > app_sa_prm.enable_esn =3D 1; > break; > case 'a': > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d7761e966..d4b57121a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security= _ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz =3D app_sa_prm.window_size; > + ipsec->options.esn =3D app_sa_prm.enable_esn;

Ok, but what to do for the devices that don't support esn or replay_win_sz?
Should we add some check? Either to the app, or preferably into rte_security
level at rte_security_session_create()?

> } >=20 > int > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, s= truct ipsec_sa *sa, > .spi =3D sa->spi, > .salt =3D sa->salt, > .options =3D { 0 }, > + .replay_win_sz =3D 0, > .direction =3D sa->direction, > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode =3D (IS_TUNNEL(sa->flags)) ? > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, str= uct ipsec_sa *sa, > .spi =3D sa->spi, > .salt =3D sa->salt, > .options =3D { 0 }, > + .replay_win_sz =3D 0, > .direction =3D sa->direction, > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode =3D (sa->flags =3D=3D IP4_TUNNEL || > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a8dee342e..4605a3a6c 100644
> --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, >=20 > prm->flags =3D app_prm->flags; > prm->ipsec_xform.options.esn =3D app_prm->enable_esn; > - prm->replay_win_sz =3D app_prm->window_size; > + prm->ipsec_xform.replay_win_sz =3D app_prm->window_size; > } >=20 > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS +=3D -lrte_cryptodev -lrte_security -lrte_hash >=20 > EXPORT_MAP :=3D rte_ipsec_version.map >=20 > -LIBABIVER :=3D 1 > +LIBABIVER :=3D 2 >=20 > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) +=3D esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation >=20 > +version =3D 2 > allow_experimental_apis =3D true >=20 > sources =3D files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad= .c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec= _sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; >=20 > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c 
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; >=20 > /* determine required size */ > - wsz =3D prm->replay_win_sz; > + wsz =3D prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } >=20 > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const stru= ct rte_ipsec_sa_prm *prm, > return rc; >=20 > /* determine required size */ > - wsz =3D prm->replay_win_sz; > + wsz =3D prm->ipsec_xform.replay_win_sz; > sz =3D ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1
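
Review bot: in the release_19_11.rst "ABI Changes" hunk, the added lines mark up replay_win_sz and rte_ipsec_sa_prm with two single quotes ('') while the same entry uses RST double backticks for rte_security_ipsec_xform, so the field and structure names will not render as literals; use double backticks throughout. The security and ipsec bullets also describe the same change twice ("moved from" and "removed from ... as it has been added"), so one entry naming both structures would be enough, and "which specify" should read "which specifies".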
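
Review bot: in the print_app_sa_prm() hunk of examples/ipsec-secgw/ipsec-secgw.c, removing the early return on prm->enable == 0 means "SA flags" is now printed when librte_ipsec is disabled, yet the only place this patch forwards app_sa_prm into a security xform (set_ipsec_conf() in ipsec.c) copies window_size and enable_esn, not flags. Keep the flags line under the enable check, or make the output say that it applies to library mode only, so the startup banner does not report a setting that the visible legacy path never consumes.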
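
Review bot: in the parse_args() hunk of examples/ipsec-secgw/ipsec-secgw.c, dropping app_sa_prm.enable = 1 from the 'w' and 'e' cases silently changes what an existing command line does: the same options now set a replay window or ESN without switching to library mode. The diffstat touches nothing under examples/ipsec-secgw/test/ and no application guide, so the scripts and documentation that relied on the old coupling should be updated in the same patch, and the release note should state that library mode now has to be requested explicitly.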
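
Review bot: in examples/ipsec-secgw/ipsec.c, create_lookaside_session() and create_inline_session() now spell out .replay_win_sz = 0 next to .options = { 0 }, while set_ipsec_conf() assigns app_sa_prm.window_size and app_sa_prm.enable_esn unconditionally, and the hunks do not show which value a session ends up with. The comment removed from rte_ipsec_sa.h says a window size of 0 disables replay checking, so this matters: if set_ipsec_conf() always overwrites the initializer, the explicit 0 is redundant (a designated initializer already zeroes unnamed members) and can be dropped; if it does not, those sessions run with anti-replay off whatever window was configured, and that needs a comment at least. The two assignments in set_ipsec_conf() are also made without any check of what the device supports, so a validation step with an error return belongs before the values are handed to session creation.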
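
Review bot: the rte_ipsec_sa.h hunk deletes the only comment in this patch that documents the semantics of the field ("replay checking is disabled if the window size is 0"). rte_ipsec_sa_size() and rte_ipsec_sa_init() in lib/librte_ipsec/sa.c now read prm->ipsec_xform.replay_win_sz, so the doxygen for rte_ipsec_sa_prm should say where the window size is taken from and keep the statement that 0 turns anti-replay off, unless the comment on the rte_security field already carries it.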