Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz

["Ananyev, Konstantin" <konstantin.ananyev@intel.com>]

> > > The rte_security lib has introduced replay_win_sz,
> > > so it can be removed from the rte_ipsec lib.
> > >
> > > The relaved tests,app are also update to reflect
> > > the usages.
> > >
> > > Note that esn and anti-replay fileds were earlier used
> > > only for ipsec library, they were enabling the libipsec
> > > by default. With this change esn and anti-replay setting
> > > will not automatically enabled libipsec.
> > >
> > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > > ---
> > >  app/test/test_ipsec.c                  | 2 +-
> > >  doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> > >  examples/ipsec-secgw/ipsec-secgw.c     | 5 -----
> > >  examples/ipsec-secgw/ipsec.c           | 4 ++++
> > >  examples/ipsec-secgw/sa.c              | 2 +-
> > >  lib/librte_ipsec/Makefile              | 2 +-
> > >  lib/librte_ipsec/meson.build           | 1 +
> > >  lib/librte_ipsec/rte_ipsec_sa.h        | 6 ------
> > >  lib/librte_ipsec/sa.c                  | 4 ++--
> > >  9 files changed, 15 insertions(+), 18 deletions(-)
> > >
> > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> > > index 4007eff19..7dc83fee7 100644
> > > --- a/app/test/test_ipsec.c
> > > +++ b/app/test/test_ipsec.c
> > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t
> > flags)
> > >
> > >  	prm->userdata = 1;
> > >  	prm->flags = flags;
> > > -	prm->replay_win_sz = replay_win_sz;
> > >
> > >  	/* setup ipsec xform */
> > >  	prm->ipsec_xform = ut_params->ipsec_xform;
> > >  	prm->ipsec_xform.salt = (uint32_t)rte_rand();
> > > +	prm->ipsec_xform.replay_win_sz = replay_win_sz;
> > >
> > >  	/* setup tunnel related fields */
> > >  	prm->tun.hdr_len = sizeof(ipv4_outer);
> > > diff --git a/doc/guides/rel_notes/release_19_11.rst
> > b/doc/guides/rel_notes/release_19_11.rst
> > > index dcae08002..0504a3443 100644
> > > --- a/doc/guides/rel_notes/release_19_11.rst
> > > +++ b/doc/guides/rel_notes/release_19_11.rst
> > > @@ -369,10 +369,13 @@ ABI Changes
> > >    align the Ethernet header on receive and all known encapsulations
> > >    preserve the alignment of the header.
> > >
> > > -* security: A new field ''replay_win_sz'' has been added to the structure
> > > +* security: The field ''replay_win_sz'' has been moved from ipsec library
> > > +  based ''rte_ipsec_sa_prm'' structure to security library based structure
> > >    ``rte_security_ipsec_xform``, which specify the Anti replay window size
> > >    to enable sequence replay attack handling.
> > >
> > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> > > +  ''rte_ipsec_sa_prm'' as it has been added to the security library.
> > >
> > >  Shared Library Versions
> > >  -----------------------
> > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> > incremented in this version.
> > >       librte_gso.so.1
> > >       librte_hash.so.2
> > >       librte_ip_frag.so.1
> > > -     librte_ipsec.so.1
> > > +   + librte_ipsec.so.2
> > >       librte_jobstats.so.1
> > >       librte_kni.so.2
> > >       librte_kvargs.so.1
> > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > secgw/ipsec-secgw.c
> > > index b12936470..3b5aaf683 100644
> > > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
> > >  	printf("librte_ipsec usage: %s\n",
> > >  		(prm->enable == 0) ? "disabled" : "enabled");
> > >
> > > -	if (prm->enable == 0)
> > > -		return;
> > > -
> > >  	printf("replay window size: %u\n", prm->window_size);
> > >  	printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> > >  	printf("SA flags: %#" PRIx64 "\n", prm->flags);
> > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> > >  			app_sa_prm.enable = 1;
> > >  			break;
> > >  		case 'w':
> > > -			app_sa_prm.enable = 1;
> >
> > That actually will break lib-mode functional tests at:
> > examples/ipsec-secgw/test/
> > Due to my laziness I enabled in them library mode via '-w' option,
> > as that moment legacy mode didn't support replay window...
> > As these patches already applied, I'll send the fix in a new one in next few.
> 
> No issues, I will squash your changes with the original patch as it is not applied
> On master.

Ok, thanks.
Patch at:
http://patches.dpdk.org/patch/62540/

> 
> >
> > >  			app_sa_prm.window_size = parse_decimal(optarg);
> > >  			break;
> > >  		case 'e':
> > > -			app_sa_prm.enable = 1;
> > >  			app_sa_prm.enable_esn = 1;
> > >  			break;
> > >  		case 'a':
> > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > > index d7761e966..d4b57121a 100644
> > > --- a/examples/ipsec-secgw/ipsec.c
> > > +++ b/examples/ipsec-secgw/ipsec.c
> > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > rte_security_ipsec_xform *ipsec)
> > >  		/* TODO support for Transport */
> > >  	}
> > >  	ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > > +	ipsec->replay_win_sz = app_sa_prm.window_size;
> > > +	ipsec->options.esn = app_sa_prm.enable_esn;
> >
> > Ok, but what to do for the devices that don't support esn or replay_win_sz?
> > Should we add some check? Either to the app, or preferably into rte_security
> > level at  rte_security_session_create()?
> 
> Ideally app should check the capability of the device before setting it.

Yes... after another thought - as right now we do create session at run-time,
probably we need to check these device capabilities at init stage and report an error.   
Konstantin

> 
> 
> > >  }
> > >
> > >  int
> > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
> > struct ipsec_sa *sa,
> > >  				.spi = sa->spi,
> > >  				.salt = sa->salt,
> > >  				.options = { 0 },
> > > +				.replay_win_sz = 0,
> > >  				.direction = sa->direction,
> > >  				.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > >  				.mode = (IS_TUNNEL(sa->flags)) ?
> > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx,
> > struct ipsec_sa *sa,
> > >  			.spi = sa->spi,
> > >  			.salt = sa->salt,
> > >  			.options = { 0 },
> > > +			.replay_win_sz = 0,
> > >  			.direction = sa->direction,
> > >  			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > >  			.mode = (sa->flags == IP4_TUNNEL ||
> > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> > > index a8dee342e..4605a3a6c 100644
> > > --- a/examples/ipsec-secgw/sa.c
> > > +++ b/examples/ipsec-secgw/sa.c
> > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm
> > *prm,
> > >
> > >  	prm->flags = app_prm->flags;
> > >  	prm->ipsec_xform.options.esn = app_prm->enable_esn;
> > > -	prm->replay_win_sz = app_prm->window_size;
> > > +	prm->ipsec_xform.replay_win_sz = app_prm->window_size;
> > >  }
> > >
> > >  static int
> > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> > > index 81fb99980..161ea9e3d 100644
> > > --- a/lib/librte_ipsec/Makefile
> > > +++ b/lib/librte_ipsec/Makefile
> > > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
> > >
> > >  EXPORT_MAP := rte_ipsec_version.map
> > >
> > > -LIBABIVER := 1
> > > +LIBABIVER := 2
> > >
> > >  # all source are stored in SRCS-y
> > >  SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
> > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> > > index 70358526b..e8604dadd 100644
> > > --- a/lib/librte_ipsec/meson.build
> > > +++ b/lib/librte_ipsec/meson.build
> > > @@ -1,6 +1,7 @@
> > >  # SPDX-License-Identifier: BSD-3-Clause
> > >  # Copyright(c) 2018 Intel Corporation
> > >
> > > +version = 2
> > >  allow_experimental_apis = true
> > >
> > >  sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
> > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> > > index 47ce169d2..1cfde5874 100644
> > > --- a/lib/librte_ipsec/rte_ipsec_sa.h
> > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
> > >  			uint8_t proto;  /**< next header protocol */
> > >  		} trs; /**< transport mode related parameters */
> > >  	};
> > > -
> > > -	/**
> > > -	 * window size to enable sequence replay attack handling.
> > > -	 * replay checking is disabled if the window size is 0.
> > > -	 */
> > > -	uint32_t replay_win_sz;
> > >  };
> > >
> > >  /**
> > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> > > index 23d394b46..6f1d92c3c 100644
> > > --- a/lib/librte_ipsec/sa.c
> > > +++ b/lib/librte_ipsec/sa.c
> > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
> > >  		return rc;
> > >
> > >  	/* determine required size */
> > > -	wsz = prm->replay_win_sz;
> > > +	wsz = prm->ipsec_xform.replay_win_sz;
> > >  	return ipsec_sa_size(type, &wsz, &nb);
> > >  }
> > >
> > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct
> > rte_ipsec_sa_prm *prm,
> > >  		return rc;
> > >
> > >  	/* determine required size */
> > > -	wsz = prm->replay_win_sz;
> > > +	wsz = prm->ipsec_xform.replay_win_sz;
> > >  	sz = ipsec_sa_size(type, &wsz, &nb);
> > >  	if (sz < 0)
> > >  		return sz;
> > > --
> > > 2.17.1