From: "Ananyev, Konstantin"
To: Akhil Goyal, Hemant Agrawal, "dev@dpdk.org"
Date: Wed, 6 Nov 2019 14:27:05 +0000
Message-ID: <2601191342CEEE43887BDE71AB97725801A8C811FB@IRSMSX104.ger.corp.intel.com>
Subject: Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz

> > > The rte_security lib has introduced replay_win_sz,
> > > so it can be removed from the rte_ipsec lib.
> > >
> > > The related tests, app are also updated to reflect
> > > the usages.
> > >
> > > Note that esn and anti-replay fields were earlier used
> > > only for ipsec library, they were enabling the libipsec
> > > by default. With this change esn and anti-replay setting
> > > will not automatically enable libipsec.
> > >
> > > Signed-off-by: Hemant Agrawal
> > > Acked-by: Konstantin Ananyev
> > > --- > > > app/test/test_ipsec.c | 2 +- > > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > > examples/ipsec-secgw/sa.c | 2 +- > > > lib/librte_ipsec/Makefile | 2 +- > > > lib/librte_ipsec/meson.build | 1 + > > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > > lib/librte_ipsec/sa.c | 4 ++-- > > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > > index 4007eff19..7dc83fee7 100644 > > > --- a/app/test/test_ipsec.c > > > +++ b/app/test/test_ipsec.c > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64= _t > > flags) > > > > > > prm->userdata =3D 1; > > > prm->flags =3D flags; > > > - prm->replay_win_sz =3D replay_win_sz; > > > > > > /* setup ipsec xform */ > > > prm->ipsec_xform =3D ut_params->ipsec_xform; > > > prm->ipsec_xform.salt =3D (uint32_t)rte_rand(); > > > + prm->ipsec_xform.replay_win_sz =3D replay_win_sz; > > > > > > /* setup tunnel related fields */ > > > prm->tun.hdr_len =3D sizeof(ipv4_outer); > > > diff --git a/doc/guides/rel_notes/release_19_11.rst > > b/doc/guides/rel_notes/release_19_11.rst > > > index dcae08002..0504a3443 100644 > > > --- a/doc/guides/rel_notes/release_19_11.rst > > > +++ b/doc/guides/rel_notes/release_19_11.rst
> > > @@ -369,10 +369,13 @@ ABI Changes > > > align the Ethernet header on receive and all known encapsulations > > > preserve the alignment of the header. > > > > > > -* security: A new field ''replay_win_sz'' has been added to the stru= cture > > > +* security: The field ''replay_win_sz'' has been moved from ipsec li= brary > > > + based ''rte_ipsec_sa_prm'' structure to security library based str= ucture > > > ``rte_security_ipsec_xform``, which specify the Anti replay window= size > > > to enable sequence replay attack handling. > > > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the struc= ture > > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > > > Shared Library Versions > > > ----------------------- > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > > incremented in this version. > > > librte_gso.so.1 > > > librte_hash.so.2 > > > librte_ip_frag.so.1 > > > - librte_ipsec.so.1 > > > + + librte_ipsec.so.2 > > > librte_jobstats.so.1 > > > librte_kni.so.2 > > > librte_kvargs.so.1 > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > secgw/ipsec-secgw.c > > > index b12936470..3b5aaf683 100644 > > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > > > printf("librte_ipsec usage: %s\n", > > > (prm->enable =3D=3D 0) ? "disabled" : "enabled"); > > > > > > - if (prm->enable =3D=3D 0) > > > - return; > > > - > > > printf("replay window size: %u\n", prm->window_size); > > > printf("ESN: %s\n", (prm->enable_esn =3D=3D 0) ? "disabled" : "enab= led"); > > > printf("SA flags: %#" PRIx64 "\n", prm->flags); 
> > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > > app_sa_prm.enable =3D 1; > > > break; > > > case 'w': > > > - app_sa_prm.enable =3D 1;
> >
> > That actually will break lib-mode functional tests at:
> > examples/ipsec-secgw/test/
> > Due to my laziness I enabled in them library mode via '-w' option,
> > as that moment legacy mode didn't support replay window...
> > As these patches already applied, I'll send the fix in a new one in next few.
>
> No issues, I will squash your changes with the original patch as it is not applied
> On master.

Ok, thanks.
Patch at: http://patches.dpdk.org/patch/62540/

>
> > > > > app_sa_prm.window_size =3D parse_decimal(optarg); > > > break; > > > case 'e': > > > - app_sa_prm.enable =3D 1; > > > app_sa_prm.enable_esn =3D 1; > > > break; > > > case 'a': > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipse= c.c > > > index d7761e966..d4b57121a 100644 > > > --- a/examples/ipsec-secgw/ipsec.c > > > +++ b/examples/ipsec-secgw/ipsec.c > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > > /* TODO support for Transport */ > > > } > > > ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > > + ipsec->replay_win_sz =3D app_sa_prm.window_size; > > > + ipsec->options.esn =3D app_sa_prm.enable_esn;
> >
> > Ok, but what to do for the devices that don't support esn or replay_win_sz?
> > Should we add some check? Either to the app, or preferably into rte_security
> > level at rte_security_session_create()?
>
> Ideally app should check the capability of the device before setting it.

Yes... after another thought - as right now we do create session at run-time,
probably we need to check these device capabilities at init stage and report an error.

Konstantin

>
>
> > > } > > > > > > int
> > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ct= x, > > struct ipsec_sa *sa, > > > .spi =3D sa->spi, > > > .salt =3D sa->salt, > > > .options =3D { 0 }, > > > + .replay_win_sz =3D 0, > > > .direction =3D sa->direction, > > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > > .mode =3D (IS_TUNNEL(sa->flags)) ? > > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, > > struct ipsec_sa *sa, > > > .spi =3D sa->spi, > > > .salt =3D sa->salt, > > > .options =3D { 0 }, > > > + .replay_win_sz =3D 0, > > > .direction =3D sa->direction, > > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > > .mode =3D (sa->flags =3D=3D IP4_TUNNEL || > > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > > index a8dee342e..4605a3a6c 100644 > > > --- a/examples/ipsec-secgw/sa.c > > > +++ b/examples/ipsec-secgw/sa.c > > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm > > *prm, > > > > > > prm->flags =3D app_prm->flags; > > > prm->ipsec_xform.options.esn =3D app_prm->enable_esn; > > > - prm->replay_win_sz =3D app_prm->window_size; > > > + prm->ipsec_xform.replay_win_sz =3D app_prm->window_size; > > > } > > > > > > static int > > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > > > index 81fb99980..161ea9e3d 100644 > > > --- a/lib/librte_ipsec/Makefile > > > +++ b/lib/librte_ipsec/Makefile > > > @@ -14,7 +14,7 @@ LDLIBS +=3D -lrte_cryptodev -lrte_security -lrte_ha= sh > > > > > > EXPORT_MAP :=3D rte_ipsec_version.map > > > > > > -LIBABIVER :=3D 1 > > > +LIBABIVER :=3D 2 > > > > > > # all source are stored in SRCS-y > > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) +=3D esp_inb.c > > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.bu= ild > > > index 70358526b..e8604dadd 100644 > > > --- a/lib/librte_ipsec/meson.build > > > +++ b/lib/librte_ipsec/meson.build 
> > > @@ -1,6 +1,7 @@ > > > # SPDX-License-Identifier: BSD-3-Clause > > > # Copyright(c) 2018 Intel Corporation > > > > > > +version =3D 2 > > > allow_experimental_apis =3D true > > > > > > sources =3D files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec= _sad.c') > > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_i= psec_sa.h > > > index 47ce169d2..1cfde5874 100644 > > > --- a/lib/librte_ipsec/rte_ipsec_sa.h > > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > > > uint8_t proto; /**< next header protocol */ > > > } trs; /**< transport mode related parameters */ > > > }; > > > - > > > - /** > > > - * window size to enable sequence replay attack handling. > > > - * replay checking is disabled if the window size is 0. > > > - */ > > > - uint32_t replay_win_sz; > > > }; > > > > > > /** > > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > > > index 23d394b46..6f1d92c3c 100644 > > > --- a/lib/librte_ipsec/sa.c > > > +++ b/lib/librte_ipsec/sa.c > > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *= prm) > > > return rc; > > > > > > /* determine required size */ > > > - wsz =3D prm->replay_win_sz; > > > + wsz =3D prm->ipsec_xform.replay_win_sz; > > > return ipsec_sa_size(type, &wsz, &nb); > > > } > > > > > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const = struct > > rte_ipsec_sa_prm *prm, > > > return rc; > > > > > > /* determine required size */ > > > - wsz =3D prm->replay_win_sz; > > > + wsz =3D prm->ipsec_xform.replay_win_sz; > > > sz =3D ipsec_sa_size(type, &wsz, &nb); > > > if (sz < 0) > > > return sz; > > > -- > > > 2.17.1
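
Review bot: in the doc/guides/rel_notes/release_19_11.rst hunk under "ABI Changes", the added bullets mark up replay_win_sz and rte_ipsec_sa_prm with two single quotes (''replay_win_sz''), while the unchanged context line uses RST double backticks for ``rte_security_ipsec_xform``. The single quotes will render literally, so use double backticks throughout. The two bullets also say the same thing twice (the field moved to the security structure, the field was removed from rte_ipsec_sa_prm); one bullet per library with distinct content, or a single merged bullet, would read better.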
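
Review bot: in parse_args() of examples/ipsec-secgw/ipsec-secgw.c, removing "app_sa_prm.enable = 1;" from case 'w' and case 'e' changes what existing command lines do: a run that passed only 'w' or 'e' used to get librte_ipsec enabled and now does not. The thread already found that the functional tests under examples/ipsec-secgw/test/ rely on the old behaviour. The commit message mentions the change, but nothing in this diff updates the application's usage text or the release notes for it; please add both in the same patch so users of the sample application are not surprised.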
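
Review bot: in set_ipsec_conf() of examples/ipsec-secgw/ipsec.c, the two added assignments copy app_sa_prm.window_size and app_sa_prm.enable_esn into the rte_security_ipsec_xform unconditionally, with no check that the device behind the session supports ESN or the requested replay window. As raised in the thread, validate both values against the device's security capabilities at init, before any session is created, and fail with a clear error instead of passing an unsupported setting down at run time.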
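
Review bot: in the create_lookaside_session() and create_inline_session() initializers of examples/ipsec-secgw/ipsec.c, ".replay_win_sz = 0," hard-codes the window to zero, and the comment this same patch deletes from rte_ipsec_sa.h states that replay checking is disabled if the window size is 0. set_ipsec_conf() in the same file assigns app_sa_prm.window_size instead; its call sites are not in this diff, so unless it runs on both session paths the configured window is ignored here. Either initialise from app_sa_prm.window_size or add a comment saying why zero is intended. The explicit zero is also redundant in a designated initializer.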
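
Review bot: the lib/librte_ipsec/rte_ipsec_sa.h hunk removes, together with the field, the only statement in this header of its semantics ("replay checking is disabled if the window size is 0"). rte_ipsec_sa_size() and rte_ipsec_sa_init() in lib/librte_ipsec/sa.c now read prm->ipsec_xform.replay_win_sz, so the struct rte_ipsec_sa_prm documentation should say that the library takes the window from ipsec_xform.replay_win_sz and that 0 disables replay checking, or the patch should confirm that the rte_security_ipsec_xform field comment carries the same wording.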