From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 9EC49A04AB;
	Wed,  6 Nov 2019 14:40:11 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id A39B51C1A9;
	Wed,  6 Nov 2019 14:40:10 +0100 (CET)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com
 (mail-eopbgr30079.outbound.protection.outlook.com [40.107.3.79])
 by dpdk.org (Postfix) with ESMTP id 1CE951C139
 for <dev@dpdk.org>; Wed,  6 Nov 2019 14:40:09 +0100 (CET)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Udcj41zFtiO7aMbVneXpHmQmcZjnZahmBrEH8YIk8Q6P8fEtBfnEtyDI+9pqDNOjf3M4IWTepcLkhhvK0vNHmwCfrQYI3htm8nBiaYnGXCgTVp+MBpjs6XZiddFkVMCTdaHGdAblcm4EnTJDgWeVH5e0lNycDX0CuGMkYvDej+H04gytAqFf5ol1fBFtfqvY+czLfSJ1WCMLTTK8JDRPVz8W1mN6iSi2UUsghMQn7dpsL9XMEoHmdl+ed4O240NhvD/n+tKd+yK8U2Z0KccjaC6LFefhpdk8CVuzw9y1RND7vrphgTmXLJusGGELGjuf9mKfAytRkI0vsgT0hmL4Ig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=rUzHvu0DKw9qZbHTBriV6KUqETyqvQA5okn6FP8Xv2k=;
 b=jyKSaQu9USlDJ58YHPNlxQhAcnCG5ApEw37Ito+zNaEcuGLypwGe8/1lbi3gLHeF3iyVTsMbMrM69QxZv0NddVCEoC3Ic/RlP4mrsOABXVSWETKjJI1v/7yvGIJ01YRIEymeznGzqSFn0UjGlEvKtLdipX3knoOswD8Ya382S+3pQ1fMpuhjUIPFQFM8uwlhen5M4muzx/UH2HovzGPT/0e8Iomb0x93wFQ1YUPOYdMp3xYpK4uCGGPHviUMB+HVUAY1HN+gUjyrccUrcjSQA+YajMvY4EjlWo8ncOy79UShJATz6KxdR+3v6aXK5xpy7OEdQlzjiCP1TMwy/c4hZQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=nxp.com; dmarc=pass action=none header.from=nxp.com; dkim=pass
 header.d=nxp.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; 
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=rUzHvu0DKw9qZbHTBriV6KUqETyqvQA5okn6FP8Xv2k=;
 b=jxhx9aIpGK5p56BKpAU/C4WRaV+46fNYjX8FMMdrluuNYf+jd5o0a1UyFXUqIDzbO1AOgmCX1axAGgWAbbPuqscLHjJw1I+5507a6CFqIbTNyEQVD5kRonPaPkTlg+e0bpYK9F0y5IauU3j9wv/kWVA/IjVwtVgzIXB06Ne/TB8=
Received: from VE1PR04MB6639.eurprd04.prod.outlook.com (10.255.118.11) by
 VE1PR04MB6638.eurprd04.prod.outlook.com (20.179.232.15) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.2408.24; Wed, 6 Nov 2019 13:40:08 +0000
Received: from VE1PR04MB6639.eurprd04.prod.outlook.com
 ([fe80::9dc:aa5c:2bb8:b561]) by VE1PR04MB6639.eurprd04.prod.outlook.com
 ([fe80::9dc:aa5c:2bb8:b561%6]) with mapi id 15.20.2408.025; Wed, 6 Nov 2019
 13:40:08 +0000
From: Akhil Goyal <akhil.goyal@nxp.com>
To: "Ananyev, Konstantin" <konstantin.ananyev@intel.com>, Hemant Agrawal
 <hemant.agrawal@nxp.com>, "dev@dpdk.org" <dev@dpdk.org>
Thread-Topic: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz
Thread-Index: AQHVlG9xtT/ZqM3zQUKftRhp9vKDcad+JBMAgAAAY9A=
Date: Wed, 6 Nov 2019 13:40:07 +0000
Message-ID: <VE1PR04MB6639255B8A3E2479FE685F4DE6790@VE1PR04MB6639.eurprd04.prod.outlook.com>
References: <20191031131502.12504-1-hemant.agrawal@nxp.com>
 <20191106065414.4311-1-hemant.agrawal@nxp.com>
 <20191106065414.4311-2-hemant.agrawal@nxp.com>
 <2601191342CEEE43887BDE71AB97725801A8C810FD@IRSMSX104.ger.corp.intel.com>
In-Reply-To: <2601191342CEEE43887BDE71AB97725801A8C810FD@IRSMSX104.ger.corp.intel.com>
Accept-Language: en-IN, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=akhil.goyal@nxp.com; 
x-originating-ip: [92.120.1.65]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: fb30fd78-9ff5-4d1a-441b-08d762bed6a5
x-ms-traffictypediagnostic: VE1PR04MB6638:|VE1PR04MB6638:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <VE1PR04MB66384BA1997AEAA212D142B2E6790@VE1PR04MB6638.eurprd04.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:3383;
x-forefront-prvs: 02135EB356
x-forefront-antispam-report: SFV:NSPM;
 SFS:(10009020)(4636009)(136003)(366004)(376002)(346002)(39860400002)(396003)(199004)(189003)(316002)(186003)(3846002)(6506007)(74316002)(305945005)(66476007)(81166006)(102836004)(8676002)(8936002)(81156014)(76176011)(26005)(6116002)(7696005)(66066001)(33656002)(14454004)(229853002)(64756008)(6436002)(66446008)(66556008)(55016002)(99286004)(478600001)(446003)(2501003)(25786009)(5660300002)(2906002)(76116006)(7736002)(52536014)(86362001)(66946007)(256004)(11346002)(14444005)(486006)(476003)(44832011)(71190400001)(9686003)(6246003)(110136005)(71200400001);
 DIR:OUT; SFP:1101; SCL:1; SRVR:VE1PR04MB6638;
 H:VE1PR04MB6639.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en;
 PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: nxp.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: f1Cvu+vn5Fn0GyOOCdrbAApKc/fSsDQAgb7gPl34f5gSqsZ3C8bAf6bMKKNkTqrMBzxh+6f0Q1SPShnWmI7gGy3ymiy1/6fFut3ZnC7ee2rzg/SkU0l1PNeeIah9H7gnPx5ZZ4HNDp00CyJchfFh+yXrEdXOg+k3XwlStN1HF/2H1ZGSi/Nr+IYYYlmmUnbSOZMVDeD/rhqMHqx6XcTg+B48cf7gws+Enp2//fWM27Mr9IpjmhZyTdIqNN9oRn10sso7va0m2min6yax9vcF0mxaI94oq2gnQONq/Bf4piNl0ThKX8W6CBKgmlQy+1HtoflG4cTHUOMZConqN+xNw6ZWGzIOTdRAJeDcGhifmRdWHU9IPmLCDZuASC804ugsWaHfAnavbaifNm/1wkjUSZ9W8TCQHd9NwcLzPKre/MZvwOZux+IWoOrfxFiWvVsD
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nxp.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fb30fd78-9ff5-4d1a-441b-08d762bed6a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Nov 2019 13:40:07.8699 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zJO+dOUx1IUAz8aptV5QNF9Gl4SUnkZVPI8hSL6kJ5oylkLJnw9ZvRu7rPL6f8up4ZgIsRR08ISk7Lhv2v76gg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR04MB6638
Subject: Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Hi Konstantin,

>=20
> Hi guys,
>=20
> > The rte_security lib has introduced replay_win_sz,
> > so it can be removed from the rte_ipsec lib.
> >
> > The relaved tests,app are also update to reflect
> > the usages.
> >
> > Note that esn and anti-replay fileds were earlier used
> > only for ipsec library, they were enabling the libipsec
> > by default. With this change esn and anti-replay setting
> > will not automatically enabled libipsec.
> >
> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
> >  app/test/test_ipsec.c                  | 2 +-
> >  doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> >  examples/ipsec-secgw/ipsec-secgw.c     | 5 -----
> >  examples/ipsec-secgw/ipsec.c           | 4 ++++
> >  examples/ipsec-secgw/sa.c              | 2 +-
> >  lib/librte_ipsec/Makefile              | 2 +-
> >  lib/librte_ipsec/meson.build           | 1 +
> >  lib/librte_ipsec/rte_ipsec_sa.h        | 6 ------
> >  lib/librte_ipsec/sa.c                  | 4 ++--
> >  9 files changed, 15 insertions(+), 18 deletions(-)
> >
> > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> > index 4007eff19..7dc83fee7 100644
> > --- a/app/test/test_ipsec.c
> > +++ b/app/test/test_ipsec.c
> > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t
> flags)
> >
> >  	prm->userdata =3D 1;
> >  	prm->flags =3D flags;
> > -	prm->replay_win_sz =3D replay_win_sz;
> >
> >  	/* setup ipsec xform */
> >  	prm->ipsec_xform =3D ut_params->ipsec_xform;
> >  	prm->ipsec_xform.salt =3D (uint32_t)rte_rand();
> > +	prm->ipsec_xform.replay_win_sz =3D replay_win_sz;
> >
> >  	/* setup tunnel related fields */
> >  	prm->tun.hdr_len =3D sizeof(ipv4_outer);
> > diff --git a/doc/guides/rel_notes/release_19_11.rst
> b/doc/guides/rel_notes/release_19_11.rst
> > index dcae08002..0504a3443 100644
> > --- a/doc/guides/rel_notes/release_19_11.rst
> > +++ b/doc/guides/rel_notes/release_19_11.rst
> > @@ -369,10 +369,13 @@ ABI Changes
> >    align the Ethernet header on receive and all known encapsulations
> >    preserve the alignment of the header.
> >
> > -* security: A new field ''replay_win_sz'' has been added to the struct=
ure
> > +* security: The field ''replay_win_sz'' has been moved from ipsec libr=
ary
> > +  based ''rte_ipsec_sa_prm'' structure to security library based struc=
ture
> >    ``rte_security_ipsec_xform``, which specify the Anti replay window s=
ize
> >    to enable sequence replay attack handling.
> >
> > +* ipsec: The field ''replay_win_sz'' has been removed from the structu=
re
> > +  ''rte_ipsec_sa_prm'' as it has been added to the security library.
> >
> >  Shared Library Versions
> >  -----------------------
> > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> incremented in this version.
> >       librte_gso.so.1
> >       librte_hash.so.2
> >       librte_ip_frag.so.1
> > -     librte_ipsec.so.1
> > +   + librte_ipsec.so.2
> >       librte_jobstats.so.1
> >       librte_kni.so.2
> >       librte_kvargs.so.1
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> secgw/ipsec-secgw.c
> > index b12936470..3b5aaf683 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
> >  	printf("librte_ipsec usage: %s\n",
> >  		(prm->enable =3D=3D 0) ? "disabled" : "enabled");
> >
> > -	if (prm->enable =3D=3D 0)
> > -		return;
> > -
> >  	printf("replay window size: %u\n", prm->window_size);
> >  	printf("ESN: %s\n", (prm->enable_esn =3D=3D 0) ? "disabled" : "enable=
d");
> >  	printf("SA flags: %#" PRIx64 "\n", prm->flags);
> > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> >  			app_sa_prm.enable =3D 1;
> >  			break;
> >  		case 'w':
> > -			app_sa_prm.enable =3D 1;
>=20
> That actually will break lib-mode functional tests at:
> examples/ipsec-secgw/test/
> Due to my laziness I enabled in them library mode via '-w' option,
> as that moment legacy mode didn't support replay window...
> As these patches already applied, I'll send the fix in a new one in next =
few.

No issues, I will squash your changes with the original patch as it is not =
applied=20
On master.

>=20
> >  			app_sa_prm.window_size =3D parse_decimal(optarg);
> >  			break;
> >  		case 'e':
> > -			app_sa_prm.enable =3D 1;
> >  			app_sa_prm.enable_esn =3D 1;
> >  			break;
> >  		case 'a':
> > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.=
c
> > index d7761e966..d4b57121a 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> rte_security_ipsec_xform *ipsec)
> >  		/* TODO support for Transport */
> >  	}
> >  	ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > +	ipsec->replay_win_sz =3D app_sa_prm.window_size;
> > +	ipsec->options.esn =3D app_sa_prm.enable_esn;
>=20
> Ok, but what to do for the devices that don't support esn or replay_win_s=
z?
> Should we add some check? Either to the app, or preferably into rte_secur=
ity
> level at  rte_security_session_create()?

Ideally app should check the capability of the device before setting it.

=20
> >  }
> >
> >  int
> > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
> struct ipsec_sa *sa,
> >  				.spi =3D sa->spi,
> >  				.salt =3D sa->salt,
> >  				.options =3D { 0 },
> > +				.replay_win_sz =3D 0,
> >  				.direction =3D sa->direction,
> >  				.proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> >  				.mode =3D (IS_TUNNEL(sa->flags)) ?
> > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx,
> struct ipsec_sa *sa,
> >  			.spi =3D sa->spi,
> >  			.salt =3D sa->salt,
> >  			.options =3D { 0 },
> > +			.replay_win_sz =3D 0,
> >  			.direction =3D sa->direction,
> >  			.proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> >  			.mode =3D (sa->flags =3D=3D IP4_TUNNEL ||
> > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> > index a8dee342e..4605a3a6c 100644
> > --- a/examples/ipsec-secgw/sa.c
> > +++ b/examples/ipsec-secgw/sa.c
> > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm
> *prm,
> >
> >  	prm->flags =3D app_prm->flags;
> >  	prm->ipsec_xform.options.esn =3D app_prm->enable_esn;
> > -	prm->replay_win_sz =3D app_prm->window_size;
> > +	prm->ipsec_xform.replay_win_sz =3D app_prm->window_size;
> >  }
> >
> >  static int
> > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> > index 81fb99980..161ea9e3d 100644
> > --- a/lib/librte_ipsec/Makefile
> > +++ b/lib/librte_ipsec/Makefile
> > @@ -14,7 +14,7 @@ LDLIBS +=3D -lrte_cryptodev -lrte_security -lrte_hash
> >
> >  EXPORT_MAP :=3D rte_ipsec_version.map
> >
> > -LIBABIVER :=3D 1
> > +LIBABIVER :=3D 2
> >
> >  # all source are stored in SRCS-y
> >  SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) +=3D esp_inb.c
> > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.buil=
d
> > index 70358526b..e8604dadd 100644
> > --- a/lib/librte_ipsec/meson.build
> > +++ b/lib/librte_ipsec/meson.build
> > @@ -1,6 +1,7 @@
> >  # SPDX-License-Identifier: BSD-3-Clause
> >  # Copyright(c) 2018 Intel Corporation
> >
> > +version =3D 2
> >  allow_experimental_apis =3D true
> >
> >  sources =3D files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_s=
ad.c')
> > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ips=
ec_sa.h
> > index 47ce169d2..1cfde5874 100644
> > --- a/lib/librte_ipsec/rte_ipsec_sa.h
> > +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
> >  			uint8_t proto;  /**< next header protocol */
> >  		} trs; /**< transport mode related parameters */
> >  	};
> > -
> > -	/**
> > -	 * window size to enable sequence replay attack handling.
> > -	 * replay checking is disabled if the window size is 0.
> > -	 */
> > -	uint32_t replay_win_sz;
> >  };
> >
> >  /**
> > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> > index 23d394b46..6f1d92c3c 100644
> > --- a/lib/librte_ipsec/sa.c
> > +++ b/lib/librte_ipsec/sa.c
> > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *pr=
m)
> >  		return rc;
> >
> >  	/* determine required size */
> > -	wsz =3D prm->replay_win_sz;
> > +	wsz =3D prm->ipsec_xform.replay_win_sz;
> >  	return ipsec_sa_size(type, &wsz, &nb);
> >  }
> >
> > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const st=
ruct
> rte_ipsec_sa_prm *prm,
> >  		return rc;
> >
> >  	/* determine required size */
> > -	wsz =3D prm->replay_win_sz;
> > +	wsz =3D prm->ipsec_xform.replay_win_sz;
> >  	sz =3D ipsec_sa_size(type, &wsz, &nb);
> >  	if (sz < 0)
> >  		return sz;
> > --
> > 2.17.1