From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9EC49A04AB; Wed, 6 Nov 2019 14:40:11 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id A39B51C1A9; Wed, 6 Nov 2019 14:40:10 +0100 (CET) Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30079.outbound.protection.outlook.com [40.107.3.79]) by dpdk.org (Postfix) with ESMTP id 1CE951C139 for ; Wed, 6 Nov 2019 14:40:09 +0100 (CET) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Udcj41zFtiO7aMbVneXpHmQmcZjnZahmBrEH8YIk8Q6P8fEtBfnEtyDI+9pqDNOjf3M4IWTepcLkhhvK0vNHmwCfrQYI3htm8nBiaYnGXCgTVp+MBpjs6XZiddFkVMCTdaHGdAblcm4EnTJDgWeVH5e0lNycDX0CuGMkYvDej+H04gytAqFf5ol1fBFtfqvY+czLfSJ1WCMLTTK8JDRPVz8W1mN6iSi2UUsghMQn7dpsL9XMEoHmdl+ed4O240NhvD/n+tKd+yK8U2Z0KccjaC6LFefhpdk8CVuzw9y1RND7vrphgTmXLJusGGELGjuf9mKfAytRkI0vsgT0hmL4Ig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rUzHvu0DKw9qZbHTBriV6KUqETyqvQA5okn6FP8Xv2k=; b=jyKSaQu9USlDJ58YHPNlxQhAcnCG5ApEw37Ito+zNaEcuGLypwGe8/1lbi3gLHeF3iyVTsMbMrM69QxZv0NddVCEoC3Ic/RlP4mrsOABXVSWETKjJI1v/7yvGIJ01YRIEymeznGzqSFn0UjGlEvKtLdipX3knoOswD8Ya382S+3pQ1fMpuhjUIPFQFM8uwlhen5M4muzx/UH2HovzGPT/0e8Iomb0x93wFQ1YUPOYdMp3xYpK4uCGGPHviUMB+HVUAY1HN+gUjyrccUrcjSQA+YajMvY4EjlWo8ncOy79UShJATz6KxdR+3v6aXK5xpy7OEdQlzjiCP1TMwy/c4hZQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nxp.com; dmarc=pass action=none header.from=nxp.com; dkim=pass header.d=nxp.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rUzHvu0DKw9qZbHTBriV6KUqETyqvQA5okn6FP8Xv2k=; b=jxhx9aIpGK5p56BKpAU/C4WRaV+46fNYjX8FMMdrluuNYf+jd5o0a1UyFXUqIDzbO1AOgmCX1axAGgWAbbPuqscLHjJw1I+5507a6CFqIbTNyEQVD5kRonPaPkTlg+e0bpYK9F0y5IauU3j9wv/kWVA/IjVwtVgzIXB06Ne/TB8= Received: from VE1PR04MB6639.eurprd04.prod.outlook.com (10.255.118.11) by VE1PR04MB6638.eurprd04.prod.outlook.com (20.179.232.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2408.24; Wed, 6 Nov 2019 13:40:08 +0000 Received: from VE1PR04MB6639.eurprd04.prod.outlook.com ([fe80::9dc:aa5c:2bb8:b561]) by VE1PR04MB6639.eurprd04.prod.outlook.com ([fe80::9dc:aa5c:2bb8:b561%6]) with mapi id 15.20.2408.025; Wed, 6 Nov 2019 13:40:08 +0000 From: Akhil Goyal To: "Ananyev, Konstantin" , Hemant Agrawal , "dev@dpdk.org" Thread-Topic: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Thread-Index: AQHVlG9xtT/ZqM3zQUKftRhp9vKDcad+JBMAgAAAY9A= Date: Wed, 6 Nov 2019 13:40:07 +0000 Message-ID: References: <20191031131502.12504-1-hemant.agrawal@nxp.com> <20191106065414.4311-1-hemant.agrawal@nxp.com> <20191106065414.4311-2-hemant.agrawal@nxp.com> <2601191342CEEE43887BDE71AB97725801A8C810FD@IRSMSX104.ger.corp.intel.com> In-Reply-To: <2601191342CEEE43887BDE71AB97725801A8C810FD@IRSMSX104.ger.corp.intel.com> Accept-Language: en-IN, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=akhil.goyal@nxp.com; x-originating-ip: [92.120.1.65] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: fb30fd78-9ff5-4d1a-441b-08d762bed6a5 x-ms-traffictypediagnostic: VE1PR04MB6638:|VE1PR04MB6638: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:3383; x-forefront-prvs: 02135EB356 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(376002)(346002)(39860400002)(396003)(199004)(189003)(316002)(186003)(3846002)(6506007)(74316002)(305945005)(66476007)(81166006)(102836004)(8676002)(8936002)(81156014)(76176011)(26005)(6116002)(7696005)(66066001)(33656002)(14454004)(229853002)(64756008)(6436002)(66446008)(66556008)(55016002)(99286004)(478600001)(446003)(2501003)(25786009)(5660300002)(2906002)(76116006)(7736002)(52536014)(86362001)(66946007)(256004)(11346002)(14444005)(486006)(476003)(44832011)(71190400001)(9686003)(6246003)(110136005)(71200400001); DIR:OUT; SFP:1101; SCL:1; SRVR:VE1PR04MB6638; H:VE1PR04MB6639.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: f1Cvu+vn5Fn0GyOOCdrbAApKc/fSsDQAgb7gPl34f5gSqsZ3C8bAf6bMKKNkTqrMBzxh+6f0Q1SPShnWmI7gGy3ymiy1/6fFut3ZnC7ee2rzg/SkU0l1PNeeIah9H7gnPx5ZZ4HNDp00CyJchfFh+yXrEdXOg+k3XwlStN1HF/2H1ZGSi/Nr+IYYYlmmUnbSOZMVDeD/rhqMHqx6XcTg+B48cf7gws+Enp2//fWM27Mr9IpjmhZyTdIqNN9oRn10sso7va0m2min6yax9vcF0mxaI94oq2gnQONq/Bf4piNl0ThKX8W6CBKgmlQy+1HtoflG4cTHUOMZConqN+xNw6ZWGzIOTdRAJeDcGhifmRdWHU9IPmLCDZuASC804ugsWaHfAnavbaifNm/1wkjUSZ9W8TCQHd9NwcLzPKre/MZvwOZux+IWoOrfxFiWvVsD Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: fb30fd78-9ff5-4d1a-441b-08d762bed6a5 X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Nov 2019 13:40:07.8699 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: zJO+dOUx1IUAz8aptV5QNF9Gl4SUnkZVPI8hSL6kJ5oylkLJnw9ZvRu7rPL6f8up4ZgIsRR08ISk7Lhv2v76gg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR04MB6638 Subject: Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Hi Konstantin, >=20 > Hi guys, >=20 > > The rte_security lib has introduced replay_win_sz, > > so it can be removed from the rte_ipsec lib. > > > > The relaved tests,app are also update to reflect > > the usages. > > > > Note that esn and anti-replay fileds were earlier used > > only for ipsec library, they were enabling the libipsec > > by default. With this change esn and anti-replay setting > > will not automatically enabled libipsec. > > > > Signed-off-by: Hemant Agrawal > > Acked-by: Konstantin Ananyev > > --- > > app/test/test_ipsec.c | 2 +- > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > examples/ipsec-secgw/sa.c | 2 +- > > lib/librte_ipsec/Makefile | 2 +- > > lib/librte_ipsec/meson.build | 1 + > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > lib/librte_ipsec/sa.c | 4 ++-- > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > index 4007eff19..7dc83fee7 100644 > > --- a/app/test/test_ipsec.c > > +++ b/app/test/test_ipsec.c > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > > > prm->userdata =3D 1; > > prm->flags =3D flags; > > - prm->replay_win_sz =3D replay_win_sz; > > > > /* setup ipsec xform */ > > prm->ipsec_xform =3D ut_params->ipsec_xform; > > prm->ipsec_xform.salt =3D (uint32_t)rte_rand(); > > + prm->ipsec_xform.replay_win_sz =3D replay_win_sz; > > > > /* setup tunnel related fields */ > > prm->tun.hdr_len =3D sizeof(ipv4_outer); > > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > > index dcae08002..0504a3443 100644 > > --- a/doc/guides/rel_notes/release_19_11.rst > > +++ b/doc/guides/rel_notes/release_19_11.rst > > @@ -369,10 +369,13 @@ ABI Changes > > align the Ethernet header on receive and all known encapsulations > > preserve the alignment of the header. > > > > -* security: A new field ''replay_win_sz'' has been added to the struct= ure > > +* security: The field ''replay_win_sz'' has been moved from ipsec libr= ary > > + based ''rte_ipsec_sa_prm'' structure to security library based struc= ture > > ``rte_security_ipsec_xform``, which specify the Anti replay window s= ize > > to enable sequence replay attack handling. > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structu= re > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > Shared Library Versions > > ----------------------- > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > incremented in this version. > > librte_gso.so.1 > > librte_hash.so.2 > > librte_ip_frag.so.1 > > - librte_ipsec.so.1 > > + + librte_ipsec.so.2 > > librte_jobstats.so.1 > > librte_kni.so.2 > > librte_kvargs.so.1 > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > > index b12936470..3b5aaf683 100644 > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > > printf("librte_ipsec usage: %s\n", > > (prm->enable =3D=3D 0) ? "disabled" : "enabled"); > > > > - if (prm->enable =3D=3D 0) > > - return; > > - > > printf("replay window size: %u\n", prm->window_size); > > printf("ESN: %s\n", (prm->enable_esn =3D=3D 0) ? "disabled" : "enable= d"); > > printf("SA flags: %#" PRIx64 "\n", prm->flags); > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > app_sa_prm.enable =3D 1; > > break; > > case 'w': > > - app_sa_prm.enable =3D 1; >=20 > That actually will break lib-mode functional tests at: > examples/ipsec-secgw/test/ > Due to my laziness I enabled in them library mode via '-w' option, > as that moment legacy mode didn't support replay window... > As these patches already applied, I'll send the fix in a new one in next = few. No issues, I will squash your changes with the original patch as it is not = applied=20 On master. >=20 > > app_sa_prm.window_size =3D parse_decimal(optarg); > > break; > > case 'e': > > - app_sa_prm.enable =3D 1; > > app_sa_prm.enable_esn =3D 1; > > break; > > case 'a': > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.= c > > index d7761e966..d4b57121a 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > > /* TODO support for Transport */ > > } > > ipsec->esn_soft_limit =3D IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->replay_win_sz =3D app_sa_prm.window_size; > > + ipsec->options.esn =3D app_sa_prm.enable_esn; >=20 > Ok, but what to do for the devices that don't support esn or replay_win_s= z? > Should we add some check? Either to the app, or preferably into rte_secur= ity > level at rte_security_session_create()? Ideally app should check the capability of the device before setting it. =20 > > } > > > > int > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > struct ipsec_sa *sa, > > .spi =3D sa->spi, > > .salt =3D sa->salt, > > .options =3D { 0 }, > > + .replay_win_sz =3D 0, > > .direction =3D sa->direction, > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode =3D (IS_TUNNEL(sa->flags)) ? > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, > struct ipsec_sa *sa, > > .spi =3D sa->spi, > > .salt =3D sa->salt, > > .options =3D { 0 }, > > + .replay_win_sz =3D 0, > > .direction =3D sa->direction, > > .proto =3D RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode =3D (sa->flags =3D=3D IP4_TUNNEL || > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > index a8dee342e..4605a3a6c 100644 > > --- a/examples/ipsec-secgw/sa.c > > +++ b/examples/ipsec-secgw/sa.c > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm > *prm, > > > > prm->flags =3D app_prm->flags; > > prm->ipsec_xform.options.esn =3D app_prm->enable_esn; > > - prm->replay_win_sz =3D app_prm->window_size; > > + prm->ipsec_xform.replay_win_sz =3D app_prm->window_size; > > } > > > > static int > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > > index 81fb99980..161ea9e3d 100644 > > --- a/lib/librte_ipsec/Makefile > > +++ b/lib/librte_ipsec/Makefile > > @@ -14,7 +14,7 @@ LDLIBS +=3D -lrte_cryptodev -lrte_security -lrte_hash > > > > EXPORT_MAP :=3D rte_ipsec_version.map > > > > -LIBABIVER :=3D 1 > > +LIBABIVER :=3D 2 > > > > # all source are stored in SRCS-y > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) +=3D esp_inb.c > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.buil= d > > index 70358526b..e8604dadd 100644 > > --- a/lib/librte_ipsec/meson.build > > +++ b/lib/librte_ipsec/meson.build > > @@ -1,6 +1,7 @@ > > # SPDX-License-Identifier: BSD-3-Clause > > # Copyright(c) 2018 Intel Corporation > > > > +version =3D 2 > > allow_experimental_apis =3D true > > > > sources =3D files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_s= ad.c') > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ips= ec_sa.h > > index 47ce169d2..1cfde5874 100644 > > --- a/lib/librte_ipsec/rte_ipsec_sa.h > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > > uint8_t proto; /**< next header protocol */ > > } trs; /**< transport mode related parameters */ > > }; > > - > > - /** > > - * window size to enable sequence replay attack handling. > > - * replay checking is disabled if the window size is 0. > > - */ > > - uint32_t replay_win_sz; > > }; > > > > /** > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > > index 23d394b46..6f1d92c3c 100644 > > --- a/lib/librte_ipsec/sa.c > > +++ b/lib/librte_ipsec/sa.c > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *pr= m) > > return rc; > > > > /* determine required size */ > > - wsz =3D prm->replay_win_sz; > > + wsz =3D prm->ipsec_xform.replay_win_sz; > > return ipsec_sa_size(type, &wsz, &nb); > > } > > > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const st= ruct > rte_ipsec_sa_prm *prm, > > return rc; > > > > /* determine required size */ > > - wsz =3D prm->replay_win_sz; > > + wsz =3D prm->ipsec_xform.replay_win_sz; > > sz =3D ipsec_sa_size(type, &wsz, &nb); > > if (sz < 0) > > return sz; > > -- > > 2.17.1