* [dpdk-dev] [PATCH 1/2] security: add anti replay window size
@ 2019-10-25 6:20 Hemant Agrawal
  2019-10-25 6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
  ` (2 more replies)
  0 siblings, 3 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-25 6:20 UTC (permalink / raw)
To: dev, akhil.goyal, declan.doherty; +Cc: Hemant Agrawal

At present the ipsec xform is missing the important step to configure the anti replay window size.
The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value.

Currently a similar field is available in the rte_ipsec lib for software ipsec usage. The newly introduced field can replace that field as well eventually.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 lib/librte_security/rte_security.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** -- 2.17.1
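Review bot: the rte_security.h hunk grows the public struct rte_security_ipsec_xform, which changes the library ABI, yet the diffstat shows only that header touched: the librte_security version bump (LIBABIVER and the meson `version`) and a release-notes entry belong in this same patch. The new doxygen also leaves the driver contract open: it should state what a PMD does when it cannot honour the requested window (failing session creation is the safe choice, since silently ignoring the value leaves an application that asked for a 64-entry window running with no replay protection and no indication of it) and in what unit the size is expressed.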
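The semantics the patch above gives replay_win_sz (a window of sequence numbers, 0 meaning no checking) as an added example that is not part of the patch or of DPDK: a minimal RFC 4303 Appendix A style anti-replay window in C. All names (ar_window, ar_check, ar_run, ar_demo_*) and the arrival orders are this example's own constructions; it uses plain 32-bit sequence numbers, ignores ESN, and keeps one byte per slot instead of a bitmap for clarity. It shows the three outcomes a window produces (accept, replay, too old), why the too-old test has to come before the seen test, and what a window of 0 and an undersized window each cost.

```c
/*
 * Added example, not DPDK code: a minimal anti-replay sliding window in the
 * style of RFC 4303 Appendix A, showing what the replay_win_sz field added to
 * rte_security_ipsec_xform configures. All names are this example's own.
 * Plain 32-bit ESP sequence numbers (no ESN); one byte per slot instead of a
 * bitmap, indexed by seq % win_sz. A PMD or librte_ipsec keeps such state per SA.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AR_MAX_WIN 1024u
enum ar_result { AR_ACCEPT, AR_REPLAY, AR_TOO_OLD, AR_BAD_SEQ };

struct ar_window {
	uint32_t win_sz;            /* 0 disables checking, as in the patch */
	uint32_t top;               /* highest sequence number accepted so far */
	uint8_t seen[AR_MAX_WIN];   /* seen[seq % win_sz] != 0: seq was accepted */
};
struct ar_stats { int accepted, replays, too_old; };

static int ar_init(struct ar_window *w, uint32_t win_sz)
{
	if (win_sz > AR_MAX_WIN)
		return -1;          /* a real PMD would reject the session here */
	memset(w, 0, sizeof(*w));
	w->win_sz = win_sz;
	return 0;
}

/* Classify one inbound sequence number and update the window if accepted.
 * Real code runs this only after the ICV verified, otherwise forged packets
 * could advance the window and evict legitimate ones. */
static enum ar_result ar_check(struct ar_window *w, uint32_t seq)
{
	if (w->win_sz == 0)
		return AR_ACCEPT;   /* checking disabled: replays pass */
	if (seq == 0)
		return AR_BAD_SEQ;  /* ESP never sends 0 in the first cycle */
	if (seq > w->top) {
		/* new right edge: slots for (top, seq] held numbers that just
		 * left the window, clear them before marking seq */
		uint32_t diff = seq - w->top;
		if (diff >= w->win_sz)
			memset(w->seen, 0, sizeof(w->seen));
		else
			for (uint32_t i = 1; i <= diff; i++)
				w->seen[(w->top + i) % w->win_sz] = 0;
		w->seen[seq % w->win_sz] = 1;
		w->top = seq;
		return AR_ACCEPT;
	}
	/* must precede the seen[] lookup: a slot left of the window may hold
	 * the mark of a newer number that reuses it */
	if (w->top - seq >= w->win_sz)
		return AR_TOO_OLD;
	if (w->seen[seq % w->win_sz])
		return AR_REPLAY;   /* inside the window and already accepted */
	w->seen[seq % w->win_sz] = 1;
	return AR_ACCEPT;       /* late but legitimate reordering */
}

/* Feed an arrival order through a fresh window and count the outcomes;
 * accepted is -1 if the window size is not usable. */
static struct ar_stats ar_run(uint32_t win_sz, const uint32_t *seqs, size_t n)
{
	struct ar_window w;
	struct ar_stats s = { 0, 0, 0 };

	if (ar_init(&w, win_sz) != 0) {
		s.accepted = -1;
		return s;
	}
	for (size_t i = 0; i < n; i++) {
		enum ar_result r = ar_check(&w, seqs[i]);
		if (r == AR_ACCEPT)
			s.accepted++;
		else if (r == AR_REPLAY)
			s.replays++;
		else if (r == AR_TOO_OLD)
			s.too_old++;
	}
	return s;
}

/* constructed arrival orders: reordering (5 before 4), replays of 2 and 1, a
 * jump to 70 that pushes 6 out of a 64-wide window; and a packet (2) that is
 * merely late, never replayed */
static const uint32_t ar_demo_seqs[] = { 1, 2, 3, 2, 5, 4, 1, 70, 6, 7 };
static const uint32_t ar_demo_late[] = { 1, 3, 4, 5, 6, 2 };

int main(void)
{
	struct ar_stats s = ar_run(64, ar_demo_seqs, 10);
	printf("win 64: accepted %d, replays %d, too old %d\n",
	       s.accepted, s.replays, s.too_old);
	s = ar_run(0, ar_demo_seqs, 10);
	printf("win 0:  accepted %d (checking disabled)\n", s.accepted);
	s = ar_run(4, ar_demo_late, 6);
	printf("win 4:  late packet dropped as too old: %d\n", s.too_old);
	s = ar_run(8, ar_demo_late, 6);
	printf("win 8:  late packet dropped as too old: %d\n", s.too_old);
	return 0;
}
```

The printed lines show that a 64-wide window rejects the two replays and the one packet that fell behind it, that a window of 0 accepts all ten packets including the replays, and that with a window of 4 a packet that is merely four sequence numbers late is dropped although it was never seen; that trade-off between tolerance for reordering and memory per SA is exactly what the value in replay_win_sz sets. The seen[] array stands in for the bitmap a real implementation would use; the update rule (clear the slots the right edge passes over, then mark the new packet) is the same.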
* [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside
  2019-10-25 6:20 [dpdk-dev] [PATCH 1/2] security: add anti replay window size Hemant Agrawal
@ 2019-10-25 6:20 ` Hemant Agrawal
  2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
  2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
  2 siblings, 0 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-25 6:20 UTC (permalink / raw)
To: dev, akhil.goyal, declan.doherty; +Cc: Hemant Agrawal

This patch extends the support for window size config to lookaside based ipsec offload as well.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 examples/ipsec-secgw/ipsec.c | 1 +
 examples/ipsec-secgw/sa.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..9a57e3eac 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1056,6 +1056,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = prm->replay_win_sz; } static int -- 2.17.1
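Review bot: the set_ipsec_conf() hunk takes the window from the global app_sa_prm.window_size, so every offloaded SA gets the same window whatever its own configuration says, and when window_size is left at 0 the new field disables replay checking in the device under the semantics patch 1/2 defines. That is acceptable for a sample application, but the commit message should say so, and the application's documentation should note that window_size now applies to offloaded SAs as well.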
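Review bot: in the fill_ipsec_app_sa_prm() hunk the window size now lives in two places, prm->replay_win_sz and prm->ipsec_xform.replay_win_sz, with the new line copying from the old field rather than from app_prm->window_size, so the two silently diverge if either assignment is later moved or removed. Since the cover text already says the librte_ipsec field is to be replaced, either assign `prm->ipsec_xform.replay_win_sz = app_prm->window_size;` directly or drop the librte_ipsec copy within this series so there is one source of truth.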
* Re: [dpdk-dev] [PATCH 1/2] security: add anti replay window size
  2019-10-25 6:20 [dpdk-dev] [PATCH 1/2] security: add anti replay window size Hemant Agrawal
  2019-10-25 6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
@ 2019-10-25 10:00 ` Ananyev, Konstantin
  2019-10-25 15:56 ` Hemant Agrawal
  2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
  2 siblings, 1 reply; 35+ messages in thread

From: Ananyev, Konstantin @ 2019-10-25 10:00 UTC (permalink / raw)
To: Hemant Agrawal, dev, akhil.goyal, Doherty, Declan

Hi Hemant,

> At present the ipsec xfrom is missing the important step
> to configure the anti replay window size.
> The newly added field will also help in to enable or disable
> the anti replay checking, if available in offload by means
> of non-zero or zero value.

+1 for those changes.
Though AFAIK, it will be an ABI breakage, right?
So probably deserves changes in release notes.

> Currently similar field is available in rte_ipsec lib for
> software ipsec usage.

Yep, the only thing why it was put here - to avoid ABI breakage within rte_security.
Having it in the rte_security_ipsec_xform makes much more sense.

> The newly introduced filed can replace
> that field as well eventually.

My suggestion would be to update librte_ipsec as part of these patch series.

> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
>  lib/librte_security/rte_security.h | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h > index aaafdfcd7..195ad5645 100644 > --- a/lib/librte_security/rte_security.h > +++ b/lib/librte_security/rte_security.h
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { > /**< Tunnel parameters, NULL for transport mode */ > uint64_t esn_soft_limit; > /**< ESN for which the overflow event need to be raised */ > + uint32_t replay_win_sz; > + /**< Anti replay window size to enable sequence replay attack handling. > + * replay checking is disabled if the window size is 0. > + */ > };
* Re: [dpdk-dev] [PATCH 1/2] security: add anti replay window size
  2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
@ 2019-10-25 15:56 ` Hemant Agrawal
  0 siblings, 0 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-25 15:56 UTC (permalink / raw)
To: Ananyev, Konstantin, dev, Akhil Goyal, Doherty, Declan

Hi Konstantin,

> -----Original Message-----
> From: Ananyev, Konstantin <konstantin.ananyev@intel.com>
> Sent: Friday, October 25, 2019 3:30 PM
> To: Hemant Agrawal <hemant.agrawal@nxp.com>; dev@dpdk.org; Akhil Goyal <akhil.goyal@nxp.com>; Doherty, Declan <declan.doherty@intel.com>
> Subject: RE: [dpdk-dev] [PATCH 1/2] security: add anti replay window size
> Importance: High
>
> Hi Hemant,
>
> > At present the ipsec xfrom is missing the important step to configure
> > the anti replay window size.
> > The newly added field will also help in to enable or disable the anti
> > replay checking, if available in offload by means of non-zero or zero
> > value.
>
> +1 for those changes.
> Though AFAIK, it will be an ABI breakage, right?
> So probably deserves changes in release notes.

[Hemant] ok

> > Currently similar field is available in rte_ipsec lib for software
> > ipsec usage.
>
> Yep, the only thing why it was put here - to avoid ABI breakage within
> rte_security.
> Having it in the rte_security_ipsec_xform makes much more sense.
>
> > The newly introduced filed can replace
> > that field as well eventually.
>
> My suggestion would be to update librte_ipsec as part of these patch series.

[Hemant] will do it in v2

> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > ---
> >  lib/librte_security/rte_security.h | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/lib/librte_security/rte_security.h > > b/lib/librte_security/rte_security.h > > index aaafdfcd7..195ad5645 100644 > > --- a/lib/librte_security/rte_security.h > > +++ b/lib/librte_security/rte_security.h
> > @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { > > /**< Tunnel parameters, NULL for transport mode */ > > uint64_t esn_soft_limit; > > /**< ESN for which the overflow event need to be raised */ > > + uint32_t replay_win_sz; > > + /**< Anti replay window size to enable sequence replay attack > handling. > > + * replay checking is disabled if the window size is 0. > > + */ > > }; > >
* [dpdk-dev] [PATCH v2 1/2] security: add anti replay window size
  2019-10-25 6:20 [dpdk-dev] [PATCH 1/2] security: add anti replay window size Hemant Agrawal
  2019-10-25 6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
  2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
@ 2019-10-30 6:57 ` Hemant Agrawal
  2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 2/2] 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
  2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
  2 siblings, 2 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-30 6:57 UTC (permalink / raw)
To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal

At present the ipsec xform is missing the important step to configure the anti replay window size.
The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 lib/librte_security/Makefile | 2 +-
 lib/librte_security/meson.build | 2 +-
 lib/librte_security/rte_security.h | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build
@@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** -- 2.17.1
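Review bot: the Makefile and meson.build hunks bump librte_security to ABI version 3, but the release-notes entries that go with it (the ABI Changes item and the `+ librte_security.so.3` line under Shared Library Versions) are in patch 2/2 of this series instead of here; anyone bisecting to this commit sees a version bump with no note, and the security change should not depend on the ipsec patch for its documentation.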
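Review bot: the rte_security.h hunk is unchanged from v1 and still does not say what a driver does with a replay_win_sz it cannot support (reject the session, clamp, or ignore); that decides whether an application can trust that replay protection is active, so the comment or the security capabilities should spell it out, with reject-on-unsupported as the default.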
* [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz
  2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
@ 2019-10-30 6:57 ` Hemant Agrawal
  2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
  1 sibling, 0 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-30 6:57 UTC (permalink / raw)
To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal

The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib.

Also, the related tests and app are updated to reflect the usage.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/test_ipsec.c | 2 +-
 doc/guides/rel_notes/release_19_11.rst | 10 ++++++++--
 examples/ipsec-secgw/ipsec.c | 1 +
 examples/ipsec-secgw/sa.c | 2 +-
 lib/librte_ipsec/Makefile | 2 +-
 lib/librte_ipsec/meson.build | 1 +
 lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
 lib/librte_ipsec/sa.c | 4 ++--
 8 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..9e3dabd93 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,7 +689,7 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..aa16c8422 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst
@@ -365,6 +365,12 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -407,7 +413,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 @@ -437,7 +443,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..46cdc1241 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->replay_win_sz; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 
--- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; -- 2.17.1
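Review bot: in the test_ipsec.c hunk the new assignment `prm->ipsec_xform.replay_win_sz = replay_win_sz;` is immediately followed by `prm->ipsec_xform = ut_params->ipsec_xform;`, which overwrites the whole structure, so the window requested by the test is lost and every SA under test is created with window 0, i.e. replay checking disabled; the replay test cases then exercise nothing. Move the assignment after the struct copy.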
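Review bot: the examples/ipsec-secgw/sa.c hunk reads app_prm->replay_win_sz, but the removed line and the ipsec.c hunk in this same patch show that the application's structure calls the field window_size (app_sa_prm.window_size), so this does not compile; it should be `prm->ipsec_xform.replay_win_sz = app_prm->window_size;`.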
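Review bot: in the release_19_11.rst hunk the field names are quoted with doubled single quotes (''replay_win_sz'', ''rte_ipsec_sa_prm'') while the same entry uses proper RST literal markup for ``rte_security_ipsec_xform``; use double backticks throughout, and "which specify" should read "which specifies".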
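Review bot: the rte_ipsec_sa.h hunk removes replay_win_sz from rte_ipsec_sa_prm, which is an API break as well as an ABI one (callers that set prm->replay_win_sz stop compiling), so the release note should also appear under the API changes, and the structure's doxygen should tell callers that the window is now taken from ipsec_xform.replay_win_sz, as the sa.c hunks do.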
* [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size
  2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
  2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
@ 2019-10-30 8:57 ` Hemant Agrawal
  2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
  2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal
  1 sibling, 2 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-30 8:57 UTC (permalink / raw)
To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal

At present the ipsec xform is missing the important step to configure the anti replay window size.
The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 lib/librte_security/Makefile | 2 +-
 lib/librte_security/meson.build | 2 +-
 lib/librte_security/rte_security.h | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644
--- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** -- 2.17.1
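Review bot: the Makefile and meson.build version bumps to 3 are still documented only in patch 2/2 of this series (the ABI Changes item and the librte_security.so.3 line live there); moving those release-note lines into this patch keeps the ABI change and its note in one commit.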
* [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz
  2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
@ 2019-10-30 8:57 ` Hemant Agrawal
  2019-10-30 13:08 ` Ananyev, Konstantin
  2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal
  1 sibling, 1 reply; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-30 8:57 UTC (permalink / raw)
To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal

The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib.

Also, the related tests and app are updated to reflect the usage.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
v3: fix the compilation issue

 app/test/test_ipsec.c | 2 +-
 doc/guides/rel_notes/release_19_11.rst | 10 ++++++++--
 examples/ipsec-secgw/ipsec.c | 1 +
 examples/ipsec-secgw/sa.c | 2 +-
 lib/librte_ipsec/Makefile | 2 +-
 lib/librte_ipsec/meson.build | 1 +
 lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
 lib/librte_ipsec/sa.c | 4 ++--
 8 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..9e3dabd93 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,7 +689,7 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..aa16c8422 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst
@@ -365,6 +365,12 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -407,7 +413,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 @@ -437,7 +443,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 
--- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; -- 2.17.1
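Review bot: the test_ipsec.c hunk still sets prm->ipsec_xform.replay_win_sz before `prm->ipsec_xform = ut_params->ipsec_xform;`, so the value is overwritten and the tests run with replay checking disabled; the v3 changelog only mentions the compilation fix, and this assignment needs to move after the struct copy.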
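Review bot: the release_19_11.rst hunk is unchanged from v2: ''replay_win_sz'' and ''rte_ipsec_sa_prm'' still use doubled single quotes instead of the ``literal`` markup used for rte_security_ipsec_xform in the same entry, and "which specify" should be "which specifies".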
* Re: [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz 2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-10-30 13:08 ` Ananyev, Konstantin 0 siblings, 0 replies; 35+ messages in thread From: Ananyev, Konstantin @ 2019-10-30 13:08 UTC (permalink / raw) To: Hemant Agrawal, dev, akhil.goyal Hi Hemant, > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > Also, the relaved tests,app are also update to reflect > the usages. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > --- > v3: fix the compilation issue > > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 10 ++++++++-- > examples/ipsec-secgw/ipsec.c | 1 + > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 8 files changed, 15 insertions(+), 13 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..9e3dabd93 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,7 +689,7 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > + prm->ipsec_xform.replay_win_sz = replay_win_sz; We need to do it later - as on the next line (see below), we'll overwrite whole ipsec_xform. > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 9e3dabd93..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c 
@@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst > index ae8e7b2f0..aa16c8422 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -365,6 +365,12 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > +* security: A new field ''replay_win_sz'' has been added to the structure > + ``rte_security_ipsec_xform``, which specify the Anti replay window size > + to enable sequence replay attack handling. > + > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -407,7 +413,7 @@ The libraries prepended with a plus sign were incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > @@ -437,7 +443,7 @@ The libraries prepended with a plus sign were incremented in this version. > librte_reorder.so.1 > librte_ring.so.2 > + librte_sched.so.4 > - librte_security.so.2 > + + librte_security.so.3 > librte_stack.so.1 > librte_table.so.3 > librte_timer.so.1 > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 51fb22e8a..159e81f99 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c 
> @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; > } > > int > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 14ee94731..3d687c459 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h 
> @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1
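Review bot: the suggested test_ipsec.c hunk moves the assignment after the ipsec_xform copy and the salt, which fixes the overwrite; since fill_ipsec_param() takes replay_win_sz as a parameter so that tests can vary it, it is worth adding an assertion that the value actually reached the SA (for example that rte_ipsec_sa_size() grows with the window, given that the sa.c hunk reads wsz from ipsec_xform.replay_win_sz), so a future reordering is caught instead of silently disabling replay checks across the suite.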
* [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
  2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
  2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
@ 2019-10-31 4:54 ` Hemant Agrawal
  2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
  ` (4 more replies)
  1 sibling, 5 replies; 35+ messages in thread

From: Hemant Agrawal @ 2019-10-31 4:54 UTC (permalink / raw)
To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal

At present the ipsec xform is missing the important step to configure the anti replay window size.
The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 doc/guides/rel_notes/release_19_11.rst | 6 +++++-
 lib/librte_security/Makefile | 2 +-
 lib/librte_security/meson.build | 2 +-
 lib/librte_security/rte_security.h | 4 ++++
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..0508ec545 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions ----------------------- @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1
diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
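Review bot: the rte_security.h hunk says that 0 disables replay checking but not what a PMD must do when it cannot support the requested non-zero size (fail session creation, or silently use a smaller window); spell that out in the doxygen comment for `replay_win_sz`, since without it an application has no way to know whether the window it asked for is actually enforced. Also, the release_19_11.rst hunk writes `''replay_win_sz''` with doubled single quotes while the same bullet already uses the RST double-backtick literal markup for ``rte_security_ipsec_xform``; use the latter for both.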
* [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal @ 2019-10-31 4:54 ` Hemant Agrawal 2019-10-31 10:21 ` Ananyev, Konstantin 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal ` (3 subsequent siblings) 4 siblings, 1 reply; 35+ messages in thread From: Hemant Agrawal @ 2019-10-31 4:54 UTC (permalink / raw) To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. Also, the relaved tests,app are also update to reflect the usages. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 7 +++++-- examples/ipsec-secgw/ipsec.c | 1 + examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 8 files changed, 12 insertions(+), 13 deletions(-) diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 0508ec545..ca414edb5 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst 
@@ -365,10 +365,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile 
@@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
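Review bot: in the examples/ipsec-secgw/ipsec.c hunk, `ipsec->replay_win_sz = app_sa_prm.window_size;` reuses the same application parameter that the sa.c hunk feeds into the rte_ipsec library SA, so lookaside sessions only get a replay window when that library-mode parameter is given and there is no separate way to enable or disable anti-replay for offload; an offload-specific option or a per-SA setting with a default of 0 would keep the two modes independent. The test_ipsec.c hunk is correct to assign `prm->ipsec_xform.replay_win_sz` after the struct copy from `ut_params->ipsec_xform`, otherwise the copy would overwrite it. The commit message's "the relaved tests,app are also update to reflect the usages" should read "the related tests and apps are also updated accordingly".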
* Re: [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-10-31 10:21 ` Ananyev, Konstantin 0 siblings, 0 replies; 35+ messages in thread From: Ananyev, Konstantin @ 2019-10-31 10:21 UTC (permalink / raw) To: Hemant Agrawal, dev, akhil.goyal > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > Also, the relaved tests,app are also update to reflect > the usages. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > -- > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-10-31 4:54 ` Hemant Agrawal 2019-10-31 6:29 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph ` (2 subsequent siblings) 4 siblings, 0 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-10-31 4:54 UTC (permalink / raw) To: dev, akhil.goyal; +Cc: konstantin.ananyev, Hemant Agrawal This patch usages the anti replay window size to config the anti replay checking in decap path for lookaside IPSEC offload Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 21 +++++++++++++++++ drivers/crypto/dpaa_sec/dpaa_sec.c | 26 +++++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 7364b78e7..d7d95bf80 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -2887,6 +2887,27 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) decap_pdb.options |= PDBOPTS_ESP_ESN; + + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + decap_pdb.options |= PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index a828b23c7..f5f18457a 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c 
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -2832,6 +2832,32 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + if (ipsec_xform->options.esn) + session->decap_pdb.options |= + PDBOPTS_ESP_ARS64; + else + session->decap_pdb.options |= + PDBOPTS_ESP_ARS32; + break; + case 64: + session->decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + session->decap_pdb.options |= + PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; } else goto out; -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
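Review bot: the two drivers disagree for window sizes up to 32 when ESN is enabled: the dpaa_sec hunk selects PDBOPTS_ESP_ARS64 if `ipsec_xform->options.esn` is set, while the dpaa2_sec hunk keeps PDBOPTS_ESP_ARS32 regardless of ESN; if the ARS32-with-ESN restriction is a SEC hardware constraint it should apply to both drivers and be explained in a comment, otherwise one of the two is wrong. In both hunks the `default:` arm maps every size above 64, including requests larger than 128, to PDBOPTS_ESP_ARS128, so an application asking for 256 silently gets a 128-entry window; return an error from session creation (or at least document the clamp) rather than report success for a window that was not configured. Minor: "This patch usages the anti replay window size to config" in the commit message should read "This patch uses the anti replay window size to configure".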
* Re: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal @ 2019-10-31 6:29 ` Anoob Joseph 2019-10-31 7:30 ` Hemant Agrawal 2019-10-31 10:20 ` Ananyev, Konstantin 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal 4 siblings, 1 reply; 35+ messages in thread From: Anoob Joseph @ 2019-10-31 6:29 UTC (permalink / raw) To: Hemant Agrawal, dev, akhil.goyal; +Cc: konstantin.ananyev Hi Hemant, How would the PMD specify whether anit-replay is supported or not? Do you have plans to introduce it as a capability? Or do you expect the session creation to fail if the feature is not supported by underlying PMD and the anti replay window size is set. Thanks, Anoob > -----Original Message----- > From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal > Sent: Thursday, October 31, 2019 10:25 AM > To: dev@dpdk.org; akhil.goyal@nxp.com > Cc: konstantin.ananyev@intel.com; Hemant Agrawal > <hemant.agrawal@nxp.com> > Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size > > At present the ipsec xfrom is missing the important step to configure the anti > replay window size. > The newly added field will also help in to enable or disable the anti replay > checking, if available in offload by means of non-zero or zero value. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > --- > doc/guides/rel_notes/release_19_11.rst | 6 +++++- > lib/librte_security/Makefile | 2 +- > lib/librte_security/meson.build | 2 +- > lib/librte_security/rte_security.h | 4 ++++ > 4 files changed, 11 insertions(+), 3 deletions(-) > > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > index ae8e7b2f0..0508ec545 100644 
> --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -365,6 +365,10 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > +* security: A new field ''replay_win_sz'' has been added to the > +structure > + ``rte_security_ipsec_xform``, which specify the Anti replay window > +size > + to enable sequence replay attack handling. > + > > Shared Library Versions > ----------------------- > @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were > incremented in this version. > librte_reorder.so.1 > librte_ring.so.2 > + librte_sched.so.4 > - librte_security.so.2 > + + librte_security.so.3 > librte_stack.so.1 > librte_table.so.3 > librte_timer.so.1 > diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index > 6708effdb..6a268ee2a 100644 > --- a/lib/librte_security/Makefile > +++ b/lib/librte_security/Makefile > @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a > > # library version > -LIBABIVER := 2 > +LIBABIVER := 3 > > # build flags > CFLAGS += -O3 > diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build > index a5130d2f6..6fed01273 100644 > --- a/lib/librte_security/meson.build > +++ b/lib/librte_security/meson.build > @@ -1,7 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel > Corporation > > -version = 2 > +version = 3 > sources = files('rte_security.c') > headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', > 'cryptodev'] diff --git a/lib/librte_security/rte_security.h > b/lib/librte_security/rte_security.h > index aaafdfcd7..195ad5645 100644 > --- a/lib/librte_security/rte_security.h > +++ b/lib/librte_security/rte_security.h 
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { > /**< Tunnel parameters, NULL for transport mode */ > uint64_t esn_soft_limit; > /**< ESN for which the overflow event need to be raised */ > + uint32_t replay_win_sz; > + /**< Anti replay window size to enable sequence replay attack handling. > + * replay checking is disabled if the window size is 0. > + */ > }; > > /** > -- > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size 2019-10-31 6:29 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph @ 2019-10-31 7:30 ` Hemant Agrawal 0 siblings, 0 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-10-31 7:30 UTC (permalink / raw) To: Anoob Joseph, dev, Akhil Goyal; +Cc: konstantin.ananyev Hi Anoop, > -----Original Message----- > Hi Hemant, > > How would the PMD specify whether anit-replay is supported or not? Do you > have plans to introduce it as a capability? Or do you expect the session > creation to fail if the feature is not supported by underlying PMD and the anti > replay window size is set. [Hemant] We can add it as part of capability set. I believe following should help: uint32_t max_replay_win_sz; Sending it as 0 will indicate the app that replay_win is not support. > > Thanks, > Anoob > > > -----Original Message----- > > From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal > > Sent: Thursday, October 31, 2019 10:25 AM > > To: dev@dpdk.org; akhil.goyal@nxp.com > > Cc: konstantin.ananyev@intel.com; Hemant Agrawal > > <hemant.agrawal@nxp.com> > > Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window > > size > > > > At present the ipsec xfrom is missing the important step to configure > > the anti replay window size. > > The newly added field will also help in to enable or disable the anti > > replay checking, if available in offload by means of non-zero or zero value. > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > --- > > doc/guides/rel_notes/release_19_11.rst | 6 +++++- > > lib/librte_security/Makefile | 2 +- > > lib/librte_security/meson.build | 2 +- > > lib/librte_security/rte_security.h | 4 ++++ > > 4 files changed, 11 insertions(+), 3 deletions(-) > > > > diff --git a/doc/guides/rel_notes/release_19_11.rst > > b/doc/guides/rel_notes/release_19_11.rst > > index ae8e7b2f0..0508ec545 100644 
> > --- a/doc/guides/rel_notes/release_19_11.rst > > +++ b/doc/guides/rel_notes/release_19_11.rst > > @@ -365,6 +365,10 @@ ABI Changes > > align the Ethernet header on receive and all known encapsulations > > preserve the alignment of the header. > > > > +* security: A new field ''replay_win_sz'' has been added to the > > +structure > > + ``rte_security_ipsec_xform``, which specify the Anti replay window > > +size > > + to enable sequence replay attack handling. > > + > > > > Shared Library Versions > > ----------------------- > > @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were > > incremented in this version. > > librte_reorder.so.1 > > librte_ring.so.2 > > + librte_sched.so.4 > > - librte_security.so.2 > > + + librte_security.so.3 > > librte_stack.so.1 > > librte_table.so.3 > > librte_timer.so.1 > > diff --git a/lib/librte_security/Makefile > > b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 > > --- a/lib/librte_security/Makefile > > +++ b/lib/librte_security/Makefile > > @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = > > librte_security.a > > > > # library version > > -LIBABIVER := 2 > > +LIBABIVER := 3 > > > > # build flags > > CFLAGS += -O3 > > diff --git a/lib/librte_security/meson.build > > b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 > > --- a/lib/librte_security/meson.build > > +++ b/lib/librte_security/meson.build > > @@ -1,7 +1,7 @@ > > # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 > > Intel Corporation > > > > -version = 2 > > +version = 3 > > sources = files('rte_security.c') > > headers = files('rte_security.h', 'rte_security_driver.h') deps += > > ['mempool', 'cryptodev'] diff --git > > a/lib/librte_security/rte_security.h > > b/lib/librte_security/rte_security.h > > index aaafdfcd7..195ad5645 100644 > > --- a/lib/librte_security/rte_security.h > > +++ b/lib/librte_security/rte_security.h 
> > @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { > > /**< Tunnel parameters, NULL for transport mode */ > > uint64_t esn_soft_limit; > > /**< ESN for which the overflow event need to be raised */ > > + uint32_t replay_win_sz; > > + /**< Anti replay window size to enable sequence replay attack > handling. > > + * replay checking is disabled if the window size is 0. > > + */ > > }; > > > > /** > > -- > > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal ` (2 preceding siblings ...) 2019-10-31 6:29 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph @ 2019-10-31 10:20 ` Ananyev, Konstantin 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal 4 siblings, 0 replies; 35+ messages in thread From: Ananyev, Konstantin @ 2019-10-31 10:20 UTC (permalink / raw) To: Hemant Agrawal, dev, akhil.goyal > At present the ipsec xfrom is missing the important step > to configure the anti replay window size. > The newly added field will also help in to enable or disable > the anti replay checking, if available in offload by means > of non-zero or zero value. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > --- > doc/guides/rel_notes/release_19_11.rst | 6 +++++- > lib/librte_security/Makefile | 2 +- > lib/librte_security/meson.build | 2 +- > lib/librte_security/rte_security.h | 4 ++++ > 4 files changed, 11 insertions(+), 3 deletions(-) > > diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst > index ae8e7b2f0..0508ec545 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -365,6 +365,10 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > +* security: A new field ''replay_win_sz'' has been added to the structure > + ``rte_security_ipsec_xform``, which specify the Anti replay window size > + to enable sequence replay attack handling. > + > > Shared Library Versions > ----------------------- > @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version. > librte_reorder.so.1 > librte_ring.so.2 > + librte_sched.so.4 > - librte_security.so.2 > + + librte_security.so.3 > librte_stack.so.1 > librte_table.so.3 > librte_timer.so.1 
> diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile > index 6708effdb..6a268ee2a 100644 > --- a/lib/librte_security/Makefile > +++ b/lib/librte_security/Makefile > @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk > LIB = librte_security.a > > # library version > -LIBABIVER := 2 > +LIBABIVER := 3 > > # build flags > CFLAGS += -O3 > diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build > index a5130d2f6..6fed01273 100644 > --- a/lib/librte_security/meson.build > +++ b/lib/librte_security/meson.build > @@ -1,7 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2017-2019 Intel Corporation > > -version = 2 > +version = 3 > sources = files('rte_security.c') > headers = files('rte_security.h', 'rte_security_driver.h') > deps += ['mempool', 'cryptodev'] > diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h > index aaafdfcd7..195ad5645 100644 > --- a/lib/librte_security/rte_security.h > +++ b/lib/librte_security/rte_security.h > @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { > /**< Tunnel parameters, NULL for transport mode */ > uint64_t esn_soft_limit; > /**< ESN for which the overflow event need to be raised */ > + uint32_t replay_win_sz; > + /**< Anti replay window size to enable sequence replay attack handling. > + * replay checking is disabled if the window size is 0. > + */ > }; > > /** > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* [dpdk-dev] [PATCH v5 1/3] security: add anti replay window size 2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal ` (3 preceding siblings ...) 2019-10-31 10:20 ` Ananyev, Konstantin @ 2019-10-31 13:15 ` Hemant Agrawal 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal ` (3 more replies) 4 siblings, 4 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-10-31 13:15 UTC (permalink / raw) To: dev, akhil.goyal; +Cc: konstantin.ananyev, anoobj, Hemant Agrawal At present the ipsec xfrom is missing the important step to configure the anti replay window size. The newly added field will also help in to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- doc/guides/rel_notes/release_19_11.rst | 6 +++++- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 8 ++++++++ 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..0508ec545 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions ----------------------- 
@@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..216e5370f 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** @@ -563,6 +567,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay Window is not supported. + */ } ipsec; /**< IPsec capability */ struct { -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
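Review bot: the new `replay_win_sz_max` capability field in the second rte_security.h hunk is not covered by the release_19_11.rst hunk, which still only describes `replay_win_sz`; add a line for it, since it is part of the same ABI change to librte_security. The comment should also say that the value is the largest window the PMD can enforce after any rounding it performs, and that existing PMD capability tables which do not set the field report 0 (not supported), so applications are expected to compare the requested `replay_win_sz` against it before creating the session.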
* [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal @ 2019-10-31 13:15 ` Hemant Agrawal 2019-11-05 22:01 ` Akhil Goyal 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal ` (2 subsequent siblings) 3 siblings, 1 reply; 35+ messages in thread From: Hemant Agrawal @ 2019-10-31 13:15 UTC (permalink / raw) To: dev, akhil.goyal; +Cc: konstantin.ananyev, anoobj, Hemant Agrawal The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. Also, the relaved tests,app are also update to reflect the usages. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 7 +++++-- examples/ipsec-secgw/ipsec.c | 1 + examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 8 files changed, 12 insertions(+), 13 deletions(-) diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 0508ec545..ca414edb5 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst 
@@ -365,10 +365,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile 
@@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
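Review bot: the examples/ipsec-secgw/ipsec.c hunk sets `ipsec->replay_win_sz` unconditionally, but patch 1/3 of this version adds `replay_win_sz_max` to the security capability; the application should look the capability up (`rte_security_capability_get()`) and reject, or at least warn about, a requested window larger than the advertised maximum or a maximum of 0, otherwise the failure surfaces only at session creation or the PMD silently shrinks the window. As in v4, the value still comes from the library-mode `window_size` parameter, so there is no independent switch for anti-replay on lookaside sessions.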
* Re: [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-11-05 22:01 ` Akhil Goyal 2019-11-06 5:16 ` Hemant Agrawal 0 siblings, 1 reply; 35+ messages in thread From: Akhil Goyal @ 2019-11-05 22:01 UTC (permalink / raw) To: Hemant Agrawal, dev; +Cc: konstantin.ananyev, anoobj, Hemant Agrawal Hi Hemant, > > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > Also, the relaved tests,app are also update to reflect > the usages. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec.c | 1 + > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 8 files changed, 12 insertions(+), 13 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > /* setup tunnel related fields */ > prm->tun.hdr_len = sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > index 0508ec545..ca414edb5 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst 
> @@ -365,10 +365,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > -* security: A new field ''replay_win_sz'' has been added to the structure > +* security: The field ''replay_win_sz'' has been moved from ipsec library > + based ''rte_ipsec_sa_prm'' structure to security library based structure > ``rte_security_ipsec_xform``, which specify the Anti replay window size > to enable sequence replay attack handling. > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were > incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 51fb22e8a..159e81f99 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; The value of window_size is coming from the command line and, while parsing it, lib mode is getting enabled, which means people can use anti replay only when lib mode is enabled, which is not correct. Also there should be a way to disable anti replay. So when it is not given on the command line it should not be enabled and the default value should be 0. > } > > int > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 14ee94731..3d687c459 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c
> @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c 
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz 2019-11-05 22:01 ` Akhil Goyal @ 2019-11-06 5:16 ` Hemant Agrawal 0 siblings, 0 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-11-06 5:16 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: konstantin.ananyev, anoobj > -----Original Message----- > From: Akhil Goyal <akhil.goyal@nxp.com> > Sent: Wednesday, November 6, 2019 3:32 AM > To: Hemant Agrawal <hemant.agrawal@nxp.com>; dev@dpdk.org > Cc: konstantin.ananyev@intel.com; anoobj@marvell.com; Hemant Agrawal > <hemant.agrawal@nxp.com> > Subject: RE: [PATCH v5 2/3] ipsec: remove redundant replay_win_sz > Importance: High > > Hi Hemant, > > > > The rte_security lib has introduced replay_win_sz, so it can be > > removed from the rte_ipsec lib. > > > > Also, the relaved tests,app are also update to reflect the usages. > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > --- > > app/test/test_ipsec.c | 2 +- > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > examples/ipsec-secgw/ipsec.c | 1 + > > examples/ipsec-secgw/sa.c | 2 +- > > lib/librte_ipsec/Makefile | 2 +- > > lib/librte_ipsec/meson.build | 1 + > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > lib/librte_ipsec/sa.c | 4 ++-- > > 8 files changed, 12 insertions(+), 13 deletions(-) > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index > > 4007eff19..7dc83fee7 100644 > > --- a/app/test/test_ipsec.c > > +++ b/app/test/test_ipsec.c > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, > > uint64_t > > flags) > > > > prm->userdata = 1; > > prm->flags = flags; > > - prm->replay_win_sz = replay_win_sz; > > > > /* setup ipsec xform */ > > prm->ipsec_xform = ut_params->ipsec_xform; > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > /* setup tunnel related fields */ > > prm->tun.hdr_len = sizeof(ipv4_outer); 
diff --git > > a/doc/guides/rel_notes/release_19_11.rst > > b/doc/guides/rel_notes/release_19_11.rst > > index 0508ec545..ca414edb5 100644 > > --- a/doc/guides/rel_notes/release_19_11.rst > > +++ b/doc/guides/rel_notes/release_19_11.rst > > @@ -365,10 +365,13 @@ ABI Changes > > align the Ethernet header on receive and all known encapsulations > > preserve the alignment of the header. > > > > -* security: A new field ''replay_win_sz'' has been added to the > > structure > > +* security: The field ''replay_win_sz'' has been moved from ipsec > > +library > > + based ''rte_ipsec_sa_prm'' structure to security library based > > +structure > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > to enable sequence replay attack handling. > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the > > +structure > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > Shared Library Versions > > ----------------------- > > @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were > > incremented in this version. > > librte_gso.so.1 > > librte_hash.so.2 > > librte_ip_frag.so.1 > > - librte_ipsec.so.1 > > + + librte_ipsec.so.2 > > librte_jobstats.so.1 > > librte_kni.so.2 > > librte_kvargs.so.1 > > diff --git a/examples/ipsec-secgw/ipsec.c > > b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c 
> > @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > /* TODO support for Transport */ > > } > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > The value of window_size is coming from command line and while parsing it, > lib mode Is getting enabled, which means people can use anti replay only > when lib mode is enabled which is not correct. > Also there should be a way to disable anti replay. So when it is not given as > command line It should not be enabled and default value should be 0. > [Hemant] Ok. I will look into it. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-10-31 13:15 ` Hemant Agrawal 2019-11-05 22:07 ` Akhil Goyal 2019-11-01 6:16 ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal 3 siblings, 1 reply; 35+ messages in thread From: Hemant Agrawal @ 2019-10-31 13:15 UTC (permalink / raw) To: dev, akhil.goyal; +Cc: konstantin.ananyev, anoobj, Hemant Agrawal This patch uses the anti replay window size to configure the anti replay checking in the decap path for lookaside IPSEC offload. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 24 +++++++++++++++++++ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 +++-- drivers/crypto/dpaa_sec/dpaa_sec.c | 26 +++++++++++++++++++++ drivers/crypto/dpaa_sec/dpaa_sec.h | 6 +++-- 4 files changed, 58 insertions(+), 4 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 52e522e4a..6d59e73e9 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -2836,6 +2836,30 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) decap_pdb.options |= PDBOPTS_ESP_ESN; + + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + if (ipsec_xform->options.esn) + decap_pdb.options |= PDBOPTS_ESP_ARS64; + else + decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + decap_pdb.options |= PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index 662559422..b97dacbcb 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -675,7 +675,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, @@ -686,7 +687,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index 6c186338f..7cfa5f6dc 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c 
@@ -2693,6 +2693,32 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + if (ipsec_xform->options.esn) + session->decap_pdb.options |= + PDBOPTS_ESP_ARS64; + else + session->decap_pdb.options |= + PDBOPTS_ESP_ARS32; + break; + case 64: + session->decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + session->decap_pdb.options |= + PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; } else goto out; diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index c10ec1007..684950d6d 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -692,7 +692,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities }, @@ -703,7 +704,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities }, -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
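Review bot: the default arm of the switch in dpaa2_sec_set_ipsec_session() sends every rounded size above 64 to PDBOPTS_ESP_ARS128, so a request for 256 or 1024 yields a 128-packet window with no error, even though the same patch advertises replay_win_sz_max = 128; suggest returning an error (or at least logging a warning) when rte_align32pow2(ipsec_xform->replay_win_sz) exceeds the advertised maximum, because a silently smaller window drops legitimate out-of-order packets the caller sized the window for. A one-line comment on the ESN branch (ESN sequence numbers exceed 32 bits, hence ARS64) would also answer the question raised later in this thread.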
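Review bot: replay_win_sz_max = 128 is added to the RTE_SECURITY_IPSEC_SA_DIR_EGRESS capability entry in dpaa2_sec_priv.h as well as the ingress one, yet the commit message says the window is configured only in the decap path and the code touches only decap_pdb; anti-replay is an inbound check, so advertising a window for egress is misleading to applications that read capabilities. Suggest leaving the egress entry at 0 or commenting that the value is ignored for egress; the same applies to the dpaa_sec.h hunk.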
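Review bot: the switch in dpaa_sec_set_ipsec_session() duplicates the one in dpaa2_sec_dpseci.c line for line, differing only in writing session->decap_pdb.options instead of decap_pdb.options; a small helper shared by both drivers that maps a requested size (and the ESN flag) to the PDBOPTS_ESP_ARS* value would keep the two from drifting apart when the rounding or clamping rule is revisited.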
* Re: [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal @ 2019-11-05 22:07 ` Akhil Goyal 2019-11-06 5:16 ` Hemant Agrawal 0 siblings, 1 reply; 35+ messages in thread From: Akhil Goyal @ 2019-11-05 22:07 UTC (permalink / raw) To: Hemant Agrawal, dev; +Cc: konstantin.ananyev, anoobj, Hemant Agrawal Hi Hemant, > > This patch usages the anti replay window size to config > the anti replay checking in decap path for lookaside > IPSEC offload > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > --- > drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 24 +++++++++++++++++++ > drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 +++-- > drivers/crypto/dpaa_sec/dpaa_sec.c | 26 +++++++++++++++++++++ > drivers/crypto/dpaa_sec/dpaa_sec.h | 6 +++-- > 4 files changed, 58 insertions(+), 4 deletions(-) > > diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c > b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c > index 52e522e4a..6d59e73e9 100644 > --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c > +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c 
> @@ -2836,6 +2836,30 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev > *dev, > sizeof(struct rte_ipv6_hdr) << 16; > if (ipsec_xform->options.esn) > decap_pdb.options |= PDBOPTS_ESP_ESN; > + > + if (ipsec_xform->replay_win_sz) { > + uint32_t win_sz; > + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); > + > + switch (win_sz) { > + case 1: > + case 2: > + case 4: > + case 8: > + case 16: > + case 32: > + if (ipsec_xform->options.esn) > + decap_pdb.options |= > PDBOPTS_ESP_ARS64; Why is it dependent on ESN? > + else > + decap_pdb.options |= > PDBOPTS_ESP_ARS32; > + break; > + case 64: > + decap_pdb.options |= PDBOPTS_ESP_ARS64; > + break; > + default: > + decap_pdb.options |= PDBOPTS_ESP_ARS128; Default case should not set anti replay window like case 0 when we don't want anti replay. > + } > + } > session->dir = DIR_DEC; > bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, > 1, 0, SHR_SERIAL, > diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > index 662559422..b97dacbcb 100644 > --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > @@ -675,7 +675,8 @@ static const struct rte_security_capability > dpaa2_sec_security_cap[] = { > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, > - .options = { 0 } > + .options = { 0 }, > + .replay_win_sz_max = 128 > }, > .crypto_capabilities = dpaa2_sec_capabilities > }, > @@ -686,7 +687,8 @@ static const struct rte_security_capability > dpaa2_sec_security_cap[] = { > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, > - .options = { 0 } > + .options = { 0 }, > + .replay_win_sz_max = 128 > }, > .crypto_capabilities = dpaa2_sec_capabilities > }, 
> diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c > b/drivers/crypto/dpaa_sec/dpaa_sec.c > index 6c186338f..7cfa5f6dc 100644 > --- a/drivers/crypto/dpaa_sec/dpaa_sec.c > +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c > @@ -2693,6 +2693,32 @@ dpaa_sec_set_ipsec_session(__rte_unused struct > rte_cryptodev *dev, > sizeof(struct rte_ipv6_hdr) << 16; > if (ipsec_xform->options.esn) > session->decap_pdb.options |= PDBOPTS_ESP_ESN; > + if (ipsec_xform->replay_win_sz) { > + uint32_t win_sz; > + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); > + > + switch (win_sz) { > + case 1: > + case 2: > + case 4: > + case 8: > + case 16: > + case 32: > + if (ipsec_xform->options.esn) > + session->decap_pdb.options |= > + PDBOPTS_ESP_ARS64; > + else > + session->decap_pdb.options |= > + PDBOPTS_ESP_ARS32; > + break; > + case 64: > + session->decap_pdb.options |= > PDBOPTS_ESP_ARS64; > + break; > + default: > + session->decap_pdb.options |= > + PDBOPTS_ESP_ARS128; > + } > + } > session->dir = DIR_DEC; > } else > goto out; > diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h > b/drivers/crypto/dpaa_sec/dpaa_sec.h > index c10ec1007..684950d6d 100644 > --- a/drivers/crypto/dpaa_sec/dpaa_sec.h > +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h > @@ -692,7 +692,8 @@ static const struct rte_security_capability > dpaa_sec_security_cap[] = { > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, > - .options = { 0 } > + .options = { 0 }, > + .replay_win_sz_max = 128 > }, > .crypto_capabilities = dpaa_sec_capabilities > }, 
> @@ -703,7 +704,8 @@ static const struct rte_security_capability > dpaa_sec_security_cap[] = { > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, > - .options = { 0 } > + .options = { 0 }, > + .replay_win_sz_max = 128 > }, > .crypto_capabilities = dpaa_sec_capabilities > }, > -- > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config 2019-11-05 22:07 ` Akhil Goyal @ 2019-11-06 5:16 ` Hemant Agrawal 0 siblings, 0 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-11-06 5:16 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: konstantin.ananyev, anoobj Hi Akhil, > -----Original Message----- > From: Akhil Goyal <akhil.goyal@nxp.com> > Sent: Wednesday, November 6, 2019 3:38 AM > To: Hemant Agrawal <hemant.agrawal@nxp.com>; dev@dpdk.org > Cc: konstantin.ananyev@intel.com; anoobj@marvell.com; Hemant Agrawal > <hemant.agrawal@nxp.com> > Subject: RE: [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window > config > Importance: High > > Hi Hemant, > > > > This patch usages the anti replay window size to config the anti > > replay checking in decap path for lookaside IPSEC offload > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > --- > > drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 24 > +++++++++++++++++++ > > drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 +++-- > > drivers/crypto/dpaa_sec/dpaa_sec.c | 26 +++++++++++++++++++++ > > drivers/crypto/dpaa_sec/dpaa_sec.h | 6 +++-- > > 4 files changed, 58 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c > > b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c > > index 52e522e4a..6d59e73e9 100644 > > --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c > > +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c 
> > @@ -2836,6 +2836,30 @@ dpaa2_sec_set_ipsec_session(struct > > rte_cryptodev *dev, > > sizeof(struct rte_ipv6_hdr) << 16; > > if (ipsec_xform->options.esn) > > decap_pdb.options |= PDBOPTS_ESP_ESN; > > + > > + if (ipsec_xform->replay_win_sz) { > > + uint32_t win_sz; > > + win_sz = rte_align32pow2(ipsec_xform- > >replay_win_sz); > > + > > + switch (win_sz) { > > + case 1: > > + case 2: > > + case 4: > > + case 8: > > + case 16: > > + case 32: > > + if (ipsec_xform->options.esn) > > + decap_pdb.options |= > > PDBOPTS_ESP_ARS64; > > Why is it dependent on ESN? [Hemant] ESN requires to maintain the > 32 bit seq numbers. So there is no meaning of keeping the windows size as 32 for this case. > > > + else > > + decap_pdb.options |= > > PDBOPTS_ESP_ARS32; > > + break; > > + case 64: > > + decap_pdb.options |= PDBOPTS_ESP_ARS64; > > + break; > > + default: > > + decap_pdb.options |= > PDBOPTS_ESP_ARS128; > > Default case should not set anti replay window like case 0 when we don't > want anti replay. [Hemant] We are choosing to default to 128 bit AR, if the user chooses to set it > 128. It is implementation choice. > > > + } > > + } > > session->dir = DIR_DEC; > > bufsize = cnstr_shdsc_ipsec_new_decap(priv- > >flc_desc[0].desc, > > 1, 0, SHR_SERIAL, > > diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > > b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > > index 662559422..b97dacbcb 100644 > > --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > > +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h > > @@ -675,7 +675,8 @@ static const struct rte_security_capability > > dpaa2_sec_security_cap[] = { > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, > > - .options = { 0 } > > + .options = { 0 }, > > + .replay_win_sz_max = 128 > > }, > > .crypto_capabilities = dpaa2_sec_capabilities > > }, 
> > @@ -686,7 +687,8 @@ static const struct rte_security_capability > > dpaa2_sec_security_cap[] = { > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, > > - .options = { 0 } > > + .options = { 0 }, > > + .replay_win_sz_max = 128 > > }, > > .crypto_capabilities = dpaa2_sec_capabilities > > }, > > diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c > > b/drivers/crypto/dpaa_sec/dpaa_sec.c > > index 6c186338f..7cfa5f6dc 100644 > > --- a/drivers/crypto/dpaa_sec/dpaa_sec.c > > +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c > > @@ -2693,6 +2693,32 @@ dpaa_sec_set_ipsec_session(__rte_unused > struct > > rte_cryptodev *dev, > > sizeof(struct rte_ipv6_hdr) << 16; > > if (ipsec_xform->options.esn) > > session->decap_pdb.options |= PDBOPTS_ESP_ESN; > > + if (ipsec_xform->replay_win_sz) { > > + uint32_t win_sz; > > + win_sz = rte_align32pow2(ipsec_xform- > >replay_win_sz); > > + > > + switch (win_sz) { > > + case 1: > > + case 2: > > + case 4: > > + case 8: > > + case 16: > > + case 32: > > + if (ipsec_xform->options.esn) > > + session->decap_pdb.options |= > > + > PDBOPTS_ESP_ARS64; > > + else > > + session->decap_pdb.options |= > > + > PDBOPTS_ESP_ARS32; > > + break; > > + case 64: > > + session->decap_pdb.options |= > > PDBOPTS_ESP_ARS64; > > + break; > > + default: > > + session->decap_pdb.options |= > > + > PDBOPTS_ESP_ARS128; > > + } > > + } > > session->dir = DIR_DEC; > > } else > > goto out; > > diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h > > b/drivers/crypto/dpaa_sec/dpaa_sec.h > > index c10ec1007..684950d6d 100644 > > --- a/drivers/crypto/dpaa_sec/dpaa_sec.h > > +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h 
> > @@ -692,7 +692,8 @@ static const struct rte_security_capability > > dpaa_sec_security_cap[] = { > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, > > - .options = { 0 } > > + .options = { 0 }, > > + .replay_win_sz_max = 128 > > }, > > .crypto_capabilities = dpaa_sec_capabilities > > }, > > @@ -703,7 +704,8 @@ static const struct rte_security_capability > > dpaa_sec_security_cap[] = { > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, > > .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, > > - .options = { 0 } > > + .options = { 0 }, > > + .replay_win_sz_max = 128 > > }, > > .crypto_capabilities = dpaa_sec_capabilities > > }, > > -- > > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
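To make concrete what the window size selects, and what the rounding and clamping discussed in this exchange do to it, here is an added example in C that is not DPDK code and not part of the thread: a software model of an ESP sliding anti-replay window, with the requested-size-to-hardware-window mapping copied from the dpaa/dpaa2 switch above. All function and trace names (align32pow2 standing in for rte_align32pow2, hw_window_for, ar_check, run_trace, the trace_* arrays) are made up for this example.

```c
/*
 * Added model of the ESP anti-replay window that replay_win_sz selects. Not
 * DPDK code: every function and trace here is made up for this example; the
 * mapping in hw_window_for() mirrors the switch in the dpaa/dpaa2 hunk above.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AR_MAX_WIN 256U	/* largest window the model holds; the drivers stop at 128 */

struct ar_state {
	uint32_t win_sz;		/* 0 means replay checking is disabled */
	uint64_t top;			/* highest sequence number accepted so far */
	uint8_t seen[AR_MAX_WIN];	/* seen[seq % win_sz] != 0: seq already accepted */
};

/* Round up to the next power of two (stand-in for rte_align32pow2). */
static uint32_t align32pow2(uint32_t x)
{
	x--;
	x |= x >> 1; x |= x >> 2; x |= x >> 4;
	x |= x >> 8; x |= x >> 16;
	return x + 1;
}

/* Requested size -> window the dpaa/dpaa2 descriptor really gets: up to 32 is
 * ARS32 (ARS64 with ESN, whose sequence numbers exceed 32 bits), 64 is ARS64,
 * and anything larger is silently clamped to ARS128 instead of rejected. */
static uint32_t hw_window_for(uint32_t requested, bool esn)
{
	uint32_t w = requested ? align32pow2(requested) : 0;

	if (w == 0)
		return 0;
	if (w <= 32)
		return esn ? 64 : 32;
	return w == 64 ? 64 : 128;
}

/* Check one inbound sequence number and update the window; true = accept. */
static bool ar_check(struct ar_state *st, uint64_t seq)
{
	if (st->win_sz == 0)
		return true;		/* disabled: replays pass through unnoticed */
	if (seq == 0)
		return false;		/* ESP never uses sequence number 0 */
	if (seq > st->top) {
		/* Slide forward, forgetting every slot the window passes over. */
		if (seq - st->top >= st->win_sz)
			memset(st->seen, 0, sizeof(st->seen));
		else
			for (uint64_t s = st->top + 1; s < seq; s++)
				st->seen[s % st->win_sz] = 0;
		st->top = seq;
		st->seen[seq % st->win_sz] = 1;
		return true;
	}
	if (st->top - seq >= st->win_sz)
		return false;		/* older than the window: drop */
	if (st->seen[seq % st->win_sz])
		return false;		/* inside the window but already seen: replay */
	st->seen[seq % st->win_sz] = 1;
	return true;
}

/* Run a packet trace through a fresh window; bit i of the result is set when
 * packet i was accepted, UINT32_MAX when the window is larger than the model. */
static uint32_t run_trace(uint32_t win_sz, const uint64_t *seqs, size_t n)
{
	struct ar_state st = { .win_sz = win_sz };
	uint32_t accepted = 0;
	size_t i;

	if (win_sz > AR_MAX_WIN || n > 32)
		return UINT32_MAX;
	for (i = 0; i < n; i++)
		if (ar_check(&st, seqs[i]))
			accepted |= 1U << i;
	return accepted;
}

/* Constructed traces: a replay plus a stale packet, a window wrap-around, and
 * a packet arriving 150 sequence numbers behind the top. */
static const uint64_t trace_basic[] = { 100, 99, 99, 60, 70, 200, 99 };
static const uint64_t trace_wrap[] = { 1, 2, 3, 4, 6, 5, 2, 3, 4 };
static const uint64_t trace_far_behind[] = { 1000, 850 };

int main(void)
{
	uint32_t hw = hw_window_for(256, false);	/* driver clamps 256 to 128 */
	printf("window 32: accept mask 0x%x\n", run_trace(32, trace_basic, 7));
	printf("window 4: accept mask 0x%x\n", run_trace(4, trace_wrap, 9));
	printf("requested 256, hardware %u: packet 150 behind is %s\n", hw,
	       (run_trace(hw, trace_far_behind, 2) & 2U) ? "accepted" : "dropped");
	return 0;
}
```

The trace_far_behind run is the clamping case: with the 256-packet window the caller asked for, the packet 150 behind the top is accepted, while with the 128-packet window the driver substitutes it is dropped.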
* Re: [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal @ 2019-11-01 6:16 ` Anoob Joseph 2019-11-01 9:48 ` Hemant Agrawal 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal 3 siblings, 1 reply; 35+ messages in thread From: Anoob Joseph @ 2019-11-01 6:16 UTC (permalink / raw) To: Hemant Agrawal, dev, akhil.goyal; +Cc: konstantin.ananyev Hi Hemant, Please see inline. > -----Original Message----- > From: Hemant Agrawal <hemant.agrawal@nxp.com> > Sent: Thursday, October 31, 2019 6:45 PM > To: dev@dpdk.org; akhil.goyal@nxp.com > Cc: konstantin.ananyev@intel.com; Anoob Joseph <anoobj@marvell.com>; > Hemant Agrawal <hemant.agrawal@nxp.com> > Subject: [EXT] [PATCH v5 1/3] security: add anti replay window size > > External Email > > ---------------------------------------------------------------------- > At present the ipsec xfrom is missing the important step to configure the anti > replay window size. > The newly added field will also help in to enable or disable the anti replay > checking, if available in offload by means of non-zero or zero value. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > doc/guides/rel_notes/release_19_11.rst | 6 +++++- > lib/librte_security/Makefile | 2 +- > lib/librte_security/meson.build | 2 +- > lib/librte_security/rte_security.h | 8 ++++++++ > 4 files changed, 15 insertions(+), 3 deletions(-) > > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > index ae8e7b2f0..0508ec545 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst 
> @@ -365,6 +365,10 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > +* security: A new field ''replay_win_sz'' has been added to the > +structure > + ``rte_security_ipsec_xform``, which specify the Anti replay window > +size > + to enable sequence replay attack handling. > + > > Shared Library Versions > ----------------------- > @@ -437,7 +441,7 @@ The libraries prepended with a plus sign were > incremented in this version. > librte_reorder.so.1 > librte_ring.so.2 > + librte_sched.so.4 > - librte_security.so.2 > + + librte_security.so.3 > librte_stack.so.1 > librte_table.so.3 > librte_timer.so.1 > diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index > 6708effdb..6a268ee2a 100644 > --- a/lib/librte_security/Makefile > +++ b/lib/librte_security/Makefile > @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a > > # library version > -LIBABIVER := 2 > +LIBABIVER := 3 > > # build flags > CFLAGS += -O3 > diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build > index a5130d2f6..6fed01273 100644 > --- a/lib/librte_security/meson.build > +++ b/lib/librte_security/meson.build > @@ -1,7 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel > Corporation > > -version = 2 > +version = 3 > sources = files('rte_security.c') > headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', > 'cryptodev'] diff --git a/lib/librte_security/rte_security.h > b/lib/librte_security/rte_security.h > index aaafdfcd7..216e5370f 100644 > --- a/lib/librte_security/rte_security.h > +++ b/lib/librte_security/rte_security.h 
> @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { > /**< Tunnel parameters, NULL for transport mode */ > uint64_t esn_soft_limit; > /**< ESN for which the overflow event need to be raised */ > + uint32_t replay_win_sz; > + /**< Anti replay window size to enable sequence replay attack handling. > + * replay checking is disabled if the window size is 0. > + */ > }; > > /** > @@ -563,6 +567,10 @@ struct rte_security_capability { > /**< IPsec SA direction */ > struct rte_security_ipsec_sa_options options; > /**< IPsec SA supported options */ > + uint32_t replay_win_sz_max; > + /**< IPsec Anti Replay Window Size. A '0' value > + * indicates that Anti Replay Window is not supported. [Anoob] Minor comment. Should it be "Anti Replay is not supported."? > + */ > } ipsec; > /**< IPsec capability */ > struct { > -- > 2.17.1 Acked-by: Anoob Joseph <anoobj@marvell.com> ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size 2019-11-01 6:16 ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph @ 2019-11-01 9:48 ` Hemant Agrawal 0 siblings, 0 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-11-01 9:48 UTC (permalink / raw) To: Anoob Joseph, dev, Akhil Goyal; +Cc: konstantin.ananyev Hi Anoob, Thanks for the comment. > > + * indicates that Anti Replay Window is not > supported. > > [Anoob] Minor comment. Should it be "Anti Replay is not supported."? Akhil, will you please take care of it while applying? Regards, Hemant ^ permalink raw reply [flat|nested] 35+ messages in thread
* [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size 2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal ` (2 preceding siblings ...) 2019-11-01 6:16 ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph @ 2019-11-06 6:54 ` Hemant Agrawal 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal ` (2 more replies) 3 siblings, 3 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-11-06 6:54 UTC (permalink / raw) To: dev; +Cc: akhil.goyal At present the ipsec xform is missing the important step to configure the anti replay window size. The newly added field will also help to enable or disable the anti replay checking, if available in offload, by means of a non-zero or zero value. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com> --- doc/guides/rel_notes/release_19_11.rst | 6 +++++- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 8 ++++++++ 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 2eec0a2c1..dcae08002 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -369,6 +369,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions -----------------------
@@ -441,7 +445,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..216e5370f 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** @@ -563,6 +567,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay Window is not supported. + */ } ipsec; /**< IPsec capability */ struct { -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
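Review bot: in the release_19_11.rst hunk the field name is quoted as ''replay_win_sz'' (two ASCII single quotes) while the structure name on the very next line uses the RST literal markup ``rte_security_ipsec_xform``; write ``replay_win_sz`` so it renders as code, and change "which specify the Anti replay window size" to "which specifies the anti-replay window size".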
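Review bot: the comment on the new replay_win_sz field in rte_security_ipsec_xform only defines the zero case ("replay checking is disabled if the window size is 0") and nothing in this patch validates a non-zero request against the replay_win_sz_max capability added further down, so a window larger than the device supports, or any non-zero window on a device advertising 0, is handed straight to the PMD with driver-specific results. Either document that the session-create call fails in that case, or state in the comment that the caller must check replay_win_sz_max first; the thread later settles on the application doing the check, and the header is the place to say so.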
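Review bot: the replay_win_sz_max comment in the rte_security_capability hunk still reads "indicates that Anti Replay Window is not supported", the wording Anoob asked to change to "Anti Replay is not supported" on v5 and which Hemant left for the maintainer to fix at apply time; since this is a v6 carrying Anoob's ack, carry the fix in the patch so the acked text is the final text. It would also help to state whether any size up to replay_win_sz_max is accepted or whether a PMD may support only particular sizes below it, because an application has no other way to find that out.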
* [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal @ 2019-11-06 6:54 ` Hemant Agrawal 2019-11-06 7:00 ` Akhil Goyal 2019-11-06 13:31 ` Ananyev, Konstantin 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal 2019-11-06 13:15 ` [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size Akhil Goyal 2 siblings, 2 replies; 35+ messages in thread From: Hemant Agrawal @ 2019-11-06 6:54 UTC (permalink / raw) To: dev; +Cc: akhil.goyal The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. The related tests and app are also updated to reflect the usage. Note that the esn and anti-replay fields were earlier used only for the ipsec library; they were enabling libipsec by default. With this change the esn and anti-replay settings will not automatically enable libipsec. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 7 +++++-- examples/ipsec-secgw/ipsec-secgw.c | 5 ----- examples/ipsec-secgw/ipsec.c | 4 ++++ examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 9 files changed, 15 insertions(+), 18 deletions(-) diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); 
diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index dcae08002..0504a3443 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -369,10 +369,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index b12936470..3b5aaf683 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) printf("librte_ipsec usage: %s\n", (prm->enable == 0) ? "disabled" : "enabled"); - if (prm->enable == 0) - return; - printf("replay window size: %u\n", prm->window_size); printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); printf("SA flags: %#" PRIx64 "\n", prm->flags); @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) app_sa_prm.enable = 1; break; case 'w': - app_sa_prm.enable = 1; app_sa_prm.window_size = parse_decimal(optarg); break; case 'e': - app_sa_prm.enable = 1; app_sa_prm.enable_esn = 1; break; case 'a': 
diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index d7761e966..d4b57121a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; + ipsec->options.esn = app_sa_prm.enable_esn; } int @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, .spi = sa->spi, .salt = sa->salt, .options = { 0 }, + .replay_win_sz = 0, .direction = sa->direction, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = (IS_TUNNEL(sa->flags)) ? @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, .spi = sa->spi, .salt = sa->salt, .options = { 0 }, + .replay_win_sz = 0, .direction = sa->direction, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = (sa->flags == IP4_TUNNEL || diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index a8dee342e..4605a3a6c 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build 
@@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz; -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
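Review bot: the two bullets added to release_19_11.rst say the same thing twice (security: replay_win_sz moved out of rte_ipsec_sa_prm; ipsec: replay_win_sz removed from rte_ipsec_sa_prm because it was added to security); keep one bullet under ipsec that points at ``rte_security_ipsec_xform.replay_win_sz`` and use RST literals (``replay_win_sz``, ``rte_ipsec_sa_prm``) rather than ''replay_win_sz'' with doubled single quotes, as the surrounding notes do.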
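Review bot: removing `app_sa_prm.enable = 1;` from the 'w' and 'e' cases of parse_args() is a user-visible CLI change (-w and -e no longer imply -l), and while the commit message says so, the diffstat shows no sample-app documentation update and, as Konstantin reports later in the thread, the scripts under examples/ipsec-secgw/test select library mode through -w and will stop doing so. Suggest updating the ipsec-secgw guide and adding -l to those scripts in this same patch so the series does not leave the tests broken between commits.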
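Review bot: in the set_ipsec_conf() hunk, `ipsec->replay_win_sz = app_sa_prm.window_size;` and `ipsec->options.esn = app_sa_prm.enable_esn;` are copied into every offload SA from the global options with no check against the device's capability, although patch 1/3 added replay_win_sz_max for exactly this; a device advertising replay_win_sz_max == 0 or no ESN support still receives the request. Suggest looking the capability up via rte_security_capabilities_get() and rejecting (or clamping) the window before the session is created. In the same file, the explicit `.replay_win_sz = 0,` added to the designated initializers in create_lookaside_session() and create_inline_session() is redundant because unnamed members are already zero-initialised, and it is either dead (if set_ipsec_conf() later overwrites these xforms) or a bug (if it does not, the -w window never reaches inline or lookaside sessions, which is what this series is meant to enable); a comment stating which is intended would help.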
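Review bot: deleting replay_win_sz from the public rte_ipsec_sa_prm is an ABI break, and the LIBABIVER 1 -> 2 bump in the Makefile, the new `version = 2` line in meson.build and the librte_ipsec.so.2 entry in the release notes are consistent with each other; the doc comment deleted here ("replay checking is disabled if the window size is 0") now survives only on the rte_security field, so the rte_ipsec_sa_prm documentation should state that the window is taken from prm->ipsec_xform.replay_win_sz, which is what rte_ipsec_sa_size() and rte_ipsec_sa_init() read after this change.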
* Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-11-06 7:00 ` Akhil Goyal 2019-11-06 13:31 ` Ananyev, Konstantin 1 sibling, 0 replies; 35+ messages in thread From: Akhil Goyal @ 2019-11-06 7:00 UTC (permalink / raw) To: Hemant Agrawal, dev, konstantin.ananyev; +Cc: anoobj Hi Konstantin, I had requested some changes in v5 which are there in this patch. Could you please review this again? I plan to merge it today. Thanks, Akhil > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > The related tests and app are also updated to reflect > the usage. > > Note that the esn and anti-replay fields were earlier used > only for the ipsec library; they were enabling libipsec > by default. With this change the esn and anti-replay settings > will not automatically enable libipsec. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > examples/ipsec-secgw/ipsec.c | 4 ++++ > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 9 files changed, 15 insertions(+), 18 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c 
> @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > /* setup tunnel related fields */ > prm->tun.hdr_len = sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > index dcae08002..0504a3443 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -369,10 +369,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > -* security: A new field ''replay_win_sz'' has been added to the structure > +* security: The field ''replay_win_sz'' has been moved from ipsec library > + based ''rte_ipsec_sa_prm'' structure to security library based structure > ``rte_security_ipsec_xform``, which specify the Anti replay window size > to enable sequence replay attack handling. > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > index b12936470..3b5aaf683 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c 
> @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > printf("librte_ipsec usage: %s\n", > (prm->enable == 0) ? "disabled" : "enabled"); > > - if (prm->enable == 0) > - return; > - > printf("replay window size: %u\n", prm->window_size); > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > printf("SA flags: %#" PRIx64 "\n", prm->flags); > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > app_sa_prm.enable = 1; > break; > case 'w': > - app_sa_prm.enable = 1; > app_sa_prm.window_size = parse_decimal(optarg); > break; > case 'e': > - app_sa_prm.enable = 1; > app_sa_prm.enable_esn = 1; > break; > case 'a': > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d7761e966..d4b57121a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; > + ipsec->options.esn = app_sa_prm.enable_esn; > } > > int > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > struct ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (IS_TUNNEL(sa->flags)) ? > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct > ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (sa->flags == IP4_TUNNEL || > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a8dee342e..4605a3a6c 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c 
> @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c 
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal 2019-11-06 7:00 ` Akhil Goyal @ 2019-11-06 13:31 ` Ananyev, Konstantin 2019-11-06 13:40 ` Akhil Goyal 1 sibling, 1 reply; 35+ messages in thread From: Ananyev, Konstantin @ 2019-11-06 13:31 UTC (permalink / raw) To: Hemant Agrawal, dev; +Cc: akhil.goyal Hi guys, > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > The related tests and app are also updated to reflect > the usage. > > Note that the esn and anti-replay fields were earlier used > only for the ipsec library; they were enabling libipsec > by default. With this change the esn and anti-replay settings > will not automatically enable libipsec. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > examples/ipsec-secgw/ipsec.c | 4 ++++ > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 9 files changed, 15 insertions(+), 18 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > /* setup tunnel related fields */ > prm->tun.hdr_len = sizeof(ipv4_outer); 
> diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst > index dcae08002..0504a3443 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -369,10 +369,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > -* security: A new field ''replay_win_sz'' has been added to the structure > +* security: The field ''replay_win_sz'' has been moved from ipsec library > + based ''rte_ipsec_sa_prm'' structure to security library based structure > ``rte_security_ipsec_xform``, which specify the Anti replay window size > to enable sequence replay attack handling. > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > index b12936470..3b5aaf683 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > printf("librte_ipsec usage: %s\n", > (prm->enable == 0) ? "disabled" : "enabled"); > > - if (prm->enable == 0) > - return; > - > printf("replay window size: %u\n", prm->window_size); > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > printf("SA flags: %#" PRIx64 "\n", prm->flags); 
> @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > app_sa_prm.enable = 1; > break; > case 'w': > - app_sa_prm.enable = 1; That actually will break lib-mode functional tests at: examples/ipsec-secgw/test/ Due to my laziness I enabled library mode in them via the '-w' option, as at that moment legacy mode didn't support the replay window... As these patches are already applied, I'll send the fix in a new one in the next few. > app_sa_prm.window_size = parse_decimal(optarg); > break; > case 'e': > - app_sa_prm.enable = 1; > app_sa_prm.enable_esn = 1; > break; > case 'a': > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d7761e966..d4b57121a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; > + ipsec->options.esn = app_sa_prm.enable_esn; Ok, but what to do for the devices that don't support esn or replay_win_sz? Should we add some check? Either to the app, or preferably into rte_security level at rte_security_session_create()? > } > > int > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (IS_TUNNEL(sa->flags)) ? > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (sa->flags == IP4_TUNNEL || > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a8dee342e..4605a3a6c 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c 
> @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c 
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz 2019-11-06 13:31 ` Ananyev, Konstantin @ 2019-11-06 13:40 ` Akhil Goyal 2019-11-06 14:27 ` Ananyev, Konstantin 0 siblings, 1 reply; 35+ messages in thread From: Akhil Goyal @ 2019-11-06 13:40 UTC (permalink / raw) To: Ananyev, Konstantin, Hemant Agrawal, dev Hi Konstantin, > > Hi guys, > > > The rte_security lib has introduced replay_win_sz, > > so it can be removed from the rte_ipsec lib. > > > > The related tests and app are also updated to reflect > > the usage. > > > > Note that the esn and anti-replay fields were earlier used > > only for the ipsec library; they were enabling libipsec > > by default. With this change the esn and anti-replay settings > > will not automatically enable libipsec. > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > --- > > app/test/test_ipsec.c | 2 +- > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > examples/ipsec-secgw/sa.c | 2 +- > > lib/librte_ipsec/Makefile | 2 +- > > lib/librte_ipsec/meson.build | 1 + > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > lib/librte_ipsec/sa.c | 4 ++-- > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > index 4007eff19..7dc83fee7 100644 > > --- a/app/test/test_ipsec.c > > +++ b/app/test/test_ipsec.c > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > > > prm->userdata = 1; > > prm->flags = flags; > > - prm->replay_win_sz = replay_win_sz; > > > > /* setup ipsec xform */ > > prm->ipsec_xform = ut_params->ipsec_xform; > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > /* setup tunnel related fields */ > > prm->tun.hdr_len = sizeof(ipv4_outer); 
> > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > > index dcae08002..0504a3443 100644 > > --- a/doc/guides/rel_notes/release_19_11.rst > > +++ b/doc/guides/rel_notes/release_19_11.rst > > @@ -369,10 +369,13 @@ ABI Changes > > align the Ethernet header on receive and all known encapsulations > > preserve the alignment of the header. > > > > -* security: A new field ''replay_win_sz'' has been added to the structure > > +* security: The field ''replay_win_sz'' has been moved from ipsec library > > + based ''rte_ipsec_sa_prm'' structure to security library based structure > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > to enable sequence replay attack handling. > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > Shared Library Versions > > ----------------------- > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > incremented in this version. > > librte_gso.so.1 > > librte_hash.so.2 > > librte_ip_frag.so.1 > > - librte_ipsec.so.1 > > + + librte_ipsec.so.2 > > librte_jobstats.so.1 > > librte_kni.so.2 > > librte_kvargs.so.1 > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > > index b12936470..3b5aaf683 100644 > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > > printf("librte_ipsec usage: %s\n", > > (prm->enable == 0) ? "disabled" : "enabled"); > > > > - if (prm->enable == 0) > > - return; > > - > > printf("replay window size: %u\n", prm->window_size); > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > > printf("SA flags: %#" PRIx64 "\n", prm->flags); 
> > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > app_sa_prm.enable = 1; > > break; > > case 'w': > > - app_sa_prm.enable = 1; > > That actually will break lib-mode functional tests at: > examples/ipsec-secgw/test/ > Due to my laziness I enabled library mode in them via the '-w' option, > as at that moment legacy mode didn't support the replay window... > As these patches are already applied, I'll send the fix in a new one in the next few. No issues, I will squash your changes with the original patch as it is not applied on master. > > > app_sa_prm.window_size = parse_decimal(optarg); > > break; > > case 'e': > > - app_sa_prm.enable = 1; > > app_sa_prm.enable_esn = 1; > > break; > > case 'a': > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > > index d7761e966..d4b57121a 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > > /* TODO support for Transport */ > > } > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > + ipsec->options.esn = app_sa_prm.enable_esn; > > Ok, but what to do for the devices that don't support esn or replay_win_sz? > Should we add some check? Either to the app, or preferably into rte_security > level at rte_security_session_create()? Ideally the app should check the capability of the device before setting it. > > } > > > > int > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > struct ipsec_sa *sa, > > .spi = sa->spi, > > .salt = sa->salt, > > .options = { 0 }, > > + .replay_win_sz = 0, > > .direction = sa->direction, > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = (IS_TUNNEL(sa->flags)) ? 
> > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, > struct ipsec_sa *sa, > > .spi = sa->spi, > > .salt = sa->salt, > > .options = { 0 }, > > + .replay_win_sz = 0, > > .direction = sa->direction, > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = (sa->flags == IP4_TUNNEL || > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > index a8dee342e..4605a3a6c 100644 > > --- a/examples/ipsec-secgw/sa.c > > +++ b/examples/ipsec-secgw/sa.c > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm > *prm, > > > > prm->flags = app_prm->flags; > > prm->ipsec_xform.options.esn = app_prm->enable_esn; > > - prm->replay_win_sz = app_prm->window_size; > > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > > } > > > > static int > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > > index 81fb99980..161ea9e3d 100644 > > --- a/lib/librte_ipsec/Makefile > > +++ b/lib/librte_ipsec/Makefile > > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > > > EXPORT_MAP := rte_ipsec_version.map > > > > -LIBABIVER := 1 > > +LIBABIVER := 2 > > > > # all source are stored in SRCS-y > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > > index 70358526b..e8604dadd 100644 > > --- a/lib/librte_ipsec/meson.build > > +++ b/lib/librte_ipsec/meson.build > > @@ -1,6 +1,7 @@ > > # SPDX-License-Identifier: BSD-3-Clause > > # Copyright(c) 2018 Intel Corporation > > > > +version = 2 > > allow_experimental_apis = true > > > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > > index 47ce169d2..1cfde5874 100644 > > --- a/lib/librte_ipsec/rte_ipsec_sa.h > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h 
> > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > > uint8_t proto; /**< next header protocol */ > > } trs; /**< transport mode related parameters */ > > }; > > - > > - /** > > - * window size to enable sequence replay attack handling. > > - * replay checking is disabled if the window size is 0. > > - */ > > - uint32_t replay_win_sz; > > }; > > > > /** > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > > index 23d394b46..6f1d92c3c 100644 > > --- a/lib/librte_ipsec/sa.c > > +++ b/lib/librte_ipsec/sa.c > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > > return rc; > > > > /* determine required size */ > > - wsz = prm->replay_win_sz; > > + wsz = prm->ipsec_xform.replay_win_sz; > > return ipsec_sa_size(type, &wsz, &nb); > > } > > > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > rte_ipsec_sa_prm *prm, > > return rc; > > > > /* determine required size */ > > - wsz = prm->replay_win_sz; > > + wsz = prm->ipsec_xform.replay_win_sz; > > sz = ipsec_sa_size(type, &wsz, &nb); > > if (sz < 0) > > return sz; > > -- > > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
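What the moved field actually controls, as an added example that is not part of this thread or of DPDK: a software ESP anti-replay window of the kind rte_ipsec sizes from replay_win_sz, following the bitmap scheme of RFC 4303 Appendix A. A window size of 0 disables the check, as the field's own doc comment says. Assumptions: 32-bit sequence numbers only (no ESN), the window is capped at 64 entries so one uint64_t holds the bitmap, and the packet trace in demo_seqs is constructed for the demonstration.

```c
/* Added example, not DPDK code: RFC 4303-style ESP anti-replay window.
 * Assumption: no ESN, window capped at 64 so a single uint64_t suffices. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AR_MAX_WIN 64

struct ar_window {
    uint32_t win_sz;   /* 0 = anti-replay checking disabled */
    uint32_t last_seq; /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set => sequence last_seq - i was seen */
};

static void ar_init(struct ar_window *w, uint32_t win_sz)
{
    w->win_sz = win_sz > AR_MAX_WIN ? AR_MAX_WIN : win_sz;
    w->last_seq = 0;
    w->bitmap = 0;
}

/* Returns 1 if seq is accepted (and recorded), 0 if it is a replay or
 * already older than the window. Per RFC 4303 this runs only after the
 * ICV verified, so a forged packet cannot advance the window. */
static int ar_check_and_update(struct ar_window *w, uint32_t seq)
{
    if (w->win_sz == 0)
        return 1;                         /* checking disabled */
    if (seq == 0)
        return 0;                         /* ESP sequence 0 is never valid */
    if (seq > w->last_seq) {
        uint32_t shift = seq - w->last_seq;
        /* slide the window up; a shift of >= 64 is undefined in C, so clear */
        w->bitmap = shift >= AR_MAX_WIN ? 0 : w->bitmap << shift;
        w->bitmap |= 1;                   /* bit 0 is the new last_seq */
        w->last_seq = seq;
        return 1;
    }
    uint32_t diff = w->last_seq - seq;
    if (diff >= w->win_sz)
        return 0;                         /* left of the window: too old */
    uint64_t bit = (uint64_t)1 << diff;
    if (w->bitmap & bit)
        return 0;                         /* already seen: replay */
    w->bitmap |= bit;                     /* late but inside the window */
    return 1;
}

/* Constructed packet trace: in-order packets, one reordered (4 after 5),
 * one replay (3 again), a jump to 40 that slides the window, two packets
 * that a 32-entry window has already left behind (8, 7), and a replayed 40. */
static const uint32_t demo_seqs[] = { 1, 2, 3, 5, 4, 3, 40, 8, 7, 40 };
#define DEMO_N (sizeof(demo_seqs) / sizeof(demo_seqs[0]))

/* Runs the trace against a window of win_sz and returns how many packets
 * were accepted. */
static int ar_demo(uint32_t win_sz)
{
    struct ar_window w;
    int accepted = 0;
    ar_init(&w, win_sz);
    for (size_t i = 0; i < DEMO_N; i++)
        accepted += ar_check_and_update(&w, demo_seqs[i]);
    return accepted;
}

int main(void)
{
    printf("window 64: %d of %zu accepted\n", ar_demo(64), DEMO_N);
    printf("window 32: %d of %zu accepted\n", ar_demo(32), DEMO_N);
    printf("window 1:  %d of %zu accepted\n", ar_demo(1), DEMO_N);
    printf("window 0 (disabled): %d of %zu accepted\n", ar_demo(0), DEMO_N);
    return 0;
}
```

The trace makes the size trade-off visible: with a 64-entry window the late packets 8 and 7 are still judged and accepted, with 32 they are dropped as too old, with 1 any reordering is dropped, and with 0 every packet, replays included, goes through. That is why a hardware offload that rounds the requested size up or down changes what the SA tolerates, and why 0 must mean "off" rather than "default".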
* Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz 2019-11-06 13:40 ` Akhil Goyal @ 2019-11-06 14:27 ` Ananyev, Konstantin 2019-11-06 14:29 ` Akhil Goyal 0 siblings, 1 reply; 35+ messages in thread From: Ananyev, Konstantin @ 2019-11-06 14:27 UTC (permalink / raw) To: Akhil Goyal, Hemant Agrawal, dev > > > The rte_security lib has introduced replay_win_sz, > > > so it can be removed from the rte_ipsec lib. > > > > > > The related tests and app are also updated to reflect > > > the usage. > > > > > > Note that esn and anti-replay fields were earlier used > > > only for ipsec library, they were enabling the libipsec > > > by default. With this change esn and anti-replay setting > > > will not automatically enable libipsec. > > > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > > --- > > > app/test/test_ipsec.c | 2 +- > > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > > examples/ipsec-secgw/sa.c | 2 +- > > > lib/librte_ipsec/Makefile | 2 +- > > > lib/librte_ipsec/meson.build | 1 + > > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > > lib/librte_ipsec/sa.c | 4 ++-- > > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > > index 4007eff19..7dc83fee7 100644 > > > --- a/app/test/test_ipsec.c > > > +++ b/app/test/test_ipsec.c > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > > flags) > > > > > > prm->userdata = 1; > > > prm->flags = flags; > > > - prm->replay_win_sz = replay_win_sz; > > > > > > /* setup ipsec xform */ > > > prm->ipsec_xform = ut_params->ipsec_xform; > > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > > > /* setup tunnel related fields */ > > > prm->tun.hdr_len = sizeof(ipv4_outer); 
> > > diff --git a/doc/guides/rel_notes/release_19_11.rst > > b/doc/guides/rel_notes/release_19_11.rst > > > index dcae08002..0504a3443 100644 > > > --- a/doc/guides/rel_notes/release_19_11.rst > > > +++ b/doc/guides/rel_notes/release_19_11.rst > > > @@ -369,10 +369,13 @@ ABI Changes > > > align the Ethernet header on receive and all known encapsulations > > > preserve the alignment of the header. > > > > > > -* security: A new field ''replay_win_sz'' has been added to the structure > > > +* security: The field ''replay_win_sz'' has been moved from ipsec library > > > + based ''rte_ipsec_sa_prm'' structure to security library based structure > > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > > to enable sequence replay attack handling. > > > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > > > Shared Library Versions > > > ----------------------- > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > > incremented in this version. > > > librte_gso.so.1 > > > librte_hash.so.2 > > > librte_ip_frag.so.1 > > > - librte_ipsec.so.1 > > > + + librte_ipsec.so.2 > > > librte_jobstats.so.1 > > > librte_kni.so.2 > > > librte_kvargs.so.1 > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > secgw/ipsec-secgw.c > > > index b12936470..3b5aaf683 100644 > > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > > > printf("librte_ipsec usage: %s\n", > > > (prm->enable == 0) ? "disabled" : "enabled"); > > > > > > - if (prm->enable == 0) > > > - return; > > > - > > > printf("replay window size: %u\n", prm->window_size); > > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > > > printf("SA flags: %#" PRIx64 "\n", prm->flags); 
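Review bot: the release-note hunk mixes two literal styles: the added lines write ''replay_win_sz'' and ''rte_ipsec_sa_prm'' with doubled single quotes while the unchanged line right after them uses the RST double backticks of ``rte_security_ipsec_xform``; use ``replay_win_sz`` and ``rte_ipsec_sa_prm`` so Sphinx renders them as literals. The kept sentence "which specify the Anti replay window size" no longer agrees with its new subject and should read "which specifies the anti-replay window size". The separate ipsec entry restates the security entry; one entry saying the field moved from ``rte_ipsec_sa_prm`` to ``rte_security_ipsec_xform`` is enough.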
> > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > > app_sa_prm.enable = 1; > > > break; > > > case 'w': > > > - app_sa_prm.enable = 1; > > > > That actually will break lib-mode functional tests at: > > examples/ipsec-secgw/test/ > > Due to my laziness I enabled in them library mode via '-w' option, > > as at that moment legacy mode didn't support replay window... > > As these patches are already applied, I'll send the fix in a new one in next few. > > No issues, I will squash your changes with the original patch as it is not applied > on master. Ok, thanks. Patch at: http://patches.dpdk.org/patch/62540/ > > > > > > app_sa_prm.window_size = parse_decimal(optarg); > > > break; > > > case 'e': > > > - app_sa_prm.enable = 1; > > > app_sa_prm.enable_esn = 1; > > > break; > > > case 'a': > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > > > index d7761e966..d4b57121a 100644 > > > --- a/examples/ipsec-secgw/ipsec.c > > > +++ b/examples/ipsec-secgw/ipsec.c > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > > /* TODO support for Transport */ > > > } > > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > > + ipsec->options.esn = app_sa_prm.enable_esn; > > > > Ok, but what to do for the devices that don't support esn or replay_win_sz? > > Should we add some check? Either to the app, or preferably into rte_security > > level at rte_security_session_create()? > > Ideally the app should check the capability of the device before setting it. Yes... after another thought - as right now we do create the session at run-time, probably we need to check these device capabilities at init stage and report an error. Konstantin > > > > > > } > > > > > > int 
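Review bot: set_ipsec_conf() now copies app_sa_prm.window_size and app_sa_prm.enable_esn into the xform with no check that the device can honour either, so a driver that ignores or clamps them leaves the SA with weaker replay protection than the operator asked for and nothing reports it. Since the capability table carries replay_win_sz_max (set to 128 in the dpaa2_sec patch of this series) and options.esn, the app should walk rte_security_capabilities_get() when the SA is set up, match proto/mode/direction, and fail the SA when window_size exceeds replay_win_sz_max or ESN is requested but not advertised, rather than finding out at run-time session creation. Also worth a one-line comment here that a 0 window_size means "no anti-replay", since the early return removed from print_app_sa_prm() above means these values are now printed and used in legacy mode too.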
> > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > > struct ipsec_sa *sa, > > > .spi = sa->spi, > > > .salt = sa->salt, > > > .options = { 0 }, > > > + .replay_win_sz = 0, > > > .direction = sa->direction, > > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > > .mode = (IS_TUNNEL(sa->flags)) ? > > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, > > struct ipsec_sa *sa, > > > .spi = sa->spi, > > > .salt = sa->salt, > > > .options = { 0 }, > > > + .replay_win_sz = 0, > > > .direction = sa->direction, > > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > > .mode = (sa->flags == IP4_TUNNEL || > > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > > index a8dee342e..4605a3a6c 100644 > > > --- a/examples/ipsec-secgw/sa.c > > > +++ b/examples/ipsec-secgw/sa.c > > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm > > *prm, > > > > > > prm->flags = app_prm->flags; > > > prm->ipsec_xform.options.esn = app_prm->enable_esn; > > > - prm->replay_win_sz = app_prm->window_size; > > > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > > > } > > > > > > static int > > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > > > index 81fb99980..161ea9e3d 100644 > > > --- a/lib/librte_ipsec/Makefile > > > +++ b/lib/librte_ipsec/Makefile > > > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > > > > > EXPORT_MAP := rte_ipsec_version.map > > > > > > -LIBABIVER := 1 > > > +LIBABIVER := 2 > > > > > > # all source are stored in SRCS-y > > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > > > index 70358526b..e8604dadd 100644 > > > --- a/lib/librte_ipsec/meson.build > > > +++ b/lib/librte_ipsec/meson.build 
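Review bot: the explicit `.replay_win_sz = 0,` added to both the create_lookaside_session() and create_inline_session() initializers is redundant: members omitted from a designated initializer are zero already, and set_ipsec_conf() (previous hunk) is what fills the field from app_sa_prm.window_size for the sessions that pass through it. Either drop the two lines, or, if one of the paths is meant to stay at 0 (anti-replay left to the device default), say so in a comment, because a reader of this code will otherwise take the literal 0 as the configured window.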
> > > @@ -1,6 +1,7 @@ > > > # SPDX-License-Identifier: BSD-3-Clause > > > # Copyright(c) 2018 Intel Corporation > > > > > > +version = 2 > > > allow_experimental_apis = true > > > > > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > > > index 47ce169d2..1cfde5874 100644 > > > --- a/lib/librte_ipsec/rte_ipsec_sa.h > > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > > > uint8_t proto; /**< next header protocol */ > > > } trs; /**< transport mode related parameters */ > > > }; > > > - > > > - /** > > > - * window size to enable sequence replay attack handling. > > > - * replay checking is disabled if the window size is 0. > > > - */ > > > - uint32_t replay_win_sz; > > > }; > > > > > > /** > > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > > > index 23d394b46..6f1d92c3c 100644 > > > --- a/lib/librte_ipsec/sa.c > > > +++ b/lib/librte_ipsec/sa.c > > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > > > return rc; > > > > > > /* determine required size */ > > > - wsz = prm->replay_win_sz; > > > + wsz = prm->ipsec_xform.replay_win_sz; > > > return ipsec_sa_size(type, &wsz, &nb); > > > } > > > > > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > > rte_ipsec_sa_prm *prm, > > > return rc; > > > > > > /* determine required size */ > > > - wsz = prm->replay_win_sz; > > > + wsz = prm->ipsec_xform.replay_win_sz; > > > sz = ipsec_sa_size(type, &wsz, &nb); > > > if (sz < 0) > > > return sz; > > > -- > > > 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
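Review bot: rte_ipsec_sa_size() and rte_ipsec_sa_init() now size the software window from prm->ipsec_xform.replay_win_sz for every SA, and that same xform is what the application passes to the security device for the LOOKASIDE_PROTOCOL and INLINE_PROTOCOL action types, where the device enforces its own window. The doc block removed from rte_ipsec_sa_prm was the only statement of the field's semantics on the library side; add a sentence to rte_ipsec_sa.h saying which side performs the check for the offload types (library, device, or both), so callers know whether a non-zero value costs a second window. The LIBABIVER/meson version bump to 2 and the librte_ipsec.so.2 release-note entry are consistent with removing a public struct member.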
* Re: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz 2019-11-06 14:27 ` Ananyev, Konstantin @ 2019-11-06 14:29 ` Akhil Goyal 0 siblings, 0 replies; 35+ messages in thread From: Akhil Goyal @ 2019-11-06 14:29 UTC (permalink / raw) To: Ananyev, Konstantin, Hemant Agrawal, dev > > > > > The rte_security lib has introduced replay_win_sz, > > > > so it can be removed from the rte_ipsec lib. > > > > > > > > The related tests and app are also updated to reflect > > > > the usage. > > > > > > > > Note that esn and anti-replay fields were earlier used > > > > only for ipsec library, they were enabling the libipsec > > > > by default. With this change esn and anti-replay setting > > > > will not automatically enable libipsec. > > > > > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > > > --- > > > > app/test/test_ipsec.c | 2 +- > > > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > > > examples/ipsec-secgw/sa.c | 2 +- > > > > lib/librte_ipsec/Makefile | 2 +- > > > > lib/librte_ipsec/meson.build | 1 + > > > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > > > lib/librte_ipsec/sa.c | 4 ++-- > > > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > > > index 4007eff19..7dc83fee7 100644 > > > > --- a/app/test/test_ipsec.c > > > > +++ b/app/test/test_ipsec.c 
> > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, > uint64_t > > > flags) > > > > > > > > prm->userdata = 1; > > > > prm->flags = flags; > > > > - prm->replay_win_sz = replay_win_sz; > > > > > > > > /* setup ipsec xform */ > > > > prm->ipsec_xform = ut_params->ipsec_xform; > > > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > > > > > /* setup tunnel related fields */ > > > > prm->tun.hdr_len = sizeof(ipv4_outer); > > > > diff --git a/doc/guides/rel_notes/release_19_11.rst > > > b/doc/guides/rel_notes/release_19_11.rst > > > > index dcae08002..0504a3443 100644 > > > > --- a/doc/guides/rel_notes/release_19_11.rst > > > > +++ b/doc/guides/rel_notes/release_19_11.rst > > > > @@ -369,10 +369,13 @@ ABI Changes > > > > align the Ethernet header on receive and all known encapsulations > > > > preserve the alignment of the header. > > > > > > > > -* security: A new field ''replay_win_sz'' has been added to the structure > > > > +* security: The field ''replay_win_sz'' has been moved from ipsec library > > > > + based ''rte_ipsec_sa_prm'' structure to security library based structure > > > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > > > to enable sequence replay attack handling. > > > > > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > > > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > > > > > Shared Library Versions > > > > ----------------------- > > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > > > incremented in this version. > > > > librte_gso.so.1 > > > > librte_hash.so.2 > > > > librte_ip_frag.so.1 > > > > - librte_ipsec.so.1 > > > > + + librte_ipsec.so.2 > > > > librte_jobstats.so.1 > > > > librte_kni.so.2 > > > > librte_kvargs.so.1 
> > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > > secgw/ipsec-secgw.c > > > > index b12936470..3b5aaf683 100644 > > > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm > *prm) > > > > printf("librte_ipsec usage: %s\n", > > > > (prm->enable == 0) ? "disabled" : "enabled"); > > > > > > > > - if (prm->enable == 0) > > > > - return; > > > > - > > > > printf("replay window size: %u\n", prm->window_size); > > > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > > > > printf("SA flags: %#" PRIx64 "\n", prm->flags); > > > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > > > app_sa_prm.enable = 1; > > > > break; > > > > case 'w': > > > > - app_sa_prm.enable = 1; > > > > > > That actually will break lib-mode functional tests at: > > > examples/ipsec-secgw/test/ > > > Due to my laziness I enabled in them library mode via '-w' option, > > > as at that moment legacy mode didn't support replay window... > > > As these patches are already applied, I'll send the fix in a new one in next few. > > > > No issues, I will squash your changes with the original patch as it is not applied > > on master. > > Ok, thanks. > Patch at: > http://patches.dpdk.org/patch/62540/ Removed the Fixes line for this patch. Rebased the tree so that the script patch is just after this patch. Applied > > > > > > > > > > app_sa_prm.window_size = parse_decimal(optarg); > > > > break; > > > > case 'e': > > > > - app_sa_prm.enable = 1; > > > > app_sa_prm.enable_esn = 1; > > > > break; > > > > case 'a': > > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > > > > index d7761e966..d4b57121a 100644 > > > > --- a/examples/ipsec-secgw/ipsec.c > > > > +++ b/examples/ipsec-secgw/ipsec.c 
> > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > > rte_security_ipsec_xform *ipsec) > > > > /* TODO support for Transport */ > > > > } > > > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > > > + ipsec->options.esn = app_sa_prm.enable_esn; > > > > > > Ok, but what to do for the devices that don't support esn or replay_win_sz? > > > Should we add some check? Either to the app, or preferably into rte_security > > > level at rte_security_session_create()? > > > > Ideally app should check the capability of the device before setting it. > > Yes... after another thought - as right now we do create session at run-time, > probably we need to check these device capabilities at init stage and report an > error. Agreed ^ permalink raw reply [flat|nested] 35+ messages in thread
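The init-time capability check the reviewers agree on above, as an added example that is not part of the thread, of ipsec-secgw or of DPDK. The struct layouts are a reduced stand-in for the IPsec part of rte_security_capability and rte_security_ipsec_xform, keeping only the fields the check needs (mode, direction, ESN, replay_win_sz_max); real code would fetch the table with rte_security_capabilities_get() and use the real types. The capability table is constructed to mirror the two dpaa2_sec entries in patch 3/3 of this series (tunnel mode, both directions, replay_win_sz_max = 128, no ESN advertised). ars_class() models the 32/64/128 descriptor classes that patch selects, but refuses a request above the largest class instead of shrinking it.

```c
/* Added example, not DPDK code. Types below are a modelling assumption,
 * not the rte_security ABI. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum sa_dir  { DIR_EGRESS, DIR_INGRESS };
enum sa_mode { MODE_TUNNEL, MODE_TRANSPORT };

/* Stand-in for the IPsec part of one rte_security_capability entry. */
struct ipsec_cap {
    enum sa_mode mode;
    enum sa_dir direction;
    int esn;                    /* 1 if the device can do ESN */
    uint32_t replay_win_sz_max; /* 0 = no anti-replay offload at all */
};

/* What the application asks for per SA: the subset of
 * rte_security_ipsec_xform that set_ipsec_conf() fills in. */
struct sa_request {
    enum sa_mode mode;
    enum sa_dir direction;
    int esn;
    uint32_t replay_win_sz;     /* 0 = anti-replay not wanted */
};

/* Constructed table mirroring the dpaa2_sec capability hunks. */
static const struct ipsec_cap dpaa2_like_caps[] = {
    { MODE_TUNNEL, DIR_EGRESS,  0, 128 },
    { MODE_TUNNEL, DIR_INGRESS, 0, 128 },
};
#define N_CAPS (sizeof(dpaa2_like_caps) / sizeof(dpaa2_like_caps[0]))

/* Returns 0 when some capability entry can honour every requested
 * property, -ENOTSUP otherwise. Run once per SA at init, before any
 * session is created, so a device that cannot do ESN or the requested
 * window makes the application fail loudly instead of building an SA
 * with silently weaker protection. */
static int sa_supported(const struct ipsec_cap *caps, size_t n,
                        const struct sa_request *sa)
{
    for (size_t i = 0; i < n; i++) {
        const struct ipsec_cap *c = &caps[i];
        if (c->mode != sa->mode || c->direction != sa->direction)
            continue;
        if (sa->esn && !c->esn)
            continue;           /* ESN requested but not offered */
        if (sa->replay_win_sz > c->replay_win_sz_max)
            continue;           /* window larger than the device offers */
        return 0;
    }
    return -ENOTSUP;
}

/* The 32/64/128 descriptor classes dpaa2_sec picks after rounding the
 * request up to a power of two. Anything above 128 is refused with
 * -EINVAL rather than clamped, so the caller learns the SA is not
 * getting the window it asked for. */
static int ars_class(uint32_t replay_win_sz)
{
    if (replay_win_sz == 0)
        return 0;               /* anti-replay disabled */
    if (replay_win_sz <= 32)
        return 32;
    if (replay_win_sz <= 64)
        return 64;
    if (replay_win_sz <= 128)
        return 128;
    return -EINVAL;
}

/* Convenience wrapper over the constructed table. */
static int check_dpaa2_like(enum sa_mode mode, enum sa_dir dir,
                            int esn, uint32_t win)
{
    struct sa_request sa = { mode, dir, esn, win };
    return sa_supported(dpaa2_like_caps, N_CAPS, &sa);
}

int main(void)
{
    printf("ingress tunnel, win 64:    %d\n",
           check_dpaa2_like(MODE_TUNNEL, DIR_INGRESS, 0, 64));
    printf("ingress tunnel, win 1024:  %d\n",
           check_dpaa2_like(MODE_TUNNEL, DIR_INGRESS, 0, 1024));
    printf("ingress tunnel, ESN:       %d\n",
           check_dpaa2_like(MODE_TUNNEL, DIR_INGRESS, 1, 64));
    printf("ingress transport, win 64: %d\n",
           check_dpaa2_like(MODE_TRANSPORT, DIR_INGRESS, 0, 64));
    printf("class for 33: %d, for 129: %d\n", ars_class(33), ars_class(129));
    return 0;
}
```

The point of doing this at init rather than inside rte_security_session_create() is that a rejected SA then shows up as a configuration error at start-up, in the same place the SA file is parsed, instead of as a run-time failure on the first packet of that SA.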
* [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal @ 2019-11-06 6:54 ` Hemant Agrawal 2019-11-06 7:02 ` Akhil Goyal 2019-11-06 13:15 ` [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size Akhil Goyal 2 siblings, 1 reply; 35+ messages in thread From: Hemant Agrawal @ 2019-11-06 6:54 UTC (permalink / raw) To: dev; +Cc: akhil.goyal This patch uses the anti replay window size to configure the anti replay checking in the decap path for lookaside IPSEC offload. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> --- drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 21 +++++++++++++++++++++ drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 ++++-- drivers/crypto/dpaa_sec/dpaa_sec.c | 21 +++++++++++++++++++++ drivers/crypto/dpaa_sec/dpaa_sec.h | 6 ++++-- 4 files changed, 50 insertions(+), 4 deletions(-) diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 555730519..42b055cd8 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c @@ -2903,6 +2903,27 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) decap_pdb.options |= PDBOPTS_ESP_ESN; + + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + decap_pdb.options |= PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, 
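Review bot: the `default:` arm of the switch in dpaa2_sec_set_ipsec_session() silently programs PDBOPTS_ESP_ARS128 for any request above 128, so an SA configured with replay_win_sz = 1024 gets a 128-entry window and no error; rte_align32pow2() also returns 0 for inputs above 2^31, which lands in the same arm. Since the dpaa2_sec_priv.h hunk in this patch advertises replay_win_sz_max = 128, make win_sz > 128 (and win_sz == 0 after rounding) a hard error from this function rather than a clamp, so the mismatch is visible at session creation. The rounding plus the three-way mapping is repeated verbatim in dpaa_sec.c in the same patch; a small shared helper returning the PDBOPTS_ESP_ARS* bit or an error would fix both places at once. Minor: `uint32_t win_sz;` followed by a separate assignment can be a single initialised declaration.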
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index c10fbf8dd..528b64ef8 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -716,7 +716,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, @@ -727,7 +728,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index b0fa74540..adf0c7a20 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c @@ -2844,6 +2844,27 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + session->decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + session->decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + session->decap_pdb.options |= + PDBOPTS_ESP_ARS128; + } + } } else goto out; rte_spinlock_lock(&internals->lock); diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index 039cce8e9..3ecc7eae5 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h 
@@ -733,7 +733,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities }, @@ -744,7 +745,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities }, -- 2.17.1 ^ permalink raw reply [flat|nested] 35+ messages in thread
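Review bot: the dpaa_sec.c hunk has the same silent clamp as the dpaa2_sec one: requests above 128, and the 0 that rte_align32pow2() returns for inputs above 2^31, both fall through to PDBOPTS_ESP_ARS128 with no error even though dpaa_sec.h now advertises replay_win_sz_max = 128. Reject out-of-range sizes there too, and share the mapping with dpaa2_sec instead of keeping two copies of the switch. The subject line names only crypto/dpaa2_sec although half the diff is crypto/dpaa_sec; name both drivers.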
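Review bot: replay_win_sz_max = 128 is added to the EGRESS capability entries as well as the INGRESS ones in both dpaa2_sec_priv.h and dpaa_sec.h, while the commit message says the window is only applied in the decap path. An egress entry that claims a 128-entry replay window misleads an application that checks capabilities per direction before setting replay_win_sz; leave it 0 on the egress entries, or state in the field's doc comment that the value is direction-independent.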
* Re: [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal @ 2019-11-06 7:02 ` Akhil Goyal 0 siblings, 0 replies; 35+ messages in thread From: Akhil Goyal @ 2019-11-06 7:02 UTC (permalink / raw) To: Hemant Agrawal, dev > > This patch uses the anti replay window size to configure > the anti replay checking in the decap path for lookaside > IPSEC offload. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > --- Acked-by: Akhil Goyal <akhil.goyal@nxp.com> ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal 2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal @ 2019-11-06 13:15 ` Akhil Goyal 2 siblings, 0 replies; 35+ messages in thread From: Akhil Goyal @ 2019-11-06 13:15 UTC (permalink / raw) To: Hemant Agrawal, dev; +Cc: konstantin.ananyev > At present the ipsec xform is missing the important step > to configure the anti replay window size. > The newly added field will also help to enable or disable > the anti replay checking, if available in offload, by means > of a non-zero or zero value. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > Acked-by: Anoob Joseph <anoobj@marvell.com> > --- Series Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Applied to dpdk-next-crypto Thanks. ^ permalink raw reply [flat|nested] 35+ messages in thread
Thread overview: 35+ messages
2019-10-25 6:20 [dpdk-dev] [PATCH 1/2] security: add anti replay window size Hemant Agrawal
2019-10-25 6:20 ` [dpdk-dev] [PATCH 2/2] examples/ipsec-secgw: add support for replay win for lookaside Hemant Agrawal
2019-10-25 10:00 ` [dpdk-dev] [PATCH 1/2] security: add anti replay window size Ananyev, Konstantin
2019-10-25 15:56 ` Hemant Agrawal
2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 " Hemant Agrawal
2019-10-30 6:57 ` [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size Hemant Agrawal
2019-10-30 8:57 ` [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-30 13:08 ` Ananyev, Konstantin
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Hemant Agrawal
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-10-31 10:21 ` Ananyev, Konstantin
2019-10-31 4:54 ` [dpdk-dev] [PATCH v4 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-10-31 6:29 ` [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size Anoob Joseph
2019-10-31 7:30 ` Hemant Agrawal
2019-10-31 10:20 ` Ananyev, Konstantin
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 " Hemant Agrawal
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-05 22:01 ` Akhil Goyal
2019-11-06 5:16 ` Hemant Agrawal
2019-10-31 13:15 ` [dpdk-dev] [PATCH v5 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-05 22:07 ` Akhil Goyal
2019-11-06 5:16 ` Hemant Agrawal
2019-11-01 6:16 ` [dpdk-dev] [EXT] [PATCH v5 1/3] security: add anti replay window size Anoob Joseph
2019-11-01 9:48 ` Hemant Agrawal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 " Hemant Agrawal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz Hemant Agrawal
2019-11-06 7:00 ` Akhil Goyal
2019-11-06 13:31 ` Ananyev, Konstantin
2019-11-06 13:40 ` Akhil Goyal
2019-11-06 14:27 ` Ananyev, Konstantin
2019-11-06 14:29 ` Akhil Goyal
2019-11-06 6:54 ` [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config Hemant Agrawal
2019-11-06 7:02 ` Akhil Goyal
2019-11-06 13:15 ` [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size Akhil Goyal