| Message ID | 20191106065414.4311-2-hemant.agrawal@nxp.com |
|---|---|
| State | Accepted |
| Commit | 0f56ca1aaeebfb94d68bad085f7b298f9c2c0b07 |
| Headers | show |
| Series | [v6,1/3] security: add anti replay window size | expand |
Hi Konstantin, I had requested some changes in v5 which are there in this patch. Could you please review this again? I plan to merge it today. Thanks, Akhil > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > The relaved tests,app are also update to reflect > the usages. > > Note that esn and anti-replay fileds were earlier used > only for ipsec library, they were enabling the libipsec > by default. With this change esn and anti-replay setting > will not automatically enabled libipsec. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > examples/ipsec-secgw/ipsec.c | 4 ++++ > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 9 files changed, 15 insertions(+), 18 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > /* setup tunnel related fields */ > prm->tun.hdr_len = sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > index dcae08002..0504a3443 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -369,10 +369,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > -* security: A new field ''replay_win_sz'' has been added to the structure > +* security: The field ''replay_win_sz'' has been moved from ipsec library > + based ''rte_ipsec_sa_prm'' structure to security library based structure > ``rte_security_ipsec_xform``, which specify the Anti replay window size > to enable sequence replay attack handling. > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > index b12936470..3b5aaf683 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > printf("librte_ipsec usage: %s\n", > (prm->enable == 0) ? "disabled" : "enabled"); > > - if (prm->enable == 0) > - return; > - > printf("replay window size: %u\n", prm->window_size); > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > printf("SA flags: %#" PRIx64 "\n", prm->flags); > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > app_sa_prm.enable = 1; > break; > case 'w': > - app_sa_prm.enable = 1; > app_sa_prm.window_size = parse_decimal(optarg); > break; > case 'e': > - app_sa_prm.enable = 1; > app_sa_prm.enable_esn = 1; > break; > case 'a': > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d7761e966..d4b57121a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; > + ipsec->options.esn = app_sa_prm.enable_esn; > } > > int > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > struct ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (IS_TUNNEL(sa->flags)) ? > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct > ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (sa->flags == IP4_TUNNEL || > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a8dee342e..4605a3a6c 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1
Hi guys, > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > The relaved tests,app are also update to reflect > the usages. > > Note that esn and anti-replay fileds were earlier used > only for ipsec library, they were enabling the libipsec > by default. With this change esn and anti-replay setting > will not automatically enabled libipsec. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > examples/ipsec-secgw/ipsec.c | 4 ++++ > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 9 files changed, 15 insertions(+), 18 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > /* setup tunnel related fields */ > prm->tun.hdr_len = sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst > index dcae08002..0504a3443 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -369,10 +369,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > -* security: A new field ''replay_win_sz'' has been added to the structure > +* security: The field ''replay_win_sz'' has been moved from ipsec library > + based ''rte_ipsec_sa_prm'' structure to security library based structure > ``rte_security_ipsec_xform``, which specify the Anti replay window size > to enable sequence replay attack handling. > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c > index b12936470..3b5aaf683 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > printf("librte_ipsec usage: %s\n", > (prm->enable == 0) ? "disabled" : "enabled"); > > - if (prm->enable == 0) > - return; > - > printf("replay window size: %u\n", prm->window_size); > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > printf("SA flags: %#" PRIx64 "\n", prm->flags); > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > app_sa_prm.enable = 1; > break; > case 'w': > - app_sa_prm.enable = 1; That actually will break lib-mode functional tests at: examples/ipsec-secgw/test/ Due to my laziness I enabled in them library mode via '-w' option, as that moment legacy mode didn't support replay window... As these patches already applied, I'll send the fix in a new one in next few. > app_sa_prm.window_size = parse_decimal(optarg); > break; > case 'e': > - app_sa_prm.enable = 1; > app_sa_prm.enable_esn = 1; > break; > case 'a': > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index d7761e966..d4b57121a 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; > + ipsec->options.esn = app_sa_prm.enable_esn; Ok, but what to do for the devices that don't support esn or replay_win_sz? Should we add some check? Either to the app, or preferably into rte_security level at rte_security_session_create()? > } > > int > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (IS_TUNNEL(sa->flags)) ? > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, > .spi = sa->spi, > .salt = sa->salt, > .options = { 0 }, > + .replay_win_sz = 0, > .direction = sa->direction, > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > .mode = (sa->flags == IP4_TUNNEL || > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index a8dee342e..4605a3a6c 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1
Hi Konstantin, > > Hi guys, > > > The rte_security lib has introduced replay_win_sz, > > so it can be removed from the rte_ipsec lib. > > > > The relaved tests,app are also update to reflect > > the usages. > > > > Note that esn and anti-replay fileds were earlier used > > only for ipsec library, they were enabling the libipsec > > by default. With this change esn and anti-replay setting > > will not automatically enabled libipsec. > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > --- > > app/test/test_ipsec.c | 2 +- > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > examples/ipsec-secgw/sa.c | 2 +- > > lib/librte_ipsec/Makefile | 2 +- > > lib/librte_ipsec/meson.build | 1 + > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > lib/librte_ipsec/sa.c | 4 ++-- > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > index 4007eff19..7dc83fee7 100644 > > --- a/app/test/test_ipsec.c > > +++ b/app/test/test_ipsec.c > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > > > prm->userdata = 1; > > prm->flags = flags; > > - prm->replay_win_sz = replay_win_sz; > > > > /* setup ipsec xform */ > > prm->ipsec_xform = ut_params->ipsec_xform; > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > /* setup tunnel related fields */ > > prm->tun.hdr_len = sizeof(ipv4_outer); > > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > > index dcae08002..0504a3443 100644 > > --- a/doc/guides/rel_notes/release_19_11.rst > > +++ b/doc/guides/rel_notes/release_19_11.rst > > @@ -369,10 +369,13 @@ ABI Changes > > align the Ethernet header on receive and all known encapsulations > > preserve the alignment of the header. > > > > -* security: A new field ''replay_win_sz'' has been added to the structure > > +* security: The field ''replay_win_sz'' has been moved from ipsec library > > + based ''rte_ipsec_sa_prm'' structure to security library based structure > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > to enable sequence replay attack handling. > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > Shared Library Versions > > ----------------------- > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > incremented in this version. > > librte_gso.so.1 > > librte_hash.so.2 > > librte_ip_frag.so.1 > > - librte_ipsec.so.1 > > + + librte_ipsec.so.2 > > librte_jobstats.so.1 > > librte_kni.so.2 > > librte_kvargs.so.1 > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > secgw/ipsec-secgw.c > > index b12936470..3b5aaf683 100644 > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > > printf("librte_ipsec usage: %s\n", > > (prm->enable == 0) ? "disabled" : "enabled"); > > > > - if (prm->enable == 0) > > - return; > > - > > printf("replay window size: %u\n", prm->window_size); > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > > printf("SA flags: %#" PRIx64 "\n", prm->flags); > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > app_sa_prm.enable = 1; > > break; > > case 'w': > > - app_sa_prm.enable = 1; > > That actually will break lib-mode functional tests at: > examples/ipsec-secgw/test/ > Due to my laziness I enabled in them library mode via '-w' option, > as that moment legacy mode didn't support replay window... > As these patches already applied, I'll send the fix in a new one in next few. No issues, I will squash your changes with the original patch as it is not applied On master. > > > app_sa_prm.window_size = parse_decimal(optarg); > > break; > > case 'e': > > - app_sa_prm.enable = 1; > > app_sa_prm.enable_esn = 1; > > break; > > case 'a': > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > > index d7761e966..d4b57121a 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > > /* TODO support for Transport */ > > } > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > + ipsec->options.esn = app_sa_prm.enable_esn; > > Ok, but what to do for the devices that don't support esn or replay_win_sz? > Should we add some check? Either to the app, or preferably into rte_security > level at rte_security_session_create()? Ideally app should check the capability of the device before setting it. > > } > > > > int > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > struct ipsec_sa *sa, > > .spi = sa->spi, > > .salt = sa->salt, > > .options = { 0 }, > > + .replay_win_sz = 0, > > .direction = sa->direction, > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = (IS_TUNNEL(sa->flags)) ? > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, > struct ipsec_sa *sa, > > .spi = sa->spi, > > .salt = sa->salt, > > .options = { 0 }, > > + .replay_win_sz = 0, > > .direction = sa->direction, > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > .mode = (sa->flags == IP4_TUNNEL || > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > index a8dee342e..4605a3a6c 100644 > > --- a/examples/ipsec-secgw/sa.c > > +++ b/examples/ipsec-secgw/sa.c > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm > *prm, > > > > prm->flags = app_prm->flags; > > prm->ipsec_xform.options.esn = app_prm->enable_esn; > > - prm->replay_win_sz = app_prm->window_size; > > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > > } > > > > static int > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > > index 81fb99980..161ea9e3d 100644 > > --- a/lib/librte_ipsec/Makefile > > +++ b/lib/librte_ipsec/Makefile > > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > > > EXPORT_MAP := rte_ipsec_version.map > > > > -LIBABIVER := 1 > > +LIBABIVER := 2 > > > > # all source are stored in SRCS-y > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > > index 70358526b..e8604dadd 100644 > > --- a/lib/librte_ipsec/meson.build > > +++ b/lib/librte_ipsec/meson.build > > @@ -1,6 +1,7 @@ > > # SPDX-License-Identifier: BSD-3-Clause > > # Copyright(c) 2018 Intel Corporation > > > > +version = 2 > > allow_experimental_apis = true > > > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > > index 47ce169d2..1cfde5874 100644 > > --- a/lib/librte_ipsec/rte_ipsec_sa.h > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > > uint8_t proto; /**< next header protocol */ > > } trs; /**< transport mode related parameters */ > > }; > > - > > - /** > > - * window size to enable sequence replay attack handling. > > - * replay checking is disabled if the window size is 0. > > - */ > > - uint32_t replay_win_sz; > > }; > > > > /** > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > > index 23d394b46..6f1d92c3c 100644 > > --- a/lib/librte_ipsec/sa.c > > +++ b/lib/librte_ipsec/sa.c > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > > return rc; > > > > /* determine required size */ > > - wsz = prm->replay_win_sz; > > + wsz = prm->ipsec_xform.replay_win_sz; > > return ipsec_sa_size(type, &wsz, &nb); > > } > > > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > rte_ipsec_sa_prm *prm, > > return rc; > > > > /* determine required size */ > > - wsz = prm->replay_win_sz; > > + wsz = prm->ipsec_xform.replay_win_sz; > > sz = ipsec_sa_size(type, &wsz, &nb); > > if (sz < 0) > > return sz; > > -- > > 2.17.1
> > > The rte_security lib has introduced replay_win_sz, > > > so it can be removed from the rte_ipsec lib. > > > > > > The relaved tests,app are also update to reflect > > > the usages. > > > > > > Note that esn and anti-replay fileds were earlier used > > > only for ipsec library, they were enabling the libipsec > > > by default. With this change esn and anti-replay setting > > > will not automatically enabled libipsec. > > > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > > --- > > > app/test/test_ipsec.c | 2 +- > > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > > examples/ipsec-secgw/sa.c | 2 +- > > > lib/librte_ipsec/Makefile | 2 +- > > > lib/librte_ipsec/meson.build | 1 + > > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > > lib/librte_ipsec/sa.c | 4 ++-- > > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > > index 4007eff19..7dc83fee7 100644 > > > --- a/app/test/test_ipsec.c > > > +++ b/app/test/test_ipsec.c > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > > flags) > > > > > > prm->userdata = 1; > > > prm->flags = flags; > > > - prm->replay_win_sz = replay_win_sz; > > > > > > /* setup ipsec xform */ > > > prm->ipsec_xform = ut_params->ipsec_xform; > > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > > > /* setup tunnel related fields */ > > > prm->tun.hdr_len = sizeof(ipv4_outer); > > > diff --git a/doc/guides/rel_notes/release_19_11.rst > > b/doc/guides/rel_notes/release_19_11.rst > > > index dcae08002..0504a3443 100644 > > > --- a/doc/guides/rel_notes/release_19_11.rst > > > +++ b/doc/guides/rel_notes/release_19_11.rst > > > @@ -369,10 +369,13 @@ ABI Changes > > > align the Ethernet header on receive and all known encapsulations > > > preserve the alignment of the header. > > > > > > -* security: A new field ''replay_win_sz'' has been added to the structure > > > +* security: The field ''replay_win_sz'' has been moved from ipsec library > > > + based ''rte_ipsec_sa_prm'' structure to security library based structure > > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > > to enable sequence replay attack handling. > > > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > > > Shared Library Versions > > > ----------------------- > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > > incremented in this version. > > > librte_gso.so.1 > > > librte_hash.so.2 > > > librte_ip_frag.so.1 > > > - librte_ipsec.so.1 > > > + + librte_ipsec.so.2 > > > librte_jobstats.so.1 > > > librte_kni.so.2 > > > librte_kvargs.so.1 > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > secgw/ipsec-secgw.c > > > index b12936470..3b5aaf683 100644 > > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) > > > printf("librte_ipsec usage: %s\n", > > > (prm->enable == 0) ? "disabled" : "enabled"); > > > > > > - if (prm->enable == 0) > > > - return; > > > - > > > printf("replay window size: %u\n", prm->window_size); > > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > > > printf("SA flags: %#" PRIx64 "\n", prm->flags); > > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > > app_sa_prm.enable = 1; > > > break; > > > case 'w': > > > - app_sa_prm.enable = 1; > > > > That actually will break lib-mode functional tests at: > > examples/ipsec-secgw/test/ > > Due to my laziness I enabled in them library mode via '-w' option, > > as that moment legacy mode didn't support replay window... > > As these patches already applied, I'll send the fix in a new one in next few. > > No issues, I will squash your changes with the original patch as it is not applied > On master. Ok, thanks. Patch at: http://patches.dpdk.org/patch/62540/ > > > > > > app_sa_prm.window_size = parse_decimal(optarg); > > > break; > > > case 'e': > > > - app_sa_prm.enable = 1; > > > app_sa_prm.enable_esn = 1; > > > break; > > > case 'a': > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > > > index d7761e966..d4b57121a 100644 > > > --- a/examples/ipsec-secgw/ipsec.c > > > +++ b/examples/ipsec-secgw/ipsec.c > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > > /* TODO support for Transport */ > > > } > > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > > + ipsec->options.esn = app_sa_prm.enable_esn; > > > > Ok, but what to do for the devices that don't support esn or replay_win_sz? > > Should we add some check? Either to the app, or preferably into rte_security > > level at rte_security_session_create()? > > Ideally app should check the capability of the device before setting it. Yes... after another thought - as right now we do create session at run-time, probably we need to check these device capabilities at init stage and report an error. Konstantin > > > > > } > > > > > > int > > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, > > struct ipsec_sa *sa, > > > .spi = sa->spi, > > > .salt = sa->salt, > > > .options = { 0 }, > > > + .replay_win_sz = 0, > > > .direction = sa->direction, > > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > > .mode = (IS_TUNNEL(sa->flags)) ? > > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, > > struct ipsec_sa *sa, > > > .spi = sa->spi, > > > .salt = sa->salt, > > > .options = { 0 }, > > > + .replay_win_sz = 0, > > > .direction = sa->direction, > > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, > > > .mode = (sa->flags == IP4_TUNNEL || > > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > > index a8dee342e..4605a3a6c 100644 > > > --- a/examples/ipsec-secgw/sa.c > > > +++ b/examples/ipsec-secgw/sa.c > > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm > > *prm, > > > > > > prm->flags = app_prm->flags; > > > prm->ipsec_xform.options.esn = app_prm->enable_esn; > > > - prm->replay_win_sz = app_prm->window_size; > > > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > > > } > > > > > > static int > > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > > > index 81fb99980..161ea9e3d 100644 > > > --- a/lib/librte_ipsec/Makefile > > > +++ b/lib/librte_ipsec/Makefile > > > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > > > > > EXPORT_MAP := rte_ipsec_version.map > > > > > > -LIBABIVER := 1 > > > +LIBABIVER := 2 > > > > > > # all source are stored in SRCS-y > > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > > > index 70358526b..e8604dadd 100644 > > > --- a/lib/librte_ipsec/meson.build > > > +++ b/lib/librte_ipsec/meson.build > > > @@ -1,6 +1,7 @@ > > > # SPDX-License-Identifier: BSD-3-Clause > > > # Copyright(c) 2018 Intel Corporation > > > > > > +version = 2 > > > allow_experimental_apis = true > > > > > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > > > index 47ce169d2..1cfde5874 100644 > > > --- a/lib/librte_ipsec/rte_ipsec_sa.h > > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > > > uint8_t proto; /**< next header protocol */ > > > } trs; /**< transport mode related parameters */ > > > }; > > > - > > > - /** > > > - * window size to enable sequence replay attack handling. > > > - * replay checking is disabled if the window size is 0. > > > - */ > > > - uint32_t replay_win_sz; > > > }; > > > > > > /** > > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > > > index 23d394b46..6f1d92c3c 100644 > > > --- a/lib/librte_ipsec/sa.c > > > +++ b/lib/librte_ipsec/sa.c > > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > > > return rc; > > > > > > /* determine required size */ > > > - wsz = prm->replay_win_sz; > > > + wsz = prm->ipsec_xform.replay_win_sz; > > > return ipsec_sa_size(type, &wsz, &nb); > > > } > > > > > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > > rte_ipsec_sa_prm *prm, > > > return rc; > > > > > > /* determine required size */ > > > - wsz = prm->replay_win_sz; > > > + wsz = prm->ipsec_xform.replay_win_sz; > > > sz = ipsec_sa_size(type, &wsz, &nb); > > > if (sz < 0) > > > return sz; > > > -- > > > 2.17.1
> > > > > The rte_security lib has introduced replay_win_sz, > > > > so it can be removed from the rte_ipsec lib. > > > > > > > > The relaved tests,app are also update to reflect > > > > the usages. > > > > > > > > Note that esn and anti-replay fileds were earlier used > > > > only for ipsec library, they were enabling the libipsec > > > > by default. With this change esn and anti-replay setting > > > > will not automatically enabled libipsec. > > > > > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > > > --- > > > > app/test/test_ipsec.c | 2 +- > > > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > > > examples/ipsec-secgw/ipsec-secgw.c | 5 ----- > > > > examples/ipsec-secgw/ipsec.c | 4 ++++ > > > > examples/ipsec-secgw/sa.c | 2 +- > > > > lib/librte_ipsec/Makefile | 2 +- > > > > lib/librte_ipsec/meson.build | 1 + > > > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > > > lib/librte_ipsec/sa.c | 4 ++-- > > > > 9 files changed, 15 insertions(+), 18 deletions(-) > > > > > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > > > > index 4007eff19..7dc83fee7 100644 > > > > --- a/app/test/test_ipsec.c > > > > +++ b/app/test/test_ipsec.c > > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, > uint64_t > > > flags) > > > > > > > > prm->userdata = 1; > > > > prm->flags = flags; > > > > - prm->replay_win_sz = replay_win_sz; > > > > > > > > /* setup ipsec xform */ > > > > prm->ipsec_xform = ut_params->ipsec_xform; > > > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > > > > > /* setup tunnel related fields */ > > > > prm->tun.hdr_len = sizeof(ipv4_outer); > > > > diff --git a/doc/guides/rel_notes/release_19_11.rst > > > b/doc/guides/rel_notes/release_19_11.rst > > > > index dcae08002..0504a3443 100644 > > > > --- a/doc/guides/rel_notes/release_19_11.rst > > > > +++ b/doc/guides/rel_notes/release_19_11.rst > > > > @@ -369,10 +369,13 @@ ABI Changes > > > > align the Ethernet header on receive and all known encapsulations > > > > preserve the alignment of the header. > > > > > > > > -* security: A new field ''replay_win_sz'' has been added to the structure > > > > +* security: The field ''replay_win_sz'' has been moved from ipsec library > > > > + based ''rte_ipsec_sa_prm'' structure to security library based structure > > > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > > > to enable sequence replay attack handling. > > > > > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > > > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > > > > > Shared Library Versions > > > > ----------------------- > > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were > > > incremented in this version. > > > > librte_gso.so.1 > > > > librte_hash.so.2 > > > > librte_ip_frag.so.1 > > > > - librte_ipsec.so.1 > > > > + + librte_ipsec.so.2 > > > > librte_jobstats.so.1 > > > > librte_kni.so.2 > > > > librte_kvargs.so.1 > > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec- > > > secgw/ipsec-secgw.c > > > > index b12936470..3b5aaf683 100644 > > > > --- a/examples/ipsec-secgw/ipsec-secgw.c > > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c > > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm > *prm) > > > > printf("librte_ipsec usage: %s\n", > > > > (prm->enable == 0) ? "disabled" : "enabled"); > > > > > > > > - if (prm->enable == 0) > > > > - return; > > > > - > > > > printf("replay window size: %u\n", prm->window_size); > > > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); > > > > printf("SA flags: %#" PRIx64 "\n", prm->flags); > > > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) > > > > app_sa_prm.enable = 1; > > > > break; > > > > case 'w': > > > > - app_sa_prm.enable = 1; > > > > > > That actually will break lib-mode functional tests at: > > > examples/ipsec-secgw/test/ > > > Due to my laziness I enabled in them library mode via '-w' option, > > > as that moment legacy mode didn't support replay window... > > > As these patches already applied, I'll send the fix in a new one in next few. > > > > No issues, I will squash your changes with the original patch as it is not applied > > On master. > > Ok, thanks. > Patch at: > http://patches.dpdk.org/patch/62540/ Removed the fixes line for this patch. Rebased the tree so that script patch is just after this patch. Applied > > > > > > > > > > app_sa_prm.window_size = parse_decimal(optarg); > > > > break; > > > > case 'e': > > > > - app_sa_prm.enable = 1; > > > > app_sa_prm.enable_esn = 1; > > > > break; > > > > case 'a': > > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > > > > index d7761e966..d4b57121a 100644 > > > > --- a/examples/ipsec-secgw/ipsec.c > > > > +++ b/examples/ipsec-secgw/ipsec.c > > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > > rte_security_ipsec_xform *ipsec) > > > > /* TODO support for Transport */ > > > > } > > > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > > > + ipsec->options.esn = app_sa_prm.enable_esn; > > > > > > Ok, but what to do for the devices that don't support esn or replay_win_sz? > > > Should we add some check? Either to the app, or preferably into rte_security > > > level at rte_security_session_create()? > > > > Ideally app should check the capability of the device before setting it. > > Yes... after another thought - as right now we do create session at run-time, > probably we need to check these device capabilities at init stage and report an > error. Agreed
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index dcae08002..0504a3443 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -369,10 +369,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index b12936470..3b5aaf683 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) printf("librte_ipsec usage: %s\n", (prm->enable == 0) ? "disabled" : "enabled"); - if (prm->enable == 0) - return; - printf("replay window size: %u\n", prm->window_size); printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); printf("SA flags: %#" PRIx64 "\n", prm->flags); @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) app_sa_prm.enable = 1; break; case 'w': - app_sa_prm.enable = 1; app_sa_prm.window_size = parse_decimal(optarg); break; case 'e': - app_sa_prm.enable = 1; app_sa_prm.enable_esn = 1; break; case 'a': diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index d7761e966..d4b57121a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; + ipsec->options.esn = app_sa_prm.enable_esn; } int @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, .spi = sa->spi, .salt = sa->salt, .options = { 0 }, + .replay_win_sz = 0, .direction = sa->direction, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = (IS_TUNNEL(sa->flags)) ? @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, .spi = sa->spi, .salt = sa->salt, .options = { 0 }, + .replay_win_sz = 0, .direction = sa->direction, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = (sa->flags == IP4_TUNNEL || diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index a8dee342e..4605a3a6c 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz;