From patchwork Thu Oct 31 04:54:56 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hemant Agrawal <hemant.agrawal@nxp.com>
X-Patchwork-Id: 178135
Delivered-To: patch@linaro.org
Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp2279855ill;
 Wed, 30 Oct 2019 21:58:05 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzVOUdvxmwBvUG15w3tjOuLYPkLkYLQ8zRLggqi2ydJM87wr7rabJmVambVN1M4Q7L2TUD1
X-Received: by 2002:aa7:d281:: with SMTP id w1mr3700750edq.154.1572497885351; 
 Wed, 30 Oct 2019 21:58:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572497885; cv=none;
 d=google.com; s=arc-20160816;
 b=QegX6rqliSVppOfRsYLHcLSHQMwnKvSM4tj2WFhzsz1sSsHeO8eXVvh1OpFMcnQLqK
 fvhdj4N9hOK6XGdLnv1KBpngPAJgzJo+aXKChpTuPGkrrz9oFTjL82FLZtYJEtCzIK5C
 v/y26uwXqbP4Y0/WXnBL8Xz8jx0H3AS61cGnM+Mdtzb3qWt2P4OR1b4ANVa/ScNClD+l
 a1t+CFCnk+K4NJjrohgXPbTh6m9I8tfXVL/p1l82U+1sbPLLxKQcgOoM26PuDT0stPxt
 vgr7cLomOfGpnPY7TfLWafN/jP96mPTN7+dbhNsWTaQHq8Cko3HWWR6P3D2qMa/glhKM
 5WcA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:subject:references:in-reply-to
 :message-id:date:cc:to:from;
 bh=YU2BxtTodu4sd9SMdgfQ+RXg7rvfdMfMQXWV8ECbxf0=;
 b=0GvkTjCnsKwlzs2xnL1fcQ9TWQ9ac2kFS9eLvvdlisQZVYmGQ296RH6v8Tz1txuv1P
 fA2w9xe6NJoStMF5LAOu/8r3ro3q7cM47VzyUHADtuqjTHOMfdbEPtJ1g2QnDdjreKDk
 wGorMnKibdYCPOS24yz9Hbil5Sf9MhPNI99xpzObJ57pkOQrVPS4hLHVHZiA/uxhH4YI
 ORLprCRzKABqxC6Mi4B+5yr8op3NEm+d1ccwhsIXyLK+UVtrUIAQ4nvW2U5JzWFQjUOv
 NybCBW5m0DZNVSoRtvnXmYlC7jUeqona6OVWBn92mTDn8rnGG9g4g4vFEke7TJ34a4ki
 RvNg==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: domain of dev-bounces@dpdk.org designates
 92.243.14.124 as permitted sender)
 smtp.mailfrom=dev-bounces@dpdk.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org. [92.243.14.124])
 by mx.google.com with ESMTP id
 bi17si3338769edb.430.2019.10.30.21.58.04; 
 Wed, 30 Oct 2019 21:58:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates
 92.243.14.124 as permitted sender) client-ip=92.243.14.124; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of dev-bounces@dpdk.org designates
 92.243.14.124 as permitted sender)
 smtp.mailfrom=dev-bounces@dpdk.org; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com
Received: from [92.243.14.124] (localhost [127.0.0.1])
 by dpdk.org (Postfix) with ESMTP id B6E0D1C19C;
 Thu, 31 Oct 2019 05:58:02 +0100 (CET)
Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13])
 by dpdk.org (Postfix) with ESMTP id CDCE41BFE4
 for <dev@dpdk.org>; Thu, 31 Oct 2019 05:58:01 +0100 (CET)
Received: from inva020.nxp.com (localhost [127.0.0.1])
 by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 37EC21A04CB;
 Thu, 31 Oct 2019 05:58:01 +0100 (CET)
Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com
 [165.114.16.14])
 by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 0A03A1A02EF;
 Thu, 31 Oct 2019 05:57:59 +0100 (CET)
Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net
 [10.232.133.63])
 by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 290F8402E2;
 Thu, 31 Oct 2019 12:57:56 +0800 (SGT)
From: Hemant Agrawal <hemant.agrawal@nxp.com>
To: dev@dpdk.org,
	akhil.goyal@nxp.com
Cc: konstantin.ananyev@intel.com,
	Hemant Agrawal <hemant.agrawal@nxp.com>
Date: Thu, 31 Oct 2019 10:24:56 +0530
Message-Id: <20191031045458.29166-1-hemant.agrawal@nxp.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20191030085701.13815-1-hemant.agrawal@nxp.com>
References: <20191030085701.13815-1-hemant.agrawal@nxp.com>
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: [dpdk-dev] [PATCH v4 1/3] security: add anti replay window size
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 doc/guides/rel_notes/release_19_11.rst | 6 +++++-
 lib/librte_security/Makefile           | 2 +-
 lib/librte_security/meson.build        | 2 +-
 lib/librte_security/rte_security.h     | 4 ++++
 4 files changed, 11 insertions(+), 3 deletions(-)

-- 
2.17.1
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
index ae8e7b2f0..0508ec545 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -365,6 +365,10 @@ ABI Changes
   align the Ethernet header on receive and all known encapsulations
   preserve the alignment of the header.
 
+* security: A new field ''replay_win_sz'' has been added to the structure
+  ``rte_security_ipsec_xform``, which specify the Anti replay window size
+  to enable sequence replay attack handling.
+
 
 Shared Library Versions
 -----------------------
@@ -437,7 +441,7 @@ The libraries prepended with a plus sign were incremented in this version.
      librte_reorder.so.1
      librte_ring.so.2
    + librte_sched.so.4
-     librte_security.so.2
+   + librte_security.so.3
      librte_stack.so.1
      librte_table.so.3
      librte_timer.so.1
diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
index 6708effdb..6a268ee2a 100644
--- a/lib/librte_security/Makefile
+++ b/lib/librte_security/Makefile
@@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk
 LIB = librte_security.a
 
 # library version
-LIBABIVER := 2
+LIBABIVER := 3
 
 # build flags
 CFLAGS += -O3
diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
index a5130d2f6..6fed01273 100644
--- a/lib/librte_security/meson.build
+++ b/lib/librte_security/meson.build
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright(c) 2017-2019 Intel Corporation
 
-version = 2
+version = 3
 sources = files('rte_security.c')
 headers = files('rte_security.h', 'rte_security_driver.h')
 deps += ['mempool', 'cryptodev']
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfcd7..195ad5645 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
 	/**< Tunnel parameters, NULL for transport mode */
 	uint64_t esn_soft_limit;
 	/**< ESN for which the overflow event need to be raised */
+	uint32_t replay_win_sz;
+	/**< Anti replay window size to enable sequence replay attack handling.
+	 * replay checking is disabled if the window size is 0.
+	 */
 };
 
 /**