[v6,2/3] ipsec: remove redundant replay_win_sz
Checks
Commit Message
The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.
The relaved tests,app are also update to reflect
the usages.
Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
app/test/test_ipsec.c | 2 +-
doc/guides/rel_notes/release_19_11.rst | 7 +++++--
examples/ipsec-secgw/ipsec-secgw.c | 5 -----
examples/ipsec-secgw/ipsec.c | 4 ++++
examples/ipsec-secgw/sa.c | 2 +-
lib/librte_ipsec/Makefile | 2 +-
lib/librte_ipsec/meson.build | 1 +
lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
lib/librte_ipsec/sa.c | 4 ++--
9 files changed, 15 insertions(+), 18 deletions(-)
Comments
Hi Konstantin,
I had requested some changes in v5 which are there in this patch.
Could you please review this again? I plan to merge it today.
Thanks,
Akhil
> The rte_security lib has introduced replay_win_sz,
> so it can be removed from the rte_ipsec lib.
>
> The relaved tests,app are also update to reflect
> the usages.
>
> Note that esn and anti-replay fileds were earlier used
> only for ipsec library, they were enabling the libipsec
> by default. With this change esn and anti-replay setting
> will not automatically enabled libipsec.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
> app/test/test_ipsec.c | 2 +-
> doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> examples/ipsec-secgw/ipsec-secgw.c | 5 -----
> examples/ipsec-secgw/ipsec.c | 4 ++++
> examples/ipsec-secgw/sa.c | 2 +-
> lib/librte_ipsec/Makefile | 2 +-
> lib/librte_ipsec/meson.build | 1 +
> lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
> lib/librte_ipsec/sa.c | 4 ++--
> 9 files changed, 15 insertions(+), 18 deletions(-)
>
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 4007eff19..7dc83fee7 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t
> flags)
>
> prm->userdata = 1;
> prm->flags = flags;
> - prm->replay_win_sz = replay_win_sz;
>
> /* setup ipsec xform */
> prm->ipsec_xform = ut_params->ipsec_xform;
> prm->ipsec_xform.salt = (uint32_t)rte_rand();
> + prm->ipsec_xform.replay_win_sz = replay_win_sz;
>
> /* setup tunnel related fields */
> prm->tun.hdr_len = sizeof(ipv4_outer);
> diff --git a/doc/guides/rel_notes/release_19_11.rst
> b/doc/guides/rel_notes/release_19_11.rst
> index dcae08002..0504a3443 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -369,10 +369,13 @@ ABI Changes
> align the Ethernet header on receive and all known encapsulations
> preserve the alignment of the header.
>
> -* security: A new field ''replay_win_sz'' has been added to the structure
> +* security: The field ''replay_win_sz'' has been moved from ipsec library
> + based ''rte_ipsec_sa_prm'' structure to security library based structure
> ``rte_security_ipsec_xform``, which specify the Anti replay window size
> to enable sequence replay attack handling.
>
> +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> + ''rte_ipsec_sa_prm'' as it has been added to the security library.
>
> Shared Library Versions
> -----------------------
> @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> incremented in this version.
> librte_gso.so.1
> librte_hash.so.2
> librte_ip_frag.so.1
> - librte_ipsec.so.1
> + + librte_ipsec.so.2
> librte_jobstats.so.1
> librte_kni.so.2
> librte_kvargs.so.1
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> secgw/ipsec-secgw.c
> index b12936470..3b5aaf683 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
> printf("librte_ipsec usage: %s\n",
> (prm->enable == 0) ? "disabled" : "enabled");
>
> - if (prm->enable == 0)
> - return;
> -
> printf("replay window size: %u\n", prm->window_size);
> printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> printf("SA flags: %#" PRIx64 "\n", prm->flags);
> @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> app_sa_prm.enable = 1;
> break;
> case 'w':
> - app_sa_prm.enable = 1;
> app_sa_prm.window_size = parse_decimal(optarg);
> break;
> case 'e':
> - app_sa_prm.enable = 1;
> app_sa_prm.enable_esn = 1;
> break;
> case 'a':
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index d7761e966..d4b57121a 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> rte_security_ipsec_xform *ipsec)
> /* TODO support for Transport */
> }
> ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> + ipsec->replay_win_sz = app_sa_prm.window_size;
> + ipsec->options.esn = app_sa_prm.enable_esn;
> }
>
> int
> @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
> struct ipsec_sa *sa,
> .spi = sa->spi,
> .salt = sa->salt,
> .options = { 0 },
> + .replay_win_sz = 0,
> .direction = sa->direction,
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = (IS_TUNNEL(sa->flags)) ?
> @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct
> ipsec_sa *sa,
> .spi = sa->spi,
> .salt = sa->salt,
> .options = { 0 },
> + .replay_win_sz = 0,
> .direction = sa->direction,
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = (sa->flags == IP4_TUNNEL ||
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index a8dee342e..4605a3a6c 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm,
>
> prm->flags = app_prm->flags;
> prm->ipsec_xform.options.esn = app_prm->enable_esn;
> - prm->replay_win_sz = app_prm->window_size;
> + prm->ipsec_xform.replay_win_sz = app_prm->window_size;
> }
>
> static int
> diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> index 81fb99980..161ea9e3d 100644
> --- a/lib/librte_ipsec/Makefile
> +++ b/lib/librte_ipsec/Makefile
> @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
>
> EXPORT_MAP := rte_ipsec_version.map
>
> -LIBABIVER := 1
> +LIBABIVER := 2
>
> # all source are stored in SRCS-y
> SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
> diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> index 70358526b..e8604dadd 100644
> --- a/lib/librte_ipsec/meson.build
> +++ b/lib/librte_ipsec/meson.build
> @@ -1,6 +1,7 @@
> # SPDX-License-Identifier: BSD-3-Clause
> # Copyright(c) 2018 Intel Corporation
>
> +version = 2
> allow_experimental_apis = true
>
> sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
> diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> index 47ce169d2..1cfde5874 100644
> --- a/lib/librte_ipsec/rte_ipsec_sa.h
> +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
> uint8_t proto; /**< next header protocol */
> } trs; /**< transport mode related parameters */
> };
> -
> - /**
> - * window size to enable sequence replay attack handling.
> - * replay checking is disabled if the window size is 0.
> - */
> - uint32_t replay_win_sz;
> };
>
> /**
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index 23d394b46..6f1d92c3c 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
> return rc;
>
> /* determine required size */
> - wsz = prm->replay_win_sz;
> + wsz = prm->ipsec_xform.replay_win_sz;
> return ipsec_sa_size(type, &wsz, &nb);
> }
>
> @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct
> rte_ipsec_sa_prm *prm,
> return rc;
>
> /* determine required size */
> - wsz = prm->replay_win_sz;
> + wsz = prm->ipsec_xform.replay_win_sz;
> sz = ipsec_sa_size(type, &wsz, &nb);
> if (sz < 0)
> return sz;
> --
> 2.17.1
Hi guys,
> The rte_security lib has introduced replay_win_sz,
> so it can be removed from the rte_ipsec lib.
>
> The relaved tests,app are also update to reflect
> the usages.
>
> Note that esn and anti-replay fileds were earlier used
> only for ipsec library, they were enabling the libipsec
> by default. With this change esn and anti-replay setting
> will not automatically enabled libipsec.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
> app/test/test_ipsec.c | 2 +-
> doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> examples/ipsec-secgw/ipsec-secgw.c | 5 -----
> examples/ipsec-secgw/ipsec.c | 4 ++++
> examples/ipsec-secgw/sa.c | 2 +-
> lib/librte_ipsec/Makefile | 2 +-
> lib/librte_ipsec/meson.build | 1 +
> lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
> lib/librte_ipsec/sa.c | 4 ++--
> 9 files changed, 15 insertions(+), 18 deletions(-)
>
> diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> index 4007eff19..7dc83fee7 100644
> --- a/app/test/test_ipsec.c
> +++ b/app/test/test_ipsec.c
> @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags)
>
> prm->userdata = 1;
> prm->flags = flags;
> - prm->replay_win_sz = replay_win_sz;
>
> /* setup ipsec xform */
> prm->ipsec_xform = ut_params->ipsec_xform;
> prm->ipsec_xform.salt = (uint32_t)rte_rand();
> + prm->ipsec_xform.replay_win_sz = replay_win_sz;
>
> /* setup tunnel related fields */
> prm->tun.hdr_len = sizeof(ipv4_outer);
> diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
> index dcae08002..0504a3443 100644
> --- a/doc/guides/rel_notes/release_19_11.rst
> +++ b/doc/guides/rel_notes/release_19_11.rst
> @@ -369,10 +369,13 @@ ABI Changes
> align the Ethernet header on receive and all known encapsulations
> preserve the alignment of the header.
>
> -* security: A new field ''replay_win_sz'' has been added to the structure
> +* security: The field ''replay_win_sz'' has been moved from ipsec library
> + based ''rte_ipsec_sa_prm'' structure to security library based structure
> ``rte_security_ipsec_xform``, which specify the Anti replay window size
> to enable sequence replay attack handling.
>
> +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> + ''rte_ipsec_sa_prm'' as it has been added to the security library.
>
> Shared Library Versions
> -----------------------
> @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version.
> librte_gso.so.1
> librte_hash.so.2
> librte_ip_frag.so.1
> - librte_ipsec.so.1
> + + librte_ipsec.so.2
> librte_jobstats.so.1
> librte_kni.so.2
> librte_kvargs.so.1
> diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c
> index b12936470..3b5aaf683 100644
> --- a/examples/ipsec-secgw/ipsec-secgw.c
> +++ b/examples/ipsec-secgw/ipsec-secgw.c
> @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
> printf("librte_ipsec usage: %s\n",
> (prm->enable == 0) ? "disabled" : "enabled");
>
> - if (prm->enable == 0)
> - return;
> -
> printf("replay window size: %u\n", prm->window_size);
> printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> printf("SA flags: %#" PRIx64 "\n", prm->flags);
> @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> app_sa_prm.enable = 1;
> break;
> case 'w':
> - app_sa_prm.enable = 1;
That actually will break lib-mode functional tests at:
examples/ipsec-secgw/test/
Due to my laziness I enabled in them library mode via '-w' option,
as that moment legacy mode didn't support replay window...
As these patches already applied, I'll send the fix in a new one in next few.
> app_sa_prm.window_size = parse_decimal(optarg);
> break;
> case 'e':
> - app_sa_prm.enable = 1;
> app_sa_prm.enable_esn = 1;
> break;
> case 'a':
> diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> index d7761e966..d4b57121a 100644
> --- a/examples/ipsec-secgw/ipsec.c
> +++ b/examples/ipsec-secgw/ipsec.c
> @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
> /* TODO support for Transport */
> }
> ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> + ipsec->replay_win_sz = app_sa_prm.window_size;
> + ipsec->options.esn = app_sa_prm.enable_esn;
Ok, but what to do for the devices that don't support esn or replay_win_sz?
Should we add some check? Either to the app, or preferably into rte_security
level at rte_security_session_create()?
> }
>
> int
> @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
> .spi = sa->spi,
> .salt = sa->salt,
> .options = { 0 },
> + .replay_win_sz = 0,
> .direction = sa->direction,
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = (IS_TUNNEL(sa->flags)) ?
> @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
> .spi = sa->spi,
> .salt = sa->salt,
> .options = { 0 },
> + .replay_win_sz = 0,
> .direction = sa->direction,
> .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> .mode = (sa->flags == IP4_TUNNEL ||
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index a8dee342e..4605a3a6c 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm,
>
> prm->flags = app_prm->flags;
> prm->ipsec_xform.options.esn = app_prm->enable_esn;
> - prm->replay_win_sz = app_prm->window_size;
> + prm->ipsec_xform.replay_win_sz = app_prm->window_size;
> }
>
> static int
> diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> index 81fb99980..161ea9e3d 100644
> --- a/lib/librte_ipsec/Makefile
> +++ b/lib/librte_ipsec/Makefile
> @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
>
> EXPORT_MAP := rte_ipsec_version.map
>
> -LIBABIVER := 1
> +LIBABIVER := 2
>
> # all source are stored in SRCS-y
> SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
> diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> index 70358526b..e8604dadd 100644
> --- a/lib/librte_ipsec/meson.build
> +++ b/lib/librte_ipsec/meson.build
> @@ -1,6 +1,7 @@
> # SPDX-License-Identifier: BSD-3-Clause
> # Copyright(c) 2018 Intel Corporation
>
> +version = 2
> allow_experimental_apis = true
>
> sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
> diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> index 47ce169d2..1cfde5874 100644
> --- a/lib/librte_ipsec/rte_ipsec_sa.h
> +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
> uint8_t proto; /**< next header protocol */
> } trs; /**< transport mode related parameters */
> };
> -
> - /**
> - * window size to enable sequence replay attack handling.
> - * replay checking is disabled if the window size is 0.
> - */
> - uint32_t replay_win_sz;
> };
>
> /**
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index 23d394b46..6f1d92c3c 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
> return rc;
>
> /* determine required size */
> - wsz = prm->replay_win_sz;
> + wsz = prm->ipsec_xform.replay_win_sz;
> return ipsec_sa_size(type, &wsz, &nb);
> }
>
> @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
> return rc;
>
> /* determine required size */
> - wsz = prm->replay_win_sz;
> + wsz = prm->ipsec_xform.replay_win_sz;
> sz = ipsec_sa_size(type, &wsz, &nb);
> if (sz < 0)
> return sz;
> --
> 2.17.1
Hi Konstantin,
>
> Hi guys,
>
> > The rte_security lib has introduced replay_win_sz,
> > so it can be removed from the rte_ipsec lib.
> >
> > The relaved tests,app are also update to reflect
> > the usages.
> >
> > Note that esn and anti-replay fileds were earlier used
> > only for ipsec library, they were enabling the libipsec
> > by default. With this change esn and anti-replay setting
> > will not automatically enabled libipsec.
> >
> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
> > app/test/test_ipsec.c | 2 +-
> > doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> > examples/ipsec-secgw/ipsec-secgw.c | 5 -----
> > examples/ipsec-secgw/ipsec.c | 4 ++++
> > examples/ipsec-secgw/sa.c | 2 +-
> > lib/librte_ipsec/Makefile | 2 +-
> > lib/librte_ipsec/meson.build | 1 +
> > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
> > lib/librte_ipsec/sa.c | 4 ++--
> > 9 files changed, 15 insertions(+), 18 deletions(-)
> >
> > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> > index 4007eff19..7dc83fee7 100644
> > --- a/app/test/test_ipsec.c
> > +++ b/app/test/test_ipsec.c
> > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t
> flags)
> >
> > prm->userdata = 1;
> > prm->flags = flags;
> > - prm->replay_win_sz = replay_win_sz;
> >
> > /* setup ipsec xform */
> > prm->ipsec_xform = ut_params->ipsec_xform;
> > prm->ipsec_xform.salt = (uint32_t)rte_rand();
> > + prm->ipsec_xform.replay_win_sz = replay_win_sz;
> >
> > /* setup tunnel related fields */
> > prm->tun.hdr_len = sizeof(ipv4_outer);
> > diff --git a/doc/guides/rel_notes/release_19_11.rst
> b/doc/guides/rel_notes/release_19_11.rst
> > index dcae08002..0504a3443 100644
> > --- a/doc/guides/rel_notes/release_19_11.rst
> > +++ b/doc/guides/rel_notes/release_19_11.rst
> > @@ -369,10 +369,13 @@ ABI Changes
> > align the Ethernet header on receive and all known encapsulations
> > preserve the alignment of the header.
> >
> > -* security: A new field ''replay_win_sz'' has been added to the structure
> > +* security: The field ''replay_win_sz'' has been moved from ipsec library
> > + based ''rte_ipsec_sa_prm'' structure to security library based structure
> > ``rte_security_ipsec_xform``, which specify the Anti replay window size
> > to enable sequence replay attack handling.
> >
> > +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> > + ''rte_ipsec_sa_prm'' as it has been added to the security library.
> >
> > Shared Library Versions
> > -----------------------
> > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> incremented in this version.
> > librte_gso.so.1
> > librte_hash.so.2
> > librte_ip_frag.so.1
> > - librte_ipsec.so.1
> > + + librte_ipsec.so.2
> > librte_jobstats.so.1
> > librte_kni.so.2
> > librte_kvargs.so.1
> > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> secgw/ipsec-secgw.c
> > index b12936470..3b5aaf683 100644
> > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
> > printf("librte_ipsec usage: %s\n",
> > (prm->enable == 0) ? "disabled" : "enabled");
> >
> > - if (prm->enable == 0)
> > - return;
> > -
> > printf("replay window size: %u\n", prm->window_size);
> > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> > printf("SA flags: %#" PRIx64 "\n", prm->flags);
> > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> > app_sa_prm.enable = 1;
> > break;
> > case 'w':
> > - app_sa_prm.enable = 1;
>
> That actually will break lib-mode functional tests at:
> examples/ipsec-secgw/test/
> Due to my laziness I enabled in them library mode via '-w' option,
> as that moment legacy mode didn't support replay window...
> As these patches already applied, I'll send the fix in a new one in next few.
No issues, I will squash your changes with the original patch as it is not applied
On master.
>
> > app_sa_prm.window_size = parse_decimal(optarg);
> > break;
> > case 'e':
> > - app_sa_prm.enable = 1;
> > app_sa_prm.enable_esn = 1;
> > break;
> > case 'a':
> > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > index d7761e966..d4b57121a 100644
> > --- a/examples/ipsec-secgw/ipsec.c
> > +++ b/examples/ipsec-secgw/ipsec.c
> > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> rte_security_ipsec_xform *ipsec)
> > /* TODO support for Transport */
> > }
> > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > + ipsec->replay_win_sz = app_sa_prm.window_size;
> > + ipsec->options.esn = app_sa_prm.enable_esn;
>
> Ok, but what to do for the devices that don't support esn or replay_win_sz?
> Should we add some check? Either to the app, or preferably into rte_security
> level at rte_security_session_create()?
Ideally app should check the capability of the device before setting it.
> > }
> >
> > int
> > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
> struct ipsec_sa *sa,
> > .spi = sa->spi,
> > .salt = sa->salt,
> > .options = { 0 },
> > + .replay_win_sz = 0,
> > .direction = sa->direction,
> > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > .mode = (IS_TUNNEL(sa->flags)) ?
> > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx,
> struct ipsec_sa *sa,
> > .spi = sa->spi,
> > .salt = sa->salt,
> > .options = { 0 },
> > + .replay_win_sz = 0,
> > .direction = sa->direction,
> > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > .mode = (sa->flags == IP4_TUNNEL ||
> > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> > index a8dee342e..4605a3a6c 100644
> > --- a/examples/ipsec-secgw/sa.c
> > +++ b/examples/ipsec-secgw/sa.c
> > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm
> *prm,
> >
> > prm->flags = app_prm->flags;
> > prm->ipsec_xform.options.esn = app_prm->enable_esn;
> > - prm->replay_win_sz = app_prm->window_size;
> > + prm->ipsec_xform.replay_win_sz = app_prm->window_size;
> > }
> >
> > static int
> > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> > index 81fb99980..161ea9e3d 100644
> > --- a/lib/librte_ipsec/Makefile
> > +++ b/lib/librte_ipsec/Makefile
> > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
> >
> > EXPORT_MAP := rte_ipsec_version.map
> >
> > -LIBABIVER := 1
> > +LIBABIVER := 2
> >
> > # all source are stored in SRCS-y
> > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
> > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> > index 70358526b..e8604dadd 100644
> > --- a/lib/librte_ipsec/meson.build
> > +++ b/lib/librte_ipsec/meson.build
> > @@ -1,6 +1,7 @@
> > # SPDX-License-Identifier: BSD-3-Clause
> > # Copyright(c) 2018 Intel Corporation
> >
> > +version = 2
> > allow_experimental_apis = true
> >
> > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
> > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> > index 47ce169d2..1cfde5874 100644
> > --- a/lib/librte_ipsec/rte_ipsec_sa.h
> > +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
> > uint8_t proto; /**< next header protocol */
> > } trs; /**< transport mode related parameters */
> > };
> > -
> > - /**
> > - * window size to enable sequence replay attack handling.
> > - * replay checking is disabled if the window size is 0.
> > - */
> > - uint32_t replay_win_sz;
> > };
> >
> > /**
> > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> > index 23d394b46..6f1d92c3c 100644
> > --- a/lib/librte_ipsec/sa.c
> > +++ b/lib/librte_ipsec/sa.c
> > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
> > return rc;
> >
> > /* determine required size */
> > - wsz = prm->replay_win_sz;
> > + wsz = prm->ipsec_xform.replay_win_sz;
> > return ipsec_sa_size(type, &wsz, &nb);
> > }
> >
> > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct
> rte_ipsec_sa_prm *prm,
> > return rc;
> >
> > /* determine required size */
> > - wsz = prm->replay_win_sz;
> > + wsz = prm->ipsec_xform.replay_win_sz;
> > sz = ipsec_sa_size(type, &wsz, &nb);
> > if (sz < 0)
> > return sz;
> > --
> > 2.17.1
> > > The rte_security lib has introduced replay_win_sz,
> > > so it can be removed from the rte_ipsec lib.
> > >
> > > The relaved tests,app are also update to reflect
> > > the usages.
> > >
> > > Note that esn and anti-replay fileds were earlier used
> > > only for ipsec library, they were enabling the libipsec
> > > by default. With this change esn and anti-replay setting
> > > will not automatically enabled libipsec.
> > >
> > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > > ---
> > > app/test/test_ipsec.c | 2 +-
> > > doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> > > examples/ipsec-secgw/ipsec-secgw.c | 5 -----
> > > examples/ipsec-secgw/ipsec.c | 4 ++++
> > > examples/ipsec-secgw/sa.c | 2 +-
> > > lib/librte_ipsec/Makefile | 2 +-
> > > lib/librte_ipsec/meson.build | 1 +
> > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
> > > lib/librte_ipsec/sa.c | 4 ++--
> > > 9 files changed, 15 insertions(+), 18 deletions(-)
> > >
> > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> > > index 4007eff19..7dc83fee7 100644
> > > --- a/app/test/test_ipsec.c
> > > +++ b/app/test/test_ipsec.c
> > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t
> > flags)
> > >
> > > prm->userdata = 1;
> > > prm->flags = flags;
> > > - prm->replay_win_sz = replay_win_sz;
> > >
> > > /* setup ipsec xform */
> > > prm->ipsec_xform = ut_params->ipsec_xform;
> > > prm->ipsec_xform.salt = (uint32_t)rte_rand();
> > > + prm->ipsec_xform.replay_win_sz = replay_win_sz;
> > >
> > > /* setup tunnel related fields */
> > > prm->tun.hdr_len = sizeof(ipv4_outer);
> > > diff --git a/doc/guides/rel_notes/release_19_11.rst
> > b/doc/guides/rel_notes/release_19_11.rst
> > > index dcae08002..0504a3443 100644
> > > --- a/doc/guides/rel_notes/release_19_11.rst
> > > +++ b/doc/guides/rel_notes/release_19_11.rst
> > > @@ -369,10 +369,13 @@ ABI Changes
> > > align the Ethernet header on receive and all known encapsulations
> > > preserve the alignment of the header.
> > >
> > > -* security: A new field ''replay_win_sz'' has been added to the structure
> > > +* security: The field ''replay_win_sz'' has been moved from ipsec library
> > > + based ''rte_ipsec_sa_prm'' structure to security library based structure
> > > ``rte_security_ipsec_xform``, which specify the Anti replay window size
> > > to enable sequence replay attack handling.
> > >
> > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> > > + ''rte_ipsec_sa_prm'' as it has been added to the security library.
> > >
> > > Shared Library Versions
> > > -----------------------
> > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> > incremented in this version.
> > > librte_gso.so.1
> > > librte_hash.so.2
> > > librte_ip_frag.so.1
> > > - librte_ipsec.so.1
> > > + + librte_ipsec.so.2
> > > librte_jobstats.so.1
> > > librte_kni.so.2
> > > librte_kvargs.so.1
> > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > secgw/ipsec-secgw.c
> > > index b12936470..3b5aaf683 100644
> > > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
> > > printf("librte_ipsec usage: %s\n",
> > > (prm->enable == 0) ? "disabled" : "enabled");
> > >
> > > - if (prm->enable == 0)
> > > - return;
> > > -
> > > printf("replay window size: %u\n", prm->window_size);
> > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> > > printf("SA flags: %#" PRIx64 "\n", prm->flags);
> > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> > > app_sa_prm.enable = 1;
> > > break;
> > > case 'w':
> > > - app_sa_prm.enable = 1;
> >
> > That actually will break lib-mode functional tests at:
> > examples/ipsec-secgw/test/
> > Due to my laziness I enabled in them library mode via '-w' option,
> > as that moment legacy mode didn't support replay window...
> > As these patches already applied, I'll send the fix in a new one in next few.
>
> No issues, I will squash your changes with the original patch as it is not applied
> On master.
Ok, thanks.
Patch at:
http://patches.dpdk.org/patch/62540/
>
> >
> > > app_sa_prm.window_size = parse_decimal(optarg);
> > > break;
> > > case 'e':
> > > - app_sa_prm.enable = 1;
> > > app_sa_prm.enable_esn = 1;
> > > break;
> > > case 'a':
> > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > > index d7761e966..d4b57121a 100644
> > > --- a/examples/ipsec-secgw/ipsec.c
> > > +++ b/examples/ipsec-secgw/ipsec.c
> > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > rte_security_ipsec_xform *ipsec)
> > > /* TODO support for Transport */
> > > }
> > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > > + ipsec->replay_win_sz = app_sa_prm.window_size;
> > > + ipsec->options.esn = app_sa_prm.enable_esn;
> >
> > Ok, but what to do for the devices that don't support esn or replay_win_sz?
> > Should we add some check? Either to the app, or preferably into rte_security
> > level at rte_security_session_create()?
>
> Ideally app should check the capability of the device before setting it.
Yes... after another thought - as right now we do create session at run-time,
probably we need to check these device capabilities at init stage and report an error.
Konstantin
>
>
> > > }
> > >
> > > int
> > > @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx,
> > struct ipsec_sa *sa,
> > > .spi = sa->spi,
> > > .salt = sa->salt,
> > > .options = { 0 },
> > > + .replay_win_sz = 0,
> > > .direction = sa->direction,
> > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > > .mode = (IS_TUNNEL(sa->flags)) ?
> > > @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx,
> > struct ipsec_sa *sa,
> > > .spi = sa->spi,
> > > .salt = sa->salt,
> > > .options = { 0 },
> > > + .replay_win_sz = 0,
> > > .direction = sa->direction,
> > > .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> > > .mode = (sa->flags == IP4_TUNNEL ||
> > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> > > index a8dee342e..4605a3a6c 100644
> > > --- a/examples/ipsec-secgw/sa.c
> > > +++ b/examples/ipsec-secgw/sa.c
> > > @@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm
> > *prm,
> > >
> > > prm->flags = app_prm->flags;
> > > prm->ipsec_xform.options.esn = app_prm->enable_esn;
> > > - prm->replay_win_sz = app_prm->window_size;
> > > + prm->ipsec_xform.replay_win_sz = app_prm->window_size;
> > > }
> > >
> > > static int
> > > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile
> > > index 81fb99980..161ea9e3d 100644
> > > --- a/lib/librte_ipsec/Makefile
> > > +++ b/lib/librte_ipsec/Makefile
> > > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
> > >
> > > EXPORT_MAP := rte_ipsec_version.map
> > >
> > > -LIBABIVER := 1
> > > +LIBABIVER := 2
> > >
> > > # all source are stored in SRCS-y
> > > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
> > > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build
> > > index 70358526b..e8604dadd 100644
> > > --- a/lib/librte_ipsec/meson.build
> > > +++ b/lib/librte_ipsec/meson.build
> > > @@ -1,6 +1,7 @@
> > > # SPDX-License-Identifier: BSD-3-Clause
> > > # Copyright(c) 2018 Intel Corporation
> > >
> > > +version = 2
> > > allow_experimental_apis = true
> > >
> > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
> > > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
> > > index 47ce169d2..1cfde5874 100644
> > > --- a/lib/librte_ipsec/rte_ipsec_sa.h
> > > +++ b/lib/librte_ipsec/rte_ipsec_sa.h
> > > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
> > > uint8_t proto; /**< next header protocol */
> > > } trs; /**< transport mode related parameters */
> > > };
> > > -
> > > - /**
> > > - * window size to enable sequence replay attack handling.
> > > - * replay checking is disabled if the window size is 0.
> > > - */
> > > - uint32_t replay_win_sz;
> > > };
> > >
> > > /**
> > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> > > index 23d394b46..6f1d92c3c 100644
> > > --- a/lib/librte_ipsec/sa.c
> > > +++ b/lib/librte_ipsec/sa.c
> > > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
> > > return rc;
> > >
> > > /* determine required size */
> > > - wsz = prm->replay_win_sz;
> > > + wsz = prm->ipsec_xform.replay_win_sz;
> > > return ipsec_sa_size(type, &wsz, &nb);
> > > }
> > >
> > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct
> > rte_ipsec_sa_prm *prm,
> > > return rc;
> > >
> > > /* determine required size */
> > > - wsz = prm->replay_win_sz;
> > > + wsz = prm->ipsec_xform.replay_win_sz;
> > > sz = ipsec_sa_size(type, &wsz, &nb);
> > > if (sz < 0)
> > > return sz;
> > > --
> > > 2.17.1
>
> > > > The rte_security lib has introduced replay_win_sz,
> > > > so it can be removed from the rte_ipsec lib.
> > > >
> > > > The relaved tests,app are also update to reflect
> > > > the usages.
> > > >
> > > > Note that esn and anti-replay fileds were earlier used
> > > > only for ipsec library, they were enabling the libipsec
> > > > by default. With this change esn and anti-replay setting
> > > > will not automatically enabled libipsec.
> > > >
> > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> > > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > > > ---
> > > > app/test/test_ipsec.c | 2 +-
> > > > doc/guides/rel_notes/release_19_11.rst | 7 +++++--
> > > > examples/ipsec-secgw/ipsec-secgw.c | 5 -----
> > > > examples/ipsec-secgw/ipsec.c | 4 ++++
> > > > examples/ipsec-secgw/sa.c | 2 +-
> > > > lib/librte_ipsec/Makefile | 2 +-
> > > > lib/librte_ipsec/meson.build | 1 +
> > > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
> > > > lib/librte_ipsec/sa.c | 4 ++--
> > > > 9 files changed, 15 insertions(+), 18 deletions(-)
> > > >
> > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
> > > > index 4007eff19..7dc83fee7 100644
> > > > --- a/app/test/test_ipsec.c
> > > > +++ b/app/test/test_ipsec.c
> > > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz,
> uint64_t
> > > flags)
> > > >
> > > > prm->userdata = 1;
> > > > prm->flags = flags;
> > > > - prm->replay_win_sz = replay_win_sz;
> > > >
> > > > /* setup ipsec xform */
> > > > prm->ipsec_xform = ut_params->ipsec_xform;
> > > > prm->ipsec_xform.salt = (uint32_t)rte_rand();
> > > > + prm->ipsec_xform.replay_win_sz = replay_win_sz;
> > > >
> > > > /* setup tunnel related fields */
> > > > prm->tun.hdr_len = sizeof(ipv4_outer);
> > > > diff --git a/doc/guides/rel_notes/release_19_11.rst
> > > b/doc/guides/rel_notes/release_19_11.rst
> > > > index dcae08002..0504a3443 100644
> > > > --- a/doc/guides/rel_notes/release_19_11.rst
> > > > +++ b/doc/guides/rel_notes/release_19_11.rst
> > > > @@ -369,10 +369,13 @@ ABI Changes
> > > > align the Ethernet header on receive and all known encapsulations
> > > > preserve the alignment of the header.
> > > >
> > > > -* security: A new field ''replay_win_sz'' has been added to the structure
> > > > +* security: The field ''replay_win_sz'' has been moved from ipsec library
> > > > + based ''rte_ipsec_sa_prm'' structure to security library based structure
> > > > ``rte_security_ipsec_xform``, which specify the Anti replay window size
> > > > to enable sequence replay attack handling.
> > > >
> > > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure
> > > > + ''rte_ipsec_sa_prm'' as it has been added to the security library.
> > > >
> > > > Shared Library Versions
> > > > -----------------------
> > > > @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were
> > > incremented in this version.
> > > > librte_gso.so.1
> > > > librte_hash.so.2
> > > > librte_ip_frag.so.1
> > > > - librte_ipsec.so.1
> > > > + + librte_ipsec.so.2
> > > > librte_jobstats.so.1
> > > > librte_kni.so.2
> > > > librte_kvargs.so.1
> > > > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-
> > > secgw/ipsec-secgw.c
> > > > index b12936470..3b5aaf683 100644
> > > > --- a/examples/ipsec-secgw/ipsec-secgw.c
> > > > +++ b/examples/ipsec-secgw/ipsec-secgw.c
> > > > @@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm
> *prm)
> > > > printf("librte_ipsec usage: %s\n",
> > > > (prm->enable == 0) ? "disabled" : "enabled");
> > > >
> > > > - if (prm->enable == 0)
> > > > - return;
> > > > -
> > > > printf("replay window size: %u\n", prm->window_size);
> > > > printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
> > > > printf("SA flags: %#" PRIx64 "\n", prm->flags);
> > > > @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
> > > > app_sa_prm.enable = 1;
> > > > break;
> > > > case 'w':
> > > > - app_sa_prm.enable = 1;
> > >
> > > That actually will break lib-mode functional tests at:
> > > examples/ipsec-secgw/test/
> > > Due to my laziness I enabled in them library mode via '-w' option,
> > > as that moment legacy mode didn't support replay window...
> > > As these patches already applied, I'll send the fix in a new one in next few.
> >
> > No issues, I will squash your changes with the original patch as it is not applied
> > On master.
>
> Ok, thanks.
> Patch at:
> http://patches.dpdk.org/patch/62540/
Removed the fixes line for this patch. Rebased the tree so that script patch is just after this patch.
Applied
>
> >
> > >
> > > > app_sa_prm.window_size = parse_decimal(optarg);
> > > > break;
> > > > case 'e':
> > > > - app_sa_prm.enable = 1;
> > > > app_sa_prm.enable_esn = 1;
> > > > break;
> > > > case 'a':
> > > > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c
> > > > index d7761e966..d4b57121a 100644
> > > > --- a/examples/ipsec-secgw/ipsec.c
> > > > +++ b/examples/ipsec-secgw/ipsec.c
> > > > @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct
> > > rte_security_ipsec_xform *ipsec)
> > > > /* TODO support for Transport */
> > > > }
> > > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
> > > > + ipsec->replay_win_sz = app_sa_prm.window_size;
> > > > + ipsec->options.esn = app_sa_prm.enable_esn;
> > >
> > > Ok, but what to do for the devices that don't support esn or replay_win_sz?
> > > Should we add some check? Either to the app, or preferably into rte_security
> > > level at rte_security_session_create()?
> >
> > Ideally app should check the capability of the device before setting it.
>
> Yes... after another thought - as right now we do create session at run-time,
> probably we need to check these device capabilities at init stage and report an
> error.
Agreed
@@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags)
prm->userdata = 1;
prm->flags = flags;
- prm->replay_win_sz = replay_win_sz;
/* setup ipsec xform */
prm->ipsec_xform = ut_params->ipsec_xform;
prm->ipsec_xform.salt = (uint32_t)rte_rand();
+ prm->ipsec_xform.replay_win_sz = replay_win_sz;
/* setup tunnel related fields */
prm->tun.hdr_len = sizeof(ipv4_outer);
@@ -369,10 +369,13 @@ ABI Changes
align the Ethernet header on receive and all known encapsulations
preserve the alignment of the header.
-* security: A new field ''replay_win_sz'' has been added to the structure
+* security: The field ''replay_win_sz'' has been moved from ipsec library
+ based ''rte_ipsec_sa_prm'' structure to security library based structure
``rte_security_ipsec_xform``, which specify the Anti replay window size
to enable sequence replay attack handling.
+* ipsec: The field ''replay_win_sz'' has been removed from the structure
+ ''rte_ipsec_sa_prm'' as it has been added to the security library.
Shared Library Versions
-----------------------
@@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version.
librte_gso.so.1
librte_hash.so.2
librte_ip_frag.so.1
- librte_ipsec.so.1
+ + librte_ipsec.so.2
librte_jobstats.so.1
librte_kni.so.2
librte_kvargs.so.1
@@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm)
printf("librte_ipsec usage: %s\n",
(prm->enable == 0) ? "disabled" : "enabled");
- if (prm->enable == 0)
- return;
-
printf("replay window size: %u\n", prm->window_size);
printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled");
printf("SA flags: %#" PRIx64 "\n", prm->flags);
@@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv)
app_sa_prm.enable = 1;
break;
case 'w':
- app_sa_prm.enable = 1;
app_sa_prm.window_size = parse_decimal(optarg);
break;
case 'e':
- app_sa_prm.enable = 1;
app_sa_prm.enable_esn = 1;
break;
case 'a':
@@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
/* TODO support for Transport */
}
ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT;
+ ipsec->replay_win_sz = app_sa_prm.window_size;
+ ipsec->options.esn = app_sa_prm.enable_esn;
}
int
@@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
+ .replay_win_sz = 0,
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (IS_TUNNEL(sa->flags)) ?
@@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
.spi = sa->spi,
.salt = sa->salt,
.options = { 0 },
+ .replay_win_sz = 0,
.direction = sa->direction,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = (sa->flags == IP4_TUNNEL ||
@@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm,
prm->flags = app_prm->flags;
prm->ipsec_xform.options.esn = app_prm->enable_esn;
- prm->replay_win_sz = app_prm->window_size;
+ prm->ipsec_xform.replay_win_sz = app_prm->window_size;
}
static int
@@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash
EXPORT_MAP := rte_ipsec_version.map
-LIBABIVER := 1
+LIBABIVER := 2
# all source are stored in SRCS-y
SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: BSD-3-Clause
# Copyright(c) 2018 Intel Corporation
+version = 2
allow_experimental_apis = true
sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c')
@@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm {
uint8_t proto; /**< next header protocol */
} trs; /**< transport mode related parameters */
};
-
- /**
- * window size to enable sequence replay attack handling.
- * replay checking is disabled if the window size is 0.
- */
- uint32_t replay_win_sz;
};
/**
@@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm)
return rc;
/* determine required size */
- wsz = prm->replay_win_sz;
+ wsz = prm->ipsec_xform.replay_win_sz;
return ipsec_sa_size(type, &wsz, &nb);
}
@@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
return rc;
/* determine required size */
- wsz = prm->replay_win_sz;
+ wsz = prm->ipsec_xform.replay_win_sz;
sz = ipsec_sa_size(type, &wsz, &nb);
if (sz < 0)
return sz;