From patchwork Wed Oct 30 08:57:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178078 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp975972ill; Wed, 30 Oct 2019 02:00:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqwiByOX+hNkHoQJqg6vf1f+/ps9oRwt6Jq5H99UMcbm2PKsaX/of76zjrZkZ97cgYHhqT0o X-Received: by 2002:a50:b83d:: with SMTP id j58mr30307135ede.84.1572426005850; Wed, 30 Oct 2019 02:00:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572426005; cv=none; d=google.com; s=arc-20160816; b=YYtxWzcZsRKbgaGbxvT/XV4pqE5eDkiT/JDw3GUenhxNst7ipppbiWGWM4XYubRKbE zuiYjx4KzViAKPXGGDv6KYlxPzl6k6UZadqDm463cepackSf21gEkMpkA6ykNVMwzc3O Kv0YWmXilUGoPNn1rHuyVnzY9K/ObY6clFMQO5VgtpIEudmCIj6+hV0R1i+Tm/YLEb1U gPPwegeGEBEWSqth3jBLJMudzaonALQVTHW0iRZq3TBrLaeNC/3Hz9c7pzr52HLia7lg bXBP0rBlWcukjJ4Op/4URen7pi35h3bYIkWhS8l2f+x5oZSD4L5a5xRXBIaV2oKdgSWp RH/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=vU8DBbnXHa+g9i0c8m+bjtCcRJ/RZusAahcbGkH6WZQ=; b=GUkBahylYOsCmOdeLMBfhfQb8jQJwaaI0dYgrlt8l4+87iVU48KRmzbvGm2jJrPqp5 UR931E391uw95s21lXo01xhcFRpVZu50/77yU0CvuIc/6rXElCNo/cshe+C8yRUNG3oz xjJu3hQ9J5Qbrm4XX0NAHXWIcAc5gXulsdZMlD7lSJdiYDuSvJMAzENAIbVFyjH4E2rH G12gBmo92gD94sqHjJEit/9OhcnpLNcvHwlFn1JKr/L9qj1NYZm6gsJmYmhIapsF64RH iqaQ0FJz+sxZWPzuZ9MLvWL+0teEJN3CPS5I1BaWchHns9hMoYEdp/gE6V22f9zFJB11 mglg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id fi30si772683ejb.257.2019.10.30.02.00.05; Wed, 30 Oct 2019 02:00:05 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 6C92B1BEE0; Wed, 30 Oct 2019 10:00:05 +0100 (CET) Received: from inva021.nxp.com (inva021.nxp.com [92.121.34.21]) by dpdk.org (Postfix) with ESMTP id 9B9A21BEE0 for ; Wed, 30 Oct 2019 10:00:03 +0100 (CET) Received: from inva021.nxp.com (localhost [127.0.0.1]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 3061820099D; Wed, 30 Oct 2019 10:00:03 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 0B145200905; Wed, 30 Oct 2019 10:00:01 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id DE5E7402B7; Wed, 30 Oct 2019 16:59:57 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Wed, 30 Oct 2019 14:27:00 +0530 Message-Id: <20191030085701.13815-1-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191030065703.32068-1-hemant.agrawal@nxp.com> References: <20191030065703.32068-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v3 1/2] security: add anti replay window size X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" At present the ipsec xfrom is missing the important step to configure the anti replay window size. The newly added field will also help in to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value. Signed-off-by: Hemant Agrawal --- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) -- 2.17.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** From patchwork Wed Oct 30 08:57:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178079 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp976106ill; Wed, 30 Oct 2019 02:00:12 -0700 (PDT) X-Google-Smtp-Source: APXvYqzQTcaQONRPsWlWB8V1SNCTlZExyxZrXkPmlKkNlZdqaqAEJBfTdyEZ41H7RkR/hXiaBI+3 X-Received: by 2002:a17:906:1c97:: with SMTP id g23mr7748162ejh.66.1572426012438; Wed, 30 Oct 2019 02:00:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572426012; cv=none; d=google.com; s=arc-20160816; b=DgsRm2XI/2rkrUXET9G6ruS+YIq3BpQYW7aspcE90peFXFICFXQB0T064gBM079FOu Wn1ARBbSGa4LWBg5VNVOpiQITDmSLjUSgwK2Ugu/uiOLumiGjxOk6k0+GqcrS0Gwb0wm 3en5XM4D7t+Ri1MmsGTkbPv9j7sYdomLiwZvb3YAV+IIEso8A/7luYahIaDXEvVVW6hZ Q6nAW7m1mmEOuoXiZx40RQvfMXzAZP6pEM/z0eTA4TiGMwowuxiWwX+F9zrO7iXQwhin uChb12ffZiRt1qoSrVxPDTYgsUmJGp/Hjit1AsSu6QRv4B0e9WY2iYYVWjQndx0FYi/S SdAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=9fy1SC8xCOMma1ENkqIx5iqNteDx3RdkAO3UYg83qO0=; b=l2Wmh5GIGwOM2HNRJxP3cgR9gytC4lAJw1Qubnxcgek1GvWNgbgh0ID2y8LLXW0Yky y17cdACRhFMKF34l18s735Wa9xfKzHXkwixN2xirvIwalSwuf6hEPZIkVvA9Db7HpBpg CjEdIItVvUhB8B0kcMr/T2sF5MmsMRlY3xHkvjmHVwoWzDGNO/uCbbDZvt95ik1ACaVa nJsWUAbgOjJFCu3+0vaZ6Bz846hhfuVnPnBvjYQmvSaWRvkyK4tmXchpIH1zOFhKa6fh NFZPHHTv6Cj/d3hm3YObLJthh2le1LZFjVO1NDfXQtNL/81TOEP9onUEk7ZVX+7uKhC1 h2PQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id s20si1044462edd.294.2019.10.30.02.00.12; Wed, 30 Oct 2019 02:00:12 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id E83341BF49; Wed, 30 Oct 2019 10:00:07 +0100 (CET) Received: from inva021.nxp.com (inva021.nxp.com [92.121.34.21]) by dpdk.org (Postfix) with ESMTP id 393D21BEB5 for ; Wed, 30 Oct 2019 10:00:04 +0100 (CET) Received: from inva021.nxp.com (localhost [127.0.0.1]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 1AC9520000D; Wed, 30 Oct 2019 10:00:04 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id B0B9E2009A2; Wed, 30 Oct 2019 10:00:01 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 906A8402C7; Wed, 30 Oct 2019 16:59:58 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Wed, 30 Oct 2019 14:27:01 +0530 Message-Id: <20191030085701.13815-2-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191030085701.13815-1-hemant.agrawal@nxp.com> References: <20191030065703.32068-1-hemant.agrawal@nxp.com> <20191030085701.13815-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v3 2/2] ipsec: remove redundant replay_win_sz X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. Also, the relaved tests,app are also update to reflect the usages. Signed-off-by: Hemant Agrawal --- v3: fix the compilation issue app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 10 ++++++++-- examples/ipsec-secgw/ipsec.c | 1 + examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 8 files changed, 15 insertions(+), 13 deletions(-) -- 2.17.1 diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..9e3dabd93 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,7 +689,7 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..aa16c8422 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,12 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -407,7 +413,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 @@ -437,7 +443,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz;