From patchwork Wed Nov 6 06:54:12 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178622
From: Hemant Agrawal
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com
Date: Wed, 6 Nov 2019 12:24:12 +0530
Message-Id: <20191106065414.4311-1-hemant.agrawal@nxp.com>
In-Reply-To: <20191031131502.12504-1-hemant.agrawal@nxp.com>
References: <20191031131502.12504-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v6 1/3] security: add anti replay window size

At present the ipsec xform is missing the important step to configure the anti replay window size. The newly added field will also help to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value.

Signed-off-by: Hemant Agrawal
Acked-by: Konstantin Ananyev
Acked-by: Anoob Joseph
---
 doc/guides/rel_notes/release_19_11.rst | 6 +++++-
 lib/librte_security/Makefile | 2 +-
 lib/librte_security/meson.build | 2 +-
 lib/librte_security/rte_security.h | 8 ++++++++
 4 files changed, 15 insertions(+), 3 deletions(-)
-- 
2.17.1

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 2eec0a2c1..dcae08002 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -369,6 +369,10 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + Shared Library Versions ----------------------- 
@@ -441,7 +445,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..216e5370f 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** 
@@ -563,6 +567,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay Window is not supported. + */ } ipsec; /**< IPsec capability */ struct {

From patchwork Wed Nov 6 06:54:13 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178623
From: Hemant Agrawal
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com
Date: Wed, 6 Nov 2019 12:24:13 +0530
Message-Id: <20191106065414.4311-2-hemant.agrawal@nxp.com>
In-Reply-To: <20191106065414.4311-1-hemant.agrawal@nxp.com>
References: <20191031131502.12504-1-hemant.agrawal@nxp.com> <20191106065414.4311-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v6 2/3] ipsec: remove redundant replay_win_sz

The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. The related tests, app are also updated to reflect the usages. Note that esn and anti-replay fields were earlier used only for ipsec library, they were enabling the libipsec by default. With this change esn and anti-replay setting will not automatically enable libipsec.

Signed-off-by: Hemant Agrawal
Acked-by: Konstantin Ananyev
---
 app/test/test_ipsec.c | 2 +-
 doc/guides/rel_notes/release_19_11.rst | 7 +++++--
 examples/ipsec-secgw/ipsec-secgw.c | 5 -----
 examples/ipsec-secgw/ipsec.c | 4 ++++
 examples/ipsec-secgw/sa.c | 2 +-
 lib/librte_ipsec/Makefile | 2 +-
 lib/librte_ipsec/meson.build | 1 +
 lib/librte_ipsec/rte_ipsec_sa.h | 6 ------
 lib/librte_ipsec/sa.c | 4 ++--
 9 files changed, 15 insertions(+), 18 deletions(-)
-- 
2.17.1

diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c 
@@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index dcae08002..0504a3443 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -369,10 +369,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -415,7 +418,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index b12936470..3b5aaf683 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c 
@@ -1424,9 +1424,6 @@ print_app_sa_prm(const struct app_sa_prm *prm) printf("librte_ipsec usage: %s\n", (prm->enable == 0) ? "disabled" : "enabled"); - if (prm->enable == 0) - return; - printf("replay window size: %u\n", prm->window_size); printf("ESN: %s\n", (prm->enable_esn == 0) ? "disabled" : "enabled"); printf("SA flags: %#" PRIx64 "\n", prm->flags); @@ -1495,11 +1492,9 @@ parse_args(int32_t argc, char **argv) app_sa_prm.enable = 1; break; case 'w': - app_sa_prm.enable = 1; app_sa_prm.window_size = parse_decimal(optarg); break; case 'e': - app_sa_prm.enable = 1; app_sa_prm.enable_esn = 1; break; case 'a': diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index d7761e966..d4b57121a 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,8 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; + ipsec->options.esn = app_sa_prm.enable_esn; } int @@ -92,6 +94,7 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa, .spi = sa->spi, .salt = sa->salt, .options = { 0 }, + .replay_win_sz = 0, .direction = sa->direction, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = (IS_TUNNEL(sa->flags)) ? @@ -151,6 +154,7 @@ create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa, .spi = sa->spi, .salt = sa->salt, .options = { 0 }, + .replay_win_sz = 0, .direction = sa->direction, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = (sa->flags == IP4_TUNNEL || diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index a8dee342e..4605a3a6c 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c 
@@ -1115,7 +1115,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } 
@@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz;

From patchwork Wed Nov 6 06:54:14 2019
X-Patchwork-Submitter: Hemant Agrawal
X-Patchwork-Id: 178624
From: Hemant Agrawal
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com
Date: Wed, 6 Nov 2019 12:24:14 +0530
Message-Id: <20191106065414.4311-3-hemant.agrawal@nxp.com>
In-Reply-To: <20191106065414.4311-1-hemant.agrawal@nxp.com>
References: <20191031131502.12504-1-hemant.agrawal@nxp.com> <20191106065414.4311-1-hemant.agrawal@nxp.com>
Subject: [dpdk-dev] [PATCH v6 3/3] crypto/dpaa2_sec: enable anti replay window config

This patch uses the anti replay window size to config the anti replay checking in decap path for lookaside IPSEC offload

Signed-off-by: Hemant Agrawal
---
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c | 21 +++++++++++++++++++++
 drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h | 6 ++++--
 drivers/crypto/dpaa_sec/dpaa_sec.c | 21 +++++++++++++++++++++
 drivers/crypto/dpaa_sec/dpaa_sec.h | 6 ++++--
 4 files changed, 50 insertions(+), 4 deletions(-)
-- 
2.17.1

Acked-by: Akhil Goyal

diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c index 555730519..42b055cd8 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c 
@@ -2903,6 +2903,27 @@ dpaa2_sec_set_ipsec_session(struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) decap_pdb.options |= PDBOPTS_ESP_ESN; + + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + decap_pdb.options |= PDBOPTS_ESP_ARS128; + } + } session->dir = DIR_DEC; bufsize = cnstr_shdsc_ipsec_new_decap(priv->flc_desc[0].desc, 1, 0, SHR_SERIAL, diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h index c10fbf8dd..528b64ef8 100644 --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h @@ -716,7 +716,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, @@ -727,7 +728,8 @@ static const struct rte_security_capability dpaa2_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa2_sec_capabilities }, diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c index b0fa74540..adf0c7a20 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.c +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c 
@@ -2844,6 +2844,27 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev, sizeof(struct rte_ipv6_hdr) << 16; if (ipsec_xform->options.esn) session->decap_pdb.options |= PDBOPTS_ESP_ESN; + if (ipsec_xform->replay_win_sz) { + uint32_t win_sz; + win_sz = rte_align32pow2(ipsec_xform->replay_win_sz); + + switch (win_sz) { + case 1: + case 2: + case 4: + case 8: + case 16: + case 32: + session->decap_pdb.options |= PDBOPTS_ESP_ARS32; + break; + case 64: + session->decap_pdb.options |= PDBOPTS_ESP_ARS64; + break; + default: + session->decap_pdb.options |= + PDBOPTS_ESP_ARS128; + } + } } else goto out; rte_spinlock_lock(&internals->lock); diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h index 039cce8e9..3ecc7eae5 100644 --- a/drivers/crypto/dpaa_sec/dpaa_sec.h +++ b/drivers/crypto/dpaa_sec/dpaa_sec.h @@ -733,7 +733,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities }, @@ -744,7 +745,8 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = { .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, - .options = { 0 } + .options = { 0 }, + .replay_win_sz_max = 128 }, .crypto_capabilities = dpaa_sec_capabilities },
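
Review bot: In patch 1/3, the doc comment on the new replay_win_sz member of struct rte_security_ipsec_xform (lib/librte_security/rte_security.h) gives no unit for the window and does not say how it relates to replay_win_sz_max, which the same patch adds to struct rte_security_capability. Suggest stating the unit, saying what a driver must do when the requested value exceeds its advertised replay_win_sz_max (reject the session, or clamp), and whether rounding up is allowed. Because 0 means "replay checking is disabled", any existing caller that zero-initialises the xform ends up with anti-replay off on an offloaded SA; that default deserves a sentence in the comment and in the release note.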
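
Review bot: In the release_19_11.rst hunk of patch 1/3, the field name is quoted as ''replay_win_sz'' with two single quotes, while rte_security_ipsec_xform on the following line uses double backticks, so the field will not render as an inline literal. Suggest double backticks for both and "which specifies" instead of "which specify". The rewritten bullet in patch 2/3 carries the same quoting over to ''rte_ipsec_sa_prm''.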
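
Review bot: In patch 2/3, the parse_args() hunk of examples/ipsec-secgw/ipsec-secgw.c removes "app_sa_prm.enable = 1;" from the 'w' and 'e' cases, so a command line that relied on -w or -e alone no longer turns on librte_ipsec and nothing tells the operator. The commit message mentions the change, but the diffstat shows no update to the application's usage text or guide. Suggest documenting the new requirement there. The companion print_app_sa_prm() hunk drops the early return, so the window size and ESN lines are now printed even when the library is reported as disabled; the output should make clear those values then apply to the rte_security path.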
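
Review bot: In the set_ipsec_conf() hunk of examples/ipsec-secgw/ipsec.c (patch 2/3), "ipsec->replay_win_sz = app_sa_prm.window_size;" passes the command-line value to the device without comparing it against the replay_win_sz_max capability that patch 1/3 introduces. Nothing visible in this hunk rejects a window the device cannot provide, so the SA may be created with a different window than the one requested. Suggest looking up the matching rte_security_capability and failing session creation (or logging the effective size) when window_size is larger than replay_win_sz_max, and when replay_win_sz_max is 0 but a non-zero window was asked for.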
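
Review bot: In the create_lookaside_session() hunk of examples/ipsec-secgw/ipsec.c (patch 2/3), the added ".replay_win_sz = 0," is redundant inside a designated initializer and, given the header comment that 0 disables replay checking, reads as a deliberate decision to turn anti-replay off. The create_inline_session() hunk adds the same line. If the value is meant to be filled in later by set_ipsec_conf(), drop the explicit zero or add a comment saying so; if these paths really keep 0, that should be called out because the SA then accepts replayed sequence numbers.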
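
Review bot: In patch 3/3, the switch added to dpaa2_sec_set_ipsec_session() sends every rounded value above 64 to the default case, so a request larger than the advertised replay_win_sz_max of 128 is silently programmed as PDBOPTS_ESP_ARS128 instead of being refused. Suggest checking ipsec_xform->replay_win_sz against 128 before the switch and returning an error (or at least logging the clamp), so the caller knows the window it asked for is not the one in effect. Smaller points in the same hunk: rte_align32pow2() rounds up, so 33 becomes 64, which should be mentioned in the driver documentation; the six fall-through cases can be written as a single "win_sz <= 32" test; and the default case has no break.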
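
Review bot: The dpaa_sec_set_ipsec_session() hunk in drivers/crypto/dpaa_sec/dpaa_sec.c repeats the window-size switch from the dpaa2_sec hunk line for line, differing only in the target (session->decap_pdb.options). Suggest a small shared helper that maps replay_win_sz to the PDBOPTS_ESP_ARS* flag and returns an error for unsupported sizes, so both drivers validate the same way. The subject line says crypto/dpaa2_sec while this hunk and dpaa_sec.h belong to crypto/dpaa_sec; either split the patch or name both drivers in the subject.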
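
Review bot: In the capability hunks of dpaa2_sec_priv.h and dpaa_sec.h (patch 3/3), ".replay_win_sz_max = 128" is set on the RTE_SECURITY_IPSEC_SA_DIR_EGRESS entries as well as the INGRESS ones, while the commit message and the driver hunks only configure the check in the decap path. Advertising a replay window for egress can mislead an application that uses the capability to decide whether anti-replay is enforced. Suggest leaving the egress entries at 0, or documenting in rte_security.h that the field is only meaningful for ingress SAs.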