From patchwork Wed Oct 30 06:57:02 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178069 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp872866ill; Wed, 30 Oct 2019 00:00:08 -0700 (PDT) X-Google-Smtp-Source: APXvYqw59G/F9HHeiQmS31GbKHHCSc8RTeiake7KGqG2EjzPIucoWq5JbxgLNxMHpRaANyrLq/h/ X-Received: by 2002:a50:8871:: with SMTP id c46mr30228303edc.24.1572418808180; Wed, 30 Oct 2019 00:00:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572418808; cv=none; d=google.com; s=arc-20160816; b=PcUCZF4DJSM2kreZOyaNuUThdlfdso1/Meq48Tz5zCW/MLNq9K8kn0Zm7XX66AaTvB TLaQd0hX0nTYYHxHKP/5z4UTZzltHGXVHt4jG9PG+nCmV6Z2XgC5wAwNh1fNaQ+UGX1S lWpWCQRFzv3AEe60qvFnAIOP5/cYXQ2gaVYRR2g2X6baK9tOAi7umPQ2qfpeeRy3bYNj c7gru+rWJq6zoLf/civPUDTGVa+okMFFRwhINywVprbtdWPvc/MHw/f6ckceaCVucSUg fYOl5meX9Yf83dgXMXU+Yg+hoB8C8UJeZtv7y085C6bAkpGFIqdFDh0ZvR9qpP20+Ene yP1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=vU8DBbnXHa+g9i0c8m+bjtCcRJ/RZusAahcbGkH6WZQ=; b=FdorGjkvflX3jxwIKJtA+Y4XJY2OERvTzMXe2h98T9wKUDKLGU6/16ECnoC/AzQxYb u1fKzi4dcfB3qFyZyQ02PAshJtssFe7+IfMrnOcjhK5WPcn4tYrP7Nb2SYkeqid1HWAR P0XdoGVPu3xV/i+whn6EMhcY6faj2WfQYemlQGxVc+mbST4f6ZKiORAmsX2oNxyp7Fd5 p5nkTznkp5G5TBn3Mhxq/wxu3cUO7EKdN4CrPOSwdxCAGxNE66hA9w0Y8Z8nFDIJHl92 JDvisI5lnoMXXkhAiJ0ve2dFTKrd2YHCXMZjt76SyfEdh/evm2R1zxksJUkWkp9XtuV7 k9sQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id 17si615867ejt.403.2019.10.30.00.00.08; Wed, 30 Oct 2019 00:00:08 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 4762A1BEE0; Wed, 30 Oct 2019 08:00:07 +0100 (CET) Received: from inva020.nxp.com (inva020.nxp.com [92.121.34.13]) by dpdk.org (Postfix) with ESMTP id 19F35271 for ; Wed, 30 Oct 2019 08:00:04 +0100 (CET) Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 888E91A0DEE; Wed, 30 Oct 2019 08:00:04 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 5BB871A0E75; Wed, 30 Oct 2019 08:00:02 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id 3B020402B7; Wed, 30 Oct 2019 14:59:59 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Wed, 30 Oct 2019 12:27:02 +0530 Message-Id: <20191030065703.32068-1-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191025062021.18052-1-hemant.agrawal@nxp.com> References: <20191025062021.18052-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v2 1/2] security: add anti replay window size X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" At present the ipsec xfrom is missing the important step to configure the anti replay window size. The newly added field will also help in to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value. Signed-off-by: Hemant Agrawal --- lib/librte_security/Makefile | 2 +- lib/librte_security/meson.build | 2 +- lib/librte_security/rte_security.h | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) -- 2.17.1 diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile index 6708effdb..6a268ee2a 100644 --- a/lib/librte_security/Makefile +++ b/lib/librte_security/Makefile @@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk LIB = librte_security.a # library version -LIBABIVER := 2 +LIBABIVER := 3 # build flags CFLAGS += -O3 diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build index a5130d2f6..6fed01273 100644 --- a/lib/librte_security/meson.build +++ b/lib/librte_security/meson.build @@ -1,7 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2017-2019 Intel Corporation -version = 2 +version = 3 sources = files('rte_security.c') headers = files('rte_security.h', 'rte_security_driver.h') deps += ['mempool', 'cryptodev'] diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index aaafdfcd7..195ad5645 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -212,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** From patchwork Wed Oct 30 06:57:03 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hemant Agrawal X-Patchwork-Id: 178070 Delivered-To: patch@linaro.org Received: by 2002:a92:409a:0:0:0:0:0 with SMTP id d26csp873017ill; Wed, 30 Oct 2019 00:00:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqyaaz3tbmQaEnoRvegw5ayQ0+SiDGTOwW/tTLv0bcjLCn9tuVDLQdgSdl0fEpKrk3rj1pV9 X-Received: by 2002:aa7:c942:: with SMTP id h2mr31447259edt.238.1572418814976; Wed, 30 Oct 2019 00:00:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572418814; cv=none; d=google.com; s=arc-20160816; b=BU99sf5Cw+UvVjmiMaVf+zdyw6yB3mb4oG60JiMllKw8uomVuC+O1FHTqNy0IDsZFx TxybO986wtQXJ/QzFovmSxNJSRcuAr/38h5Ww4MBp7uE2zQ38HhmA4FO75TCljWgzQON jY5HsmYUWtt1n8Ssh7wJda+3hF70gXKOnfgPRpPZ1lhCcazoyudk6QnhCQ7CeEKjlC5f +j2yyObTLW7YbJDPxx1nqHnFM4eifa2IiqU3b2YdyeEd86ZP1v9D77dBDlS1O355j+NW MwxO/ind2WuYWPHSUyQTFi21yyyJZW/O3A4CQczrlIKasEXF23xaHNxYosym74qJFwL0 BjLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:references:in-reply-to :message-id:date:cc:to:from; bh=gf5Bo/gGFfP+uU/kLBTXH9clCB0fpFMnhnpHuY43zro=; b=xwn7AXwKsuby7OEmYTFx140rQZ3pa0q9hyBYBF7oj+1OBXGMKEjr5xPRB0wNGt0nsC c6S4qWuFxH0skLcUtHsYbrDBj5bza9c+uAvpi4XSDDyiTze053g2tmQgqSOR0lwQMKJy knRqN595bLxN7i3qFtSDdb0Lb0opDEbYBIjX5Wpumoaurr30O1mhQA95qloaJf4sq6Yu VjmztgLsNOEAyASR2T2wcbwlKr4+1DQhPYFGRbDth2/CTA7ma7Iy6yTiRYaB1T4QHhIt PGFJpQtUO0yUfYi5C9I3maaBPW2z4FZyx5z/ErvH9rpzV5kSvArJKhKDt4Rb+J1XTD9d o0vw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from dpdk.org (dpdk.org. [92.243.14.124]) by mx.google.com with ESMTP id f23si957274edc.46.2019.10.30.00.00.14; Wed, 30 Oct 2019 00:00:14 -0700 (PDT) Received-SPF: pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) client-ip=92.243.14.124; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dev-bounces@dpdk.org designates 92.243.14.124 as permitted sender) smtp.mailfrom=dev-bounces@dpdk.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 839321BEF5; Wed, 30 Oct 2019 08:00:10 +0100 (CET) Received: from inva021.nxp.com (inva021.nxp.com [92.121.34.21]) by dpdk.org (Postfix) with ESMTP id F1AE11BF1E for ; Wed, 30 Oct 2019 08:00:05 +0100 (CET) Received: from inva021.nxp.com (localhost [127.0.0.1]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 691B82008E4; Wed, 30 Oct 2019 08:00:05 +0100 (CET) Received: from invc005.ap-rdc01.nxp.com (invc005.ap-rdc01.nxp.com [165.114.16.14]) by inva021.eu-rdc02.nxp.com (Postfix) with ESMTP id 0C2E92008D7; Wed, 30 Oct 2019 08:00:03 +0100 (CET) Received: from bf-netperf1.ap.freescale.net (bf-netperf1.ap.freescale.net [10.232.133.63]) by invc005.ap-rdc01.nxp.com (Postfix) with ESMTP id E0E1C402C7; Wed, 30 Oct 2019 14:59:59 +0800 (SGT) From: Hemant Agrawal To: dev@dpdk.org, akhil.goyal@nxp.com Cc: konstantin.ananyev@intel.com, Hemant Agrawal Date: Wed, 30 Oct 2019 12:27:03 +0530 Message-Id: <20191030065703.32068-2-hemant.agrawal@nxp.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191030065703.32068-1-hemant.agrawal@nxp.com> References: <20191025062021.18052-1-hemant.agrawal@nxp.com> <20191030065703.32068-1-hemant.agrawal@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Subject: [dpdk-dev] [PATCH v2 2/2] ipsec: remove redundant replay_win_sz X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The rte_security lib has introduced replay_win_sz, so it can be removed from the rte_ipsec lib. Also, the relaved tests,app are also update to reflect the usages. Signed-off-by: Hemant Agrawal --- app/test/test_ipsec.c | 2 +- doc/guides/rel_notes/release_19_11.rst | 10 ++++++++-- examples/ipsec-secgw/ipsec.c | 1 + examples/ipsec-secgw/sa.c | 2 +- lib/librte_ipsec/Makefile | 2 +- lib/librte_ipsec/meson.build | 1 + lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ lib/librte_ipsec/sa.c | 4 ++-- 8 files changed, 15 insertions(+), 13 deletions(-) -- 2.17.1 diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..9e3dabd93 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,7 +689,7 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index ae8e7b2f0..aa16c8422 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,6 +365,12 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. +* security: A new field ''replay_win_sz'' has been added to the structure + ``rte_security_ipsec_xform``, which specify the Anti replay window size + to enable sequence replay attack handling. + +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -407,7 +413,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 @@ -437,7 +443,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_reorder.so.1 librte_ring.so.2 + librte_sched.so.4 - librte_security.so.2 + + librte_security.so.3 librte_stack.so.1 librte_table.so.3 librte_timer.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..46cdc1241 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->replay_win_sz; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz;