Message ID | 20191031131502.12504-2-hemant.agrawal@nxp.com |
---|---|
State | New |
Headers | show |
Series | [v5,1/3] security: add anti replay window size | expand |
Hi Hemant, > > The rte_security lib has introduced replay_win_sz, > so it can be removed from the rte_ipsec lib. > > Also, the relaved tests,app are also update to reflect > the usages. > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > app/test/test_ipsec.c | 2 +- > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > examples/ipsec-secgw/ipsec.c | 1 + > examples/ipsec-secgw/sa.c | 2 +- > lib/librte_ipsec/Makefile | 2 +- > lib/librte_ipsec/meson.build | 1 + > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > lib/librte_ipsec/sa.c | 4 ++-- > 8 files changed, 12 insertions(+), 13 deletions(-) > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c > index 4007eff19..7dc83fee7 100644 > --- a/app/test/test_ipsec.c > +++ b/app/test/test_ipsec.c > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t > flags) > > prm->userdata = 1; > prm->flags = flags; > - prm->replay_win_sz = replay_win_sz; > > /* setup ipsec xform */ > prm->ipsec_xform = ut_params->ipsec_xform; > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > /* setup tunnel related fields */ > prm->tun.hdr_len = sizeof(ipv4_outer); > diff --git a/doc/guides/rel_notes/release_19_11.rst > b/doc/guides/rel_notes/release_19_11.rst > index 0508ec545..ca414edb5 100644 > --- a/doc/guides/rel_notes/release_19_11.rst > +++ b/doc/guides/rel_notes/release_19_11.rst > @@ -365,10 +365,13 @@ ABI Changes > align the Ethernet header on receive and all known encapsulations > preserve the alignment of the header. > > -* security: A new field ''replay_win_sz'' has been added to the structure > +* security: The field ''replay_win_sz'' has been moved from ipsec library > + based ''rte_ipsec_sa_prm'' structure to security library based structure > ``rte_security_ipsec_xform``, which specify the Anti replay window size > to enable sequence replay attack handling. > > +* ipsec: The field ''replay_win_sz'' has been removed from the structure > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > Shared Library Versions > ----------------------- > @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were > incremented in this version. > librte_gso.so.1 > librte_hash.so.2 > librte_ip_frag.so.1 > - librte_ipsec.so.1 > + + librte_ipsec.so.2 > librte_jobstats.so.1 > librte_kni.so.2 > librte_kvargs.so.1 > diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c > index 51fb22e8a..159e81f99 100644 > --- a/examples/ipsec-secgw/ipsec.c > +++ b/examples/ipsec-secgw/ipsec.c > @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > rte_security_ipsec_xform *ipsec) > /* TODO support for Transport */ > } > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > + ipsec->replay_win_sz = app_sa_prm.window_size; The value of window_size is coming from command line and while parsing it, lib mode Is getting enabled, which means people can use anti replay only when lib mode is enabled which is not correct. Also there should be a way to disable anti replay. So when it is not given as command line It should not be enabled and default value should be 0. > } > > int > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index 14ee94731..3d687c459 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, > > prm->flags = app_prm->flags; > prm->ipsec_xform.options.esn = app_prm->enable_esn; > - prm->replay_win_sz = app_prm->window_size; > + prm->ipsec_xform.replay_win_sz = app_prm->window_size; > } > > static int > diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile > index 81fb99980..161ea9e3d 100644 > --- a/lib/librte_ipsec/Makefile > +++ b/lib/librte_ipsec/Makefile > @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash > > EXPORT_MAP := rte_ipsec_version.map > > -LIBABIVER := 1 > +LIBABIVER := 2 > > # all source are stored in SRCS-y > SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c > diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build > index 70358526b..e8604dadd 100644 > --- a/lib/librte_ipsec/meson.build > +++ b/lib/librte_ipsec/meson.build > @@ -1,6 +1,7 @@ > # SPDX-License-Identifier: BSD-3-Clause > # Copyright(c) 2018 Intel Corporation > > +version = 2 > allow_experimental_apis = true > > sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') > diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h > index 47ce169d2..1cfde5874 100644 > --- a/lib/librte_ipsec/rte_ipsec_sa.h > +++ b/lib/librte_ipsec/rte_ipsec_sa.h > @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { > uint8_t proto; /**< next header protocol */ > } trs; /**< transport mode related parameters */ > }; > - > - /** > - * window size to enable sequence replay attack handling. > - * replay checking is disabled if the window size is 0. > - */ > - uint32_t replay_win_sz; > }; > > /** > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 23d394b46..6f1d92c3c 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > return ipsec_sa_size(type, &wsz, &nb); > } > > @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct > rte_ipsec_sa_prm *prm, > return rc; > > /* determine required size */ > - wsz = prm->replay_win_sz; > + wsz = prm->ipsec_xform.replay_win_sz; > sz = ipsec_sa_size(type, &wsz, &nb); > if (sz < 0) > return sz; > -- > 2.17.1
> -----Original Message----- > From: Akhil Goyal <akhil.goyal@nxp.com> > Sent: Wednesday, November 6, 2019 3:32 AM > To: Hemant Agrawal <hemant.agrawal@nxp.com>; dev@dpdk.org > Cc: konstantin.ananyev@intel.com; anoobj@marvell.com; Hemant Agrawal > <hemant.agrawal@nxp.com> > Subject: RE: [PATCH v5 2/3] ipsec: remove redundant replay_win_sz > Importance: High > > Hi Hemant, > > > > The rte_security lib has introduced replay_win_sz, so it can be > > removed from the rte_ipsec lib. > > > > Also, the relaved tests,app are also update to reflect the usages. > > > > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > --- > > app/test/test_ipsec.c | 2 +- > > doc/guides/rel_notes/release_19_11.rst | 7 +++++-- > > examples/ipsec-secgw/ipsec.c | 1 + > > examples/ipsec-secgw/sa.c | 2 +- > > lib/librte_ipsec/Makefile | 2 +- > > lib/librte_ipsec/meson.build | 1 + > > lib/librte_ipsec/rte_ipsec_sa.h | 6 ------ > > lib/librte_ipsec/sa.c | 4 ++-- > > 8 files changed, 12 insertions(+), 13 deletions(-) > > > > diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index > > 4007eff19..7dc83fee7 100644 > > --- a/app/test/test_ipsec.c > > +++ b/app/test/test_ipsec.c > > @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, > > uint64_t > > flags) > > > > prm->userdata = 1; > > prm->flags = flags; > > - prm->replay_win_sz = replay_win_sz; > > > > /* setup ipsec xform */ > > prm->ipsec_xform = ut_params->ipsec_xform; > > prm->ipsec_xform.salt = (uint32_t)rte_rand(); > > + prm->ipsec_xform.replay_win_sz = replay_win_sz; > > > > /* setup tunnel related fields */ > > prm->tun.hdr_len = sizeof(ipv4_outer); diff --git > > a/doc/guides/rel_notes/release_19_11.rst > > b/doc/guides/rel_notes/release_19_11.rst > > index 0508ec545..ca414edb5 100644 > > --- a/doc/guides/rel_notes/release_19_11.rst > > +++ b/doc/guides/rel_notes/release_19_11.rst > > @@ -365,10 +365,13 @@ ABI Changes > > align the Ethernet header on receive and all known encapsulations > > preserve the alignment of the header. > > > > -* security: A new field ''replay_win_sz'' has been added to the > > structure > > +* security: The field ''replay_win_sz'' has been moved from ipsec > > +library > > + based ''rte_ipsec_sa_prm'' structure to security library based > > +structure > > ``rte_security_ipsec_xform``, which specify the Anti replay window size > > to enable sequence replay attack handling. > > > > +* ipsec: The field ''replay_win_sz'' has been removed from the > > +structure > > + ''rte_ipsec_sa_prm'' as it has been added to the security library. > > > > Shared Library Versions > > ----------------------- > > @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were > > incremented in this version. > > librte_gso.so.1 > > librte_hash.so.2 > > librte_ip_frag.so.1 > > - librte_ipsec.so.1 > > + + librte_ipsec.so.2 > > librte_jobstats.so.1 > > librte_kni.so.2 > > librte_kvargs.so.1 > > diff --git a/examples/ipsec-secgw/ipsec.c > > b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 > > --- a/examples/ipsec-secgw/ipsec.c > > +++ b/examples/ipsec-secgw/ipsec.c > > @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct > > rte_security_ipsec_xform *ipsec) > > /* TODO support for Transport */ > > } > > ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; > > + ipsec->replay_win_sz = app_sa_prm.window_size; > > The value of window_size is coming from command line and while parsing it, > lib mode Is getting enabled, which means people can use anti replay only > when lib mode is enabled which is not correct. > Also there should be a way to disable anti replay. So when it is not given as > command line It should not be enabled and default value should be 0. > [Hemant] Ok. I will look into it.
diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c index 4007eff19..7dc83fee7 100644 --- a/app/test/test_ipsec.c +++ b/app/test/test_ipsec.c @@ -689,11 +689,11 @@ fill_ipsec_param(uint32_t replay_win_sz, uint64_t flags) prm->userdata = 1; prm->flags = flags; - prm->replay_win_sz = replay_win_sz; /* setup ipsec xform */ prm->ipsec_xform = ut_params->ipsec_xform; prm->ipsec_xform.salt = (uint32_t)rte_rand(); + prm->ipsec_xform.replay_win_sz = replay_win_sz; /* setup tunnel related fields */ prm->tun.hdr_len = sizeof(ipv4_outer); diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst index 0508ec545..ca414edb5 100644 --- a/doc/guides/rel_notes/release_19_11.rst +++ b/doc/guides/rel_notes/release_19_11.rst @@ -365,10 +365,13 @@ ABI Changes align the Ethernet header on receive and all known encapsulations preserve the alignment of the header. -* security: A new field ''replay_win_sz'' has been added to the structure +* security: The field ''replay_win_sz'' has been moved from ipsec library + based ''rte_ipsec_sa_prm'' structure to security library based structure ``rte_security_ipsec_xform``, which specify the Anti replay window size to enable sequence replay attack handling. +* ipsec: The field ''replay_win_sz'' has been removed from the structure + ''rte_ipsec_sa_prm'' as it has been added to the security library. Shared Library Versions ----------------------- @@ -411,7 +414,7 @@ The libraries prepended with a plus sign were incremented in this version. librte_gso.so.1 librte_hash.so.2 librte_ip_frag.so.1 - librte_ipsec.so.1 + + librte_ipsec.so.2 librte_jobstats.so.1 librte_kni.so.2 librte_kvargs.so.1 diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 51fb22e8a..159e81f99 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -49,6 +49,7 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) /* TODO support for Transport */ } ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; + ipsec->replay_win_sz = app_sa_prm.window_size; } int diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 14ee94731..3d687c459 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1055,7 +1055,7 @@ fill_ipsec_app_sa_prm(struct rte_ipsec_sa_prm *prm, prm->flags = app_prm->flags; prm->ipsec_xform.options.esn = app_prm->enable_esn; - prm->replay_win_sz = app_prm->window_size; + prm->ipsec_xform.replay_win_sz = app_prm->window_size; } static int diff --git a/lib/librte_ipsec/Makefile b/lib/librte_ipsec/Makefile index 81fb99980..161ea9e3d 100644 --- a/lib/librte_ipsec/Makefile +++ b/lib/librte_ipsec/Makefile @@ -14,7 +14,7 @@ LDLIBS += -lrte_cryptodev -lrte_security -lrte_hash EXPORT_MAP := rte_ipsec_version.map -LIBABIVER := 1 +LIBABIVER := 2 # all source are stored in SRCS-y SRCS-$(CONFIG_RTE_LIBRTE_IPSEC) += esp_inb.c diff --git a/lib/librte_ipsec/meson.build b/lib/librte_ipsec/meson.build index 70358526b..e8604dadd 100644 --- a/lib/librte_ipsec/meson.build +++ b/lib/librte_ipsec/meson.build @@ -1,6 +1,7 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright(c) 2018 Intel Corporation +version = 2 allow_experimental_apis = true sources = files('esp_inb.c', 'esp_outb.c', 'sa.c', 'ses.c', 'ipsec_sad.c') diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index 47ce169d2..1cfde5874 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -47,12 +47,6 @@ struct rte_ipsec_sa_prm { uint8_t proto; /**< next header protocol */ } trs; /**< transport mode related parameters */ }; - - /** - * window size to enable sequence replay attack handling. - * replay checking is disabled if the window size is 0. - */ - uint32_t replay_win_sz; }; /** diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 23d394b46..6f1d92c3c 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -439,7 +439,7 @@ rte_ipsec_sa_size(const struct rte_ipsec_sa_prm *prm) return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; return ipsec_sa_size(type, &wsz, &nb); } @@ -461,7 +461,7 @@ rte_ipsec_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, return rc; /* determine required size */ - wsz = prm->replay_win_sz; + wsz = prm->ipsec_xform.replay_win_sz; sz = ipsec_sa_size(type, &wsz, &nb); if (sz < 0) return sz;