summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHemant Agrawal <hemant.agrawal@nxp.com>2019-11-06 12:24:12 +0530
committerAkhil Goyal <akhil.goyal@nxp.com>2019-11-08 13:51:16 +0100
commitd5411b9a3dd027b2c6ad16afa5bfada78c53519a (patch)
treec81ced5eff02ca35e1fbd42b60c5e18cdbbc8172
parent2fcf3f70d19af191eef79fbc9f2d978b2ffb1588 (diff)
downloaddpdk-d5411b9a3dd027b2c6ad16afa5bfada78c53519a.zip
dpdk-d5411b9a3dd027b2c6ad16afa5bfada78c53519a.tar.gz
dpdk-d5411b9a3dd027b2c6ad16afa5bfada78c53519a.tar.xz
security: add anti replay window size
At present the ipsec xfrom is missing the important step to configure the anti replay window size. The newly added field will also help in to enable or disable the anti replay checking, if available in offload by means of non-zero or zero value. Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
-rw-r--r--doc/guides/rel_notes/release_19_11.rst6
-rw-r--r--lib/librte_security/Makefile2
-rw-r--r--lib/librte_security/meson.build2
-rw-r--r--lib/librte_security/rte_security.h8
4 files changed, 15 insertions, 3 deletions
diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
index 097e169..29e6bf8 100644
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -403,6 +403,10 @@ ABI Changes
align the Ethernet header on receive and all known encapsulations
preserve the alignment of the header.
+* security: A new field ``replay_win_sz`` has been added to the structure
+ ``rte_security_ipsec_xform``, which specify the Anti replay window size
+ to enable sequence replay attack handling.
+
Shared Library Versions
-----------------------
@@ -477,7 +481,7 @@ The libraries prepended with a plus sign were incremented in this version.
librte_reorder.so.1
librte_ring.so.2
+ librte_sched.so.4
- librte_security.so.2
+ + librte_security.so.3
librte_stack.so.1
librte_table.so.3
librte_timer.so.1
diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
index 6708eff..6a268ee 100644
--- a/lib/librte_security/Makefile
+++ b/lib/librte_security/Makefile
@@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk
LIB = librte_security.a
# library version
-LIBABIVER := 2
+LIBABIVER := 3
# build flags
CFLAGS += -O3
diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
index a5130d2..6fed012 100644
--- a/lib/librte_security/meson.build
+++ b/lib/librte_security/meson.build
@@ -1,7 +1,7 @@
# SPDX-License-Identifier: BSD-3-Clause
# Copyright(c) 2017-2019 Intel Corporation
-version = 2
+version = 3
sources = files('rte_security.c')
headers = files('rte_security.h', 'rte_security_driver.h')
deps += ['mempool', 'cryptodev']
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfc..546779d 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
/**< Tunnel parameters, NULL for transport mode */
uint64_t esn_soft_limit;
/**< ESN for which the overflow event need to be raised */
+ uint32_t replay_win_sz;
+ /**< Anti replay window size to enable sequence replay attack handling.
+ * replay checking is disabled if the window size is 0.
+ */
};
/**
@@ -563,6 +567,10 @@ struct rte_security_capability {
/**< IPsec SA direction */
struct rte_security_ipsec_sa_options options;
/**< IPsec SA supported options */
+ uint32_t replay_win_sz_max;
+ /**< IPsec Anti Replay Window Size. A '0' value
+ * indicates that Anti Replay is not supported.
+ */
} ipsec;
/**< IPsec capability */
struct {