security: add anti replay window size

At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

diff --git a/doc/guides/rel_notes/release_19_11.rst b/doc/guides/rel_notes/release_19_11.rst
index 097e169949d8285c6b472d408ff90138821a194a..29e6bf86a9e43ab9fac0b82f0630bee9a6b0f8e4 100644 (file)
--- a/doc/guides/rel_notes/release_19_11.rst
+++ b/doc/guides/rel_notes/release_19_11.rst
@@ -403,6 +403,10 @@ ABI Changes
   align the Ethernet header on receive and all known encapsulations
   preserve the alignment of the header.
 
+* security: A new field ``replay_win_sz`` has been added to the structure
+  ``rte_security_ipsec_xform``, which specify the Anti replay window size
+  to enable sequence replay attack handling.
+
 
 Shared Library Versions
 -----------------------
@@ -477,7 +481,7 @@ The libraries prepended with a plus sign were incremented in this version.
      librte_reorder.so.1
      librte_ring.so.2
    + librte_sched.so.4
-     librte_security.so.2
+   + librte_security.so.3
      librte_stack.so.1
      librte_table.so.3
      librte_timer.so.1

diff --git a/lib/librte_security/Makefile b/lib/librte_security/Makefile
index 6708effdbb81a8fd373ef87926ba1a97249d1a12..6a268ee2a701900f28046daab114fd1cad8ed034 100644 (file)
--- a/lib/librte_security/Makefile
+++ b/lib/librte_security/Makefile
@@ -7,7 +7,7 @@ include $(RTE_SDK)/mk/rte.vars.mk
 LIB = librte_security.a
 
 # library version
-LIBABIVER := 2
+LIBABIVER := 3
 
 # build flags
 CFLAGS += -O3

diff --git a/lib/librte_security/meson.build b/lib/librte_security/meson.build
index a5130d2f6d1ed66f5e98ea9262df6a38bc4ebc49..6fed012731f0c4380738d4eaf7a65c948d94c6f5 100644 (file)
--- a/lib/librte_security/meson.build
+++ b/lib/librte_security/meson.build
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright(c) 2017-2019 Intel Corporation
 
-version = 2
+version = 3
 sources = files('rte_security.c')
 headers = files('rte_security.h', 'rte_security_driver.h')
 deps += ['mempool', 'cryptodev']

diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfcd78bc0a23f30e1f2049ca592a04156433..546779df2b21c24a16298d3c9c28ed6812a0990b 100644 (file)
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -212,6 +212,10 @@ struct rte_security_ipsec_xform {
        /**< Tunnel parameters, NULL for transport mode */
        uint64_t esn_soft_limit;
        /**< ESN for which the overflow event need to be raised */
+       uint32_t replay_win_sz;
+       /**< Anti replay window size to enable sequence replay attack handling.
+        * replay checking is disabled if the window size is 0.
+        */
 };
 
 /**
@@ -563,6 +567,10 @@ struct rte_security_capability {
                        /**< IPsec SA direction */
                        struct rte_security_ipsec_sa_options options;
                        /**< IPsec SA supported options */
+                       uint32_t replay_win_sz_max;
+                       /**< IPsec Anti Replay Window Size. A '0' value
+                        * indicates that Anti Replay is not supported.
+                        */
                } ipsec;
                /**< IPsec capability */
                struct {