ipsec: allow stateless IPsec processing

Introduce stateless packet preparation API for IPsec
processing. The new API would allow preparation of IPsec
packets without altering the internal state of a

ipsec: allow stateless IPsec processing

Introduce stateless packet preparation API for IPsec
processing. The new API would allow preparation of IPsec
packets without altering the internal state of an IPsec
session.

For outbound IPsec processing, the change enables user to
provide sequence number to be used for the IPsec operation.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

test: tag tests type

Rather than having the test types called out in the meson.build file, we
can use macros to identify the test type in the C file itself and then
dynamically build up the tests li

test: tag tests type

Rather than having the test types called out in the meson.build file, we
can use macros to identify the test type in the C file itself and then
dynamically build up the tests lists at config time.

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
Acked-by: Morten Brørup <mb@smartsharesystems.com>

show more ...

remove repeated words

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>

security: remove private mempool usage

As per current design, rte_security_session_create()
unnecessarily use 2 mempool objects for a single session.

To address this, the API will now take only 1 m

security: remove private mempool usage

As per current design, rte_security_session_create()
unnecessarily use 2 mempool objects for a single session.

To address this, the API will now take only 1 mempool
object instead of 2. With this change, the library layer
will get the object from mempool and session priv data is
stored contiguously in the same mempool object.

User need to ensure that the mempool created in application
is big enough for session private data as well. This can be
ensured if the pool is created after getting size of session
priv data using API rte_security_session_get_size().

Since set and get pkt metadata for security sessions are now
made inline for Inline crypto/proto mode, a new member fast_mdata
is added to the rte_security_session.
To access opaque data and fast_mdata will be accessed via inline
APIs which can do pointer manipulations inside library from
session_private_data pointer coming from application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>

show more ...

cryptodev: hide symmetric session structure

Structure rte_cryptodev_sym_session is moved to internal
headers which are not visible to applications.
The only field which should be used by app is opaq

cryptodev: hide symmetric session structure

Structure rte_cryptodev_sym_session is moved to internal
headers which are not visible to applications.
The only field which should be used by app is opaque_data.
This field can now be accessed via set/get APIs added in this
patch.
Subsequent changes in app and lib are made to compile the code.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Kai Ji <kai.ji@intel.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>

show more ...

cryptodev: rework session framework

As per current design, rte_cryptodev_sym_session_create() and
rte_cryptodev_sym_session_init() use separate mempool objects
for a single session.
And structure rt

cryptodev: rework session framework

As per current design, rte_cryptodev_sym_session_create() and
rte_cryptodev_sym_session_init() use separate mempool objects
for a single session.
And structure rte_cryptodev_sym_session is not directly used
by the application, it may cause ABI breakage if the structure
is modified in future.

To address these two issues, the rte_cryptodev_sym_session_create
will take one mempool object that the session and session private
data are virtually/physically contiguous, and initializes both
fields. The API rte_cryptodev_sym_session_init is removed.

rte_cryptodev_sym_session_create will now return an opaque session
pointer which will be used by the app and other APIs.

In data path, opaque session pointer is attached to rte_crypto_op
and the PMD can call an internal library API to get the session
private data pointer based on the driver id.

Note: currently single session may be used by different device
drivers, given it is initialized by them. After the change the
session created by one device driver cannot be used or
reinitialized by another driver.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Ruifeng Wang <ruifeng.wang@arm.com>
Acked-by: Kai Ji <kai.ji@intel.com>
Tested-by: Gagandeep Singh <g.singh@nxp.com>
Tested-by: David Coyle <david.coyle@intel.com>
Tested-by: Kevin O'Sullivan <kevin.osullivan@intel.com>

show more ...

test/ipsec: fix build with GCC 12

GCC-12 raises following warning:

In function '_mm_loadu_si128',
inlined from 'rte_mov16' at
../lib/eal/x86/include/rte_memcpy.h:507:9,
inlined from 'rte_m

test/ipsec: fix build with GCC 12

GCC-12 raises following warning:

In function '_mm_loadu_si128',
inlined from 'rte_mov16' at
../lib/eal/x86/include/rte_memcpy.h:507:9,
inlined from 'rte_mov128' at
../lib/eal/x86/include/rte_memcpy.h:549:2,
inlined from 'rte_memcpy_generic' at
../lib/eal/x86/include/rte_memcpy.h:732:4,
inlined from 'rte_memcpy' at
../lib/eal/x86/include/rte_memcpy.h:882:10,
inlined from 'setup_test_string_tunneled' at
../app/test/test_ipsec.c:617:3:
/usr/lib/gcc/x86_64-pc-linux-gnu/12.1.1/include/emmintrin.h:703:10: error:
array subscript '__m128i_u[15]' is partly outside array bounds of
'const uint8_t[255]' {aka 'const unsigned char[255]'}
[-Werror=array-bounds]
703 | return *__P;
| ^~~~
../app/test/test_ipsec.c: In function 'setup_test_string_tunneled':
../app/test/test_ipsec.c:491:22: note: at offset 240 into object
'esp_pad_bytes' of size 255
491 | static const uint8_t esp_pad_bytes[IPSEC_MAX_PAD_SIZE] = {

This patch restrict the copy to minimum size.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Amit Prakash Shukla <amitprakashs@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

show more ...

test/ipsec: skip if no compatible device

ipsec_autotest is now skipped if no compatible crypto devices are found.

Fixes issue where if at least one crypto device was found but no
compatible crypto

test/ipsec: skip if no compatible device

ipsec_autotest is now skipped if no compatible crypto devices are found.

Fixes issue where if at least one crypto device was found but no
compatible crypto devices for the ipsec_autotest test case are present,
the case would fail with no error message. Now, when this situation is
encountered, the test case will be skipped with an explanation.

Fixes: 59d7353b0df0 ("test/ipsec: fix test suite setup")
Cc: stable@dpdk.org

Signed-off-by: Jeremy Spewock <jspewock@iol.unh.edu>
Signed-off-by: Owen Hilyard <ohilyard@iol.unh.edu>
Reviewed-by: Ruifeng Wang <ruifeng.wang@arm.com>

show more ...

test/ipsec: fix build with GCC 12

GCC 12 raises the following warning:

In function ‘_mm256_loadu_si256’,
inlined from ‘rte_mov32’ at
../lib/eal/x86/include/rte_memcpy.h:319:9,
inlin

test/ipsec: fix build with GCC 12

GCC 12 raises the following warning:

In function ‘_mm256_loadu_si256’,
inlined from ‘rte_mov32’ at
../lib/eal/x86/include/rte_memcpy.h:319:9,
inlined from ‘rte_mov128’ at
../lib/eal/x86/include/rte_memcpy.h:344:2,
inlined from ‘rte_memcpy_generic’ at
../lib/eal/x86/include/rte_memcpy.h:438:4,
inlined from ‘rte_memcpy’ at
../lib/eal/x86/include/rte_memcpy.h:882:10,
inlined from ‘setup_test_string.constprop’ at
../app/test/test_ipsec.c:572:4:
/usr/lib/gcc/x86_64-redhat-linux/12/include/avxintrin.h:929:10: error:
array subscript ‘__m256i_u[3]’ is partly outside array bounds of
‘const char[108]’ [-Werror=array-bounds]
929 | return *__P;
| ^~~~
../app/test/test_ipsec.c: In function ‘setup_test_string.constprop’:
../app/test/test_ipsec.c:539:12: note: at offset 96 into object
‘null_plain_data’ of size 108
539 | const char null_plain_data[] =
| ^~~~~~~~~~~~~~~

Add a hint so that the compiler understands the copied data is within
the passed string boundaries.

Bugzilla ID: 848
Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>

show more ...

test: skip unsupported tests on Windows

Skip tests which are not yet supported for Windows:
- The libraries that tests depend on are not enabled on Windows yet
- The tests can compile but with issue

test: skip unsupported tests on Windows

Skip tests which are not yet supported for Windows:
- The libraries that tests depend on are not enabled on Windows yet
- The tests can compile but with issue still under investigation
* test_func_reentrancy:
Windows EAL has no protection against repeated calls.
* test_lcores:
Execution enters an infinite loops, requires investigation.
* test_rcu_qsbr_perf:
Execution hangs on Windows, requires investigation.

Signed-off-by: Jie Zhou <jizh@linux.microsoft.com>
Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
Acked-by: Tyler Retzlaff <roretzla@linux.microsoft.com>

show more ...

fix spelling in comments and doxygen

Fix spelling errors in comments including doxygen found using codespell.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Konstantin Anan

fix spelling in comments and doxygen

Fix spelling errors in comments including doxygen found using codespell.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
Acked-by: Ray Kinsella <mdr@ashroe.eu>
Acked-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
Acked-by: Chenbo Xia <chenbo.xia@intel.com>

show more ...

mbuf: add namespace to offload flags

Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.

Sign

mbuf: add namespace to offload flags

Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Acked-by: Andrew Rybchenko <andrew.rybchenko@oktetlabs.ru>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Acked-by: Somnath Kotur <somnath.kotur@broadcom.com>

show more ...

test/crypto: remove illegal PMD header include

rte_cryptodev_pmd.h is an interface between
driver and library and it is mentioned in the
file that application cannot use it directly.
Hence, removing

test/crypto: remove illegal PMD header include

rte_cryptodev_pmd.h is an interface between
driver and library and it is mentioned in the
file that application cannot use it directly.
Hence, removing the include.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Matan Azrad <matan@nvidia.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>

show more ...

test/crypto: move test suite parameters to header file

The testsuite params struct and ut functions are now in the cryptodev
test header file. This will allow them be used outside of the
cryptodev_t

test/crypto: move test suite parameters to header file

The testsuite params struct and ut functions are now in the cryptodev
test header file. This will allow them be used outside of the
cryptodev_test.c file. They will be used in a subsequent patch by the
blockcipher test.

As a result of this change, slight renaming changes were necessary
for ipsec and asym tests, to avoid a clash in names.

Signed-off-by: Ciara Power <ciara.power@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Tested-by: Ruifeng Wang <ruifeng.wang@arm.com>

show more ...

test/ipsec: fix result code for not supported

During SA creation, if the required algorithm is not supported,
drivers can return ENOTSUP. But in most of the IPsec test cases,
if the SA creation does

test/ipsec: fix result code for not supported

During SA creation, if the required algorithm is not supported,
drivers can return ENOTSUP. But in most of the IPsec test cases,
if the SA creation does not success, it just returns
TEST_FAILED.

This patch fixes this issue by returning the actual return values
from the driver to the application, so that it can make decisions
whether the test case is passed, failed or unsupported.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

show more ...

security: update session create API

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the nu

security: update session create API

The API ``rte_security_session_create`` takes only single
mempool for session and session private data. So the
application need to create mempool for twice the number of
sessions needed and will also lead to wastage of memory as
session private data need more memory compared to session.
Hence the API is modified to take two mempool pointers
- one for session and one for private data.
This is very similar to crypto based session create APIs.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>
Tested-by: Lukasz Wojciechowski <l.wojciechow@partner.samsung.com>

show more ...

test/ipsec: fix crash in session destroy

Segfault was observed when running ipsec unit test:

+ TestCase [10] : test_ipsec_replay_inb_repeat_null_null_wrapper
succeeded
+ TestCa

test/ipsec: fix crash in session destroy

Segfault was observed when running ipsec unit test:

+ TestCase [10] : test_ipsec_replay_inb_repeat_null_null_wrapper
succeeded
+ TestCase [11] : test_ipsec_replay_inb_inside_burst_null_null_wrapper
succeeded
+ TestCase [12] : test_ipsec_crypto_inb_burst_2sa_null_null_wrapper
succeeded
+ TestCase [13] : test_ipsec_crypto_inb_burst_2sa_4grp_null_null_wrapper
succeeded
Segmentation fault

Data corruption happens due to incorrect destroy of session. Security
session needs process different from crypto session.

Destroy corresponding sessions according to different security actions.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Ruifeng Wang <ruifeng.wang@arm.com>
Reviewed-by: Phil Yang <phil.yang@arm.com>
Reviewed-by: Gavin Hu <gavin.hu@arm.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

show more ...

test/ipsec: fix a typo in function name

The name of the static function check_cryptodev_capablity()
is fixed for the word "capability".
There is no functional change.

The same typo is fixed in a co

test/ipsec: fix a typo in function name

The name of the static function check_cryptodev_capablity()
is fixed for the word "capability".
There is no functional change.

The same typo is fixed in a comment in ip_fragmentation example.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

show more ...

ipsec: remove redundant replay window size

The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usa

ipsec: remove redundant replay window size

The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usages.

Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

show more ...

net: add missing rte prefix for ESP tail

This structure has been missed during the big rework.

Fixes: 5ef254676752 ("net: add rte prefix to ESP structure")
Cc: stable@dpdk.org

Signed-off-by: David

net: add missing rte prefix for ESP tail

This structure has been missed during the big rework.

Fixes: 5ef254676752 ("net: add rte prefix to ESP structure")
Cc: stable@dpdk.org

Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Ferruh Yigit <ferruh.yigit@intel.com>

show more ...

test/ipsec: fix destroy SA

Call rte_cryptodev_sym_session_clear() function.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Bernard Iremonger <bern

test/ipsec: fix destroy SA

Call rte_cryptodev_sym_session_clear() function.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

show more ...

test/ipsec: fix tear down

Set freed cop pointers to NULL
Set other freed pointers to NULL instead of 0

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-

test/ipsec: fix tear down

Set freed cop pointers to NULL
Set other freed pointers to NULL instead of 0

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

show more ...

test/ipsec: improve debug in group tests

Add dump_grp_pkt() function.
Dump invalid mbuf data in case of error in group tests 12 and 13.

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com

test/ipsec: improve debug in group tests

Add dump_grp_pkt() function.
Dump invalid mbuf data in case of error in group tests 12 and 13.

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

show more ...

test/ipsec: add extra test configuration

Add extra test configuration for BURST_SIZE packets

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.

test/ipsec: add extra test configuration

Add extra test configuration for BURST_SIZE packets

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

show more ...

test/ipsec: fix log messages

Error log messages after the create_sa() function calls
were using the wrong function name.
The function name is replaced with create_sa.

Fixes: 05fe65eb66b2 ("test/ips

test/ipsec: fix log messages

Error log messages after the create_sa() function calls
were using the wrong function name.
The function name is replaced with create_sa.

Fixes: 05fe65eb66b2 ("test/ipsec: introduce functional test")
Cc: stable@dpdk.org

Signed-off-by: Bernard Iremonger <bernard.iremonger@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

show more ...