fix spelling in comments and strings

The tool comes from https://github.com/jsoref

Signed-off-by: Josh Soref <[email protected]>
Signed-off-by: Thomas Monjalon <[email protected]>

examples/ipsec-secgw: support additional algorithms

Add support for AES-GMAC, AES_CTR, AES_XCBC_MAC,
AES_CCM, CHACHA20_POLY1305

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-b

examples/ipsec-secgw: support additional algorithms

Add support for AES-GMAC, AES_CTR, AES_XCBC_MAC,
AES_CCM, CHACHA20_POLY1305

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: define initial ESN value

New option added to the SA configuration arguments that
allows setting an arbitrary start value for ESN.

For example in the SA below ESN will be enabl

examples/ipsec-secgw: define initial ESN value

New option added to the SA configuration arguments that
allows setting an arbitrary start value for ESN.

For example in the SA below ESN will be enabled and first egress
IPsec packet will have the ESN value 10000:

sa out 15 cipher_algo null auth_algo null mode ipv4-tunnel \
src 172.16.1.5 dst 172.16.2.5 \
esn 10000

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support telemetry

Add telemetry support to the IPsec GW sample app and add
support for per SA telemetry when using IPsec library.

Signed-off-by: Declan Doherty <declan.doherty

examples/ipsec-secgw: support telemetry

Add telemetry support to the IPsec GW sample app and add
support for per SA telemetry when using IPsec library.

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support UDP encap for inline crypto

Enable UDP encapsulation for both transport and tunnel modes for the
inline crypto offload path.

Signed-off-by: Radu Nicolau <radu.nicolau@

examples/ipsec-secgw: support UDP encap for inline crypto

Enable UDP encapsulation for both transport and tunnel modes for the
inline crypto offload path.

Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support TCP TSO

Add support to allow user to specific MSS for TCP TSO offload on a per SA
basis. MSS configuration in the context of IPsec is only supported for
outbound SA's i

examples/ipsec-secgw: support TCP TSO

Add support to allow user to specific MSS for TCP TSO offload on a per SA
basis. MSS configuration in the context of IPsec is only supported for
outbound SA's in the context of an inline IPsec Crypto offload.

Signed-off-by: Declan Doherty <[email protected]>
Signed-off-by: Radu Nicolau <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

mbuf: add namespace to offload flags

Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.

Sign

mbuf: add namespace to offload flags

Fix the mbuf offload flags namespace by adding an RTE_ prefix to the
name. The old flags remain usable, but a deprecation warning is issued
at compilation.

Signed-off-by: Olivier Matz <[email protected]>
Acked-by: Andrew Rybchenko <[email protected]>
Acked-by: Ajit Khaparde <[email protected]>
Acked-by: Somnath Kotur <[email protected]>

show more ...

ethdev: add namespace

Add 'RTE_ETH' namespace to all enums & macros in a backward compatible
way. The macros for backward compatibility can be removed in next LTS.
Also updated some struct names to

ethdev: add namespace

Add 'RTE_ETH' namespace to all enums & macros in a backward compatible
way. The macros for backward compatibility can be removed in next LTS.
Also updated some struct names to have 'rte_eth' prefix.

All internal components switched to using new names.

Syntax fixed on lines that this patch touches.

Signed-off-by: Ferruh Yigit <[email protected]>
Acked-by: Tyler Retzlaff <[email protected]>
Acked-by: Andrew Rybchenko <[email protected]>
Acked-by: Ajit Khaparde <[email protected]>
Acked-by: Jerin Jacob <[email protected]>
Acked-by: Wisam Jaddo <[email protected]>
Acked-by: Rosen Xu <[email protected]>
Acked-by: Chenbo Xia <[email protected]>
Acked-by: Hemant Agrawal <[email protected]>
Acked-by: Somnath Kotur <[email protected]>

show more ...

examples/ipsec-secgw: support inline UDP encapsulation

Adds support to allow udp-encap option for
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL mode also.

Signed-off-by: Srujana Challa <schalla@marvell.

examples/ipsec-secgw: support inline UDP encapsulation

Adds support to allow udp-encap option for
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL mode also.

Signed-off-by: Srujana Challa <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>

show more ...

examples/ipsec-secgw: support UDP encapsulation

Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulat

examples/ipsec-secgw: support UDP encapsulation

Adding lookaside IPsec UDP encapsulation support
for NAT traversal.
Application has to add udp-encap option to sa config file
to enable UDP encapsulation on the SA.

Signed-off-by: Tejasree Kondoj <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>

show more ...

examples/ipsec-secgw: remove limitation for crypto sessions

Get rid of hardcoded limit of cryptodev sessions.

Signed-off-by: Vladimir Medvedkin <[email protected]>
Tested-by: Konstantin

examples/ipsec-secgw: remove limitation for crypto sessions

Get rid of hardcoded limit of cryptodev sessions.

Signed-off-by: Vladimir Medvedkin <[email protected]>
Tested-by: Konstantin Ananyev <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: fix ESP flow error log

Function create_ipsec_esp_flow returns a negative number in case of any
failure and we are passing this to strerror to display the error message.
But str

examples/ipsec-secgw: fix ESP flow error log

Function create_ipsec_esp_flow returns a negative number in case of any
failure and we are passing this to strerror to display the error message.
But strerror()'s argument cannot be negative.
In case of failure, displaying exact error message to console is handled
in create_ipsec_esp_flow function.
So it is not required to print the error message again using strerror.
This patch will remove the unnecessary calling of strerror function
to fix the negative argument passing to strerror issue.

Coverity issue: 357691
Fixes: 6738c0a95695 ("examples/ipsec-secgw: support flow director")

Signed-off-by: Praveen Shetty <[email protected]>
Acked-by: Lukasz Wojciechowski <[email protected]>
Acked-by: Anoob Joseph <[email protected]>

show more ...

examples/ipsec-secgw: support flow director

Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the speci

examples/ipsec-secgw: support flow director

Support load distribution in security gateway application using
NIC load distribution feature (Flow Director).
Flow Director is used to redirect the specified inbound ipsec flow
to a specified queue. This is achieved by extending the SA rule syntax
to support specification by adding new action_type of <flow-direction>
to a specified <port_id> <queue_id>.

Signed-off-by: Praveen Shetty <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support 192/256 AES key sizes

Adding support for the following,
1. AES-192-GCM
2. AES-256-GCM
3. AES-192-CBC

Signed-off-by: Anoob Joseph <[email protected]>
Signed-off-by: Te

examples/ipsec-secgw: support 192/256 AES key sizes

Adding support for the following,
1. AES-192-GCM
2. AES-256-GCM
3. AES-192-CBC

Signed-off-by: Anoob Joseph <[email protected]>
Signed-off-by: Tejasree Kondoj <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: enable CPU crypto fallback

Added cpu-crypto fallback option parsing as well as tests for it

Signed-off-by: Mariusz Drost <[email protected]>
Tested-by: Konstantin Anany

examples/ipsec-secgw: enable CPU crypto fallback

Added cpu-crypto fallback option parsing as well as tests for it

Signed-off-by: Mariusz Drost <[email protected]>
Tested-by: Konstantin Ananyev <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>

show more ...

examples/ipsec-secgw: add event mode

Add eventmode support to ipsec-secgw. With the aid of event helper
configure and use the eventmode capabilities.

Signed-off-by: Anoob Joseph <[email protected]

examples/ipsec-secgw: add event mode

Add eventmode support to ipsec-secgw. With the aid of event helper
configure and use the eventmode capabilities.

Signed-off-by: Anoob Joseph <[email protected]>
Signed-off-by: Lukasz Bartosik <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: extend inline session to non AES-GCM

This patch extends creation of inline session to all the algorithms.
Previously the inline session was enabled only for AES-GCM cipher.

Fi

examples/ipsec-secgw: extend inline session to non AES-GCM

This patch extends creation of inline session to all the algorithms.
Previously the inline session was enabled only for AES-GCM cipher.

Fixes: 3a690d5a65e2 ("examples/ipsec-secgw: fix first packet with inline crypto")
Cc: [email protected]

Signed-off-by: Ankur Dwivedi <[email protected]>
Acked-by: Anoob Joseph <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: support CPU crypto

Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.

Legacy mode i

examples/ipsec-secgw: support CPU crypto

Add support for CPU accelerated crypto. 'cpu-crypto' SA type has
been introduced in configuration allowing to use abovementioned
acceleration.

Legacy mode is not currently supported.

Signed-off-by: Konstantin Ananyev <[email protected]>
Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Fan Zhang <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: add SAD cache

Introduce SAD cache.
Stores the most recent SA in a per lcore cache.
Cache represents flat array containing SA's indexed by SPI.

Signed-off-by: Vladimir Medvedki

examples/ipsec-secgw: add SAD cache

Introduce SAD cache.
Stores the most recent SA in a per lcore cache.
Cache represents flat array containing SA's indexed by SPI.

Signed-off-by: Vladimir Medvedkin <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Anoob Joseph <[email protected]>

show more ...

examples/ipsec-secgw: get rid of maximum SA limitation

Get rid of maximum SA limitation.
Keep parsed SA's into the sorted by SPI value array.
Use binary search in the sorted SA array to find appropr

examples/ipsec-secgw: get rid of maximum SA limitation

Get rid of maximum SA limitation.
Keep parsed SA's into the sorted by SPI value array.
Use binary search in the sorted SA array to find appropriate SA
for a given SPI.

Signed-off-by: Vladimir Medvedkin <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Anoob Joseph <[email protected]>

show more ...

examples/ipsec-secgw: integrate inbound SAD

Integrate ipsec SAD support into secgw app:

1. Use SAD library for inbound SA lookup
2. Changes in struct sa_ctx:
- sa array allocates dynamically depe

examples/ipsec-secgw: integrate inbound SAD

Integrate ipsec SAD support into secgw app:

1. Use SAD library for inbound SA lookup
2. Changes in struct sa_ctx:
- sa array allocates dynamically depending on number of configured sa
- All SA's are kept one by one without using SPI2IDX
3. SP's userdata now contain index of SA in sa_ctx instead of SPI
4. Get rid of SPI2IDX macro

Signed-off-by: Vladimir Medvedkin <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>
Acked-by: Anoob Joseph <[email protected]>

show more ...

examples/ipsec-secgw: fix crash on unsupported algo

If algo is NULL set the status to error and return. This change
prevent crashing of ipsec-secgw application when a specific
cipher/auth/aead algo

examples/ipsec-secgw: fix crash on unsupported algo

If algo is NULL set the status to error and return. This change
prevent crashing of ipsec-secgw application when a specific
cipher/auth/aead algo are not supported by application.

Fixes: 0d547ed03717 ("examples/ipsec-secgw: support configuration file")
Cc: [email protected]

Signed-off-by: Savinay Dharmappa <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>

show more ...

ipsec: remove redundant replay window size

The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usa

ipsec: remove redundant replay window size

The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.

The relevant tests, app are also update to reflect
the usages.

Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.

Signed-off-by: Hemant Agrawal <[email protected]>
Acked-by: Konstantin Ananyev <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: fix SHA256-HMAC digest length

As per RFC4868, SHA-256 should use 128 bits of ICV.
Fixes: b5350285ce6e ("examples/ipsec-secgw: support SHA256 HMAC")
Cc: [email protected]

Signed-

examples/ipsec-secgw: fix SHA256-HMAC digest length

As per RFC4868, SHA-256 should use 128 bits of ICV.
Fixes: b5350285ce6e ("examples/ipsec-secgw: support SHA256 HMAC")
Cc: [email protected]

Signed-off-by: Vakul Garg <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...

examples/ipsec-secgw: fix GCM IV length

The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.

ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) whi

examples/ipsec-secgw: fix GCM IV length

The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.

ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
later concatenated with be32(1) forms a J0 block. GCM specification
([2], chapter 7.1) states that when length of IV is different than
96b, in order to format a J0 block, GHASH function must be used.

According to specification ([2], chapter 5.1.1) GCM implementations
should support standard 96bit IVs, other lengths are optional. Every
DPDK cryptodev supports 96bit IV and few of them supports 128bit
IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
cryptodev which does support standard IVs only (e.g. qat) it
implicitly uses starting 96 bits. On the other hand, openssl follows
specification and uses GHASH to compute J0 for that case which results
in different than expected J0 values used for encryption/decryption.

Fix an inability to use AES-GCM with crypto_openssl by changing IV
length to the standard value of 12.

[1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
https://tools.ietf.org/html/rfc4106
[2] NIST SP800-38D
https://csrc.nist.gov/publications/detail/sp/800-38d/final

Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")
Cc: [email protected]

Signed-off-by: Marcin Smoczynski <[email protected]>
Acked-by: Akhil Goyal <[email protected]>

show more ...