[PATCH 0/2] compile ipsec on Windows

[PATCH 0/2] compile ipsec on Windows

[Andre Muezerie]

Removed VLA for compatibility with MSVC (which does not support VLAs).
Used alloca when a constant fixed length that can be used instead is
not known.

Implementation for rte_ipsec_pkt_crypto_group and
rte_ipsec_ses_from_crypto was moved to new file
lib\ipsec\ipsec_group.c because these functions get exported in a
shared library (lib\ipsec\version.map).

Implementation for rte_ipsec_pkt_crypto_prepare and
rte_ipsec_pkt_process was moved to new file lib\ipsec\ipsec.c because
these functions get exported in a shared library
(lib\ipsec\version.map).

Removed logic which was skipping ipsec on Windows.

Andre Muezerie (2):
  lib/ipsec: compile ipsec on Windows
  app/test: enable ipsec-related tests

 app/test/test_ipsec.c                 | 17 +----
 app/test/test_ipsec_perf.c            | 13 ----
 app/test/test_ipsec_sad.c             | 13 ----
 app/test/test_security_inline_proto.c | 26 --------
 lib/ipsec/esp_inb.c                   | 57 +++++++++++-----
 lib/ipsec/esp_outb.c                  | 48 ++++++++++----
 lib/ipsec/ipsec.c                     | 19 ++++++
 lib/ipsec/ipsec_group.c               | 93 +++++++++++++++++++++++++++
 lib/ipsec/ipsec_sad.c                 |  1 +
 lib/ipsec/ipsec_telemetry.c           |  1 +
 lib/ipsec/meson.build                 | 10 +--
 lib/ipsec/misc.h                      | 10 ++-
 lib/ipsec/rte_ipsec.h                 | 15 ++---
 lib/ipsec/rte_ipsec_group.h           | 84 ++----------------------
 lib/ipsec/sa.c                        |  4 +-
 15 files changed, 210 insertions(+), 201 deletions(-)
 create mode 100644 lib/ipsec/ipsec.c
 create mode 100644 lib/ipsec/ipsec_group.c

--
2.47.0.vfs.0.3

[PATCH 1/2] lib/ipsec: compile ipsec on Windows

[Andre Muezerie]

Removed VLA for compatibility with MSVC (which does not support VLAs).
Used alloca when a constant fixed length that can be used instead is
not known.

Implementation for rte_ipsec_pkt_crypto_group and
rte_ipsec_ses_from_crypto was moved to new file
lib\ipsec\ipsec_group.c because these functions get exported in a
shared library (lib\ipsec\version.map).

Implementation for rte_ipsec_pkt_crypto_prepare and
rte_ipsec_pkt_process was moved to new file lib\ipsec\ipsec.c because
these functions get exported in a shared library
(lib\ipsec\version.map).

Removed code in meson.build which was skipping ipsec on Windows.

Signed-off-by: Andre Muezerie <andremue@linux.microsoft.com>
---
 lib/ipsec/esp_inb.c         | 57 ++++++++++++++++-------
 lib/ipsec/esp_outb.c        | 48 +++++++++++++------
 lib/ipsec/ipsec.c           | 19 ++++++++
 lib/ipsec/ipsec_group.c     | 93 +++++++++++++++++++++++++++++++++++++
 lib/ipsec/ipsec_sad.c       |  1 +
 lib/ipsec/ipsec_telemetry.c |  1 +
 lib/ipsec/meson.build       | 10 +---
 lib/ipsec/misc.h            | 10 ++--
 lib/ipsec/rte_ipsec.h       | 15 ++----
 lib/ipsec/rte_ipsec_group.h | 84 ++-------------------------------
 lib/ipsec/sa.c              |  4 +-
 11 files changed, 208 insertions(+), 134 deletions(-)
 create mode 100644 lib/ipsec/ipsec.c
 create mode 100644 lib/ipsec/ipsec_group.c

diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c
index f159bf7460..305ac48dc5 100644
--- a/lib/ipsec/esp_inb.c
+++ b/lib/ipsec/esp_inb.c
@@ -370,8 +370,9 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
 	struct rte_cryptodev_sym_session *cs;
 	struct replay_sqn *rsn;
 	union sym_op_data icv;
-	uint32_t dr[num];
+	uint32_t *dr;
 
+	dr = alloca(sizeof(uint32_t) * num);
 	sa = ss->sa;
 	cs = ss->crypto.ses;
 	rsn = rsn_acquire(sa);
@@ -576,12 +577,16 @@ tun_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 	    uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len)
 {
 	uint32_t adj, i, k, tl, bytes;
-	uint32_t hl[num], to[num];
-	struct rte_esp_tail espt[num];
-	struct rte_mbuf *ml[num];
+	uint32_t *hl, *to;
+	struct rte_esp_tail *espt;
+	struct rte_mbuf **ml;
 	const void *outh;
 	void *inh;
 
+	hl = alloca(sizeof(uint32_t) * num);
+	to = alloca(sizeof(uint32_t) * num);
+	espt = alloca(sizeof(struct rte_esp_tail) * num);
+	ml = alloca(sizeof(struct rte_mbuf *) * num);
 	/*
 	 * remove icv, esp trailer and high-order
 	 * 32 bits of esn from packet length
@@ -640,10 +645,14 @@ trs_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 {
 	char *np;
 	uint32_t i, k, l2, tl, bytes;
-	uint32_t hl[num], to[num];
-	struct rte_esp_tail espt[num];
-	struct rte_mbuf *ml[num];
-
+	uint32_t *hl, *to;
+	struct rte_esp_tail *espt;
+	struct rte_mbuf **ml;
+
+	hl = alloca(sizeof(uint32_t) * num);
+	to = alloca(sizeof(uint32_t) * num);
+	espt = alloca(sizeof(struct rte_esp_tail) * num);
+	ml = alloca(sizeof(struct rte_mbuf *) * num);
 	/*
 	 * remove icv, esp trailer and high-order
 	 * 32 bits of esn from packet length
@@ -724,8 +733,11 @@ esp_inb_pkt_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 	uint16_t num, uint8_t sqh_len, esp_inb_process_t process)
 {
 	uint32_t k, n;
-	uint32_t sqn[num];
-	uint32_t dr[num];
+	uint32_t *sqn;
+	uint32_t *dr;
+
+	sqn = alloca(sizeof(uint32_t) * num);
+	dr = alloca(sizeof(uint32_t) * num);
 
 	/* process packets, extract seq numbers */
 	k = process(sa, mb, sqn, dr, num, sqh_len);
@@ -760,13 +772,24 @@ cpu_inb_pkt_prepare(const struct rte_ipsec_session *ss,
 	struct rte_ipsec_sa *sa;
 	struct replay_sqn *rsn;
 	union sym_op_data icv;
-	struct rte_crypto_va_iova_ptr iv[num];
-	struct rte_crypto_va_iova_ptr aad[num];
-	struct rte_crypto_va_iova_ptr dgst[num];
-	uint32_t dr[num];
-	uint32_t l4ofs[num];
-	uint32_t clen[num];
-	uint64_t ivbuf[num][IPSEC_MAX_IV_QWORD];
+	struct rte_crypto_va_iova_ptr *iv;
+	struct rte_crypto_va_iova_ptr *aad;
+	struct rte_crypto_va_iova_ptr *dgst;
+	uint32_t *dr;
+	uint32_t *l4ofs;
+	uint32_t *clen;
+	uint64_t **ivbuf;
+
+	iv = alloca(sizeof(struct rte_crypto_va_iova_ptr) * num);
+	aad = alloca(sizeof(struct rte_crypto_va_iova_ptr) * num);
+	dgst = alloca(sizeof(struct rte_crypto_va_iova_ptr) * num);
+	dr = alloca(sizeof(uint32_t) * num);
+	l4ofs = alloca(sizeof(uint32_t) * num);
+	clen = alloca(sizeof(uint32_t) * num);
+
+	ivbuf = alloca(sizeof(uint64_t *) * num);
+	for (i = 0; i < num; i++)
+		ivbuf[i] = alloca(sizeof(uint64_t) * IPSEC_MAX_IV_QWORD);
 
 	sa = ss->sa;
 
diff --git a/lib/ipsec/esp_outb.c b/lib/ipsec/esp_outb.c
index 617fc52b21..838321b3b2 100644
--- a/lib/ipsec/esp_outb.c
+++ b/lib/ipsec/esp_outb.c
@@ -299,10 +299,11 @@ esp_outb_tun_prepare_helper(const struct rte_ipsec_session *ss, struct rte_mbuf
 	struct rte_cryptodev_sym_session *cs;
 	union sym_op_data icv;
 	uint64_t iv[IPSEC_MAX_IV_QWORD];
-	uint32_t dr[n];
+	uint32_t *dr;
 
 	sa = ss->sa;
 	cs = ss->crypto.ses;
+	dr = alloca(sizeof(uint32_t) * n);
 
 	k = 0;
 	for (i = 0; i != n; i++) {
@@ -468,10 +469,11 @@ esp_outb_trs_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
 	struct rte_cryptodev_sym_session *cs;
 	union sym_op_data icv;
 	uint64_t iv[IPSEC_MAX_IV_QWORD];
-	uint32_t dr[num];
+	uint32_t *dr;
 
 	sa = ss->sa;
 	cs = ss->crypto.ses;
+	dr = alloca(sizeof(uint32_t) * num);
 
 	n = num;
 	sqn = esn_outb_update_sqn(sa, &n);
@@ -558,15 +560,26 @@ cpu_outb_pkt_prepare_helper(const struct rte_ipsec_session *ss,
 	uint32_t i, k;
 	uint32_t l2, l3;
 	union sym_op_data icv;
-	struct rte_crypto_va_iova_ptr iv[n];
-	struct rte_crypto_va_iova_ptr aad[n];
-	struct rte_crypto_va_iova_ptr dgst[n];
-	uint32_t dr[n];
-	uint32_t l4ofs[n];
-	uint32_t clen[n];
-	uint64_t ivbuf[n][IPSEC_MAX_IV_QWORD];
+	struct rte_crypto_va_iova_ptr *iv;
+	struct rte_crypto_va_iova_ptr *aad;
+	struct rte_crypto_va_iova_ptr *dgst;
+	uint32_t *dr;
+	uint32_t *l4ofs;
+	uint32_t *clen;
+	uint64_t **ivbuf;
 
 	sa = ss->sa;
+	iv = alloca(sizeof(struct rte_crypto_va_iova_ptr) * n);
+	aad = alloca(sizeof(struct rte_crypto_va_iova_ptr) * n);
+	dgst = alloca(sizeof(struct rte_crypto_va_iova_ptr) * n);
+	dr = alloca(sizeof(uint32_t) * n);
+	l4ofs = alloca(sizeof(uint32_t) * n);
+	clen = alloca(sizeof(uint32_t) * n);
+
+	ivbuf = alloca(sizeof(uint64_t *) * n);
+	for (i = 0; i < n; i++)
+		ivbuf[i] = alloca(sizeof(uint64_t) * IPSEC_MAX_IV_QWORD);
+
 
 	for (i = 0, k = 0; i != n; i++) {
 
@@ -665,13 +678,14 @@ esp_outb_sqh_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
 	uint32_t i, k, icv_len, *icv, bytes;
 	struct rte_mbuf *ml;
 	struct rte_ipsec_sa *sa;
-	uint32_t dr[num];
+	uint32_t *dr;
 
 	sa = ss->sa;
 
 	k = 0;
 	icv_len = sa->icv_len;
 	bytes = 0;
+	dr = alloca(sizeof(uint32_t) * num);
 
 	for (i = 0; i != num; i++) {
 		if ((mb[i]->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED) == 0) {
@@ -764,8 +778,11 @@ inline_outb_tun_pkt_process(const struct rte_ipsec_session *ss,
 	struct rte_ipsec_sa *sa;
 	union sym_op_data icv;
 	uint64_t iv[IPSEC_MAX_IV_QWORD];
-	uint32_t dr[num];
-	uint16_t nb_segs[num];
+	uint32_t *dr;
+	uint16_t *nb_segs;
+
+	dr = alloca(sizeof(uint32_t) * num);
+	nb_segs = alloca(sizeof(uint16_t) * num);
 
 	sa = ss->sa;
 	nb_segs_total = 0;
@@ -832,8 +849,11 @@ inline_outb_trs_pkt_process(const struct rte_ipsec_session *ss,
 	struct rte_ipsec_sa *sa;
 	union sym_op_data icv;
 	uint64_t iv[IPSEC_MAX_IV_QWORD];
-	uint32_t dr[num];
-	uint16_t nb_segs[num];
+	uint32_t *dr;
+	uint16_t *nb_segs;
+
+	dr = alloca(sizeof(uint32_t) * num);
+	nb_segs = alloca(sizeof(uint16_t) * num);
 
 	sa = ss->sa;
 	nb_segs_total = 0;
diff --git a/lib/ipsec/ipsec.c b/lib/ipsec/ipsec.c
new file mode 100644
index 0000000000..77a6b6f024
--- /dev/null
+++ b/lib/ipsec/ipsec.c
@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018-2020 Intel Corporation
+ */
+
+#include "rte_ipsec.h"
+
+uint16_t
+rte_ipsec_pkt_crypto_prepare(const struct rte_ipsec_session *ss,
+	struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
+{
+	return ss->pkt_func.prepare.async(ss, mb, cop, num);
+}
+
+uint16_t
+rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
+	uint16_t num)
+{
+	return ss->pkt_func.process(ss, mb, num);
+}
diff --git a/lib/ipsec/ipsec_group.c b/lib/ipsec/ipsec_group.c
new file mode 100644
index 0000000000..c8373627af
--- /dev/null
+++ b/lib/ipsec/ipsec_group.c
@@ -0,0 +1,93 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include <rte_crypto.h>
+#include <rte_cryptodev.h>
+#include <rte_security.h>
+
+#include "rte_ipsec_group.h"
+
+uint16_t
+rte_ipsec_pkt_crypto_group(const struct rte_crypto_op *cop[],
+	struct rte_mbuf *mb[], struct rte_ipsec_group grp[], uint16_t num)
+{
+	uint32_t i, j, k, n;
+	void *ns, *ps;
+	struct rte_mbuf *m, **dr;
+
+	j = 0;
+	k = 0;
+	n = 0;
+	ps = NULL;
+	dr = alloca(sizeof(struct rte_mbuf *) * num);
+
+	for (i = 0; i != num; i++) {
+
+		m = cop[i]->sym[0].m_src;
+		ns = cop[i]->sym[0].session;
+
+		m->ol_flags |= RTE_MBUF_F_RX_SEC_OFFLOAD;
+		if (cop[i]->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
+			m->ol_flags |= RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED;
+
+		/* no valid session found */
+		if (ns == NULL) {
+			dr[k++] = m;
+			continue;
+		}
+
+		/* different SA */
+		if (ps != ns) {
+
+			/*
+			 * we already have an open group - finalize it,
+			 * then open a new one.
+			 */
+			if (ps != NULL) {
+				grp[n].id.ptr =
+					rte_ipsec_ses_from_crypto(cop[i - 1]);
+				grp[n].cnt = mb + j - grp[n].m;
+				n++;
+			}
+
+			/* start new group */
+			grp[n].m = mb + j;
+			ps = ns;
+		}
+
+		mb[j++] = m;
+	}
+
+	/* finalise last group */
+	if (ps != NULL) {
+		grp[n].id.ptr = rte_ipsec_ses_from_crypto(cop[i - 1]);
+		grp[n].cnt = mb + j - grp[n].m;
+		n++;
+	}
+
+	/* copy mbufs with unknown session beyond recognised ones */
+	if (k != 0 && k != num) {
+		for (i = 0; i != k; i++)
+			mb[j + i] = dr[i];
+	}
+
+	return n;
+}
+
+struct rte_ipsec_session *
+rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
+{
+	void *ses;
+
+	if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
+		ses = cop->sym[0].session;
+		return (struct rte_ipsec_session *)(uintptr_t)
+			rte_security_session_opaque_data_get(ses);
+	} else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
+		ses = cop->sym[0].session;
+		return (struct rte_ipsec_session *)(uintptr_t)
+			rte_cryptodev_sym_session_opaque_data_get(ses);
+	}
+	return NULL;
+}
diff --git a/lib/ipsec/ipsec_sad.c b/lib/ipsec/ipsec_sad.c
index 7e147e729c..151d160758 100644
--- a/lib/ipsec/ipsec_sad.c
+++ b/lib/ipsec/ipsec_sad.c
@@ -3,6 +3,7 @@
  */
 
 #include <string.h>
+#include <sys/queue.h>
 
 #include <rte_eal_memconfig.h>
 #include <rte_errno.h>
diff --git a/lib/ipsec/ipsec_telemetry.c b/lib/ipsec/ipsec_telemetry.c
index 68a91108dd..76095a89ce 100644
--- a/lib/ipsec/ipsec_telemetry.c
+++ b/lib/ipsec/ipsec_telemetry.c
@@ -3,6 +3,7 @@
  */
 
 #include <stdlib.h>
+#include <sys/queue.h>
 #include <rte_ipsec.h>
 #include <rte_telemetry.h>
 #include <rte_malloc.h>
diff --git a/lib/ipsec/meson.build b/lib/ipsec/meson.build
index 5c5a4aae78..c90197f595 100644
--- a/lib/ipsec/meson.build
+++ b/lib/ipsec/meson.build
@@ -1,15 +1,9 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright(c) 2018 Intel Corporation
 
-if is_windows
-    build = false
-    reason = 'not supported on Windows'
-    subdir_done()
-endif
-
 sources = files('esp_inb.c', 'esp_outb.c',
-                'sa.c', 'ses.c', 'ipsec_sad.c',
-                'ipsec_telemetry.c')
+                'ipsec.c', 'ipsec_group.c', 'ipsec_sad.c',
+                'ipsec_telemetry.c', 'sa.c', 'ses.c')
 
 headers = files('rte_ipsec.h', 'rte_ipsec_sa.h', 'rte_ipsec_sad.h')
 indirect_headers += files('rte_ipsec_group.h')
diff --git a/lib/ipsec/misc.h b/lib/ipsec/misc.h
index fd4d3f5256..dcc514b94b 100644
--- a/lib/ipsec/misc.h
+++ b/lib/ipsec/misc.h
@@ -20,10 +20,11 @@ move_bad_mbufs(struct rte_mbuf *mb[], const uint32_t bad_idx[], uint32_t nb_mb,
 	uint32_t nb_bad)
 {
 	uint32_t i, j, k;
-	struct rte_mbuf *drb[nb_bad];
+	struct rte_mbuf **drb;
 
 	j = 0;
 	k = 0;
+	drb = alloca(sizeof(struct rte_mbuf *) * nb_bad);
 
 	/* copy bad ones into a temp place */
 	for (i = 0; i != nb_mb; i++) {
@@ -119,8 +120,8 @@ cpu_crypto_bulk(const struct rte_ipsec_session *ss,
 {
 	uint32_t i, j, n;
 	int32_t vcnt, vofs;
-	int32_t st[num];
-	struct rte_crypto_sgl vecpkt[num];
+	int32_t *st;
+	struct rte_crypto_sgl *vecpkt;
 	struct rte_crypto_vec vec[UINT8_MAX];
 	struct rte_crypto_sym_vec symvec;
 
@@ -128,6 +129,9 @@ cpu_crypto_bulk(const struct rte_ipsec_session *ss,
 
 	j = 0, n = 0;
 	vofs = 0;
+	st = alloca(sizeof(int32_t) * num);
+	vecpkt = alloca(sizeof(struct rte_crypto_sgl) * num);
+
 	for (i = 0; i != num; i++) {
 
 		vcnt = rte_crypto_mbuf_to_vec(mb[i], l4ofs[i], clen[i],
diff --git a/lib/ipsec/rte_ipsec.h b/lib/ipsec/rte_ipsec.h
index e682d13315..ea3581b589 100644
--- a/lib/ipsec/rte_ipsec.h
+++ b/lib/ipsec/rte_ipsec.h
@@ -134,12 +134,9 @@ rte_ipsec_session_prepare(struct rte_ipsec_session *ss);
  * @return
  *   Number of successfully processed packets, with error code set in rte_errno.
  */
-static inline uint16_t
+uint16_t
 rte_ipsec_pkt_crypto_prepare(const struct rte_ipsec_session *ss,
-	struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num)
-{
-	return ss->pkt_func.prepare.async(ss, mb, cop, num);
-}
+	struct rte_mbuf *mb[], struct rte_crypto_op *cop[], uint16_t num);
 
 static inline uint16_t
 rte_ipsec_pkt_cpu_prepare(const struct rte_ipsec_session *ss,
@@ -231,13 +228,9 @@ rte_ipsec_pkt_cpu_prepare_stateless(const struct rte_ipsec_session *ss,
  * @return
  *   Number of successfully processed packets, with error code set in rte_errno.
  */
-static inline uint16_t
+uint16_t
 rte_ipsec_pkt_process(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
-	uint16_t num)
-{
-	return ss->pkt_func.process(ss, mb, num);
-}
-
+	uint16_t num);
 
 /**
  * Enable per SA telemetry for a specific SA.
diff --git a/lib/ipsec/rte_ipsec_group.h b/lib/ipsec/rte_ipsec_group.h
index c6458ef81e..b395d6bbac 100644
--- a/lib/ipsec/rte_ipsec_group.h
+++ b/lib/ipsec/rte_ipsec_group.h
@@ -41,22 +41,8 @@ struct rte_ipsec_group {
  * @return
  *   The pointer to the related *rte_ipsec_session* structure.
  */
-static inline struct rte_ipsec_session *
-rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
-{
-	void *ses;
-
-	if (cop->sess_type == RTE_CRYPTO_OP_SECURITY_SESSION) {
-		ses = cop->sym[0].session;
-		return (struct rte_ipsec_session *)(uintptr_t)
-			rte_security_session_opaque_data_get(ses);
-	} else if (cop->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
-		ses = cop->sym[0].session;
-		return (struct rte_ipsec_session *)(uintptr_t)
-			rte_cryptodev_sym_session_opaque_data_get(ses);
-	}
-	return NULL;
-}
+struct rte_ipsec_session *
+rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop);
 
 /**
  * Take as input completed crypto ops, extract related mbufs
@@ -78,71 +64,9 @@ rte_ipsec_ses_from_crypto(const struct rte_crypto_op *cop)
  * @return
  *   Number of filled elements in *grp* array.
  */
-static inline uint16_t
+uint16_t
 rte_ipsec_pkt_crypto_group(const struct rte_crypto_op *cop[],
-	struct rte_mbuf *mb[], struct rte_ipsec_group grp[], uint16_t num)
-{
-	uint32_t i, j, k, n;
-	void *ns, *ps;
-	struct rte_mbuf *m, *dr[num];
-
-	j = 0;
-	k = 0;
-	n = 0;
-	ps = NULL;
-
-	for (i = 0; i != num; i++) {
-
-		m = cop[i]->sym[0].m_src;
-		ns = cop[i]->sym[0].session;
-
-		m->ol_flags |= RTE_MBUF_F_RX_SEC_OFFLOAD;
-		if (cop[i]->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
-			m->ol_flags |= RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED;
-
-		/* no valid session found */
-		if (ns == NULL) {
-			dr[k++] = m;
-			continue;
-		}
-
-		/* different SA */
-		if (ps != ns) {
-
-			/*
-			 * we already have an open group - finalize it,
-			 * then open a new one.
-			 */
-			if (ps != NULL) {
-				grp[n].id.ptr =
-					rte_ipsec_ses_from_crypto(cop[i - 1]);
-				grp[n].cnt = mb + j - grp[n].m;
-				n++;
-			}
-
-			/* start new group */
-			grp[n].m = mb + j;
-			ps = ns;
-		}
-
-		mb[j++] = m;
-	}
-
-	/* finalise last group */
-	if (ps != NULL) {
-		grp[n].id.ptr = rte_ipsec_ses_from_crypto(cop[i - 1]);
-		grp[n].cnt = mb + j - grp[n].m;
-		n++;
-	}
-
-	/* copy mbufs with unknown session beyond recognised ones */
-	if (k != 0 && k != num) {
-		for (i = 0; i != k; i++)
-			mb[j + i] = dr[i];
-	}
-
-	return n;
-}
+	struct rte_mbuf *mb[], struct rte_ipsec_group grp[], uint16_t num);
 
 #ifdef __cplusplus
 }
diff --git a/lib/ipsec/sa.c b/lib/ipsec/sa.c
index 741e079831..efa1319fc2 100644
--- a/lib/ipsec/sa.c
+++ b/lib/ipsec/sa.c
@@ -7,6 +7,7 @@
 #include <rte_ip.h>
 #include <rte_udp.h>
 #include <rte_errno.h>
+#include <rte_os_shim.h>
 
 #include "sa.h"
 #include "ipsec_sqn.h"
@@ -655,8 +656,9 @@ pkt_flag_process(const struct rte_ipsec_session *ss,
 		struct rte_mbuf *mb[], uint16_t num)
 {
 	uint32_t i, k, bytes;
-	uint32_t dr[num];
+	uint32_t *dr;
 
+	dr = alloca(sizeof(uint32_t) * num);
 	RTE_SET_USED(ss);
 
 	k = 0;
-- 
2.47.0.vfs.0.3

[PATCH 2/2] app/test: enable ipsec-related tests

[Andre Muezerie]

Removed ifdefs which were bypassing the ipsec tests on Windows.

Removed "return" from void function to avoid warning on MSVC.

Signed-off-by: Andre Muezerie <andremue@linux.microsoft.com>
---
 app/test/test_ipsec.c                 | 17 ++---------------
 app/test/test_ipsec_perf.c            | 13 -------------
 app/test/test_ipsec_sad.c             | 13 -------------
 app/test/test_security_inline_proto.c | 26 --------------------------
 4 files changed, 2 insertions(+), 67 deletions(-)

diff --git a/app/test/test_ipsec.c b/app/test/test_ipsec.c
index ac63c3b6d3..b0e4384d0b 100644
--- a/app/test/test_ipsec.c
+++ b/app/test/test_ipsec.c
@@ -17,17 +17,6 @@
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
 #include <rte_lcore.h>
-
-#ifdef RTE_EXEC_ENV_WINDOWS
-static int
-test_ipsec(void)
-{
-	printf("ipsec not supported on Windows, skipping test\n");
-	return TEST_SKIPPED;
-}
-
-#else
-
 #include <rte_ipsec.h>
 #include <rte_random.h>
 #include <rte_esp.h>
@@ -1185,9 +1174,9 @@ destroy_session(struct ipsec_unitest_params *ut,
 	uint8_t crypto_dev, uint32_t j)
 {
 	if (ut->ss[j].type == RTE_SECURITY_ACTION_TYPE_NONE)
-		return destroy_crypto_session(ut, crypto_dev, j);
+		destroy_crypto_session(ut, crypto_dev, j);
 	else
-		return destroy_dummy_sec_session(ut, j);
+		destroy_dummy_sec_session(ut, j);
 }
 
 static void
@@ -2615,6 +2604,4 @@ test_ipsec(void)
 	return unit_test_suite_runner(&ipsec_testsuite);
 }
 
-#endif /* !RTE_EXEC_ENV_WINDOWS */
-
 REGISTER_FAST_TEST(ipsec_autotest, true, true, test_ipsec);
diff --git a/app/test/test_ipsec_perf.c b/app/test/test_ipsec_perf.c
index a32a2086e9..d609bae57e 100644
--- a/app/test/test_ipsec_perf.c
+++ b/app/test/test_ipsec_perf.c
@@ -10,17 +10,6 @@
 #include <rte_ring.h>
 #include <rte_mbuf.h>
 #include <rte_cycles.h>
-
-#ifdef RTE_EXEC_ENV_WINDOWS
-static int
-test_libipsec_perf(void)
-{
-	printf("ipsec_perf not supported on Windows, skipping test\n");
-	return TEST_SKIPPED;
-}
-
-#else
-
 #include <rte_ipsec.h>
 #include <rte_random.h>
 
@@ -629,6 +618,4 @@ test_libipsec_perf(void)
 	return TEST_SUCCESS;
 }
 
-#endif /* !RTE_EXEC_ENV_WINDOWS */
-
 REGISTER_PERF_TEST(ipsec_perf_autotest, test_libipsec_perf);
diff --git a/app/test/test_ipsec_sad.c b/app/test/test_ipsec_sad.c
index 642643eb63..378ba3f871 100644
--- a/app/test/test_ipsec_sad.c
+++ b/app/test/test_ipsec_sad.c
@@ -8,17 +8,6 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
-
-#ifdef RTE_EXEC_ENV_WINDOWS
-static int
-test_ipsec_sad(void)
-{
-	printf("ipsec_sad not supported on Windows, skipping test\n");
-	return TEST_SKIPPED;
-}
-
-#else
-
 #include <rte_ipsec_sad.h>
 #include <rte_memory.h>
 
@@ -897,6 +886,4 @@ test_ipsec_sad(void)
 	return unit_test_suite_runner(&ipsec_sad_tests);
 }
 
-#endif /* !RTE_EXEC_ENV_WINDOWS */
-
 REGISTER_TEST_COMMAND(ipsec_sad_autotest, test_ipsec_sad);
diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c
index 480469f672..f085ec716f 100644
--- a/app/test/test_security_inline_proto.c
+++ b/app/test/test_security_inline_proto.c
@@ -14,30 +14,6 @@
 #include "test_security_inline_proto_vectors.h"
 #include "test_security_proto.h"
 
-#ifdef RTE_EXEC_ENV_WINDOWS
-static int
-test_inline_ipsec(void)
-{
-	printf("Inline ipsec not supported on Windows, skipping test\n");
-	return TEST_SKIPPED;
-}
-
-static int
-test_event_inline_ipsec(void)
-{
-	printf("Event inline ipsec not supported on Windows, skipping test\n");
-	return TEST_SKIPPED;
-}
-
-static int
-test_inline_ipsec_sg(void)
-{
-	printf("Inline ipsec SG not supported on Windows, skipping test\n");
-	return TEST_SKIPPED;
-}
-
-#else
-
 #include <rte_eventdev.h>
 #include <rte_event_eth_rx_adapter.h>
 #include <rte_event_eth_tx_adapter.h>
@@ -3619,8 +3595,6 @@ test_event_inline_ipsec(void)
 	return unit_test_suite_runner(&inline_ipsec_testsuite);
 }
 
-#endif /* !RTE_EXEC_ENV_WINDOWS */
-
 REGISTER_TEST_COMMAND(inline_ipsec_autotest, test_inline_ipsec);
 REGISTER_TEST_COMMAND(inline_ipsec_sg_autotest, test_inline_ipsec_sg);
 REGISTER_TEST_COMMAND(event_inline_ipsec_autotest, test_event_inline_ipsec);
-- 
2.47.0.vfs.0.3

RE: [PATCH 1/2] lib/ipsec: compile ipsec on Windows

[Konstantin Ananyev]

> Removed VLA for compatibility with MSVC (which does not support VLAs).
> Used alloca when a constant fixed length that can be used instead is
> not known.
> 
> Implementation for rte_ipsec_pkt_crypto_group and
> rte_ipsec_ses_from_crypto was moved to new file
> lib\ipsec\ipsec_group.c because these functions get exported in a
> shared library (lib\ipsec\version.map).
> 
> Implementation for rte_ipsec_pkt_crypto_prepare and
> rte_ipsec_pkt_process was moved to new file lib\ipsec\ipsec.c because
> these functions get exported in a shared library
> (lib\ipsec\version.map).

Hmm... not sure I understood the rationale.
To me making inline functions not-inline first of all means ABI/API breakage,
plus it most likely will make things slower.

RE: [PATCH 1/2] lib/ipsec: compile ipsec on Windows

[Konstantin Ananyev]

> Removed VLA for compatibility with MSVC (which does not support VLAs).
> Used alloca when a constant fixed length that can be used instead is
> not known.
> 
...
 
> Signed-off-by: Andre Muezerie <andremue@linux.microsoft.com>
> ---

...

> diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c
> index f159bf7460..305ac48dc5 100644
> --- a/lib/ipsec/esp_inb.c
> +++ b/lib/ipsec/esp_inb.c
> @@ -370,8 +370,9 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
>  	struct rte_cryptodev_sym_session *cs;
>  	struct replay_sqn *rsn;
>  	union sym_op_data icv;
> -	uint32_t dr[num];
> +	uint32_t *dr;

I understand the intention, but obviously as the lib maintainer, I am no
very happy with mechanic replacement of VLAs with alloca() calls.
Again, while it helps to make MSVC happy, it doesn't really solve a potential problem
with using VLAs here - I we can end-up with stack overflowed if someone will call
one of these functions with  input arrays of huge size.
It would be much better to re-work the internal functions to work over fixed-size array
an then call them in a loop. 
The main issue here is that by API convention we need to re-arrange input array by
moving bad (not processed) mbuf after the good ones.
But even with that splitting processing into multiple iterations over small chunks
might help I think.  

> +	dr = alloca(sizeof(uint32_t) * num);
>  	sa = ss->sa;
>  	cs = ss->crypto.ses;
>  	rsn = rsn_acquire(sa);
> @@ -576,12 +577,16 @@ tun_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
>  	    uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len)
>  {
>  	uint32_t adj, i, k, tl, bytes;
> -	uint32_t hl[num], to[num];
> -	struct rte_esp_tail espt[num];
> -	struct rte_mbuf *ml[num];
> +	uint32_t *hl, *to;
> +	struct rte_esp_tail *espt;
> +	struct rte_mbuf **ml;
>  	const void *outh;
>  	void *inh;
> 
> +	hl = alloca(sizeof(uint32_t) * num);
> +	to = alloca(sizeof(uint32_t) * num);
> +	espt = alloca(sizeof(struct rte_esp_tail) * num);
> +	ml = alloca(sizeof(struct rte_mbuf *) * num);
>  	/*
>  	 * remove icv, esp trailer and high-order
>  	 * 32 bits of esn from packet length

Re: [PATCH 1/2] lib/ipsec: compile ipsec on Windows

[Andre Muezerie]

On Thu, Jan 09, 2025 at 05:27:11PM +0000, Konstantin Ananyev wrote:
> 
> 
> > Removed VLA for compatibility with MSVC (which does not support VLAs).
> > Used alloca when a constant fixed length that can be used instead is
> > not known.
> > 
> ...
>  
> > Signed-off-by: Andre Muezerie <andremue@linux.microsoft.com>
> > ---
> 
> ...
> 
> > diff --git a/lib/ipsec/esp_inb.c b/lib/ipsec/esp_inb.c
> > index f159bf7460..305ac48dc5 100644
> > --- a/lib/ipsec/esp_inb.c
> > +++ b/lib/ipsec/esp_inb.c
> > @@ -370,8 +370,9 @@ esp_inb_pkt_prepare(const struct rte_ipsec_session *ss, struct rte_mbuf *mb[],
> >  	struct rte_cryptodev_sym_session *cs;
> >  	struct replay_sqn *rsn;
> >  	union sym_op_data icv;
> > -	uint32_t dr[num];
> > +	uint32_t *dr;
> 
> I understand the intention, but obviously as the lib maintainer, I am no
> very happy with mechanic replacement of VLAs with alloca() calls.
> Again, while it helps to make MSVC happy, it doesn't really solve a potential problem
> with using VLAs here - I we can end-up with stack overflowed if someone will call
> one of these functions with  input arrays of huge size.
> It would be much better to re-work the internal functions to work over fixed-size array
> an then call them in a loop. 
> The main issue here is that by API convention we need to re-arrange input array by
> moving bad (not processed) mbuf after the good ones.
> But even with that splitting processing into multiple iterations over small chunks
> might help I think.  

Understood. I'll focus on the other patches being reviewed and revisit this one at some other time.

> 
> > +	dr = alloca(sizeof(uint32_t) * num);
> >  	sa = ss->sa;
> >  	cs = ss->crypto.ses;
> >  	rsn = rsn_acquire(sa);
> > @@ -576,12 +577,16 @@ tun_process(struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
> >  	    uint32_t sqn[], uint32_t dr[], uint16_t num, uint8_t sqh_len)
> >  {
> >  	uint32_t adj, i, k, tl, bytes;
> > -	uint32_t hl[num], to[num];
> > -	struct rte_esp_tail espt[num];
> > -	struct rte_mbuf *ml[num];
> > +	uint32_t *hl, *to;
> > +	struct rte_esp_tail *espt;
> > +	struct rte_mbuf **ml;
> >  	const void *outh;
> >  	void *inh;
> > 
> > +	hl = alloca(sizeof(uint32_t) * num);
> > +	to = alloca(sizeof(uint32_t) * num);
> > +	espt = alloca(sizeof(struct rte_esp_tail) * num);
> > +	ml = alloca(sizeof(struct rte_mbuf *) * num);
> >  	/*
> >  	 * remove icv, esp trailer and high-order
> >  	 * 32 bits of esn from packet length