From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by dpdk.org (Postfix) with ESMTP id 0DD187CF5 for ; Mon, 26 Jun 2017 20:23:36 +0200 (CEST) Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Jun 2017 11:23:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.39,396,1493708400"; d="scan'208";a="101655639" Received: from silpixa00399464.ir.intel.com (HELO silpixa00399464.ger.corp.intel.com) ([10.237.222.157]) by orsmga004.jf.intel.com with ESMTP; 26 Jun 2017 11:23:34 -0700 From: Pablo de Lara To: declan.doherty@intel.com, zbigniew.bodek@caviumnetworks.com, jerin.jacob@caviumnetworks.com, akhil.goyal@nxp.com, hemant.agrawal@nxp.com Cc: dev@dpdk.org, Pablo de Lara Date: Mon, 26 Jun 2017 11:22:57 +0100 Message-Id: <20170626102300.56637-25-pablo.de.lara.guarch@intel.com> X-Mailer: git-send-email 2.9.4 In-Reply-To: <20170626102300.56637-1-pablo.de.lara.guarch@intel.com> References: <1496005522-134934-1-git-send-email-pablo.de.lara.guarch@intel.com> <20170626102300.56637-1-pablo.de.lara.guarch@intel.com> Subject: [dpdk-dev] [PATCH v2 24/27] examples/ipsec-secgw: add AEAD parameters X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Jun 2017 18:23:38 -0000 Signed-off-by: Pablo de Lara --- doc/guides/sample_app_ug/ipsec_secgw.rst | 32 +++++++-- examples/ipsec-secgw/ipsec.h | 1 + examples/ipsec-secgw/sa.c | 116 +++++++++++++++++++++++++++++-- 3 files changed, 139 insertions(+), 10 deletions(-) diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 885c77e..ca2a34d 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -412,7 +412,7 @@ where each options means: * Cipher algorithm - * Optional: No + * Optional: Yes, unless is not used * Available options: @@ -427,7 +427,8 @@ where each options means: * Cipher key, NOT available when 'null' algorithm is used - * Optional: No, must followed by option + * Optional: Yes, unless is not used. + Must be followed by option * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. The number of bytes should be as same as the specified cipher algorithm @@ -440,7 +441,7 @@ where each options means: * Authentication algorithm - * Optional: No + * Optional: Yes, unless is not used * Available options: @@ -453,7 +454,8 @@ where each options means: * Authentication key, NOT available when 'null' or 'aes-128-gcm' algorithm is used. - * Optional: No, must followed by option + * Optional: Yes, unless is not used. + Must be followed by option * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. The number of bytes should be as same as the specified authentication @@ -462,6 +464,28 @@ where each options means: For example: *auth_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4: A1:B2:C3:D4* +```` + + * AEAD algorithm + + * Optional: Yes, unless and are not used + + * Syntax: *cipher_algo * + +```` + + * Cipher key, NOT available when 'null' algorithm is used + + * Optional: Yes, unless and are not used. + Must be followed by option + + * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. + The number of bytes should be as same as the specified AEAD algorithm + key size. + + For example: *aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4: + A1:B2:C3:D4* + ```` * The operation mode diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 405cf3d..f8569ca 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -103,6 +103,7 @@ struct ipsec_sa { struct rte_cryptodev_sym_session *crypto_session; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; + enum rte_crypto_aead_algorithm aead_algo; uint16_t digest_len; uint16_t iv_len; uint16_t block_size; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 85e4d4e..9d80bd3 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -68,6 +68,17 @@ struct supported_auth_algo { uint8_t key_not_req; }; +struct supported_aead_algo { + const char *keyword; + enum rte_crypto_aead_algorithm algo; + uint16_t iv_len; + uint16_t block_size; + uint16_t digest_len; + uint16_t key_len; + uint8_t aad_len; +}; + + const struct supported_cipher_algo cipher_algos[] = { { .keyword = "null", @@ -128,6 +139,8 @@ const struct supported_auth_algo auth_algos[] = { } }; +const struct supported_aead_algo aead_algos[] = { { } }; + struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; uint32_t nb_sa_out; @@ -166,6 +179,22 @@ find_match_auth_algo(const char *auth_keyword) return NULL; } +static const struct supported_aead_algo * +find_match_aead_algo(const char *aead_keyword) +{ + size_t i; + + for (i = 0; i < RTE_DIM(aead_algos); i++) { + const struct supported_aead_algo *algo = + &aead_algos[i]; + + if (strcmp(aead_keyword, algo->keyword) == 0) + return algo; + } + + return NULL; +} + /** parse_key_string * parse x:x:x:x.... hex number key string into uint8_t *key * return: @@ -210,6 +239,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri /*rule index*/; uint32_t cipher_algo_p = 0; uint32_t auth_algo_p = 0; + uint32_t aead_algo_p = 0; uint32_t src_p = 0; uint32_t dst_p = 0; uint32_t mode_p = 0; @@ -386,6 +416,61 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, continue; } + if (strcmp(tokens[ti], "aead_algo") == 0) { + const struct supported_aead_algo *algo; + uint32_t key_len; + + APP_CHECK_PRESENCE(aead_algo_p, tokens[ti], + status); + if (status->status < 0) + return; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + algo = find_match_aead_algo(tokens[ti]); + + APP_CHECK(algo != NULL, status, "unrecognized " + "input \"%s\"", tokens[ti]); + + rule->aead_algo = algo->algo; + rule->cipher_key_len = algo->key_len; + rule->digest_len = algo->digest_len; + rule->aad_len = algo->key_len; + rule->block_size = algo->block_size; + rule->iv_len = algo->iv_len; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + APP_CHECK(strcmp(tokens[ti], "aead_key") == 0, + status, "unrecognized input \"%s\", " + "expect \"aead_key\"", tokens[ti]); + if (status->status < 0) + return; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + key_len = parse_key_string(tokens[ti], + rule->cipher_key); + APP_CHECK(key_len == rule->cipher_key_len, status, + "unrecognized input \"%s\"", tokens[ti]); + if (status->status < 0) + return; + + key_len -= 4; + rule->cipher_key_len = key_len; + memcpy(&rule->salt, + &rule->cipher_key[key_len], 4); + + aead_algo_p = 1; + continue; + } + if (strcmp(tokens[ti], "src") == 0) { APP_CHECK_PRESENCE(src_p, tokens[ti], status); if (status->status < 0) @@ -477,13 +562,25 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; } - APP_CHECK(cipher_algo_p == 1, status, "missing cipher options"); - if (status->status < 0) - return; + if (aead_algo_p) { + APP_CHECK(cipher_algo_p == 0, status, + "AEAD used, no need for cipher options"); + if (status->status < 0) + return; - APP_CHECK(auth_algo_p == 1, status, "missing auth options"); - if (status->status < 0) - return; + APP_CHECK(auth_algo_p == 0, status, + "AEAD used, no need for auth options"); + if (status->status < 0) + return; + } else { + APP_CHECK(cipher_algo_p == 1, status, "missing cipher or AEAD options"); + if (status->status < 0) + return; + + APP_CHECK(auth_algo_p == 1, status, "missing auth or AEAD options"); + if (status->status < 0) + return; + } APP_CHECK(mode_p == 1, status, "missing mode option"); if (status->status < 0) @@ -514,6 +611,13 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } } + for (i = 0; i < RTE_DIM(aead_algos); i++) { + if (aead_algos[i].algo == sa->aead_algo) { + printf("%s ", aead_algos[i].keyword); + break; + } + } + printf("mode:"); switch (sa->flags) { -- 2.9.4