* [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support
@ 2019-02-18 16:32 Fan Zhang
2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
` (4 more replies)
0 siblings, 5 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang
This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added too.
Fan Zhang (4):
ipsec: add AES-CTR algorithm support
ipsec-secgw: add test scripts for aes ctr
ipsec: add 3DES-CBC algorithm support
ipsec-secgw: add 3des test files
examples/ipsec-secgw/test/common_defs.sh | 4 +-
examples/ipsec-secgw/test/run_test.sh | 18 ++-
.../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++
examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++
.../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 +
.../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++
.../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 +
.../test/trs_aesctr_sha1_common_defs.sh | 69 ++++++++++
examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++
.../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 +
.../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++
.../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 +
.../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++
examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 ++++++++++
.../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 +
.../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 ++++++++++
.../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 +
.../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++
examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++
.../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 +
.../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++
.../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 +
lib/librte_ipsec/crypto.h | 17 +++
lib/librte_ipsec/sa.c | 143 ++++++++++++++++++---
lib/librte_ipsec/sa.h | 24 ++++
25 files changed, 1050 insertions(+), 24 deletions(-)
create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
--
2.14.5
^ permalink raw reply [flat|nested] 54+ messages in thread* [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support 2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang @ 2019-02-18 16:32 ` Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang ` (3 subsequent siblings) 4 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr 2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang @ 2019-02-18 16:32 ` Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang ` (2 subsequent siblings) 4 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 10 +++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 441 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 1ed31f89f..ea17cf9fd 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..435de5da6 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,15 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +tun_aesctr_sha1_old \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom \ +trs_aesctr_sha1_old" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support 2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-02-18 16:32 ` Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 4 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/sa.c | 10 ++++++++++ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..5c59c4b67 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES; + break; + default: return -EINVAL; } @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; + case ALGO_TYPE_3DES: + /* Cipher-Auth (3DES-CBC *) case */ case ALGO_TYPE_NULL: /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..8398748d1 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files 2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (2 preceding siblings ...) 2019-02-18 16:32 ` [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang @ 2019-02-18 16:32 ` Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 4 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 10 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 447 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 435de5da6..492156aae 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -40,7 +40,15 @@ tun_aesctr_sha1_old \ trs_aesctr_sha1 \ trs_aesctr_sha1_esn \ trs_aesctr_sha1_esn_atom \ -trs_aesctr_sha1_old" +trs_aesctr_sha1_old \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +tun_3descbc_sha1_old \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom \ +trs_3descbc_sha1_old" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support 2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (3 preceding siblings ...) 2019-02-18 16:32 ` [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files Fan Zhang @ 2019-02-19 15:32 ` Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang ` (4 more replies) 4 siblings, 5 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patchset adds the AES-CTR and 3DES-CBC cipher algorithms support to ipsec library. The test scripts for ipsec-secgw sample application are added too. v2: - removed unsupported tests. Fan Zhang (4): ipsec: add AES-CTR algorithm support ipsec-secgw: add test scripts for aes ctr ipsec: add 3DES-CBC algorithm support ipsec-secgw: add 3des test files examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 14 +- .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + .../test/trs_aesctr_sha1_common_defs.sh | 69 ++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 ++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 ++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + lib/librte_ipsec/crypto.h | 17 +++ lib/librte_ipsec/sa.c | 143 ++++++++++++++++++--- lib/librte_ipsec/sa.h | 24 ++++ 25 files changed, 1046 insertions(+), 24 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang @ 2019-02-19 15:32 ` Fan Zhang 2019-02-22 12:43 ` Ananyev, Konstantin 2019-03-19 14:32 ` Akhil Goyal 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang ` (3 subsequent siblings) 4 siblings, 2 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang @ 2019-02-22 12:43 ` Ananyev, Konstantin 2019-03-19 14:32 ` Akhil Goyal 1 sibling, 0 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-02-22 12:43 UTC (permalink / raw) To: Zhang, Roy Fan, dev; +Cc: akhil.goyal > > This patch adds AES-CTR cipher algorithm support to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > lib/librte_ipsec/crypto.h | 17 ++++++ > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > lib/librte_ipsec/sa.h | 18 +++++++ > 3 files changed, 147 insertions(+), 21 deletions(-) > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-22 12:43 ` Ananyev, Konstantin @ 2019-03-19 14:32 ` Akhil Goyal 2019-03-19 14:32 ` Akhil Goyal 1 sibling, 1 reply; 54+ messages in thread From: Akhil Goyal @ 2019-03-19 14:32 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev Hi Fan, title should be ipsec: support aes-ctr On 2/19/2019 9:02 PM, Fan Zhang wrote: > This patch adds AES-CTR cipher algorithm support to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > lib/librte_ipsec/crypto.h | 17 ++++++ > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > lib/librte_ipsec/sa.h | 18 +++++++ > 3 files changed, 147 insertions(+), 21 deletions(-) > > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h > index b5f264831..4f551e39c 100644 > --- a/lib/librte_ipsec/crypto.h > +++ b/lib/librte_ipsec/crypto.h > @@ -11,6 +11,16 @@ > * by ipsec library. > */ > > +/* > + * AES-CTR counter block format. > + */ > + > +struct aesctr_cnt_blk { > + uint32_t nonce; > + uint64_t iv; > + uint32_t cnt; > +} __attribute__((packed)); > + I believe cnt should be above iv. > /* > * AES-GCM devices have some specific requirements for IV and AAD formats. > * Ideally that to be done by the driver itself. > @@ -41,6 +51,13 @@ struct gcm_esph_iv { > uint64_t iv; > } __attribute__((packed)); > > Apart from that, Acked-by: Akhil Goyal <akhil.goyal@nxp.com> ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support 2019-03-19 14:32 ` Akhil Goyal @ 2019-03-19 14:32 ` Akhil Goyal 0 siblings, 0 replies; 54+ messages in thread From: Akhil Goyal @ 2019-03-19 14:32 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev Hi Fan, title should be ipsec: support aes-ctr On 2/19/2019 9:02 PM, Fan Zhang wrote: > This patch adds AES-CTR cipher algorithm support to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > lib/librte_ipsec/crypto.h | 17 ++++++ > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > lib/librte_ipsec/sa.h | 18 +++++++ > 3 files changed, 147 insertions(+), 21 deletions(-) > > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h > index b5f264831..4f551e39c 100644 > --- a/lib/librte_ipsec/crypto.h > +++ b/lib/librte_ipsec/crypto.h > @@ -11,6 +11,16 @@ > * by ipsec library. > */ > > +/* > + * AES-CTR counter block format. > + */ > + > +struct aesctr_cnt_blk { > + uint32_t nonce; > + uint64_t iv; > + uint32_t cnt; > +} __attribute__((packed)); > + I believe cnt should be above iv. > /* > * AES-GCM devices have some specific requirements for IV and AAD formats. > * Ideally that to be done by the driver itself. > @@ -41,6 +51,13 @@ struct gcm_esph_iv { > uint64_t iv; > } __attribute__((packed)); > > Apart from that, Acked-by: Akhil Goyal <akhil.goyal@nxp.com> ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang @ 2019-02-19 15:32 ` Fan Zhang 2019-02-22 12:39 ` Ananyev, Konstantin 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang ` (2 subsequent siblings) 4 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 439 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 1ed31f89f..ea17cf9fd 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..3c38d8850 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-02-22 12:39 ` Ananyev, Konstantin 0 siblings, 0 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-02-22 12:39 UTC (permalink / raw) To: Zhang, Roy Fan, dev; +Cc: akhil.goyal > This patch adds the functional test scripts to ipsec-secgw > sample application for both transport and tunnel working > mode. > > Updated a bit on common_defs to use "mktemp" instead of "tempfile" > as Fedora does not like the command. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > examples/ipsec-secgw/test/common_defs.sh | 4 +- > examples/ipsec-secgw/test/run_test.sh | 8 ++- > .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ > examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ > .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ > .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ > .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ > .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ > examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ > .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ > .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ > .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ > 12 files changed, 439 insertions(+), 3 deletions(-) > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > -- > 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-02-19 15:32 ` Fan Zhang 2019-02-22 12:38 ` Ananyev, Konstantin 2019-03-19 14:46 ` Akhil Goyal 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 4 siblings, 2 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/sa.c | 10 ++++++++++ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..5c59c4b67 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES; + break; + default: return -EINVAL; } @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; + case ALGO_TYPE_3DES: + /* Cipher-Auth (3DES-CBC *) case */ case ALGO_TYPE_NULL: /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..8398748d1 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang @ 2019-02-22 12:38 ` Ananyev, Konstantin 2019-03-19 14:46 ` Akhil Goyal 1 sibling, 0 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-02-22 12:38 UTC (permalink / raw) To: Zhang, Roy Fan, dev; +Cc: akhil.goyal > This patch adds triple-des CBC mode cipher algorithm to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > lib/librte_ipsec/sa.c | 10 ++++++++++ > lib/librte_ipsec/sa.h | 6 ++++++ > 2 files changed, 16 insertions(+) > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index e34dd320a..5c59c4b67 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > sa->algo_type = ALGO_TYPE_AES_CTR; > break; > > + case RTE_CRYPTO_CIPHER_3DES_CBC: > + /* RFC 1851 */ > + sa->pad_align = IPSEC_PAD_3DES_CBC; > + sa->iv_len = IPSEC_3DES_IV_SIZE; > + sa->algo_type = ALGO_TYPE_3DES; > + break; > + > default: > return -EINVAL; > } > @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > sa->iv_ofs); > aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > break; > + case ALGO_TYPE_3DES: > + /* Cipher-Auth (3DES-CBC *) case */ > case ALGO_TYPE_NULL: > /* NULL case */ > sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > break; > case ALGO_TYPE_AES_CBC: > + case ALGO_TYPE_3DES: > sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > sop->cipher.data.length = clen; > sop->auth.data.offset = pofs + sa->ctp.auth.offset; > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index 12c061ee6..8398748d1 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -14,6 +14,7 @@ > /* padding alignment for different algorithms */ > enum { > IPSEC_PAD_DEFAULT = 4, > + IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, > IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, > @@ -24,6 +25,10 @@ enum { > enum { > IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, > IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), > + /* TripleDES supports IV size of 32bits or 64bits but he library Typo: 's/ he / the /' > + * only supports 64bits. > + */ > + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), > }; > > /* these definitions probably has to be in rte_crypto_sym.h */ > @@ -57,6 +62,7 @@ struct replay_sqn { > /*IPSEC SA supported algorithms */ > enum sa_algo_type { > ALGO_TYPE_NULL = 0, > + ALGO_TYPE_3DES, > ALGO_TYPE_AES_CBC, > ALGO_TYPE_AES_CTR, > ALGO_TYPE_AES_GCM, > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang 2019-02-22 12:38 ` Ananyev, Konstantin @ 2019-03-19 14:46 ` Akhil Goyal 2019-03-19 14:46 ` Akhil Goyal 1 sibling, 1 reply; 54+ messages in thread From: Akhil Goyal @ 2019-03-19 14:46 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev On 2/19/2019 9:02 PM, Fan Zhang wrote: > This patch adds triple-des CBC mode cipher algorithm to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > lib/librte_ipsec/sa.c | 10 ++++++++++ > lib/librte_ipsec/sa.h | 6 ++++++ > 2 files changed, 16 insertions(+) > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index e34dd320a..5c59c4b67 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > sa->algo_type = ALGO_TYPE_AES_CTR; > break; > > + case RTE_CRYPTO_CIPHER_3DES_CBC: > + /* RFC 1851 */ > + sa->pad_align = IPSEC_PAD_3DES_CBC; > + sa->iv_len = IPSEC_3DES_IV_SIZE; > + sa->algo_type = ALGO_TYPE_3DES; > + break; > + > default: > return -EINVAL; > } > @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > sa->iv_ofs); > aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > break; > + case ALGO_TYPE_3DES: > + /* Cipher-Auth (3DES-CBC *) case */ > case ALGO_TYPE_NULL: > /* NULL case */ > sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > break; > case ALGO_TYPE_AES_CBC: > + case ALGO_TYPE_3DES: > sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > sop->cipher.data.length = clen; > sop->auth.data.offset = pofs + sa->ctp.auth.offset; > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index 12c061ee6..8398748d1 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -14,6 +14,7 @@ > /* padding alignment for different algorithms */ > enum { > IPSEC_PAD_DEFAULT = 4, > + IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, > IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, > @@ -24,6 +25,10 @@ enum { > enum { > IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, > IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), > + /* TripleDES supports IV size of 32bits or 64bits but he library > + * only supports 64bits. > + */ > + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), > }; > > /* these definitions probably has to be in rte_crypto_sym.h */ > @@ -57,6 +62,7 @@ struct replay_sqn { > /*IPSEC SA supported algorithms */ > enum sa_algo_type { > ALGO_TYPE_NULL = 0, > + ALGO_TYPE_3DES, this should be 3des_cbc > ALGO_TYPE_AES_CBC, > ALGO_TYPE_AES_CTR, > ALGO_TYPE_AES_GCM, ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support 2019-03-19 14:46 ` Akhil Goyal @ 2019-03-19 14:46 ` Akhil Goyal 0 siblings, 0 replies; 54+ messages in thread From: Akhil Goyal @ 2019-03-19 14:46 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev On 2/19/2019 9:02 PM, Fan Zhang wrote: > This patch adds triple-des CBC mode cipher algorithm to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > lib/librte_ipsec/sa.c | 10 ++++++++++ > lib/librte_ipsec/sa.h | 6 ++++++ > 2 files changed, 16 insertions(+) > > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index e34dd320a..5c59c4b67 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > sa->algo_type = ALGO_TYPE_AES_CTR; > break; > > + case RTE_CRYPTO_CIPHER_3DES_CBC: > + /* RFC 1851 */ > + sa->pad_align = IPSEC_PAD_3DES_CBC; > + sa->iv_len = IPSEC_3DES_IV_SIZE; > + sa->algo_type = ALGO_TYPE_3DES; > + break; > + > default: > return -EINVAL; > } > @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > sa->iv_ofs); > aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > break; > + case ALGO_TYPE_3DES: > + /* Cipher-Auth (3DES-CBC *) case */ > case ALGO_TYPE_NULL: > /* NULL case */ > sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > break; > case ALGO_TYPE_AES_CBC: > + case ALGO_TYPE_3DES: > sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > sop->cipher.data.length = clen; > sop->auth.data.offset = pofs + sa->ctp.auth.offset; > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index 12c061ee6..8398748d1 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -14,6 +14,7 @@ > /* padding alignment for different algorithms */ > enum { > IPSEC_PAD_DEFAULT = 4, > + IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, > IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, > @@ -24,6 +25,10 @@ enum { > enum { > IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, > IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), > + /* TripleDES supports IV size of 32bits or 64bits but he library > + * only supports 64bits. > + */ > + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), > }; > > /* these definitions probably has to be in rte_crypto_sym.h */ > @@ -57,6 +62,7 @@ struct replay_sqn { > /*IPSEC SA supported algorithms */ > enum sa_algo_type { > ALGO_TYPE_NULL = 0, > + ALGO_TYPE_3DES, this should be 3des_cbc > ALGO_TYPE_AES_CBC, > ALGO_TYPE_AES_CTR, > ALGO_TYPE_AES_GCM, ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (2 preceding siblings ...) 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang @ 2019-02-19 15:32 ` Fan Zhang 2019-02-22 12:40 ` Ananyev, Konstantin 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 4 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 3c38d8850..38edb4183 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom" +trs_aesctr_sha1_esn_atom \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang @ 2019-02-22 12:40 ` Ananyev, Konstantin 0 siblings, 0 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-02-22 12:40 UTC (permalink / raw) To: Zhang, Roy Fan, dev; +Cc: akhil.goyal > -----Original Message----- > From: Zhang, Roy Fan > Sent: Tuesday, February 19, 2019 3:33 PM > To: dev@dpdk.org > Cc: akhil.goyal@nxp.com; Ananyev, Konstantin <konstantin.ananyev@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com> > Subject: [PATCH v2 4/4] ipsec-secgw: add 3des test files > > This patch adds the functional test scripts to ipsec-secgw > sample application for both transport and tunnel working > mode. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > --- > examples/ipsec-secgw/test/run_test.sh | 8 ++- > .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ > examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ > .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ > .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ > .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ > .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ > examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ > .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ > .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ > .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ > 11 files changed, 445 insertions(+), 1 deletion(-) > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh > > -- Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (3 preceding siblings ...) 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang @ 2019-02-25 12:07 ` Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang ` (5 more replies) 4 siblings, 6 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patchset adds the AES-CTR and 3DES-CBC cipher algorithms support to ipsec library. The test scripts for ipsec-secgw sample application are added too. v3: - fixed a bug in 3DES. v2: - removed unsupported tests. Fan Zhang (4): ipsec: add AES-CTR algorithm support ipsec-secgw: add test scripts for aes ctr ipsec: add 3DES-CBC algorithm support ipsec-secgw: add 3des test files examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 14 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + lib/librte_ipsec/crypto.h | 17 +++ lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- lib/librte_ipsec/sa.h | 24 ++++ 25 files changed, 1040 insertions(+), 24 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang @ 2019-02-25 12:07 ` Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang ` (4 subsequent siblings) 5 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang @ 2019-02-25 12:07 ` Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang ` (3 subsequent siblings) 5 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 439 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 1ed31f89f..ea17cf9fd 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..3c38d8850 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-02-25 12:07 ` Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files Fan Zhang ` (2 subsequent siblings) 5 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 28 insertions(+), 18 deletions(-) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..81d25fd49 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.length = 0; break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; @@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES; + break; + default: return -EINVAL; } @@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sop = cop->sym; switch (algo_type) { + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + case ALGO_TYPE_3DES: + /* Cipher-Auth (3DES-CBC *) case */ + case ALGO_TYPE_NULL: + /* NULL case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; @@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; - case ALGO_TYPE_AES_CBC: - /* Cipher-Auth (AES-CBC *) case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; - case ALGO_TYPE_NULL: - /* NULL case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; default: break; } @@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..ceff41390 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = 8, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (2 preceding siblings ...) 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang @ 2019-02-25 12:07 ` Fan Zhang 2019-03-04 16:38 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Ananyev, Konstantin 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 5 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 3c38d8850..38edb4183 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom" +trs_aesctr_sha1_esn_atom \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (3 preceding siblings ...) 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files Fan Zhang @ 2019-03-04 16:38 ` Ananyev, Konstantin 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 5 siblings, 0 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-03-04 16:38 UTC (permalink / raw) To: Zhang, Roy Fan, dev; +Cc: akhil.goyal > > This patchset adds the AES-CTR and 3DES-CBC cipher algorithms > support to ipsec library. The test scripts for ipsec-secgw > sample application are added too. > > v3: > - fixed a bug in 3DES. > > v2: > - removed unsupported tests. > > Fan Zhang (4): > ipsec: add AES-CTR algorithm support > ipsec-secgw: add test scripts for aes ctr > ipsec: add 3DES-CBC algorithm support > ipsec-secgw: add 3des test files > > examples/ipsec-secgw/test/common_defs.sh | 4 +- > examples/ipsec-secgw/test/run_test.sh | 14 ++- > .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ > examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ > .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ > .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + > .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ > examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ > .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ > .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + > .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ > examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ > .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ > .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + > .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ > examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ > .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ > .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + > lib/librte_ipsec/crypto.h | 17 +++ > lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- > lib/librte_ipsec/sa.h | 24 ++++ > 25 files changed, 1040 insertions(+), 24 deletions(-) > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh > > -- Reviewed-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang ` (4 preceding siblings ...) 2019-03-04 16:38 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Ananyev, Konstantin @ 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` Fan Zhang ` (5 more replies) 5 siblings, 6 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patchset adds the AES-CTR and 3DES-CBC cipher algorithms support to ipsec library. The test scripts for ipsec-secgw sample application are added. v4: - changed patch titles. - changed ALGO_TYPE naming for 3DES-CBC v3: - fixed a bug in 3DES. v2: - removed unsupported tests. Fan Zhang (4): ipsec: support AES-CTR ipsec-secgw: add test scripts for aes ctr ipsec: support 3DES-CBC ipsec-secgw: add 3des test files examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 14 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + lib/librte_ipsec/crypto.h | 17 +++ lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- lib/librte_ipsec/sa.h | 24 ++++ 25 files changed, 1040 insertions(+), 24 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang ` (4 subsequent siblings) 5 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patchset adds the AES-CTR and 3DES-CBC cipher algorithms support to ipsec library. The test scripts for ipsec-secgw sample application are added. v4: - changed patch titles. - changed ALGO_TYPE naming for 3DES-CBC v3: - fixed a bug in 3DES. v2: - removed unsupported tests. Fan Zhang (4): ipsec: support AES-CTR ipsec-secgw: add test scripts for aes ctr ipsec: support 3DES-CBC ipsec-secgw: add 3des test files examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 14 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + lib/librte_ipsec/crypto.h | 17 +++ lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- lib/librte_ipsec/sa.h | 24 ++++ 25 files changed, 1040 insertions(+), 24 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 2019-03-20 13:51 ` Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang ` (3 subsequent siblings) 5 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang ` (2 subsequent siblings) 5 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 439 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 693c70cd1..8dc574b50 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..3c38d8850 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 439 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 693c70cd1..8dc574b50 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..3c38d8850 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (2 preceding siblings ...) 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 5 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 28 insertions(+), 18 deletions(-) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..2eb6bae07 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.length = 0; break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; @@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES_CBC; + break; + default: return -EINVAL; } @@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sop = cop->sym; switch (algo_type) { + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + case ALGO_TYPE_3DES_CBC: + /* Cipher-Auth (3DES-CBC *) case */ + case ALGO_TYPE_NULL: + /* NULL case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; @@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; - case ALGO_TYPE_AES_CBC: - /* Cipher-Auth (AES-CBC *) case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; - case ALGO_TYPE_NULL: - /* NULL case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; default: break; } @@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..c3a0d84bc 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = 8, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES_CBC, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 28 insertions(+), 18 deletions(-) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..2eb6bae07 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.length = 0; break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; @@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES_CBC; + break; + default: return -EINVAL; } @@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sop = cop->sym; switch (algo_type) { + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + case ALGO_TYPE_3DES_CBC: + /* Cipher-Auth (3DES-CBC *) case */ + case ALGO_TYPE_NULL: + /* NULL case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; @@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; - case ALGO_TYPE_AES_CBC: - /* Cipher-Auth (AES-CBC *) case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; - case ALGO_TYPE_NULL: - /* NULL case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; default: break; } @@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..c3a0d84bc 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = 8, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES_CBC, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (3 preceding siblings ...) 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 5 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 3c38d8850..38edb4183 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom" +trs_aesctr_sha1_esn_atom \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang @ 2019-03-20 13:51 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 8 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 3c38d8850..38edb4183 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom" +trs_aesctr_sha1_esn_atom \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (4 preceding siblings ...) 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` Fan Zhang ` (6 more replies) 5 siblings, 7 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patchset adds the AES-CTR and 3DES-CBC cipher algorithms support to ipsec library. The test scripts for ipsec-secgw sample application are added. v5: - updated ipsec-secgw run_test.sh script - updated release note v4: - changed patch titles. - changed ALGO_TYPE naming for 3DES-CBC v3: - fixed a bug in 3DES. v2: - removed unsupported tests. Fan Zhang (5): ipsec: support AES-CTR ipsec-secgw: add test scripts for aes ctr ipsec: support 3DES-CBC ipsec-secgw: add 3des test files doc: update release note doc/guides/rel_notes/release_19_05.rst | 6 + examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 18 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + lib/librte_ipsec/crypto.h | 17 +++ lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- lib/librte_ipsec/sa.h | 24 ++++ 26 files changed, 1050 insertions(+), 24 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang ` (5 subsequent siblings) 6 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patchset adds the AES-CTR and 3DES-CBC cipher algorithms support to ipsec library. The test scripts for ipsec-secgw sample application are added. v5: - updated ipsec-secgw run_test.sh script - updated release note v4: - changed patch titles. - changed ALGO_TYPE naming for 3DES-CBC v3: - fixed a bug in 3DES. v2: - removed unsupported tests. Fan Zhang (5): ipsec: support AES-CTR ipsec-secgw: add test scripts for aes ctr ipsec: support 3DES-CBC ipsec-secgw: add 3des test files doc: update release note doc/guides/rel_notes/release_19_05.rst | 6 + examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 18 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + lib/librte_ipsec/crypto.h | 17 +++ lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- lib/librte_ipsec/sa.h | 24 ++++ 26 files changed, 1050 insertions(+), 24 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 2019-03-20 15:38 ` Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-22 11:53 ` Akhil Goyal 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang ` (4 subsequent siblings) 6 siblings, 2 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-22 11:53 ` Akhil Goyal 1 sibling, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds AES-CTR cipher algorithm support to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- lib/librte_ipsec/crypto.h | 17 ++++++ lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- lib/librte_ipsec/sa.h | 18 +++++++ 3 files changed, 147 insertions(+), 21 deletions(-) diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h index b5f264831..4f551e39c 100644 --- a/lib/librte_ipsec/crypto.h +++ b/lib/librte_ipsec/crypto.h @@ -11,6 +11,16 @@ * by ipsec library. */ +/* + * AES-CTR counter block format. + */ + +struct aesctr_cnt_blk { + uint32_t nonce; + uint64_t iv; + uint32_t cnt; +} __attribute__((packed)); + /* * AES-GCM devices have some specific requirements for IV and AAD formats. * Ideally that to be done by the driver itself. @@ -41,6 +51,13 @@ struct gcm_esph_iv { uint64_t iv; } __attribute__((packed)); +static inline void +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) +{ + ctr->nonce = nonce; + ctr->iv = iv; + ctr->cnt = rte_cpu_to_be_32(1); +} static inline void aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 5f55c2a4e..e34dd320a 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) static void esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) { + uint8_t algo_type; + sa->sqn.outb.raw = 1; /* these params may differ with new algorithms support */ sa->ctp.auth.offset = hlen; sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; - if (sa->aad_len != 0) { + + algo_type = sa->algo_type; + + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + case ALGO_TYPE_AES_CTR: + case ALGO_TYPE_NULL: sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + sa->iv_len; sa->ctp.cipher.length = 0; - } else { + break; + case ALGO_TYPE_AES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; + break; } } @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, RTE_IPSEC_SATP_MODE_MASK; if (cxf->aead != NULL) { - /* RFC 4106 */ - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) + switch (cxf->aead->algo) { + case RTE_CRYPTO_AEAD_AES_GCM: + /* RFC 4106 */ + sa->aad_len = sizeof(struct aead_gcm_aad); + sa->icv_len = cxf->aead->digest_length; + sa->iv_ofs = cxf->aead->iv.offset; + sa->iv_len = sizeof(uint64_t); + sa->pad_align = IPSEC_PAD_AES_GCM; + sa->algo_type = ALGO_TYPE_AES_GCM; + break; + default: return -EINVAL; - sa->aad_len = sizeof(struct aead_gcm_aad); - sa->icv_len = cxf->aead->digest_length; - sa->iv_ofs = cxf->aead->iv.offset; - sa->iv_len = sizeof(uint64_t); - sa->pad_align = IPSEC_PAD_AES_GCM; + } } else { sa->icv_len = cxf->auth->digest_length; sa->iv_ofs = cxf->cipher->iv.offset; sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { + + switch (cxf->cipher->algo) { + case RTE_CRYPTO_CIPHER_NULL: sa->pad_align = IPSEC_PAD_NULL; sa->iv_len = 0; - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + sa->algo_type = ALGO_TYPE_NULL; + break; + + case RTE_CRYPTO_CIPHER_AES_CBC: sa->pad_align = IPSEC_PAD_AES_CBC; sa->iv_len = IPSEC_MAX_IV_SIZE; - } else + sa->algo_type = ALGO_TYPE_AES_CBC; + break; + + case RTE_CRYPTO_CIPHER_AES_CTR: + /* RFC 3686 */ + sa->pad_align = IPSEC_PAD_AES_CTR; + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; + sa->algo_type = ALGO_TYPE_AES_CTR; + break; + + default: return -EINVAL; + } } sa->udata = prm->userdata; @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; + uint8_t algo_type = sa->algo_type; /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: + /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; sop->aead.data.length = sa->ctp.cipher.length + plen; sop->aead.digest.data = icv->va; @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + case ALGO_TYPE_AES_CTR: + /* Cipher-Auth (AES-CTR *) case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + /* NULL case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; sop->cipher.data.length = sa->ctp.cipher.length + plen; sop->auth.data.offset = sa->ctp.auth.offset + hlen; sop->auth.data.length = sa->ctp.auth.length + plen; sop->auth.digest.data = icv->va; sop->auth.digest.phys_addr = icv->pa; + break; + default: + break; } } @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, { uint32_t *psqh; struct aead_gcm_aad *aad; + uint8_t algo_type = sa->algo_type; /* insert SQN.hi between ESP trailer and ICV */ if (sa->sqh_len != 0) { @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, * fill IV and AAD fields, if any (aad fields are placed after icv), * right now we support only one AEAD algorithm: AES-GCM . */ - if (sa->aad_len != 0) { + if (algo_type == ALGO_TYPE_AES_GCM) { aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); } @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, { struct rte_crypto_sym_op *sop; struct aead_gcm_iv *gcm; + struct aesctr_cnt_blk *ctr; uint64_t *ivc, *ivp; uint32_t clen; + uint8_t algo_type = sa->algo_type; clen = plen - sa->ctp.cipher.length; if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, /* fill sym op fields */ sop = cop->sym; - /* AEAD (AES_GCM) case */ - if (sa->aad_len != 0) { + switch (algo_type) { + case ALGO_TYPE_AES_GCM: sop->aead.data.offset = pofs + sa->ctp.cipher.offset; sop->aead.data.length = clen; sop->aead.digest.data = icv->va; @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); - /* CRYPT+AUTH case */ - } else { + break; + case ALGO_TYPE_AES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, pofs + sizeof(struct esp_hdr)); copy_iv(ivc, ivp, sa->iv_len); + break; + case ALGO_TYPE_AES_CTR: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + + /* copy iv from the input packet to the cop */ + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, + sa->iv_ofs); + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, + pofs + sizeof(struct esp_hdr)); + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); + break; + case ALGO_TYPE_NULL: + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; + sop->cipher.data.length = clen; + sop->auth.data.offset = pofs + sa->ctp.auth.offset; + sop->auth.data.length = plen - sa->ctp.auth.length; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; + + default: + return -EINVAL; } + return 0; } diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 392e8fd7b..12c061ee6 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -15,10 +15,17 @@ enum { IPSEC_PAD_DEFAULT = 4, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, }; +/* iv sizes for different algorithms */ +enum { + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), +}; + /* these definitions probably has to be in rte_crypto_sym.h */ union sym_op_ofslen { uint64_t raw; @@ -47,7 +54,17 @@ struct replay_sqn { __extension__ uint64_t window[0]; }; +/*IPSEC SA supported algorithms */ +enum sa_algo_type { + ALGO_TYPE_NULL = 0, + ALGO_TYPE_AES_CBC, + ALGO_TYPE_AES_CTR, + ALGO_TYPE_AES_GCM, + ALGO_TYPE_MAX +}; + struct rte_ipsec_sa { + uint64_t type; /* type of given SA */ uint64_t udata; /* user defined */ uint32_t size; /* size of given sa object */ @@ -65,6 +82,7 @@ struct rte_ipsec_sa { union sym_op_ofslen auth; } ctp; uint32_t salt; + uint8_t algo_type; uint8_t proto; /* next proto */ uint8_t aad_len; uint8_t hdr_len; -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang 2019-03-20 15:38 ` Fan Zhang @ 2019-03-22 11:53 ` Akhil Goyal 2019-03-22 11:53 ` Akhil Goyal 2019-03-22 12:46 ` Ananyev, Konstantin 1 sibling, 2 replies; 54+ messages in thread From: Akhil Goyal @ 2019-03-22 11:53 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev Hi Fan, On 3/20/2019 9:08 PM, Fan Zhang wrote: > This patch adds AES-CTR cipher algorithm support to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > Acked-by: Akhil Goyal <akhil.goyal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > lib/librte_ipsec/crypto.h | 17 ++++++ > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > lib/librte_ipsec/sa.h | 18 +++++++ > 3 files changed, 147 insertions(+), 21 deletions(-) > > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h > index b5f264831..4f551e39c 100644 > --- a/lib/librte_ipsec/crypto.h > +++ b/lib/librte_ipsec/crypto.h > @@ -11,6 +11,16 @@ > * by ipsec library. > */ > > +/* > + * AES-CTR counter block format. > + */ > + > +struct aesctr_cnt_blk { > + uint32_t nonce; > + uint64_t iv; > + uint32_t cnt; > +} __attribute__((packed)); > + In the v3 I gave a comment on this structure. It is not fixed. I believe cnt should be before iv. > /* > * AES-GCM devices have some specific requirements for IV and AAD formats. > * Ideally that to be done by the driver itself. > @@ -41,6 +51,13 @@ struct gcm_esph_iv { > uint64_t iv; > } __attribute__((packed)); > > +static inline void > +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) > +{ > + ctr->nonce = nonce; > + ctr->iv = iv; > + ctr->cnt = rte_cpu_to_be_32(1); > +} > > static inline void > aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 5f55c2a4e..e34dd320a 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) > static void > esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) > { > + uint8_t algo_type; > + > sa->sqn.outb.raw = 1; > > /* these params may differ with new algorithms support */ > sa->ctp.auth.offset = hlen; > sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; > - if (sa->aad_len != 0) { > + > + algo_type = sa->algo_type; > + > + switch (algo_type) { > + case ALGO_TYPE_AES_GCM: > + case ALGO_TYPE_AES_CTR: > + case ALGO_TYPE_NULL: > sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + > sa->iv_len; > sa->ctp.cipher.length = 0; > - } else { > + break; > + case ALGO_TYPE_AES_CBC: > sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); > sa->ctp.cipher.length = sa->iv_len; > + break; > } > } > > @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > RTE_IPSEC_SATP_MODE_MASK; > > if (cxf->aead != NULL) { > - /* RFC 4106 */ > - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) > + switch (cxf->aead->algo) { > + case RTE_CRYPTO_AEAD_AES_GCM: > + /* RFC 4106 */ > + sa->aad_len = sizeof(struct aead_gcm_aad); > + sa->icv_len = cxf->aead->digest_length; > + sa->iv_ofs = cxf->aead->iv.offset; > + sa->iv_len = sizeof(uint64_t); > + sa->pad_align = IPSEC_PAD_AES_GCM; > + sa->algo_type = ALGO_TYPE_AES_GCM; > + break; > + default: > return -EINVAL; > - sa->aad_len = sizeof(struct aead_gcm_aad); > - sa->icv_len = cxf->aead->digest_length; > - sa->iv_ofs = cxf->aead->iv.offset; > - sa->iv_len = sizeof(uint64_t); > - sa->pad_align = IPSEC_PAD_AES_GCM; > + } > } else { > sa->icv_len = cxf->auth->digest_length; > sa->iv_ofs = cxf->cipher->iv.offset; > sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; > - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { > + > + switch (cxf->cipher->algo) { > + case RTE_CRYPTO_CIPHER_NULL: > sa->pad_align = IPSEC_PAD_NULL; > sa->iv_len = 0; > - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { > + sa->algo_type = ALGO_TYPE_NULL; > + break; > + > + case RTE_CRYPTO_CIPHER_AES_CBC: > sa->pad_align = IPSEC_PAD_AES_CBC; > sa->iv_len = IPSEC_MAX_IV_SIZE; > - } else > + sa->algo_type = ALGO_TYPE_AES_CBC; > + break; > + > + case RTE_CRYPTO_CIPHER_AES_CTR: > + /* RFC 3686 */ > + sa->pad_align = IPSEC_PAD_AES_CTR; > + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; > + sa->algo_type = ALGO_TYPE_AES_CTR; > + break; > + > + default: > return -EINVAL; > + } > } > > sa->udata = prm->userdata; > @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > { > struct rte_crypto_sym_op *sop; > struct aead_gcm_iv *gcm; > + struct aesctr_cnt_blk *ctr; > + uint8_t algo_type = sa->algo_type; > > /* fill sym op fields */ > sop = cop->sym; > > - /* AEAD (AES_GCM) case */ > - if (sa->aad_len != 0) { > + switch (algo_type) { > + case ALGO_TYPE_AES_GCM: > + /* AEAD (AES_GCM) case */ > sop->aead.data.offset = sa->ctp.cipher.offset + hlen; > sop->aead.data.length = sa->ctp.cipher.length + plen; > sop->aead.digest.data = icv->va; > @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, > sa->iv_ofs); > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > - /* CRYPT+AUTH case */ > - } else { > + break; > + case ALGO_TYPE_AES_CBC: > + /* Cipher-Auth (AES-CBC *) case */ > + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > + sop->cipher.data.length = sa->ctp.cipher.length + plen; > + sop->auth.data.offset = sa->ctp.auth.offset + hlen; > + sop->auth.data.length = sa->ctp.auth.length + plen; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + break; > + case ALGO_TYPE_AES_CTR: > + /* Cipher-Auth (AES-CTR *) case */ > + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > + sop->cipher.data.length = sa->ctp.cipher.length + plen; > + sop->auth.data.offset = sa->ctp.auth.offset + hlen; > + sop->auth.data.length = sa->ctp.auth.length + plen; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + > + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, > + sa->iv_ofs); > + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > + break; > + case ALGO_TYPE_NULL: > + /* NULL case */ > sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > sop->cipher.data.length = sa->ctp.cipher.length + plen; > sop->auth.data.offset = sa->ctp.auth.offset + hlen; > sop->auth.data.length = sa->ctp.auth.length + plen; > sop->auth.digest.data = icv->va; > sop->auth.digest.phys_addr = icv->pa; > + break; > + default: > + break; > } > } > > @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, > { > uint32_t *psqh; > struct aead_gcm_aad *aad; > + uint8_t algo_type = sa->algo_type; > > /* insert SQN.hi between ESP trailer and ICV */ > if (sa->sqh_len != 0) { > @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, > * fill IV and AAD fields, if any (aad fields are placed after icv), > * right now we support only one AEAD algorithm: AES-GCM . > */ > - if (sa->aad_len != 0) { > + if (algo_type == ALGO_TYPE_AES_GCM) { > aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); > aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); > } > @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > { > struct rte_crypto_sym_op *sop; > struct aead_gcm_iv *gcm; > + struct aesctr_cnt_blk *ctr; > uint64_t *ivc, *ivp; > uint32_t clen; > + uint8_t algo_type = sa->algo_type; > > clen = plen - sa->ctp.cipher.length; > if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) > @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > /* fill sym op fields */ > sop = cop->sym; > > - /* AEAD (AES_GCM) case */ > - if (sa->aad_len != 0) { > + switch (algo_type) { > + case ALGO_TYPE_AES_GCM: > sop->aead.data.offset = pofs + sa->ctp.cipher.offset; > sop->aead.data.length = clen; > sop->aead.digest.data = icv->va; > @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, > pofs + sizeof(struct esp_hdr)); > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > - /* CRYPT+AUTH case */ > - } else { > + break; > + case ALGO_TYPE_AES_CBC: > sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > sop->cipher.data.length = clen; > sop->auth.data.offset = pofs + sa->ctp.auth.offset; > @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, > pofs + sizeof(struct esp_hdr)); > copy_iv(ivc, ivp, sa->iv_len); > + break; > + case ALGO_TYPE_AES_CTR: > + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > + sop->cipher.data.length = clen; > + sop->auth.data.offset = pofs + sa->ctp.auth.offset; > + sop->auth.data.length = plen - sa->ctp.auth.length; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + > + /* copy iv from the input packet to the cop */ > + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, > + sa->iv_ofs); > + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, > + pofs + sizeof(struct esp_hdr)); > + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > + break; > + case ALGO_TYPE_NULL: > + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > + sop->cipher.data.length = clen; > + sop->auth.data.offset = pofs + sa->ctp.auth.offset; > + sop->auth.data.length = plen - sa->ctp.auth.length; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + break; > + > + default: > + return -EINVAL; > } > + > return 0; > } > > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index 392e8fd7b..12c061ee6 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -15,10 +15,17 @@ > enum { > IPSEC_PAD_DEFAULT = 4, > IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, > + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, > IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, > }; > > +/* iv sizes for different algorithms */ > +enum { > + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, > + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), > +}; > + > /* these definitions probably has to be in rte_crypto_sym.h */ > union sym_op_ofslen { > uint64_t raw; > @@ -47,7 +54,17 @@ struct replay_sqn { > __extension__ uint64_t window[0]; > }; > > +/*IPSEC SA supported algorithms */ > +enum sa_algo_type { > + ALGO_TYPE_NULL = 0, > + ALGO_TYPE_AES_CBC, > + ALGO_TYPE_AES_CTR, > + ALGO_TYPE_AES_GCM, > + ALGO_TYPE_MAX > +}; > + > struct rte_ipsec_sa { > + > uint64_t type; /* type of given SA */ > uint64_t udata; /* user defined */ > uint32_t size; /* size of given sa object */ > @@ -65,6 +82,7 @@ struct rte_ipsec_sa { > union sym_op_ofslen auth; > } ctp; > uint32_t salt; > + uint8_t algo_type; > uint8_t proto; /* next proto */ > uint8_t aad_len; > uint8_t hdr_len; ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-22 11:53 ` Akhil Goyal @ 2019-03-22 11:53 ` Akhil Goyal 2019-03-22 12:46 ` Ananyev, Konstantin 1 sibling, 0 replies; 54+ messages in thread From: Akhil Goyal @ 2019-03-22 11:53 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev Hi Fan, On 3/20/2019 9:08 PM, Fan Zhang wrote: > This patch adds AES-CTR cipher algorithm support to ipsec > library. > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > Acked-by: Akhil Goyal <akhil.goyal@nxp.com> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > --- > lib/librte_ipsec/crypto.h | 17 ++++++ > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > lib/librte_ipsec/sa.h | 18 +++++++ > 3 files changed, 147 insertions(+), 21 deletions(-) > > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h > index b5f264831..4f551e39c 100644 > --- a/lib/librte_ipsec/crypto.h > +++ b/lib/librte_ipsec/crypto.h > @@ -11,6 +11,16 @@ > * by ipsec library. > */ > > +/* > + * AES-CTR counter block format. > + */ > + > +struct aesctr_cnt_blk { > + uint32_t nonce; > + uint64_t iv; > + uint32_t cnt; > +} __attribute__((packed)); > + In the v3 I gave a comment on this structure. It is not fixed. I believe cnt should be before iv. > /* > * AES-GCM devices have some specific requirements for IV and AAD formats. > * Ideally that to be done by the driver itself. > @@ -41,6 +51,13 @@ struct gcm_esph_iv { > uint64_t iv; > } __attribute__((packed)); > > +static inline void > +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce) > +{ > + ctr->nonce = nonce; > + ctr->iv = iv; > + ctr->cnt = rte_cpu_to_be_32(1); > +} > > static inline void > aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt) > diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c > index 5f55c2a4e..e34dd320a 100644 > --- a/lib/librte_ipsec/sa.c > +++ b/lib/librte_ipsec/sa.c > @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm) > static void > esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) > { > + uint8_t algo_type; > + > sa->sqn.outb.raw = 1; > > /* these params may differ with new algorithms support */ > sa->ctp.auth.offset = hlen; > sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len; > - if (sa->aad_len != 0) { > + > + algo_type = sa->algo_type; > + > + switch (algo_type) { > + case ALGO_TYPE_AES_GCM: > + case ALGO_TYPE_AES_CTR: > + case ALGO_TYPE_NULL: > sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) + > sa->iv_len; > sa->ctp.cipher.length = 0; > - } else { > + break; > + case ALGO_TYPE_AES_CBC: > sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); > sa->ctp.cipher.length = sa->iv_len; > + break; > } > } > > @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, > RTE_IPSEC_SATP_MODE_MASK; > > if (cxf->aead != NULL) { > - /* RFC 4106 */ > - if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM) > + switch (cxf->aead->algo) { > + case RTE_CRYPTO_AEAD_AES_GCM: > + /* RFC 4106 */ > + sa->aad_len = sizeof(struct aead_gcm_aad); > + sa->icv_len = cxf->aead->digest_length; > + sa->iv_ofs = cxf->aead->iv.offset; > + sa->iv_len = sizeof(uint64_t); > + sa->pad_align = IPSEC_PAD_AES_GCM; > + sa->algo_type = ALGO_TYPE_AES_GCM; > + break; > + default: > return -EINVAL; > - sa->aad_len = sizeof(struct aead_gcm_aad); > - sa->icv_len = cxf->aead->digest_length; > - sa->iv_ofs = cxf->aead->iv.offset; > - sa->iv_len = sizeof(uint64_t); > - sa->pad_align = IPSEC_PAD_AES_GCM; > + } > } else { > sa->icv_len = cxf->auth->digest_length; > sa->iv_ofs = cxf->cipher->iv.offset; > sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0; > - if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) { > + > + switch (cxf->cipher->algo) { > + case RTE_CRYPTO_CIPHER_NULL: > sa->pad_align = IPSEC_PAD_NULL; > sa->iv_len = 0; > - } else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) { > + sa->algo_type = ALGO_TYPE_NULL; > + break; > + > + case RTE_CRYPTO_CIPHER_AES_CBC: > sa->pad_align = IPSEC_PAD_AES_CBC; > sa->iv_len = IPSEC_MAX_IV_SIZE; > - } else > + sa->algo_type = ALGO_TYPE_AES_CBC; > + break; > + > + case RTE_CRYPTO_CIPHER_AES_CTR: > + /* RFC 3686 */ > + sa->pad_align = IPSEC_PAD_AES_CTR; > + sa->iv_len = IPSEC_AES_CTR_IV_SIZE; > + sa->algo_type = ALGO_TYPE_AES_CTR; > + break; > + > + default: > return -EINVAL; > + } > } > > sa->udata = prm->userdata; > @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > { > struct rte_crypto_sym_op *sop; > struct aead_gcm_iv *gcm; > + struct aesctr_cnt_blk *ctr; > + uint8_t algo_type = sa->algo_type; > > /* fill sym op fields */ > sop = cop->sym; > > - /* AEAD (AES_GCM) case */ > - if (sa->aad_len != 0) { > + switch (algo_type) { > + case ALGO_TYPE_AES_GCM: > + /* AEAD (AES_GCM) case */ > sop->aead.data.offset = sa->ctp.cipher.offset + hlen; > sop->aead.data.length = sa->ctp.cipher.length + plen; > sop->aead.digest.data = icv->va; > @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, > gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *, > sa->iv_ofs); > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > - /* CRYPT+AUTH case */ > - } else { > + break; > + case ALGO_TYPE_AES_CBC: > + /* Cipher-Auth (AES-CBC *) case */ > + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > + sop->cipher.data.length = sa->ctp.cipher.length + plen; > + sop->auth.data.offset = sa->ctp.auth.offset + hlen; > + sop->auth.data.length = sa->ctp.auth.length + plen; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + break; > + case ALGO_TYPE_AES_CTR: > + /* Cipher-Auth (AES-CTR *) case */ > + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > + sop->cipher.data.length = sa->ctp.cipher.length + plen; > + sop->auth.data.offset = sa->ctp.auth.offset + hlen; > + sop->auth.data.length = sa->ctp.auth.length + plen; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + > + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, > + sa->iv_ofs); > + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > + break; > + case ALGO_TYPE_NULL: > + /* NULL case */ > sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; > sop->cipher.data.length = sa->ctp.cipher.length + plen; > sop->auth.data.offset = sa->ctp.auth.offset + hlen; > sop->auth.data.length = sa->ctp.auth.length + plen; > sop->auth.digest.data = icv->va; > sop->auth.digest.phys_addr = icv->pa; > + break; > + default: > + break; > } > } > > @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, > { > uint32_t *psqh; > struct aead_gcm_aad *aad; > + uint8_t algo_type = sa->algo_type; > > /* insert SQN.hi between ESP trailer and ICV */ > if (sa->sqh_len != 0) { > @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc, > * fill IV and AAD fields, if any (aad fields are placed after icv), > * right now we support only one AEAD algorithm: AES-GCM . > */ > - if (sa->aad_len != 0) { > + if (algo_type == ALGO_TYPE_AES_GCM) { > aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len); > aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa)); > } > @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > { > struct rte_crypto_sym_op *sop; > struct aead_gcm_iv *gcm; > + struct aesctr_cnt_blk *ctr; > uint64_t *ivc, *ivp; > uint32_t clen; > + uint8_t algo_type = sa->algo_type; > > clen = plen - sa->ctp.cipher.length; > if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0) > @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > /* fill sym op fields */ > sop = cop->sym; > > - /* AEAD (AES_GCM) case */ > - if (sa->aad_len != 0) { > + switch (algo_type) { > + case ALGO_TYPE_AES_GCM: > sop->aead.data.offset = pofs + sa->ctp.cipher.offset; > sop->aead.data.length = clen; > sop->aead.digest.data = icv->va; > @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, > pofs + sizeof(struct esp_hdr)); > aead_gcm_iv_fill(gcm, ivp[0], sa->salt); > - /* CRYPT+AUTH case */ > - } else { > + break; > + case ALGO_TYPE_AES_CBC: > sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > sop->cipher.data.length = clen; > sop->auth.data.offset = pofs + sa->ctp.auth.offset; > @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, > ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, > pofs + sizeof(struct esp_hdr)); > copy_iv(ivc, ivp, sa->iv_len); > + break; > + case ALGO_TYPE_AES_CTR: > + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > + sop->cipher.data.length = clen; > + sop->auth.data.offset = pofs + sa->ctp.auth.offset; > + sop->auth.data.length = plen - sa->ctp.auth.length; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + > + /* copy iv from the input packet to the cop */ > + ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *, > + sa->iv_ofs); > + ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *, > + pofs + sizeof(struct esp_hdr)); > + aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); > + break; > + case ALGO_TYPE_NULL: > + sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; > + sop->cipher.data.length = clen; > + sop->auth.data.offset = pofs + sa->ctp.auth.offset; > + sop->auth.data.length = plen - sa->ctp.auth.length; > + sop->auth.digest.data = icv->va; > + sop->auth.digest.phys_addr = icv->pa; > + break; > + > + default: > + return -EINVAL; > } > + > return 0; > } > > diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h > index 392e8fd7b..12c061ee6 100644 > --- a/lib/librte_ipsec/sa.h > +++ b/lib/librte_ipsec/sa.h > @@ -15,10 +15,17 @@ > enum { > IPSEC_PAD_DEFAULT = 4, > IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, > + IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, > IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, > IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT, > }; > > +/* iv sizes for different algorithms */ > +enum { > + IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, > + IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), > +}; > + > /* these definitions probably has to be in rte_crypto_sym.h */ > union sym_op_ofslen { > uint64_t raw; > @@ -47,7 +54,17 @@ struct replay_sqn { > __extension__ uint64_t window[0]; > }; > > +/*IPSEC SA supported algorithms */ > +enum sa_algo_type { > + ALGO_TYPE_NULL = 0, > + ALGO_TYPE_AES_CBC, > + ALGO_TYPE_AES_CTR, > + ALGO_TYPE_AES_GCM, > + ALGO_TYPE_MAX > +}; > + > struct rte_ipsec_sa { > + > uint64_t type; /* type of given SA */ > uint64_t udata; /* user defined */ > uint32_t size; /* size of given sa object */ > @@ -65,6 +82,7 @@ struct rte_ipsec_sa { > union sym_op_ofslen auth; > } ctp; > uint32_t salt; > + uint8_t algo_type; > uint8_t proto; /* next proto */ > uint8_t aad_len; > uint8_t hdr_len; ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-22 11:53 ` Akhil Goyal 2019-03-22 11:53 ` Akhil Goyal @ 2019-03-22 12:46 ` Ananyev, Konstantin 2019-03-22 12:46 ` Ananyev, Konstantin 2019-03-22 13:01 ` Akhil Goyal 1 sibling, 2 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-03-22 12:46 UTC (permalink / raw) To: Akhil Goyal, Zhang, Roy Fan, dev Hi Akhil, > > On 3/20/2019 9:08 PM, Fan Zhang wrote: > > This patch adds AES-CTR cipher algorithm support to ipsec > > library. > > > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > > Acked-by: Akhil Goyal <akhil.goyal@nxp.com> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > --- > > lib/librte_ipsec/crypto.h | 17 ++++++ > > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > > lib/librte_ipsec/sa.h | 18 +++++++ > > 3 files changed, 147 insertions(+), 21 deletions(-) > > > > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h > > index b5f264831..4f551e39c 100644 > > --- a/lib/librte_ipsec/crypto.h > > +++ b/lib/librte_ipsec/crypto.h > > @@ -11,6 +11,16 @@ > > * by ipsec library. > > */ > > > > +/* > > + * AES-CTR counter block format. > > + */ > > + > > +struct aesctr_cnt_blk { > > + uint32_t nonce; > > + uint64_t iv; > > + uint32_t cnt; > > +} __attribute__((packed)); > > + > In the v3 I gave a comment on this structure. It is not fixed. > I believe cnt should be before iv. Could you explain, what makes you think that way? https://tools.ietf.org/html/rfc3686#section-4 clearly stays that format of the counter block should be the following: nonce; IV; counter. Original ipsec-secgw app uses the same format: struct cnt_blk { uint32_t salt; uint64_t iv; uint32_t cnt; } __attribute__((packed)); So I believe format above is correct one. Again this series introduces new test-case specially for CTR algo: examples/ipsec-secgw/test/*ctr*.sh and they do pass on both aesni_mb and QAT device. Konstantin ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-22 12:46 ` Ananyev, Konstantin @ 2019-03-22 12:46 ` Ananyev, Konstantin 2019-03-22 13:01 ` Akhil Goyal 1 sibling, 0 replies; 54+ messages in thread From: Ananyev, Konstantin @ 2019-03-22 12:46 UTC (permalink / raw) To: Akhil Goyal, Zhang, Roy Fan, dev Hi Akhil, > > On 3/20/2019 9:08 PM, Fan Zhang wrote: > > This patch adds AES-CTR cipher algorithm support to ipsec > > library. > > > > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> > > Acked-by: Akhil Goyal <akhil.goyal@nxp.com> > > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> > > --- > > lib/librte_ipsec/crypto.h | 17 ++++++ > > lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- > > lib/librte_ipsec/sa.h | 18 +++++++ > > 3 files changed, 147 insertions(+), 21 deletions(-) > > > > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h > > index b5f264831..4f551e39c 100644 > > --- a/lib/librte_ipsec/crypto.h > > +++ b/lib/librte_ipsec/crypto.h > > @@ -11,6 +11,16 @@ > > * by ipsec library. > > */ > > > > +/* > > + * AES-CTR counter block format. > > + */ > > + > > +struct aesctr_cnt_blk { > > + uint32_t nonce; > > + uint64_t iv; > > + uint32_t cnt; > > +} __attribute__((packed)); > > + > In the v3 I gave a comment on this structure. It is not fixed. > I believe cnt should be before iv. Could you explain, what makes you think that way? https://tools.ietf.org/html/rfc3686#section-4 clearly stays that format of the counter block should be the following: nonce; IV; counter. Original ipsec-secgw app uses the same format: struct cnt_blk { uint32_t salt; uint64_t iv; uint32_t cnt; } __attribute__((packed)); So I believe format above is correct one. Again this series introduces new test-case specially for CTR algo: examples/ipsec-secgw/test/*ctr*.sh and they do pass on both aesni_mb and QAT device. Konstantin ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-22 12:46 ` Ananyev, Konstantin 2019-03-22 12:46 ` Ananyev, Konstantin @ 2019-03-22 13:01 ` Akhil Goyal 2019-03-22 13:01 ` Akhil Goyal 1 sibling, 1 reply; 54+ messages in thread From: Akhil Goyal @ 2019-03-22 13:01 UTC (permalink / raw) To: Ananyev, Konstantin, Zhang, Roy Fan, dev Hi Konstantin, On 3/22/2019 6:16 PM, Ananyev, Konstantin wrote: > Hi Akhil, > >> On 3/20/2019 9:08 PM, Fan Zhang wrote: >>> This patch adds AES-CTR cipher algorithm support to ipsec >>> library. >>> >>> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> >>> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> >>> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> >>> --- >>> lib/librte_ipsec/crypto.h | 17 ++++++ >>> lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- >>> lib/librte_ipsec/sa.h | 18 +++++++ >>> 3 files changed, 147 insertions(+), 21 deletions(-) >>> >>> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h >>> index b5f264831..4f551e39c 100644 >>> --- a/lib/librte_ipsec/crypto.h >>> +++ b/lib/librte_ipsec/crypto.h >>> @@ -11,6 +11,16 @@ >>> * by ipsec library. >>> */ >>> >>> +/* >>> + * AES-CTR counter block format. >>> + */ >>> + >>> +struct aesctr_cnt_blk { >>> + uint32_t nonce; >>> + uint64_t iv; >>> + uint32_t cnt; >>> +} __attribute__((packed)); >>> + >> In the v3 I gave a comment on this structure. It is not fixed. >> I believe cnt should be before iv. > Could you explain, what makes you think that way? > https://tools.ietf.org/html/rfc3686#section-4 > clearly stays that format of the counter block should be the following: > nonce; IV; counter. > Original ipsec-secgw app uses the same format: > struct cnt_blk { > uint32_t salt; > uint64_t iv; > uint32_t cnt; > } __attribute__((packed)); > > So I believe format above is correct one. > Again this series introduces new test-case specially for CTR algo: > examples/ipsec-secgw/test/*ctr*.sh > and they do pass on both aesni_mb and QAT device. > Konstantin Got it. Thanks for correcting me. ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR 2019-03-22 13:01 ` Akhil Goyal @ 2019-03-22 13:01 ` Akhil Goyal 0 siblings, 0 replies; 54+ messages in thread From: Akhil Goyal @ 2019-03-22 13:01 UTC (permalink / raw) To: Ananyev, Konstantin, Zhang, Roy Fan, dev Hi Konstantin, On 3/22/2019 6:16 PM, Ananyev, Konstantin wrote: > Hi Akhil, > >> On 3/20/2019 9:08 PM, Fan Zhang wrote: >>> This patch adds AES-CTR cipher algorithm support to ipsec >>> library. >>> >>> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> >>> Acked-by: Akhil Goyal <akhil.goyal@nxp.com> >>> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> >>> --- >>> lib/librte_ipsec/crypto.h | 17 ++++++ >>> lib/librte_ipsec/sa.c | 133 ++++++++++++++++++++++++++++++++++++++-------- >>> lib/librte_ipsec/sa.h | 18 +++++++ >>> 3 files changed, 147 insertions(+), 21 deletions(-) >>> >>> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h >>> index b5f264831..4f551e39c 100644 >>> --- a/lib/librte_ipsec/crypto.h >>> +++ b/lib/librte_ipsec/crypto.h >>> @@ -11,6 +11,16 @@ >>> * by ipsec library. >>> */ >>> >>> +/* >>> + * AES-CTR counter block format. >>> + */ >>> + >>> +struct aesctr_cnt_blk { >>> + uint32_t nonce; >>> + uint64_t iv; >>> + uint32_t cnt; >>> +} __attribute__((packed)); >>> + >> In the v3 I gave a comment on this structure. It is not fixed. >> I believe cnt should be before iv. > Could you explain, what makes you think that way? > https://tools.ietf.org/html/rfc3686#section-4 > clearly stays that format of the counter block should be the following: > nonce; IV; counter. > Original ipsec-secgw app uses the same format: > struct cnt_blk { > uint32_t salt; > uint64_t iv; > uint32_t cnt; > } __attribute__((packed)); > > So I believe format above is correct one. > Again this series introduces new test-case specially for CTR algo: > examples/ipsec-secgw/test/*ctr*.sh > and they do pass on both aesni_mb and QAT device. > Konstantin Got it. Thanks for correcting me. ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang ` (3 subsequent siblings) 6 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 10 +++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 441 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 693c70cd1..8dc574b50 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..a6e363125 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,15 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_old \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_old \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Updated a bit on common_defs to use "mktemp" instead of "tempfile" as Fedora does not like the command. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- examples/ipsec-secgw/test/common_defs.sh | 4 +- examples/ipsec-secgw/test/run_test.sh | 10 +++- .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++++++++++++ examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 +++++++++++++++++++++ .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++++++++++++ .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 ++ .../test/tun_aesctr_sha1_common_defs.sh | 68 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 ++++++++++++++++++++++ .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 ++++++++++++++++++++++ .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 ++ 12 files changed, 441 insertions(+), 3 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh index 693c70cd1..8dc574b50 100644 --- a/examples/ipsec-secgw/test/common_defs.sh +++ b/examples/ipsec-secgw/test/common_defs.sh @@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}" SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})" SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\"" -SGW_CFG_FILE=$(tempfile) +SGW_CFG_FILE=$(mktemp) # configure local host/ifaces config_local_iface() @@ -129,7 +129,7 @@ config6_iface() #start ipsec-secgw secgw_start() { - SGW_EXEC_FILE=$(tempfile) + SGW_EXEC_FILE=$(mktemp) cat <<EOF > ${SGW_EXEC_FILE} ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \ --vdev="net_tap0,mac=fixed" \ diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 6dc0ce54e..a6e363125 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,7 +32,15 @@ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ tun_aesgcm_old \ trs_aescbc_sha1_old \ -trs_aesgcm_old" +trs_aesgcm_old \ +tun_aesctr_sha1 \ +tun_aesctr_sha1_old \ +tun_aesctr_sha1_esn \ +tun_aesctr_sha1_esn_atom \ +trs_aesctr_sha1 \ +trs_aesctr_sha1_old \ +trs_aesctr_sha1_esn \ +trs_aesctr_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..9c213e3cc --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -0,0 +1,69 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh new file mode 100644 index 000000000..73642f881 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..17c81c267 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..e401a4bed --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..3aa071229 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh new file mode 100644 index 000000000..a3ac3a698 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -0,0 +1,68 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo aes-128-ctr \ +cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh new file mode 100644 index 000000000..3710f897c --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..7dcfc3218 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh new file mode 100644 index 000000000..c3ce11da1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh new file mode 100644 index 000000000..26f0d0290 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (2 preceding siblings ...) 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang ` (2 subsequent siblings) 6 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 28 insertions(+), 18 deletions(-) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..2eb6bae07 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.length = 0; break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; @@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES_CBC; + break; + default: return -EINVAL; } @@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sop = cop->sym; switch (algo_type) { + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + case ALGO_TYPE_3DES_CBC: + /* Cipher-Auth (3DES-CBC *) case */ + case ALGO_TYPE_NULL: + /* NULL case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; @@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; - case ALGO_TYPE_AES_CBC: - /* Cipher-Auth (AES-CBC *) case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; - case ALGO_TYPE_NULL: - /* NULL case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; default: break; } @@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..c3a0d84bc 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = 8, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES_CBC, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds triple-des CBC mode cipher algorithm to ipsec library. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------ lib/librte_ipsec/sa.h | 6 ++++++ 2 files changed, 28 insertions(+), 18 deletions(-) diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index e34dd320a..2eb6bae07 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen) sa->ctp.cipher.length = 0; break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr); sa->ctp.cipher.length = sa->iv_len; break; @@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, sa->algo_type = ALGO_TYPE_AES_CTR; break; + case RTE_CRYPTO_CIPHER_3DES_CBC: + /* RFC 1851 */ + sa->pad_align = IPSEC_PAD_3DES_CBC; + sa->iv_len = IPSEC_3DES_IV_SIZE; + sa->algo_type = ALGO_TYPE_3DES_CBC; + break; + default: return -EINVAL; } @@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sop = cop->sym; switch (algo_type) { + case ALGO_TYPE_AES_CBC: + /* Cipher-Auth (AES-CBC *) case */ + case ALGO_TYPE_3DES_CBC: + /* Cipher-Auth (3DES-CBC *) case */ + case ALGO_TYPE_NULL: + /* NULL case */ + sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; + sop->cipher.data.length = sa->ctp.cipher.length + plen; + sop->auth.data.offset = sa->ctp.auth.offset + hlen; + sop->auth.data.length = sa->ctp.auth.length + plen; + sop->auth.digest.data = icv->va; + sop->auth.digest.phys_addr = icv->pa; + break; case ALGO_TYPE_AES_GCM: /* AEAD (AES_GCM) case */ sop->aead.data.offset = sa->ctp.cipher.offset + hlen; @@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; - case ALGO_TYPE_AES_CBC: - /* Cipher-Auth (AES-CBC *) case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; case ALGO_TYPE_AES_CTR: /* Cipher-Auth (AES-CTR *) case */ sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; @@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop, sa->iv_ofs); aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt); break; - case ALGO_TYPE_NULL: - /* NULL case */ - sop->cipher.data.offset = sa->ctp.cipher.offset + hlen; - sop->cipher.data.length = sa->ctp.cipher.length + plen; - sop->auth.data.offset = sa->ctp.auth.offset + hlen; - sop->auth.data.length = sa->ctp.auth.length + plen; - sop->auth.digest.data = icv->va; - sop->auth.digest.phys_addr = icv->pa; - break; default: break; } @@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop, aead_gcm_iv_fill(gcm, ivp[0], sa->salt); break; case ALGO_TYPE_AES_CBC: + case ALGO_TYPE_3DES_CBC: sop->cipher.data.offset = pofs + sa->ctp.cipher.offset; sop->cipher.data.length = clen; sop->auth.data.offset = pofs + sa->ctp.auth.offset; diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 12c061ee6..c3a0d84bc 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -14,6 +14,7 @@ /* padding alignment for different algorithms */ enum { IPSEC_PAD_DEFAULT = 4, + IPSEC_PAD_3DES_CBC = 8, IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE, IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT, IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT, @@ -24,6 +25,10 @@ enum { enum { IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE, IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t), + /* TripleDES supports IV size of 32bits or 64bits but he library + * only supports 64bits. + */ + IPSEC_3DES_IV_SIZE = sizeof(uint64_t), }; /* these definitions probably has to be in rte_crypto_sym.h */ @@ -57,6 +62,7 @@ struct replay_sqn { /*IPSEC SA supported algorithms */ enum sa_algo_type { ALGO_TYPE_NULL = 0, + ALGO_TYPE_3DES_CBC, ALGO_TYPE_AES_CBC, ALGO_TYPE_AES_CTR, ALGO_TYPE_AES_GCM, -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (3 preceding siblings ...) 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang 2019-03-22 14:59 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal 6 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 10 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 447 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index a6e363125..d8c4b6625 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -40,7 +40,15 @@ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ trs_aesctr_sha1_old \ trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom" +trs_aesctr_sha1_esn_atom \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_old \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_old \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch adds the functional test scripts to ipsec-secgw sample application for both transport and tunnel working mode. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- examples/ipsec-secgw/test/run_test.sh | 10 ++- .../test/trs_3descbc_sha1_common_defs.sh | 73 ++++++++++++++++++++++ examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++ .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 +++++++++++++++++++ .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 ++ .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++++++++++++ examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++ .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 ++ .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++++++++++++ .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 ++ 11 files changed, 447 insertions(+), 1 deletion(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index a6e363125..d8c4b6625 100644 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -40,7 +40,15 @@ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ trs_aesctr_sha1_old \ trs_aesctr_sha1_esn \ -trs_aesctr_sha1_esn_atom" +trs_aesctr_sha1_esn_atom \ +tun_3descbc_sha1 \ +tun_3descbc_sha1_old \ +tun_3descbc_sha1_esn \ +tun_3descbc_sha1_esn_atom \ +trs_3descbc_sha1 \ +trs_3descbc_sha1_old \ +trs_3descbc_sha1_esn \ +trs_3descbc_sha1_esn_atom" DIR=`dirname $0` diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..bb4cef6a9 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -0,0 +1,73 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#SP in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#SA out rules +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode transport + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh new file mode 100644 index 000000000..31f94492f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..d7439ad15 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..e4283f3dd --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh @@ -0,0 +1,66 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl proto esp mode transport reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl proto esp mode transport reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..ffd945bac --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh new file mode 100644 index 000000000..dd802d6be --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -0,0 +1,72 @@ +#! /bin/bash + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +#generate cfg file for ipsec-secgw +config_secgw() +{ + cat <<EOF > ${SGW_CFG_FILE} +#sp in IPv4 rules +sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv4 rules +sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \ +sport 0:65535 dport 0:65535 +sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#sp in IPv6 rules +sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SP out IPv6 rules +sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \ +sport 0:65535 dport 0:65535 +sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535 + +#SA in rules +sa in 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} + +sa in 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} + +#SA out rules +sa out 7 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} + +sa out 9 cipher_algo 3des-cbc \ +cipher_key \ +de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +auth_algo sha1-hmac \ +auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} + +#Routing rules +rt ipv4 dst ${REMOTE_IPV4}/32 port 0 +rt ipv4 dst ${LOCAL_IPV4}/32 port 1 + +rt ipv6 dst ${REMOTE_IPV6}/128 port 0 +rt ipv6 dst ${LOCAL_IPV6}/128 port 1 + +#neighbours +neigh port 0 ${REMOTE_MAC} +neigh port 1 ${LOCAL_MAC} +EOF + + cat ${SGW_CFG_FILE} +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh new file mode 100644 index 000000000..2bbe14292 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh new file mode 100644 index 000000000..1d8e36cbd --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_esn_defs.sh + +SGW_CMD_XPRM='-e -a -w 300' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh new file mode 100644 index 000000000..98349c7bc --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh @@ -0,0 +1,70 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_common_defs.sh + +SGW_CMD_XPRM='-e -w 300' + +config_remote_xfrm() +{ + ssh ${REMOTE_HOST} ip xfrm policy flush + ssh ${REMOTE_HOST} ip xfrm state flush + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp mode tunnel reqid 1 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp mode tunnel reqid 2 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \ +proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \ +proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} + +config6_remote_xfrm() +{ + config_remote_xfrm + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +dir out ptype main action allow \ +tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp mode tunnel reqid 3 + + ssh ${REMOTE_HOST} ip xfrm policy add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +dir in ptype main action allow \ +tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp mode tunnel reqid 4 + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \ +proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm state add \ +src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \ +proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \ +auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \ +enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef + + ssh ${REMOTE_HOST} ip xfrm policy list + ssh ${REMOTE_HOST} ip xfrm state list +} diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh new file mode 100644 index 000000000..eaf248ad1 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CMD_XPRM= -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 5/5] doc: update release note 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (4 preceding siblings ...) 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-22 14:59 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal 6 siblings, 1 reply; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch updates the 19.05 release note with IPsec library updates for the newly added AES-CTR and 3DES-CBC algorithm support. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- doc/guides/rel_notes/release_19_05.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/guides/rel_notes/release_19_05.rst b/doc/guides/rel_notes/release_19_05.rst index bbc5e5b61..4c12db7bb 100644 --- a/doc/guides/rel_notes/release_19_05.rst +++ b/doc/guides/rel_notes/release_19_05.rst @@ -91,6 +91,12 @@ New Features * Added promiscuous mode support. +* **Updated the IPsec library.** + + The IPsec library has been updated with AES-CTR and 3DES-CBC cipher algorithms + support. The ipsec-secgw sample application test scripts have also been updated + with these two algorithms' testing as well. + Removed Items ------------- -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* [dpdk-dev] [PATCH v5 5/5] doc: update release note 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang @ 2019-03-20 15:38 ` Fan Zhang 0 siblings, 0 replies; 54+ messages in thread From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw) To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev This patch updates the 19.05 release note with IPsec library updates for the newly added AES-CTR and 3DES-CBC algorithm support. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> --- doc/guides/rel_notes/release_19_05.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/guides/rel_notes/release_19_05.rst b/doc/guides/rel_notes/release_19_05.rst index bbc5e5b61..4c12db7bb 100644 --- a/doc/guides/rel_notes/release_19_05.rst +++ b/doc/guides/rel_notes/release_19_05.rst @@ -91,6 +91,12 @@ New Features * Added promiscuous mode support. +* **Updated the IPsec library.** + + The IPsec library has been updated with AES-CTR and 3DES-CBC cipher algorithms + support. The ipsec-secgw sample application test scripts have also been updated + with these two algorithms' testing as well. + Removed Items ------------- -- 2.14.5 ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang ` (5 preceding siblings ...) 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang @ 2019-03-22 14:59 ` Akhil Goyal 2019-03-22 14:59 ` Akhil Goyal 6 siblings, 1 reply; 54+ messages in thread From: Akhil Goyal @ 2019-03-22 14:59 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev On 3/20/2019 9:08 PM, Fan Zhang wrote: > This patchset adds the AES-CTR and 3DES-CBC cipher algorithms > support to ipsec library. The test scripts for ipsec-secgw > sample application are added. > > v5: > - updated ipsec-secgw run_test.sh script > - updated release note > > v4: > - changed patch titles. > - changed ALGO_TYPE naming for 3DES-CBC > > v3: > - fixed a bug in 3DES. > > v2: > - removed unsupported tests. > > Fan Zhang (5): > ipsec: support AES-CTR > ipsec-secgw: add test scripts for aes ctr > ipsec: support 3DES-CBC > ipsec-secgw: add 3des test files > doc: update release note > > doc/guides/rel_notes/release_19_05.rst | 6 + > examples/ipsec-secgw/test/common_defs.sh | 4 +- > examples/ipsec-secgw/test/run_test.sh | 18 ++- > .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ > examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ > .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ > .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + > .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ > examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ > .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ > .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + > .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ > examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ > .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ > .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + > .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ > examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ > .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ > .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + > lib/librte_ipsec/crypto.h | 17 +++ > lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- > lib/librte_ipsec/sa.h | 24 ++++ > 26 files changed, 1050 insertions(+), 24 deletions(-) > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh > series applied to dpdk-next-crypto Thanks. ^ permalink raw reply [flat|nested] 54+ messages in thread
* Re: [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC 2019-03-22 14:59 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal @ 2019-03-22 14:59 ` Akhil Goyal 0 siblings, 0 replies; 54+ messages in thread From: Akhil Goyal @ 2019-03-22 14:59 UTC (permalink / raw) To: Fan Zhang, dev; +Cc: konstantin.ananyev On 3/20/2019 9:08 PM, Fan Zhang wrote: > This patchset adds the AES-CTR and 3DES-CBC cipher algorithms > support to ipsec library. The test scripts for ipsec-secgw > sample application are added. > > v5: > - updated ipsec-secgw run_test.sh script > - updated release note > > v4: > - changed patch titles. > - changed ALGO_TYPE naming for 3DES-CBC > > v3: > - fixed a bug in 3DES. > > v2: > - removed unsupported tests. > > Fan Zhang (5): > ipsec: support AES-CTR > ipsec-secgw: add test scripts for aes ctr > ipsec: support 3DES-CBC > ipsec-secgw: add 3des test files > doc: update release note > > doc/guides/rel_notes/release_19_05.rst | 6 + > examples/ipsec-secgw/test/common_defs.sh | 4 +- > examples/ipsec-secgw/test/run_test.sh | 18 ++- > .../test/trs_3descbc_sha1_common_defs.sh | 73 +++++++++++ > examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++ > .../test/trs_3descbc_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh | 66 ++++++++++ > .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh | 5 + > .../test/trs_aesctr_sha1_common_defs.sh | 69 +++++++++++ > examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh | 67 ++++++++++ > .../test/trs_aesctr_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh | 66 ++++++++++ > .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh | 5 + > .../test/tun_3descbc_sha1_common_defs.sh | 72 +++++++++++ > examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++ > .../test/tun_3descbc_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh | 70 +++++++++++ > .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh | 5 + > .../test/tun_aesctr_sha1_common_defs.sh | 68 ++++++++++ > examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh | 70 +++++++++++ > .../test/tun_aesctr_sha1_esn_atom_defs.sh | 5 + > .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh | 70 +++++++++++ > .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh | 5 + > lib/librte_ipsec/crypto.h | 17 +++ > lib/librte_ipsec/sa.c | 137 +++++++++++++++++---- > lib/librte_ipsec/sa.h | 24 ++++ > 26 files changed, 1050 insertions(+), 24 deletions(-) > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh > create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh > series applied to dpdk-next-crypto Thanks. ^ permalink raw reply [flat|nested] 54+ messages in thread
end of thread, other threads:[~2019-03-22 14:59 UTC | newest] Thread overview: 54+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang 2019-02-18 16:32 ` [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-22 12:43 ` Ananyev, Konstantin 2019-03-19 14:32 ` Akhil Goyal 2019-03-19 14:32 ` Akhil Goyal 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang 2019-02-22 12:39 ` Ananyev, Konstantin 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang 2019-02-22 12:38 ` Ananyev, Konstantin 2019-03-19 14:46 ` Akhil Goyal 2019-03-19 14:46 ` Akhil Goyal 2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-02-22 12:40 ` Ananyev, Konstantin 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang 2019-02-25 12:07 ` [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-03-04 16:38 ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Ananyev, Konstantin 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 13:51 ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang 2019-03-20 13:51 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-22 11:53 ` Akhil Goyal 2019-03-22 11:53 ` Akhil Goyal 2019-03-22 12:46 ` Ananyev, Konstantin 2019-03-22 12:46 ` Ananyev, Konstantin 2019-03-22 13:01 ` Akhil Goyal 2019-03-22 13:01 ` Akhil Goyal 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-20 15:38 ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang 2019-03-20 15:38 ` Fan Zhang 2019-03-22 14:59 ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal 2019-03-22 14:59 ` Akhil Goyal
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).