From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4E436A2EEB for ; Mon, 7 Oct 2019 18:30:36 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id C0FDD1D40D; Mon, 7 Oct 2019 18:29:20 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 7C8431D166 for ; Mon, 7 Oct 2019 18:29:12 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Oct 2019 09:29:12 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,268,1566889200"; d="scan'208";a="393082068" Received: from silpixa00398673.ir.intel.com (HELO silpixa00398673.ger.corp.intel.com) ([10.237.223.136]) by fmsmga005.fm.intel.com with ESMTP; 07 Oct 2019 09:29:10 -0700 From: Fan Zhang To: dev@dpdk.org Cc: konstantin.ananyev@intel.com, declan.doherty@intel.com, akhil.goyal@nxp.com, Fan Zhang Date: Mon, 7 Oct 2019 17:28:49 +0100 Message-Id: <20191007162850.60552-10-roy.fan.zhang@intel.com> X-Mailer: git-send-email 2.14.5 In-Reply-To: <20191007162850.60552-1-roy.fan.zhang@intel.com> References: <20190906131330.40185-1-roy.fan.zhang@intel.com> <20191007162850.60552-1-roy.fan.zhang@intel.com> Subject: [dpdk-dev] [PATCH v2 09/10] examples/ipsec-secgw: add security cpu_crypto action support X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Since ipsec library is added cpu_crypto security action type support, this patch updates ipsec-secgw sample application with added action type "cpu-crypto". The patch also includes a number of test scripts to prove the correctness of the implementation. Signed-off-by: Fan Zhang --- examples/ipsec-secgw/ipsec.c | 35 ++++++++++++++++++++++ examples/ipsec-secgw/ipsec_process.c | 7 +++-- examples/ipsec-secgw/sa.c | 13 ++++++-- examples/ipsec-secgw/test/run_test.sh | 10 +++++++ .../test/trs_3descbc_sha1_common_defs.sh | 8 ++--- .../test/trs_3descbc_sha1_cpu_crypto_defs.sh | 5 ++++ .../test/trs_aescbc_sha1_common_defs.sh | 8 ++--- .../test/trs_aescbc_sha1_cpu_crypto_defs.sh | 5 ++++ .../test/trs_aesctr_sha1_common_defs.sh | 8 ++--- .../test/trs_aesctr_sha1_cpu_crypto_defs.sh | 5 ++++ .../ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh | 5 ++++ .../test/trs_aesgcm_mb_cpu_crypto_defs.sh | 7 +++++ .../test/tun_3descbc_sha1_common_defs.sh | 8 ++--- .../test/tun_3descbc_sha1_cpu_crypto_defs.sh | 5 ++++ .../test/tun_aescbc_sha1_common_defs.sh | 8 ++--- .../test/tun_aescbc_sha1_cpu_crypto_defs.sh | 5 ++++ .../test/tun_aesctr_sha1_common_defs.sh | 8 ++--- .../test/tun_aesctr_sha1_cpu_crypto_defs.sh | 5 ++++ .../ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh | 5 ++++ .../test/tun_aesgcm_mb_cpu_crypto_defs.sh | 7 +++++ 20 files changed, 138 insertions(+), 29 deletions(-) create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh create mode 100644 examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh diff --git a/examples/ipsec-secgw/ipsec.c b/examples/ipsec-secgw/ipsec.c index 1145ca1c0..02b9443a8 100644 --- a/examples/ipsec-secgw/ipsec.c +++ b/examples/ipsec-secgw/ipsec.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +52,19 @@ set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec) ipsec->esn_soft_limit = IPSEC_OFFLOAD_ESN_SOFTLIMIT; } +static int32_t +compute_cipher_offset(struct ipsec_sa *sa) +{ + int32_t offset; + + if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) + return 0; + + offset = (sa->iv_len + sizeof(struct rte_esp_hdr)); + + return offset; +} + int create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) { @@ -117,6 +131,25 @@ create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa) "SEC Session init failed: err: %d\n", ret); return -1; } + } else if (sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { + struct rte_security_ctx *ctx = + (struct rte_security_ctx *) + rte_cryptodev_get_sec_ctx( + ipsec_ctx->tbl[cdev_id_qp].id); + + /* Set IPsec parameters in conf */ + sess_conf.cpucrypto.cipher_offset = + compute_cipher_offset(sa); + + set_ipsec_conf(sa, &(sess_conf.ipsec)); + sa->security_ctx = ctx; + sa->sec_session = rte_security_session_create(ctx, + &sess_conf, ipsec_ctx->session_priv_pool); + if (sa->sec_session == NULL) { + RTE_LOG(ERR, IPSEC, + "SEC Session init failed: err: %d\n", ret); + return -1; + } } else { RTE_LOG(ERR, IPSEC, "Inline not supported\n"); return -1; @@ -512,6 +545,8 @@ ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx, sa->security_ctx, sa->sec_session, pkts[i], NULL); continue; + default: + continue; } RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps); diff --git a/examples/ipsec-secgw/ipsec_process.c b/examples/ipsec-secgw/ipsec_process.c index 868f1a28d..1932b631f 100644 --- a/examples/ipsec-secgw/ipsec_process.c +++ b/examples/ipsec-secgw/ipsec_process.c @@ -101,7 +101,8 @@ fill_ipsec_session(struct rte_ipsec_session *ss, struct ipsec_ctx *ctx, } ss->crypto.ses = sa->crypto_session; /* setup session action type */ - } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) { + } else if (sa->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL || + sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { if (sa->sec_session == NULL) { rc = create_lookaside_session(ctx, sa); if (rc != 0) @@ -227,8 +228,8 @@ ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf) /* process packets inline */ else if (sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO || - sa->type == - RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) { + sa->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL || + sa->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) { satp = rte_ipsec_sa_type(ips->sa); diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index c3cf3bd1f..ba773346f 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -570,6 +570,9 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; else if (strcmp(tokens[ti], "no-offload") == 0) rule->type = RTE_SECURITY_ACTION_TYPE_NONE; + else if (strcmp(tokens[ti], "cpu-crypto") == 0) + rule->type = + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO; else { APP_CHECK(0, status, "Invalid input \"%s\"", tokens[ti]); @@ -624,10 +627,13 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE) && (portid_p == 0)) + if ((rule->type != RTE_SECURITY_ACTION_TYPE_NONE && rule->type != + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) && + (portid_p == 0)) printf("Missing portid option, falling back to non-offload\n"); - if (!type_p || !portid_p) { + if (!type_p || (!portid_p && rule->type != + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO)) { rule->type = RTE_SECURITY_ACTION_TYPE_NONE; rule->portid = -1; } @@ -709,6 +715,9 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: printf("lookaside-protocol-offload "); break; + case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO: + printf("cpu-crypto-accelerated"); + break; } printf("\n"); } diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh index 8055a4c04..bcaf91715 100755 --- a/examples/ipsec-secgw/test/run_test.sh +++ b/examples/ipsec-secgw/test/run_test.sh @@ -32,15 +32,21 @@ usage() } LINUX_TEST="tun_aescbc_sha1 \ +tun_aescbc_sha1_cpu_crypto \ tun_aescbc_sha1_esn \ tun_aescbc_sha1_esn_atom \ tun_aesgcm \ +tun_aesgcm_cpu_crypto \ +tun_aesgcm_mb_cpu_crypto \ tun_aesgcm_esn \ tun_aesgcm_esn_atom \ trs_aescbc_sha1 \ +trs_aescbc_sha1_cpu_crypto \ trs_aescbc_sha1_esn \ trs_aescbc_sha1_esn_atom \ trs_aesgcm \ +trs_aesgcm_cpu_crypto \ +trs_aesgcm_mb_cpu_crypto \ trs_aesgcm_esn \ trs_aesgcm_esn_atom \ tun_aescbc_sha1_old \ @@ -49,17 +55,21 @@ trs_aescbc_sha1_old \ trs_aesgcm_old \ tun_aesctr_sha1 \ tun_aesctr_sha1_old \ +tun_aesctr_sha1_cpu_crypto \ tun_aesctr_sha1_esn \ tun_aesctr_sha1_esn_atom \ trs_aesctr_sha1 \ +trs_aesctr_sha1_cpu_crypto \ trs_aesctr_sha1_old \ trs_aesctr_sha1_esn \ trs_aesctr_sha1_esn_atom \ tun_3descbc_sha1 \ +tun_3descbc_sha1_cpu_crypto \ tun_3descbc_sha1_old \ tun_3descbc_sha1_esn \ tun_3descbc_sha1_esn_atom \ trs_3descbc_sha1 \ +trs_3descbc_sha1_cpu_crypto \ trs_3descbc_sha1_old \ trs_3descbc_sha1_esn \ trs_3descbc_sha1_esn_atom" diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh index bb4cef6a9..eda2ddf0c 100644 --- a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh @@ -32,14 +32,14 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} sa in 9 cipher_algo 3des-cbc \ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #SA out rules sa out 7 cipher_algo 3des-cbc \ @@ -47,7 +47,7 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #SA out rules sa out 9 cipher_algo 3des-cbc \ @@ -55,7 +55,7 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..a864a8886 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_3descbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh index e2621e0df..49b7b0713 100644 --- a/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_common_defs.sh @@ -31,27 +31,27 @@ sa in 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} sa in 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #SA out rules sa out 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #SA out rules sa out 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..b515cd9f8 --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aescbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aescbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh index 9c213e3cc..428322307 100644 --- a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh @@ -31,27 +31,27 @@ sa in 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} sa in 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #SA out rules sa out 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #SA out rules sa out 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode transport +mode transport ${SGW_CFG_XPRM} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..745a2a02b --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesctr_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh new file mode 100644 index 000000000..8917122da --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh new file mode 100644 index 000000000..26943321f --- /dev/null +++ b/examples/ipsec-secgw/test/trs_aesgcm_mb_cpu_crypto_defs.sh @@ -0,0 +1,7 @@ +#! /bin/bash + +. ${DIR}/trs_aesgcm_defs.sh + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh index dd802d6be..a583ef605 100644 --- a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh @@ -32,14 +32,14 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} sa in 9 cipher_algo 3des-cbc \ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} #SA out rules sa out 7 cipher_algo 3des-cbc \ @@ -47,14 +47,14 @@ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} sa out 9 cipher_algo 3des-cbc \ cipher_key \ de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..747141f62 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_3descbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh index 4025da232..ac0232d2c 100644 --- a/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_common_defs.sh @@ -31,26 +31,26 @@ sa in 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} sa in 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} #SA out rules sa out 7 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} sa out 9 cipher_algo aes-128-cbc \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..56076fa50 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aescbc_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aescbc_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh index a3ac3a698..523c396c9 100644 --- a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh @@ -31,26 +31,26 @@ sa in 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} +mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM} sa in 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} +mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM} #SA out rules sa out 7 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} +mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM} sa out 9 cipher_algo aes-128-ctr \ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ auth_algo sha1-hmac \ auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ -mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} +mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM} #Routing rules rt ipv4 dst ${REMOTE_IPV4}/32 port 0 diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh new file mode 100644 index 000000000..3af680533 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesctr_sha1_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh new file mode 100644 index 000000000..5bf1c0ae5 --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_cpu_crypto_defs.sh @@ -0,0 +1,5 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +SGW_CFG_XPRM='type cpu-crypto' diff --git a/examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh b/examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh new file mode 100644 index 000000000..039b8095e --- /dev/null +++ b/examples/ipsec-secgw/test/tun_aesgcm_mb_cpu_crypto_defs.sh @@ -0,0 +1,7 @@ +#! /bin/bash + +. ${DIR}/tun_aesgcm_defs.sh + +CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'} + +SGW_CFG_XPRM='type cpu-crypto' -- 2.14.5