From: Radu Nicolau <radu.nicolau@intel.com>
To: Radu Nicolau <radu.nicolau@intel.com>, Akhil Goyal <gakhil@marvell.com>
Cc: dev@dpdk.org, declan.doherty@intel.com, hemant.agrawal@oss.nxp.com
Subject: [dpdk-dev] [PATCH v5 7/7] examples/ipsec-secgw: add support for additional algorithms
Date: Wed, 27 Oct 2021 12:45:30 +0100 [thread overview]
Message-ID: <20211027114530.2244661-8-radu.nicolau@intel.com> (raw)
In-Reply-To: <20211027114530.2244661-1-radu.nicolau@intel.com>
Add support for AES-GMAC, AES_CTR, AES_XCBC_MAC,
AES_CCM, CHACHA20_POLY1305
Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
---
doc/guides/rel_notes/release_21_11.rst | 2 +
doc/guides/sample_app_ug/ipsec_secgw.rst | 3 +-
examples/ipsec-secgw/ipsec.h | 3 +-
examples/ipsec-secgw/sa.c | 122 +++++++++++++++++++++--
4 files changed, 119 insertions(+), 11 deletions(-)
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0a0bf05568..1d656b8e2b 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -308,6 +308,8 @@ New Features
* **IPsec Security Gateway sample application new features.**
* Added support for telemetry
+ * Added support for more AEAD algorithms: AES-GMAC, AES_CTR, AES_XCBC_MAC,
+ AES_CCM, CHACHA20_POLY1305
Removed Items
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 02846ac160..edd3d439f5 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -106,7 +106,8 @@ Constraints
* No IPv6 options headers.
* No AH mode.
-* Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1 and NULL.
+* Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1,
+ AES-GMAC, AES_CTR, AES_XCBC_MAC, AES_CCM, CHACHA20_POLY1305 and NULL.
* Each SA must be handle by a unique lcore (*1 RX queue per port*).
Compiling the Application
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index b037d5179f..0dfb0d6acb 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -63,8 +63,7 @@ struct ip_addr {
} ip;
};
-#define MAX_KEY_SIZE 36
-
+#define MAX_KEY_SIZE 64
/*
* application wide SA parameters
*/
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 8725001fc7..44c18badbb 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -46,6 +46,7 @@ struct supported_cipher_algo {
struct supported_auth_algo {
const char *keyword;
enum rte_crypto_auth_algorithm algo;
+ uint16_t iv_len;
uint16_t digest_len;
uint16_t key_len;
uint8_t key_not_req;
@@ -98,6 +99,20 @@ const struct supported_cipher_algo cipher_algos[] = {
.block_size = 4,
.key_len = 20
},
+ {
+ .keyword = "aes-192-ctr",
+ .algo = RTE_CRYPTO_CIPHER_AES_CTR,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 28
+ },
+ {
+ .keyword = "aes-256-ctr",
+ .algo = RTE_CRYPTO_CIPHER_AES_CTR,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 36
+ },
{
.keyword = "3des-cbc",
.algo = RTE_CRYPTO_CIPHER_3DES_CBC,
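Review bot: The new aes-192-ctr and aes-256-ctr entries use `.iv_len = 16` and `.block_size = 16`, while the entry just above them in the context ends with `.block_size = 4, .key_len = 20`. If that is the existing aes-128-ctr entry (its keyword is outside the hunk), the key sizes of one ESP transform would disagree on per-packet IV size and padding alignment. This matters more because the later sa_add_rules hunk replaces the fixed `iv_length = 16` for RTE_CRYPTO_CIPHER_AES_CTR with `iv_length = sa->iv_len`, so the table value now feeds the cipher xform directly. I would give all AES-CTR entries the same `iv_len` and `block_size`, and add a comment such as `/* key_len = AES key + 4-byte nonce */` so that 28 and 36 are not read as raw key sizes.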
@@ -126,6 +141,31 @@ const struct supported_auth_algo auth_algos[] = {
.algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
.digest_len = 16,
.key_len = 32
+ },
+ {
+ .keyword = "sha384-hmac",
+ .algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+ .digest_len = 24,
+ .key_len = 48
+ },
+ {
+ .keyword = "sha512-hmac",
+ .algo = RTE_CRYPTO_AUTH_SHA512_HMAC,
+ .digest_len = 32,
+ .key_len = 64
+ },
+ {
+ .keyword = "aes-gmac",
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .iv_len = 8,
+ .digest_len = 16,
+ .key_len = 20
+ },
+ {
+ .keyword = "aes-xcbc-mac-96",
+ .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+ .digest_len = 12,
+ .key_len = 16
}
};
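Review bot: The `sha384-hmac` and `sha512-hmac` keywords added here are not mentioned in the commit message, in the release-notes lines, or in the "Supported algorithms" list updated in ipsec_secgw.rst by this same patch. Please add them to both documents so the accepted keywords match the documented ones. The `aes-gmac` entry would also benefit from a comment such as `/* key_len = 16-byte AES key + 4-byte salt, split in parse_sa_tokens() */`, since `.key_len = 20` is otherwise easy to misread as the key size.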
@@ -156,6 +196,42 @@ const struct supported_aead_algo aead_algos[] = {
.key_len = 36,
.digest_len = 16,
.aad_len = 8,
+ },
+ {
+ .keyword = "aes-128-ccm",
+ .algo = RTE_CRYPTO_AEAD_AES_CCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 20,
+ .digest_len = 16,
+ .aad_len = 8,
+ },
+ {
+ .keyword = "aes-192-ccm",
+ .algo = RTE_CRYPTO_AEAD_AES_CCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 28,
+ .digest_len = 16,
+ .aad_len = 8,
+ },
+ {
+ .keyword = "aes-256-ccm",
+ .algo = RTE_CRYPTO_AEAD_AES_CCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 36,
+ .digest_len = 16,
+ .aad_len = 8,
+ },
+ {
+ .keyword = "chacha20-poly1305",
+ .algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+ .iv_len = 12,
+ .block_size = 64,
+ .key_len = 36,
+ .digest_len = 16,
+ .aad_len = 8,
}
};
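Review bot: The aes-*-ccm entries reserve four trailing bytes beyond the AES key (`.key_len = 20`, `28`, `36`), but the sa_add_rules hunk sets `iv_length = 11` for RTE_CRYPTO_AEAD_AES_CCM, which corresponds to a 3-byte salt plus the 8-byte per-packet IV. How the salt is separated from the key for CCM is not visible in this patch, so it may be handled elsewhere. As written, a reader cannot tell which of the four bytes end up in the nonce, so a comment on the entries, for example `/* key_len includes salt bytes; CCM nonce = 3-byte salt + 8-byte IV */`, would make the intent checkable. The chacha20-poly1305 entry also uses `.iv_len = 12` and `.block_size = 64` where the other new AEAD entries use 8 and 4; if these fields drive the on-wire IV size and ESP padding, that is worth confirming.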
@@ -484,6 +560,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
if (status->status < 0)
return;
+ if (algo->algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ key_len -= 4;
+ rule->auth_key_len = key_len;
+ rule->iv_len = algo->iv_len;
+ memcpy(&rule->salt,
+ &rule->auth_key[key_len], 4);
+ }
+
auth_algo_p = 1;
continue;
}
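Review bot: The salt length is hard-coded as `4` twice in the added AES-GMAC branch, in `key_len -= 4` and as the memcpy size, with nothing tying it to the destination field. Assuming `rule->salt` is a 4-byte member (its declaration is not visible), I would write `memcpy(&rule->salt, &rule->auth_key[key_len], sizeof(rule->salt));` and derive the subtraction from the same expression. The subtraction also depends on `key_len` already having been checked against the table entry, which presumably happens before the `status->status` test above but is outside the hunk; a short comment stating that precondition would help. parse_sa_tokens continues outside the hunk on both sides.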
@@ -1171,8 +1255,15 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
break;
}
- if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
- iv_length = 12;
+
+ if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM ||
+ sa->aead_algo == RTE_CRYPTO_AEAD_AES_CCM ||
+ sa->aead_algo == RTE_CRYPTO_AEAD_CHACHA20_POLY1305) {
+
+ if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_CCM)
+ iv_length = 11;
+ else
+ iv_length = 12;
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
sa_ctx->xf[idx].a.aead.algo = sa->aead_algo;
@@ -1196,10 +1287,8 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
case RTE_CRYPTO_CIPHER_NULL:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
- iv_length = sa->iv_len;
- break;
case RTE_CRYPTO_CIPHER_AES_CTR:
- iv_length = 16;
+ iv_length = sa->iv_len;
break;
default:
RTE_LOG(ERR, IPSEC_ESP,
@@ -1208,6 +1297,10 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
return -EINVAL;
}
+ /* AES_GMAC uses salt like AEAD algorithms */
+ if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GMAC)
+ iv_length = 12;
+
if (inbound) {
sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
@@ -1229,6 +1322,9 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->digest_len;
sa_ctx->xf[idx].a.auth.op =
RTE_CRYPTO_AUTH_OP_VERIFY;
+ sa_ctx->xf[idx].a.auth.iv.offset = IV_OFFSET;
+ sa_ctx->xf[idx].a.auth.iv.length = iv_length;
+
} else { /* outbound */
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
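Review bot: The added `auth.iv.offset` and `auth.iv.length` assignments run for every auth algorithm on this path, not only AES-GMAC. For the HMAC and XCBC entries `iv_length` is whatever the cipher switch produced, so an SA such as AES-CBC with HMAC would present a non-zero auth IV length to the crypto device. Whether a PMD rejects or ignores that is not visible here, but it is safer to set these two fields only when an auth IV exists, e.g. guard them with `if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GMAC)`. The same applies to the outbound assignments to `xf[idx].b.auth.iv` in the next hunk.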
@@ -1250,11 +1346,21 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa->digest_len;
sa_ctx->xf[idx].b.auth.op =
RTE_CRYPTO_AUTH_OP_GENERATE;
+ sa_ctx->xf[idx].b.auth.iv.offset = IV_OFFSET;
+ sa_ctx->xf[idx].b.auth.iv.length = iv_length;
+
}
- sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
- sa_ctx->xf[idx].b.next = NULL;
- sa->xforms = &sa_ctx->xf[idx].a;
+ if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ sa->xforms = inbound ?
+ &sa_ctx->xf[idx].a : &sa_ctx->xf[idx].b;
+ sa->xforms->next = NULL;
+
+ } else {
+ sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+ sa_ctx->xf[idx].b.next = NULL;
+ sa->xforms = &sa_ctx->xf[idx].a;
+ }
}
if (ips->type ==
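Review bot: In the new AES-GMAC branch the xform chain is reduced to the auth xform alone (`sa->xforms->next = NULL`), so the cipher xform filled in just above is silently discarded. If an SA rule pairs `aes-gmac` with a real cipher and nothing outside this hunk rejects that combination, the SA would be set up as integrity-only while the configuration asks for encryption. I would fail closed here with something like `if (sa->cipher_algo != RTE_CRYPTO_CIPHER_NULL) return -EINVAL;` plus an RTE_LOG line, or enforce the same rule in parse_sa_tokens. sa_add_rules starts and ends outside the hunk.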
--
2.25.1