From: Anoob Joseph
To: Akhil Goyal, Radu Nicolau
CC: Narayana Prasad Raju Athreya, Tejasree Kondoj, "dev@dpdk.org"
Date: Sun, 5 Apr 2020 17:10:59 +0000
Subject: Re: [dpdk-dev] [PATCH v3] examples/ipsec-secgw: support 192/256 AES key sizes
References: <1585221759-23016-1-git-send-email-anoobj@marvell.com> <1585882384-28213-1-git-send-email-anoobj@marvell.com>

Hi Akhil,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal
> Sent: Sunday, April 5, 2020 8:54 PM
> To: Anoob Joseph; Radu Nicolau
> Cc: Narayana Prasad Raju Athreya; Tejasree Kondoj; dev@dpdk.org
> Subject: [EXT] RE: [PATCH v3] examples/ipsec-secgw: support 192/256 AES key
> sizes
>
> External Email
>
> ----------------------------------------------------------------------
> Hi Anoob,
>
> >
> > Adding support for the following,
> > 1. AES-192-GCM
> > 2. AES-256-GCM
> > 3. AES-192-CBC
> >
> > Signed-off-by: Anoob Joseph
> > Signed-off-by: Tejasree Kondoj
> > ---
> > v3:
> > * Fixed incorrect AES-GCM key length being printed during app startup
> > * Introduced new macro 'SALT_SIZE' to make the usage more obvious (AES-GCM
> >   key has key following 4 byte salt)
> > * Minor cleanup for the existing code.
>
> I believe GCM keys are extended by 4 bytes to include the SALT value in many
> apps.
> We may add a comment that it is including the SALT value, but it makes more
> confusing now.
>
> The length which is being printed is 16Bytes but we expect the user to have
> 20Bytes in the ep0.cfg file. This will be confusing also to configure the packet
> capturing APPs like wireshark which accepts 20Byte keys in case of GCM.

[Anoob] The ones I've edited are just internal data structures. These are not exposed and not directly printed anywhere.

spi_in( 51):aes-128-gcm mode:IP4Tunnel 10.0.10.1 10.0.10.2 type:inline-protocol-offload
spi_in( 52):aes-192-gcm mode:IP4Tunnel 10.0.20.1 10.0.20.2 type:inline-protocol-offload
spi_in( 53):aes-256-gcm mode:IP4Tunnel 10.0.30.1 10.0.30.2 type:inline-protocol-offload

Also, my initial patch didn't try to address this aspect. In that patch, I had the following addition, in which key length was clearly not matching the string.

	{
		.keyword = "aes-192-gcm",
		.algo = RTE_CRYPTO_AEAD_AES_GCM,
		.iv_len = 8,
		.block_size = 4,
		.key_len = 28,
		.digest_len = 16,
		.aad_len = 8,
	},

In either case, the "misleading" part in config file would stay as the string would be "aes-128-gcm"/"aes-192-gcm"/"aes-256-gcm", and the key specified will have additional 4 bytes. Please do comment inline on what you think is the right approach. You can check if you are fine with v2 approach. I can resend that with a minor change required in the print.

One more thing. I was just checking the ipsec-secgw documentation of AEAD keys. I think we need to update that as well.

    Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
    The number of bytes should be as same as the specified AEAD algorithm key size.

    For example: aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4: A1:B2:C3:D4

Can you advise on what should be the approach here?

>
> > > > v2: > > * Updated doc and release notes > > > > doc/guides/rel_notes/release_20_05.rst | 7 ++++++ > > doc/guides/sample_app_ug/ipsec_secgw.rst | 3 +++ > > examples/ipsec-secgw/ipsec.h | 3 ++- > > examples/ipsec-secgw/sa.c | 38 ++++++++++++++++++++++++= ++------ > > 4 files changed, 43 insertions(+), 8 deletions(-) > > > > diff --git a/doc/guides/rel_notes/release_20_05.rst > > b/doc/guides/rel_notes/release_20_05.rst > > index 1dfcfcc..c0b0625 100644 > > --- a/doc/guides/rel_notes/release_20_05.rst > > +++ b/doc/guides/rel_notes/release_20_05.rst > > @@ -70,6 +70,13 @@ New Features > > by making use of the event device capabilities. The event mode > > currently supports > > only inline IPsec protocol offload. > > > > +* **Added 192/256 AES key sizes in ipsec-secgw application.** > > + > > + Updated ipsec-secgw application to support the following key sizes, > > + - AES-192-CBC > > + - AES-192-GCM > > + - AES-256-GCM > > + > > > > Removed Items > > ------------- > > diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst > > b/doc/guides/sample_app_ug/ipsec_secgw.rst > > index 038f593..f5e94bf 100644 > > --- a/doc/guides/sample_app_ug/ipsec_secgw.rst > > +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst > > @@ -538,6 +538,7 @@ where each options means: > > > > * *null*: NULL algorithm > > * *aes-128-cbc*: AES-CBC 128-bit algorithm > > + * *aes-192-cbc*: AES-CBC 192-bit algorithm > > * *aes-256-cbc*: AES-CBC 256-bit algorithm > > * *aes-128-ctr*: AES-CTR 128-bit algorithm > > * *3des-cbc*: 3DES-CBC 192-bit algorithm
@@ -593,6 +594,8 @@ where > > each options means: > > * Available options: > > > > * *aes-128-gcm*: AES-GCM 128-bit algorithm > > + * *aes-192-gcm*: AES-GCM 192-bit algorithm > > + * *aes-256-gcm*: AES-GCM 256-bit algorithm > > > > * Syntax: *cipher_algo * > > > > diff --git a/examples/ipsec-secgw/ipsec.h > > b/examples/ipsec-secgw/ipsec.h index f8f29f9..476a6d5 100644 > > --- a/examples/ipsec-secgw/ipsec.h > > +++ b/examples/ipsec-secgw/ipsec.h > > @@ -73,6 +73,7 @@ struct ip_addr { > > }; > > > > #define MAX_KEY_SIZE 32 > > +#define SALT_SIZE 4 > > > > /* > > * application wide SA parameters > > @@ -133,7 +134,7 @@ struct ipsec_sa { > > #define IP6_TRANSPORT (1 << 4) > > struct ip_addr src; > > struct ip_addr dst; > > - uint8_t cipher_key[MAX_KEY_SIZE]; > > + uint8_t cipher_key[MAX_KEY_SIZE + SALT_SIZE]; > > uint16_t cipher_key_len; > > uint8_t auth_key[MAX_KEY_SIZE]; > > uint16_t auth_key_len; > > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > > index 0eb52d1..fc6bc97 100644 > > --- a/examples/ipsec-secgw/sa.c > > +++ b/examples/ipsec-secgw/sa.c > > @@ -77,6 +77,13 @@ const struct supported_cipher_algo cipher_algos[] = =3D { > > .key_len =3D 16 > > }, > > { > > + .keyword =3D "aes-192-cbc", > > + .algo =3D RTE_CRYPTO_CIPHER_AES_CBC, > > + .iv_len =3D 16, > > + .block_size =3D 16, > > + .key_len =3D 24 > > + }, > > + { > > .keyword =3D "aes-256-cbc", > > .algo =3D RTE_CRYPTO_CIPHER_AES_CBC, > > .iv_len =3D 16, 
> > @@ -127,7 +134,25 @@ const struct supported_aead_algo aead_algos[] =3D = { > > .algo =3D RTE_CRYPTO_AEAD_AES_GCM, > > .iv_len =3D 8, > > .block_size =3D 4, > > - .key_len =3D 20, > > + .key_len =3D 16, > > + .digest_len =3D 16, > > + .aad_len =3D 8, > > + }, > > + { > > + .keyword =3D "aes-192-gcm", > > + .algo =3D RTE_CRYPTO_AEAD_AES_GCM, > > + .iv_len =3D 8, > > + .block_size =3D 4, > > + .key_len =3D 24, > > + .digest_len =3D 16, > > + .aad_len =3D 8, > > + }, > > + { > > + .keyword =3D "aes-256-gcm", > > + .algo =3D RTE_CRYPTO_AEAD_AES_GCM, > > + .iv_len =3D 8, > > + .block_size =3D 4, > > + .key_len =3D 32, > > .digest_len =3D 16, > > .aad_len =3D 8, > > } > > @@ -495,16 +520,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > > return; > > > > key_len =3D parse_key_string(tokens[ti], > > - rule->cipher_key); > > + rule->cipher_key) - SALT_SIZE; > > APP_CHECK(key_len =3D=3D rule->cipher_key_len, status, > > "unrecognized input \"%s\"", tokens[ti]); > > if (status->status < 0) > > return; > > > > - key_len -=3D 4; > > - rule->cipher_key_len =3D key_len; > > - memcpy(&rule->salt, > > - &rule->cipher_key[key_len], 4); > > + memcpy(&rule->salt, &rule->cipher_key[key_len], > > + SALT_SIZE); > > > > aead_algo_p =3D 1; > > continue; > > @@ -751,7 +774,8 @@ print_one_sa_rule(const struct ipsec_sa *sa, int > inbound) > > } > > > > for (i =3D 0; i < RTE_DIM(aead_algos); i++) { > > - if (aead_algos[i].algo =3D=3D sa->aead_algo) { > > + if (aead_algos[i].algo =3D=3D sa->aead_algo && > > + aead_algos[i].key_len =3D=3D sa->cipher_key_len) { > > printf("%s ", aead_algos[i].keyword); > > break; > > } > > -- > > 2.7.4
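
Review bot: In the release_20_05.rst hunk, the three "- AES-..." items follow the line ending "the following key sizes," with no blank line in between; reStructuredText needs a blank line before a bullet list, otherwise the items are folded into the preceding paragraph. Add an empty "+" line between the sentence and the first item.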
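
Review bot: The ipsec_secgw.rst hunk at @@ -593,6 +594,8 @@ adds aes-192-gcm and aes-256-gcm to the option list, but the diffstat shows only these three added lines in the file, so the aead_key syntax text is unchanged and the guide still does not say that the configured value is the AES key followed by the 4-byte salt (20, 28 and 36 bytes for the three options, going by SALT_SIZE and the key_len values in sa.c). State that length rule next to the option list in this same patch.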
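
Review bot: SALT_SIZE in the ipsec.h hunk at @@ -73,6 +73,7 @@ is defined without a comment, and cipher_key[MAX_KEY_SIZE + SALT_SIZE] in the following hunk only makes sense once the reader knows the AES-GCM key is stored followed by its salt. Add a one-line comment on the macro saying so, and say on cipher_key_len whether it counts the salt.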
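
Review bot: In the aead_algos[] hunk, .key_len for the existing aes-128-gcm entry changes from 20 to 16, so the field changes meaning from key plus salt to key only without any rename or comment. Any code outside the lines shown that reads aead_algos[].key_len now gets a value 4 bytes smaller; confirm each such use was audited, and the commit message should call out the change in meaning.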
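
Review bot: In the parse_sa_tokens hunk, "parse_key_string(tokens[ti], rule->cipher_key) - SALT_SIZE" subtracts before the length is validated and passes only the destination pointer. If parse_key_string returns fewer than 4 bytes the result goes negative or wraps, depending on key_len's type (not visible here), and nothing in the lines shown bounds the write to the MAX_KEY_SIZE + SALT_SIZE bytes of cipher_key. Compare the raw return value against rule->cipher_key_len + SALT_SIZE first, pass the buffer size to the parser, and replace "unrecognized input" with a message that states the expected key-plus-salt length.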
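
Review bot: The print_one_sa_rule hunk adds the key_len comparison only to the aead_algos loop, while the cipher_algos hunk in the same file adds aes-192-cbc with the same .algo (RTE_CRYPTO_CIPHER_AES_CBC) as aes-256-cbc. If the cipher_algos loop still matches on .algo alone, it prints the first AES-CBC keyword for every key size; apply the same key_len comparison there.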
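
The key layout this thread is about (the configured aead_key value is the AES key followed by a 4-byte salt), as an added example that is not part of the original message or of the DPDK sources. MAX_KEY_SIZE and SALT_SIZE take the values from the quoted ipsec.h hunk; struct aead_key, parse_hex_bytes and split_aead_key are hypothetical names, and the length is checked before anything is copied.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_SIZE 32 /* value from the quoted ipsec.h hunk */
#define SALT_SIZE 4     /* value from the quoted ipsec.h hunk */

struct aead_key { /* hypothetical type, for this example only */
	uint8_t key[MAX_KEY_SIZE];
	uint16_t key_len; /* AES key only, salt not counted */
	uint8_t salt[SALT_SIZE];
};

/* Parse "A1:B2:..." into out; return byte count, or -1 if malformed or > cap. */
static int parse_hex_bytes(const char *s, uint8_t *out, size_t cap)
{
	size_t n = 0;
	for (;;) {
		char *end;
		unsigned long v;
		/* refuse to write past the buffer; refuse empty or signed fields */
		if (n == cap || !isxdigit((unsigned char)*s))
			return -1;
		v = strtoul(s, &end, 16);
		if (end - s > 2 || v > 0xFF) /* at most two hex digits per byte */
			return -1;
		out[n++] = (uint8_t)v;
		if (*end == '\0')
			return (int)n;
		if (*end != ':')
			return -1;
		s = end + 1;
	}
}

/* Split a configured AEAD key; klen is the AES key size alone (16, 24 or 32). */
static int split_aead_key(const char *cfg, uint16_t klen, struct aead_key *k)
{
	uint8_t buf[MAX_KEY_SIZE + SALT_SIZE];
	int n = parse_hex_bytes(cfg, buf, sizeof(buf));
	/* validate the total length (key + salt) before touching the output */
	if (klen > MAX_KEY_SIZE || n != klen + SALT_SIZE)
		return -1;
	memcpy(k->key, buf, klen);
	memcpy(k->salt, buf + klen, SALT_SIZE);
	k->key_len = klen;
	return 0;
}
```

With klen set to 16, the 16-byte value from the documentation excerpt quoted above is rejected, because it carries no salt bytes.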