From: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
To: dev@dpdk.org
Subject: [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: add AES-GCM support
Date: Tue, 23 Aug 2016 17:59:34 +0100 [thread overview]
Message-ID: <1471971574-108998-4-git-send-email-sergio.gonzalez.monroy@intel.com> (raw)
In-Reply-To: <1471971574-108998-1-git-send-email-sergio.gonzalez.monroy@intel.com>
Add support for AES-GCM (Galois-Counter Mode).
RFC4106: The Use of Galois-Counter Mode (GCM) in IPSec ESP.
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
examples/ipsec-secgw/esp.c | 59 ++++++++++++++++++++++++++++++++++++++------
examples/ipsec-secgw/ipsec.h | 9 +++++++
examples/ipsec-secgw/sa.c | 36 +++++++++++++++++++++------
3 files changed, 90 insertions(+), 14 deletions(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index d640ab2..3852c7e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -90,6 +90,8 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
sa->iv_len;
sym_cop->cipher.data.length = payload_len;
+ struct cnt_blk *nonce;
+ uint8_t *aad;
uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len + sizeof(struct esp_hdr));
switch (sa->cipher_algo) {
@@ -99,14 +101,41 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
ip_hdr_len + sizeof(struct esp_hdr));
sym_cop->cipher.iv.length = sa->iv_len;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_GCM:
+ nonce = get_cnt_blk(m);
+ nonce->salt = sa->salt;
+ memcpy(&nonce->iv, iv, 8);
+ sym_cop->cipher.iv.data = (uint8_t *)nonce;
+ sym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ (uint8_t *)nonce - rte_pktmbuf_mtod(m, uint8_t *));
+ /* FIXME should be 12 for GCM, but API needs 16 */
+ sym_cop->cipher.iv.length = 16;
+ break;
+ default:
+ RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
+ sa->cipher_algo);
+ return -EINVAL;
+ }
+ switch (sa->auth_algo) {
+ case RTE_CRYPTO_AUTH_NULL:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct esp_hdr) +
sa->iv_len + payload_len;
break;
+ case RTE_CRYPTO_AUTH_AES_GCM:
+ aad = get_aad(m);
+ memcpy(aad, iv - sizeof(struct esp_hdr), 8);
+ sym_cop->auth.aad.data = aad;
+ sym_cop->auth.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ aad - rte_pktmbuf_mtod(m, uint8_t *));
+ sym_cop->auth.aad.length = 8;
+ break;
default:
- RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
- sa->cipher_algo);
+ RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
+ sa->auth_algo);
return -EINVAL;
}
@@ -291,6 +320,12 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
sizeof(struct esp_hdr);
sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
break;
+ case RTE_CRYPTO_CIPHER_AES_GCM:
+ *iv = sa->seq;
+ sym_cop->cipher.data.offset = ip_hdr_len +
+ sizeof(struct esp_hdr) + sa->iv_len;
+ sym_cop->cipher.data.length = pad_payload_len;
+ break;
default:
RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
sa->cipher_algo);
@@ -312,16 +347,26 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
/* FIXME should be 12 for GCM, but API needs 16 */
sym_cop->cipher.iv.length = 16;
- switch (sa->cipher_algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- case RTE_CRYPTO_CIPHER_AES_CBC:
+ uint8_t *aad;
+
+ switch (sa->auth_algo) {
+ case RTE_CRYPTO_AUTH_NULL:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct esp_hdr) +
sa->iv_len + pad_payload_len;
break;
+ case RTE_CRYPTO_AUTH_AES_GCM:
+ aad = get_aad(m);
+ memcpy(aad, esp, 8);
+ sym_cop->auth.aad.data = aad;
+ sym_cop->auth.aad.phys_addr = rte_pktmbuf_mtophys_offset(m,
+ aad - rte_pktmbuf_mtod(m, uint8_t *));
+ sym_cop->auth.aad.length = 8;
+ break;
default:
- RTE_LOG(ERR, IPSEC_ESP, "unsupported cipher algorithm %u\n",
- sa->cipher_algo);
+ RTE_LOG(ERR, IPSEC_ESP, "unsupported auth algorithm %u\n",
+ sa->auth_algo);
return -EINVAL;
}
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index d950df3..4db6691 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -113,6 +113,7 @@ struct ipsec_sa {
uint16_t cipher_key_len;
uint8_t auth_key[MAX_KEY_SIZE];
uint16_t auth_key_len;
+ uint16_t aad_len;
struct rte_crypto_sym_xform *xforms;
} __rte_cache_aligned;
@@ -193,6 +194,14 @@ get_cnt_blk(struct rte_mbuf *m)
}
static inline void *
+get_aad(struct rte_mbuf *m)
+{
+ struct ipsec_mbuf_metadata *priv = get_priv(m);
+
+ return &priv->buf[16];
+}
+
+static inline void *
get_cop(struct rte_mbuf *m)
{
struct ipsec_mbuf_metadata *priv = get_priv(m);
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 54b5b19..67d39c9 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -63,6 +63,8 @@ struct supported_auth_algo {
enum rte_crypto_auth_algorithm algo;
uint16_t digest_len;
uint16_t key_len;
+ uint8_t aad_len;
+ uint8_t key_not_req;
};
const struct supported_cipher_algo cipher_algos[] = {
@@ -79,6 +81,13 @@ const struct supported_cipher_algo cipher_algos[] = {
.iv_len = 16,
.block_size = 16,
.key_len = 16
+ },
+ {
+ .keyword = "aes-128-gcm",
+ .algo = RTE_CRYPTO_CIPHER_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 16
}
};
@@ -87,13 +96,22 @@ const struct supported_auth_algo auth_algos[] = {
.keyword = "null",
.algo = RTE_CRYPTO_AUTH_NULL,
.digest_len = 0,
- .key_len = 0
+ .key_len = 0,
+ .key_not_req = 1
},
{
.keyword = "sha1-hmac",
.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
.digest_len = 12,
.key_len = 20
+ },
+ {
+ .keyword = "aes-128-gcm",
+ .algo = RTE_CRYPTO_AUTH_AES_GCM,
+ .digest_len = 16,
+ .key_len = 16,
+ .aad_len = 8,
+ .key_not_req = 1
}
};
@@ -255,8 +273,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
rule->iv_len = algo->iv_len;
rule->cipher_key_len = algo->key_len;
- /* for NULL algorithm, no cipher key should
- * exist */
+ /* for NULL algorithm, no cipher key required */
if (rule->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
cipher_algo_p = 1;
continue;
@@ -307,9 +324,12 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
rule->auth_algo = algo->algo;
rule->auth_key_len = algo->key_len;
rule->digest_len = algo->digest_len;
+ rule->aad_len = algo->key_len;
- /* for NULL algorithm, no auth key should exist */
- if (rule->auth_algo == RTE_CRYPTO_AUTH_NULL) {
+ /* NULL algorithm and combined algos do not
+ * require auth key
+ */
+ if (algo->key_not_req) {
auth_algo_p = 1;
continue;
}
@@ -572,7 +592,8 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH;
sa_ctx->xf[idx].a.auth.algo = sa->auth_algo;
- sa_ctx->xf[idx].a.auth.add_auth_data_length = 0;
+ sa_ctx->xf[idx].a.auth.add_auth_data_length =
+ sa->aad_len;
sa_ctx->xf[idx].a.auth.key.data = sa->auth_key;
sa_ctx->xf[idx].a.auth.key.length =
sa->auth_key_len;
@@ -593,7 +614,8 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH;
sa_ctx->xf[idx].b.auth.algo = sa->auth_algo;
- sa_ctx->xf[idx].b.auth.add_auth_data_length = 0;
+ sa_ctx->xf[idx].b.auth.add_auth_data_length =
+ sa->aad_len;
sa_ctx->xf[idx].b.auth.key.data = sa->auth_key;
sa_ctx->xf[idx].b.auth.key.length =
sa->auth_key_len;
--
2.5.5
next prev parent reply other threads:[~2016-08-23 16:59 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-23 16:59 [dpdk-dev] [PATCH 0/3] IPSec " Sergio Gonzalez Monroy
2016-08-23 16:59 ` [dpdk-dev] [PATCH 1/3] examples/ipsec-secgw: change CBC IV generation Sergio Gonzalez Monroy
2016-08-23 16:59 ` [dpdk-dev] [PATCH 2/3] examples/ipsec-secgw: reset crypto operation status Sergio Gonzalez Monroy
2016-08-23 16:59 ` Sergio Gonzalez Monroy [this message]
2016-09-07 18:11 ` [dpdk-dev] [PATCH 3/3] examples/ipsec-secgw: add AES-GCM support De Lara Guarch, Pablo
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 0/8] IPsec Enhancements Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 1/7] examples/ipsec-secgw: change CBC IV generation Sergio Gonzalez Monroy
2016-09-28 3:51 ` De Lara Guarch, Pablo
2016-09-29 14:39 ` Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 2/7] examples/ipsec-secgw: reset crypto operation status Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 3/7] examples/ipsec-secgw: add AES-GCM support Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 4/7] examples/ipsec-secgw: enable AES-CTR mode Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 5/7] examples/ipsec-secgw: check sp only when setup Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 6/7] examples/ipsec-secgw: cryptodev queue size macro Sergio Gonzalez Monroy
2016-09-28 3:50 ` De Lara Guarch, Pablo
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 7/7] examples/ipsec-secgw: initialize sa salt Sergio Gonzalez Monroy
2016-09-23 7:45 ` [dpdk-dev] [PATCH v2 8/8] examples/ipsec-secgw: update release notes Sergio Gonzalez Monroy
2016-09-28 4:05 ` De Lara Guarch, Pablo
2016-09-29 14:32 ` Sergio Gonzalez Monroy
2016-09-29 2:23 ` [dpdk-dev] [PATCH v2 0/8] IPsec Enhancements Chen, Zhaoyan
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 0/9] " Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 1/9] examples/ipsec-secgw: change CBC IV generation Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 2/9] examples/ipsec-secgw: reset crypto operation status Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 3/9] examples/ipsec-secgw: add AES-GCM support Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 4/9] examples/ipsec-secgw: enable AES-CTR mode Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 5/9] examples/ipsec-secgw: check sp only when setup Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 6/9] examples/ipsec-secgw: add cryptodev queue size macro Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 7/9] examples/ipsec-secgw: initialize sa salt Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 8/9] doc: ipsec-secgw release notes Sergio Gonzalez Monroy
2016-09-30 15:04 ` Mcnamara, John
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 8/9] examples/ipsec-secgw: update " Sergio Gonzalez Monroy
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 9/9] doc: update ipsec-secgw sample app guide Sergio Gonzalez Monroy
2016-09-30 15:04 ` Mcnamara, John
2016-09-29 15:44 ` [dpdk-dev] [PATCH v3 9/9] examples/ipsec-secgw: update ipsec-secgw guide Sergio Gonzalez Monroy
2016-09-30 0:27 ` [dpdk-dev] [PATCH v3 0/9] IPsec Enhancements De Lara Guarch, Pablo
2016-10-05 0:43 ` De Lara Guarch, Pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1471971574-108998-4-git-send-email-sergio.gonzalez.monroy@intel.com \
--to=sergio.gonzalez.monroy@intel.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).