[dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support

DPDK patches and discussions
 help / color / mirror / Atom feed

* [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support
@ 2019-02-18 16:32 Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
                   ` (4 more replies)
  0 siblings, 5 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added too.

Fan Zhang (4):
  ipsec: add AES-CTR algorithm support
  ipsec-secgw: add test scripts for aes ctr
  ipsec: add 3DES-CBC algorithm support
  ipsec-secgw: add 3des test files

 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  18 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 ++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 ++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 ++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 ++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 ++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 143 ++++++++++++++++++---
 lib/librte_ipsec/sa.h                              |  24 ++++
 25 files changed, 1050 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support
  2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
@ 2019-02-18 16:32 ` Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr
  2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
@ 2019-02-18 16:32 ` Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              | 10 +++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 441 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 1ed31f89f..ea17cf9fd 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..435de5da6 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,15 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+tun_aesctr_sha1_old \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom \
+trs_aesctr_sha1_old"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support
  2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-02-18 16:32 ` Fan Zhang
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files Fan Zhang
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  4 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/sa.c | 10 ++++++++++
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 16 insertions(+)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..5c59c4b67 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
+	case ALGO_TYPE_3DES:
+		/* Cipher-Auth (3DES-CBC *) case */
 	case ALGO_TYPE_NULL:
 		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..8398748d1 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files
  2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                   ` (2 preceding siblings ...)
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
@ 2019-02-18 16:32 ` Fan Zhang
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  4 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-18 16:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              | 10 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 447 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 435de5da6..492156aae 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -40,7 +40,15 @@ tun_aesctr_sha1_old \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_esn \
 trs_aesctr_sha1_esn_atom \
-trs_aesctr_sha1_old"
+trs_aesctr_sha1_old \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+tun_3descbc_sha1_old \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom \
+trs_3descbc_sha1_old"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support
  2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                   ` (3 preceding siblings ...)
  2019-02-18 16:32 ` [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-02-19 15:32 ` Fan Zhang
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
                     ` (4 more replies)
  4 siblings, 5 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added too.

v2:
- removed unsupported tests.

Fan Zhang (4):
  ipsec: add AES-CTR algorithm support
  ipsec-secgw: add test scripts for aes ctr
  ipsec: add 3DES-CBC algorithm support
  ipsec-secgw: add 3des test files

 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  14 +-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 ++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 ++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 ++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 ++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 ++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 143 ++++++++++++++++++---
 lib/librte_ipsec/sa.h                              |  24 ++++
 25 files changed, 1046 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
@ 2019-02-19 15:32   ` Fan Zhang
  2019-02-22 12:43     ` Ananyev, Konstantin
  2019-03-19 14:32     ` Akhil Goyal
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
                     ` (3 subsequent siblings)
  4 siblings, 2 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
@ 2019-02-19 15:32   ` Fan Zhang
  2019-02-22 12:39     ` Ananyev, Konstantin
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
                     ` (2 subsequent siblings)
  4 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 439 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 1ed31f89f..ea17cf9fd 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..3c38d8850 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-02-19 15:32   ` Fan Zhang
  2019-02-22 12:38     ` Ananyev, Konstantin
  2019-03-19 14:46     ` Akhil Goyal
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  4 siblings, 2 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/sa.c | 10 ++++++++++
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 16 insertions(+)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..5c59c4b67 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
+	case ALGO_TYPE_3DES:
+		/* Cipher-Auth (3DES-CBC *) case */
 	case ALGO_TYPE_NULL:
 		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..8398748d1 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                     ` (2 preceding siblings ...)
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
@ 2019-02-19 15:32   ` Fan Zhang
  2019-02-22 12:40     ` Ananyev, Konstantin
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  4 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-02-19 15:32 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 445 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 3c38d8850..38edb4183 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \
 tun_aesctr_sha1_esn_atom \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_esn \
-trs_aesctr_sha1_esn_atom"
+trs_aesctr_sha1_esn_atom \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
@ 2019-02-22 12:38     ` Ananyev, Konstantin
  2019-03-19 14:46     ` Akhil Goyal
  1 sibling, 0 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-02-22 12:38 UTC (permalink / raw)
  To: Zhang, Roy Fan, dev; +Cc: akhil.goyal

> This patch adds triple-des CBC mode cipher algorithm to ipsec
> library.
> 
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>  lib/librte_ipsec/sa.c | 10 ++++++++++
>  lib/librte_ipsec/sa.h |  6 ++++++
>  2 files changed, 16 insertions(+)
> 
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index e34dd320a..5c59c4b67 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>  			sa->algo_type = ALGO_TYPE_AES_CTR;
>  			break;
> 
> +		case RTE_CRYPTO_CIPHER_3DES_CBC:
> +			/* RFC 1851 */
> +			sa->pad_align = IPSEC_PAD_3DES_CBC;
> +			sa->iv_len = IPSEC_3DES_IV_SIZE;
> +			sa->algo_type = ALGO_TYPE_3DES;
> +			break;
> +
>  		default:
>  			return -EINVAL;
>  		}
> @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>  			sa->iv_ofs);
>  		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
>  		break;
> +	case ALGO_TYPE_3DES:
> +		/* Cipher-Auth (3DES-CBC *) case */
>  	case ALGO_TYPE_NULL:
>  		/* NULL case */
>  		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>  		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
>  		break;
>  	case ALGO_TYPE_AES_CBC:
> +	case ALGO_TYPE_3DES:
>  		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
>  		sop->cipher.data.length = clen;
>  		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
> index 12c061ee6..8398748d1 100644
> --- a/lib/librte_ipsec/sa.h
> +++ b/lib/librte_ipsec/sa.h
> @@ -14,6 +14,7 @@
>  /* padding alignment for different algorithms */
>  enum {
>  	IPSEC_PAD_DEFAULT = 4,
> +	IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT,
>  	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
>  	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
>  	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
> @@ -24,6 +25,10 @@ enum {
>  enum {
>  	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
>  	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
> +	/* TripleDES supports IV size of 32bits or 64bits but he library

Typo: 's/ he / the /'

> +	 * only supports 64bits.
> +	 */
> +	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
>  };
> 
>  /* these definitions probably has to be in rte_crypto_sym.h */
> @@ -57,6 +62,7 @@ struct replay_sqn {
>  /*IPSEC SA supported algorithms */
>  enum sa_algo_type	{
>  	ALGO_TYPE_NULL = 0,
> +	ALGO_TYPE_3DES,
>  	ALGO_TYPE_AES_CBC,
>  	ALGO_TYPE_AES_CTR,
>  	ALGO_TYPE_AES_GCM,
> --

Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

> 2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-02-22 12:39     ` Ananyev, Konstantin
  0 siblings, 0 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-02-22 12:39 UTC (permalink / raw)
  To: Zhang, Roy Fan, dev; +Cc: akhil.goyal

> This patch adds the functional test scripts to ipsec-secgw
> sample application for both transport and tunnel working
> mode.
> 
> Updated a bit on common_defs to use "mktemp" instead of "tempfile"
> as Fedora does not like the command.
> 
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>  examples/ipsec-secgw/test/common_defs.sh           |  4 +-
>  examples/ipsec-secgw/test/run_test.sh              |  8 ++-
>  .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
>  examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
>  .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
>  .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
>  .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
>  .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
>  examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
>  .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
>  .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
>  .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
>  12 files changed, 439 insertions(+), 3 deletions(-)
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
> 

Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

> --
> 2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-02-22 12:40     ` Ananyev, Konstantin
  0 siblings, 0 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-02-22 12:40 UTC (permalink / raw)
  To: Zhang, Roy Fan, dev; +Cc: akhil.goyal



> -----Original Message-----
> From: Zhang, Roy Fan
> Sent: Tuesday, February 19, 2019 3:33 PM
> To: dev@dpdk.org
> Cc: akhil.goyal@nxp.com; Ananyev, Konstantin <konstantin.ananyev@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: [PATCH v2 4/4] ipsec-secgw: add 3des test files
> 
> This patch adds the functional test scripts to ipsec-secgw
> sample application for both transport and tunnel working
> mode.
> 
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>  examples/ipsec-secgw/test/run_test.sh              |  8 ++-
>  .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
>  examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
>  .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
>  .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
>  .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
>  .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
>  examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
>  .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
>  .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
>  .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
>  11 files changed, 445 insertions(+), 1 deletion(-)
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
> 
> --

Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

> 2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
@ 2019-02-22 12:43     ` Ananyev, Konstantin
  2019-03-19 14:32     ` Akhil Goyal
  1 sibling, 0 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-02-22 12:43 UTC (permalink / raw)
  To: Zhang, Roy Fan, dev; +Cc: akhil.goyal


> 
> This patch adds AES-CTR cipher algorithm support to ipsec
> library.
> 
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>  lib/librte_ipsec/crypto.h |  17 ++++++
>  lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>  lib/librte_ipsec/sa.h     |  18 +++++++
>  3 files changed, 147 insertions(+), 21 deletions(-)

> --

Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

> 2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support
  2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                     ` (3 preceding siblings ...)
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-02-25 12:07   ` Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
                       ` (5 more replies)
  4 siblings, 6 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added too.

v3:
- fixed a bug in 3DES.

v2:
- removed unsupported tests.

Fan Zhang (4):
  ipsec: add AES-CTR algorithm support
  ipsec-secgw: add test scripts for aes ctr
  ipsec: add 3DES-CBC algorithm support
  ipsec-secgw: add 3des test files

 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  14 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
 lib/librte_ipsec/sa.h                              |  24 ++++
 25 files changed, 1040 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
@ 2019-02-25 12:07     ` Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
                       ` (4 subsequent siblings)
  5 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
@ 2019-02-25 12:07     ` Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
                       ` (3 subsequent siblings)
  5 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 439 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 1ed31f89f..ea17cf9fd 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..3c38d8850 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-02-25 12:07     ` Fan Zhang
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files Fan Zhang
                       ` (2 subsequent siblings)
  5 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..81d25fd49 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 		sa->ctp.cipher.length = 0;
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
 		break;
@@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 	sop = cop->sym;
 
 	switch (algo_type) {
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+	case ALGO_TYPE_3DES:
+		/* Cipher-Auth (3DES-CBC *) case */
+	case ALGO_TYPE_NULL:
+		/* NULL case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
 	case ALGO_TYPE_AES_GCM:
 		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
@@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_AES_CBC:
-		/* Cipher-Auth (AES-CBC *) case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	case ALGO_TYPE_AES_CTR:
 		/* Cipher-Auth (AES-CTR *) case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_NULL:
-		/* NULL case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	default:
 		break;
 	}
@@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..ceff41390 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = 8,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                       ` (2 preceding siblings ...)
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
@ 2019-02-25 12:07     ` Fan Zhang
  2019-03-04 16:38     ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Ananyev, Konstantin
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  5 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-02-25 12:07 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, konstantin.ananyev, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 445 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 3c38d8850..38edb4183 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \
 tun_aesctr_sha1_esn_atom \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_esn \
-trs_aesctr_sha1_esn_atom"
+trs_aesctr_sha1_esn_atom \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                       ` (3 preceding siblings ...)
  2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-03-04 16:38     ` Ananyev, Konstantin
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  5 siblings, 0 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-03-04 16:38 UTC (permalink / raw)
  To: Zhang, Roy Fan, dev; +Cc: akhil.goyal



> 
> This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
> support to ipsec library. The test scripts for ipsec-secgw
> sample application are added too.
> 
> v3:
> - fixed a bug in 3DES.
> 
> v2:
> - removed unsupported tests.
> 
> Fan Zhang (4):
>   ipsec: add AES-CTR algorithm support
>   ipsec-secgw: add test scripts for aes ctr
>   ipsec: add 3DES-CBC algorithm support
>   ipsec-secgw: add 3des test files
> 
>  examples/ipsec-secgw/test/common_defs.sh           |   4 +-
>  examples/ipsec-secgw/test/run_test.sh              |  14 ++-
>  .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
>  examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
>  .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
>  .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
>  .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
>  .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
>  examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
>  .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
>  .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
>  .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
>  .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
>  examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
>  .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
>  .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
>  .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
>  .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
>  examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
>  .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
>  .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
>  .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
>  lib/librte_ipsec/crypto.h                          |  17 +++
>  lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
>  lib/librte_ipsec/sa.h                              |  24 ++++
>  25 files changed, 1040 insertions(+), 24 deletions(-)
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
>  create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
> 
> --

Reviewed-by: Konstantin Ananyev <konstantin.ananyev@intel.com>


> 2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
  2019-02-22 12:43     ` Ananyev, Konstantin
@ 2019-03-19 14:32     ` Akhil Goyal
  2019-03-19 14:32       ` Akhil Goyal
  1 sibling, 1 reply; 54+ messages in thread
From: Akhil Goyal @ 2019-03-19 14:32 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev

Hi Fan,

title should be ipsec: support aes-ctr

On 2/19/2019 9:02 PM, Fan Zhang wrote:
> This patch adds AES-CTR cipher algorithm support to ipsec
> library.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>   lib/librte_ipsec/crypto.h |  17 ++++++
>   lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>   lib/librte_ipsec/sa.h     |  18 +++++++
>   3 files changed, 147 insertions(+), 21 deletions(-)
>
> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
> index b5f264831..4f551e39c 100644
> --- a/lib/librte_ipsec/crypto.h
> +++ b/lib/librte_ipsec/crypto.h
> @@ -11,6 +11,16 @@
>    * by ipsec library.
>    */
>   
> +/*
> + * AES-CTR counter block format.
> + */
> +
> +struct aesctr_cnt_blk {
> +	uint32_t nonce;
> +	uint64_t iv;
> +	uint32_t cnt;
> +} __attribute__((packed));
> +
I believe cnt should be above iv.
>    /*
>     * AES-GCM devices have some specific requirements for IV and AAD formats.
>     * Ideally that to be done by the driver itself.
> @@ -41,6 +51,13 @@ struct gcm_esph_iv {
>   	uint64_t iv;
>   } __attribute__((packed));
>   
>
Apart from that,
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support
  2019-03-19 14:32     ` Akhil Goyal
@ 2019-03-19 14:32       ` Akhil Goyal
  0 siblings, 0 replies; 54+ messages in thread
From: Akhil Goyal @ 2019-03-19 14:32 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev

Hi Fan,

title should be ipsec: support aes-ctr

On 2/19/2019 9:02 PM, Fan Zhang wrote:
> This patch adds AES-CTR cipher algorithm support to ipsec
> library.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>   lib/librte_ipsec/crypto.h |  17 ++++++
>   lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>   lib/librte_ipsec/sa.h     |  18 +++++++
>   3 files changed, 147 insertions(+), 21 deletions(-)
>
> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
> index b5f264831..4f551e39c 100644
> --- a/lib/librte_ipsec/crypto.h
> +++ b/lib/librte_ipsec/crypto.h
> @@ -11,6 +11,16 @@
>    * by ipsec library.
>    */
>   
> +/*
> + * AES-CTR counter block format.
> + */
> +
> +struct aesctr_cnt_blk {
> +	uint32_t nonce;
> +	uint64_t iv;
> +	uint32_t cnt;
> +} __attribute__((packed));
> +
I believe cnt should be above iv.
>    /*
>     * AES-GCM devices have some specific requirements for IV and AAD formats.
>     * Ideally that to be done by the driver itself.
> @@ -41,6 +51,13 @@ struct gcm_esph_iv {
>   	uint64_t iv;
>   } __attribute__((packed));
>   
>
Apart from that,
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support
  2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
  2019-02-22 12:38     ` Ananyev, Konstantin
@ 2019-03-19 14:46     ` Akhil Goyal
  2019-03-19 14:46       ` Akhil Goyal
  1 sibling, 1 reply; 54+ messages in thread
From: Akhil Goyal @ 2019-03-19 14:46 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev



On 2/19/2019 9:02 PM, Fan Zhang wrote:
> This patch adds triple-des CBC mode cipher algorithm to ipsec
> library.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>   lib/librte_ipsec/sa.c | 10 ++++++++++
>   lib/librte_ipsec/sa.h |  6 ++++++
>   2 files changed, 16 insertions(+)
>
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index e34dd320a..5c59c4b67 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>   			sa->algo_type = ALGO_TYPE_AES_CTR;
>   			break;
>   
> +		case RTE_CRYPTO_CIPHER_3DES_CBC:
> +			/* RFC 1851 */
> +			sa->pad_align = IPSEC_PAD_3DES_CBC;
> +			sa->iv_len = IPSEC_3DES_IV_SIZE;
> +			sa->algo_type = ALGO_TYPE_3DES;
> +			break;
> +
>   		default:
>   			return -EINVAL;
>   		}
> @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>   			sa->iv_ofs);
>   		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
>   		break;
> +	case ALGO_TYPE_3DES:
> +		/* Cipher-Auth (3DES-CBC *) case */
>   	case ALGO_TYPE_NULL:
>   		/* NULL case */
>   		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
>   		break;
>   	case ALGO_TYPE_AES_CBC:
> +	case ALGO_TYPE_3DES:
>   		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
>   		sop->cipher.data.length = clen;
>   		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
> index 12c061ee6..8398748d1 100644
> --- a/lib/librte_ipsec/sa.h
> +++ b/lib/librte_ipsec/sa.h
> @@ -14,6 +14,7 @@
>   /* padding alignment for different algorithms */
>   enum {
>   	IPSEC_PAD_DEFAULT = 4,
> +	IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
>   	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
> @@ -24,6 +25,10 @@ enum {
>   enum {
>   	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
>   	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
> +	/* TripleDES supports IV size of 32bits or 64bits but he library
> +	 * only supports 64bits.
> +	 */
> +	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
>   };
>   
>   /* these definitions probably has to be in rte_crypto_sym.h */
> @@ -57,6 +62,7 @@ struct replay_sqn {
>   /*IPSEC SA supported algorithms */
>   enum sa_algo_type	{
>   	ALGO_TYPE_NULL = 0,
> +	ALGO_TYPE_3DES,
this should be 3des_cbc
>   	ALGO_TYPE_AES_CBC,
>   	ALGO_TYPE_AES_CTR,
>   	ALGO_TYPE_AES_GCM,


^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support
  2019-03-19 14:46     ` Akhil Goyal
@ 2019-03-19 14:46       ` Akhil Goyal
  0 siblings, 0 replies; 54+ messages in thread
From: Akhil Goyal @ 2019-03-19 14:46 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev



On 2/19/2019 9:02 PM, Fan Zhang wrote:
> This patch adds triple-des CBC mode cipher algorithm to ipsec
> library.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
>   lib/librte_ipsec/sa.c | 10 ++++++++++
>   lib/librte_ipsec/sa.h |  6 ++++++
>   2 files changed, 16 insertions(+)
>
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index e34dd320a..5c59c4b67 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -307,6 +307,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>   			sa->algo_type = ALGO_TYPE_AES_CTR;
>   			break;
>   
> +		case RTE_CRYPTO_CIPHER_3DES_CBC:
> +			/* RFC 1851 */
> +			sa->pad_align = IPSEC_PAD_3DES_CBC;
> +			sa->iv_len = IPSEC_3DES_IV_SIZE;
> +			sa->algo_type = ALGO_TYPE_3DES;
> +			break;
> +
>   		default:
>   			return -EINVAL;
>   		}
> @@ -512,6 +519,8 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>   			sa->iv_ofs);
>   		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
>   		break;
> +	case ALGO_TYPE_3DES:
> +		/* Cipher-Auth (3DES-CBC *) case */
>   	case ALGO_TYPE_NULL:
>   		/* NULL case */
>   		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> @@ -873,6 +882,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
>   		break;
>   	case ALGO_TYPE_AES_CBC:
> +	case ALGO_TYPE_3DES:
>   		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
>   		sop->cipher.data.length = clen;
>   		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
> index 12c061ee6..8398748d1 100644
> --- a/lib/librte_ipsec/sa.h
> +++ b/lib/librte_ipsec/sa.h
> @@ -14,6 +14,7 @@
>   /* padding alignment for different algorithms */
>   enum {
>   	IPSEC_PAD_DEFAULT = 4,
> +	IPSEC_PAD_3DES_CBC = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
>   	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
> @@ -24,6 +25,10 @@ enum {
>   enum {
>   	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
>   	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
> +	/* TripleDES supports IV size of 32bits or 64bits but he library
> +	 * only supports 64bits.
> +	 */
> +	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
>   };
>   
>   /* these definitions probably has to be in rte_crypto_sym.h */
> @@ -57,6 +62,7 @@ struct replay_sqn {
>   /*IPSEC SA supported algorithms */
>   enum sa_algo_type	{
>   	ALGO_TYPE_NULL = 0,
> +	ALGO_TYPE_3DES,
this should be 3des_cbc
>   	ALGO_TYPE_AES_CBC,
>   	ALGO_TYPE_AES_CTR,
>   	ALGO_TYPE_AES_GCM,


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC
  2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
                       ` (4 preceding siblings ...)
  2019-03-04 16:38     ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Ananyev, Konstantin
@ 2019-03-20 13:51     ` Fan Zhang
  2019-03-20 13:51       ` Fan Zhang
                         ` (5 more replies)
  5 siblings, 6 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added.

v4:
- changed patch titles.
- changed ALGO_TYPE naming for 3DES-CBC

v3:
- fixed a bug in 3DES.

v2:
- removed unsupported tests.

Fan Zhang (4):
  ipsec: support AES-CTR
  ipsec-secgw: add test scripts for aes ctr
  ipsec: support 3DES-CBC
  ipsec-secgw: add 3des test files

 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  14 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
 lib/librte_ipsec/sa.h                              |  24 ++++
 25 files changed, 1040 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
@ 2019-03-20 13:51       ` Fan Zhang
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang
                         ` (4 subsequent siblings)
  5 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added.

v4:
- changed patch titles.
- changed ALGO_TYPE naming for 3DES-CBC

v3:
- fixed a bug in 3DES.

v2:
- removed unsupported tests.

Fan Zhang (4):
  ipsec: support AES-CTR
  ipsec-secgw: add test scripts for aes ctr
  ipsec: support 3DES-CBC
  ipsec-secgw: add 3des test files

 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  14 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
 lib/librte_ipsec/sa.h                              |  24 ++++
 25 files changed, 1040 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  2019-03-20 13:51       ` Fan Zhang
@ 2019-03-20 13:51       ` Fan Zhang
  2019-03-20 13:51         ` Fan Zhang
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
                         ` (3 subsequent siblings)
  5 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang
@ 2019-03-20 13:51         ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  2019-03-20 13:51       ` Fan Zhang
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang
@ 2019-03-20 13:51       ` Fan Zhang
  2019-03-20 13:51         ` Fan Zhang
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang
                         ` (2 subsequent siblings)
  5 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 439 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 693c70cd1..8dc574b50 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..3c38d8850 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-03-20 13:51         ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 439 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 693c70cd1..8dc574b50 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..3c38d8850 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,13 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                         ` (2 preceding siblings ...)
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-03-20 13:51       ` Fan Zhang
  2019-03-20 13:51         ` Fan Zhang
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  5 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..2eb6bae07 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 		sa->ctp.cipher.length = 0;
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
 		break;
@@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES_CBC;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 	sop = cop->sym;
 
 	switch (algo_type) {
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+	case ALGO_TYPE_3DES_CBC:
+		/* Cipher-Auth (3DES-CBC *) case */
+	case ALGO_TYPE_NULL:
+		/* NULL case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
 	case ALGO_TYPE_AES_GCM:
 		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
@@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_AES_CBC:
-		/* Cipher-Auth (AES-CBC *) case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	case ALGO_TYPE_AES_CTR:
 		/* Cipher-Auth (AES-CTR *) case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_NULL:
-		/* NULL case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	default:
 		break;
 	}
@@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..c3a0d84bc 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = 8,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES_CBC,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang
@ 2019-03-20 13:51         ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..2eb6bae07 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 		sa->ctp.cipher.length = 0;
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
 		break;
@@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES_CBC;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 	sop = cop->sym;
 
 	switch (algo_type) {
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+	case ALGO_TYPE_3DES_CBC:
+		/* Cipher-Auth (3DES-CBC *) case */
+	case ALGO_TYPE_NULL:
+		/* NULL case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
 	case ALGO_TYPE_AES_GCM:
 		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
@@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_AES_CBC:
-		/* Cipher-Auth (AES-CBC *) case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	case ALGO_TYPE_AES_CTR:
 		/* Cipher-Auth (AES-CTR *) case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_NULL:
-		/* NULL case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	default:
 		break;
 	}
@@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..c3a0d84bc 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = 8,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES_CBC,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                         ` (3 preceding siblings ...)
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang
@ 2019-03-20 13:51       ` Fan Zhang
  2019-03-20 13:51         ` Fan Zhang
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  5 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 445 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 3c38d8850..38edb4183 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \
 tun_aesctr_sha1_esn_atom \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_esn \
-trs_aesctr_sha1_esn_atom"
+trs_aesctr_sha1_esn_atom \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-03-20 13:51         ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 13:51 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              |  8 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 445 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 3c38d8850..38edb4183 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -38,7 +38,13 @@ tun_aesctr_sha1_esn \
 tun_aesctr_sha1_esn_atom \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_esn \
-trs_aesctr_sha1_esn_atom"
+trs_aesctr_sha1_esn_atom \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC
  2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                         ` (4 preceding siblings ...)
  2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-03-20 15:38       ` Fan Zhang
  2019-03-20 15:38         ` Fan Zhang
                           ` (6 more replies)
  5 siblings, 7 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added.

v5:
- updated ipsec-secgw run_test.sh script
- updated release note

v4:
- changed patch titles.
- changed ALGO_TYPE naming for 3DES-CBC

v3:
- fixed a bug in 3DES.

v2:
- removed unsupported tests.

Fan Zhang (5):
  ipsec: support AES-CTR
  ipsec-secgw: add test scripts for aes ctr
  ipsec: support 3DES-CBC
  ipsec-secgw: add 3des test files
  doc: update release note

 doc/guides/rel_notes/release_19_05.rst             |   6 +
 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  18 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
 lib/librte_ipsec/sa.h                              |  24 ++++
 26 files changed, 1050 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
@ 2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang
                           ` (5 subsequent siblings)
  6 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
support to ipsec library. The test scripts for ipsec-secgw
sample application are added.

v5:
- updated ipsec-secgw run_test.sh script
- updated release note

v4:
- changed patch titles.
- changed ALGO_TYPE naming for 3DES-CBC

v3:
- fixed a bug in 3DES.

v2:
- removed unsupported tests.

Fan Zhang (5):
  ipsec: support AES-CTR
  ipsec-secgw: add test scripts for aes ctr
  ipsec: support 3DES-CBC
  ipsec-secgw: add 3des test files
  doc: update release note

 doc/guides/rel_notes/release_19_05.rst             |   6 +
 examples/ipsec-secgw/test/common_defs.sh           |   4 +-
 examples/ipsec-secgw/test/run_test.sh              |  18 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
 .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
 .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
 .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
 lib/librte_ipsec/crypto.h                          |  17 +++
 lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
 lib/librte_ipsec/sa.h                              |  24 ++++
 26 files changed, 1050 insertions(+), 24 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  2019-03-20 15:38         ` Fan Zhang
@ 2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38           ` Fan Zhang
  2019-03-22 11:53           ` Akhil Goyal
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang
                           ` (4 subsequent siblings)
  6 siblings, 2 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang
@ 2019-03-20 15:38           ` Fan Zhang
  2019-03-22 11:53           ` Akhil Goyal
  1 sibling, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds AES-CTR cipher algorithm support to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_ipsec/crypto.h |  17 ++++++
 lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
 lib/librte_ipsec/sa.h     |  18 +++++++
 3 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
index b5f264831..4f551e39c 100644
--- a/lib/librte_ipsec/crypto.h
+++ b/lib/librte_ipsec/crypto.h
@@ -11,6 +11,16 @@
  * by ipsec library.
  */
 
+/*
+ * AES-CTR counter block format.
+ */
+
+struct aesctr_cnt_blk {
+	uint32_t nonce;
+	uint64_t iv;
+	uint32_t cnt;
+} __attribute__((packed));
+
  /*
   * AES-GCM devices have some specific requirements for IV and AAD formats.
   * Ideally that to be done by the driver itself.
@@ -41,6 +51,13 @@ struct gcm_esph_iv {
 	uint64_t iv;
 } __attribute__((packed));
 
+static inline void
+aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
+{
+	ctr->nonce = nonce;
+	ctr->iv = iv;
+	ctr->cnt = rte_cpu_to_be_32(1);
+}
 
 static inline void
 aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 5f55c2a4e..e34dd320a 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
 static void
 esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 {
+	uint8_t algo_type;
+
 	sa->sqn.outb.raw = 1;
 
 	/* these params may differ with new algorithms support */
 	sa->ctp.auth.offset = hlen;
 	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
-	if (sa->aad_len != 0) {
+
+	algo_type = sa->algo_type;
+
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+	case ALGO_TYPE_AES_CTR:
+	case ALGO_TYPE_NULL:
 		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
 			sa->iv_len;
 		sa->ctp.cipher.length = 0;
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
+		break;
 	}
 }
 
@@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 				RTE_IPSEC_SATP_MODE_MASK;
 
 	if (cxf->aead != NULL) {
-		/* RFC 4106 */
-		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
+		switch (cxf->aead->algo) {
+		case RTE_CRYPTO_AEAD_AES_GCM:
+			/* RFC 4106 */
+			sa->aad_len = sizeof(struct aead_gcm_aad);
+			sa->icv_len = cxf->aead->digest_length;
+			sa->iv_ofs = cxf->aead->iv.offset;
+			sa->iv_len = sizeof(uint64_t);
+			sa->pad_align = IPSEC_PAD_AES_GCM;
+			sa->algo_type = ALGO_TYPE_AES_GCM;
+			break;
+		default:
 			return -EINVAL;
-		sa->aad_len = sizeof(struct aead_gcm_aad);
-		sa->icv_len = cxf->aead->digest_length;
-		sa->iv_ofs = cxf->aead->iv.offset;
-		sa->iv_len = sizeof(uint64_t);
-		sa->pad_align = IPSEC_PAD_AES_GCM;
+		}
 	} else {
 		sa->icv_len = cxf->auth->digest_length;
 		sa->iv_ofs = cxf->cipher->iv.offset;
 		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
-		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
+
+		switch (cxf->cipher->algo) {
+		case RTE_CRYPTO_CIPHER_NULL:
 			sa->pad_align = IPSEC_PAD_NULL;
 			sa->iv_len = 0;
-		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+			sa->algo_type = ALGO_TYPE_NULL;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sa->pad_align = IPSEC_PAD_AES_CBC;
 			sa->iv_len = IPSEC_MAX_IV_SIZE;
-		} else
+			sa->algo_type = ALGO_TYPE_AES_CBC;
+			break;
+
+		case RTE_CRYPTO_CIPHER_AES_CTR:
+			/* RFC 3686 */
+			sa->pad_align = IPSEC_PAD_AES_CTR;
+			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_AES_CTR;
+			break;
+
+		default:
 			return -EINVAL;
+		}
 	}
 
 	sa->udata = prm->userdata;
@@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
+	uint8_t algo_type = sa->algo_type;
 
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
+		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->aead.data.length = sa->ctp.cipher.length + plen;
 		sop->aead.digest.data = icv->va;
@@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	case ALGO_TYPE_AES_CTR:
+		/* Cipher-Auth (AES-CTR *) case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		/* NULL case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
 		sop->cipher.data.length = sa->ctp.cipher.length + plen;
 		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
 		sop->auth.data.length = sa->ctp.auth.length + plen;
 		sop->auth.digest.data = icv->va;
 		sop->auth.digest.phys_addr = icv->pa;
+		break;
+	default:
+		break;
 	}
 }
 
@@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 {
 	uint32_t *psqh;
 	struct aead_gcm_aad *aad;
+	uint8_t algo_type = sa->algo_type;
 
 	/* insert SQN.hi between ESP trailer and ICV */
 	if (sa->sqh_len != 0) {
@@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	 * fill IV and AAD fields, if any (aad fields are placed after icv),
 	 * right now we support only one AEAD algorithm: AES-GCM .
 	 */
-	if (sa->aad_len != 0) {
+	if (algo_type == ALGO_TYPE_AES_GCM) {
 		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
 		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
 	}
@@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 {
 	struct rte_crypto_sym_op *sop;
 	struct aead_gcm_iv *gcm;
+	struct aesctr_cnt_blk *ctr;
 	uint64_t *ivc, *ivp;
 	uint32_t clen;
+	uint8_t algo_type = sa->algo_type;
 
 	clen = plen - sa->ctp.cipher.length;
 	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
@@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 	/* fill sym op fields */
 	sop = cop->sym;
 
-	/* AEAD (AES_GCM) case */
-	if (sa->aad_len != 0) {
+	switch (algo_type) {
+	case ALGO_TYPE_AES_GCM:
 		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->aead.data.length = clen;
 		sop->aead.digest.data = icv->va;
@@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
-	/* CRYPT+AUTH case */
-	} else {
+		break;
+	case ALGO_TYPE_AES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
@@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
 			pofs + sizeof(struct esp_hdr));
 		copy_iv(ivc, ivp, sa->iv_len);
+		break;
+	case ALGO_TYPE_AES_CTR:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+
+		/* copy iv from the input packet to the cop */
+		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
+			sa->iv_ofs);
+		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
+			pofs + sizeof(struct esp_hdr));
+		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
+		break;
+	case ALGO_TYPE_NULL:
+		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
+		sop->cipher.data.length = clen;
+		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
+		sop->auth.data.length = plen - sa->ctp.auth.length;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
+
+	default:
+		return -EINVAL;
 	}
+
 	return 0;
 }
 
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 392e8fd7b..12c061ee6 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -15,10 +15,17 @@
 enum {
 	IPSEC_PAD_DEFAULT = 4,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
+	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
 };
 
+/* iv sizes for different algorithms */
+enum {
+	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
+	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+};
+
 /* these definitions probably has to be in rte_crypto_sym.h */
 union sym_op_ofslen {
 	uint64_t raw;
@@ -47,7 +54,17 @@ struct replay_sqn {
 	__extension__ uint64_t window[0];
 };
 
+/*IPSEC SA supported algorithms */
+enum sa_algo_type	{
+	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_AES_CBC,
+	ALGO_TYPE_AES_CTR,
+	ALGO_TYPE_AES_GCM,
+	ALGO_TYPE_MAX
+};
+
 struct rte_ipsec_sa {
+
 	uint64_t type;     /* type of given SA */
 	uint64_t udata;    /* user defined */
 	uint32_t size;     /* size of given sa object */
@@ -65,6 +82,7 @@ struct rte_ipsec_sa {
 		union sym_op_ofslen auth;
 	} ctp;
 	uint32_t salt;
+	uint8_t algo_type;
 	uint8_t proto;    /* next proto */
 	uint8_t aad_len;
 	uint8_t hdr_len;
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
  2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang
@ 2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38           ` Fan Zhang
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang
                           ` (3 subsequent siblings)
  6 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              | 10 +++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 441 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 693c70cd1..8dc574b50 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..a6e363125 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,15 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_old \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_old \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-03-20 15:38           ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Updated a bit on common_defs to use "mktemp" instead of "tempfile"
as Fedora does not like the command.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 examples/ipsec-secgw/test/common_defs.sh           |  4 +-
 examples/ipsec-secgw/test/run_test.sh              | 10 +++-
 .../test/trs_aesctr_sha1_common_defs.sh            | 69 +++++++++++++++++++++
 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  | 67 +++++++++++++++++++++
 .../test/trs_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   | 66 ++++++++++++++++++++
 .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |  5 ++
 .../test/tun_aesctr_sha1_common_defs.sh            | 68 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  | 70 ++++++++++++++++++++++
 .../test/tun_aesctr_sha1_esn_atom_defs.sh          |  5 ++
 .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   | 70 ++++++++++++++++++++++
 .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |  5 ++
 12 files changed, 441 insertions(+), 3 deletions(-)
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/common_defs.sh b/examples/ipsec-secgw/test/common_defs.sh
index 693c70cd1..8dc574b50 100644
--- a/examples/ipsec-secgw/test/common_defs.sh
+++ b/examples/ipsec-secgw/test/common_defs.sh
@@ -53,7 +53,7 @@ SGW_CMD_EAL_PRM="--lcores=${SGW_LCORE} -n 4 ${ETH_DEV}"
 SGW_CMD_CFG="(0,0,${SGW_LCORE}),(1,0,${SGW_LCORE})"
 SGW_CMD_PRM="-p 0x3 -u 1 -P --config=\"${SGW_CMD_CFG}\""
 
-SGW_CFG_FILE=$(tempfile)
+SGW_CFG_FILE=$(mktemp)
 
 # configure local host/ifaces
 config_local_iface()
@@ -129,7 +129,7 @@ config6_iface()
 #start ipsec-secgw
 secgw_start()
 {
-	SGW_EXEC_FILE=$(tempfile)
+	SGW_EXEC_FILE=$(mktemp)
 	cat <<EOF > ${SGW_EXEC_FILE}
 ${SGW_PATH} ${SGW_CMD_EAL_PRM} ${CRYPTO_DEV} \
 --vdev="net_tap0,mac=fixed" \
diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index 6dc0ce54e..a6e363125 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -32,7 +32,15 @@ trs_aesgcm_esn_atom \
 tun_aescbc_sha1_old \
 tun_aesgcm_old \
 trs_aescbc_sha1_old \
-trs_aesgcm_old"
+trs_aesgcm_old \
+tun_aesctr_sha1 \
+tun_aesctr_sha1_old \
+tun_aesctr_sha1_esn \
+tun_aesctr_sha1_esn_atom \
+trs_aesctr_sha1 \
+trs_aesctr_sha1_old \
+trs_aesctr_sha1_esn \
+trs_aesctr_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..9c213e3cc
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
@@ -0,0 +1,69 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..73642f881
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..17c81c267
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..e401a4bed
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..3aa071229
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
new file mode 100644
index 000000000..a3ac3a698
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
@@ -0,0 +1,68 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo aes-128-ctr \
+cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
new file mode 100644
index 000000000..3710f897c
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..7dcfc3218
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
new file mode 100644
index 000000000..c3ce11da1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "rfc3686\(ctr\(aes\)\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
new file mode 100644
index 000000000..26f0d0290
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_aesctr_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                           ` (2 preceding siblings ...)
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang
@ 2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38           ` Fan Zhang
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang
                           ` (2 subsequent siblings)
  6 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..2eb6bae07 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 		sa->ctp.cipher.length = 0;
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
 		break;
@@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES_CBC;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 	sop = cop->sym;
 
 	switch (algo_type) {
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+	case ALGO_TYPE_3DES_CBC:
+		/* Cipher-Auth (3DES-CBC *) case */
+	case ALGO_TYPE_NULL:
+		/* NULL case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
 	case ALGO_TYPE_AES_GCM:
 		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
@@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_AES_CBC:
-		/* Cipher-Auth (AES-CBC *) case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	case ALGO_TYPE_AES_CTR:
 		/* Cipher-Auth (AES-CTR *) case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_NULL:
-		/* NULL case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	default:
 		break;
 	}
@@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..c3a0d84bc 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = 8,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES_CBC,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang
@ 2019-03-20 15:38           ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds triple-des CBC mode cipher algorithm to ipsec
library.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_ipsec/sa.c | 40 ++++++++++++++++++++++------------------
 lib/librte_ipsec/sa.h |  6 ++++++
 2 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index e34dd320a..2eb6bae07 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -238,6 +238,7 @@ esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
 		sa->ctp.cipher.length = 0;
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
 		sa->ctp.cipher.length = sa->iv_len;
 		break;
@@ -307,6 +308,13 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 			sa->algo_type = ALGO_TYPE_AES_CTR;
 			break;
 
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			/* RFC 1851 */
+			sa->pad_align = IPSEC_PAD_3DES_CBC;
+			sa->iv_len = IPSEC_3DES_IV_SIZE;
+			sa->algo_type = ALGO_TYPE_3DES_CBC;
+			break;
+
 		default:
 			return -EINVAL;
 		}
@@ -476,6 +484,19 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 	sop = cop->sym;
 
 	switch (algo_type) {
+	case ALGO_TYPE_AES_CBC:
+		/* Cipher-Auth (AES-CBC *) case */
+	case ALGO_TYPE_3DES_CBC:
+		/* Cipher-Auth (3DES-CBC *) case */
+	case ALGO_TYPE_NULL:
+		/* NULL case */
+		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
+		sop->cipher.data.length = sa->ctp.cipher.length + plen;
+		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
+		sop->auth.data.length = sa->ctp.auth.length + plen;
+		sop->auth.digest.data = icv->va;
+		sop->auth.digest.phys_addr = icv->pa;
+		break;
 	case ALGO_TYPE_AES_GCM:
 		/* AEAD (AES_GCM) case */
 		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
@@ -490,15 +511,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_AES_CBC:
-		/* Cipher-Auth (AES-CBC *) case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	case ALGO_TYPE_AES_CTR:
 		/* Cipher-Auth (AES-CTR *) case */
 		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
@@ -512,15 +524,6 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
 			sa->iv_ofs);
 		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
 		break;
-	case ALGO_TYPE_NULL:
-		/* NULL case */
-		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
-		sop->cipher.data.length = sa->ctp.cipher.length + plen;
-		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
-		sop->auth.data.length = sa->ctp.auth.length + plen;
-		sop->auth.digest.data = icv->va;
-		sop->auth.digest.phys_addr = icv->pa;
-		break;
 	default:
 		break;
 	}
@@ -873,6 +876,7 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
 		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
 		break;
 	case ALGO_TYPE_AES_CBC:
+	case ALGO_TYPE_3DES_CBC:
 		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
 		sop->cipher.data.length = clen;
 		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 12c061ee6..c3a0d84bc 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -14,6 +14,7 @@
 /* padding alignment for different algorithms */
 enum {
 	IPSEC_PAD_DEFAULT = 4,
+	IPSEC_PAD_3DES_CBC = 8,
 	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
 	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
 	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
@@ -24,6 +25,10 @@ enum {
 enum {
 	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
 	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
+	/* TripleDES supports IV size of 32bits or 64bits but he library
+	 * only supports 64bits.
+	 */
+	IPSEC_3DES_IV_SIZE = sizeof(uint64_t),
 };
 
 /* these definitions probably has to be in rte_crypto_sym.h */
@@ -57,6 +62,7 @@ struct replay_sqn {
 /*IPSEC SA supported algorithms */
 enum sa_algo_type	{
 	ALGO_TYPE_NULL = 0,
+	ALGO_TYPE_3DES_CBC,
 	ALGO_TYPE_AES_CBC,
 	ALGO_TYPE_AES_CTR,
 	ALGO_TYPE_AES_GCM,
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                           ` (3 preceding siblings ...)
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang
@ 2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38           ` Fan Zhang
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang
  2019-03-22 14:59         ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal
  6 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              | 10 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 447 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index a6e363125..d8c4b6625 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -40,7 +40,15 @@ tun_aesctr_sha1_esn_atom \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_old \
 trs_aesctr_sha1_esn \
-trs_aesctr_sha1_esn_atom"
+trs_aesctr_sha1_esn_atom \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_old \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_old \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-03-20 15:38           ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch adds the functional test scripts to ipsec-secgw
sample application for both transport and tunnel working
mode.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 examples/ipsec-secgw/test/run_test.sh              | 10 ++-
 .../test/trs_3descbc_sha1_common_defs.sh           | 73 ++++++++++++++++++++++
 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh | 67 ++++++++++++++++++++
 .../test/trs_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  | 66 +++++++++++++++++++
 .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |  5 ++
 .../test/tun_3descbc_sha1_common_defs.sh           | 72 +++++++++++++++++++++
 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh | 70 +++++++++++++++++++++
 .../test/tun_3descbc_sha1_esn_atom_defs.sh         |  5 ++
 .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  | 70 +++++++++++++++++++++
 .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |  5 ++
 11 files changed, 447 insertions(+), 1 deletion(-)
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
 create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh

diff --git a/examples/ipsec-secgw/test/run_test.sh b/examples/ipsec-secgw/test/run_test.sh
index a6e363125..d8c4b6625 100644
--- a/examples/ipsec-secgw/test/run_test.sh
+++ b/examples/ipsec-secgw/test/run_test.sh
@@ -40,7 +40,15 @@ tun_aesctr_sha1_esn_atom \
 trs_aesctr_sha1 \
 trs_aesctr_sha1_old \
 trs_aesctr_sha1_esn \
-trs_aesctr_sha1_esn_atom"
+trs_aesctr_sha1_esn_atom \
+tun_3descbc_sha1 \
+tun_3descbc_sha1_old \
+tun_3descbc_sha1_esn \
+tun_3descbc_sha1_esn_atom \
+trs_3descbc_sha1 \
+trs_3descbc_sha1_old \
+trs_3descbc_sha1_esn \
+trs_3descbc_sha1_esn_atom"
 
 DIR=`dirname $0`
 
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..bb4cef6a9
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
@@ -0,0 +1,73 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#SP in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#SA out rules
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode transport
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..31f94492f
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..d7439ad15
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..e4283f3dd
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,66 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl proto esp mode transport reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl proto esp mode transport reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode transport replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..ffd945bac
--- /dev/null
+++ b/examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/trs_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
new file mode 100644
index 000000000..dd802d6be
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
@@ -0,0 +1,72 @@
+#! /bin/bash
+
+CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}
+
+#generate cfg file for ipsec-secgw
+config_secgw()
+{
+	cat <<EOF > ${SGW_CFG_FILE}
+#sp in IPv4 rules
+sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv4 rules
+sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
+sport 0:65535 dport 0:65535
+sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#sp in IPv6 rules
+sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SP out IPv6 rules
+sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
+sport 0:65535 dport 0:65535
+sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535
+
+#SA in rules
+sa in 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}
+
+sa in 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}
+
+#SA out rules
+sa out 7 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}
+
+sa out 9 cipher_algo 3des-cbc \
+cipher_key \
+de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+auth_algo sha1-hmac \
+auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}
+
+#Routing rules
+rt ipv4 dst ${REMOTE_IPV4}/32 port 0
+rt ipv4 dst ${LOCAL_IPV4}/32 port 1
+
+rt ipv6 dst ${REMOTE_IPV6}/128 port 0
+rt ipv6 dst ${LOCAL_IPV6}/128 port 1
+
+#neighbours
+neigh port 0 ${REMOTE_MAC}
+neigh port 1 ${LOCAL_MAC}
+EOF
+
+	cat ${SGW_CFG_FILE}
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
new file mode 100644
index 000000000..2bbe14292
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
new file mode 100644
index 000000000..1d8e36cbd
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_esn_defs.sh
+
+SGW_CMD_XPRM='-e -a -w 300'
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
new file mode 100644
index 000000000..98349c7bc
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
@@ -0,0 +1,70 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_common_defs.sh
+
+SGW_CMD_XPRM='-e -w 300'
+
+config_remote_xfrm()
+{
+	ssh ${REMOTE_HOST} ip xfrm policy flush
+	ssh ${REMOTE_HOST} ip xfrm state flush
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp mode tunnel reqid 1
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp mode tunnel reqid 2
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV4} dst ${LOCAL_IPV4} \
+proto esp spi 7 reqid 1 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV4} dst ${REMOTE_IPV4} \
+proto esp spi 7 reqid 2 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
+
+config6_remote_xfrm()
+{
+	config_remote_xfrm
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+dir out ptype main action allow \
+tmpl src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp mode tunnel reqid 3
+
+	ssh ${REMOTE_HOST} ip xfrm policy add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+dir in ptype main action allow \
+tmpl src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp mode tunnel reqid 4
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${REMOTE_IPV6} dst ${LOCAL_IPV6} \
+proto esp spi 9 reqid 3 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm state add \
+src ${LOCAL_IPV6} dst ${REMOTE_IPV6} \
+proto esp spi 9 reqid 4 mode tunnel replay-window 64 flag esn \
+auth sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
+enc "cbc\(des3_ede\)" 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
+
+	ssh ${REMOTE_HOST} ip xfrm policy list
+	ssh ${REMOTE_HOST} ip xfrm state list
+}
diff --git a/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
new file mode 100644
index 000000000..eaf248ad1
--- /dev/null
+++ b/examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
@@ -0,0 +1,5 @@
+#! /bin/bash
+
+. ${DIR}/tun_3descbc_sha1_defs.sh
+
+SGW_CMD_XPRM=
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 5/5] doc: update release note
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                           ` (4 preceding siblings ...)
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang
@ 2019-03-20 15:38         ` Fan Zhang
  2019-03-20 15:38           ` Fan Zhang
  2019-03-22 14:59         ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal
  6 siblings, 1 reply; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch updates the 19.05 release note with IPsec library
updates for the newly added AES-CTR and 3DES-CBC algorithm
support.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 doc/guides/rel_notes/release_19_05.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/guides/rel_notes/release_19_05.rst b/doc/guides/rel_notes/release_19_05.rst
index bbc5e5b61..4c12db7bb 100644
--- a/doc/guides/rel_notes/release_19_05.rst
+++ b/doc/guides/rel_notes/release_19_05.rst
@@ -91,6 +91,12 @@ New Features
 
   * Added promiscuous mode support.
 
+* **Updated the IPsec library.**
+
+  The IPsec library has been updated with AES-CTR and 3DES-CBC cipher algorithms
+  support. The ipsec-secgw sample application test scripts have also been updated
+  with these two algorithms' testing as well.
+
 
 Removed Items
 -------------
-- 
2.14.5

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [dpdk-dev] [PATCH v5 5/5] doc: update release note
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang
@ 2019-03-20 15:38           ` Fan Zhang
  0 siblings, 0 replies; 54+ messages in thread
From: Fan Zhang @ 2019-03-20 15:38 UTC (permalink / raw)
  To: dev; +Cc: akhil.goyal, roy.fan.zhang, konstantin.ananyev

This patch updates the 19.05 release note with IPsec library
updates for the newly added AES-CTR and 3DES-CBC algorithm
support.

Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 doc/guides/rel_notes/release_19_05.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/doc/guides/rel_notes/release_19_05.rst b/doc/guides/rel_notes/release_19_05.rst
index bbc5e5b61..4c12db7bb 100644
--- a/doc/guides/rel_notes/release_19_05.rst
+++ b/doc/guides/rel_notes/release_19_05.rst
@@ -91,6 +91,12 @@ New Features
 
   * Added promiscuous mode support.
 
+* **Updated the IPsec library.**
+
+  The IPsec library has been updated with AES-CTR and 3DES-CBC cipher algorithms
+  support. The ipsec-secgw sample application test scripts have also been updated
+  with these two algorithms' testing as well.
+
 
 Removed Items
 -------------
-- 
2.14.5


^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang
  2019-03-20 15:38           ` Fan Zhang
@ 2019-03-22 11:53           ` Akhil Goyal
  2019-03-22 11:53             ` Akhil Goyal
  2019-03-22 12:46             ` Ananyev, Konstantin
  1 sibling, 2 replies; 54+ messages in thread
From: Akhil Goyal @ 2019-03-22 11:53 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev

Hi Fan,

On 3/20/2019 9:08 PM, Fan Zhang wrote:
> This patch adds AES-CTR cipher algorithm support to ipsec
> library.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
>   lib/librte_ipsec/crypto.h |  17 ++++++
>   lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>   lib/librte_ipsec/sa.h     |  18 +++++++
>   3 files changed, 147 insertions(+), 21 deletions(-)
>
> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
> index b5f264831..4f551e39c 100644
> --- a/lib/librte_ipsec/crypto.h
> +++ b/lib/librte_ipsec/crypto.h
> @@ -11,6 +11,16 @@
>    * by ipsec library.
>    */
>   
> +/*
> + * AES-CTR counter block format.
> + */
> +
> +struct aesctr_cnt_blk {
> +	uint32_t nonce;
> +	uint64_t iv;
> +	uint32_t cnt;
> +} __attribute__((packed));
> +
In the v3 I gave a comment on this structure. It is not fixed.
I believe cnt should be before iv.

>    /*
>     * AES-GCM devices have some specific requirements for IV and AAD formats.
>     * Ideally that to be done by the driver itself.
> @@ -41,6 +51,13 @@ struct gcm_esph_iv {
>   	uint64_t iv;
>   } __attribute__((packed));
>   
> +static inline void
> +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
> +{
> +	ctr->nonce = nonce;
> +	ctr->iv = iv;
> +	ctr->cnt = rte_cpu_to_be_32(1);
> +}
>   
>   static inline void
>   aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index 5f55c2a4e..e34dd320a 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
>   static void
>   esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
>   {
> +	uint8_t algo_type;
> +
>   	sa->sqn.outb.raw = 1;
>   
>   	/* these params may differ with new algorithms support */
>   	sa->ctp.auth.offset = hlen;
>   	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
> -	if (sa->aad_len != 0) {
> +
> +	algo_type = sa->algo_type;
> +
> +	switch (algo_type) {
> +	case ALGO_TYPE_AES_GCM:
> +	case ALGO_TYPE_AES_CTR:
> +	case ALGO_TYPE_NULL:
>   		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
>   			sa->iv_len;
>   		sa->ctp.cipher.length = 0;
> -	} else {
> +		break;
> +	case ALGO_TYPE_AES_CBC:
>   		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
>   		sa->ctp.cipher.length = sa->iv_len;
> +		break;
>   	}
>   }
>   
> @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>   				RTE_IPSEC_SATP_MODE_MASK;
>   
>   	if (cxf->aead != NULL) {
> -		/* RFC 4106 */
> -		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
> +		switch (cxf->aead->algo) {
> +		case RTE_CRYPTO_AEAD_AES_GCM:
> +			/* RFC 4106 */
> +			sa->aad_len = sizeof(struct aead_gcm_aad);
> +			sa->icv_len = cxf->aead->digest_length;
> +			sa->iv_ofs = cxf->aead->iv.offset;
> +			sa->iv_len = sizeof(uint64_t);
> +			sa->pad_align = IPSEC_PAD_AES_GCM;
> +			sa->algo_type = ALGO_TYPE_AES_GCM;
> +			break;
> +		default:
>   			return -EINVAL;
> -		sa->aad_len = sizeof(struct aead_gcm_aad);
> -		sa->icv_len = cxf->aead->digest_length;
> -		sa->iv_ofs = cxf->aead->iv.offset;
> -		sa->iv_len = sizeof(uint64_t);
> -		sa->pad_align = IPSEC_PAD_AES_GCM;
> +		}
>   	} else {
>   		sa->icv_len = cxf->auth->digest_length;
>   		sa->iv_ofs = cxf->cipher->iv.offset;
>   		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
> -		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
> +
> +		switch (cxf->cipher->algo) {
> +		case RTE_CRYPTO_CIPHER_NULL:
>   			sa->pad_align = IPSEC_PAD_NULL;
>   			sa->iv_len = 0;
> -		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
> +			sa->algo_type = ALGO_TYPE_NULL;
> +			break;
> +
> +		case RTE_CRYPTO_CIPHER_AES_CBC:
>   			sa->pad_align = IPSEC_PAD_AES_CBC;
>   			sa->iv_len = IPSEC_MAX_IV_SIZE;
> -		} else
> +			sa->algo_type = ALGO_TYPE_AES_CBC;
> +			break;
> +
> +		case RTE_CRYPTO_CIPHER_AES_CTR:
> +			/* RFC 3686 */
> +			sa->pad_align = IPSEC_PAD_AES_CTR;
> +			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
> +			sa->algo_type = ALGO_TYPE_AES_CTR;
> +			break;
> +
> +		default:
>   			return -EINVAL;
> +		}
>   	}
>   
>   	sa->udata = prm->userdata;
> @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>   {
>   	struct rte_crypto_sym_op *sop;
>   	struct aead_gcm_iv *gcm;
> +	struct aesctr_cnt_blk *ctr;
> +	uint8_t algo_type = sa->algo_type;
>   
>   	/* fill sym op fields */
>   	sop = cop->sym;
>   
> -	/* AEAD (AES_GCM) case */
> -	if (sa->aad_len != 0) {
> +	switch (algo_type) {
> +	case ALGO_TYPE_AES_GCM:
> +		/* AEAD (AES_GCM) case */
>   		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
>   		sop->aead.data.length = sa->ctp.cipher.length + plen;
>   		sop->aead.digest.data = icv->va;
> @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>   		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
>   			sa->iv_ofs);
>   		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
> -	/* CRYPT+AUTH case */
> -	} else {
> +		break;
> +	case ALGO_TYPE_AES_CBC:
> +		/* Cipher-Auth (AES-CBC *) case */
> +		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> +		sop->cipher.data.length = sa->ctp.cipher.length + plen;
> +		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
> +		sop->auth.data.length = sa->ctp.auth.length + plen;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +		break;
> +	case ALGO_TYPE_AES_CTR:
> +		/* Cipher-Auth (AES-CTR *) case */
> +		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> +		sop->cipher.data.length = sa->ctp.cipher.length + plen;
> +		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
> +		sop->auth.data.length = sa->ctp.auth.length + plen;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +
> +		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
> +			sa->iv_ofs);
> +		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
> +		break;
> +	case ALGO_TYPE_NULL:
> +		/* NULL case */
>   		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
>   		sop->cipher.data.length = sa->ctp.cipher.length + plen;
>   		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
>   		sop->auth.data.length = sa->ctp.auth.length + plen;
>   		sop->auth.digest.data = icv->va;
>   		sop->auth.digest.phys_addr = icv->pa;
> +		break;
> +	default:
> +		break;
>   	}
>   }
>   
> @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
>   {
>   	uint32_t *psqh;
>   	struct aead_gcm_aad *aad;
> +	uint8_t algo_type = sa->algo_type;
>   
>   	/* insert SQN.hi between ESP trailer and ICV */
>   	if (sa->sqh_len != 0) {
> @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
>   	 * fill IV and AAD fields, if any (aad fields are placed after icv),
>   	 * right now we support only one AEAD algorithm: AES-GCM .
>   	 */
> -	if (sa->aad_len != 0) {
> +	if (algo_type == ALGO_TYPE_AES_GCM) {
>   		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
>   		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
>   	}
> @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   {
>   	struct rte_crypto_sym_op *sop;
>   	struct aead_gcm_iv *gcm;
> +	struct aesctr_cnt_blk *ctr;
>   	uint64_t *ivc, *ivp;
>   	uint32_t clen;
> +	uint8_t algo_type = sa->algo_type;
>   
>   	clen = plen - sa->ctp.cipher.length;
>   	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
> @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   	/* fill sym op fields */
>   	sop = cop->sym;
>   
> -	/* AEAD (AES_GCM) case */
> -	if (sa->aad_len != 0) {
> +	switch (algo_type) {
> +	case ALGO_TYPE_AES_GCM:
>   		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
>   		sop->aead.data.length = clen;
>   		sop->aead.digest.data = icv->va;
> @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
>   			pofs + sizeof(struct esp_hdr));
>   		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
> -	/* CRYPT+AUTH case */
> -	} else {
> +		break;
> +	case ALGO_TYPE_AES_CBC:
>   		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
>   		sop->cipher.data.length = clen;
>   		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
>   			pofs + sizeof(struct esp_hdr));
>   		copy_iv(ivc, ivp, sa->iv_len);
> +		break;
> +	case ALGO_TYPE_AES_CTR:
> +		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
> +		sop->cipher.data.length = clen;
> +		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> +		sop->auth.data.length = plen - sa->ctp.auth.length;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +
> +		/* copy iv from the input packet to the cop */
> +		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
> +			sa->iv_ofs);
> +		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
> +			pofs + sizeof(struct esp_hdr));
> +		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
> +		break;
> +	case ALGO_TYPE_NULL:
> +		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
> +		sop->cipher.data.length = clen;
> +		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> +		sop->auth.data.length = plen - sa->ctp.auth.length;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +		break;
> +
> +	default:
> +		return -EINVAL;
>   	}
> +
>   	return 0;
>   }
>   
> diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
> index 392e8fd7b..12c061ee6 100644
> --- a/lib/librte_ipsec/sa.h
> +++ b/lib/librte_ipsec/sa.h
> @@ -15,10 +15,17 @@
>   enum {
>   	IPSEC_PAD_DEFAULT = 4,
>   	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
> +	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
>   };
>   
> +/* iv sizes for different algorithms */
> +enum {
> +	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
> +	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
> +};
> +
>   /* these definitions probably has to be in rte_crypto_sym.h */
>   union sym_op_ofslen {
>   	uint64_t raw;
> @@ -47,7 +54,17 @@ struct replay_sqn {
>   	__extension__ uint64_t window[0];
>   };
>   
> +/*IPSEC SA supported algorithms */
> +enum sa_algo_type	{
> +	ALGO_TYPE_NULL = 0,
> +	ALGO_TYPE_AES_CBC,
> +	ALGO_TYPE_AES_CTR,
> +	ALGO_TYPE_AES_GCM,
> +	ALGO_TYPE_MAX
> +};
> +
>   struct rte_ipsec_sa {
> +
>   	uint64_t type;     /* type of given SA */
>   	uint64_t udata;    /* user defined */
>   	uint32_t size;     /* size of given sa object */
> @@ -65,6 +82,7 @@ struct rte_ipsec_sa {
>   		union sym_op_ofslen auth;
>   	} ctp;
>   	uint32_t salt;
> +	uint8_t algo_type;
>   	uint8_t proto;    /* next proto */
>   	uint8_t aad_len;
>   	uint8_t hdr_len;


^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-22 11:53           ` Akhil Goyal
@ 2019-03-22 11:53             ` Akhil Goyal
  2019-03-22 12:46             ` Ananyev, Konstantin
  1 sibling, 0 replies; 54+ messages in thread
From: Akhil Goyal @ 2019-03-22 11:53 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev

Hi Fan,

On 3/20/2019 9:08 PM, Fan Zhang wrote:
> This patch adds AES-CTR cipher algorithm support to ipsec
> library.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
>   lib/librte_ipsec/crypto.h |  17 ++++++
>   lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>   lib/librte_ipsec/sa.h     |  18 +++++++
>   3 files changed, 147 insertions(+), 21 deletions(-)
>
> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
> index b5f264831..4f551e39c 100644
> --- a/lib/librte_ipsec/crypto.h
> +++ b/lib/librte_ipsec/crypto.h
> @@ -11,6 +11,16 @@
>    * by ipsec library.
>    */
>   
> +/*
> + * AES-CTR counter block format.
> + */
> +
> +struct aesctr_cnt_blk {
> +	uint32_t nonce;
> +	uint64_t iv;
> +	uint32_t cnt;
> +} __attribute__((packed));
> +
In the v3 I gave a comment on this structure. It is not fixed.
I believe cnt should be before iv.

>    /*
>     * AES-GCM devices have some specific requirements for IV and AAD formats.
>     * Ideally that to be done by the driver itself.
> @@ -41,6 +51,13 @@ struct gcm_esph_iv {
>   	uint64_t iv;
>   } __attribute__((packed));
>   
> +static inline void
> +aes_ctr_cnt_blk_fill(struct aesctr_cnt_blk *ctr, uint64_t iv, uint32_t nonce)
> +{
> +	ctr->nonce = nonce;
> +	ctr->iv = iv;
> +	ctr->cnt = rte_cpu_to_be_32(1);
> +}
>   
>   static inline void
>   aead_gcm_iv_fill(struct aead_gcm_iv *gcm, uint64_t iv, uint32_t salt)
> diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
> index 5f55c2a4e..e34dd320a 100644
> --- a/lib/librte_ipsec/sa.c
> +++ b/lib/librte_ipsec/sa.c
> @@ -219,18 +219,28 @@ esp_inb_tun_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm)
>   static void
>   esp_outb_init(struct rte_ipsec_sa *sa, uint32_t hlen)
>   {
> +	uint8_t algo_type;
> +
>   	sa->sqn.outb.raw = 1;
>   
>   	/* these params may differ with new algorithms support */
>   	sa->ctp.auth.offset = hlen;
>   	sa->ctp.auth.length = sizeof(struct esp_hdr) + sa->iv_len + sa->sqh_len;
> -	if (sa->aad_len != 0) {
> +
> +	algo_type = sa->algo_type;
> +
> +	switch (algo_type) {
> +	case ALGO_TYPE_AES_GCM:
> +	case ALGO_TYPE_AES_CTR:
> +	case ALGO_TYPE_NULL:
>   		sa->ctp.cipher.offset = hlen + sizeof(struct esp_hdr) +
>   			sa->iv_len;
>   		sa->ctp.cipher.length = 0;
> -	} else {
> +		break;
> +	case ALGO_TYPE_AES_CBC:
>   		sa->ctp.cipher.offset = sa->hdr_len + sizeof(struct esp_hdr);
>   		sa->ctp.cipher.length = sa->iv_len;
> +		break;
>   	}
>   }
>   
> @@ -259,26 +269,47 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
>   				RTE_IPSEC_SATP_MODE_MASK;
>   
>   	if (cxf->aead != NULL) {
> -		/* RFC 4106 */
> -		if (cxf->aead->algo != RTE_CRYPTO_AEAD_AES_GCM)
> +		switch (cxf->aead->algo) {
> +		case RTE_CRYPTO_AEAD_AES_GCM:
> +			/* RFC 4106 */
> +			sa->aad_len = sizeof(struct aead_gcm_aad);
> +			sa->icv_len = cxf->aead->digest_length;
> +			sa->iv_ofs = cxf->aead->iv.offset;
> +			sa->iv_len = sizeof(uint64_t);
> +			sa->pad_align = IPSEC_PAD_AES_GCM;
> +			sa->algo_type = ALGO_TYPE_AES_GCM;
> +			break;
> +		default:
>   			return -EINVAL;
> -		sa->aad_len = sizeof(struct aead_gcm_aad);
> -		sa->icv_len = cxf->aead->digest_length;
> -		sa->iv_ofs = cxf->aead->iv.offset;
> -		sa->iv_len = sizeof(uint64_t);
> -		sa->pad_align = IPSEC_PAD_AES_GCM;
> +		}
>   	} else {
>   		sa->icv_len = cxf->auth->digest_length;
>   		sa->iv_ofs = cxf->cipher->iv.offset;
>   		sa->sqh_len = IS_ESN(sa) ? sizeof(uint32_t) : 0;
> -		if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_NULL) {
> +
> +		switch (cxf->cipher->algo) {
> +		case RTE_CRYPTO_CIPHER_NULL:
>   			sa->pad_align = IPSEC_PAD_NULL;
>   			sa->iv_len = 0;
> -		} else if (cxf->cipher->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
> +			sa->algo_type = ALGO_TYPE_NULL;
> +			break;
> +
> +		case RTE_CRYPTO_CIPHER_AES_CBC:
>   			sa->pad_align = IPSEC_PAD_AES_CBC;
>   			sa->iv_len = IPSEC_MAX_IV_SIZE;
> -		} else
> +			sa->algo_type = ALGO_TYPE_AES_CBC;
> +			break;
> +
> +		case RTE_CRYPTO_CIPHER_AES_CTR:
> +			/* RFC 3686 */
> +			sa->pad_align = IPSEC_PAD_AES_CTR;
> +			sa->iv_len = IPSEC_AES_CTR_IV_SIZE;
> +			sa->algo_type = ALGO_TYPE_AES_CTR;
> +			break;
> +
> +		default:
>   			return -EINVAL;
> +		}
>   	}
>   
>   	sa->udata = prm->userdata;
> @@ -438,12 +469,15 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>   {
>   	struct rte_crypto_sym_op *sop;
>   	struct aead_gcm_iv *gcm;
> +	struct aesctr_cnt_blk *ctr;
> +	uint8_t algo_type = sa->algo_type;
>   
>   	/* fill sym op fields */
>   	sop = cop->sym;
>   
> -	/* AEAD (AES_GCM) case */
> -	if (sa->aad_len != 0) {
> +	switch (algo_type) {
> +	case ALGO_TYPE_AES_GCM:
> +		/* AEAD (AES_GCM) case */
>   		sop->aead.data.offset = sa->ctp.cipher.offset + hlen;
>   		sop->aead.data.length = sa->ctp.cipher.length + plen;
>   		sop->aead.digest.data = icv->va;
> @@ -455,14 +489,40 @@ esp_outb_cop_prepare(struct rte_crypto_op *cop,
>   		gcm = rte_crypto_op_ctod_offset(cop, struct aead_gcm_iv *,
>   			sa->iv_ofs);
>   		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
> -	/* CRYPT+AUTH case */
> -	} else {
> +		break;
> +	case ALGO_TYPE_AES_CBC:
> +		/* Cipher-Auth (AES-CBC *) case */
> +		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> +		sop->cipher.data.length = sa->ctp.cipher.length + plen;
> +		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
> +		sop->auth.data.length = sa->ctp.auth.length + plen;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +		break;
> +	case ALGO_TYPE_AES_CTR:
> +		/* Cipher-Auth (AES-CTR *) case */
> +		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
> +		sop->cipher.data.length = sa->ctp.cipher.length + plen;
> +		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
> +		sop->auth.data.length = sa->ctp.auth.length + plen;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +
> +		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
> +			sa->iv_ofs);
> +		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
> +		break;
> +	case ALGO_TYPE_NULL:
> +		/* NULL case */
>   		sop->cipher.data.offset = sa->ctp.cipher.offset + hlen;
>   		sop->cipher.data.length = sa->ctp.cipher.length + plen;
>   		sop->auth.data.offset = sa->ctp.auth.offset + hlen;
>   		sop->auth.data.length = sa->ctp.auth.length + plen;
>   		sop->auth.digest.data = icv->va;
>   		sop->auth.digest.phys_addr = icv->pa;
> +		break;
> +	default:
> +		break;
>   	}
>   }
>   
> @@ -561,6 +621,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
>   {
>   	uint32_t *psqh;
>   	struct aead_gcm_aad *aad;
> +	uint8_t algo_type = sa->algo_type;
>   
>   	/* insert SQN.hi between ESP trailer and ICV */
>   	if (sa->sqh_len != 0) {
> @@ -572,7 +633,7 @@ outb_pkt_xprepare(const struct rte_ipsec_sa *sa, rte_be64_t sqc,
>   	 * fill IV and AAD fields, if any (aad fields are placed after icv),
>   	 * right now we support only one AEAD algorithm: AES-GCM .
>   	 */
> -	if (sa->aad_len != 0) {
> +	if (algo_type == ALGO_TYPE_AES_GCM) {
>   		aad = (struct aead_gcm_aad *)(icv->va + sa->icv_len);
>   		aead_gcm_aad_fill(aad, sa->spi, sqc, IS_ESN(sa));
>   	}
> @@ -783,8 +844,10 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   {
>   	struct rte_crypto_sym_op *sop;
>   	struct aead_gcm_iv *gcm;
> +	struct aesctr_cnt_blk *ctr;
>   	uint64_t *ivc, *ivp;
>   	uint32_t clen;
> +	uint8_t algo_type = sa->algo_type;
>   
>   	clen = plen - sa->ctp.cipher.length;
>   	if ((int32_t)clen < 0 || (clen & (sa->pad_align - 1)) != 0)
> @@ -793,8 +856,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   	/* fill sym op fields */
>   	sop = cop->sym;
>   
> -	/* AEAD (AES_GCM) case */
> -	if (sa->aad_len != 0) {
> +	switch (algo_type) {
> +	case ALGO_TYPE_AES_GCM:
>   		sop->aead.data.offset = pofs + sa->ctp.cipher.offset;
>   		sop->aead.data.length = clen;
>   		sop->aead.digest.data = icv->va;
> @@ -808,8 +871,8 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
>   			pofs + sizeof(struct esp_hdr));
>   		aead_gcm_iv_fill(gcm, ivp[0], sa->salt);
> -	/* CRYPT+AUTH case */
> -	} else {
> +		break;
> +	case ALGO_TYPE_AES_CBC:
>   		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
>   		sop->cipher.data.length = clen;
>   		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> @@ -822,7 +885,35 @@ esp_inb_tun_cop_prepare(struct rte_crypto_op *cop,
>   		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
>   			pofs + sizeof(struct esp_hdr));
>   		copy_iv(ivc, ivp, sa->iv_len);
> +		break;
> +	case ALGO_TYPE_AES_CTR:
> +		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
> +		sop->cipher.data.length = clen;
> +		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> +		sop->auth.data.length = plen - sa->ctp.auth.length;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +
> +		/* copy iv from the input packet to the cop */
> +		ctr = rte_crypto_op_ctod_offset(cop, struct aesctr_cnt_blk *,
> +			sa->iv_ofs);
> +		ivp = rte_pktmbuf_mtod_offset(mb, uint64_t *,
> +			pofs + sizeof(struct esp_hdr));
> +		aes_ctr_cnt_blk_fill(ctr, ivp[0], sa->salt);
> +		break;
> +	case ALGO_TYPE_NULL:
> +		sop->cipher.data.offset = pofs + sa->ctp.cipher.offset;
> +		sop->cipher.data.length = clen;
> +		sop->auth.data.offset = pofs + sa->ctp.auth.offset;
> +		sop->auth.data.length = plen - sa->ctp.auth.length;
> +		sop->auth.digest.data = icv->va;
> +		sop->auth.digest.phys_addr = icv->pa;
> +		break;
> +
> +	default:
> +		return -EINVAL;
>   	}
> +
>   	return 0;
>   }
>   
> diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
> index 392e8fd7b..12c061ee6 100644
> --- a/lib/librte_ipsec/sa.h
> +++ b/lib/librte_ipsec/sa.h
> @@ -15,10 +15,17 @@
>   enum {
>   	IPSEC_PAD_DEFAULT = 4,
>   	IPSEC_PAD_AES_CBC = IPSEC_MAX_IV_SIZE,
> +	IPSEC_PAD_AES_CTR = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_AES_GCM = IPSEC_PAD_DEFAULT,
>   	IPSEC_PAD_NULL = IPSEC_PAD_DEFAULT,
>   };
>   
> +/* iv sizes for different algorithms */
> +enum {
> +	IPSEC_IV_SIZE_DEFAULT = IPSEC_MAX_IV_SIZE,
> +	IPSEC_AES_CTR_IV_SIZE = sizeof(uint64_t),
> +};
> +
>   /* these definitions probably has to be in rte_crypto_sym.h */
>   union sym_op_ofslen {
>   	uint64_t raw;
> @@ -47,7 +54,17 @@ struct replay_sqn {
>   	__extension__ uint64_t window[0];
>   };
>   
> +/*IPSEC SA supported algorithms */
> +enum sa_algo_type	{
> +	ALGO_TYPE_NULL = 0,
> +	ALGO_TYPE_AES_CBC,
> +	ALGO_TYPE_AES_CTR,
> +	ALGO_TYPE_AES_GCM,
> +	ALGO_TYPE_MAX
> +};
> +
>   struct rte_ipsec_sa {
> +
>   	uint64_t type;     /* type of given SA */
>   	uint64_t udata;    /* user defined */
>   	uint32_t size;     /* size of given sa object */
> @@ -65,6 +82,7 @@ struct rte_ipsec_sa {
>   		union sym_op_ofslen auth;
>   	} ctp;
>   	uint32_t salt;
> +	uint8_t algo_type;
>   	uint8_t proto;    /* next proto */
>   	uint8_t aad_len;
>   	uint8_t hdr_len;


^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-22 11:53           ` Akhil Goyal
  2019-03-22 11:53             ` Akhil Goyal
@ 2019-03-22 12:46             ` Ananyev, Konstantin
  2019-03-22 12:46               ` Ananyev, Konstantin
  2019-03-22 13:01               ` Akhil Goyal
  1 sibling, 2 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-03-22 12:46 UTC (permalink / raw)
  To: Akhil Goyal, Zhang, Roy Fan, dev

Hi Akhil,

> 
> On 3/20/2019 9:08 PM, Fan Zhang wrote:
> > This patch adds AES-CTR cipher algorithm support to ipsec
> > library.
> >
> > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> > Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
> >   lib/librte_ipsec/crypto.h |  17 ++++++
> >   lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
> >   lib/librte_ipsec/sa.h     |  18 +++++++
> >   3 files changed, 147 insertions(+), 21 deletions(-)
> >
> > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
> > index b5f264831..4f551e39c 100644
> > --- a/lib/librte_ipsec/crypto.h
> > +++ b/lib/librte_ipsec/crypto.h
> > @@ -11,6 +11,16 @@
> >    * by ipsec library.
> >    */
> >
> > +/*
> > + * AES-CTR counter block format.
> > + */
> > +
> > +struct aesctr_cnt_blk {
> > +	uint32_t nonce;
> > +	uint64_t iv;
> > +	uint32_t cnt;
> > +} __attribute__((packed));
> > +
> In the v3 I gave a comment on this structure. It is not fixed.
> I believe cnt should be before iv.

Could you explain, what makes you think that way?
https://tools.ietf.org/html/rfc3686#section-4 
clearly stays that format of the counter block should be the following:
nonce; IV; counter.
Original ipsec-secgw app uses the same format:
struct cnt_blk {
        uint32_t salt;
        uint64_t iv;
        uint32_t cnt;
} __attribute__((packed));

So I believe format above is correct one.
Again this series introduces new test-case specially for CTR algo:
examples/ipsec-secgw/test/*ctr*.sh
and they do pass on both aesni_mb and QAT device.
Konstantin

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-22 12:46             ` Ananyev, Konstantin
@ 2019-03-22 12:46               ` Ananyev, Konstantin
  2019-03-22 13:01               ` Akhil Goyal
  1 sibling, 0 replies; 54+ messages in thread
From: Ananyev, Konstantin @ 2019-03-22 12:46 UTC (permalink / raw)
  To: Akhil Goyal, Zhang, Roy Fan, dev

Hi Akhil,

> 
> On 3/20/2019 9:08 PM, Fan Zhang wrote:
> > This patch adds AES-CTR cipher algorithm support to ipsec
> > library.
> >
> > Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> > Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
> > Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
> >   lib/librte_ipsec/crypto.h |  17 ++++++
> >   lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
> >   lib/librte_ipsec/sa.h     |  18 +++++++
> >   3 files changed, 147 insertions(+), 21 deletions(-)
> >
> > diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
> > index b5f264831..4f551e39c 100644
> > --- a/lib/librte_ipsec/crypto.h
> > +++ b/lib/librte_ipsec/crypto.h
> > @@ -11,6 +11,16 @@
> >    * by ipsec library.
> >    */
> >
> > +/*
> > + * AES-CTR counter block format.
> > + */
> > +
> > +struct aesctr_cnt_blk {
> > +	uint32_t nonce;
> > +	uint64_t iv;
> > +	uint32_t cnt;
> > +} __attribute__((packed));
> > +
> In the v3 I gave a comment on this structure. It is not fixed.
> I believe cnt should be before iv.

Could you explain, what makes you think that way?
https://tools.ietf.org/html/rfc3686#section-4 
clearly stays that format of the counter block should be the following:
nonce; IV; counter.
Original ipsec-secgw app uses the same format:
struct cnt_blk {
        uint32_t salt;
        uint64_t iv;
        uint32_t cnt;
} __attribute__((packed));

So I believe format above is correct one.
Again this series introduces new test-case specially for CTR algo:
examples/ipsec-secgw/test/*ctr*.sh
and they do pass on both aesni_mb and QAT device.
Konstantin

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-22 12:46             ` Ananyev, Konstantin
  2019-03-22 12:46               ` Ananyev, Konstantin
@ 2019-03-22 13:01               ` Akhil Goyal
  2019-03-22 13:01                 ` Akhil Goyal
  1 sibling, 1 reply; 54+ messages in thread
From: Akhil Goyal @ 2019-03-22 13:01 UTC (permalink / raw)
  To: Ananyev, Konstantin, Zhang, Roy Fan, dev

Hi Konstantin,

On 3/22/2019 6:16 PM, Ananyev, Konstantin wrote:
> Hi Akhil,
>
>> On 3/20/2019 9:08 PM, Fan Zhang wrote:
>>> This patch adds AES-CTR cipher algorithm support to ipsec
>>> library.
>>>
>>> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
>>> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
>>> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
>>> ---
>>>    lib/librte_ipsec/crypto.h |  17 ++++++
>>>    lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>>>    lib/librte_ipsec/sa.h     |  18 +++++++
>>>    3 files changed, 147 insertions(+), 21 deletions(-)
>>>
>>> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
>>> index b5f264831..4f551e39c 100644
>>> --- a/lib/librte_ipsec/crypto.h
>>> +++ b/lib/librte_ipsec/crypto.h
>>> @@ -11,6 +11,16 @@
>>>     * by ipsec library.
>>>     */
>>>
>>> +/*
>>> + * AES-CTR counter block format.
>>> + */
>>> +
>>> +struct aesctr_cnt_blk {
>>> +	uint32_t nonce;
>>> +	uint64_t iv;
>>> +	uint32_t cnt;
>>> +} __attribute__((packed));
>>> +
>> In the v3 I gave a comment on this structure. It is not fixed.
>> I believe cnt should be before iv.
> Could you explain, what makes you think that way?
> https://tools.ietf.org/html/rfc3686#section-4
> clearly stays that format of the counter block should be the following:
> nonce; IV; counter.
> Original ipsec-secgw app uses the same format:
> struct cnt_blk {
>          uint32_t salt;
>          uint64_t iv;
>          uint32_t cnt;
> } __attribute__((packed));
>
> So I believe format above is correct one.
> Again this series introduces new test-case specially for CTR algo:
> examples/ipsec-secgw/test/*ctr*.sh
> and they do pass on both aesni_mb and QAT device.
> Konstantin
Got it. Thanks for correcting me.


^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR
  2019-03-22 13:01               ` Akhil Goyal
@ 2019-03-22 13:01                 ` Akhil Goyal
  0 siblings, 0 replies; 54+ messages in thread
From: Akhil Goyal @ 2019-03-22 13:01 UTC (permalink / raw)
  To: Ananyev, Konstantin, Zhang, Roy Fan, dev

Hi Konstantin,

On 3/22/2019 6:16 PM, Ananyev, Konstantin wrote:
> Hi Akhil,
>
>> On 3/20/2019 9:08 PM, Fan Zhang wrote:
>>> This patch adds AES-CTR cipher algorithm support to ipsec
>>> library.
>>>
>>> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
>>> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
>>> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
>>> ---
>>>    lib/librte_ipsec/crypto.h |  17 ++++++
>>>    lib/librte_ipsec/sa.c     | 133 ++++++++++++++++++++++++++++++++++++++--------
>>>    lib/librte_ipsec/sa.h     |  18 +++++++
>>>    3 files changed, 147 insertions(+), 21 deletions(-)
>>>
>>> diff --git a/lib/librte_ipsec/crypto.h b/lib/librte_ipsec/crypto.h
>>> index b5f264831..4f551e39c 100644
>>> --- a/lib/librte_ipsec/crypto.h
>>> +++ b/lib/librte_ipsec/crypto.h
>>> @@ -11,6 +11,16 @@
>>>     * by ipsec library.
>>>     */
>>>
>>> +/*
>>> + * AES-CTR counter block format.
>>> + */
>>> +
>>> +struct aesctr_cnt_blk {
>>> +	uint32_t nonce;
>>> +	uint64_t iv;
>>> +	uint32_t cnt;
>>> +} __attribute__((packed));
>>> +
>> In the v3 I gave a comment on this structure. It is not fixed.
>> I believe cnt should be before iv.
> Could you explain, what makes you think that way?
> https://tools.ietf.org/html/rfc3686#section-4
> clearly stays that format of the counter block should be the following:
> nonce; IV; counter.
> Original ipsec-secgw app uses the same format:
> struct cnt_blk {
>          uint32_t salt;
>          uint64_t iv;
>          uint32_t cnt;
> } __attribute__((packed));
>
> So I believe format above is correct one.
> Again this series introduces new test-case specially for CTR algo:
> examples/ipsec-secgw/test/*ctr*.sh
> and they do pass on both aesni_mb and QAT device.
> Konstantin
Got it. Thanks for correcting me.


^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC
  2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
                           ` (5 preceding siblings ...)
  2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang
@ 2019-03-22 14:59         ` Akhil Goyal
  2019-03-22 14:59           ` Akhil Goyal
  6 siblings, 1 reply; 54+ messages in thread
From: Akhil Goyal @ 2019-03-22 14:59 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev



On 3/20/2019 9:08 PM, Fan Zhang wrote:
> This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
> support to ipsec library. The test scripts for ipsec-secgw
> sample application are added.
>
> v5:
> - updated ipsec-secgw run_test.sh script
> - updated release note
>
> v4:
> - changed patch titles.
> - changed ALGO_TYPE naming for 3DES-CBC
>
> v3:
> - fixed a bug in 3DES.
>
> v2:
> - removed unsupported tests.
>
> Fan Zhang (5):
>    ipsec: support AES-CTR
>    ipsec-secgw: add test scripts for aes ctr
>    ipsec: support 3DES-CBC
>    ipsec-secgw: add 3des test files
>    doc: update release note
>
>   doc/guides/rel_notes/release_19_05.rst             |   6 +
>   examples/ipsec-secgw/test/common_defs.sh           |   4 +-
>   examples/ipsec-secgw/test/run_test.sh              |  18 ++-
>   .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
>   examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
>   .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
>   .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
>   .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
>   .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
>   examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
>   .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
>   .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
>   .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
>   .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
>   examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
>   .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
>   .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
>   .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
>   .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
>   examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
>   .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
>   .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
>   .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
>   lib/librte_ipsec/crypto.h                          |  17 +++
>   lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
>   lib/librte_ipsec/sa.h                              |  24 ++++
>   26 files changed, 1050 insertions(+), 24 deletions(-)
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
>
series applied to dpdk-next-crypto

Thanks.

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC
  2019-03-22 14:59         ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal
@ 2019-03-22 14:59           ` Akhil Goyal
  0 siblings, 0 replies; 54+ messages in thread
From: Akhil Goyal @ 2019-03-22 14:59 UTC (permalink / raw)
  To: Fan Zhang, dev; +Cc: konstantin.ananyev



On 3/20/2019 9:08 PM, Fan Zhang wrote:
> This patchset adds the AES-CTR and 3DES-CBC cipher algorithms
> support to ipsec library. The test scripts for ipsec-secgw
> sample application are added.
>
> v5:
> - updated ipsec-secgw run_test.sh script
> - updated release note
>
> v4:
> - changed patch titles.
> - changed ALGO_TYPE naming for 3DES-CBC
>
> v3:
> - fixed a bug in 3DES.
>
> v2:
> - removed unsupported tests.
>
> Fan Zhang (5):
>    ipsec: support AES-CTR
>    ipsec-secgw: add test scripts for aes ctr
>    ipsec: support 3DES-CBC
>    ipsec-secgw: add 3des test files
>    doc: update release note
>
>   doc/guides/rel_notes/release_19_05.rst             |   6 +
>   examples/ipsec-secgw/test/common_defs.sh           |   4 +-
>   examples/ipsec-secgw/test/run_test.sh              |  18 ++-
>   .../test/trs_3descbc_sha1_common_defs.sh           |  73 +++++++++++
>   examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh |  67 ++++++++++
>   .../test/trs_3descbc_sha1_esn_atom_defs.sh         |   5 +
>   .../ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh  |  66 ++++++++++
>   .../ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh  |   5 +
>   .../test/trs_aesctr_sha1_common_defs.sh            |  69 +++++++++++
>   examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh  |  67 ++++++++++
>   .../test/trs_aesctr_sha1_esn_atom_defs.sh          |   5 +
>   .../ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh   |  66 ++++++++++
>   .../ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh   |   5 +
>   .../test/tun_3descbc_sha1_common_defs.sh           |  72 +++++++++++
>   examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh |  70 +++++++++++
>   .../test/tun_3descbc_sha1_esn_atom_defs.sh         |   5 +
>   .../ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh  |  70 +++++++++++
>   .../ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh  |   5 +
>   .../test/tun_aesctr_sha1_common_defs.sh            |  68 ++++++++++
>   examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh  |  70 +++++++++++
>   .../test/tun_aesctr_sha1_esn_atom_defs.sh          |   5 +
>   .../ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh   |  70 +++++++++++
>   .../ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh   |   5 +
>   lib/librte_ipsec/crypto.h                          |  17 +++
>   lib/librte_ipsec/sa.c                              | 137 +++++++++++++++++----
>   lib/librte_ipsec/sa.h                              |  24 ++++
>   26 files changed, 1050 insertions(+), 24 deletions(-)
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_3descbc_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/trs_aesctr_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_3descbc_sha1_old_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_common_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_atom_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_esn_defs.sh
>   create mode 100644 examples/ipsec-secgw/test/tun_aesctr_sha1_old_defs.sh
>
series applied to dpdk-next-crypto

Thanks.

^ permalink raw reply	[flat|nested] 54+ messages in thread

end of thread, other threads:[~2019-03-22 14:59 UTC | newest]

Thread overview: 54+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-18 16:32 [dpdk-dev] [PATCH 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
2019-02-18 16:32 ` [dpdk-dev] [PATCH 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
2019-02-18 16:32 ` [dpdk-dev] [PATCH 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
2019-02-18 16:32 ` [dpdk-dev] [PATCH 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
2019-02-18 16:32 ` [dpdk-dev] [PATCH 4/4] ipsec-secgw: add 3des test files Fan Zhang
2019-02-19 15:32 ` [dpdk-dev] [PATCH v2 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
2019-02-22 12:43     ` Ananyev, Konstantin
2019-03-19 14:32     ` Akhil Goyal
2019-03-19 14:32       ` Akhil Goyal
2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
2019-02-22 12:39     ` Ananyev, Konstantin
2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
2019-02-22 12:38     ` Ananyev, Konstantin
2019-03-19 14:46     ` Akhil Goyal
2019-03-19 14:46       ` Akhil Goyal
2019-02-19 15:32   ` [dpdk-dev] [PATCH v2 4/4] ipsec-secgw: add 3des test files Fan Zhang
2019-02-22 12:40     ` Ananyev, Konstantin
2019-02-25 12:07   ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Fan Zhang
2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 1/4] ipsec: add AES-CTR algorithm support Fan Zhang
2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 3/4] ipsec: add 3DES-CBC algorithm support Fan Zhang
2019-02-25 12:07     ` [dpdk-dev] [PATCH v3 4/4] ipsec-secgw: add 3des test files Fan Zhang
2019-03-04 16:38     ` [dpdk-dev] [PATCH v3 0/4] ipsec: add AES-CTR and 3DES-CBC support Ananyev, Konstantin
2019-03-20 13:51     ` [dpdk-dev] [PATCH v4 0/4] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
2019-03-20 13:51       ` Fan Zhang
2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 1/4] ipsec: support AES-CTR Fan Zhang
2019-03-20 13:51         ` Fan Zhang
2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 2/4] ipsec-secgw: add test scripts for aes ctr Fan Zhang
2019-03-20 13:51         ` Fan Zhang
2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 3/4] ipsec: support 3DES-CBC Fan Zhang
2019-03-20 13:51         ` Fan Zhang
2019-03-20 13:51       ` [dpdk-dev] [PATCH v4 4/4] ipsec-secgw: add 3des test files Fan Zhang
2019-03-20 13:51         ` Fan Zhang
2019-03-20 15:38       ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Fan Zhang
2019-03-20 15:38         ` Fan Zhang
2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 1/5] ipsec: support AES-CTR Fan Zhang
2019-03-20 15:38           ` Fan Zhang
2019-03-22 11:53           ` Akhil Goyal
2019-03-22 11:53             ` Akhil Goyal
2019-03-22 12:46             ` Ananyev, Konstantin
2019-03-22 12:46               ` Ananyev, Konstantin
2019-03-22 13:01               ` Akhil Goyal
2019-03-22 13:01                 ` Akhil Goyal
2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 2/5] ipsec-secgw: add test scripts for aes ctr Fan Zhang
2019-03-20 15:38           ` Fan Zhang
2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 3/5] ipsec: support 3DES-CBC Fan Zhang
2019-03-20 15:38           ` Fan Zhang
2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 4/5] ipsec-secgw: add 3des test files Fan Zhang
2019-03-20 15:38           ` Fan Zhang
2019-03-20 15:38         ` [dpdk-dev] [PATCH v5 5/5] doc: update release note Fan Zhang
2019-03-20 15:38           ` Fan Zhang
2019-03-22 14:59         ` [dpdk-dev] [PATCH v5 0/5] ipsec: support AES-CTR and 3DES-CBC Akhil Goyal
2019-03-22 14:59           ` Akhil Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).