#include <rte_byteorder.h>
#include <rte_errno.h>
#include <rte_ip.h>
+#include <rte_random.h>
#include "ipsec.h"
#include "esp.h"
enum rte_crypto_auth_algorithm algo;
uint16_t digest_len;
uint16_t key_len;
+ uint8_t aad_len;
+ uint8_t key_not_req;
};
const struct supported_cipher_algo cipher_algos[] = {
.iv_len = 16,
.block_size = 16,
.key_len = 16
+ },
+ {
+ .keyword = "aes-128-gcm",
+ .algo = RTE_CRYPTO_CIPHER_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 20
+ },
+ {
+ .keyword = "aes-128-ctr",
+ .algo = RTE_CRYPTO_CIPHER_AES_CTR,
+ .iv_len = 8,
+ .block_size = 16, /* XXX AESNI MB limition, should be 4 */
+ .key_len = 20
}
};
.keyword = "null",
.algo = RTE_CRYPTO_AUTH_NULL,
.digest_len = 0,
- .key_len = 0
+ .key_len = 0,
+ .key_not_req = 1
},
{
.keyword = "sha1-hmac",
.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
.digest_len = 12,
.key_len = 20
+ },
+ {
+ .keyword = "sha256-hmac",
+ .algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+ .digest_len = 12,
+ .key_len = 32
+ },
+ {
+ .keyword = "aes-128-gcm",
+ .algo = RTE_CRYPTO_AUTH_AES_GCM,
+ .digest_len = 16,
+ .aad_len = 8,
+ .key_not_req = 1
}
};
parse_key_string(const char *key_str, uint8_t *key)
{
const char *pt_start = key_str, *pt_end = key_str;
- char sub_str[3];
uint32_t nb_bytes = 0;
while (pt_end != NULL) {
+ char sub_str[3] = {0};
+
pt_end = strchr(pt_start, ':');
- if (pt_end == NULL)
- strncpy(sub_str, pt_start, strlen(pt_start));
- else {
+ if (pt_end == NULL) {
+ if (strlen(pt_start) > 2)
+ return 0;
+ strncpy(sub_str, pt_start, 2);
+ } else {
if (pt_end - pt_start > 2)
return 0;
rule->iv_len = algo->iv_len;
rule->cipher_key_len = algo->key_len;
- /* for NULL algorithm, no cipher key should
- * exist */
+ /* for NULL algorithm, no cipher key required */
if (rule->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
cipher_algo_p = 1;
continue;
if (status->status < 0)
return;
+ if (algo->algo == RTE_CRYPTO_CIPHER_AES_CBC)
+ rule->salt = (uint32_t)rte_rand();
+
+ if ((algo->algo == RTE_CRYPTO_CIPHER_AES_CTR) ||
+ (algo->algo == RTE_CRYPTO_CIPHER_AES_GCM)) {
+ key_len -= 4;
+ rule->cipher_key_len = key_len;
+ memcpy(&rule->salt,
+ &rule->cipher_key[key_len], 4);
+ }
+
cipher_algo_p = 1;
continue;
}
rule->auth_algo = algo->algo;
rule->auth_key_len = algo->key_len;
rule->digest_len = algo->digest_len;
+ rule->aad_len = algo->key_len;
- /* for NULL algorithm, no auth key should exist */
- if (rule->auth_algo == RTE_CRYPTO_AUTH_NULL) {
+ /* NULL algorithm and combined algos do not
+ * require auth key
+ */
+ if (algo->key_not_req) {
auth_algo_p = 1;
continue;
}
sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AUTH;
sa_ctx->xf[idx].a.auth.algo = sa->auth_algo;
- sa_ctx->xf[idx].a.auth.add_auth_data_length = 0;
+ sa_ctx->xf[idx].a.auth.add_auth_data_length =
+ sa->aad_len;
sa_ctx->xf[idx].a.auth.key.data = sa->auth_key;
sa_ctx->xf[idx].a.auth.key.length =
sa->auth_key_len;
sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_AUTH;
sa_ctx->xf[idx].b.auth.algo = sa->auth_algo;
- sa_ctx->xf[idx].b.auth.add_auth_data_length = 0;
+ sa_ctx->xf[idx].b.auth.add_auth_data_length =
+ sa->aad_len;
sa_ctx->xf[idx].b.auth.key.data = sa->auth_key;
sa_ctx->xf[idx].b.auth.key.length =
sa->auth_key_len;