From: Gagandeep Singh Date: Fri, 20 May 2022 04:20:59 +0000 (+0530) Subject: examples/ipsec-secgw: support XCBC-MAC/DES-CBC X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=923b5f27656627248979bd15b5aa07eff4932f85;p=dpdk.git examples/ipsec-secgw: support XCBC-MAC/DES-CBC ipsec-secgw application is updated to support DES-CBC ciphering and XCBC-MAC authentication based IPsec functionality. Signed-off-by: Gagandeep Singh Acked-by: Akhil Goyal --- diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index d93acf0667..5cb6a69a27 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -115,8 +115,9 @@ Constraints * No IPv6 options headers. * No AH mode. -* Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1, - AES-GMAC, AES_CTR, AES_XCBC_MAC, AES_CCM, CHACHA20_POLY1305 and NULL. +* Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, DES-CBC, + HMAC-SHA1, AES-GMAC, AES_CTR, AES_XCBC_MAC, AES_CCM, CHACHA20_POLY1305 + and NULL. * Each SA must be handle by a unique lcore (*1 RX queue per port*). Compiling the Application @@ -566,6 +567,7 @@ where each options means: * *aes-256-cbc*: AES-CBC 256-bit algorithm * *aes-128-ctr*: AES-CTR 128-bit algorithm * *3des-cbc*: 3DES-CBC 192-bit algorithm + * *des-cbc*: DES-CBC 64-bit algorithm * Syntax: *cipher_algo * @@ -593,6 +595,7 @@ where each options means: * *null*: NULL algorithm * *sha1-hmac*: HMAC SHA1 algorithm + * *aes-xcbc-mac*: AES XCBC MAC algorithm ```` diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index bd233752c8..b72a5604c8 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -100,6 +100,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, switch (sa->cipher_algo) { case RTE_CRYPTO_CIPHER_NULL: + case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: /* Copy IV at the end of crypto operation */ @@ -121,6 +122,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_AUTH_NULL: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: sym_cop->auth.data.offset = ip_hdr_len; sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) + sa->iv_len + payload_len; @@ -336,6 +338,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } else { switch (sa->cipher_algo) { case RTE_CRYPTO_CIPHER_NULL: + case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: memset(iv, 0, sa->iv_len); @@ -399,6 +402,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, } else { switch (sa->cipher_algo) { case RTE_CRYPTO_CIPHER_NULL: + case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: sym_cop->cipher.data.offset = ip_hdr_len + @@ -431,6 +435,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_AUTH_NULL: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_AES_XCBC_MAC: sym_cop->auth.data.offset = ip_hdr_len; sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) + sa->iv_len + pad_payload_len; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 3b0bc5a2cf..0b27f11fc0 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -119,6 +119,13 @@ const struct supported_cipher_algo cipher_algos[] = { .iv_len = 8, .block_size = 8, .key_len = 24 + }, + { + .keyword = "des-cbc", + .algo = RTE_CRYPTO_CIPHER_DES_CBC, + .iv_len = 8, + .block_size = 8, + .key_len = 8 } }; @@ -1311,6 +1318,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], } else { switch (sa->cipher_algo) { case RTE_CRYPTO_CIPHER_NULL: + case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: case RTE_CRYPTO_CIPHER_AES_CTR: