From 501e9c226adf23c581cddb9cae6d6299811b9f8b Mon Sep 17 00:00:00 2001 From: Pablo de Lara Date: Sun, 2 Jul 2017 06:41:24 +0100 Subject: [PATCH] examples/ipsec-secgw: add AEAD parameters Since there is a new operation type (AEAD), add parameters for this in the application. Signed-off-by: Pablo de Lara Acked-by: Declan Doherty Acked-by: Akhil Goyal Acked-by: Fiona Trahe --- doc/guides/sample_app_ug/ipsec_secgw.rst | 34 ++++++- examples/ipsec-secgw/ipsec.h | 1 + examples/ipsec-secgw/sa.c | 118 +++++++++++++++++++++-- 3 files changed, 141 insertions(+), 12 deletions(-) diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 885c77e397..86556bd4fa 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -1,5 +1,5 @@ .. BSD LICENSE - Copyright(c) 2016 Intel Corporation. All rights reserved. + Copyright(c) 2016-2017 Intel Corporation. All rights reserved. All rights reserved. Redistribution and use in source and binary forms, with or without @@ -412,7 +412,7 @@ where each options means: * Cipher algorithm - * Optional: No + * Optional: Yes, unless is not used * Available options: @@ -427,7 +427,8 @@ where each options means: * Cipher key, NOT available when 'null' algorithm is used - * Optional: No, must followed by option + * Optional: Yes, unless is not used. + Must be followed by option * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. The number of bytes should be as same as the specified cipher algorithm @@ -440,7 +441,7 @@ where each options means: * Authentication algorithm - * Optional: No + * Optional: Yes, unless is not used * Available options: 
@@ -453,7 +454,8 @@ where each options means: * Authentication key, NOT available when 'null' or 'aes-128-gcm' algorithm is used. - * Optional: No, must followed by option + * Optional: Yes, unless is not used. + Must be followed by option * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. The number of bytes should be as same as the specified authentication @@ -462,6 +464,28 @@ where each options means: For example: *auth_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4: A1:B2:C3:D4* +```` + + * AEAD algorithm + + * Optional: Yes, unless and are not used + + * Syntax: *cipher_algo * + +```` + + * Cipher key, NOT available when 'null' algorithm is used + + * Optional: Yes, unless and are not used. + Must be followed by option + + * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. + The number of bytes should be as same as the specified AEAD algorithm + key size. + + For example: *aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4: + A1:B2:C3:D4* + ```` * The operation mode diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 97d67d0251..0ef68ed1c8 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -103,6 +103,7 @@ struct ipsec_sa { struct rte_cryptodev_sym_session *crypto_session; enum rte_crypto_cipher_algorithm cipher_algo; enum rte_crypto_auth_algorithm auth_algo; + enum rte_crypto_aead_algorithm aead_algo; uint16_t digest_len; uint16_t iv_len; uint16_t block_size; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 85e4d4e6a3..1e071e6ca3 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -1,7 +1,7 @@ /*- * BSD LICENSE * - * Copyright(c) 2016 Intel Corporation. All rights reserved. + * Copyright(c) 2016-2017 Intel Corporation. All rights reserved. * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -68,6 +68,17 @@ struct supported_auth_algo { uint8_t key_not_req; }; +struct supported_aead_algo { + const char *keyword; + enum rte_crypto_aead_algorithm algo; + uint16_t iv_len; + uint16_t block_size; + uint16_t digest_len; + uint16_t key_len; + uint8_t aad_len; +}; + + const struct supported_cipher_algo cipher_algos[] = { { .keyword = "null", @@ -128,6 +139,8 @@ const struct supported_auth_algo auth_algos[] = { } }; +const struct supported_aead_algo aead_algos[] = { { } }; + struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; uint32_t nb_sa_out; @@ -166,6 +179,22 @@ find_match_auth_algo(const char *auth_keyword) return NULL; } +static const struct supported_aead_algo * +find_match_aead_algo(const char *aead_keyword) +{ + size_t i; + + for (i = 0; i < RTE_DIM(aead_algos); i++) { + const struct supported_aead_algo *algo = + &aead_algos[i]; + + if (strcmp(aead_keyword, algo->keyword) == 0) + return algo; + } + + return NULL; +} + /** parse_key_string * parse x:x:x:x.... hex number key string into uint8_t *key * return: @@ -210,6 +239,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri /*rule index*/; uint32_t cipher_algo_p = 0; uint32_t auth_algo_p = 0; + uint32_t aead_algo_p = 0; uint32_t src_p = 0; uint32_t dst_p = 0; uint32_t mode_p = 0; 
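Review bot: The placeholder initializer `aead_algos[] = { { } }` in the @@ -128 hunk leaves one table entry whose `keyword` is NULL, and the new `find_match_aead_algo()` in the @@ -166 hunk passes that pointer straight to `strcmp()`, so an SA rule that uses `aead_algo` reaches a NULL dereference while the configuration is parsed. The same entry has `algo` equal to 0, so the loop added to `print_one_sa_rule()` in the @@ -514 hunk will match it for any SA whose `aead_algo` is still zero (presumably every non-AEAD rule) and hand a NULL `keyword` to `printf("%s ")`. Until real AEAD entries exist, guard both loops, e.g. `if (algo->keyword != NULL && strcmp(aead_keyword, algo->keyword) == 0)` in the lookup and `if (aead_algos[i].keyword != NULL && aead_algos[i].algo == sa->aead_algo)` in the printer. A short comment on `struct supported_aead_algo` saying that `key_len` includes the 4-byte salt would also help, since the parser relies on that.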
@@ -386,6 +416,61 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, continue; } + if (strcmp(tokens[ti], "aead_algo") == 0) { + const struct supported_aead_algo *algo; + uint32_t key_len; + + APP_CHECK_PRESENCE(aead_algo_p, tokens[ti], + status); + if (status->status < 0) + return; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + algo = find_match_aead_algo(tokens[ti]); + + APP_CHECK(algo != NULL, status, "unrecognized " + "input \"%s\"", tokens[ti]); + + rule->aead_algo = algo->algo; + rule->cipher_key_len = algo->key_len; + rule->digest_len = algo->digest_len; + rule->aad_len = algo->key_len; + rule->block_size = algo->block_size; + rule->iv_len = algo->iv_len; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + APP_CHECK(strcmp(tokens[ti], "aead_key") == 0, + status, "unrecognized input \"%s\", " + "expect \"aead_key\"", tokens[ti]); + if (status->status < 0) + return; + + INCREMENT_TOKEN_INDEX(ti, n_tokens, status); + if (status->status < 0) + return; + + key_len = parse_key_string(tokens[ti], + rule->cipher_key); + APP_CHECK(key_len == rule->cipher_key_len, status, + "unrecognized input \"%s\"", tokens[ti]); + if (status->status < 0) + return; + + key_len -= 4; + rule->cipher_key_len = key_len; + memcpy(&rule->salt, + &rule->cipher_key[key_len], 4); + + aead_algo_p = 1; + continue; + } + if (strcmp(tokens[ti], "src") == 0) { APP_CHECK_PRESENCE(src_p, tokens[ti], status); if (status->status < 0) 
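Review bot: In the `aead_algo` branch, `APP_CHECK(algo != NULL, ...)` is the only check not followed by `if (status->status < 0) return;`, so an unrecognised algorithm name appears to fall through to `rule->aead_algo = algo->algo` with `algo == NULL` (this assumes APP_CHECK only records the failure, as the explicit returns after every other use suggest). Add the same two-line return directly after that check. `rule->aad_len = algo->key_len;` looks like a copy-paste slip, since `struct supported_aead_algo` carries its own `aad_len`; `rule->aad_len = algo->aad_len;` is probably what was meant. The key-length failure message formats `tokens[ti]`, which at that point is the key material itself, so a mistyped key ends up in the parse message; a fixed string such as `"invalid aead_key length"` avoids exposing it. `key_len -= 4` would also wrap if a table entry ever declares `key_len` below 4, so a named salt-length constant with a `key_len >= 4` check is worth adding; the body of parse_sa_tokens continues outside the hunk.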
@@ -477,13 +562,25 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; } - APP_CHECK(cipher_algo_p == 1, status, "missing cipher options"); - if (status->status < 0) - return; + if (aead_algo_p) { + APP_CHECK(cipher_algo_p == 0, status, + "AEAD used, no need for cipher options"); + if (status->status < 0) + return; - APP_CHECK(auth_algo_p == 1, status, "missing auth options"); - if (status->status < 0) - return; + APP_CHECK(auth_algo_p == 0, status, + "AEAD used, no need for auth options"); + if (status->status < 0) + return; + } else { + APP_CHECK(cipher_algo_p == 1, status, "missing cipher or AEAD options"); + if (status->status < 0) + return; + + APP_CHECK(auth_algo_p == 1, status, "missing auth or AEAD options"); + if (status->status < 0) + return; + } APP_CHECK(mode_p == 1, status, "missing mode option"); if (status->status < 0) @@ -514,6 +611,13 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } } + for (i = 0; i < RTE_DIM(aead_algos); i++) { + if (aead_algos[i].algo == sa->aead_algo) { + printf("%s ", aead_algos[i].keyword); + break; + } + } + printf("mode:"); switch (sa->flags) { -- 2.20.1