From a8af994b41ffb982d2940bbd8bef89dd345cdbb6 Mon Sep 17 00:00:00 2001 From: Anoob Joseph Date: Tue, 7 Apr 2020 12:00:42 +0530 Subject: [PATCH] examples/ipsec-secgw: support 192/256 AES key sizes Adding support for the following, 1. AES-192-GCM 2. AES-256-GCM 3. AES-192-CBC Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal --- doc/guides/rel_notes/release_20_05.rst | 16 +++++++++----- doc/guides/sample_app_ug/ipsec_secgw.rst | 10 ++++++--- examples/ipsec-secgw/ipsec.h | 2 +- examples/ipsec-secgw/sa.c | 28 +++++++++++++++++++++++- 4 files changed, 45 insertions(+), 11 deletions(-) diff --git a/doc/guides/rel_notes/release_20_05.rst b/doc/guides/rel_notes/release_20_05.rst index 709372e5e5..31bf9ac59d 100644 --- a/doc/guides/rel_notes/release_20_05.rst +++ b/doc/guides/rel_notes/release_20_05.rst @@ -89,13 +89,17 @@ New Features Supported large size code blocks which does not fit in one mbuf segment. -* **Added event mode to ipsec-secgw application.** +* **Updated ipsec-secgw sample application with following features.** - Updated ipsec-secgw application to add event based packet processing. The worker - thread(s) would receive events and submit them back to the event device after - the processing. This way, multicore scaling and HW assisted scheduling is achieved - by making use of the event device capabilities. The event mode currently supports - only inline IPsec protocol offload. + * Updated ipsec-secgw application to add event based packet processing. + The worker thread(s) would receive events and submit them back to the + event device after the processing. This way, multicore scaling and HW + assisted scheduling is achieved by making use of the event device + capabilities. The event mode currently supports only inline IPsec + protocol offload. + + * Updated ipsec-secgw application to support key sizes for AES-192-CBC, + AES-192-GCM, AES-256-GCM algorithms. Removed Items diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 038f593f4c..dea3ae4e78 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -538,6 +538,7 @@ where each options means: * *null*: NULL algorithm * *aes-128-cbc*: AES-CBC 128-bit algorithm + * *aes-192-cbc*: AES-CBC 192-bit algorithm * *aes-256-cbc*: AES-CBC 256-bit algorithm * *aes-128-ctr*: AES-CTR 128-bit algorithm * *3des-cbc*: 3DES-CBC 192-bit algorithm @@ -593,6 +594,8 @@ where each options means: * Available options: * *aes-128-gcm*: AES-GCM 128-bit algorithm + * *aes-192-gcm*: AES-GCM 192-bit algorithm + * *aes-256-gcm*: AES-GCM 256-bit algorithm * Syntax: *cipher_algo * @@ -604,11 +607,12 @@ where each options means: Must be followed by option * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'. - The number of bytes should be as same as the specified AEAD algorithm - key size. + Last 4 bytes of the provided key will be used as 'salt' and so, the + number of bytes should be same as the sum of specified AEAD algorithm + key size and salt size (4 bytes). For example: *aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4: - A1:B2:C3:D4* + A1:B2:C3:D4:A1:B2:C3:D4* ```` diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 1f264c08fc..2fc60ff3f9 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -72,7 +72,7 @@ struct ip_addr { } ip; }; -#define MAX_KEY_SIZE 32 +#define MAX_KEY_SIZE 36 /* * application wide SA parameters diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index a6bf5e8b13..5e3a7aaf7f 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -76,6 +76,13 @@ const struct supported_cipher_algo cipher_algos[] = { .block_size = 16, .key_len = 16 }, + { + .keyword = "aes-192-cbc", + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .iv_len = 16, + .block_size = 16, + .key_len = 24 + }, { .keyword = "aes-256-cbc", .algo = RTE_CRYPTO_CIPHER_AES_CBC, @@ -130,6 +137,24 @@ const struct supported_aead_algo aead_algos[] = { .key_len = 20, .digest_len = 16, .aad_len = 8, + }, + { + .keyword = "aes-192-gcm", + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .iv_len = 8, + .block_size = 4, + .key_len = 28, + .digest_len = 16, + .aad_len = 8, + }, + { + .keyword = "aes-256-gcm", + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .iv_len = 8, + .block_size = 4, + .key_len = 36, + .digest_len = 16, + .aad_len = 8, } }; @@ -753,7 +778,8 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } for (i = 0; i < RTE_DIM(aead_algos); i++) { - if (aead_algos[i].algo == sa->aead_algo) { + if (aead_algos[i].algo == sa->aead_algo && + aead_algos[i].key_len-4 == sa->cipher_key_len) { printf("%s ", aead_algos[i].keyword); break; } -- 2.20.1