All of lore.kernel.org
 help / color / mirror / Atom feed
From: Radu Nicolau <radu.nicolau@intel.com>
To: Radu Nicolau <radu.nicolau@intel.com>, Akhil Goyal <gakhil@marvell.com>
Cc: dev@dpdk.org, declan.doherty@intel.com, hemant.agrawal@oss.nxp.com
Subject: [dpdk-dev] [PATCH v5 7/7] examples/ipsec-secgw: add support for additional algorithms
Date: Wed, 27 Oct 2021 12:45:30 +0100	[thread overview]
Message-ID: <20211027114530.2244661-8-radu.nicolau@intel.com> (raw)
In-Reply-To: <20211027114530.2244661-1-radu.nicolau@intel.com>

Add support for AES-GMAC, AES_CTR, AES_XCBC_MAC,
AES_CCM, CHACHA20_POLY1305

Signed-off-by: Declan Doherty <declan.doherty@intel.com>
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
---
 doc/guides/rel_notes/release_21_11.rst   |   2 +
 doc/guides/sample_app_ug/ipsec_secgw.rst |   3 +-
 examples/ipsec-secgw/ipsec.h             |   3 +-
 examples/ipsec-secgw/sa.c                | 122 +++++++++++++++++++++--
 4 files changed, 119 insertions(+), 11 deletions(-)

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 0a0bf05568..1d656b8e2b 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -308,6 +308,8 @@ New Features
 * **IPsec Security Gateway sample application new features.**
 
   * Added support for telemetry
+  * Added support for more AEAD algorithms: AES-GMAC, AES_CTR, AES_XCBC_MAC,
+    AES_CCM, CHACHA20_POLY1305
 
 
 Removed Items
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 02846ac160..edd3d439f5 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -106,7 +106,8 @@ Constraints
 
 *  No IPv6 options headers.
 *  No AH mode.
-*  Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1 and NULL.
+*  Supported algorithms: AES-CBC, AES-CTR, AES-GCM, 3DES-CBC, HMAC-SHA1,
+   AES-GMAC, AES_CTR, AES_XCBC_MAC, AES_CCM, CHACHA20_POLY1305 and NULL.
 *  Each SA must be handle by a unique lcore (*1 RX queue per port*).
 
 Compiling the Application
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index b037d5179f..0dfb0d6acb 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -63,8 +63,7 @@ struct ip_addr {
 	} ip;
 };
 
-#define MAX_KEY_SIZE		36
-
+#define MAX_KEY_SIZE		64
 /*
  * application wide SA parameters
  */
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 8725001fc7..44c18badbb 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -46,6 +46,7 @@ struct supported_cipher_algo {
 struct supported_auth_algo {
 	const char *keyword;
 	enum rte_crypto_auth_algorithm algo;
+	uint16_t iv_len;
 	uint16_t digest_len;
 	uint16_t key_len;
 	uint8_t key_not_req;
@@ -98,6 +99,20 @@ const struct supported_cipher_algo cipher_algos[] = {
 		.block_size = 4,
 		.key_len = 20
 	},
+	{
+		.keyword = "aes-192-ctr",
+		.algo = RTE_CRYPTO_CIPHER_AES_CTR,
+		.iv_len = 16,
+		.block_size = 16,
+		.key_len = 28
+	},
+	{
+		.keyword = "aes-256-ctr",
+		.algo = RTE_CRYPTO_CIPHER_AES_CTR,
+		.iv_len = 16,
+		.block_size = 16,
+		.key_len = 36
+	},
 	{
 		.keyword = "3des-cbc",
 		.algo = RTE_CRYPTO_CIPHER_3DES_CBC,
@@ -126,6 +141,31 @@ const struct supported_auth_algo auth_algos[] = {
 		.algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
 		.digest_len = 16,
 		.key_len = 32
+	},
+	{
+		.keyword = "sha384-hmac",
+		.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+		.digest_len = 24,
+		.key_len = 48
+	},
+	{
+		.keyword = "sha512-hmac",
+		.algo = RTE_CRYPTO_AUTH_SHA512_HMAC,
+		.digest_len = 32,
+		.key_len = 64
+	},
+	{
+		.keyword = "aes-gmac",
+		.algo = RTE_CRYPTO_AUTH_AES_GMAC,
+		.iv_len = 8,
+		.digest_len = 16,
+		.key_len = 20
+	},
+	{
+		.keyword = "aes-xcbc-mac-96",
+		.algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+		.digest_len = 12,
+		.key_len = 16
 	}
 };
 
@@ -156,6 +196,42 @@ const struct supported_aead_algo aead_algos[] = {
 		.key_len = 36,
 		.digest_len = 16,
 		.aad_len = 8,
+	},
+	{
+		.keyword = "aes-128-ccm",
+		.algo = RTE_CRYPTO_AEAD_AES_CCM,
+		.iv_len = 8,
+		.block_size = 4,
+		.key_len = 20,
+		.digest_len = 16,
+		.aad_len = 8,
+	},
+	{
+		.keyword = "aes-192-ccm",
+		.algo = RTE_CRYPTO_AEAD_AES_CCM,
+		.iv_len = 8,
+		.block_size = 4,
+		.key_len = 28,
+		.digest_len = 16,
+		.aad_len = 8,
+	},
+	{
+		.keyword = "aes-256-ccm",
+		.algo = RTE_CRYPTO_AEAD_AES_CCM,
+		.iv_len = 8,
+		.block_size = 4,
+		.key_len = 36,
+		.digest_len = 16,
+		.aad_len = 8,
+	},
+	{
+		.keyword = "chacha20-poly1305",
+		.algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+		.iv_len = 12,
+		.block_size = 64,
+		.key_len = 36,
+		.digest_len = 16,
+		.aad_len = 8,
 	}
 };
 
@@ -484,6 +560,14 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 			if (status->status < 0)
 				return;
 
+			if (algo->algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+				key_len -= 4;
+				rule->auth_key_len = key_len;
+				rule->iv_len = algo->iv_len;
+				memcpy(&rule->salt,
+					&rule->auth_key[key_len], 4);
+			}
+
 			auth_algo_p = 1;
 			continue;
 		}
@@ -1171,8 +1255,15 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 			break;
 		}
 
-		if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
-			iv_length = 12;
+
+		if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM ||
+			sa->aead_algo == RTE_CRYPTO_AEAD_AES_CCM ||
+			sa->aead_algo == RTE_CRYPTO_AEAD_CHACHA20_POLY1305) {
+
+			if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_CCM)
+				iv_length = 11;
+			else
+				iv_length = 12;
 
 			sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
 			sa_ctx->xf[idx].a.aead.algo = sa->aead_algo;
@@ -1196,10 +1287,8 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 			case RTE_CRYPTO_CIPHER_NULL:
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 			case RTE_CRYPTO_CIPHER_AES_CBC:
-				iv_length = sa->iv_len;
-				break;
 			case RTE_CRYPTO_CIPHER_AES_CTR:
-				iv_length = 16;
+				iv_length = sa->iv_len;
 				break;
 			default:
 				RTE_LOG(ERR, IPSEC_ESP,
@@ -1208,6 +1297,10 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 				return -EINVAL;
 			}
 
+			/* AES_GMAC uses salt like AEAD algorithms */
+			if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GMAC)
+					iv_length = 12;
+
 			if (inbound) {
 				sa_ctx->xf[idx].b.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 				sa_ctx->xf[idx].b.cipher.algo = sa->cipher_algo;
@@ -1229,6 +1322,9 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 					sa->digest_len;
 				sa_ctx->xf[idx].a.auth.op =
 					RTE_CRYPTO_AUTH_OP_VERIFY;
+				sa_ctx->xf[idx].a.auth.iv.offset = IV_OFFSET;
+				sa_ctx->xf[idx].a.auth.iv.length = iv_length;
+
 			} else { /* outbound */
 				sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 				sa_ctx->xf[idx].a.cipher.algo = sa->cipher_algo;
@@ -1250,11 +1346,21 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 					sa->digest_len;
 				sa_ctx->xf[idx].b.auth.op =
 					RTE_CRYPTO_AUTH_OP_GENERATE;
+				sa_ctx->xf[idx].b.auth.iv.offset = IV_OFFSET;
+				sa_ctx->xf[idx].b.auth.iv.length = iv_length;
+
 			}
 
-			sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
-			sa_ctx->xf[idx].b.next = NULL;
-			sa->xforms = &sa_ctx->xf[idx].a;
+			if (sa->auth_algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+				sa->xforms = inbound ?
+					&sa_ctx->xf[idx].a : &sa_ctx->xf[idx].b;
+				sa->xforms->next = NULL;
+
+			} else {
+				sa_ctx->xf[idx].a.next = &sa_ctx->xf[idx].b;
+				sa_ctx->xf[idx].b.next = NULL;
+				sa->xforms = &sa_ctx->xf[idx].a;
+			}
 		}
 
 		if (ips->type ==
-- 
2.25.1


  parent reply	other threads:[~2021-10-27 12:00 UTC|newest]

Thread overview: 82+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-03 11:22 [dpdk-dev] [PATCH 0/7] IPsec Sec GW new features Radu Nicolau
2021-09-03 11:22 ` [dpdk-dev] [PATCH 1/7] examples/ipsec-secgw: add ol_flags support Radu Nicolau
2021-09-08 12:48   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-09  8:57     ` Nicolau, Radu
2021-09-03 11:22 ` [dpdk-dev] [PATCH 2/7] examples/ipsec-secgw: add support for NAT-T Radu Nicolau
2021-09-08 10:36   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-03 11:22 ` [dpdk-dev] [PATCH 3/7] examples/ipsec-secgw: add support for TSO Radu Nicolau
2021-09-08 12:54   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-03 11:22 ` [dpdk-dev] [PATCH 4/7] examples/ipsec-secgw: enable stats by default Radu Nicolau
2021-09-03 12:50   ` Zhang, Roy Fan
2021-09-08 13:08   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-08 16:05     ` Hemant Agrawal
2021-09-03 11:22 ` [dpdk-dev] [PATCH 5/7] examples/ipsec-secgw: add support for telemetry Radu Nicolau
2021-09-08 14:09   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-03 11:22 ` [dpdk-dev] [PATCH 6/7] examples/ipsec-secgw: add support for defining initial sequence number value Radu Nicolau
2021-09-08 14:11   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-03 11:22 ` [dpdk-dev] [PATCH 7/7] examples/ipsec-secgw: add ethdev reset callback Radu Nicolau
2021-09-08 14:24   ` [dpdk-dev] [EXT] " Akhil Goyal
2021-09-15 13:45 ` [dpdk-dev] [PATCH v2 0/9] IPsec Sec GW new features Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 1/9] examples/ipsec-secgw: update create inline session Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 2/9] examples/ipsec-secgw: update SA parameters with L3 options Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 3/9] examples/ipsec-secgw: add support for telemetry Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 4/9] examples/ipsec-secgw: add stats interval argument Radu Nicolau
2021-09-16  9:13     ` Hemant Agrawal
2021-09-16  9:30     ` [dpdk-dev] [EXT] " Anoob Joseph
2021-09-16 10:24       ` Nicolau, Radu
2021-09-17 12:51         ` Anoob Joseph
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 5/9] examples/ipsec-secgw: add support for TSO Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 6/9] examples/ipsec-secgw: add support for defining initial sequence number value Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 7/9] examples/ipsec-secgw: add ethdev reset callback Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 8/9] examples/ipsec-secgw: add support for additional algorithms Radu Nicolau
2021-09-15 13:45   ` [dpdk-dev] [PATCH v2 9/9] examples/ipsec-secgw: add support for inline crypto UDP encapsulation Radu Nicolau
2021-10-01  9:51 ` [dpdk-dev] [PATCH v3 0/8] IPsec Sec GW new features Radu Nicolau
2021-10-01  9:51   ` [dpdk-dev] [PATCH v3 1/8] examples/ipsec-secgw: add stats interval argument Radu Nicolau
2021-10-08 18:37     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-01  9:51   ` [dpdk-dev] [PATCH v3 2/8] examples/ipsec-secgw: update create inline session Radu Nicolau
2021-10-08 18:38     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-01  9:51   ` [dpdk-dev] [PATCH v3 3/8] examples/ipsec-secgw: add support for inline crypto UDP encapsulation Radu Nicolau
2021-10-08 18:42     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-01  9:51   ` [dpdk-dev] [PATCH v3 4/8] examples/ipsec-secgw: add support for TSO Radu Nicolau
2021-10-08 18:46     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-01  9:51   ` [dpdk-dev] [PATCH v3 5/8] examples/ipsec-secgw: add support for telemetry Radu Nicolau
2021-10-08 18:51     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-01  9:52   ` [dpdk-dev] [PATCH v3 6/8] examples/ipsec-secgw: add support for defining initial sequence number value Radu Nicolau
2021-10-08 18:57     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-01  9:52   ` [dpdk-dev] [PATCH v3 7/8] examples/ipsec-secgw: add ethdev reset callback Radu Nicolau
2021-10-01  9:52   ` [dpdk-dev] [PATCH v3 8/8] examples/ipsec-secgw: add support for additional algorithms Radu Nicolau
2021-10-08 19:07     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-11 15:40       ` Nicolau, Radu
2021-10-18 10:28 ` [dpdk-dev] [PATCH v4 0/7] IPsec Sec GW new features Radu Nicolau
2021-10-18 10:28   ` [dpdk-dev] [PATCH v4 1/7] examples/ipsec-secgw: add stats interval argument Radu Nicolau
2021-10-18 10:28   ` [dpdk-dev] [PATCH v4 2/7] examples/ipsec-secgw: update create inline session Radu Nicolau
2021-10-18 10:28   ` [dpdk-dev] [PATCH v4 3/7] examples/ipsec-secgw: add support for inline crypto UDP encapsulation Radu Nicolau
2021-10-18 10:28   ` [dpdk-dev] [PATCH v4 4/7] examples/ipsec-secgw: support telemetry Radu Nicolau
2021-10-18 10:28   ` [dpdk-dev] [PATCH v4 5/7] examples/ipsec-secgw: define initial ESN value Radu Nicolau
2021-10-18 10:28   ` [dpdk-dev] [PATCH v4 6/7] examples/ipsec-secgw: add ethdev reset callback Radu Nicolau
2021-10-18 10:29   ` [dpdk-dev] [PATCH v4 7/7] examples/ipsec-secgw: add support for additional algorithms Radu Nicolau
2021-10-27 11:45 ` [dpdk-dev] [PATCH v5 0/7] IPsec Sec GW new features Radu Nicolau
2021-10-27 11:45   ` [dpdk-dev] [PATCH v5 1/7] examples/ipsec-secgw: add stats interval argument Radu Nicolau
2021-10-27 11:45   ` [dpdk-dev] [PATCH v5 2/7] examples/ipsec-secgw: update create inline session Radu Nicolau
2021-10-27 11:45   ` [dpdk-dev] [PATCH v5 3/7] examples/ipsec-secgw: add support for inline crypto UDP encapsulation Radu Nicolau
2021-10-31 20:03     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-27 11:45   ` [dpdk-dev] [PATCH v5 4/7] examples/ipsec-secgw: support telemetry Radu Nicolau
2021-10-31 20:22     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-27 11:45   ` [dpdk-dev] [PATCH v5 5/7] examples/ipsec-secgw: define initial ESN value Radu Nicolau
2021-10-31 20:23     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-27 11:45   ` [dpdk-dev] [PATCH v5 6/7] examples/ipsec-secgw: add ethdev reset callback Radu Nicolau
2021-10-31 20:25     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-10-27 11:45   ` Radu Nicolau [this message]
2021-10-31 20:29     ` [dpdk-dev] [EXT] [PATCH v5 7/7] examples/ipsec-secgw: add support for additional algorithms Akhil Goyal
2021-11-01 12:58 ` [dpdk-dev] [PATCH v6 0/7] IPsec Sec GW new features Radu Nicolau
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 1/7] examples/ipsec-secgw: add stats interval argument Radu Nicolau
2021-11-03  9:23     ` [dpdk-dev] [EXT] " Akhil Goyal
2021-11-03 10:51       ` Nicolau, Radu
2021-11-03 13:20         ` Akhil Goyal
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 2/7] examples/ipsec-secgw: update create inline session Radu Nicolau
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 3/7] examples/ipsec-secgw: add support for inline crypto UDP encapsulation Radu Nicolau
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 4/7] examples/ipsec-secgw: support telemetry Radu Nicolau
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 5/7] examples/ipsec-secgw: define initial ESN value Radu Nicolau
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 6/7] examples/ipsec-secgw: add ethdev reset callback Radu Nicolau
2021-11-01 12:58   ` [dpdk-dev] [PATCH v6 7/7] examples/ipsec-secgw: add support for additional algorithms Radu Nicolau
2021-11-03 14:13   ` [dpdk-dev] [EXT] [PATCH v6 0/7] IPsec Sec GW new features Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211027114530.2244661-8-radu.nicolau@intel.com \
    --to=radu.nicolau@intel.com \
    --cc=declan.doherty@intel.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    --cc=hemant.agrawal@oss.nxp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.