diff mbox series

[3/8] examples/ipsec-secgw: support XCBC-MAC/DES-CBC

Message ID 20220425041423.2232034-3-g.singh@nxp.com (mailing list archive)
State Changes Requested, archived
Delegated to: akhil goyal
Headers
Series [1/8] app/test-crypto-perf: improve dequeue logic |

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Gagandeep Singh April 25, 2022, 4:14 a.m. UTC 
  ipsec-secgw application is updated to support
DES-CBC ciphering and XCBC-MAC authentication
based IPsec functionality.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
 examples/ipsec-secgw/esp.c | 5 +++++
 examples/ipsec-secgw/sa.c  | 8 ++++++++
 2 files changed, 13 insertions(+)

Comments

Akhil Goyal May 13, 2022, 9:54 a.m. UTC | #1 
> ipsec-secgw application is updated to support
> DES-CBC ciphering and XCBC-MAC authentication
> based IPsec functionality.
> 
> Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> ---
>  examples/ipsec-secgw/esp.c | 5 +++++
>  examples/ipsec-secgw/sa.c  | 8 ++++++++
>  2 files changed, 13 insertions(+)
Documentation updates missing for new algos
"doc/guides/sample_app_ug/ipsec_secgw.rst"

> 
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index bd233752c8..b72a5604c8 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -100,6 +100,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> 
>  		switch (sa->cipher_algo) {
>  		case RTE_CRYPTO_CIPHER_NULL:
> +		case RTE_CRYPTO_CIPHER_DES_CBC:
>  		case RTE_CRYPTO_CIPHER_3DES_CBC:
>  		case RTE_CRYPTO_CIPHER_AES_CBC:
>  			/* Copy IV at the end of crypto operation */
> @@ -121,6 +122,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>  		case RTE_CRYPTO_AUTH_NULL:
>  		case RTE_CRYPTO_AUTH_SHA1_HMAC:
>  		case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
>  			sym_cop->auth.data.offset = ip_hdr_len;
>  			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> +
>  				sa->iv_len + payload_len;
> @@ -336,6 +338,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>  	} else {
>  		switch (sa->cipher_algo) {
>  		case RTE_CRYPTO_CIPHER_NULL:
> +		case RTE_CRYPTO_CIPHER_DES_CBC:
>  		case RTE_CRYPTO_CIPHER_3DES_CBC:
>  		case RTE_CRYPTO_CIPHER_AES_CBC:
>  			memset(iv, 0, sa->iv_len);
> @@ -399,6 +402,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>  	} else {
>  		switch (sa->cipher_algo) {
>  		case RTE_CRYPTO_CIPHER_NULL:
> +		case RTE_CRYPTO_CIPHER_DES_CBC:
>  		case RTE_CRYPTO_CIPHER_3DES_CBC:
>  		case RTE_CRYPTO_CIPHER_AES_CBC:
>  			sym_cop->cipher.data.offset = ip_hdr_len +
> @@ -431,6 +435,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>  		case RTE_CRYPTO_AUTH_NULL:
>  		case RTE_CRYPTO_AUTH_SHA1_HMAC:
>  		case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
>  			sym_cop->auth.data.offset = ip_hdr_len;
>  			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> +
>  				sa->iv_len + pad_payload_len;
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index 1839ac71af..8159b32a72 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -119,6 +119,13 @@ const struct supported_cipher_algo cipher_algos[] = {
>  		.iv_len = 8,
>  		.block_size = 8,
>  		.key_len = 24
> +	},
> +	{
> +		.keyword = "des-cbc",
> +		.algo = RTE_CRYPTO_CIPHER_DES_CBC,
> +		.iv_len = 8,
> +		.block_size = 8,
> +		.key_len = 8
>  	}
>  };
> 
> @@ -1301,6 +1308,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct
> ipsec_sa entries[],
>  		} else {
>  			switch (sa->cipher_algo) {
>  			case RTE_CRYPTO_CIPHER_NULL:
> +			case RTE_CRYPTO_CIPHER_DES_CBC:
>  			case RTE_CRYPTO_CIPHER_3DES_CBC:
>  			case RTE_CRYPTO_CIPHER_AES_CBC:
>  			case RTE_CRYPTO_CIPHER_AES_CTR:
> --
> 2.25.1
Gagandeep Singh May 16, 2022, 9:45 a.m. UTC | #2 
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Friday, May 13, 2022 3:24 PM
> To: Gagandeep Singh <G.Singh@nxp.com>; dev@dpdk.org
> Subject: RE: [EXT] [PATCH 3/8] examples/ipsec-secgw: support XCBC-MAC/DES-
> CBC
> 
> > ipsec-secgw application is updated to support DES-CBC ciphering and
> > XCBC-MAC authentication based IPsec functionality.
> >
> > Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> > ---
> >  examples/ipsec-secgw/esp.c | 5 +++++
> >  examples/ipsec-secgw/sa.c  | 8 ++++++++
> >  2 files changed, 13 insertions(+)
> Documentation updates missing for new algos
> "doc/guides/sample_app_ug/ipsec_secgw.rst"

Ok, It appears algo SHA256_HMAC is also missing in the document. 

> 
> >
> > diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> > index bd233752c8..b72a5604c8 100644
> > --- a/examples/ipsec-secgw/esp.c
> > +++ b/examples/ipsec-secgw/esp.c
> > @@ -100,6 +100,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa
> > *sa,
> >
> >  		switch (sa->cipher_algo) {
> >  		case RTE_CRYPTO_CIPHER_NULL:
> > +		case RTE_CRYPTO_CIPHER_DES_CBC:
> >  		case RTE_CRYPTO_CIPHER_3DES_CBC:
> >  		case RTE_CRYPTO_CIPHER_AES_CBC:
> >  			/* Copy IV at the end of crypto operation */ @@ -121,6
> +122,7 @@
> > esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> >  		case RTE_CRYPTO_AUTH_NULL:
> >  		case RTE_CRYPTO_AUTH_SHA1_HMAC:
> >  		case RTE_CRYPTO_AUTH_SHA256_HMAC:
> > +		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> >  			sym_cop->auth.data.offset = ip_hdr_len;
> >  			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> > +
> >  				sa->iv_len + payload_len;
> > @@ -336,6 +338,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> >  	} else {
> >  		switch (sa->cipher_algo) {
> >  		case RTE_CRYPTO_CIPHER_NULL:
> > +		case RTE_CRYPTO_CIPHER_DES_CBC:
> >  		case RTE_CRYPTO_CIPHER_3DES_CBC:
> >  		case RTE_CRYPTO_CIPHER_AES_CBC:
> >  			memset(iv, 0, sa->iv_len);
> > @@ -399,6 +402,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> >  	} else {
> >  		switch (sa->cipher_algo) {
> >  		case RTE_CRYPTO_CIPHER_NULL:
> > +		case RTE_CRYPTO_CIPHER_DES_CBC:
> >  		case RTE_CRYPTO_CIPHER_3DES_CBC:
> >  		case RTE_CRYPTO_CIPHER_AES_CBC:
> >  			sym_cop->cipher.data.offset = ip_hdr_len + @@ -431,6
> +435,7 @@
> > esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> >  		case RTE_CRYPTO_AUTH_NULL:
> >  		case RTE_CRYPTO_AUTH_SHA1_HMAC:
> >  		case RTE_CRYPTO_AUTH_SHA256_HMAC:
> > +		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> >  			sym_cop->auth.data.offset = ip_hdr_len;
> >  			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> > +
> >  				sa->iv_len + pad_payload_len;
> > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> > index 1839ac71af..8159b32a72 100644
> > --- a/examples/ipsec-secgw/sa.c
> > +++ b/examples/ipsec-secgw/sa.c
> > @@ -119,6 +119,13 @@ const struct supported_cipher_algo cipher_algos[] =
> {
> >  		.iv_len = 8,
> >  		.block_size = 8,
> >  		.key_len = 24
> > +	},
> > +	{
> > +		.keyword = "des-cbc",
> > +		.algo = RTE_CRYPTO_CIPHER_DES_CBC,
> > +		.iv_len = 8,
> > +		.block_size = 8,
> > +		.key_len = 8
> >  	}
> >  };
> >
> > @@ -1301,6 +1308,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct
> > ipsec_sa entries[],
> >  		} else {
> >  			switch (sa->cipher_algo) {
> >  			case RTE_CRYPTO_CIPHER_NULL:
> > +			case RTE_CRYPTO_CIPHER_DES_CBC:
> >  			case RTE_CRYPTO_CIPHER_3DES_CBC:
> >  			case RTE_CRYPTO_CIPHER_AES_CBC:
> >  			case RTE_CRYPTO_CIPHER_AES_CTR:
> > --
> > 2.25.1
diff mbox series

Patch

diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index bd233752c8..b72a5604c8 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -100,6 +100,7 @@  esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 
 		switch (sa->cipher_algo) {
 		case RTE_CRYPTO_CIPHER_NULL:
+		case RTE_CRYPTO_CIPHER_DES_CBC:
 		case RTE_CRYPTO_CIPHER_3DES_CBC:
 		case RTE_CRYPTO_CIPHER_AES_CBC:
 			/* Copy IV at the end of crypto operation */
@@ -121,6 +122,7 @@  esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 		case RTE_CRYPTO_AUTH_NULL:
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
 		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
 			sym_cop->auth.data.offset = ip_hdr_len;
 			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
 				sa->iv_len + payload_len;
@@ -336,6 +338,7 @@  esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	} else {
 		switch (sa->cipher_algo) {
 		case RTE_CRYPTO_CIPHER_NULL:
+		case RTE_CRYPTO_CIPHER_DES_CBC:
 		case RTE_CRYPTO_CIPHER_3DES_CBC:
 		case RTE_CRYPTO_CIPHER_AES_CBC:
 			memset(iv, 0, sa->iv_len);
@@ -399,6 +402,7 @@  esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 	} else {
 		switch (sa->cipher_algo) {
 		case RTE_CRYPTO_CIPHER_NULL:
+		case RTE_CRYPTO_CIPHER_DES_CBC:
 		case RTE_CRYPTO_CIPHER_3DES_CBC:
 		case RTE_CRYPTO_CIPHER_AES_CBC:
 			sym_cop->cipher.data.offset = ip_hdr_len +
@@ -431,6 +435,7 @@  esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 		case RTE_CRYPTO_AUTH_NULL:
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
 		case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
 			sym_cop->auth.data.offset = ip_hdr_len;
 			sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
 				sa->iv_len + pad_payload_len;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 1839ac71af..8159b32a72 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -119,6 +119,13 @@  const struct supported_cipher_algo cipher_algos[] = {
 		.iv_len = 8,
 		.block_size = 8,
 		.key_len = 24
+	},
+	{
+		.keyword = "des-cbc",
+		.algo = RTE_CRYPTO_CIPHER_DES_CBC,
+		.iv_len = 8,
+		.block_size = 8,
+		.key_len = 8
 	}
 };
 
@@ -1301,6 +1308,7 @@  sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 		} else {
 			switch (sa->cipher_algo) {
 			case RTE_CRYPTO_CIPHER_NULL:
+			case RTE_CRYPTO_CIPHER_DES_CBC:
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 			case RTE_CRYPTO_CIPHER_AES_CBC:
 			case RTE_CRYPTO_CIPHER_AES_CTR: