[3/8] examples/ipsec-secgw: support XCBC-MAC/DES-CBC
Checks
Commit Message
ipsec-secgw application is updated to support
DES-CBC ciphering and XCBC-MAC authentication
based IPsec functionality.
Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
---
examples/ipsec-secgw/esp.c | 5 +++++
examples/ipsec-secgw/sa.c | 8 ++++++++
2 files changed, 13 insertions(+)
Comments
> ipsec-secgw application is updated to support
> DES-CBC ciphering and XCBC-MAC authentication
> based IPsec functionality.
>
> Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> ---
> examples/ipsec-secgw/esp.c | 5 +++++
> examples/ipsec-secgw/sa.c | 8 ++++++++
> 2 files changed, 13 insertions(+)
Documentation updates missing for new algos
"doc/guides/sample_app_ug/ipsec_secgw.rst"
>
> diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> index bd233752c8..b72a5604c8 100644
> --- a/examples/ipsec-secgw/esp.c
> +++ b/examples/ipsec-secgw/esp.c
> @@ -100,6 +100,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
>
> switch (sa->cipher_algo) {
> case RTE_CRYPTO_CIPHER_NULL:
> + case RTE_CRYPTO_CIPHER_DES_CBC:
> case RTE_CRYPTO_CIPHER_3DES_CBC:
> case RTE_CRYPTO_CIPHER_AES_CBC:
> /* Copy IV at the end of crypto operation */
> @@ -121,6 +122,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> case RTE_CRYPTO_AUTH_NULL:
> case RTE_CRYPTO_AUTH_SHA1_HMAC:
> case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> sym_cop->auth.data.offset = ip_hdr_len;
> sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> +
> sa->iv_len + payload_len;
> @@ -336,6 +338,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> } else {
> switch (sa->cipher_algo) {
> case RTE_CRYPTO_CIPHER_NULL:
> + case RTE_CRYPTO_CIPHER_DES_CBC:
> case RTE_CRYPTO_CIPHER_3DES_CBC:
> case RTE_CRYPTO_CIPHER_AES_CBC:
> memset(iv, 0, sa->iv_len);
> @@ -399,6 +402,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> } else {
> switch (sa->cipher_algo) {
> case RTE_CRYPTO_CIPHER_NULL:
> + case RTE_CRYPTO_CIPHER_DES_CBC:
> case RTE_CRYPTO_CIPHER_3DES_CBC:
> case RTE_CRYPTO_CIPHER_AES_CBC:
> sym_cop->cipher.data.offset = ip_hdr_len +
> @@ -431,6 +435,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> case RTE_CRYPTO_AUTH_NULL:
> case RTE_CRYPTO_AUTH_SHA1_HMAC:
> case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> sym_cop->auth.data.offset = ip_hdr_len;
> sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> +
> sa->iv_len + pad_payload_len;
> diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> index 1839ac71af..8159b32a72 100644
> --- a/examples/ipsec-secgw/sa.c
> +++ b/examples/ipsec-secgw/sa.c
> @@ -119,6 +119,13 @@ const struct supported_cipher_algo cipher_algos[] = {
> .iv_len = 8,
> .block_size = 8,
> .key_len = 24
> + },
> + {
> + .keyword = "des-cbc",
> + .algo = RTE_CRYPTO_CIPHER_DES_CBC,
> + .iv_len = 8,
> + .block_size = 8,
> + .key_len = 8
> }
> };
>
> @@ -1301,6 +1308,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct
> ipsec_sa entries[],
> } else {
> switch (sa->cipher_algo) {
> case RTE_CRYPTO_CIPHER_NULL:
> + case RTE_CRYPTO_CIPHER_DES_CBC:
> case RTE_CRYPTO_CIPHER_3DES_CBC:
> case RTE_CRYPTO_CIPHER_AES_CBC:
> case RTE_CRYPTO_CIPHER_AES_CTR:
> --
> 2.25.1
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Friday, May 13, 2022 3:24 PM
> To: Gagandeep Singh <G.Singh@nxp.com>; dev@dpdk.org
> Subject: RE: [EXT] [PATCH 3/8] examples/ipsec-secgw: support XCBC-MAC/DES-
> CBC
>
> > ipsec-secgw application is updated to support DES-CBC ciphering and
> > XCBC-MAC authentication based IPsec functionality.
> >
> > Signed-off-by: Gagandeep Singh <g.singh@nxp.com>
> > ---
> > examples/ipsec-secgw/esp.c | 5 +++++
> > examples/ipsec-secgw/sa.c | 8 ++++++++
> > 2 files changed, 13 insertions(+)
> Documentation updates missing for new algos
> "doc/guides/sample_app_ug/ipsec_secgw.rst"
Ok, It appears algo SHA256_HMAC is also missing in the document.
>
> >
> > diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
> > index bd233752c8..b72a5604c8 100644
> > --- a/examples/ipsec-secgw/esp.c
> > +++ b/examples/ipsec-secgw/esp.c
> > @@ -100,6 +100,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa
> > *sa,
> >
> > switch (sa->cipher_algo) {
> > case RTE_CRYPTO_CIPHER_NULL:
> > + case RTE_CRYPTO_CIPHER_DES_CBC:
> > case RTE_CRYPTO_CIPHER_3DES_CBC:
> > case RTE_CRYPTO_CIPHER_AES_CBC:
> > /* Copy IV at the end of crypto operation */ @@ -121,6
> +122,7 @@
> > esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> > case RTE_CRYPTO_AUTH_NULL:
> > case RTE_CRYPTO_AUTH_SHA1_HMAC:
> > case RTE_CRYPTO_AUTH_SHA256_HMAC:
> > + case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> > sym_cop->auth.data.offset = ip_hdr_len;
> > sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> > +
> > sa->iv_len + payload_len;
> > @@ -336,6 +338,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> > } else {
> > switch (sa->cipher_algo) {
> > case RTE_CRYPTO_CIPHER_NULL:
> > + case RTE_CRYPTO_CIPHER_DES_CBC:
> > case RTE_CRYPTO_CIPHER_3DES_CBC:
> > case RTE_CRYPTO_CIPHER_AES_CBC:
> > memset(iv, 0, sa->iv_len);
> > @@ -399,6 +402,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> > } else {
> > switch (sa->cipher_algo) {
> > case RTE_CRYPTO_CIPHER_NULL:
> > + case RTE_CRYPTO_CIPHER_DES_CBC:
> > case RTE_CRYPTO_CIPHER_3DES_CBC:
> > case RTE_CRYPTO_CIPHER_AES_CBC:
> > sym_cop->cipher.data.offset = ip_hdr_len + @@ -431,6
> +435,7 @@
> > esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
> > case RTE_CRYPTO_AUTH_NULL:
> > case RTE_CRYPTO_AUTH_SHA1_HMAC:
> > case RTE_CRYPTO_AUTH_SHA256_HMAC:
> > + case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> > sym_cop->auth.data.offset = ip_hdr_len;
> > sym_cop->auth.data.length = sizeof(struct rte_esp_hdr)
> > +
> > sa->iv_len + pad_payload_len;
> > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
> > index 1839ac71af..8159b32a72 100644
> > --- a/examples/ipsec-secgw/sa.c
> > +++ b/examples/ipsec-secgw/sa.c
> > @@ -119,6 +119,13 @@ const struct supported_cipher_algo cipher_algos[] =
> {
> > .iv_len = 8,
> > .block_size = 8,
> > .key_len = 24
> > + },
> > + {
> > + .keyword = "des-cbc",
> > + .algo = RTE_CRYPTO_CIPHER_DES_CBC,
> > + .iv_len = 8,
> > + .block_size = 8,
> > + .key_len = 8
> > }
> > };
> >
> > @@ -1301,6 +1308,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct
> > ipsec_sa entries[],
> > } else {
> > switch (sa->cipher_algo) {
> > case RTE_CRYPTO_CIPHER_NULL:
> > + case RTE_CRYPTO_CIPHER_DES_CBC:
> > case RTE_CRYPTO_CIPHER_3DES_CBC:
> > case RTE_CRYPTO_CIPHER_AES_CBC:
> > case RTE_CRYPTO_CIPHER_AES_CTR:
> > --
> > 2.25.1
@@ -100,6 +100,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
switch (sa->cipher_algo) {
case RTE_CRYPTO_CIPHER_NULL:
+ case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
/* Copy IV at the end of crypto operation */
@@ -121,6 +122,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_AUTH_NULL:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
sa->iv_len + payload_len;
@@ -336,6 +338,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
} else {
switch (sa->cipher_algo) {
case RTE_CRYPTO_CIPHER_NULL:
+ case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
memset(iv, 0, sa->iv_len);
@@ -399,6 +402,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
} else {
switch (sa->cipher_algo) {
case RTE_CRYPTO_CIPHER_NULL:
+ case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
sym_cop->cipher.data.offset = ip_hdr_len +
@@ -431,6 +435,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_AUTH_NULL:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
sa->iv_len + pad_payload_len;
@@ -119,6 +119,13 @@ const struct supported_cipher_algo cipher_algos[] = {
.iv_len = 8,
.block_size = 8,
.key_len = 24
+ },
+ {
+ .keyword = "des-cbc",
+ .algo = RTE_CRYPTO_CIPHER_DES_CBC,
+ .iv_len = 8,
+ .block_size = 8,
+ .key_len = 8
}
};
@@ -1301,6 +1308,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
} else {
switch (sa->cipher_algo) {
case RTE_CRYPTO_CIPHER_NULL:
+ case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
case RTE_CRYPTO_CIPHER_AES_CTR: