From patchwork Wed Dec 20 20:00:11 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Github ODP bot X-Patchwork-Id: 122497 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp6033932qgn; Wed, 20 Dec 2017 12:02:03 -0800 (PST) X-Google-Smtp-Source: ACJfBosbhSkb+EKyHwCe00vn8D28XfxRqyM1szkfa0qEePgCUx9PP6Cemob82RgHEgMyBj+DB9U1 X-Received: by 10.200.26.234 with SMTP id h39mr11757133qtk.135.1513800123111; Wed, 20 Dec 2017 12:02:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1513800123; cv=none; d=google.com; s=arc-20160816; b=Vh9dTNBH45Ou+p4M6pNzLW9ynNIkxdvxzCpQxKBFMACSY9H5l85LxBCP1pJuF4f9uY vk8W0Pa0LG/gfRf//2tmFm18sgcY+MmoMxH8rhKs4ttF5tYbwl4uMO1k9ooO0m3U0OtV 7NCjWM4H06nKibMa4+JNh93WQKZ8GJDBMVlCTr7ELZoFkxzrMRf46RE4IOID4lf9TnfX THtPRE9nQ2EKZtzbnbDBfYAM4Ea93Sz/kdFwKUFm4nXphm0RuzqK0GEnigVhqyJU3Y5V gpA7+ASRgZVWUk8bq+NO4zgeguSQV1DBCq/kn7U9sFnGxeWC8BTbYYS5W4MVqj1rfPHm 2RcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:subject:github-pr-num :references:in-reply-to:message-id:date:to:from:delivered-to :arc-authentication-results; bh=lbBiX+PNKvJRdoaviPail/xVoGWKj4El2OkS4gTC5ZA=; b=Hl1RVzgLtaE004KHwXzNji/MLUuhlV7cQjTGuQQxQnISqCFZsUVC0RUUXzlwHHbvw4 u/6zmIakhl42Wbt9EL++krC0KsQ0VlfixqoWhP/By4ORLyZMPShUMblHPIE8XqmYB4Nm 4fSlICKbIdPIl7jnx797npnWSd/2kxteWblQRTjKuUg0oaE5IU315uxXEio/WI484ShR z+msR8kzZWhGAIuCO42QSXZKkbl7FwnzB2WDl4MzuUDlF5bn1stVtzm9BLUtVuMh/GjJ Q/IsXu5jYvyI2qso17+6az4jlLU8UNRurfMQrq3j7dVLq/u+T+AB3mgRbNVF0Uv8L++U jj7Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) smtp.mailfrom=lng-odp-bounces@lists.linaro.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Return-Path: Received: from lists.linaro.org (ec2-54-197-127-237.compute-1.amazonaws.com. [54.197.127.237]) by mx.google.com with ESMTP id o63si3176731qkf.281.2017.12.20.12.02.02; Wed, 20 Dec 2017 12:02:03 -0800 (PST) Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) client-ip=54.197.127.237; Authentication-Results: mx.google.com; spf=pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) smtp.mailfrom=lng-odp-bounces@lists.linaro.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yandex.ru Received: by lists.linaro.org (Postfix, from userid 109) id 15AB060956; Wed, 20 Dec 2017 20:02:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on ip-10-142-244-252 X-Spam-Level: X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2 autolearn=disabled version=3.4.0 Received: from [127.0.0.1] (localhost [127.0.0.1]) by lists.linaro.org (Postfix) with ESMTP id E50CD60912; Wed, 20 Dec 2017 20:00:28 +0000 (UTC) X-Original-To: lng-odp@lists.linaro.org Delivered-To: lng-odp@lists.linaro.org Received: by lists.linaro.org (Postfix, from userid 109) id 72E00608EE; Wed, 20 Dec 2017 20:00:19 +0000 (UTC) Received: from forward104p.mail.yandex.net (forward104p.mail.yandex.net [77.88.28.107]) by lists.linaro.org (Postfix) with ESMTPS id 61367608F8 for ; Wed, 20 Dec 2017 20:00:16 +0000 (UTC) Received: from mxback2j.mail.yandex.net (mxback2j.mail.yandex.net [IPv6:2a02:6b8:0:1619::10b]) by forward104p.mail.yandex.net (Yandex) with ESMTP id 29101183620 for ; Wed, 20 Dec 2017 23:00:15 +0300 (MSK) Received: from smtp3o.mail.yandex.net (smtp3o.mail.yandex.net [2a02:6b8:0:1a2d::27]) by mxback2j.mail.yandex.net (nwsmtp/Yandex) with ESMTP id ML2riFfynD-0Fc0NcRu; Wed, 20 Dec 2017 23:00:15 +0300 Received: by smtp3o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id xnVhh3DIik-0EBSvNCi; Wed, 20 Dec 2017 23:00:14 +0300 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (Client certificate not present) From: Github ODP bot To: lng-odp@lists.linaro.org Date: Wed, 20 Dec 2017 23:00:11 +0300 Message-Id: <1513800011-1560-4-git-send-email-odpbot@yandex.ru> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1513800011-1560-1-git-send-email-odpbot@yandex.ru> References: <1513800011-1560-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 351 Subject: [lng-odp] [PATCH API-NEXT v5 3/3] linux-gen: ipsec: adapt to capability changes X-BeenThere: lng-odp@lists.linaro.org X-Mailman-Version: 2.1.16 Precedence: list List-Id: "The OpenDataPlane \(ODP\) List" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" From: Dmitry Eremin-Solenikov Signed-off-by: Dmitry Eremin-Solenikov --- /** Email created from pull request 351 (lumag:ipsec_crypto_caps) ** https://github.com/Linaro/odp/pull/351 ** Patch: https://github.com/Linaro/odp/pull/351.patch ** Base sha: 9e35c84dea1b66bae27a35dfc71018a0bb455950 ** Merge commit sha: 051f69796bfb3ee5c82407da77df8fdb76fcffcc **/ .../linux-generic/include/odp_ipsec_internal.h | 6 ++ platform/linux-generic/odp_ipsec.c | 67 +++++++++++++- platform/linux-generic/odp_ipsec_sad.c | 101 ++++++++++++++------- 3 files changed, 137 insertions(+), 37 deletions(-) diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index c6f241fac..70a583c5b 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -206,6 +206,12 @@ typedef struct ODP_PACKED { odp_u32be_t seq_no; /**< Sequence Number */ } ipsec_aad_t; +/* Return IV length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_cipher_iv_len(odp_cipher_alg_t cipher); + +/* Return digest length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_auth_digest_len(odp_auth_alg_t auth); + /** * Obtain SA reference */ diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index 4f23eb17b..f9ba4a165 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -57,16 +57,75 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa) return 0; } +/* This should be enough for all ciphers and auths. Currently used maximum is 3 + * capabilities */ +#define MAX_CAPS 10 + int odp_ipsec_cipher_capability(odp_cipher_alg_t cipher, - odp_crypto_cipher_capability_t capa[], int num) + odp_ipsec_cipher_capability_t capa[], int num) { - return odp_crypto_cipher_capability(cipher, capa, num); + odp_crypto_cipher_capability_t crypto_capa[MAX_CAPS]; + uint32_t req_iv_len; + int rc, i, out; + + rc = odp_crypto_cipher_capability(cipher, crypto_capa, MAX_CAPS); + if (rc <= 0) + return rc; + + ODP_ASSERT(rc <= MAX_CAPS); + if (rc > MAX_CAPS) + rc = MAX_CAPS; + + req_iv_len = _odp_ipsec_cipher_iv_len(cipher); + for (i = 0, out = 0; i < rc; i++) { + if (crypto_capa[i].iv_len != req_iv_len) + continue; + + if (out < num) + capa[out].key_len = crypto_capa[i].key_len; + out++; + } + + return out; } int odp_ipsec_auth_capability(odp_auth_alg_t auth, - odp_crypto_auth_capability_t capa[], int num) + odp_ipsec_auth_capability_t capa[], int num) { - return odp_crypto_auth_capability(auth, capa, num); + odp_crypto_auth_capability_t crypto_capa[MAX_CAPS]; + uint32_t req_digest_len; + int rc, i, out; + + rc = odp_crypto_auth_capability(auth, crypto_capa, MAX_CAPS); + if (rc <= 0) + return rc; + + ODP_ASSERT(rc <= MAX_CAPS); + if (rc > MAX_CAPS) + rc = MAX_CAPS; + + req_digest_len = _odp_ipsec_auth_digest_len(auth); + for (i = 0, out = 0; i < rc; i++) { + if (crypto_capa[i].digest_len != req_digest_len) + continue; + + if (ODP_AUTH_ALG_AES_GCM == auth || + ODP_DEPRECATE(ODP_AUTH_ALG_AES128_GCM) == auth) { + uint8_t aad_len = 12; + + if (aad_len < crypto_capa[i].aad_len.min || + aad_len > crypto_capa[i].aad_len.max || + 0 != (aad_len - crypto_capa[i].aad_len.min) % + crypto_capa[i].aad_len.inc) + continue; + } + + if (out < num) + capa[out].key_len = crypto_capa[i].key_len; + out++; + } + + return out; } void odp_ipsec_config_init(odp_ipsec_config_t *config) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 2d6321166..845a73dea 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -190,12 +190,66 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param) param->dest_queue = ODP_QUEUE_INVALID; } +/* Return IV length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_cipher_iv_len(odp_cipher_alg_t cipher) +{ + switch (cipher) { + case ODP_CIPHER_ALG_NULL: + return 0; + case ODP_CIPHER_ALG_DES: + case ODP_CIPHER_ALG_3DES_CBC: + return 8; +#if ODP_DEPRECATED_API + case ODP_CIPHER_ALG_AES128_CBC: +#endif + case ODP_CIPHER_ALG_AES_CBC: + case ODP_CIPHER_ALG_AES_CTR: + return 16; +#if ODP_DEPRECATED_API + case ODP_CIPHER_ALG_AES128_GCM: +#endif + case ODP_CIPHER_ALG_AES_GCM: + return 12; + default: + return (uint32_t)-1; + } +} + +/* Return digest length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_auth_digest_len(odp_auth_alg_t auth) +{ + switch (auth) { + case ODP_AUTH_ALG_NULL: + return 0; +#if ODP_DEPRECATED_API + case ODP_AUTH_ALG_MD5_96: +#endif + case ODP_AUTH_ALG_MD5_HMAC: + case ODP_AUTH_ALG_SHA1_HMAC: + return 12; +#if ODP_DEPRECATED_API + case ODP_AUTH_ALG_SHA256_128: +#endif + case ODP_AUTH_ALG_SHA256_HMAC: + return 16; + case ODP_AUTH_ALG_SHA512_HMAC: + return 32; +#if ODP_DEPRECATED_API + case ODP_AUTH_ALG_AES128_GCM: +#endif + case ODP_AUTH_ALG_AES_GCM: + case ODP_AUTH_ALG_AES_GMAC: + return 16; + default: + return (uint32_t)-1; + } +} + odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) { ipsec_sa_t *ipsec_sa; odp_crypto_session_param_t crypto_param; odp_crypto_ses_create_err_t ses_create_rc; - uint32_t aad_len = 0; ipsec_sa = ipsec_sa_reserve(); if (NULL == ipsec_sa) { @@ -297,17 +351,25 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) crypto_param.auth_alg = param->crypto.auth_alg; crypto_param.auth_key = param->crypto.auth_key; + crypto_param.iv.length = + _odp_ipsec_cipher_iv_len(crypto_param.cipher_alg); + + crypto_param.auth_digest_len = + _odp_ipsec_auth_digest_len(crypto_param.auth_alg); + + if ((uint32_t)-1 == crypto_param.iv.length || + (uint32_t)-1 == crypto_param.auth_digest_len) + goto error; + switch (crypto_param.cipher_alg) { case ODP_CIPHER_ALG_NULL: ipsec_sa->esp_iv_len = 0; ipsec_sa->esp_block_len = 1; - crypto_param.iv.length = 0; break; case ODP_CIPHER_ALG_DES: case ODP_CIPHER_ALG_3DES_CBC: ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 8; - crypto_param.iv.length = 8; break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_CBC: @@ -315,14 +377,12 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) case ODP_CIPHER_ALG_AES_CBC: ipsec_sa->esp_iv_len = 16; ipsec_sa->esp_block_len = 16; - crypto_param.iv.length = 16; break; case ODP_CIPHER_ALG_AES_CTR: ipsec_sa->use_counter_iv = 1; ipsec_sa->aes_ctr_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; - crypto_param.iv.length = 16; break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_GCM: @@ -331,40 +391,17 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->use_counter_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; - crypto_param.iv.length = 12; break; default: goto error; } switch (crypto_param.auth_alg) { - case ODP_AUTH_ALG_NULL: - ipsec_sa->icv_len = 0; - break; -#if ODP_DEPRECATED_API - case ODP_AUTH_ALG_MD5_96: -#endif - case ODP_AUTH_ALG_MD5_HMAC: - ipsec_sa->icv_len = 12; - break; - case ODP_AUTH_ALG_SHA1_HMAC: - ipsec_sa->icv_len = 12; - break; -#if ODP_DEPRECATED_API - case ODP_AUTH_ALG_SHA256_128: -#endif - case ODP_AUTH_ALG_SHA256_HMAC: - ipsec_sa->icv_len = 16; - break; - case ODP_AUTH_ALG_SHA512_HMAC: - ipsec_sa->icv_len = 32; - break; #if ODP_DEPRECATED_API case ODP_AUTH_ALG_AES128_GCM: #endif case ODP_AUTH_ALG_AES_GCM: - ipsec_sa->icv_len = 16; - aad_len = sizeof(ipsec_aad_t); + crypto_param.auth_aad_len = sizeof(ipsec_aad_t); break; case ODP_AUTH_ALG_AES_GMAC: if (ODP_CIPHER_ALG_NULL != crypto_param.cipher_alg) @@ -372,19 +409,17 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->use_counter_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; - ipsec_sa->icv_len = 16; crypto_param.iv.length = 12; break; default: - goto error; + break; } if (1 == ipsec_sa->use_counter_iv && ODP_IPSEC_DIR_OUTBOUND == param->dir) odp_atomic_init_u64(&ipsec_sa->out.counter, 1); - crypto_param.auth_digest_len = ipsec_sa->icv_len; - crypto_param.auth_aad_len = aad_len; + ipsec_sa->icv_len = crypto_param.auth_digest_len; if (param->crypto.cipher_key_extra.length) { if (param->crypto.cipher_key_extra.length >