[dpdk-dev] [PATCH v4] examples/ipsec-secgw: support 192/256 AES key sizes
Anoob Joseph
anoobj at marvell.com
Tue Apr 7 08:30:42 CEST 2020
Adding support for the following,
1. AES-192-GCM
2. AES-256-GCM
3. AES-192-CBC
Signed-off-by: Anoob Joseph <anoobj at marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree at marvell.com>
---
v4:
* Reverted to v2 as suggested by Akhil.
* Added additional check in print routines to make sure correct key size is
printed.
* Updated incorrect documentation of 'aead_key'
v3:
* Fixed incorrect AES-GCM key length being printed during app startup
* Introduced new macro 'SALT_SIZE' to make the usage more obvious (AES-GCM
key has key following 4 byte salt)
* Minor cleanup for the existing code.
v2:
* Updated doc and release notes
doc/guides/rel_notes/release_20_05.rst | 7 +++++++
doc/guides/sample_app_ug/ipsec_secgw.rst | 10 +++++++---
examples/ipsec-secgw/ipsec.h | 2 +-
examples/ipsec-secgw/sa.c | 28 +++++++++++++++++++++++++++-
4 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/doc/guides/rel_notes/release_20_05.rst b/doc/guides/rel_notes/release_20_05.rst
index 6b1a7c5..8cfcef2 100644
--- a/doc/guides/rel_notes/release_20_05.rst
+++ b/doc/guides/rel_notes/release_20_05.rst
@@ -81,6 +81,13 @@ New Features
by making use of the event device capabilities. The event mode currently supports
only inline IPsec protocol offload.
+* **Added 192/256 AES key sizes in ipsec-secgw application.**
+
+ Updated ipsec-secgw application to support the following key sizes,
+ - AES-192-CBC
+ - AES-192-GCM
+ - AES-256-GCM
+
Removed Items
-------------
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 038f593..c02d16a 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -538,6 +538,7 @@ where each options means:
* *null*: NULL algorithm
* *aes-128-cbc*: AES-CBC 128-bit algorithm
+ * *aes-192-cbc*: AES-CBC 192-bit algorithm
* *aes-256-cbc*: AES-CBC 256-bit algorithm
* *aes-128-ctr*: AES-CTR 128-bit algorithm
* *3des-cbc*: 3DES-CBC 192-bit algorithm
@@ -593,6 +594,8 @@ where each options means:
* Available options:
* *aes-128-gcm*: AES-GCM 128-bit algorithm
+ * *aes-192-gcm*: AES-GCM 192-bit algorithm
+ * *aes-256-gcm*: AES-GCM 256-bit algorithm
* Syntax: *cipher_algo <your algorithm>*
@@ -604,11 +607,12 @@ where each options means:
Must be followed by <aead_algo> option
* Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
- The number of bytes should be as same as the specified AEAD algorithm
- key size.
+ Last 4 bytes of the provided key will be used as 'salt' and so, the
+ number of bytes should be same as the sum of specified AEAD algorithm
+ key size and salt size (4 bytes).
For example: *aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
- A1:B2:C3:D4*
+ A1:B2:C3:D4:A1:B2:C3:D4*
``<mode>``
diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h
index f8f29f9..46a974e 100644
--- a/examples/ipsec-secgw/ipsec.h
+++ b/examples/ipsec-secgw/ipsec.h
@@ -72,7 +72,7 @@ struct ip_addr {
} ip;
};
-#define MAX_KEY_SIZE 32
+#define MAX_KEY_SIZE 36
/*
* application wide SA parameters
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index a6bf5e8..5e3a7aa 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -77,6 +77,13 @@ const struct supported_cipher_algo cipher_algos[] = {
.key_len = 16
},
{
+ .keyword = "aes-192-cbc",
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 24
+ },
+ {
.keyword = "aes-256-cbc",
.algo = RTE_CRYPTO_CIPHER_AES_CBC,
.iv_len = 16,
@@ -130,6 +137,24 @@ const struct supported_aead_algo aead_algos[] = {
.key_len = 20,
.digest_len = 16,
.aad_len = 8,
+ },
+ {
+ .keyword = "aes-192-gcm",
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 28,
+ .digest_len = 16,
+ .aad_len = 8,
+ },
+ {
+ .keyword = "aes-256-gcm",
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .iv_len = 8,
+ .block_size = 4,
+ .key_len = 36,
+ .digest_len = 16,
+ .aad_len = 8,
}
};
@@ -753,7 +778,8 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound)
}
for (i = 0; i < RTE_DIM(aead_algos); i++) {
- if (aead_algos[i].algo == sa->aead_algo) {
+ if (aead_algos[i].algo == sa->aead_algo &&
+ aead_algos[i].key_len-4 == sa->cipher_key_len) {
printf("%s ", aead_algos[i].keyword);
break;
}
--
2.7.4
More information about the dev
mailing list