authorDamjan Marion <damarion@cisco.com>2019-03-29 13:47:54 +0100
committerDamjan Marion <damarion@cisco.com>2019-04-07 11:19:35 +0200
commit060bfb987a277624e5644de2fcbee1196c2c76e8 (patch)
tree2ca6ccf57c09c5e016f9613b0e0e75f8e49475eb /src/vnet/ipsec
parentdc43bcd8abef2cee4eebdc94d9a82c0194ba00fb (diff)
crypto: add support for AEAD and AES-GCM
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/esp.h8
-rw-r--r--src/vnet/ipsec/esp_decrypt.c11
-rw-r--r--src/vnet/ipsec/esp_encrypt.c13
-rw-r--r--src/vnet/ipsec/ipsec.c30
-rw-r--r--src/vnet/ipsec/ipsec.h6
-rw-r--r--src/vnet/ipsec/ipsec_sa.c6
-rw-r--r--src/vnet/ipsec/ipsec_sa.h6
7 files changed, 39 insertions, 41 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index b6942fadf97..4b67eb2134b 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -94,16 +94,16 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len,
{
vnet_crypto_op_t _op, *op = &_op;
- if (PREDICT_FALSE (sa->integ_op_type == 0))
+ if (PREDICT_FALSE (sa->integ_op_id == 0))
return 0;
- vnet_crypto_op_init (op, sa->integ_op_type);
+ vnet_crypto_op_init (op, sa->integ_op_id);
op->key = sa->integ_key.data;
op->key_len = sa->integ_key.len;
op->src = data;
op->len = data_len;
- op->dst = signature;
- op->hmac_trunc_len = sa->integ_icv_size;
+ op->digest = signature;
+ op->digest_len = sa->integ_icv_size;
if (ipsec_sa_is_set_USE_ESN (sa))
{
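Review bot: A leftover `op->dst` in any integrity path would still compile after this change, because `dst` evidently remains a field of vnet_crypto_op_t (the cipher ops in esp_decrypt.c and esp_encrypt.c still assign `op->src = op->dst = payload`), yet it would no longer refer to the ICV, which now lives in `op->digest`. The USE_ESN branch that opens on the last line of this hunk is outside it, and so are the ESN branches that follow the integ-op setup in the esp_decrypt.c hunk at -202 and the esp_encrypt.c hunk at -438; none of them shows a changed line. Each of those branches should be checked, and any statement that adjusts or writes through `op->dst` for an integrity op should be moved to `op->digest`, otherwise ICV generation or verification with ESN enabled would touch the wrong bytes.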
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 7737d186865..9b24e5aaeaa 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -202,14 +202,14 @@ esp_decrypt_inline (vlib_main_t * vm,
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES);
- vnet_crypto_op_init (op, sa0->integ_op_type);
+ vnet_crypto_op_init (op, sa0->integ_op_id);
op->key = sa0->integ_key.data;
op->key_len = sa0->integ_key.len;
op->src = payload;
- op->hmac_trunc_len = cpd.icv_sz;
op->flags = VNET_CRYPTO_OP_FLAG_HMAC_CHECK;
op->user_data = b - bufs;
- op->dst = payload + len;
+ op->digest = payload + len;
+ op->digest_len = cpd.icv_sz;
op->len = len;
if (PREDICT_TRUE (sa0->flags & IPSEC_SA_FLAG_USE_ESN))
{
@@ -226,11 +226,11 @@ esp_decrypt_inline (vlib_main_t * vm,
payload += esp_sz;
len -= esp_sz;
- if (sa0->crypto_enc_op_type != VNET_CRYPTO_OP_NONE)
+ if (sa0->crypto_enc_op_id != VNET_CRYPTO_OP_NONE)
{
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
- vnet_crypto_op_init (op, sa0->crypto_dec_op_type);
+ vnet_crypto_op_init (op, sa0->crypto_dec_op_id);
op->key = sa0->crypto_key.data;
op->iv = payload;
op->src = op->dst = payload += cpd.iv_sz;
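Review bot: The guard at the top of this block tests `sa0->crypto_enc_op_id`, while the op is initialised with `sa0->crypto_dec_op_id`; in the decrypt path the check should be on the id that is actually used, `if (sa0->crypto_dec_op_id != VNET_CRYPTO_OP_NONE)`. Both ids are assigned together in ipsec_sa_set_crypto_alg, so the mismatch is latent today, but an algorithm entry with only one direction populated would pass an unset op id to `vnet_crypto_op_init`. esp_decrypt_inline starts and ends outside the hunk.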
@@ -271,7 +271,6 @@ esp_decrypt_inline (vlib_main_t * vm,
op++;
}
}
-
if ((n = vec_len (ptd->crypto_ops)))
{
vnet_crypto_op_t *op = ptd->crypto_ops;
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 29e27d4488c..bb1effda68b 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -425,11 +425,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
esp->spi = spi;
esp->seq = clib_net_to_host_u32 (sa0->seq);
- if (sa0->crypto_enc_op_type)
+ if (sa0->crypto_enc_op_id)
{
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
- vnet_crypto_op_init (op, sa0->crypto_enc_op_type);
+ vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
op->iv = payload - iv_sz;
op->src = op->dst = payload;
op->key = sa0->crypto_key.data;
@@ -438,16 +438,16 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
op->user_data = b - bufs;
}
- if (sa0->integ_op_type)
+ if (sa0->integ_op_id)
{
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES);
- vnet_crypto_op_init (op, sa0->integ_op_type);
+ vnet_crypto_op_init (op, sa0->integ_op_id);
op->src = payload - iv_sz - sizeof (esp_header_t);
- op->dst = payload + payload_len - icv_sz;
+ op->digest = payload + payload_len - icv_sz;
op->key = sa0->integ_key.data;
op->key_len = sa0->integ_key.len;
- op->hmac_trunc_len = icv_sz;
+ op->digest_len = icv_sz;
op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t);
op->user_data = b - bufs;
if (ipsec_sa_is_set_USE_ESN (sa0))
@@ -484,7 +484,6 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
current_sa_index, current_sa_packets,
current_sa_bytes);
-
esp_process_ops (vm, node, ptd->crypto_ops, bufs, nexts);
esp_process_ops (vm, node, ptd->integ_ops, bufs, nexts);
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index 9719d3a2d09..dc2f4cdbb60 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -269,51 +269,51 @@ ipsec_init (vlib_main_t * vm)
vec_validate (im->crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC;
- a->enc_op_type = VNET_CRYPTO_OP_DES_CBC_ENC;
- a->dec_op_type = VNET_CRYPTO_OP_DES_CBC_DEC;
+ a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC;
+ a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC;
a->iv_size = a->block_size = 8;
a = im->crypto_algs + IPSEC_CRYPTO_ALG_3DES_CBC;
- a->enc_op_type = VNET_CRYPTO_OP_3DES_CBC_ENC;
- a->dec_op_type = VNET_CRYPTO_OP_3DES_CBC_DEC;
+ a->enc_op_id = VNET_CRYPTO_OP_3DES_CBC_ENC;
+ a->dec_op_id = VNET_CRYPTO_OP_3DES_CBC_DEC;
a->iv_size = a->block_size = 8;
a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_128;
- a->enc_op_type = VNET_CRYPTO_OP_AES_128_CBC_ENC;
- a->dec_op_type = VNET_CRYPTO_OP_AES_128_CBC_DEC;
+ a->enc_op_id = VNET_CRYPTO_OP_AES_128_CBC_ENC;
+ a->dec_op_id = VNET_CRYPTO_OP_AES_128_CBC_DEC;
a->iv_size = a->block_size = 16;
a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_192;
- a->enc_op_type = VNET_CRYPTO_OP_AES_192_CBC_ENC;
- a->dec_op_type = VNET_CRYPTO_OP_AES_192_CBC_DEC;
+ a->enc_op_id = VNET_CRYPTO_OP_AES_192_CBC_ENC;
+ a->dec_op_id = VNET_CRYPTO_OP_AES_192_CBC_DEC;
a->iv_size = a->block_size = 16;
a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_256;
- a->enc_op_type = VNET_CRYPTO_OP_AES_256_CBC_ENC;
- a->dec_op_type = VNET_CRYPTO_OP_AES_256_CBC_DEC;
+ a->enc_op_id = VNET_CRYPTO_OP_AES_256_CBC_ENC;
+ a->dec_op_id = VNET_CRYPTO_OP_AES_256_CBC_DEC;
a->iv_size = a->block_size = 16;
vec_validate (im->integ_algs, IPSEC_INTEG_N_ALG - 1);
ipsec_main_integ_alg_t *i;
i = &im->integ_algs[IPSEC_INTEG_ALG_SHA1_96];
- i->op_type = VNET_CRYPTO_OP_SHA1_HMAC;
+ i->op_id = VNET_CRYPTO_OP_SHA1_HMAC;
i->icv_size = 12;
i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
- i->op_type = VNET_CRYPTO_OP_SHA1_HMAC;
+ i->op_id = VNET_CRYPTO_OP_SHA1_HMAC;
i->icv_size = 12;
i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
- i->op_type = VNET_CRYPTO_OP_SHA256_HMAC;
+ i->op_id = VNET_CRYPTO_OP_SHA256_HMAC;
i->icv_size = 16;
i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
- i->op_type = VNET_CRYPTO_OP_SHA384_HMAC;
+ i->op_id = VNET_CRYPTO_OP_SHA384_HMAC;
i->icv_size = 24;
i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
- i->op_type = VNET_CRYPTO_OP_SHA512_HMAC;
+ i->op_id = VNET_CRYPTO_OP_SHA512_HMAC;
i->icv_size = 32;
vec_validate_aligned (im->ptd, vlib_num_workers (), CLIB_CACHE_LINE_BYTES);
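Review bot: `IPSEC_INTEG_ALG_SHA_256_96` is mapped to `VNET_CRYPTO_OP_SHA1_HMAC`, the same op as `IPSEC_INTEG_ALG_SHA1_96`, and the mapping is carried over unchanged under the new field name. Going by the names, an SA configured for SHA-256 with a 96-bit ICV would be authenticated with HMAC-SHA1, a weaker algorithm than the operator selected, and would presumably fail to interoperate with a peer that implements the named algorithm. If this is not intentional, the entry should read `i->op_id = VNET_CRYPTO_OP_SHA256_HMAC;` with `i->icv_size = 12;` kept; if it is intentional, a comment on that line should say why. ipsec_init continues outside the hunk.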
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index 821b7ed3107..b6332d672fb 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -66,15 +66,15 @@ typedef struct
typedef struct
{
- vnet_crypto_op_type_t enc_op_type;
- vnet_crypto_op_type_t dec_op_type;
+ vnet_crypto_op_id_t enc_op_id;
+ vnet_crypto_op_id_t dec_op_id;
u8 iv_size;
u8 block_size;
} ipsec_main_crypto_alg_t;
typedef struct
{
- vnet_crypto_op_type_t op_type;
+ vnet_crypto_op_id_t op_id;
u8 icv_size;
} ipsec_main_integ_alg_t;
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 4d20566686d..af37b2e49cc 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -98,8 +98,8 @@ ipsec_sa_set_crypto_alg (ipsec_sa_t * sa, ipsec_crypto_alg_t crypto_alg)
sa->crypto_alg = crypto_alg;
sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size;
sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size;
- sa->crypto_enc_op_type = im->crypto_algs[crypto_alg].enc_op_type;
- sa->crypto_dec_op_type = im->crypto_algs[crypto_alg].dec_op_type;
+ sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
+ sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
ASSERT (sa->crypto_iv_size <= ESP_MAX_IV_SIZE);
ASSERT (sa->crypto_block_size <= ESP_MAX_BLOCK_SIZE);
}
@@ -110,7 +110,7 @@ ipsec_sa_set_integ_alg (ipsec_sa_t * sa, ipsec_integ_alg_t integ_alg)
ipsec_main_t *im = &ipsec_main;
sa->integ_alg = integ_alg;
sa->integ_icv_size = im->integ_algs[integ_alg].icv_size;
- sa->integ_op_type = im->integ_algs[integ_alg].op_type;
+ sa->integ_op_id = im->integ_algs[integ_alg].op_id;
ASSERT (sa->integ_icv_size <= ESP_MAX_ICV_SIZE);
}
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 12700ccaa39..72a592984f6 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -119,9 +119,9 @@ typedef struct
u32 last_seq_hi;
u64 replay_window;
- vnet_crypto_op_type_t crypto_enc_op_type;
- vnet_crypto_op_type_t crypto_dec_op_type;
- vnet_crypto_op_type_t integ_op_type;
+ vnet_crypto_op_id_t crypto_enc_op_id;
+ vnet_crypto_op_id_t crypto_dec_op_id;
+ vnet_crypto_op_id_t integ_op_id;
dpo_id_t dpo[IPSEC_N_PROTOCOLS];