author | Damjan Marion <damarion@cisco.com> | 2019-03-29 13:47:54 +0100 |
---|---|---|
committer | Damjan Marion <damarion@cisco.com> | 2019-04-07 11:19:35 +0200 |
commit | 060bfb987a277624e5644de2fcbee1196c2c76e8 (patch) | |
tree | 2ca6ccf57c09c5e016f9613b0e0e75f8e49475eb /src/vnet/ipsec | |
parent | dc43bcd8abef2cee4eebdc94d9a82c0194ba00fb (diff) |
crypto: add support for AEAD and AES-GCM
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r-- | src/vnet/ipsec/esp.h | 8 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 11 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 13 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.c | 30 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.h | 6 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 6 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 6 |
7 files changed, 39 insertions, 41 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index b6942fadf97..4b67eb2134b 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -94,16 +94,16 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len, { vnet_crypto_op_t _op, *op = &_op; - if (PREDICT_FALSE (sa->integ_op_type == 0)) + if (PREDICT_FALSE (sa->integ_op_id == 0)) return 0; - vnet_crypto_op_init (op, sa->integ_op_type); + vnet_crypto_op_init (op, sa->integ_op_id); op->key = sa->integ_key.data; op->key_len = sa->integ_key.len; op->src = data; op->len = data_len; - op->dst = signature; - op->hmac_trunc_len = sa->integ_icv_size; + op->digest = signature; + op->digest_len = sa->integ_icv_size; if (ipsec_sa_is_set_USE_ESN (sa)) { diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 7737d186865..9b24e5aaeaa 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -202,14 +202,14 @@ esp_decrypt_inline (vlib_main_t * vm, vnet_crypto_op_t *op; vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES); - vnet_crypto_op_init (op, sa0->integ_op_type); + vnet_crypto_op_init (op, sa0->integ_op_id); op->key = sa0->integ_key.data; op->key_len = sa0->integ_key.len; op->src = payload; - op->hmac_trunc_len = cpd.icv_sz; op->flags = VNET_CRYPTO_OP_FLAG_HMAC_CHECK; op->user_data = b - bufs; - op->dst = payload + len; + op->digest = payload + len; + op->digest_len = cpd.icv_sz; op->len = len; if (PREDICT_TRUE (sa0->flags & IPSEC_SA_FLAG_USE_ESN)) { @@ -226,11 +226,11 @@ esp_decrypt_inline (vlib_main_t * vm, payload += esp_sz; len -= esp_sz; - if (sa0->crypto_enc_op_type != VNET_CRYPTO_OP_NONE) + if (sa0->crypto_enc_op_id != VNET_CRYPTO_OP_NONE) { vnet_crypto_op_t *op; vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES); - vnet_crypto_op_init (op, sa0->crypto_dec_op_type); + vnet_crypto_op_init (op, sa0->crypto_dec_op_id); op->key = sa0->crypto_key.data; op->iv = payload; op->src = op->dst = payload += cpd.iv_sz; 
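Review bot: The "no algorithm configured" test is spelled three ways across this change: `sa->integ_op_id == 0` here in hmac_calc, bare truthiness (`if (sa0->crypto_enc_op_id)`, `if (sa0->integ_op_id)`) in the esp_encrypt.c hunks, and `!= VNET_CRYPTO_OP_NONE` in esp_decrypt.c. Now that the field is an op id, comparing against the named constant everywhere, e.g. `if (PREDICT_FALSE (sa->integ_op_id == VNET_CRYPTO_OP_NONE))`, keeps the guard tied to the enum rather than to a literal; this assumes VNET_CRYPTO_OP_NONE is the zero value, which the hunks do not show. The early `return 0` presumably means "integrity disabled, no ICV written", and a one-line comment saying so would stop a caller from reading it as a failure. hmac_calc's body continues outside the hunk.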
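Review bot: In the first esp_decrypt.c hunk, `op->digest = payload + len` and `op->len = len` both trust `len`, and nothing visible here shows that the buffer holds at least the ESP header, IV and `cpd.icv_sz` bytes before the op is queued. If that bound is not enforced earlier in esp_decrypt_inline (the function starts outside the hunk), a runt ESP packet would put the digest pointer and the authenticated span outside the received payload; a length guard ahead of this block that drops such packets would close that off. With the field no longer named `dst`, a short comment that under `VNET_CRYPTO_OP_FLAG_HMAC_CHECK` the `digest` pointer is the received ICV to compare against, not an output buffer, would also help.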
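Review bot: In the second esp_decrypt.c hunk the guard tests `sa0->crypto_enc_op_id` but the op is initialised from `sa0->crypto_dec_op_id`, so the check and the use read different fields. ipsec_sa_set_crypto_alg fills both from the same table entry, so they agree today, but an algorithm entry that sets only one of them would either queue an op with id NONE or skip decryption. Testing the field that is used, `if (sa0->crypto_dec_op_id != VNET_CRYPTO_OP_NONE)`, removes that coupling. esp_decrypt_inline starts and ends outside the hunk.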
@@ -271,7 +271,6 @@ esp_decrypt_inline (vlib_main_t * vm, op++; } } - if ((n = vec_len (ptd->crypto_ops))) { vnet_crypto_op_t *op = ptd->crypto_ops; diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 29e27d4488c..bb1effda68b 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -425,11 +425,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, esp->spi = spi; esp->seq = clib_net_to_host_u32 (sa0->seq); - if (sa0->crypto_enc_op_type) + if (sa0->crypto_enc_op_id) { vnet_crypto_op_t *op; vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES); - vnet_crypto_op_init (op, sa0->crypto_enc_op_type); + vnet_crypto_op_init (op, sa0->crypto_enc_op_id); op->iv = payload - iv_sz; op->src = op->dst = payload; op->key = sa0->crypto_key.data; @@ -438,16 +438,16 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, op->user_data = b - bufs; } - if (sa0->integ_op_type) + if (sa0->integ_op_id) { vnet_crypto_op_t *op; vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES); - vnet_crypto_op_init (op, sa0->integ_op_type); + vnet_crypto_op_init (op, sa0->integ_op_id); op->src = payload - iv_sz - sizeof (esp_header_t); - op->dst = payload + payload_len - icv_sz; + op->digest = payload + payload_len - icv_sz; op->key = sa0->integ_key.data; op->key_len = sa0->integ_key.len; - op->hmac_trunc_len = icv_sz; + op->digest_len = icv_sz; op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t); op->user_data = b - bufs; if (ipsec_sa_is_set_USE_ESN (sa0)) @@ -484,7 +484,6 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, current_sa_index, current_sa_packets, current_sa_bytes); - esp_process_ops (vm, node, ptd->crypto_ops, bufs, nexts); esp_process_ops (vm, node, ptd->integ_ops, bufs, nexts); diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 9719d3a2d09..dc2f4cdbb60 100644 
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -269,51 +269,51 @@ ipsec_init (vlib_main_t * vm) vec_validate (im->crypto_algs, IPSEC_CRYPTO_N_ALG - 1); a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC; - a->enc_op_type = VNET_CRYPTO_OP_DES_CBC_ENC; - a->dec_op_type = VNET_CRYPTO_OP_DES_CBC_DEC; + a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC; + a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC; a->iv_size = a->block_size = 8; a = im->crypto_algs + IPSEC_CRYPTO_ALG_3DES_CBC; - a->enc_op_type = VNET_CRYPTO_OP_3DES_CBC_ENC; - a->dec_op_type = VNET_CRYPTO_OP_3DES_CBC_DEC; + a->enc_op_id = VNET_CRYPTO_OP_3DES_CBC_ENC; + a->dec_op_id = VNET_CRYPTO_OP_3DES_CBC_DEC; a->iv_size = a->block_size = 8; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_128; - a->enc_op_type = VNET_CRYPTO_OP_AES_128_CBC_ENC; - a->dec_op_type = VNET_CRYPTO_OP_AES_128_CBC_DEC; + a->enc_op_id = VNET_CRYPTO_OP_AES_128_CBC_ENC; + a->dec_op_id = VNET_CRYPTO_OP_AES_128_CBC_DEC; a->iv_size = a->block_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_192; - a->enc_op_type = VNET_CRYPTO_OP_AES_192_CBC_ENC; - a->dec_op_type = VNET_CRYPTO_OP_AES_192_CBC_DEC; + a->enc_op_id = VNET_CRYPTO_OP_AES_192_CBC_ENC; + a->dec_op_id = VNET_CRYPTO_OP_AES_192_CBC_DEC; a->iv_size = a->block_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_256; - a->enc_op_type = VNET_CRYPTO_OP_AES_256_CBC_ENC; - a->dec_op_type = VNET_CRYPTO_OP_AES_256_CBC_DEC; + a->enc_op_id = VNET_CRYPTO_OP_AES_256_CBC_ENC; + a->dec_op_id = VNET_CRYPTO_OP_AES_256_CBC_DEC; a->iv_size = a->block_size = 16; vec_validate (im->integ_algs, IPSEC_INTEG_N_ALG - 1); ipsec_main_integ_alg_t *i; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA1_96]; - i->op_type = VNET_CRYPTO_OP_SHA1_HMAC; + i->op_id = VNET_CRYPTO_OP_SHA1_HMAC; i->icv_size = 12; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_96]; - i->op_type = VNET_CRYPTO_OP_SHA1_HMAC; + i->op_id = VNET_CRYPTO_OP_SHA1_HMAC; i->icv_size = 12; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_128]; - i->op_type = VNET_CRYPTO_OP_SHA256_HMAC; + i->op_id = 
VNET_CRYPTO_OP_SHA256_HMAC; i->icv_size = 16; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_384_192]; - i->op_type = VNET_CRYPTO_OP_SHA384_HMAC; + i->op_id = VNET_CRYPTO_OP_SHA384_HMAC; i->icv_size = 24; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_512_256]; - i->op_type = VNET_CRYPTO_OP_SHA512_HMAC; + i->op_id = VNET_CRYPTO_OP_SHA512_HMAC; i->icv_size = 32; vec_validate_aligned (im->ptd, vlib_num_workers (), CLIB_CACHE_LINE_BYTES); diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index 821b7ed3107..b6332d672fb 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -66,15 +66,15 @@ typedef struct typedef struct { - vnet_crypto_op_type_t enc_op_type; - vnet_crypto_op_type_t dec_op_type; + vnet_crypto_op_id_t enc_op_id; + vnet_crypto_op_id_t dec_op_id; u8 iv_size; u8 block_size; } ipsec_main_crypto_alg_t; typedef struct { - vnet_crypto_op_type_t op_type; + vnet_crypto_op_id_t op_id; u8 icv_size; } ipsec_main_integ_alg_t; diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 4d20566686d..af37b2e49cc 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -98,8 +98,8 @@ ipsec_sa_set_crypto_alg (ipsec_sa_t * sa, ipsec_crypto_alg_t crypto_alg) sa->crypto_alg = crypto_alg; sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size; sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size; - sa->crypto_enc_op_type = im->crypto_algs[crypto_alg].enc_op_type; - sa->crypto_dec_op_type = im->crypto_algs[crypto_alg].dec_op_type; + sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id; + sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id; ASSERT (sa->crypto_iv_size <= ESP_MAX_IV_SIZE); ASSERT (sa->crypto_block_size <= ESP_MAX_BLOCK_SIZE); } 
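Review bot: In the ipsec_init hunk of ipsec.c, the `IPSEC_INTEG_ALG_SHA_256_96` entry is still wired to `VNET_CRYPTO_OP_SHA1_HMAC`, so an SA configured for HMAC-SHA-256 with a 96-bit ICV would be authenticated with HMAC-SHA1. The rename carries the old value over unchanged; unless this is deliberate the line should read `i->op_id = VNET_CRYPTO_OP_SHA256_HMAC;` with `i->icv_size = 12` kept. As written it is an interoperability failure against a peer that really computes SHA-256, and a silent downgrade of the configured algorithm. The same table keeps the DES-CBC and 3DES-CBC entries with 8-byte blocks, which deserve a comment marking them as legacy. ipsec_init continues outside the hunk.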
@@ -110,7 +110,7 @@ ipsec_sa_set_integ_alg (ipsec_sa_t * sa, ipsec_integ_alg_t integ_alg) ipsec_main_t *im = &ipsec_main; sa->integ_alg = integ_alg; sa->integ_icv_size = im->integ_algs[integ_alg].icv_size; - sa->integ_op_type = im->integ_algs[integ_alg].op_type; + sa->integ_op_id = im->integ_algs[integ_alg].op_id; ASSERT (sa->integ_icv_size <= ESP_MAX_ICV_SIZE); } diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 12700ccaa39..72a592984f6 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -119,9 +119,9 @@ typedef struct u32 last_seq_hi; u64 replay_window; - vnet_crypto_op_type_t crypto_enc_op_type; - vnet_crypto_op_type_t crypto_dec_op_type; - vnet_crypto_op_type_t integ_op_type; + vnet_crypto_op_id_t crypto_enc_op_id; + vnet_crypto_op_id_t crypto_dec_op_id; + vnet_crypto_op_id_t integ_op_id; dpo_id_t dpo[IPSEC_N_PROTOCOLS]; |