[API-NEXT,v2,3/3] linux-gen: ipsec: adapt to capability changes

Message ID	1513706411-15615-4-git-send-email-odpbot@yandex.ru
State	Superseded
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of lng-odp-bounces@lists.linaro.org designates 54.197.127.237 as permitted sender) client-ip=54.197.127.237; From: Github ODP bot <odpbot@yandex.ru> To: lng-odp@lists.linaro.org Date: Tue, 19 Dec 2017 21:00:11 +0300 Message-Id: <1513706411-15615-4-git-send-email-odpbot@yandex.ru> In-Reply-To: <1513706411-15615-1-git-send-email-odpbot@yandex.ru> References: <1513706411-15615-1-git-send-email-odpbot@yandex.ru> Github-pr-num: 351 Subject: [lng-odp] [PATCH API-NEXT v2 3/3] linux-gen: ipsec: adapt to capability changes Precedence: list Errors-To: lng-odp-bounces@lists.linaro.org Sender: "lng-odp" <lng-odp-bounces@lists.linaro.org>
Series	[API-NEXT,v2,1/3] api: ipsec: add capabilities for cipher and auth algos \| expand [API-NEXT,v2,1/3] api: ipsec: add capabilities for cipher and auth algos [API-NEXT,v2,2/3] validation: ipsec: adapt to crypto capability changes [API-NEXT,v2,3/3] linux-gen: ipsec: adapt to capability changes

diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h index c6f241fac..70a583c5b 100644 --- a/platform/linux-generic/include/odp_ipsec_internal.h +++ b/platform/linux-generic/include/odp_ipsec_internal.h @@ -206,6 +206,12 @@ typedef struct ODP_PACKED { odp_u32be_t seq_no; /**< Sequence Number */ } ipsec_aad_t; +/* Return IV length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_cipher_iv_len(odp_cipher_alg_t cipher); + +/* Return digest length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_auth_digest_len(odp_auth_alg_t auth); + /** * Obtain SA reference */ diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c index 4f23eb17b..89a05acdb 100644 --- a/platform/linux-generic/odp_ipsec.c +++ b/platform/linux-generic/odp_ipsec.c @@ -58,15 +58,55 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa) } int odp_ipsec_cipher_capability(odp_cipher_alg_t cipher, - odp_crypto_cipher_capability_t capa[], int num) + odp_ipsec_cipher_capability_t capa[], int num) { - return odp_crypto_cipher_capability(cipher, capa, num); + int caps = odp_crypto_cipher_capability(cipher, NULL, 0); + odp_crypto_cipher_capability_t crypto_capa[caps]; + uint32_t req_iv_len; + int rc, i, out; + + rc = odp_crypto_cipher_capability(cipher, crypto_capa, caps); + if (rc <= 0) + return rc; + + req_iv_len = _odp_ipsec_cipher_iv_len(cipher); + for (i = 0, out = 0; i < rc; i++) { + if (crypto_capa[i].iv_len != req_iv_len) + continue; + + if (out < num) + capa[out].key_len = crypto_capa[i].key_len; + out ++; + } + + return out; } int odp_ipsec_auth_capability(odp_auth_alg_t auth, - odp_crypto_auth_capability_t capa[], int num) + odp_ipsec_auth_capability_t capa[], int num) { - return odp_crypto_auth_capability(auth, capa, num); + int caps = odp_crypto_auth_capability(auth, NULL, 0); + odp_crypto_auth_capability_t crypto_capa[caps]; + uint32_t req_digest_len; + int rc, i, out; + + rc = odp_crypto_auth_capability(auth, crypto_capa, caps); + if (rc <= 0) + return rc; + + req_digest_len = _odp_ipsec_auth_digest_len(auth); + for (i = 0, out = 0; i < rc; i++) { + if (crypto_capa[i].digest_len != req_digest_len) + continue; + + /* FIXME: check AAD len for AES_GCM/AES128_GCM */ + + if (out < num) + capa[out].key_len = crypto_capa[i].key_len; + out ++; + } + + return out; } void odp_ipsec_config_init(odp_ipsec_config_t *config) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 2d6321166..1dbfc5444 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c @@ -190,12 +190,66 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param) param->dest_queue = ODP_QUEUE_INVALID; } +/* Return IV length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_cipher_iv_len(odp_cipher_alg_t cipher) +{ + switch (cipher) { + case ODP_CIPHER_ALG_NULL: + return 0; + case ODP_CIPHER_ALG_DES: + case ODP_CIPHER_ALG_3DES_CBC: + return 8; +#if ODP_DEPRECATED_API + case ODP_CIPHER_ALG_AES128_CBC: +#endif + case ODP_CIPHER_ALG_AES_CBC: + case ODP_CIPHER_ALG_AES_CTR: + return 16; +#if ODP_DEPRECATED_API + case ODP_CIPHER_ALG_AES128_GCM: +#endif + case ODP_CIPHER_ALG_AES_GCM: + return 12; + default: + return (uint32_t)-1; + } +} + +/* Return digest length required for the cipher for IPsec use */ +uint32_t _odp_ipsec_auth_digest_len(odp_auth_alg_t auth) +{ + switch (auth) { + case ODP_AUTH_ALG_NULL: + return 0; +#if ODP_DEPRECATED_API + case ODP_AUTH_ALG_MD5_96: +#endif + case ODP_AUTH_ALG_MD5_HMAC: + case ODP_AUTH_ALG_SHA1_HMAC: + return 12; +#if ODP_DEPRECATED_API + case ODP_AUTH_ALG_SHA256_128: +#endif + case ODP_AUTH_ALG_SHA256_HMAC: + return 16; + case ODP_AUTH_ALG_SHA512_HMAC: + return 32; +#if ODP_DEPRECATED_API + case ODP_AUTH_ALG_AES128_GCM: +#endif + case ODP_AUTH_ALG_AES_GCM: + case ODP_AUTH_ALG_AES_GMAC: + return 16; + default: + return (uint32_t)-1; + } +} + odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) { ipsec_sa_t *ipsec_sa; odp_crypto_session_param_t crypto_param; odp_crypto_ses_create_err_t ses_create_rc; - uint32_t aad_len = 0; ipsec_sa = ipsec_sa_reserve(); if (NULL == ipsec_sa) { @@ -297,17 +351,21 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) crypto_param.auth_alg = param->crypto.auth_alg; crypto_param.auth_key = param->crypto.auth_key; + crypto_param.iv.length = + _odp_ipsec_cipher_iv_len(crypto_param.cipher_alg); + + crypto_param.auth_digest_len = + _odp_ipsec_auth_digest_len(crypto_param.auth_alg); + switch (crypto_param.cipher_alg) { case ODP_CIPHER_ALG_NULL: ipsec_sa->esp_iv_len = 0; ipsec_sa->esp_block_len = 1; - crypto_param.iv.length = 0; break; case ODP_CIPHER_ALG_DES: case ODP_CIPHER_ALG_3DES_CBC: ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 8; - crypto_param.iv.length = 8; break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_CBC: @@ -315,14 +373,12 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) case ODP_CIPHER_ALG_AES_CBC: ipsec_sa->esp_iv_len = 16; ipsec_sa->esp_block_len = 16; - crypto_param.iv.length = 16; break; case ODP_CIPHER_ALG_AES_CTR: ipsec_sa->use_counter_iv = 1; ipsec_sa->aes_ctr_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; - crypto_param.iv.length = 16; break; #if ODP_DEPRECATED_API case ODP_CIPHER_ALG_AES128_GCM: @@ -331,40 +387,17 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->use_counter_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; - crypto_param.iv.length = 12; break; default: goto error; } switch (crypto_param.auth_alg) { - case ODP_AUTH_ALG_NULL: - ipsec_sa->icv_len = 0; - break; -#if ODP_DEPRECATED_API - case ODP_AUTH_ALG_MD5_96: -#endif - case ODP_AUTH_ALG_MD5_HMAC: - ipsec_sa->icv_len = 12; - break; - case ODP_AUTH_ALG_SHA1_HMAC: - ipsec_sa->icv_len = 12; - break; -#if ODP_DEPRECATED_API - case ODP_AUTH_ALG_SHA256_128: -#endif - case ODP_AUTH_ALG_SHA256_HMAC: - ipsec_sa->icv_len = 16; - break; - case ODP_AUTH_ALG_SHA512_HMAC: - ipsec_sa->icv_len = 32; - break; #if ODP_DEPRECATED_API case ODP_AUTH_ALG_AES128_GCM: #endif case ODP_AUTH_ALG_AES_GCM: - ipsec_sa->icv_len = 16; - aad_len = sizeof(ipsec_aad_t); + crypto_param.auth_aad_len = sizeof(ipsec_aad_t); break; case ODP_AUTH_ALG_AES_GMAC: if (ODP_CIPHER_ALG_NULL != crypto_param.cipher_alg) @@ -372,19 +405,17 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) ipsec_sa->use_counter_iv = 1; ipsec_sa->esp_iv_len = 8; ipsec_sa->esp_block_len = 16; - ipsec_sa->icv_len = 16; crypto_param.iv.length = 12; break; default: - goto error; + break; } if (1 == ipsec_sa->use_counter_iv && ODP_IPSEC_DIR_OUTBOUND == param->dir) odp_atomic_init_u64(&ipsec_sa->out.counter, 1); - crypto_param.auth_digest_len = ipsec_sa->icv_len; - crypto_param.auth_aad_len = aad_len; + ipsec_sa->icv_len = crypto_param.auth_digest_len; if (param->crypto.cipher_key_extra.length) { if (param->crypto.cipher_key_extra.length >

[API-NEXT,v2,3/3] linux-gen: ipsec: adapt to capability changes

Commit Message

Patch