diff mbox

[1/2] examples: ipsec: tunnel mode support

Message ID 1431344907-30359-1-git-send-email-alexandru.badicioiu@linaro.org
State Accepted
Commit 672527913097507903ec9286fa8330f09c68340c
Headers show

Commit Message

Alexandru Badicioiu May 11, 2015, 11:48 a.m. UTC
From: Alexandru Badicioiu <alexandru.badicioiu@linaro.org>

Tunnel mode is enabled from the command line using -t argument with
the following format: SrcIP:DstIP:TunnelSrcIP:TunnelDstIP.
SrcIP - cleartext packet source IP
DstIP - cleartext packet destination IP
TunnelSrcIP - tunnel source IP
TunnelDstIP - tunnel destination IP

The outbound packets matching SrcIP:DstIP will be encapsulated
in a TunnelSrcIP:TunnelDstIP IPSec tunnel (AH/ESP/AH+ESP)
if a matching outbound SA is determined (as for transport mode).
For inbound packets each entry in the IPSec cache is matched
for the cleartext addresses, as in the transport mode (SrcIP:DstIP)
and then for the tunnel addresses (TunnelSrcIP:TunnelDstIP)
in case cleartext addresses didn't match. After authentication and
decryption tunneled packets are verified against the tunnel entry
(packets came in from the expected tunnel).

Signed-off-by: Alexandru Badicioiu <alexandru.badicioiu@linaro.org>
---
 example/ipsec/odp_ipsec.c        |  105 +++++++++++++++++++++++++++---
 example/ipsec/odp_ipsec_cache.c  |   31 +++++++++-
 example/ipsec/odp_ipsec_cache.h  |    5 ++
 example/ipsec/odp_ipsec_sa_db.c  |  133 +++++++++++++++++++++++++++++++++++++-
 example/ipsec/odp_ipsec_sa_db.h  |   57 ++++++++++++++++
 example/ipsec/odp_ipsec_stream.c |  101 ++++++++++++++++++++++++----
 6 files changed, 402 insertions(+), 30 deletions(-)

Comments

Maxim Uvarov May 18, 2015, 4:55 p.m. UTC | #1
Hello Robbie,

can you please review that patch and next 2/2 patch.

Thanks,
Maxim.

On 05/11/2015 14:48, alexandru.badicioiu@linaro.org wrote:
> From: Alexandru Badicioiu <alexandru.badicioiu@linaro.org>
>
> Tunnel mode is enabled from the command line using -t argument with
> the following format: SrcIP:DstIP:TunnelSrcIP:TunnelDstIP.
> SrcIP - cleartext packet source IP
> DstIP - cleartext packet destination IP
> TunnelSrcIP - tunnel source IP
> TunnelDstIP - tunnel destination IP
>
> The outbound packets matching SrcIP:DstIP will be encapsulated
> in a TunnelSrcIP:TunnelDstIP IPSec tunnel (AH/ESP/AH+ESP)
> if a matching outbound SA is determined (as for transport mode).
> For inbound packets each entry in the IPSec cache is matched
> for the cleartext addresses, as in the transport mode (SrcIP:DstIP)
> and then for the tunnel addresses (TunnelSrcIP:TunnelDstIP)
> in case cleartext addresses didn't match. After authentication and
> decryption tunneled packets are verified against the tunnel entry
> (packets came in from the expected tunnel).
>
> Signed-off-by: Alexandru Badicioiu <alexandru.badicioiu@linaro.org>
> ---
>   example/ipsec/odp_ipsec.c        |  105 +++++++++++++++++++++++++++---
>   example/ipsec/odp_ipsec_cache.c  |   31 +++++++++-
>   example/ipsec/odp_ipsec_cache.h  |    5 ++
>   example/ipsec/odp_ipsec_sa_db.c  |  133 +++++++++++++++++++++++++++++++++++++-
>   example/ipsec/odp_ipsec_sa_db.h  |   57 ++++++++++++++++
>   example/ipsec/odp_ipsec_stream.c |  101 ++++++++++++++++++++++++----
>   6 files changed, 402 insertions(+), 30 deletions(-)
>
> diff --git a/example/ipsec/odp_ipsec.c b/example/ipsec/odp_ipsec.c
> index cb8f535..e325347 100644
> --- a/example/ipsec/odp_ipsec.c
> +++ b/example/ipsec/odp_ipsec.c
> @@ -135,13 +135,20 @@ typedef struct {
>   	uint8_t  ip_ttl;         /**< Saved IP TTL value */
>   	int      hdr_len;        /**< Length of IPsec headers */
>   	int      trl_len;        /**< Length of IPsec trailers */
> +	uint16_t tun_hdr_offset; /**< Offset of tunnel header from
> +				      buffer start */
>   	uint16_t ah_offset;      /**< Offset of AH header from buffer start */
>   	uint16_t esp_offset;     /**< Offset of ESP header from buffer start */
>   
> +	/* Input only */
> +	uint32_t src_ip;         /**< SA source IP address */
> +	uint32_t dst_ip;         /**< SA dest IP address */
> +
>   	/* Output only */
>   	odp_crypto_op_params_t params;  /**< Parameters for crypto call */
>   	uint32_t *ah_seq;               /**< AH sequence number location */
>   	uint32_t *esp_seq;              /**< ESP sequence number location */
> +	uint16_t *tun_hdr_id;           /**< Tunnel header ID > */
>   } ipsec_ctx_t;
>   
>   /**
> @@ -357,6 +364,7 @@ void ipsec_init_pre(void)
>   	/* Initialize our data bases */
>   	init_sp_db();
>   	init_sa_db();
> +	init_tun_db();
>   	init_ipsec_cache();
>   }
>   
> @@ -376,19 +384,27 @@ void ipsec_init_post(crypto_api_mode_e api_mode)
>   	for (entry = sp_db->list; NULL != entry; entry = entry->next) {
>   		sa_db_entry_t *cipher_sa = NULL;
>   		sa_db_entry_t *auth_sa = NULL;
> +		tun_db_entry_t *tun;
>   
> -		if (entry->esp)
> +		if (entry->esp) {
>   			cipher_sa = find_sa_db_entry(&entry->src_subnet,
>   						     &entry->dst_subnet,
>   						     1);
> -		if (entry->ah)
> +			tun = find_tun_db_entry(cipher_sa->src_ip,
> +						      cipher_sa->dst_ip);
> +		}
> +		if (entry->ah) {
>   			auth_sa = find_sa_db_entry(&entry->src_subnet,
>   						   &entry->dst_subnet,
>   						   0);
> +			tun = find_tun_db_entry(auth_sa->src_ip,
> +						      auth_sa->dst_ip);
> +		}
>   
>   		if (cipher_sa || auth_sa) {
>   			if (create_ipsec_cache_entry(cipher_sa,
>   						     auth_sa,
> +						     tun,
>   						     api_mode,
>   						     entry->input,
>   						     completionq,
> @@ -661,6 +677,8 @@ pkt_disposition_e do_ipsec_in_classify(odp_packet_t pkt,
>   	ctx->ipsec.esp_offset = esp ? ((uint8_t *)esp) - buf : 0;
>   	ctx->ipsec.hdr_len = hdr_len;
>   	ctx->ipsec.trl_len = 0;
> +	ctx->ipsec.src_ip = entry->src_ip;
> +	ctx->ipsec.dst_ip = entry->dst_ip;
>   
>   	/*If authenticating, zero the mutable fields build the request */
>   	if (ah) {
> @@ -741,6 +759,23 @@ pkt_disposition_e do_ipsec_in_finish(odp_packet_t pkt,
>   		trl_len += esp_t->pad_len + sizeof(*esp_t);
>   	}
>   
> +	/* We have a tunneled IPv4 packet */
> +	if (ip->proto == ODPH_IPV4) {
> +		odp_packet_pull_head(pkt, sizeof(*ip) + hdr_len);
> +		odp_packet_pull_tail(pkt, trl_len);
> +		odph_ethhdr_t *eth;
> +		eth = (odph_ethhdr_t *)odp_packet_l2_ptr(pkt, NULL);
> +		eth->type = ODPH_ETHTYPE_IPV4;
> +		ip = (odph_ipv4hdr_t *)odp_packet_l3_ptr(pkt, NULL);
> +
> +		/* Check inbound policy */
> +		if ((ip->src_addr != ctx->ipsec.src_ip ||
> +		     ip->dst_addr != ctx->ipsec.dst_ip))
> +			return PKT_DROP;
> +
> +		return PKT_CONTINUE;
> +	}
> +
>   	/* Finalize the IPv4 header */
>   	ipv4_adjust_len(ip, -(hdr_len + trl_len));
>   	ip->ttl = ctx->ipsec.ip_ttl;
> @@ -812,9 +847,13 @@ pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
>   	params.pkt = pkt;
>   	params.out_pkt = entry->in_place ? pkt : ODP_PACKET_INVALID;
>   
> +	if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> +		hdr_len += sizeof(odph_ipv4hdr_t);
> +		ip_data = (uint8_t *)ip;
> +	}
>   	/* Compute ah and esp, determine length of headers, move the data */
>   	if (entry->ah.alg) {
> -		ah = (odph_ahhdr_t *)(ip_data);
> +		ah = (odph_ahhdr_t *)(ip_data + hdr_len);
>   		hdr_len += sizeof(odph_ahhdr_t);
>   		hdr_len += entry->ah.icv_len;
>   	}
> @@ -826,21 +865,39 @@ pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
>   	memmove(ip_data + hdr_len, ip_data, ip_data_len);
>   	ip_data += hdr_len;
>   
> +	/* update outer header in tunnel mode */
> +	if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> +		/* tunnel addresses */
> +		ip->src_addr = odp_cpu_to_be_32(entry->tun_src_ip);
> +		ip->dst_addr = odp_cpu_to_be_32(entry->tun_dst_ip);
> +	}
> +
>   	/* For cipher, compute encrypt length, build headers and request */
>   	if (esp) {
>   		uint32_t encrypt_len;
>   		odph_esptrl_t *esp_t;
>   
> -		encrypt_len = ESP_ENCODE_LEN(ip_data_len + sizeof(*esp_t),
> -					     entry->esp.block_len);
> -		trl_len = encrypt_len - ip_data_len;
> +		if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> +			encrypt_len = ESP_ENCODE_LEN(ip->tot_len +
> +						     sizeof(*esp_t),
> +						     entry->esp.block_len);
> +			trl_len = encrypt_len - ip->tot_len;
> +		} else {
> +			encrypt_len = ESP_ENCODE_LEN(ip_data_len +
> +						     sizeof(*esp_t),
> +						     entry->esp.block_len);
> +			trl_len = encrypt_len - ip_data_len;
> +		}
>   
>   		esp->spi = odp_cpu_to_be_32(entry->esp.spi);
>   		memcpy(esp + 1, entry->state.iv, entry->esp.iv_len);
>   
>   		esp_t = (odph_esptrl_t *)(ip_data + encrypt_len) - 1;
>   		esp_t->pad_len     = trl_len - sizeof(*esp_t);
> -		esp_t->next_header = ip->proto;
> +		if (entry->mode == IPSEC_SA_MODE_TUNNEL)
> +			esp_t->next_header = ODPH_IPV4;
> +		else
> +			esp_t->next_header = ip->proto;
>   		ip->proto = ODPH_IPPROTO_ESP;
>   
>   		params.cipher_range.offset = ip_data - buf;
> @@ -852,7 +909,10 @@ pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
>   		memset(ah, 0, sizeof(*ah) + entry->ah.icv_len);
>   		ah->spi = odp_cpu_to_be_32(entry->ah.spi);
>   		ah->ah_len = 1 + (entry->ah.icv_len / 4);
> -		ah->next_header = ip->proto;
> +		if (entry->mode == IPSEC_SA_MODE_TUNNEL && !esp)
> +			ah->next_header = ODPH_IPV4;
> +		else
> +			ah->next_header = ip->proto;
>   		ip->proto = ODPH_IPPROTO_AH;
>   
>   		ip->chksum = 0;
> @@ -875,8 +935,11 @@ pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
>   	ctx->ipsec.trl_len = trl_len;
>   	ctx->ipsec.ah_offset = ah ? ((uint8_t *)ah) - buf : 0;
>   	ctx->ipsec.esp_offset = esp ? ((uint8_t *)esp) - buf : 0;
> +	ctx->ipsec.tun_hdr_offset = (entry->mode == IPSEC_SA_MODE_TUNNEL) ?
> +				       ((uint8_t *)ip - buf) : 0;
>   	ctx->ipsec.ah_seq = &entry->state.ah_seq;
>   	ctx->ipsec.esp_seq = &entry->state.esp_seq;
> +	ctx->ipsec.tun_hdr_id = &entry->state.tun_hdr_id;
>   	memcpy(&ctx->ipsec.params, &params, sizeof(params));
>   
>   	*skip = FALSE;
> @@ -915,6 +978,20 @@ pkt_disposition_e do_ipsec_out_seq(odp_packet_t pkt,
>   		esp = (odph_esphdr_t *)(ctx->ipsec.esp_offset + buf);
>   		esp->seq_no = odp_cpu_to_be_32((*ctx->ipsec.esp_seq)++);
>   	}
> +	if (ctx->ipsec.tun_hdr_offset) {
> +		odph_ipv4hdr_t *ip;
> +		int ret;
> +		ip = (odph_ipv4hdr_t *)(ctx->ipsec.tun_hdr_offset + buf);
> +		ip->id = odp_cpu_to_be_16((*ctx->ipsec.tun_hdr_id)++);
> +		if (!ip->id) {
> +			/* re-init tunnel hdr id */
> +			ret = odp_random_data((uint8_t *)ctx->ipsec.tun_hdr_id,
> +					      sizeof(*ctx->ipsec.tun_hdr_id),
> +					      1);
> +			if (ret != sizeof(*ctx->ipsec.tun_hdr_id))
> +				abort();
> +		}
> +	}
>   
>   	/* Issue crypto request */
>   	if (odp_crypto_operation(&ctx->ipsec.params,
> @@ -1306,8 +1383,9 @@ static void parse_args(int argc, char *argv[], appl_args_t *appl_args)
>   		{"mode", required_argument, NULL, 'm'},		/* return 'm' */
>   		{"route", required_argument, NULL, 'r'},	/* return 'r' */
>   		{"policy", required_argument, NULL, 'p'},	/* return 'p' */
> -		{"ah", required_argument, NULL, 'a'},	        /* return 'a' */
> -		{"esp", required_argument, NULL, 'e'},	        /* return 'e' */
> +		{"ah", required_argument, NULL, 'a'},		/* return 'a' */
> +		{"esp", required_argument, NULL, 'e'},		/* return 'e' */
> +		{"tunnel", required_argument, NULL, 't'},       /* return 't' */
>   		{"stream", required_argument, NULL, 's'},	/* return 's' */
>   		{"help", no_argument, NULL, 'h'},		/* return 'h' */
>   		{NULL, 0, NULL, 0}
> @@ -1318,7 +1396,7 @@ static void parse_args(int argc, char *argv[], appl_args_t *appl_args)
>   	appl_args->mode = 0;  /* turn off async crypto API by default */
>   
>   	while (!rc) {
> -		opt = getopt_long(argc, argv, "+c:i:m:h:r:p:a:e:s:",
> +		opt = getopt_long(argc, argv, "+c:i:m:h:r:p:a:e:t:s:",
>   				  longopts, &long_index);
>   
>   		if (-1 == opt)
> @@ -1389,6 +1467,10 @@ static void parse_args(int argc, char *argv[], appl_args_t *appl_args)
>   			rc = create_sa_db_entry(optarg, TRUE);
>   			break;
>   
> +		case 't':
> +			rc = create_tun_db_entry(optarg);
> +			break;
> +
>   		case 's':
>   			rc = create_stream_db_entry(optarg);
>   			break;
> @@ -1449,6 +1531,7 @@ static void print_info(char *progname, appl_args_t *appl_args)
>   	dump_fwd_db();
>   	dump_sp_db();
>   	dump_sa_db();
> +	dump_tun_db();
>   	printf("\n\n");
>   	fflush(NULL);
>   }
> diff --git a/example/ipsec/odp_ipsec_cache.c b/example/ipsec/odp_ipsec_cache.c
> index 12b960d..046e43c 100644
> --- a/example/ipsec/odp_ipsec_cache.c
> +++ b/example/ipsec/odp_ipsec_cache.c
> @@ -38,6 +38,7 @@ void init_ipsec_cache(void)
>   
>   int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
>   			     sa_db_entry_t *auth_sa,
> +			     tun_db_entry_t *tun,
>   			     crypto_api_mode_e api_mode,
>   			     odp_bool_t in,
>   			     odp_queue_t completionq,
> @@ -47,12 +48,18 @@ int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
>   	ipsec_cache_entry_t *entry;
>   	enum odp_crypto_ses_create_err ses_create_rc;
>   	odp_crypto_session_t session;
> +	sa_mode_t mode = IPSEC_SA_MODE_TRANSPORT;
>   
>   	/* Verify we have a good entry */
>   	entry = &ipsec_cache->array[ipsec_cache->index];
>   	if (MAX_DB <= ipsec_cache->index)
>   		return -1;
>   
> +	/* Verify SA mode match in case of cipher&auth */
> +	if (cipher_sa && auth_sa &&
> +	    (cipher_sa->mode != auth_sa->mode))
> +		return -1;
> +
>   	/* Setup parameters and call crypto library to create session */
>   	params.op = (in) ? ODP_CRYPTO_OP_DECODE : ODP_CRYPTO_OP_ENCODE;
>   	params.auth_cipher_text = TRUE;
> @@ -79,6 +86,7 @@ int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
>   		params.cipher_key.length  = cipher_sa->key.length;
>   		params.iv.data = entry->state.iv;
>   		params.iv.length = cipher_sa->iv_len;
> +		mode = cipher_sa->mode;
>   	} else {
>   		params.cipher_alg = ODP_CIPHER_ALG_NULL;
>   		params.iv.data = NULL;
> @@ -90,6 +98,7 @@ int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
>   		params.auth_alg = auth_sa->alg.u.auth;
>   		params.auth_key.data = auth_sa->key.data;
>   		params.auth_key.length = auth_sa->key.length;
> +		mode = auth_sa->mode;
>   	} else {
>   		params.auth_alg = ODP_AUTH_ALG_NULL;
>   	}
> @@ -128,6 +137,24 @@ int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
>   		memcpy(&entry->ah.key, &auth_sa->key, sizeof(ipsec_key_t));
>   	}
>   
> +	if (tun) {
> +		entry->tun_src_ip = tun->tun_src_ip;
> +		entry->tun_dst_ip = tun->tun_dst_ip;
> +		mode = IPSEC_SA_MODE_TUNNEL;
> +
> +		int ret;
> +		if (!in) {
> +			/* init tun hdr id */
> +			ret = odp_random_data((uint8_t *)
> +					      &entry->state.tun_hdr_id,
> +					      sizeof(entry->state.tun_hdr_id),
> +					      1);
> +			if (ret != sizeof(entry->state.tun_hdr_id))
> +				return -1;
> +		}
> +	}
> +	entry->mode = mode;
> +
>   	/* Initialize state */
>   	entry->state.esp_seq = 0;
>   	entry->state.ah_seq = 0;
> @@ -156,7 +183,9 @@ ipsec_cache_entry_t *find_ipsec_cache_entry_in(uint32_t src_ip,
>   	/* Look for a hit */
>   	for (; NULL != entry; entry = entry->next) {
>   		if ((entry->src_ip != src_ip) || (entry->dst_ip != dst_ip))
> -			continue;
> +			if ((entry->tun_src_ip != src_ip) ||
> +			    (entry->tun_dst_ip != dst_ip))
> +				continue;
>   		if (ah &&
>   		    ((!entry->ah.alg) ||
>   		     (entry->ah.spi != odp_be_to_cpu_32(ah->spi))))
> diff --git a/example/ipsec/odp_ipsec_cache.h b/example/ipsec/odp_ipsec_cache.h
> index 714cae8..6b1be5f 100644
> --- a/example/ipsec/odp_ipsec_cache.h
> +++ b/example/ipsec/odp_ipsec_cache.h
> @@ -34,6 +34,9 @@ typedef struct ipsec_cache_entry_s {
>   	odp_bool_t                   in_place;    /**< Crypto API mode */
>   	uint32_t                     src_ip;      /**< Source v4 address */
>   	uint32_t                     dst_ip;      /**< Destination v4 address */
> +	sa_mode_t		     mode;        /**< SA mode - transport/tun */
> +	uint32_t                     tun_src_ip;  /**< Tunnel src IPv4 addr */
> +	uint32_t                     tun_dst_ip;  /**< Tunnel dst IPv4 addr */
>   	struct {
>   		enum  odp_cipher_alg alg;         /**< Cipher algorithm */
>   		uint32_t             spi;         /**< Cipher SPI */
> @@ -54,6 +57,7 @@ typedef struct ipsec_cache_entry_s {
>   		uint32_t      esp_seq;         /**< ESP TX sequence number */
>   		uint32_t      ah_seq;          /**< AH TX sequence number */
>   		uint8_t       iv[MAX_IV_LEN];  /**< ESP IV storage */
> +		uint16be_t    tun_hdr_id;      /**< Tunnel header IP ID */
>   	} state;
>   } ipsec_cache_entry_t;
>   
> @@ -87,6 +91,7 @@ void init_ipsec_cache(void);
>    */
>   int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
>   			     sa_db_entry_t *auth_sa,
> +			     tun_db_entry_t *tun,
>   			     crypto_api_mode_e api_mode,
>   			     odp_bool_t in,
>   			     odp_queue_t completionq,
> diff --git a/example/ipsec/odp_ipsec_sa_db.c b/example/ipsec/odp_ipsec_sa_db.c
> index 5837cb6..78f43da 100644
> --- a/example/ipsec/odp_ipsec_sa_db.c
> +++ b/example/ipsec/odp_ipsec_sa_db.c
> @@ -1,7 +1,7 @@
>   /* Copyright (c) 2014, Linaro Limited
>    * All rights reserved.
>    *
> - * SPDX-License-Identifier:     BSD-3-Clause
> + * SPDX-License-Identifier:	BSD-3-Clause
>    */
>   
>   /* enable strtok */
> @@ -19,6 +19,9 @@
>   /** Global pointer to sa db */
>   static sa_db_t *sa_db;
>   
> +/** Global pointer to tun db */
> +static tun_db_t *tun_db;
> +
>   void init_sa_db(void)
>   {
>   	odp_shm_t shm;
> @@ -37,6 +40,22 @@ void init_sa_db(void)
>   	memset(sa_db, 0, sizeof(*sa_db));
>   }
>   
> +void init_tun_db(void)
> +{
> +	odp_shm_t shm;
> +	shm = odp_shm_reserve("shm_tun_db",
> +			      sizeof(tun_db_t),
> +			      ODP_CACHE_LINE_SIZE,
> +			      0);
> +	tun_db = odp_shm_addr(shm);
> +
> +	if (tun_db == NULL) {
> +		EXAMPLE_ERR("Error: shared mem alloc failed.\n");
> +		exit(EXIT_FAILURE);
> +	}
> +	memset(tun_db, 0, sizeof(*tun_db));
> +}
> +
>   int create_sa_db_entry(char *input, odp_bool_t cipher)
>   {
>   	int pos = 0;
> @@ -81,7 +100,7 @@ int create_sa_db_entry(char *input, odp_bool_t cipher)
>   					entry->alg.u.cipher =
>   						ODP_CIPHER_ALG_3DES_CBC;
>   					entry->block_len  = 8;
> -					entry->iv_len     = 8;
> +					entry->iv_len	  = 8;
>   				} else {
>   					entry->alg.u.cipher =
>   						ODP_CIPHER_ALG_NULL;
> @@ -90,7 +109,7 @@ int create_sa_db_entry(char *input, odp_bool_t cipher)
>   				if (0 == strcmp(token, "md5")) {
>   					entry->alg.u.auth =
>   						ODP_AUTH_ALG_MD5_96;
> -					entry->icv_len    = 12;
> +					entry->icv_len	  = 12;
>   				} else {
>   					entry->alg.u.auth = ODP_AUTH_ALG_NULL;
>   				}
> @@ -132,6 +151,89 @@ int create_sa_db_entry(char *input, odp_bool_t cipher)
>   	return 0;
>   }
>   
> +int create_tun_db_entry(char *input)
> +{
> +	int pos = 0;
> +	char *local;
> +	char *str;
> +	char *save;
> +	char *token;
> +	tun_db_entry_t *entry = &tun_db->array[tun_db->index];
> +
> +	/* Verify we have a good entry */
> +	if (MAX_DB <= tun_db->index)
> +		return -1;
> +
> +	/* Make a local copy */
> +	local = malloc(strlen(input) + 1);
> +	if (NULL == local)
> +		return -1;
> +	strcpy(local, input);
> +
> +	/* Setup for using "strtok_r" to search input string */
> +	str = local;
> +	save = NULL;
> +
> +	/* Parse tokens separated by ':' */
> +	while (NULL != (token = strtok_r(str, ":", &save))) {
> +		str = NULL;  /* reset str for subsequent strtok_r calls */
> +
> +		/* Parse token based on its position */
> +		switch (pos) {
> +		case 0:
> +			parse_ipv4_string(token, &entry->src_ip, NULL);
> +			break;
> +		case 1:
> +			parse_ipv4_string(token, &entry->dst_ip, NULL);
> +			break;
> +		case 2:
> +			parse_ipv4_string(token, &entry->tun_src_ip, NULL);
> +			break;
> +		case 3:
> +			parse_ipv4_string(token, &entry->tun_dst_ip, NULL);
> +			break;
> +		default:
> +			printf("ERROR: extra token \"%s\" at position %d\n",
> +			       token, pos);
> +			break;
> +		}
> +		pos++;
> +	}
> +
> +	/* Verify we parsed exactly the number of tokens we expected */
> +	if (4 != pos) {
> +		printf("ERROR: \"%s\" contains %d tokens, expected 4\n",
> +		       input,
> +		       pos);
> +		free(local);
> +		return -1;
> +	}
> +
> +	/* Add route to the list */
> +	tun_db->index++;
> +	entry->next = tun_db->list;
> +	tun_db->list = entry;
> +
> +	free(local);
> +	return 0;
> +}
> +
> +tun_db_entry_t *find_tun_db_entry(uint32_t ip_src,
> +					uint32_t ip_dst)
> +{
> +	tun_db_entry_t *entry = NULL;
> +
> +	/* Scan all entries and return first match */
> +	for (entry = tun_db->list; NULL != entry; entry = entry->next) {
> +		if (entry->src_ip != ip_src)
> +			continue;
> +		if (entry->dst_ip != ip_dst)
> +			continue;
> +		break;
> +	}
> +	return entry;
> +}
> +
>   void dump_sa_db(void)
>   {
>   	sa_db_entry_t *entry;
> @@ -182,3 +284,28 @@ sa_db_entry_t *find_sa_db_entry(ip_addr_range_t *src,
>   	}
>   	return entry;
>   }
> +
> +void dump_tun_db(void)
> +{
> +	tun_db_entry_t *entry;
> +
> +	printf("\n"
> +	       "Tunnel table\n"
> +	       "--------------------------\n");
> +
> +	for (entry = tun_db->list; NULL != entry; entry = entry->next) {
> +		char src_ip_str[MAX_STRING];
> +		char dst_ip_str[MAX_STRING];
> +		char tun_src_ip_str[MAX_STRING];
> +		char tun_dst_ip_str[MAX_STRING];
> +
> +		printf(" %s:%s %s:%s ",
> +		       ipv4_addr_str(src_ip_str, entry->src_ip),
> +		       ipv4_addr_str(dst_ip_str, entry->dst_ip),
> +		       ipv4_addr_str(tun_src_ip_str, entry->tun_src_ip),
> +		       ipv4_addr_str(tun_dst_ip_str, entry->tun_dst_ip)
> +		      );
> +
> +		printf("\n");
> +	}
> +}
> diff --git a/example/ipsec/odp_ipsec_sa_db.h b/example/ipsec/odp_ipsec_sa_db.h
> index c30cbdb..79bfc78 100644
> --- a/example/ipsec/odp_ipsec_sa_db.h
> +++ b/example/ipsec/odp_ipsec_sa_db.h
> @@ -13,6 +13,10 @@ extern "C" {
>   
>   #include <odp_ipsec_misc.h>
>   
> +typedef enum sa_mode_s {
> +	IPSEC_SA_MODE_TRANSPORT,
> +	IPSEC_SA_MODE_TUNNEL
> +} sa_mode_t;
>   /**
>    * Security Assocation (SA) data base entry
>    */
> @@ -26,6 +30,7 @@ typedef struct sa_db_entry_s {
>   	uint32_t              block_len; /**< Cipher block length */
>   	uint32_t              iv_len;    /**< Initialization Vector length */
>   	uint32_t              icv_len;   /**< Integrity Check Value length */
> +	sa_mode_t             mode;      /**< SA mode - transport/tun */
>   } sa_db_entry_t;
>   
>   /**
> @@ -37,6 +42,7 @@ typedef struct sa_db_s {
>   	sa_db_entry_t    array[MAX_DB];  /**< Entry storage */
>   } sa_db_t;
>   
> +
>   /** Initialize SA database global control structure */
>   void init_sa_db(void);
>   
> @@ -69,6 +75,57 @@ sa_db_entry_t *find_sa_db_entry(ip_addr_range_t *src,
>   				ip_addr_range_t *dst,
>   				odp_bool_t cipher);
>   
> +/**
> + * Tunnel entry
> + */
> +typedef struct tun_db_entry_s {
> +	struct tun_db_entry_s *next;
> +	uint32_t        src_ip;        /**< Inner Source IPv4 address */
> +	uint32_t        dst_ip;        /**< Inner Destination IPv4 address */
> +	uint32_t        tun_src_ip; /**< Tunnel Source IPv4 address */
> +	uint32_t        tun_dst_ip; /**< Tunnel Source IPv4 address */
> +} tun_db_entry_t;
> +
> +/**
> + * Tunnel database
> + */
> +typedef struct tun_db_s {
> +	uint32_t         index;          /**< Index of next available entry */
> +	tun_db_entry_t *list;	 /**< List of active entries */
> +	tun_db_entry_t array[MAX_DB]; /**< Entry storage */
> +} tun_db_t;
> +
> +/** Initialize tun database global control structure */
> +void init_tun_db(void);
> +
> +/**
> + * Create an tunnel DB entry
> + *
> + * String is of the format "SrcIP:DstIP:TunSrcIp:TunDstIp"
> + *
> + * @param input  Pointer to string describing tun
> + *
> + * @return 0 if successful else -1
> + */
> +int create_tun_db_entry(char *input);
> +
> +/**
> + * Display the tun DB
> + */
> +void dump_tun_db(void);
> +
> +/**
> + * Find a matching tun DB entry
> + *
> + * @param ip_src    Inner source IP address
> + * @param ip_dst    Inner destination IP address
> + *
> + * @return pointer to tun DB entry else NULL
> + */
> +tun_db_entry_t *find_tun_db_entry(uint32_t ip_src,
> +					uint32_t ip_dst);
> +
> +
>   #ifdef __cplusplus
>   }
>   #endif
> diff --git a/example/ipsec/odp_ipsec_stream.c b/example/ipsec/odp_ipsec_stream.c
> index 35042f5..69f73f1 100644
> --- a/example/ipsec/odp_ipsec_stream.c
> +++ b/example/ipsec/odp_ipsec_stream.c
> @@ -169,18 +169,24 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   				uint8_t *dmac,
>   				odp_pool_t pkt_pool)
>   {
> -	ipsec_cache_entry_t *entry = stream->input.entry;
> +	ipsec_cache_entry_t *entry = NULL;
>   	odp_packet_t pkt;
>   	uint8_t *base;
>   	uint8_t *data;
>   	odph_ethhdr_t *eth;
>   	odph_ipv4hdr_t *ip;
> +	odph_ipv4hdr_t *inner_ip = NULL;
>   	odph_ahhdr_t *ah = NULL;
>   	odph_esphdr_t *esp = NULL;
>   	odph_icmphdr_t *icmp;
>   	stream_pkt_hdr_t *test;
>   	unsigned i;
>   
> +	if (stream->input.entry)
> +		entry = stream->input.entry;
> +	else if (stream->output.entry)
> +		entry = stream->output.entry;
> +
>   	/* Get packet */
>   	pkt = odp_packet_alloc(pkt_pool, 0);
>   	if (ODP_PACKET_INVALID == pkt)
> @@ -205,13 +211,22 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   	/* Wait until almost finished to fill in mutable fields */
>   	memset((char *)ip, 0, sizeof(*ip));
>   	ip->ver_ihl = 0x45;
> -	ip->proto = ODPH_IPPROTO_ICMP;
>   	ip->id = odp_cpu_to_be_16(stream->id);
> -	ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
> -	ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
> +	/* Outer IP header in tunnel mode */
> +	if (entry && entry->mode == IPSEC_SA_MODE_TUNNEL &&
> +	    (entry == stream->input.entry)) {
> +		ip->proto = ODPH_IPV4;
> +		ip->src_addr = odp_cpu_to_be_32(entry->tun_src_ip);
> +		ip->dst_addr = odp_cpu_to_be_32(entry->tun_dst_ip);
> +	} else {
> +		ip->proto = ODPH_IPPROTO_ICMP;
> +		ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
> +		ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
> +	}
>   
>   	/* AH (if specified) */
> -	if (entry && (ODP_AUTH_ALG_NULL != entry->ah.alg)) {
> +	if (entry && (entry == stream->input.entry) &&
> +	    (ODP_AUTH_ALG_NULL != entry->ah.alg)) {
>   		if (ODP_AUTH_ALG_MD5_96 != entry->ah.alg)
>   			abort();
>   
> @@ -226,7 +241,8 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   	}
>   
>   	/* ESP (if specified) */
> -	if (entry && (ODP_CIPHER_ALG_NULL != entry->esp.alg)) {
> +	if (entry && (entry == stream->input.entry) &&
> +	    (ODP_CIPHER_ALG_NULL != entry->esp.alg)) {
>   		if (ODP_CIPHER_ALG_3DES_CBC != entry->esp.alg)
>   			abort();
>   
> @@ -239,6 +255,23 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   		RAND_bytes(esp->iv, 8);
>   	}
>   
> +	/* Inner IP header in tunnel mode */
> +	if (entry && (entry == stream->input.entry) &&
> +	    (entry->mode == IPSEC_SA_MODE_TUNNEL)) {
> +		inner_ip = (odph_ipv4hdr_t *)data;
> +		memset((char *)inner_ip, 0, sizeof(*inner_ip));
> +		inner_ip->ver_ihl = 0x45;
> +		inner_ip->proto = ODPH_IPPROTO_ICMP;
> +		inner_ip->id = odp_cpu_to_be_16(stream->id);
> +		inner_ip->ttl = 64;
> +		inner_ip->tos = 0;
> +		inner_ip->frag_offset = 0;
> +		inner_ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
> +		inner_ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
> +		inner_ip->chksum = odp_chksum(inner_ip, sizeof(inner_ip));
> +		data += sizeof(*inner_ip);
> +	}
> +
>   	/* ICMP header so we can see it on wireshark */
>   	icmp = (odph_icmphdr_t *)data;
>   	data += sizeof(*icmp);
> @@ -261,6 +294,13 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   	/* Close ESP if specified */
>   	if (esp) {
>   		int payload_len = data - (uint8_t *)icmp;
> +		uint8_t *encrypt_start = (uint8_t *)icmp;
> +
> +		if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> +			payload_len = data - (uint8_t *)inner_ip;
> +			encrypt_start = (uint8_t *)inner_ip;
> +		}
> +
>   		int encrypt_len;
>   		odph_esptrl_t *esp_t;
>   		DES_key_schedule ks1, ks2, ks3;
> @@ -282,8 +322,8 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   		DES_set_key((DES_cblock *)&entry->esp.key.data[8], &ks2);
>   		DES_set_key((DES_cblock *)&entry->esp.key.data[16], &ks3);
>   
> -		DES_ede3_cbc_encrypt((uint8_t *)icmp,
> -				     (uint8_t *)icmp,
> +		DES_ede3_cbc_encrypt(encrypt_start,
> +				     encrypt_start,
>   				     encrypt_len,
>   				     &ks1,
>   				     &ks2,
> @@ -332,7 +372,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
>   odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
>   			      odp_packet_t pkt)
>   {
> -	ipsec_cache_entry_t *entry = stream->output.entry;
> +	ipsec_cache_entry_t *entry = NULL;
>   	uint8_t *data;
>   	odph_ipv4hdr_t *ip;
>   	odph_ahhdr_t *ah = NULL;
> @@ -340,6 +380,12 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
>   	int hdr_len;
>   	odph_icmphdr_t *icmp;
>   	stream_pkt_hdr_t *test;
> +	uint32_t src_ip, dst_ip;
> +
> +	if (stream->input.entry)
> +		entry = stream->input.entry;
> +	else if (stream->output.entry)
> +		entry = stream->output.entry;
>   
>   	/* Basic IPv4 verify (add checksum verification) */
>   	data = odp_packet_l3_ptr(pkt, NULL);
> @@ -347,13 +393,29 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
>   	data += sizeof(*ip);
>   	if (0x45 != ip->ver_ihl)
>   		return FALSE;
> -	if (stream->src_ip != odp_be_to_cpu_32(ip->src_addr))
> +
> +	src_ip = odp_be_to_cpu_32(ip->src_addr);
> +	dst_ip = odp_be_to_cpu_32(ip->dst_addr);
> +	if ((stream->src_ip != src_ip) && stream->output.entry &&
> +	    (stream->output.entry->tun_src_ip != src_ip))
> +		return FALSE;
> +	if ((stream->dst_ip != dst_ip) && stream->output.entry &&
> +	    (stream->output.entry->tun_dst_ip != dst_ip))
> +		return FALSE;
> +
> +	if ((stream->src_ip != src_ip) && stream->input.entry &&
> +	    (stream->input.entry->tun_src_ip != src_ip))
>   		return FALSE;
> -	if (stream->dst_ip != odp_be_to_cpu_32(ip->dst_addr))
> +	if ((stream->dst_ip != dst_ip) && stream->input.entry &&
> +	    (stream->input.entry->tun_dst_ip != dst_ip))
>   		return FALSE;
>   
>   	/* Find IPsec headers if any and compare against entry */
>   	hdr_len = locate_ipsec_headers(ip, &ah, &esp);
> +
> +	/* Cleartext packet */
> +	if (!ah && !esp)
> +		goto clear_packet;
>   	if (ah) {
>   		if (!entry)
>   			return FALSE;
> @@ -446,12 +508,21 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
>   		ip->proto = esp_t->next_header;
>   	}
>   
> -	/* Verify ICMP packet */
> -	if (ODPH_IPPROTO_ICMP != ip->proto)
> -		return FALSE;
> +clear_packet:
> +	/* Verify IP/ICMP packet */
> +	if (entry && (entry->mode == IPSEC_SA_MODE_TUNNEL) && (ah || esp)) {
> +		if (ODPH_IPV4 != ip->proto)
> +			return FALSE;
> +		odph_ipv4hdr_t *inner_ip = (odph_ipv4hdr_t *)data;
> +		icmp = (odph_icmphdr_t *)(inner_ip + 1);
> +		data = (uint8_t *)icmp;
> +	} else {
> +		if (ODPH_IPPROTO_ICMP != ip->proto)
> +			return FALSE;
> +		icmp = (odph_icmphdr_t *)data;
> +	}
>   
>   	/* Verify ICMP header */
> -	icmp = (odph_icmphdr_t *)data;
>   	data += sizeof(*icmp);
>   	if (ICMP_ECHO != icmp->type)
>   		return FALSE;
Alexandru Badicioiu May 19, 2015, 6:42 a.m. UTC | #2
Hi Steve,
please find comments inline.

Alex

On 19 May 2015 at 04:13, Steve Kordus (skordus) <skordus@cisco.com> wrote:

> Sorry it took so long.
>
> I just  have a couple of  questions/comments (see the SRK>>> imbedded  in
> the diffs below), otherwise it looked fine to me.
>
> Steve
>
>
> -----Original Message-----
> From: Robbie King (robking)
> Sent: Monday, May 18, 2015 1:47 PM
> To: Maxim Uvarov; lng-odp@lists.linaro.org
> Cc: Steve Kordus (skordus)
> Subject: RE: [lng-odp] [PATCH 1/2] examples: ipsec: tunnel mode support
>
> Hi Maxim, Steve Kordus is going to handle this one.
>
> Thanks Steve!
>
> -----Original Message-----
> From: Maxim Uvarov [mailto:maxim.uvarov@linaro.org]
> Sent: Monday, May 18, 2015 12:56 PM
> To: lng-odp@lists.linaro.org; Robbie King (robking)
> Subject: Re: [lng-odp] [PATCH 1/2] examples: ipsec: tunnel mode support
>
> Hello Robbie,
>
> can you please review that patch and next 2/2 patch.
>
> Thanks,
> Maxim.
>
> On 05/11/2015 14:48, alexandru.badicioiu@linaro.org wrote:
> > From: Alexandru Badicioiu <alexandru.badicioiu@linaro.org>
> >
> > Tunnel mode is enabled from the command line using -t argument with
> > the following format: SrcIP:DstIP:TunnelSrcIP:TunnelDstIP.
> > SrcIP - cleartext packet source IP
> > DstIP - cleartext packet destination IP TunnelSrcIP - tunnel source IP
> > TunnelDstIP - tunnel destination IP
> >
> > The outbound packets matching SrcIP:DstIP will be encapsulated in a
> > TunnelSrcIP:TunnelDstIP IPSec tunnel (AH/ESP/AH+ESP) if a matching
> > outbound SA is determined (as for transport mode).
> > For inbound packets each entry in the IPSec cache is matched for the
> > cleartext addresses, as in the transport mode (SrcIP:DstIP) and then
> > for the tunnel addresses (TunnelSrcIP:TunnelDstIP) in case cleartext
> > addresses didn't match. After authentication and decryption tunneled
> > packets are verified against the tunnel entry (packets came in from
> > the expected tunnel).
> >
> > Signed-off-by: Alexandru Badicioiu <alexandru.badicioiu@linaro.org>
> > ---
> >   example/ipsec/odp_ipsec.c        |  105 +++++++++++++++++++++++++++---
> >   example/ipsec/odp_ipsec_cache.c  |   31 +++++++++-
> >   example/ipsec/odp_ipsec_cache.h  |    5 ++
> >   example/ipsec/odp_ipsec_sa_db.c  |  133
> +++++++++++++++++++++++++++++++++++++-
> >   example/ipsec/odp_ipsec_sa_db.h  |   57 ++++++++++++++++
> >   example/ipsec/odp_ipsec_stream.c |  101 ++++++++++++++++++++++++----
> >   6 files changed, 402 insertions(+), 30 deletions(-)
> >
> > diff --git a/example/ipsec/odp_ipsec.c b/example/ipsec/odp_ipsec.c
> > index cb8f535..e325347 100644
> > --- a/example/ipsec/odp_ipsec.c
> > +++ b/example/ipsec/odp_ipsec.c
> > @@ -135,13 +135,20 @@ typedef struct {
> >       uint8_t  ip_ttl;         /**< Saved IP TTL value */
> >       int      hdr_len;        /**< Length of IPsec headers */
> >       int      trl_len;        /**< Length of IPsec trailers */
> > +     uint16_t tun_hdr_offset; /**< Offset of tunnel header from
> > +                                   buffer start */
> >       uint16_t ah_offset;      /**< Offset of AH header from buffer
> start */
> >       uint16_t esp_offset;     /**< Offset of ESP header from buffer
> start */
> >
> > +     /* Input only */
> > +     uint32_t src_ip;         /**< SA source IP address */
> > +     uint32_t dst_ip;         /**< SA dest IP address */
> > +
> >       /* Output only */
> >       odp_crypto_op_params_t params;  /**< Parameters for crypto call */
> >       uint32_t *ah_seq;               /**< AH sequence number location */
> >       uint32_t *esp_seq;              /**< ESP sequence number location
> */
> > +     uint16_t *tun_hdr_id;           /**< Tunnel header ID > */
> >   } ipsec_ctx_t;
> >
> >   /**
> > @@ -357,6 +364,7 @@ void ipsec_init_pre(void)
> >       /* Initialize our data bases */
> >       init_sp_db();
> >       init_sa_db();
> > +     init_tun_db();
> >       init_ipsec_cache();
> >   }
> >
> > @@ -376,19 +384,27 @@ void ipsec_init_post(crypto_api_mode_e api_mode)
> >       for (entry = sp_db->list; NULL != entry; entry = entry->next) {
> >               sa_db_entry_t *cipher_sa = NULL;
> >               sa_db_entry_t *auth_sa = NULL;
> > +             tun_db_entry_t *tun;
> >
> > -             if (entry->esp)
> > +             if (entry->esp) {
> >                       cipher_sa = find_sa_db_entry(&entry->src_subnet,
> >                                                    &entry->dst_subnet,
> >                                                    1);
> > -             if (entry->ah)
> > +                     tun = find_tun_db_entry(cipher_sa->src_ip,
> > +                                                   cipher_sa->dst_ip);
> > +             }
> > +             if (entry->ah) {
> >                       auth_sa = find_sa_db_entry(&entry->src_subnet,
> >                                                  &entry->dst_subnet,
> >                                                  0);
> > +                     tun = find_tun_db_entry(auth_sa->src_ip,
> > +                                                   auth_sa->dst_ip);
> > +             }
> >
> >               if (cipher_sa || auth_sa) {
> >                       if (create_ipsec_cache_entry(cipher_sa,
> >                                                    auth_sa,
> > +                                                  tun,
> >                                                    api_mode,
> >                                                    entry->input,
> >                                                    completionq,
> > @@ -661,6 +677,8 @@ pkt_disposition_e do_ipsec_in_classify(odp_packet_t
> pkt,
> >       ctx->ipsec.esp_offset = esp ? ((uint8_t *)esp) - buf : 0;
> >       ctx->ipsec.hdr_len = hdr_len;
> >       ctx->ipsec.trl_len = 0;
> > +     ctx->ipsec.src_ip = entry->src_ip;
> > +     ctx->ipsec.dst_ip = entry->dst_ip;
> >
> >       /*If authenticating, zero the mutable fields build the request */
> >       if (ah) {
> > @@ -741,6 +759,23 @@ pkt_disposition_e do_ipsec_in_finish(odp_packet_t
> pkt,
> >               trl_len += esp_t->pad_len + sizeof(*esp_t);
> >       }
> >
> > +     /* We have a tunneled IPv4 packet */
> > +     if (ip->proto == ODPH_IPV4) {
> > +             odp_packet_pull_head(pkt, sizeof(*ip) + hdr_len);
> > +             odp_packet_pull_tail(pkt, trl_len);
> > +             odph_ethhdr_t *eth;
> > +             eth = (odph_ethhdr_t *)odp_packet_l2_ptr(pkt, NULL);
> > +             eth->type = ODPH_ETHTYPE_IPV4;
> > +             ip = (odph_ipv4hdr_t *)odp_packet_l3_ptr(pkt, NULL);
> > +
> > +             /* Check inbound policy */
> > +             if ((ip->src_addr != ctx->ipsec.src_ip ||
> > +                  ip->dst_addr != ctx->ipsec.dst_ip))
> > +                     return PKT_DROP;
> > +
> > +             return PKT_CONTINUE;
> > +     }
> > +
> >       /* Finalize the IPv4 header */
> >       ipv4_adjust_len(ip, -(hdr_len + trl_len));
> >       ip->ttl = ctx->ipsec.ip_ttl;
> > @@ -812,9 +847,13 @@ pkt_disposition_e
> do_ipsec_out_classify(odp_packet_t pkt,
> >       params.pkt = pkt;
> >       params.out_pkt = entry->in_place ? pkt : ODP_PACKET_INVALID;
> >
> > +     if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> > +             hdr_len += sizeof(odph_ipv4hdr_t);
> > +             ip_data = (uint8_t *)ip;
> > +     }
> >       /* Compute ah and esp, determine length of headers, move the data
> */
> >       if (entry->ah.alg) {
> > -             ah = (odph_ahhdr_t *)(ip_data);
> > +             ah = (odph_ahhdr_t *)(ip_data + hdr_len);
> >               hdr_len += sizeof(odph_ahhdr_t);
> >               hdr_len += entry->ah.icv_len;
> >       }
> > @@ -826,21 +865,39 @@ pkt_disposition_e
> do_ipsec_out_classify(odp_packet_t pkt,
> >       memmove(ip_data + hdr_len, ip_data, ip_data_len);
> >       ip_data += hdr_len;
> >
> > +     /* update outer header in tunnel mode */
> > +     if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> > +             /* tunnel addresses */
> > +             ip->src_addr = odp_cpu_to_be_32(entry->tun_src_ip);
> > +             ip->dst_addr = odp_cpu_to_be_32(entry->tun_dst_ip);
> > +     }
> > +
> >       /* For cipher, compute encrypt length, build headers and request */
> >       if (esp) {
> >               uint32_t encrypt_len;
> >               odph_esptrl_t *esp_t;
> >
> > -             encrypt_len = ESP_ENCODE_LEN(ip_data_len + sizeof(*esp_t),
> > -                                          entry->esp.block_len);
> > -             trl_len = encrypt_len - ip_data_len;
> > +             if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> > +                     encrypt_len = ESP_ENCODE_LEN(ip->tot_len +
> > +                                                  sizeof(*esp_t),
> > +                                                  entry->esp.block_len);
> > +                     trl_len = encrypt_len - ip->tot_len;
> > +             } else {
> > +                     encrypt_len = ESP_ENCODE_LEN(ip_data_len +
> > +                                                  sizeof(*esp_t),
> > +                                                  entry->esp.block_len);
> > +                     trl_len = encrypt_len - ip_data_len;
> > +             }
> >
> >               esp->spi = odp_cpu_to_be_32(entry->esp.spi);
> >               memcpy(esp + 1, entry->state.iv, entry->esp.iv_len);
> >
> >               esp_t = (odph_esptrl_t *)(ip_data + encrypt_len) - 1;
> >               esp_t->pad_len     = trl_len - sizeof(*esp_t);
> > -             esp_t->next_header = ip->proto;
> > +             if (entry->mode == IPSEC_SA_MODE_TUNNEL)
> > +                     esp_t->next_header = ODPH_IPV4;
> > +             else
> > +                     esp_t->next_header = ip->proto;
> >               ip->proto = ODPH_IPPROTO_ESP;
> >
> >               params.cipher_range.offset = ip_data - buf; @@ -852,7
> +909,10 @@
> > pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
> >               memset(ah, 0, sizeof(*ah) + entry->ah.icv_len);
> >               ah->spi = odp_cpu_to_be_32(entry->ah.spi);
> >               ah->ah_len = 1 + (entry->ah.icv_len / 4);
> > -             ah->next_header = ip->proto;
> > +             if (entry->mode == IPSEC_SA_MODE_TUNNEL && !esp)
> > +                     ah->next_header = ODPH_IPV4;
> > +             else
> > +                     ah->next_header = ip->proto;
> >               ip->proto = ODPH_IPPROTO_AH;
> >
> >               ip->chksum = 0;
> > @@ -875,8 +935,11 @@ pkt_disposition_e
> do_ipsec_out_classify(odp_packet_t pkt,
> >       ctx->ipsec.trl_len = trl_len;
> >       ctx->ipsec.ah_offset = ah ? ((uint8_t *)ah) - buf : 0;
> >       ctx->ipsec.esp_offset = esp ? ((uint8_t *)esp) - buf : 0;
> > +     ctx->ipsec.tun_hdr_offset = (entry->mode == IPSEC_SA_MODE_TUNNEL) ?
> > +                                    ((uint8_t *)ip - buf) : 0;
> >       ctx->ipsec.ah_seq = &entry->state.ah_seq;
> >       ctx->ipsec.esp_seq = &entry->state.esp_seq;
> > +     ctx->ipsec.tun_hdr_id = &entry->state.tun_hdr_id;
> >       memcpy(&ctx->ipsec.params, &params, sizeof(params));
> >
> >       *skip = FALSE;
> > @@ -915,6 +978,20 @@ pkt_disposition_e do_ipsec_out_seq(odp_packet_t pkt,
> >               esp = (odph_esphdr_t *)(ctx->ipsec.esp_offset + buf);
> >               esp->seq_no = odp_cpu_to_be_32((*ctx->ipsec.esp_seq)++);
> >       }
> > +     if (ctx->ipsec.tun_hdr_offset) {
> > +             odph_ipv4hdr_t *ip;
> > +             int ret;
> > +             ip = (odph_ipv4hdr_t *)(ctx->ipsec.tun_hdr_offset + buf);
> > +             ip->id = odp_cpu_to_be_16((*ctx->ipsec.tun_hdr_id)++);
> > +             if (!ip->id) {
> > +                     /* re-init tunnel hdr id */
> > +                     ret = odp_random_data((uint8_t
> *)ctx->ipsec.tun_hdr_id,
> > +
>  sizeof(*ctx->ipsec.tun_hdr_id),
> > +                                           1);
> > +                     if (ret != sizeof(*ctx->ipsec.tun_hdr_id))
> > +                             abort();
>
> SRK>>>  -- isn't there something like an odp_abort()  that should be used
> instead ?
>
[AB] - there's an ODP_ABORT macro but it is implementation internal.
Standard library abort() (used in many places in odp_ipsec) seems to be
norm, at least for now.

> > +             }
> > +     }
> >
> >       /* Issue crypto request */
> >       if (odp_crypto_operation(&ctx->ipsec.params,
> > @@ -1306,8 +1383,9 @@ static void parse_args(int argc, char *argv[],
> appl_args_t *appl_args)
> >               {"mode", required_argument, NULL, 'm'},         /* return
> 'm' */
> >               {"route", required_argument, NULL, 'r'},        /* return
> 'r' */
> >               {"policy", required_argument, NULL, 'p'},       /* return
> 'p' */
> > -             {"ah", required_argument, NULL, 'a'},           /* return
> 'a' */
> > -             {"esp", required_argument, NULL, 'e'},          /* return
> 'e' */
> > +             {"ah", required_argument, NULL, 'a'},           /* return
> 'a' */
> > +             {"esp", required_argument, NULL, 'e'},          /* return
> 'e' */
> > +             {"tunnel", required_argument, NULL, 't'},       /* return
> 't' */
> >               {"stream", required_argument, NULL, 's'},       /* return
> 's' */
> >               {"help", no_argument, NULL, 'h'},               /* return
> 'h' */
> >               {NULL, 0, NULL, 0}
> > @@ -1318,7 +1396,7 @@ static void parse_args(int argc, char *argv[],
> appl_args_t *appl_args)
> >       appl_args->mode = 0;  /* turn off async crypto API by default */
> >
> >       while (!rc) {
> > -             opt = getopt_long(argc, argv, "+c:i:m:h:r:p:a:e:s:",
> > +             opt = getopt_long(argc, argv, "+c:i:m:h:r:p:a:e:t:s:",
> >                                 longopts, &long_index);
> >
> >               if (-1 == opt)
> > @@ -1389,6 +1467,10 @@ static void parse_args(int argc, char *argv[],
> appl_args_t *appl_args)
> >                       rc = create_sa_db_entry(optarg, TRUE);
> >                       break;
> >
> > +             case 't':
> > +                     rc = create_tun_db_entry(optarg);
> > +                     break;
> > +
> >               case 's':
> >                       rc = create_stream_db_entry(optarg);
> >                       break;
> > @@ -1449,6 +1531,7 @@ static void print_info(char *progname, appl_args_t
> *appl_args)
> >       dump_fwd_db();
> >       dump_sp_db();
> >       dump_sa_db();
> > +     dump_tun_db();
> >       printf("\n\n");
> >       fflush(NULL);
> >   }
> > diff --git a/example/ipsec/odp_ipsec_cache.c
> > b/example/ipsec/odp_ipsec_cache.c index 12b960d..046e43c 100644
> > --- a/example/ipsec/odp_ipsec_cache.c
> > +++ b/example/ipsec/odp_ipsec_cache.c
> > @@ -38,6 +38,7 @@ void init_ipsec_cache(void)
> >
> >   int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
> >                            sa_db_entry_t *auth_sa,
> > +                          tun_db_entry_t *tun,
> >                            crypto_api_mode_e api_mode,
> >                            odp_bool_t in,
> >                            odp_queue_t completionq,
> > @@ -47,12 +48,18 @@ int create_ipsec_cache_entry(sa_db_entry_t
> *cipher_sa,
> >       ipsec_cache_entry_t *entry;
> >       enum odp_crypto_ses_create_err ses_create_rc;
> >       odp_crypto_session_t session;
> > +     sa_mode_t mode = IPSEC_SA_MODE_TRANSPORT;
> >
> >       /* Verify we have a good entry */
> >       entry = &ipsec_cache->array[ipsec_cache->index];
> >       if (MAX_DB <= ipsec_cache->index)
> >               return -1;
> >
> > +     /* Verify SA mode match in case of cipher&auth */
> > +     if (cipher_sa && auth_sa &&
> > +         (cipher_sa->mode != auth_sa->mode))
> > +             return -1;
> > +
> >       /* Setup parameters and call crypto library to create session */
> >       params.op = (in) ? ODP_CRYPTO_OP_DECODE : ODP_CRYPTO_OP_ENCODE;
> >       params.auth_cipher_text = TRUE;
> > @@ -79,6 +86,7 @@ int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
> >               params.cipher_key.length  = cipher_sa->key.length;
> >               params.iv.data = entry->state.iv;
> >               params.iv.length = cipher_sa->iv_len;
> > +             mode = cipher_sa->mode;
> >       } else {
> >               params.cipher_alg = ODP_CIPHER_ALG_NULL;
> >               params.iv.data = NULL;
> > @@ -90,6 +98,7 @@ int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
> >               params.auth_alg = auth_sa->alg.u.auth;
> >               params.auth_key.data = auth_sa->key.data;
> >               params.auth_key.length = auth_sa->key.length;
> > +             mode = auth_sa->mode;
> >       } else {
> >               params.auth_alg = ODP_AUTH_ALG_NULL;
> >       }
> > @@ -128,6 +137,24 @@ int create_ipsec_cache_entry(sa_db_entry_t
> *cipher_sa,
> >               memcpy(&entry->ah.key, &auth_sa->key, sizeof(ipsec_key_t));
> >       }
> >
> > +     if (tun) {
> > +             entry->tun_src_ip = tun->tun_src_ip;
> > +             entry->tun_dst_ip = tun->tun_dst_ip;
> > +             mode = IPSEC_SA_MODE_TUNNEL;
> > +
> > +             int ret;
> > +             if (!in) {
> > +                     /* init tun hdr id */
> > +                     ret = odp_random_data((uint8_t *)
> > +                                           &entry->state.tun_hdr_id,
> > +
>  sizeof(entry->state.tun_hdr_id),
> > +                                           1);
> > +                     if (ret != sizeof(entry->state.tun_hdr_id))
> > +                             return -1;
> > +             }
> > +     }
> > +     entry->mode = mode;
> > +
> >       /* Initialize state */
> >       entry->state.esp_seq = 0;
> >       entry->state.ah_seq = 0;
> > @@ -156,7 +183,9 @@ ipsec_cache_entry_t
> *find_ipsec_cache_entry_in(uint32_t src_ip,
> >       /* Look for a hit */
> >       for (; NULL != entry; entry = entry->next) {
> >               if ((entry->src_ip != src_ip) || (entry->dst_ip != dst_ip))
> > -                     continue;
> > +                     if ((entry->tun_src_ip != src_ip) ||
> > +                         (entry->tun_dst_ip != dst_ip))
> > +                             continue;
> >               if (ah &&
> >                   ((!entry->ah.alg) ||
> >                    (entry->ah.spi != odp_be_to_cpu_32(ah->spi)))) diff
> --git
> > a/example/ipsec/odp_ipsec_cache.h b/example/ipsec/odp_ipsec_cache.h
> > index 714cae8..6b1be5f 100644
> > --- a/example/ipsec/odp_ipsec_cache.h
> > +++ b/example/ipsec/odp_ipsec_cache.h
> > @@ -34,6 +34,9 @@ typedef struct ipsec_cache_entry_s {
> >       odp_bool_t                   in_place;    /**< Crypto API mode */
> >       uint32_t                     src_ip;      /**< Source v4 address */
> >       uint32_t                     dst_ip;      /**< Destination v4
> address */
> > +     sa_mode_t                    mode;        /**< SA mode -
> transport/tun */
> > +     uint32_t                     tun_src_ip;  /**< Tunnel src IPv4
> addr */
> > +     uint32_t                     tun_dst_ip;  /**< Tunnel dst IPv4
> addr */
> >       struct {
> >               enum  odp_cipher_alg alg;         /**< Cipher algorithm */
> >               uint32_t             spi;         /**< Cipher SPI */
> > @@ -54,6 +57,7 @@ typedef struct ipsec_cache_entry_s {
> >               uint32_t      esp_seq;         /**< ESP TX sequence number
> */
> >               uint32_t      ah_seq;          /**< AH TX sequence number
> */
> >               uint8_t       iv[MAX_IV_LEN];  /**< ESP IV storage */
> > +             uint16be_t    tun_hdr_id;      /**< Tunnel header IP ID */
> >       } state;
> >   } ipsec_cache_entry_t;
> >
> > @@ -87,6 +91,7 @@ void init_ipsec_cache(void);
> >    */
> >   int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
> >                            sa_db_entry_t *auth_sa,
> > +                          tun_db_entry_t *tun,
> SRK>>>  shouldn't the comments above this include a @param tun
> pupose/description added ?
>
[AB] I agree. A v2 patch will address this.

> >                            crypto_api_mode_e api_mode,
> >                            odp_bool_t in,
> >                            odp_queue_t completionq,
> > diff --git a/example/ipsec/odp_ipsec_sa_db.c
> > b/example/ipsec/odp_ipsec_sa_db.c index 5837cb6..78f43da 100644
> > --- a/example/ipsec/odp_ipsec_sa_db.c
> > +++ b/example/ipsec/odp_ipsec_sa_db.c
> > @@ -1,7 +1,7 @@
> >   /* Copyright (c) 2014, Linaro Limited
> >    * All rights reserved.
> >    *
> > - * SPDX-License-Identifier:     BSD-3-Clause
> > + * SPDX-License-Identifier:  BSD-3-Clause
> >    */
> >
> >   /* enable strtok */
> > @@ -19,6 +19,9 @@
> >   /** Global pointer to sa db */
> >   static sa_db_t *sa_db;
> >
> > +/** Global pointer to tun db */
> > +static tun_db_t *tun_db;
> > +
> >   void init_sa_db(void)
> >   {
> >       odp_shm_t shm;
> > @@ -37,6 +40,22 @@ void init_sa_db(void)
> >       memset(sa_db, 0, sizeof(*sa_db));
> >   }
> >
> > +void init_tun_db(void)
> > +{
> > +     odp_shm_t shm;
> > +     shm = odp_shm_reserve("shm_tun_db",
> > +                           sizeof(tun_db_t),
> > +                           ODP_CACHE_LINE_SIZE,
> > +                           0);
> > +     tun_db = odp_shm_addr(shm);
> > +
> > +     if (tun_db == NULL) {
> > +             EXAMPLE_ERR("Error: shared mem alloc failed.\n");
> > +             exit(EXIT_FAILURE);
> > +     }
> > +     memset(tun_db, 0, sizeof(*tun_db));
> > +}
> > +
> >   int create_sa_db_entry(char *input, odp_bool_t cipher)
> >   {
> >       int pos = 0;
> > @@ -81,7 +100,7 @@ int create_sa_db_entry(char *input, odp_bool_t cipher)
> >                                       entry->alg.u.cipher =
> >                                               ODP_CIPHER_ALG_3DES_CBC;
> >                                       entry->block_len  = 8;
> > -                                     entry->iv_len     = 8;
> > +                                     entry->iv_len     = 8;
> >                               } else {
> >                                       entry->alg.u.cipher =
> >                                               ODP_CIPHER_ALG_NULL;
> > @@ -90,7 +109,7 @@ int create_sa_db_entry(char *input, odp_bool_t cipher)
> >                               if (0 == strcmp(token, "md5")) {
> >                                       entry->alg.u.auth =
> >                                               ODP_AUTH_ALG_MD5_96;
> > -                                     entry->icv_len    = 12;
> > +                                     entry->icv_len    = 12;
> >                               } else {
> >                                       entry->alg.u.auth =
> ODP_AUTH_ALG_NULL;
> >                               }
> > @@ -132,6 +151,89 @@ int create_sa_db_entry(char *input, odp_bool_t
> cipher)
> >       return 0;
> >   }
> >
> > +int create_tun_db_entry(char *input)
> > +{
> > +     int pos = 0;
> > +     char *local;
> > +     char *str;
> > +     char *save;
> > +     char *token;
> > +     tun_db_entry_t *entry = &tun_db->array[tun_db->index];
> > +
> > +     /* Verify we have a good entry */
> > +     if (MAX_DB <= tun_db->index)
> > +             return -1;
> > +
> > +     /* Make a local copy */
> > +     local = malloc(strlen(input) + 1);
> > +     if (NULL == local)
> > +             return -1;
> > +     strcpy(local, input);
> > +
> > +     /* Setup for using "strtok_r" to search input string */
> > +     str = local;
> > +     save = NULL;
> > +
> > +     /* Parse tokens separated by ':' */
> > +     while (NULL != (token = strtok_r(str, ":", &save))) {
> > +             str = NULL;  /* reset str for subsequent strtok_r calls */
> > +
> > +             /* Parse token based on its position */
> > +             switch (pos) {
> > +             case 0:
> > +                     parse_ipv4_string(token, &entry->src_ip, NULL);
> > +                     break;
> > +             case 1:
> > +                     parse_ipv4_string(token, &entry->dst_ip, NULL);
> > +                     break;
> > +             case 2:
> > +                     parse_ipv4_string(token, &entry->tun_src_ip, NULL);
> > +                     break;
> > +             case 3:
> > +                     parse_ipv4_string(token, &entry->tun_dst_ip, NULL);
> > +                     break;
> > +             default:
> > +                     printf("ERROR: extra token \"%s\" at position
> %d\n",
> > +                            token, pos);
> > +                     break;
> > +             }
> > +             pos++;
> > +     }
> > +
> > +     /* Verify we parsed exactly the number of tokens we expected */
> > +     if (4 != pos) {
> > +             printf("ERROR: \"%s\" contains %d tokens, expected 4\n",
> > +                    input,
> > +                    pos);
> > +             free(local);
> > +             return -1;
> > +     }
> > +
> > +     /* Add route to the list */
> > +     tun_db->index++;
> > +     entry->next = tun_db->list;
> > +     tun_db->list = entry;
> > +
> > +     free(local);
> > +     return 0;
> > +}
> > +
> > +tun_db_entry_t *find_tun_db_entry(uint32_t ip_src,
> > +                                     uint32_t ip_dst)
> > +{
> > +     tun_db_entry_t *entry = NULL;
> > +
> > +     /* Scan all entries and return first match */
> > +     for (entry = tun_db->list; NULL != entry; entry = entry->next) {
> > +             if (entry->src_ip != ip_src)
> > +                     continue;
> > +             if (entry->dst_ip != ip_dst)
> > +                     continue;
> > +             break;
> > +     }
> > +     return entry;
> > +}
> > +
> >   void dump_sa_db(void)
> >   {
> >       sa_db_entry_t *entry;
> > @@ -182,3 +284,28 @@ sa_db_entry_t *find_sa_db_entry(ip_addr_range_t
> *src,
> >       }
> >       return entry;
> >   }
> > +
> > +void dump_tun_db(void)
> > +{
> > +     tun_db_entry_t *entry;
> > +
> > +     printf("\n"
> > +            "Tunnel table\n"
> > +            "--------------------------\n");
> > +
> > +     for (entry = tun_db->list; NULL != entry; entry = entry->next) {
> > +             char src_ip_str[MAX_STRING];
> > +             char dst_ip_str[MAX_STRING];
> > +             char tun_src_ip_str[MAX_STRING];
> > +             char tun_dst_ip_str[MAX_STRING];
> > +
> > +             printf(" %s:%s %s:%s ",
> > +                    ipv4_addr_str(src_ip_str, entry->src_ip),
> > +                    ipv4_addr_str(dst_ip_str, entry->dst_ip),
> > +                    ipv4_addr_str(tun_src_ip_str, entry->tun_src_ip),
> > +                    ipv4_addr_str(tun_dst_ip_str, entry->tun_dst_ip)
> > +                   );
> > +
> > +             printf("\n");
> > +     }
> > +}
> > diff --git a/example/ipsec/odp_ipsec_sa_db.h
> > b/example/ipsec/odp_ipsec_sa_db.h index c30cbdb..79bfc78 100644
> > --- a/example/ipsec/odp_ipsec_sa_db.h
> > +++ b/example/ipsec/odp_ipsec_sa_db.h
> > @@ -13,6 +13,10 @@ extern "C" {
> >
> >   #include <odp_ipsec_misc.h>
> >
> > +typedef enum sa_mode_s {
> > +     IPSEC_SA_MODE_TRANSPORT,
> > +     IPSEC_SA_MODE_TUNNEL
> > +} sa_mode_t;
> >   /**
> >    * Security Assocation (SA) data base entry
> >    */
> > @@ -26,6 +30,7 @@ typedef struct sa_db_entry_s {
> >       uint32_t              block_len; /**< Cipher block length */
> >       uint32_t              iv_len;    /**< Initialization Vector length
> */
> >       uint32_t              icv_len;   /**< Integrity Check Value length
> */
> > +     sa_mode_t             mode;      /**< SA mode - transport/tun */
> >   } sa_db_entry_t;
> >
> >   /**
> > @@ -37,6 +42,7 @@ typedef struct sa_db_s {
> >       sa_db_entry_t    array[MAX_DB];  /**< Entry storage */
> >   } sa_db_t;
> >
> > +
> >   /** Initialize SA database global control structure */
> >   void init_sa_db(void);
> >
> > @@ -69,6 +75,57 @@ sa_db_entry_t *find_sa_db_entry(ip_addr_range_t *src,
> >                               ip_addr_range_t *dst,
> >                               odp_bool_t cipher);
> >
> > +/**
> > + * Tunnel entry
> > + */
> > +typedef struct tun_db_entry_s {
> > +     struct tun_db_entry_s *next;
> > +     uint32_t        src_ip;        /**< Inner Source IPv4 address */
> > +     uint32_t        dst_ip;        /**< Inner Destination IPv4 address
> */
> > +     uint32_t        tun_src_ip; /**< Tunnel Source IPv4 address */
> > +     uint32_t        tun_dst_ip; /**< Tunnel Source IPv4 address */
> > +} tun_db_entry_t;
> > +
> > +/**
> > + * Tunnel database
> > + */
> > +typedef struct tun_db_s {
> > +     uint32_t         index;          /**< Index of next available
> entry */
> > +     tun_db_entry_t *list;    /**< List of active entries */
> > +     tun_db_entry_t array[MAX_DB]; /**< Entry storage */ } tun_db_t;
> > +
> > +/** Initialize tun database global control structure */ void
> > +init_tun_db(void);
> > +
> > +/**
> > + * Create an tunnel DB entry
> > + *
> > + * String is of the format "SrcIP:DstIP:TunSrcIp:TunDstIp"
> > + *
> > + * @param input  Pointer to string describing tun
> > + *
> > + * @return 0 if successful else -1
> > + */
> > +int create_tun_db_entry(char *input);
> > +
> > +/**
> > + * Display the tun DB
> > + */
> > +void dump_tun_db(void);
> > +
> > +/**
> > + * Find a matching tun DB entry
> > + *
> > + * @param ip_src    Inner source IP address
> > + * @param ip_dst    Inner destination IP address
> > + *
> > + * @return pointer to tun DB entry else NULL  */ tun_db_entry_t
> > +*find_tun_db_entry(uint32_t ip_src,
> > +                                     uint32_t ip_dst);
> > +
> > +
> >   #ifdef __cplusplus
> >   }
> >   #endif
> > diff --git a/example/ipsec/odp_ipsec_stream.c
> > b/example/ipsec/odp_ipsec_stream.c
> > index 35042f5..69f73f1 100644
> > --- a/example/ipsec/odp_ipsec_stream.c
> > +++ b/example/ipsec/odp_ipsec_stream.c
> > @@ -169,18 +169,24 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >                               uint8_t *dmac,
> >                               odp_pool_t pkt_pool)
> >   {
> > -     ipsec_cache_entry_t *entry = stream->input.entry;
> > +     ipsec_cache_entry_t *entry = NULL;
> >       odp_packet_t pkt;
> >       uint8_t *base;
> >       uint8_t *data;
> >       odph_ethhdr_t *eth;
> >       odph_ipv4hdr_t *ip;
> > +     odph_ipv4hdr_t *inner_ip = NULL;
> >       odph_ahhdr_t *ah = NULL;
> >       odph_esphdr_t *esp = NULL;
> >       odph_icmphdr_t *icmp;
> >       stream_pkt_hdr_t *test;
> >       unsigned i;
> >
> > +     if (stream->input.entry)
> > +             entry = stream->input.entry;
> > +     else if (stream->output.entry)
> > +             entry = stream->output.entry;
> > +
> >       /* Get packet */
> >       pkt = odp_packet_alloc(pkt_pool, 0);
> >       if (ODP_PACKET_INVALID == pkt)
> > @@ -205,13 +211,22 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >       /* Wait until almost finished to fill in mutable fields */
> >       memset((char *)ip, 0, sizeof(*ip));
> >       ip->ver_ihl = 0x45;
> > -     ip->proto = ODPH_IPPROTO_ICMP;
> >       ip->id = odp_cpu_to_be_16(stream->id);
> > -     ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
> > -     ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
> > +     /* Outer IP header in tunnel mode */
> > +     if (entry && entry->mode == IPSEC_SA_MODE_TUNNEL &&
> > +         (entry == stream->input.entry)) {
> > +             ip->proto = ODPH_IPV4;
> > +             ip->src_addr = odp_cpu_to_be_32(entry->tun_src_ip);
> > +             ip->dst_addr = odp_cpu_to_be_32(entry->tun_dst_ip);
> > +     } else {
> > +             ip->proto = ODPH_IPPROTO_ICMP;
> > +             ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
> > +             ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
> > +     }
> >
> >       /* AH (if specified) */
> > -     if (entry && (ODP_AUTH_ALG_NULL != entry->ah.alg)) {
> > +     if (entry && (entry == stream->input.entry) &&
> > +         (ODP_AUTH_ALG_NULL != entry->ah.alg)) {
> >               if (ODP_AUTH_ALG_MD5_96 != entry->ah.alg)
> >                       abort();
> >
> > @@ -226,7 +241,8 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >       }
> >
> >       /* ESP (if specified) */
> > -     if (entry && (ODP_CIPHER_ALG_NULL != entry->esp.alg)) {
> > +     if (entry && (entry == stream->input.entry) &&
> > +         (ODP_CIPHER_ALG_NULL != entry->esp.alg)) {
> >               if (ODP_CIPHER_ALG_3DES_CBC != entry->esp.alg)
> >                       abort();
> >
> > @@ -239,6 +255,23 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >               RAND_bytes(esp->iv, 8);
> >       }
> >
> > +     /* Inner IP header in tunnel mode */
> > +     if (entry && (entry == stream->input.entry) &&
> > +         (entry->mode == IPSEC_SA_MODE_TUNNEL)) {
> > +             inner_ip = (odph_ipv4hdr_t *)data;
> > +             memset((char *)inner_ip, 0, sizeof(*inner_ip));
> > +             inner_ip->ver_ihl = 0x45;
> > +             inner_ip->proto = ODPH_IPPROTO_ICMP;
> > +             inner_ip->id = odp_cpu_to_be_16(stream->id);
> > +             inner_ip->ttl = 64;
> > +             inner_ip->tos = 0;
> > +             inner_ip->frag_offset = 0;
> > +             inner_ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
> > +             inner_ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
> > +             inner_ip->chksum = odp_chksum(inner_ip, sizeof(inner_ip));
> > +             data += sizeof(*inner_ip);
> > +     }
> > +
> >       /* ICMP header so we can see it on wireshark */
> >       icmp = (odph_icmphdr_t *)data;
> >       data += sizeof(*icmp);
> > @@ -261,6 +294,13 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >       /* Close ESP if specified */
> >       if (esp) {
> >               int payload_len = data - (uint8_t *)icmp;
> > +             uint8_t *encrypt_start = (uint8_t *)icmp;
> > +
> > +             if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
> > +                     payload_len = data - (uint8_t *)inner_ip;
> > +                     encrypt_start = (uint8_t *)inner_ip;
> > +             }
> > +
> >               int encrypt_len;
> >               odph_esptrl_t *esp_t;
> >               DES_key_schedule ks1, ks2, ks3;
> > @@ -282,8 +322,8 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >               DES_set_key((DES_cblock *)&entry->esp.key.data[8], &ks2);
> >               DES_set_key((DES_cblock *)&entry->esp.key.data[16], &ks3);
> >
> > -             DES_ede3_cbc_encrypt((uint8_t *)icmp,
> > -                                  (uint8_t *)icmp,
> > +             DES_ede3_cbc_encrypt(encrypt_start,
> > +                                  encrypt_start,
> >                                    encrypt_len,
> >                                    &ks1,
> >                                    &ks2,
> > @@ -332,7 +372,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t
> *stream,
> >   odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
> >                             odp_packet_t pkt)
> >   {
> > -     ipsec_cache_entry_t *entry = stream->output.entry;
> > +     ipsec_cache_entry_t *entry = NULL;
> >       uint8_t *data;
> >       odph_ipv4hdr_t *ip;
> >       odph_ahhdr_t *ah = NULL;
> > @@ -340,6 +380,12 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t
> *stream,
> >       int hdr_len;
> >       odph_icmphdr_t *icmp;
> >       stream_pkt_hdr_t *test;
> > +     uint32_t src_ip, dst_ip;
> > +
> > +     if (stream->input.entry)
> > +             entry = stream->input.entry;
> > +     else if (stream->output.entry)
> > +             entry = stream->output.entry;
> >
> >       /* Basic IPv4 verify (add checksum verification) */
> >       data = odp_packet_l3_ptr(pkt, NULL); @@ -347,13 +393,29 @@
> > odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
> >       data += sizeof(*ip);
> >       if (0x45 != ip->ver_ihl)
> >               return FALSE;
> > -     if (stream->src_ip != odp_be_to_cpu_32(ip->src_addr))
> > +
> > +     src_ip = odp_be_to_cpu_32(ip->src_addr);
> > +     dst_ip = odp_be_to_cpu_32(ip->dst_addr);
> > +     if ((stream->src_ip != src_ip) && stream->output.entry &&
> > +         (stream->output.entry->tun_src_ip != src_ip))
> > +             return FALSE;
> > +     if ((stream->dst_ip != dst_ip) && stream->output.entry &&
> > +         (stream->output.entry->tun_dst_ip != dst_ip))
> > +             return FALSE;
> > +
> > +     if ((stream->src_ip != src_ip) && stream->input.entry &&
> > +         (stream->input.entry->tun_src_ip != src_ip))
> >               return FALSE;
> > -     if (stream->dst_ip != odp_be_to_cpu_32(ip->dst_addr))
> > +     if ((stream->dst_ip != dst_ip) && stream->input.entry &&
> > +         (stream->input.entry->tun_dst_ip != dst_ip))
> >               return FALSE;
> >
> >       /* Find IPsec headers if any and compare against entry */
> >       hdr_len = locate_ipsec_headers(ip, &ah, &esp);
> > +
> > +     /* Cleartext packet */
> > +     if (!ah && !esp)
> > +             goto clear_packet;
> >       if (ah) {
> >               if (!entry)
> >                       return FALSE;
> > @@ -446,12 +508,21 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t
> *stream,
> >               ip->proto = esp_t->next_header;
> >       }
> >
> > -     /* Verify ICMP packet */
> > -     if (ODPH_IPPROTO_ICMP != ip->proto)
> > -             return FALSE;
> > +clear_packet:
> > +     /* Verify IP/ICMP packet */
> > +     if (entry && (entry->mode == IPSEC_SA_MODE_TUNNEL) && (ah || esp))
> {
> > +             if (ODPH_IPV4 != ip->proto)
> > +                     return FALSE;
> > +             odph_ipv4hdr_t *inner_ip = (odph_ipv4hdr_t *)data;
> > +             icmp = (odph_icmphdr_t *)(inner_ip + 1);
> > +             data = (uint8_t *)icmp;
> > +     } else {
> > +             if (ODPH_IPPROTO_ICMP != ip->proto)
> > +                     return FALSE;
> > +             icmp = (odph_icmphdr_t *)data;
> > +     }
> >
> >       /* Verify ICMP header */
> > -     icmp = (odph_icmphdr_t *)data;
> >       data += sizeof(*icmp);
> >       if (ICMP_ECHO != icmp->type)
> >               return FALSE;
>
> _______________________________________________
> lng-odp mailing list
> lng-odp@lists.linaro.org
> https://lists.linaro.org/mailman/listinfo/lng-odp
>
diff mbox

Patch

diff --git a/example/ipsec/odp_ipsec.c b/example/ipsec/odp_ipsec.c
index cb8f535..e325347 100644
--- a/example/ipsec/odp_ipsec.c
+++ b/example/ipsec/odp_ipsec.c
@@ -135,13 +135,20 @@  typedef struct {
 	uint8_t  ip_ttl;         /**< Saved IP TTL value */
 	int      hdr_len;        /**< Length of IPsec headers */
 	int      trl_len;        /**< Length of IPsec trailers */
+	uint16_t tun_hdr_offset; /**< Offset of tunnel header from
+				      buffer start */
 	uint16_t ah_offset;      /**< Offset of AH header from buffer start */
 	uint16_t esp_offset;     /**< Offset of ESP header from buffer start */
 
+	/* Input only */
+	uint32_t src_ip;         /**< SA source IP address */
+	uint32_t dst_ip;         /**< SA dest IP address */
+
 	/* Output only */
 	odp_crypto_op_params_t params;  /**< Parameters for crypto call */
 	uint32_t *ah_seq;               /**< AH sequence number location */
 	uint32_t *esp_seq;              /**< ESP sequence number location */
+	uint16_t *tun_hdr_id;           /**< Tunnel header ID > */
 } ipsec_ctx_t;
 
 /**
@@ -357,6 +364,7 @@  void ipsec_init_pre(void)
 	/* Initialize our data bases */
 	init_sp_db();
 	init_sa_db();
+	init_tun_db();
 	init_ipsec_cache();
 }
 
@@ -376,19 +384,27 @@  void ipsec_init_post(crypto_api_mode_e api_mode)
 	for (entry = sp_db->list; NULL != entry; entry = entry->next) {
 		sa_db_entry_t *cipher_sa = NULL;
 		sa_db_entry_t *auth_sa = NULL;
+		tun_db_entry_t *tun;
 
-		if (entry->esp)
+		if (entry->esp) {
 			cipher_sa = find_sa_db_entry(&entry->src_subnet,
 						     &entry->dst_subnet,
 						     1);
-		if (entry->ah)
+			tun = find_tun_db_entry(cipher_sa->src_ip,
+						      cipher_sa->dst_ip);
+		}
+		if (entry->ah) {
 			auth_sa = find_sa_db_entry(&entry->src_subnet,
 						   &entry->dst_subnet,
 						   0);
+			tun = find_tun_db_entry(auth_sa->src_ip,
+						      auth_sa->dst_ip);
+		}
 
 		if (cipher_sa || auth_sa) {
 			if (create_ipsec_cache_entry(cipher_sa,
 						     auth_sa,
+						     tun,
 						     api_mode,
 						     entry->input,
 						     completionq,
@@ -661,6 +677,8 @@  pkt_disposition_e do_ipsec_in_classify(odp_packet_t pkt,
 	ctx->ipsec.esp_offset = esp ? ((uint8_t *)esp) - buf : 0;
 	ctx->ipsec.hdr_len = hdr_len;
 	ctx->ipsec.trl_len = 0;
+	ctx->ipsec.src_ip = entry->src_ip;
+	ctx->ipsec.dst_ip = entry->dst_ip;
 
 	/*If authenticating, zero the mutable fields build the request */
 	if (ah) {
@@ -741,6 +759,23 @@  pkt_disposition_e do_ipsec_in_finish(odp_packet_t pkt,
 		trl_len += esp_t->pad_len + sizeof(*esp_t);
 	}
 
+	/* We have a tunneled IPv4 packet */
+	if (ip->proto == ODPH_IPV4) {
+		odp_packet_pull_head(pkt, sizeof(*ip) + hdr_len);
+		odp_packet_pull_tail(pkt, trl_len);
+		odph_ethhdr_t *eth;
+		eth = (odph_ethhdr_t *)odp_packet_l2_ptr(pkt, NULL);
+		eth->type = ODPH_ETHTYPE_IPV4;
+		ip = (odph_ipv4hdr_t *)odp_packet_l3_ptr(pkt, NULL);
+
+		/* Check inbound policy */
+		if ((ip->src_addr != ctx->ipsec.src_ip ||
+		     ip->dst_addr != ctx->ipsec.dst_ip))
+			return PKT_DROP;
+
+		return PKT_CONTINUE;
+	}
+
 	/* Finalize the IPv4 header */
 	ipv4_adjust_len(ip, -(hdr_len + trl_len));
 	ip->ttl = ctx->ipsec.ip_ttl;
@@ -812,9 +847,13 @@  pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
 	params.pkt = pkt;
 	params.out_pkt = entry->in_place ? pkt : ODP_PACKET_INVALID;
 
+	if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
+		hdr_len += sizeof(odph_ipv4hdr_t);
+		ip_data = (uint8_t *)ip;
+	}
 	/* Compute ah and esp, determine length of headers, move the data */
 	if (entry->ah.alg) {
-		ah = (odph_ahhdr_t *)(ip_data);
+		ah = (odph_ahhdr_t *)(ip_data + hdr_len);
 		hdr_len += sizeof(odph_ahhdr_t);
 		hdr_len += entry->ah.icv_len;
 	}
@@ -826,21 +865,39 @@  pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
 	memmove(ip_data + hdr_len, ip_data, ip_data_len);
 	ip_data += hdr_len;
 
+	/* update outer header in tunnel mode */
+	if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
+		/* tunnel addresses */
+		ip->src_addr = odp_cpu_to_be_32(entry->tun_src_ip);
+		ip->dst_addr = odp_cpu_to_be_32(entry->tun_dst_ip);
+	}
+
 	/* For cipher, compute encrypt length, build headers and request */
 	if (esp) {
 		uint32_t encrypt_len;
 		odph_esptrl_t *esp_t;
 
-		encrypt_len = ESP_ENCODE_LEN(ip_data_len + sizeof(*esp_t),
-					     entry->esp.block_len);
-		trl_len = encrypt_len - ip_data_len;
+		if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
+			encrypt_len = ESP_ENCODE_LEN(ip->tot_len +
+						     sizeof(*esp_t),
+						     entry->esp.block_len);
+			trl_len = encrypt_len - ip->tot_len;
+		} else {
+			encrypt_len = ESP_ENCODE_LEN(ip_data_len +
+						     sizeof(*esp_t),
+						     entry->esp.block_len);
+			trl_len = encrypt_len - ip_data_len;
+		}
 
 		esp->spi = odp_cpu_to_be_32(entry->esp.spi);
 		memcpy(esp + 1, entry->state.iv, entry->esp.iv_len);
 
 		esp_t = (odph_esptrl_t *)(ip_data + encrypt_len) - 1;
 		esp_t->pad_len     = trl_len - sizeof(*esp_t);
-		esp_t->next_header = ip->proto;
+		if (entry->mode == IPSEC_SA_MODE_TUNNEL)
+			esp_t->next_header = ODPH_IPV4;
+		else
+			esp_t->next_header = ip->proto;
 		ip->proto = ODPH_IPPROTO_ESP;
 
 		params.cipher_range.offset = ip_data - buf;
@@ -852,7 +909,10 @@  pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
 		memset(ah, 0, sizeof(*ah) + entry->ah.icv_len);
 		ah->spi = odp_cpu_to_be_32(entry->ah.spi);
 		ah->ah_len = 1 + (entry->ah.icv_len / 4);
-		ah->next_header = ip->proto;
+		if (entry->mode == IPSEC_SA_MODE_TUNNEL && !esp)
+			ah->next_header = ODPH_IPV4;
+		else
+			ah->next_header = ip->proto;
 		ip->proto = ODPH_IPPROTO_AH;
 
 		ip->chksum = 0;
@@ -875,8 +935,11 @@  pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
 	ctx->ipsec.trl_len = trl_len;
 	ctx->ipsec.ah_offset = ah ? ((uint8_t *)ah) - buf : 0;
 	ctx->ipsec.esp_offset = esp ? ((uint8_t *)esp) - buf : 0;
+	ctx->ipsec.tun_hdr_offset = (entry->mode == IPSEC_SA_MODE_TUNNEL) ?
+				       ((uint8_t *)ip - buf) : 0;
 	ctx->ipsec.ah_seq = &entry->state.ah_seq;
 	ctx->ipsec.esp_seq = &entry->state.esp_seq;
+	ctx->ipsec.tun_hdr_id = &entry->state.tun_hdr_id;
 	memcpy(&ctx->ipsec.params, &params, sizeof(params));
 
 	*skip = FALSE;
@@ -915,6 +978,20 @@  pkt_disposition_e do_ipsec_out_seq(odp_packet_t pkt,
 		esp = (odph_esphdr_t *)(ctx->ipsec.esp_offset + buf);
 		esp->seq_no = odp_cpu_to_be_32((*ctx->ipsec.esp_seq)++);
 	}
+	if (ctx->ipsec.tun_hdr_offset) {
+		odph_ipv4hdr_t *ip;
+		int ret;
+		ip = (odph_ipv4hdr_t *)(ctx->ipsec.tun_hdr_offset + buf);
+		ip->id = odp_cpu_to_be_16((*ctx->ipsec.tun_hdr_id)++);
+		if (!ip->id) {
+			/* re-init tunnel hdr id */
+			ret = odp_random_data((uint8_t *)ctx->ipsec.tun_hdr_id,
+					      sizeof(*ctx->ipsec.tun_hdr_id),
+					      1);
+			if (ret != sizeof(*ctx->ipsec.tun_hdr_id))
+				abort();
+		}
+	}
 
 	/* Issue crypto request */
 	if (odp_crypto_operation(&ctx->ipsec.params,
@@ -1306,8 +1383,9 @@  static void parse_args(int argc, char *argv[], appl_args_t *appl_args)
 		{"mode", required_argument, NULL, 'm'},		/* return 'm' */
 		{"route", required_argument, NULL, 'r'},	/* return 'r' */
 		{"policy", required_argument, NULL, 'p'},	/* return 'p' */
-		{"ah", required_argument, NULL, 'a'},	        /* return 'a' */
-		{"esp", required_argument, NULL, 'e'},	        /* return 'e' */
+		{"ah", required_argument, NULL, 'a'},		/* return 'a' */
+		{"esp", required_argument, NULL, 'e'},		/* return 'e' */
+		{"tunnel", required_argument, NULL, 't'},       /* return 't' */
 		{"stream", required_argument, NULL, 's'},	/* return 's' */
 		{"help", no_argument, NULL, 'h'},		/* return 'h' */
 		{NULL, 0, NULL, 0}
@@ -1318,7 +1396,7 @@  static void parse_args(int argc, char *argv[], appl_args_t *appl_args)
 	appl_args->mode = 0;  /* turn off async crypto API by default */
 
 	while (!rc) {
-		opt = getopt_long(argc, argv, "+c:i:m:h:r:p:a:e:s:",
+		opt = getopt_long(argc, argv, "+c:i:m:h:r:p:a:e:t:s:",
 				  longopts, &long_index);
 
 		if (-1 == opt)
@@ -1389,6 +1467,10 @@  static void parse_args(int argc, char *argv[], appl_args_t *appl_args)
 			rc = create_sa_db_entry(optarg, TRUE);
 			break;
 
+		case 't':
+			rc = create_tun_db_entry(optarg);
+			break;
+
 		case 's':
 			rc = create_stream_db_entry(optarg);
 			break;
@@ -1449,6 +1531,7 @@  static void print_info(char *progname, appl_args_t *appl_args)
 	dump_fwd_db();
 	dump_sp_db();
 	dump_sa_db();
+	dump_tun_db();
 	printf("\n\n");
 	fflush(NULL);
 }
diff --git a/example/ipsec/odp_ipsec_cache.c b/example/ipsec/odp_ipsec_cache.c
index 12b960d..046e43c 100644
--- a/example/ipsec/odp_ipsec_cache.c
+++ b/example/ipsec/odp_ipsec_cache.c
@@ -38,6 +38,7 @@  void init_ipsec_cache(void)
 
 int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 			     sa_db_entry_t *auth_sa,
+			     tun_db_entry_t *tun,
 			     crypto_api_mode_e api_mode,
 			     odp_bool_t in,
 			     odp_queue_t completionq,
@@ -47,12 +48,18 @@  int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 	ipsec_cache_entry_t *entry;
 	enum odp_crypto_ses_create_err ses_create_rc;
 	odp_crypto_session_t session;
+	sa_mode_t mode = IPSEC_SA_MODE_TRANSPORT;
 
 	/* Verify we have a good entry */
 	entry = &ipsec_cache->array[ipsec_cache->index];
 	if (MAX_DB <= ipsec_cache->index)
 		return -1;
 
+	/* Verify SA mode match in case of cipher&auth */
+	if (cipher_sa && auth_sa &&
+	    (cipher_sa->mode != auth_sa->mode))
+		return -1;
+
 	/* Setup parameters and call crypto library to create session */
 	params.op = (in) ? ODP_CRYPTO_OP_DECODE : ODP_CRYPTO_OP_ENCODE;
 	params.auth_cipher_text = TRUE;
@@ -79,6 +86,7 @@  int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 		params.cipher_key.length  = cipher_sa->key.length;
 		params.iv.data = entry->state.iv;
 		params.iv.length = cipher_sa->iv_len;
+		mode = cipher_sa->mode;
 	} else {
 		params.cipher_alg = ODP_CIPHER_ALG_NULL;
 		params.iv.data = NULL;
@@ -90,6 +98,7 @@  int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 		params.auth_alg = auth_sa->alg.u.auth;
 		params.auth_key.data = auth_sa->key.data;
 		params.auth_key.length = auth_sa->key.length;
+		mode = auth_sa->mode;
 	} else {
 		params.auth_alg = ODP_AUTH_ALG_NULL;
 	}
@@ -128,6 +137,24 @@  int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 		memcpy(&entry->ah.key, &auth_sa->key, sizeof(ipsec_key_t));
 	}
 
+	if (tun) {
+		entry->tun_src_ip = tun->tun_src_ip;
+		entry->tun_dst_ip = tun->tun_dst_ip;
+		mode = IPSEC_SA_MODE_TUNNEL;
+
+		int ret;
+		if (!in) {
+			/* init tun hdr id */
+			ret = odp_random_data((uint8_t *)
+					      &entry->state.tun_hdr_id,
+					      sizeof(entry->state.tun_hdr_id),
+					      1);
+			if (ret != sizeof(entry->state.tun_hdr_id))
+				return -1;
+		}
+	}
+	entry->mode = mode;
+
 	/* Initialize state */
 	entry->state.esp_seq = 0;
 	entry->state.ah_seq = 0;
@@ -156,7 +183,9 @@  ipsec_cache_entry_t *find_ipsec_cache_entry_in(uint32_t src_ip,
 	/* Look for a hit */
 	for (; NULL != entry; entry = entry->next) {
 		if ((entry->src_ip != src_ip) || (entry->dst_ip != dst_ip))
-			continue;
+			if ((entry->tun_src_ip != src_ip) ||
+			    (entry->tun_dst_ip != dst_ip))
+				continue;
 		if (ah &&
 		    ((!entry->ah.alg) ||
 		     (entry->ah.spi != odp_be_to_cpu_32(ah->spi))))
diff --git a/example/ipsec/odp_ipsec_cache.h b/example/ipsec/odp_ipsec_cache.h
index 714cae8..6b1be5f 100644
--- a/example/ipsec/odp_ipsec_cache.h
+++ b/example/ipsec/odp_ipsec_cache.h
@@ -34,6 +34,9 @@  typedef struct ipsec_cache_entry_s {
 	odp_bool_t                   in_place;    /**< Crypto API mode */
 	uint32_t                     src_ip;      /**< Source v4 address */
 	uint32_t                     dst_ip;      /**< Destination v4 address */
+	sa_mode_t		     mode;        /**< SA mode - transport/tun */
+	uint32_t                     tun_src_ip;  /**< Tunnel src IPv4 addr */
+	uint32_t                     tun_dst_ip;  /**< Tunnel dst IPv4 addr */
 	struct {
 		enum  odp_cipher_alg alg;         /**< Cipher algorithm */
 		uint32_t             spi;         /**< Cipher SPI */
@@ -54,6 +57,7 @@  typedef struct ipsec_cache_entry_s {
 		uint32_t      esp_seq;         /**< ESP TX sequence number */
 		uint32_t      ah_seq;          /**< AH TX sequence number */
 		uint8_t       iv[MAX_IV_LEN];  /**< ESP IV storage */
+		uint16be_t    tun_hdr_id;      /**< Tunnel header IP ID */
 	} state;
 } ipsec_cache_entry_t;
 
@@ -87,6 +91,7 @@  void init_ipsec_cache(void);
  */
 int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 			     sa_db_entry_t *auth_sa,
+			     tun_db_entry_t *tun,
 			     crypto_api_mode_e api_mode,
 			     odp_bool_t in,
 			     odp_queue_t completionq,
diff --git a/example/ipsec/odp_ipsec_sa_db.c b/example/ipsec/odp_ipsec_sa_db.c
index 5837cb6..78f43da 100644
--- a/example/ipsec/odp_ipsec_sa_db.c
+++ b/example/ipsec/odp_ipsec_sa_db.c
@@ -1,7 +1,7 @@ 
 /* Copyright (c) 2014, Linaro Limited
  * All rights reserved.
  *
- * SPDX-License-Identifier:     BSD-3-Clause
+ * SPDX-License-Identifier:	BSD-3-Clause
  */
 
 /* enable strtok */
@@ -19,6 +19,9 @@ 
 /** Global pointer to sa db */
 static sa_db_t *sa_db;
 
+/** Global pointer to tun db */
+static tun_db_t *tun_db;
+
 void init_sa_db(void)
 {
 	odp_shm_t shm;
@@ -37,6 +40,22 @@  void init_sa_db(void)
 	memset(sa_db, 0, sizeof(*sa_db));
 }
 
+void init_tun_db(void)
+{
+	odp_shm_t shm;
+	shm = odp_shm_reserve("shm_tun_db",
+			      sizeof(tun_db_t),
+			      ODP_CACHE_LINE_SIZE,
+			      0);
+	tun_db = odp_shm_addr(shm);
+
+	if (tun_db == NULL) {
+		EXAMPLE_ERR("Error: shared mem alloc failed.\n");
+		exit(EXIT_FAILURE);
+	}
+	memset(tun_db, 0, sizeof(*tun_db));
+}
+
 int create_sa_db_entry(char *input, odp_bool_t cipher)
 {
 	int pos = 0;
@@ -81,7 +100,7 @@  int create_sa_db_entry(char *input, odp_bool_t cipher)
 					entry->alg.u.cipher =
 						ODP_CIPHER_ALG_3DES_CBC;
 					entry->block_len  = 8;
-					entry->iv_len     = 8;
+					entry->iv_len	  = 8;
 				} else {
 					entry->alg.u.cipher =
 						ODP_CIPHER_ALG_NULL;
@@ -90,7 +109,7 @@  int create_sa_db_entry(char *input, odp_bool_t cipher)
 				if (0 == strcmp(token, "md5")) {
 					entry->alg.u.auth =
 						ODP_AUTH_ALG_MD5_96;
-					entry->icv_len    = 12;
+					entry->icv_len	  = 12;
 				} else {
 					entry->alg.u.auth = ODP_AUTH_ALG_NULL;
 				}
@@ -132,6 +151,89 @@  int create_sa_db_entry(char *input, odp_bool_t cipher)
 	return 0;
 }
 
+int create_tun_db_entry(char *input)
+{
+	int pos = 0;
+	char *local;
+	char *str;
+	char *save;
+	char *token;
+	tun_db_entry_t *entry = &tun_db->array[tun_db->index];
+
+	/* Verify we have a good entry */
+	if (MAX_DB <= tun_db->index)
+		return -1;
+
+	/* Make a local copy */
+	local = malloc(strlen(input) + 1);
+	if (NULL == local)
+		return -1;
+	strcpy(local, input);
+
+	/* Setup for using "strtok_r" to search input string */
+	str = local;
+	save = NULL;
+
+	/* Parse tokens separated by ':' */
+	while (NULL != (token = strtok_r(str, ":", &save))) {
+		str = NULL;  /* reset str for subsequent strtok_r calls */
+
+		/* Parse token based on its position */
+		switch (pos) {
+		case 0:
+			parse_ipv4_string(token, &entry->src_ip, NULL);
+			break;
+		case 1:
+			parse_ipv4_string(token, &entry->dst_ip, NULL);
+			break;
+		case 2:
+			parse_ipv4_string(token, &entry->tun_src_ip, NULL);
+			break;
+		case 3:
+			parse_ipv4_string(token, &entry->tun_dst_ip, NULL);
+			break;
+		default:
+			printf("ERROR: extra token \"%s\" at position %d\n",
+			       token, pos);
+			break;
+		}
+		pos++;
+	}
+
+	/* Verify we parsed exactly the number of tokens we expected */
+	if (4 != pos) {
+		printf("ERROR: \"%s\" contains %d tokens, expected 4\n",
+		       input,
+		       pos);
+		free(local);
+		return -1;
+	}
+
+	/* Add route to the list */
+	tun_db->index++;
+	entry->next = tun_db->list;
+	tun_db->list = entry;
+
+	free(local);
+	return 0;
+}
+
+tun_db_entry_t *find_tun_db_entry(uint32_t ip_src,
+					uint32_t ip_dst)
+{
+	tun_db_entry_t *entry = NULL;
+
+	/* Scan all entries and return first match */
+	for (entry = tun_db->list; NULL != entry; entry = entry->next) {
+		if (entry->src_ip != ip_src)
+			continue;
+		if (entry->dst_ip != ip_dst)
+			continue;
+		break;
+	}
+	return entry;
+}
+
 void dump_sa_db(void)
 {
 	sa_db_entry_t *entry;
@@ -182,3 +284,28 @@  sa_db_entry_t *find_sa_db_entry(ip_addr_range_t *src,
 	}
 	return entry;
 }
+
+void dump_tun_db(void)
+{
+	tun_db_entry_t *entry;
+
+	printf("\n"
+	       "Tunnel table\n"
+	       "--------------------------\n");
+
+	for (entry = tun_db->list; NULL != entry; entry = entry->next) {
+		char src_ip_str[MAX_STRING];
+		char dst_ip_str[MAX_STRING];
+		char tun_src_ip_str[MAX_STRING];
+		char tun_dst_ip_str[MAX_STRING];
+
+		printf(" %s:%s %s:%s ",
+		       ipv4_addr_str(src_ip_str, entry->src_ip),
+		       ipv4_addr_str(dst_ip_str, entry->dst_ip),
+		       ipv4_addr_str(tun_src_ip_str, entry->tun_src_ip),
+		       ipv4_addr_str(tun_dst_ip_str, entry->tun_dst_ip)
+		      );
+
+		printf("\n");
+	}
+}
diff --git a/example/ipsec/odp_ipsec_sa_db.h b/example/ipsec/odp_ipsec_sa_db.h
index c30cbdb..79bfc78 100644
--- a/example/ipsec/odp_ipsec_sa_db.h
+++ b/example/ipsec/odp_ipsec_sa_db.h
@@ -13,6 +13,10 @@  extern "C" {
 
 #include <odp_ipsec_misc.h>
 
+typedef enum sa_mode_s {
+	IPSEC_SA_MODE_TRANSPORT,
+	IPSEC_SA_MODE_TUNNEL
+} sa_mode_t;
 /**
  * Security Assocation (SA) data base entry
  */
@@ -26,6 +30,7 @@  typedef struct sa_db_entry_s {
 	uint32_t              block_len; /**< Cipher block length */
 	uint32_t              iv_len;    /**< Initialization Vector length */
 	uint32_t              icv_len;   /**< Integrity Check Value length */
+	sa_mode_t             mode;      /**< SA mode - transport/tun */
 } sa_db_entry_t;
 
 /**
@@ -37,6 +42,7 @@  typedef struct sa_db_s {
 	sa_db_entry_t    array[MAX_DB];  /**< Entry storage */
 } sa_db_t;
 
+
 /** Initialize SA database global control structure */
 void init_sa_db(void);
 
@@ -69,6 +75,57 @@  sa_db_entry_t *find_sa_db_entry(ip_addr_range_t *src,
 				ip_addr_range_t *dst,
 				odp_bool_t cipher);
 
+/**
+ * Tunnel entry
+ */
+typedef struct tun_db_entry_s {
+	struct tun_db_entry_s *next;
+	uint32_t        src_ip;        /**< Inner Source IPv4 address */
+	uint32_t        dst_ip;        /**< Inner Destination IPv4 address */
+	uint32_t        tun_src_ip; /**< Tunnel Source IPv4 address */
+	uint32_t        tun_dst_ip; /**< Tunnel Source IPv4 address */
+} tun_db_entry_t;
+
+/**
+ * Tunnel database
+ */
+typedef struct tun_db_s {
+	uint32_t         index;          /**< Index of next available entry */
+	tun_db_entry_t *list;	 /**< List of active entries */
+	tun_db_entry_t array[MAX_DB]; /**< Entry storage */
+} tun_db_t;
+
+/** Initialize tun database global control structure */
+void init_tun_db(void);
+
+/**
+ * Create an tunnel DB entry
+ *
+ * String is of the format "SrcIP:DstIP:TunSrcIp:TunDstIp"
+ *
+ * @param input  Pointer to string describing tun
+ *
+ * @return 0 if successful else -1
+ */
+int create_tun_db_entry(char *input);
+
+/**
+ * Display the tun DB
+ */
+void dump_tun_db(void);
+
+/**
+ * Find a matching tun DB entry
+ *
+ * @param ip_src    Inner source IP address
+ * @param ip_dst    Inner destination IP address
+ *
+ * @return pointer to tun DB entry else NULL
+ */
+tun_db_entry_t *find_tun_db_entry(uint32_t ip_src,
+					uint32_t ip_dst);
+
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/example/ipsec/odp_ipsec_stream.c b/example/ipsec/odp_ipsec_stream.c
index 35042f5..69f73f1 100644
--- a/example/ipsec/odp_ipsec_stream.c
+++ b/example/ipsec/odp_ipsec_stream.c
@@ -169,18 +169,24 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 				uint8_t *dmac,
 				odp_pool_t pkt_pool)
 {
-	ipsec_cache_entry_t *entry = stream->input.entry;
+	ipsec_cache_entry_t *entry = NULL;
 	odp_packet_t pkt;
 	uint8_t *base;
 	uint8_t *data;
 	odph_ethhdr_t *eth;
 	odph_ipv4hdr_t *ip;
+	odph_ipv4hdr_t *inner_ip = NULL;
 	odph_ahhdr_t *ah = NULL;
 	odph_esphdr_t *esp = NULL;
 	odph_icmphdr_t *icmp;
 	stream_pkt_hdr_t *test;
 	unsigned i;
 
+	if (stream->input.entry)
+		entry = stream->input.entry;
+	else if (stream->output.entry)
+		entry = stream->output.entry;
+
 	/* Get packet */
 	pkt = odp_packet_alloc(pkt_pool, 0);
 	if (ODP_PACKET_INVALID == pkt)
@@ -205,13 +211,22 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 	/* Wait until almost finished to fill in mutable fields */
 	memset((char *)ip, 0, sizeof(*ip));
 	ip->ver_ihl = 0x45;
-	ip->proto = ODPH_IPPROTO_ICMP;
 	ip->id = odp_cpu_to_be_16(stream->id);
-	ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
-	ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
+	/* Outer IP header in tunnel mode */
+	if (entry && entry->mode == IPSEC_SA_MODE_TUNNEL &&
+	    (entry == stream->input.entry)) {
+		ip->proto = ODPH_IPV4;
+		ip->src_addr = odp_cpu_to_be_32(entry->tun_src_ip);
+		ip->dst_addr = odp_cpu_to_be_32(entry->tun_dst_ip);
+	} else {
+		ip->proto = ODPH_IPPROTO_ICMP;
+		ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
+		ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
+	}
 
 	/* AH (if specified) */
-	if (entry && (ODP_AUTH_ALG_NULL != entry->ah.alg)) {
+	if (entry && (entry == stream->input.entry) &&
+	    (ODP_AUTH_ALG_NULL != entry->ah.alg)) {
 		if (ODP_AUTH_ALG_MD5_96 != entry->ah.alg)
 			abort();
 
@@ -226,7 +241,8 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 	}
 
 	/* ESP (if specified) */
-	if (entry && (ODP_CIPHER_ALG_NULL != entry->esp.alg)) {
+	if (entry && (entry == stream->input.entry) &&
+	    (ODP_CIPHER_ALG_NULL != entry->esp.alg)) {
 		if (ODP_CIPHER_ALG_3DES_CBC != entry->esp.alg)
 			abort();
 
@@ -239,6 +255,23 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 		RAND_bytes(esp->iv, 8);
 	}
 
+	/* Inner IP header in tunnel mode */
+	if (entry && (entry == stream->input.entry) &&
+	    (entry->mode == IPSEC_SA_MODE_TUNNEL)) {
+		inner_ip = (odph_ipv4hdr_t *)data;
+		memset((char *)inner_ip, 0, sizeof(*inner_ip));
+		inner_ip->ver_ihl = 0x45;
+		inner_ip->proto = ODPH_IPPROTO_ICMP;
+		inner_ip->id = odp_cpu_to_be_16(stream->id);
+		inner_ip->ttl = 64;
+		inner_ip->tos = 0;
+		inner_ip->frag_offset = 0;
+		inner_ip->src_addr = odp_cpu_to_be_32(stream->src_ip);
+		inner_ip->dst_addr = odp_cpu_to_be_32(stream->dst_ip);
+		inner_ip->chksum = odp_chksum(inner_ip, sizeof(inner_ip));
+		data += sizeof(*inner_ip);
+	}
+
 	/* ICMP header so we can see it on wireshark */
 	icmp = (odph_icmphdr_t *)data;
 	data += sizeof(*icmp);
@@ -261,6 +294,13 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 	/* Close ESP if specified */
 	if (esp) {
 		int payload_len = data - (uint8_t *)icmp;
+		uint8_t *encrypt_start = (uint8_t *)icmp;
+
+		if (entry->mode == IPSEC_SA_MODE_TUNNEL) {
+			payload_len = data - (uint8_t *)inner_ip;
+			encrypt_start = (uint8_t *)inner_ip;
+		}
+
 		int encrypt_len;
 		odph_esptrl_t *esp_t;
 		DES_key_schedule ks1, ks2, ks3;
@@ -282,8 +322,8 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 		DES_set_key((DES_cblock *)&entry->esp.key.data[8], &ks2);
 		DES_set_key((DES_cblock *)&entry->esp.key.data[16], &ks3);
 
-		DES_ede3_cbc_encrypt((uint8_t *)icmp,
-				     (uint8_t *)icmp,
+		DES_ede3_cbc_encrypt(encrypt_start,
+				     encrypt_start,
 				     encrypt_len,
 				     &ks1,
 				     &ks2,
@@ -332,7 +372,7 @@  odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
 odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
 			      odp_packet_t pkt)
 {
-	ipsec_cache_entry_t *entry = stream->output.entry;
+	ipsec_cache_entry_t *entry = NULL;
 	uint8_t *data;
 	odph_ipv4hdr_t *ip;
 	odph_ahhdr_t *ah = NULL;
@@ -340,6 +380,12 @@  odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
 	int hdr_len;
 	odph_icmphdr_t *icmp;
 	stream_pkt_hdr_t *test;
+	uint32_t src_ip, dst_ip;
+
+	if (stream->input.entry)
+		entry = stream->input.entry;
+	else if (stream->output.entry)
+		entry = stream->output.entry;
 
 	/* Basic IPv4 verify (add checksum verification) */
 	data = odp_packet_l3_ptr(pkt, NULL);
@@ -347,13 +393,29 @@  odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
 	data += sizeof(*ip);
 	if (0x45 != ip->ver_ihl)
 		return FALSE;
-	if (stream->src_ip != odp_be_to_cpu_32(ip->src_addr))
+
+	src_ip = odp_be_to_cpu_32(ip->src_addr);
+	dst_ip = odp_be_to_cpu_32(ip->dst_addr);
+	if ((stream->src_ip != src_ip) && stream->output.entry &&
+	    (stream->output.entry->tun_src_ip != src_ip))
+		return FALSE;
+	if ((stream->dst_ip != dst_ip) && stream->output.entry &&
+	    (stream->output.entry->tun_dst_ip != dst_ip))
+		return FALSE;
+
+	if ((stream->src_ip != src_ip) && stream->input.entry &&
+	    (stream->input.entry->tun_src_ip != src_ip))
 		return FALSE;
-	if (stream->dst_ip != odp_be_to_cpu_32(ip->dst_addr))
+	if ((stream->dst_ip != dst_ip) && stream->input.entry &&
+	    (stream->input.entry->tun_dst_ip != dst_ip))
 		return FALSE;
 
 	/* Find IPsec headers if any and compare against entry */
 	hdr_len = locate_ipsec_headers(ip, &ah, &esp);
+
+	/* Cleartext packet */
+	if (!ah && !esp)
+		goto clear_packet;
 	if (ah) {
 		if (!entry)
 			return FALSE;
@@ -446,12 +508,21 @@  odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
 		ip->proto = esp_t->next_header;
 	}
 
-	/* Verify ICMP packet */
-	if (ODPH_IPPROTO_ICMP != ip->proto)
-		return FALSE;
+clear_packet:
+	/* Verify IP/ICMP packet */
+	if (entry && (entry->mode == IPSEC_SA_MODE_TUNNEL) && (ah || esp)) {
+		if (ODPH_IPV4 != ip->proto)
+			return FALSE;
+		odph_ipv4hdr_t *inner_ip = (odph_ipv4hdr_t *)data;
+		icmp = (odph_icmphdr_t *)(inner_ip + 1);
+		data = (uint8_t *)icmp;
+	} else {
+		if (ODPH_IPPROTO_ICMP != ip->proto)
+			return FALSE;
+		icmp = (odph_icmphdr_t *)data;
+	}
 
 	/* Verify ICMP header */
-	icmp = (odph_icmphdr_t *)data;
 	data += sizeof(*icmp);
 	if (ICMP_ECHO != icmp->type)
 		return FALSE;