get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/16234/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 16234,
    "url": "http://patches.dpdk.org/api/patches/16234/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com",
    "date": "2016-09-29T15:44:07",
    "name": "[dpdk-dev,v3,1/9] examples/ipsec-secgw: change CBC IV generation",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "74a2bd9b19b3928816388cc83f87ac44b88420a7",
    "submitter": {
        "id": 73,
        "url": "http://patches.dpdk.org/api/people/73/?format=api",
        "name": "Sergio Gonzalez Monroy",
        "email": "sergio.gonzalez.monroy@intel.com"
    },
    "delegate": {
        "id": 22,
        "url": "http://patches.dpdk.org/api/users/22/?format=api",
        "username": "pdelarag",
        "first_name": "Pablo",
        "last_name": "de Lara Guarch",
        "email": "pablo.de.lara.guarch@intel.com"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com/mbox/",
    "series": [],
    "comments": "http://patches.dpdk.org/api/patches/16234/comments/",
    "check": "pending",
    "checks": "http://patches.dpdk.org/api/patches/16234/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@dpdk.org",
        "Delivered-To": "patchwork@dpdk.org",
        "Received": [
            "from [92.243.14.124] (localhost [IPv6:::1])\n\tby dpdk.org (Postfix) with ESMTP id D3741590E;\n\tThu, 29 Sep 2016 17:44:28 +0200 (CEST)",
            "from mga11.intel.com (mga11.intel.com [192.55.52.93])\n\tby dpdk.org (Postfix) with ESMTP id C04C95689\n\tfor <dev@dpdk.org>; Thu, 29 Sep 2016 17:44:23 +0200 (CEST)",
            "from fmsmga005.fm.intel.com ([10.253.24.32])\n\tby fmsmga102.fm.intel.com with ESMTP; 29 Sep 2016 08:44:20 -0700",
            "from sie-lab-212-109.ir.intel.com (HELO\n\tsilpixa00389029.ir.intel.com) ([10.237.212.109])\n\tby fmsmga005.fm.intel.com with ESMTP; 29 Sep 2016 08:44:19 -0700"
        ],
        "X-ExtLoop1": "1",
        "X-IronPort-AV": "E=Sophos;i=\"5.30,415,1470726000\"; d=\"scan'208\";a=\"14587568\"",
        "From": "Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>",
        "To": "dev@dpdk.org",
        "Cc": "pablo.de.lara.guarch@intel.com",
        "Date": "Thu, 29 Sep 2016 16:44:07 +0100",
        "Message-Id": "<1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com>",
        "X-Mailer": "git-send-email 2.5.5",
        "In-Reply-To": "<1475163857-142366-1-git-send-email-sergio.gonzalez.monroy@intel.com>",
        "References": "<1474616734-118291-1-git-send-email-sergio.gonzalez.monroy@intel.com>\n\t<1475163857-142366-1-git-send-email-sergio.gonzalez.monroy@intel.com>",
        "Subject": "[dpdk-dev] [PATCH v3 1/9] examples/ipsec-secgw: change CBC IV\n\tgeneration",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.15",
        "Precedence": "list",
        "List-Id": "patches and discussions about DPDK <dev.dpdk.org>",
        "List-Unsubscribe": "<http://dpdk.org/ml/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://dpdk.org/ml/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<http://dpdk.org/ml/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org",
        "Sender": "\"dev\" <dev-bounces@dpdk.org>"
    },
    "content": "NIST SP800-38A recommends two methods to generate unpredictable IVs\n(Initialisation Vector) for CBC mode:\n1) Apply the forward function to a nonce (i.e. a counter)\n2) Use a FIPS-approved random number generator\n\nThis patch implements the first recommended method by using the forward\nfunction to generate the IV.\n\nSigned-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>\n---\n examples/ipsec-secgw/esp.c   | 99 +++++++++++++++++++++++++-------------------\n examples/ipsec-secgw/ipsec.h | 26 +++++++++++-\n 2 files changed, 81 insertions(+), 44 deletions(-)",
    "diff": "diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c\nindex 05caa77..21b2f02 100644\n--- a/examples/ipsec-secgw/esp.c\n+++ b/examples/ipsec-secgw/esp.c\n@@ -50,21 +50,6 @@\n #include \"esp.h\"\n #include \"ipip.h\"\n \n-static inline void\n-random_iv_u64(uint64_t *buf, uint16_t n)\n-{\n-\tuint32_t left = n & 0x7;\n-\tuint32_t i;\n-\n-\tRTE_ASSERT((n & 0x3) == 0);\n-\n-\tfor (i = 0; i < (n >> 3); i++)\n-\t\tbuf[i] = rte_rand();\n-\n-\tif (left)\n-\t\t*((uint32_t *)&buf[i]) = (uint32_t)lrand48();\n-}\n-\n int\n esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \t\tstruct rte_crypto_op *cop)\n@@ -98,22 +83,32 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \t\treturn -EINVAL;\n \t}\n \n-\tsym_cop = (struct rte_crypto_sym_op *)(cop + 1);\n+\tsym_cop = get_sym_cop(cop);\n \n \tsym_cop->m_src = m;\n \tsym_cop->cipher.data.offset =  ip_hdr_len + sizeof(struct esp_hdr) +\n \t\tsa->iv_len;\n \tsym_cop->cipher.data.length = payload_len;\n \n-\tsym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n-\tsym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n-\tsym_cop->cipher.iv.length = sa->iv_len;\n+\tuint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len + sizeof(struct esp_hdr));\n+\n+\tswitch (sa->cipher_algo) {\n+\tcase RTE_CRYPTO_CIPHER_NULL:\n+\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\tsym_cop->cipher.iv.data = iv;\n+\t\tsym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,\n+\t\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n+\t\tsym_cop->cipher.iv.length = sa->iv_len;\n \n-\tsym_cop->auth.data.offset = ip_hdr_len;\n-\tsym_cop->auth.data.length = sizeof(struct esp_hdr) +\n-\t\tsa->iv_len + payload_len;\n+\t\tsym_cop->auth.data.offset = ip_hdr_len;\n+\t\tsym_cop->auth.data.length = sizeof(struct esp_hdr) +\n+\t\t\tsa->iv_len + payload_len;\n+\t\tbreak;\n+\tdefault:\n+\t\tRTE_LOG(ERR, IPSEC_ESP, \"unsupported cipher algorithm 
%u\\n\",\n+\t\t\t\tsa->cipher_algo);\n+\t\treturn -EINVAL;\n+\t}\n \n \tsym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,\n \t\t\trte_pktmbuf_pkt_len(m) - sa->digest_len);\n@@ -282,10 +277,25 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \n \tsa->seq++;\n \tesp->spi = rte_cpu_to_be_32(sa->spi);\n-\tesp->seq = rte_cpu_to_be_32(sa->seq);\n+\tesp->seq = rte_cpu_to_be_32((uint32_t)sa->seq);\n \n-\tif (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)\n-\t\trandom_iv_u64((uint64_t *)(esp + 1), sa->iv_len);\n+\tuint64_t *iv = (uint64_t *)(esp + 1);\n+\n+\tsym_cop = get_sym_cop(cop);\n+\tsym_cop->m_src = m;\n+\tswitch (sa->cipher_algo) {\n+\tcase RTE_CRYPTO_CIPHER_NULL:\n+\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\tmemset(iv, 0, sa->iv_len);\n+\t\tsym_cop->cipher.data.offset = ip_hdr_len +\n+\t\t\tsizeof(struct esp_hdr);\n+\t\tsym_cop->cipher.data.length = pad_payload_len + sa->iv_len;\n+\t\tbreak;\n+\tdefault:\n+\t\tRTE_LOG(ERR, IPSEC_ESP, \"unsupported cipher algorithm %u\\n\",\n+\t\t\t\tsa->cipher_algo);\n+\t\treturn -EINVAL;\n+\t}\n \n \t/* Fill pad_len using default sequential scheme */\n \tfor (i = 0; i < pad_len - 2; i++)\n@@ -293,22 +303,27 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \tpadding[pad_len - 2] = pad_len - 2;\n \tpadding[pad_len - 1] = nlp;\n \n-\tsym_cop = (struct rte_crypto_sym_op *)(cop + 1);\n-\n-\tsym_cop->m_src = m;\n-\tsym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct esp_hdr) +\n-\t\t\tsa->iv_len;\n-\tsym_cop->cipher.data.length = pad_payload_len;\n-\n-\tsym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, uint8_t *,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n+\tstruct cnt_blk *icb = get_cnt_blk(m);\n+\ticb->salt = sa->salt;\n+\ticb->iv = sa->seq;\n+\ticb->cnt = rte_cpu_to_be_32(1);\n+\tsym_cop->cipher.iv.data = (uint8_t *)icb;\n \tsym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n-\tsym_cop->cipher.iv.length = 
sa->iv_len;\n-\n-\tsym_cop->auth.data.offset = ip_hdr_len;\n-\tsym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len +\n-\t\tpad_payload_len;\n+\t\t\t (uint8_t *)icb - rte_pktmbuf_mtod(m, uint8_t *));\n+\tsym_cop->cipher.iv.length = 16;\n+\n+\tswitch (sa->cipher_algo) {\n+\tcase RTE_CRYPTO_CIPHER_NULL:\n+\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\tsym_cop->auth.data.offset = ip_hdr_len;\n+\t\tsym_cop->auth.data.length = sizeof(struct esp_hdr) +\n+\t\t\tsa->iv_len + pad_payload_len;\n+\t\tbreak;\n+\tdefault:\n+\t\tRTE_LOG(ERR, IPSEC_ESP, \"unsupported cipher algorithm %u\\n\",\n+\t\t\t\tsa->cipher_algo);\n+\t\treturn -EINVAL;\n+\t}\n \n \tsym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,\n \t\t\trte_pktmbuf_pkt_len(m) - sa->digest_len);\ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex 4cc316c..ad96782 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -95,8 +95,9 @@ struct ip_addr {\n struct ipsec_sa {\n \tuint32_t spi;\n \tuint32_t cdev_id_qp;\n+\tuint64_t seq;\n+\tuint32_t salt;\n \tstruct rte_cryptodev_sym_session *crypto_session;\n-\tuint32_t seq;\n \tenum rte_crypto_cipher_algorithm cipher_algo;\n \tenum rte_crypto_auth_algorithm auth_algo;\n \tuint16_t digest_len;\n@@ -116,10 +117,11 @@ struct ipsec_sa {\n } __rte_cache_aligned;\n \n struct ipsec_mbuf_metadata {\n+\tuint8_t buf[32];\n \tstruct ipsec_sa *sa;\n \tstruct rte_crypto_op cop;\n \tstruct rte_crypto_sym_op sym_cop;\n-};\n+} __rte_cache_aligned;\n \n struct cdev_qp {\n \tuint16_t id;\n@@ -157,6 +159,12 @@ struct socket_ctx {\n \tstruct rte_mempool *mbuf_pool;\n };\n \n+struct cnt_blk {\n+\tuint32_t salt;\n+\tuint64_t iv;\n+\tuint32_t cnt;\n+} __attribute__((packed));\n+\n uint16_t\n ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],\n \t\tuint16_t nb_pkts, uint16_t len);\n@@ -177,6 +185,20 @@ get_priv(struct rte_mbuf *m)\n \treturn RTE_PTR_ADD(m, sizeof(struct rte_mbuf));\n }\n \n+static inline void 
*\n+get_cnt_blk(struct rte_mbuf *m)\n+{\n+\tstruct ipsec_mbuf_metadata *priv = get_priv(m);\n+\n+\treturn &priv->buf[0];\n+}\n+\n+static inline void *\n+get_sym_cop(struct rte_crypto_op *cop)\n+{\n+\treturn (cop + 1);\n+}\n+\n int\n inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);\n \n",
    "prefixes": [
        "dpdk-dev",
        "v3",
        "1/9"
    ]
}
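Review bot: In the esp_outbound hunks of examples/ipsec-secgw/esp.c the counter block passed as the cipher IV is built from `sa->salt`, `sa->seq` and a constant 1, so the on-wire IV (the encrypted zero block) is unique per key only if that pair never repeats under the same key. The patch adds `salt` to `struct ipsec_sa`, but nothing visible in this diff assigns it, and `seq` presumably restarts when the SA is re-created; if the key is static, a restart would then replay the same IV sequence, so it is worth setting `salt` from a random source at SA setup or documenting that keys must change across restarts. The literal in `sym_cop->cipher.iv.length = 16;` also silently ties the scheme to the size of `struct cnt_blk` and to `sa->iv_len` being one AES block, and it is applied on the `RTE_CRYPTO_CIPHER_NULL` path as well; `sym_cop->cipher.iv.length = sizeof(struct cnt_blk);` with a short comment explaining why the zeroed IV field is included in the cipher range would make that dependency explicit. esp_outbound's body begins and ends outside the hunks shown.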