http://patches.dpdk.org/api/patches/16234/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com", "date": "2016-09-29T15:44:07", "name": "[dpdk-dev,v3,1/9] examples/ipsec-secgw: change CBC IV generation", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "74a2bd9b19b3928816388cc83f87ac44b88420a7", "submitter": { "id": 73, "url": "http://patches.dpdk.org/api/people/73/?format=api", "name": "Sergio Gonzalez Monroy", "email": "sergio.gonzalez.monroy@intel.com" }, "delegate": { "id": 22, "url": "http://patches.dpdk.org/api/users/22/?format=api", "username": "pdelarag", "first_name": "Pablo", "last_name": "de Lara Guarch", "email": "pablo.de.lara.guarch@intel.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com/mbox/", "series": [], "comments": "http://patches.dpdk.org/api/patches/16234/comments/", "check": "pending", "checks": "http://patches.dpdk.org/api/patches/16234/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [IPv6:::1])\n\tby dpdk.org (Postfix) with ESMTP id D3741590E;\n\tThu, 29 Sep 2016 
17:44:28 +0200 (CEST)", "from mga11.intel.com (mga11.intel.com [192.55.52.93])\n\tby dpdk.org (Postfix) with ESMTP id C04C95689\n\tfor <dev@dpdk.org>; Thu, 29 Sep 2016 17:44:23 +0200 (CEST)", "from fmsmga005.fm.intel.com ([10.253.24.32])\n\tby fmsmga102.fm.intel.com with ESMTP; 29 Sep 2016 08:44:20 -0700", "from sie-lab-212-109.ir.intel.com (HELO\n\tsilpixa00389029.ir.intel.com) ([10.237.212.109])\n\tby fmsmga005.fm.intel.com with ESMTP; 29 Sep 2016 08:44:19 -0700" ], "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.30,415,1470726000\"; d=\"scan'208\";a=\"14587568\"", "From": "Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>", "To": "dev@dpdk.org", "Cc": "pablo.de.lara.guarch@intel.com", "Date": "Thu, 29 Sep 2016 16:44:07 +0100", "Message-Id": "<1475163857-142366-2-git-send-email-sergio.gonzalez.monroy@intel.com>", "X-Mailer": "git-send-email 2.5.5", "In-Reply-To": "<1475163857-142366-1-git-send-email-sergio.gonzalez.monroy@intel.com>", "References": "<1474616734-118291-1-git-send-email-sergio.gonzalez.monroy@intel.com>\n\t<1475163857-142366-1-git-send-email-sergio.gonzalez.monroy@intel.com>", "Subject": "[dpdk-dev] [PATCH v3 1/9] examples/ipsec-secgw: change CBC IV\n\tgeneration", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "patches and discussions about DPDK <dev.dpdk.org>", "List-Unsubscribe": "<http://dpdk.org/ml/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://dpdk.org/ml/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<http://dpdk.org/ml/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "NIST SP800-38A recommends two methods to generate unpredictable IVs\n(Initilisation Vector) for CBC mode:\n1) Apply the forward function to a nonce (ie. 
counter)\n2) Use a FIPS-approved random number generator\n\nThis patch implements the first recommended method by using the forward\nfunction to generate the IV.\n\nSigned-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>\n---\n examples/ipsec-secgw/esp.c | 99 +++++++++++++++++++++++++-------------------\n examples/ipsec-secgw/ipsec.h | 26 +++++++++++-\n 2 files changed, 81 insertions(+), 44 deletions(-)", "diff": "diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c\nindex 05caa77..21b2f02 100644\n--- a/examples/ipsec-secgw/esp.c\n+++ b/examples/ipsec-secgw/esp.c\n@@ -50,21 +50,6 @@\n #include \"esp.h\"\n #include \"ipip.h\"\n \n-static inline void\n-random_iv_u64(uint64_t *buf, uint16_t n)\n-{\n-\tuint32_t left = n & 0x7;\n-\tuint32_t i;\n-\n-\tRTE_ASSERT((n & 0x3) == 0);\n-\n-\tfor (i = 0; i < (n >> 3); i++)\n-\t\tbuf[i] = rte_rand();\n-\n-\tif (left)\n-\t\t*((uint32_t *)&buf[i]) = (uint32_t)lrand48();\n-}\n-\n int\n esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \t\tstruct rte_crypto_op *cop)\n@@ -98,22 +83,32 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \t\treturn -EINVAL;\n \t}\n \n-\tsym_cop = (struct rte_crypto_sym_op *)(cop + 1);\n+\tsym_cop = get_sym_cop(cop);\n \n \tsym_cop->m_src = m;\n \tsym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct esp_hdr) +\n \t\tsa->iv_len;\n \tsym_cop->cipher.data.length = payload_len;\n \n-\tsym_cop->cipher.iv.data = rte_pktmbuf_mtod_offset(m, void*,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n-\tsym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n-\tsym_cop->cipher.iv.length = sa->iv_len;\n+\tuint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len + sizeof(struct esp_hdr));\n+\n+\tswitch (sa->cipher_algo) {\n+\tcase RTE_CRYPTO_CIPHER_NULL:\n+\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\tsym_cop->cipher.iv.data = iv;\n+\t\tsym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,\n+\t\t\t\t ip_hdr_len + sizeof(struct 
esp_hdr));\n+\t\tsym_cop->cipher.iv.length = sa->iv_len;\n \n-\tsym_cop->auth.data.offset = ip_hdr_len;\n-\tsym_cop->auth.data.length = sizeof(struct esp_hdr) +\n-\t\tsa->iv_len + payload_len;\n+\t\tsym_cop->auth.data.offset = ip_hdr_len;\n+\t\tsym_cop->auth.data.length = sizeof(struct esp_hdr) +\n+\t\t\tsa->iv_len + payload_len;\n+\t\tbreak;\n+\tdefault:\n+\t\tRTE_LOG(ERR, IPSEC_ESP, \"unsupported cipher algorithm %u\\n\",\n+\t\t\t\tsa->cipher_algo);\n+\t\treturn -EINVAL;\n+\t}\n \n \tsym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, void*,\n \t\t\trte_pktmbuf_pkt_len(m) - sa->digest_len);\n@@ -282,10 +277,25 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \n \tsa->seq++;\n \tesp->spi = rte_cpu_to_be_32(sa->spi);\n-\tesp->seq = rte_cpu_to_be_32(sa->seq);\n+\tesp->seq = rte_cpu_to_be_32((uint32_t)sa->seq);\n \n-\tif (sa->cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)\n-\t\trandom_iv_u64((uint64_t *)(esp + 1), sa->iv_len);\n+\tuint64_t *iv = (uint64_t *)(esp + 1);\n+\n+\tsym_cop = get_sym_cop(cop);\n+\tsym_cop->m_src = m;\n+\tswitch (sa->cipher_algo) {\n+\tcase RTE_CRYPTO_CIPHER_NULL:\n+\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\tmemset(iv, 0, sa->iv_len);\n+\t\tsym_cop->cipher.data.offset = ip_hdr_len +\n+\t\t\tsizeof(struct esp_hdr);\n+\t\tsym_cop->cipher.data.length = pad_payload_len + sa->iv_len;\n+\t\tbreak;\n+\tdefault:\n+\t\tRTE_LOG(ERR, IPSEC_ESP, \"unsupported cipher algorithm %u\\n\",\n+\t\t\t\tsa->cipher_algo);\n+\t\treturn -EINVAL;\n+\t}\n \n \t/* Fill pad_len using default sequential scheme */\n \tfor (i = 0; i < pad_len - 2; i++)\n@@ -293,22 +303,27 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,\n \tpadding[pad_len - 2] = pad_len - 2;\n \tpadding[pad_len - 1] = nlp;\n \n-\tsym_cop = (struct rte_crypto_sym_op *)(cop + 1);\n-\n-\tsym_cop->m_src = m;\n-\tsym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct esp_hdr) +\n-\t\t\tsa->iv_len;\n-\tsym_cop->cipher.data.length = pad_payload_len;\n-\n-\tsym_cop->cipher.iv.data = 
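Review bot: The `switch (sa->cipher_algo)` added to esp_inbound validates an SA configuration value on every packet, and the identical `default:` log-and-return block is repeated in both esp_outbound hunks of this file; since `cipher_algo` is fixed when the SA is created, rejecting unsupported algorithms once at SA setup would remove the three copies and keep the per-packet path branch-free. If the per-packet check is kept, the new `uint8_t *iv = RTE_PTR_ADD(ip4, ip_hdr_len + sizeof(struct esp_hdr));` deserves a comment tying it to the unchanged `cipher.data.offset`, e.g. `/* on-wire IV sits between the ESP header and the cipher range; AES-CBC decrypts with it as-is */`. esp_inbound begins and ends outside this hunk.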
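Review bot: The `memset(iv, 0, sa->iv_len)` in esp_outbound, together with `cipher.data.offset = ip_hdr_len + sizeof(struct esp_hdr)` and `cipher.data.length = pad_payload_len + sa->iv_len`, is the whole SP800-38A method 1 construction and nothing in the code says so: the zeroed IV field is encrypted as the first CBC block, so the first ciphertext block equals the forward function applied to the counter block that the next hunk supplies as `cipher.iv.data`, and that block is what leaves the box as the ESP IV. A comment above the memset such as `/* IV field is zeroed and included in the cipher range: the first CBC output block is E_K(counter block) and becomes the on-wire IV (SP800-38A, unpredictable-IV method 1) */` would keep a later maintainer from "fixing" the offset back to skip the IV. Separately, `sa->seq++` on the context line precedes the new `return -EINVAL`, so an unsupported algorithm consumes a sequence number, and `rte_cpu_to_be_32((uint32_t)sa->seq)` silently wraps the on-wire number after 2^32 packets with no ESN or rekey check visible here. esp_outbound begins and ends outside this hunk.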
rte_pktmbuf_mtod_offset(m, uint8_t *,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n+\tstruct cnt_blk *icb = get_cnt_blk(m);\n+\ticb->salt = sa->salt;\n+\ticb->iv = sa->seq;\n+\ticb->cnt = rte_cpu_to_be_32(1);\n+\tsym_cop->cipher.iv.data = (uint8_t *)icb;\n \tsym_cop->cipher.iv.phys_addr = rte_pktmbuf_mtophys_offset(m,\n-\t\t\t ip_hdr_len + sizeof(struct esp_hdr));\n-\tsym_cop->cipher.iv.length = sa->iv_len;\n-\n-\tsym_cop->auth.data.offset = ip_hdr_len;\n-\tsym_cop->auth.data.length = sizeof(struct esp_hdr) + sa->iv_len +\n-\t\tpad_payload_len;\n+\t\t\t (uint8_t *)icb - rte_pktmbuf_mtod(m, uint8_t *));\n+\tsym_cop->cipher.iv.length = 16;\n+\n+\tswitch (sa->cipher_algo) {\n+\tcase RTE_CRYPTO_CIPHER_NULL:\n+\tcase RTE_CRYPTO_CIPHER_AES_CBC:\n+\t\tsym_cop->auth.data.offset = ip_hdr_len;\n+\t\tsym_cop->auth.data.length = sizeof(struct esp_hdr) +\n+\t\t\tsa->iv_len + pad_payload_len;\n+\t\tbreak;\n+\tdefault:\n+\t\tRTE_LOG(ERR, IPSEC_ESP, \"unsupported cipher algorithm %u\\n\",\n+\t\t\t\tsa->cipher_algo);\n+\t\treturn -EINVAL;\n+\t}\n \n \tsym_cop->auth.digest.data = rte_pktmbuf_mtod_offset(m, uint8_t *,\n \t\t\trte_pktmbuf_pkt_len(m) - sa->digest_len);\ndiff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h\nindex 4cc316c..ad96782 100644\n--- a/examples/ipsec-secgw/ipsec.h\n+++ b/examples/ipsec-secgw/ipsec.h\n@@ -95,8 +95,9 @@ struct ip_addr {\n struct ipsec_sa {\n \tuint32_t spi;\n \tuint32_t cdev_id_qp;\n+\tuint64_t seq;\n+\tuint32_t salt;\n \tstruct rte_cryptodev_sym_session *crypto_session;\n-\tuint32_t seq;\n \tenum rte_crypto_cipher_algorithm cipher_algo;\n \tenum rte_crypto_auth_algorithm auth_algo;\n \tuint16_t digest_len;\n@@ -116,10 +117,11 @@ struct ipsec_sa {\n } __rte_cache_aligned;\n \n struct ipsec_mbuf_metadata {\n+\tuint8_t buf[32];\n \tstruct ipsec_sa *sa;\n \tstruct rte_crypto_op cop;\n \tstruct rte_crypto_sym_op sym_cop;\n-};\n+} __rte_cache_aligned;\n \n struct cdev_qp {\n \tuint16_t id;\n@@ -157,6 +159,12 @@ struct socket_ctx 
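Review bot: `sym_cop->cipher.iv.length = 16;` hard-codes the size of the counter block while the `struct cnt_blk` it points to is declared packed in ipsec.h; `sym_cop->cipher.iv.length = sizeof(*icb);` keeps the two in step. The physical address is derived from `(uint8_t *)icb - rte_pktmbuf_mtod(m, uint8_t *)`, which is negative because `priv->buf` lives in the mbuf private area ahead of the data buffer; this only works because that area belongs to the same physically contiguous mbuf object, and a one-line comment, `/* icb is in the mbuf private area, so its offset from the data pointer is negative */`, is warranted. `icb->salt = sa->salt` reads a field the ipsec.h hunk adds to `struct ipsec_sa` but no hunk shown here initialises, so unless SA setup fills it the nonce reduces to (0, seq, 1); that is still unique per SA as long as `seq` never repeats under the same key, which is the property method 1 relies on. The second `switch (sa->cipher_algo)` in this function cannot reach its `default:` because the first one in the previous hunk already returned, so the auth offset/length assignments could be unconditional.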
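Review bot: `uint8_t buf[32];` in `struct ipsec_mbuf_metadata` is added without a comment, and its only reader in this patch is `get_cnt_blk()`, which returns it as the counter block that esp.c hands to the crypto device as the CBC IV. A comment such as `/* scratch space for the per-packet counter block (struct cnt_blk) passed as cipher IV */` would explain both the field and why the struct is now `__rte_cache_aligned`. Because esp.c addresses the block by physical address, the mbuf private area must be sized to hold the whole struct; that sizing is not in this patch, so I assume it is handled where the mempool is created.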
{\n \tstruct rte_mempool *mbuf_pool;\n };\n \n+struct cnt_blk {\n+\tuint32_t salt;\n+\tuint64_t iv;\n+\tuint32_t cnt;\n+} __attribute__((packed));\n+\n uint16_t\n ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],\n \t\tuint16_t nb_pkts, uint16_t len);\n@@ -177,6 +185,20 @@ get_priv(struct rte_mbuf *m)\n \treturn RTE_PTR_ADD(m, sizeof(struct rte_mbuf));\n }\n \n+static inline void *\n+get_cnt_blk(struct rte_mbuf *m)\n+{\n+\tstruct ipsec_mbuf_metadata *priv = get_priv(m);\n+\n+\treturn &priv->buf[0];\n+}\n+\n+static inline void *\n+get_sym_cop(struct rte_crypto_op *cop)\n+{\n+\treturn (cop + 1);\n+}\n+\n int\n inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);\n \n", "prefixes": [ "dpdk-dev", "v3", "1/9" ] }{ "id": 16234, "url": "
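Review bot: `struct cnt_blk` is declared `__attribute__((packed))` so that `salt`/`iv`/`cnt` occupy exactly 16 bytes, but that invariant is documented nowhere and is only enforced by the literal `16` in esp.c; a header comment, `/* 16-byte nonce block (salt | seq | counter) used verbatim as the AES-CBC IV input, see esp_outbound() */`, would state the contract the packing exists for. The fields also mix byte orders at the call site (`cnt` is stored big-endian, `iv` in host order); for CBC only uniqueness of the block matters, but if the layout is meant to match a wire counter-block format later in the series, say so next to the struct.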
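Review bot: Both new helpers return `void *` although each has exactly one concrete type: `get_cnt_blk()` returns `&priv->buf[0]`, which esp.c immediately treats as `struct cnt_blk *`, and `get_sym_cop()` returns `cop + 1`, which is always used as `struct rte_crypto_sym_op *`. Declaring them `static inline struct cnt_blk *get_cnt_blk(struct rte_mbuf *m)` and `static inline struct rte_crypto_sym_op *get_sym_cop(struct rte_crypto_op *cop)` lets the compiler check every caller instead of relying on implicit void-pointer conversion. `get_sym_cop()` also encodes a layout assumption that deserves a comment, `/* the sym op is allocated immediately after the rte_crypto_op */`.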