From: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org>
Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org>
---
/** Email created from pull request 351 (lumag:ipsec_crypto_caps)
** https://github.com/Linaro/odp/pull/351
** Patch: https://github.com/Linaro/odp/pull/351.patch
** Base sha: 12fd3a9224a856271934986a1bad981843915d68
** Merge commit sha: 178b98f2e440762b31d9e91d85aafbe82829c231
**/
.../linux-generic/include/odp_ipsec_internal.h | 6 ++
platform/linux-generic/odp_ipsec.c | 48 ++++++++++-
platform/linux-generic/odp_ipsec_sad.c | 97 ++++++++++++++--------
3 files changed, 114 insertions(+), 37 deletions(-)
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h
b/platform/linux-generic/include/odp_ipsec_internal.h
index c6f241fac..70a583c5b 100644
--- a/platform/linux-generic/include/odp_ipsec_internal.h
+++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -206,6 +206,12 @@ typedef struct ODP_PACKED {
odp_u32be_t seq_no; /**< Sequence Number */
} ipsec_aad_t;
+/* Return IV length required for the cipher for IPsec use */
+uint32_t _odp_ipsec_cipher_iv_len(odp_cipher_alg_t cipher);
+
+/* Return digest length required for the cipher for IPsec use */
+uint32_t _odp_ipsec_auth_digest_len(odp_auth_alg_t auth);
+
/**
* Obtain SA reference
*/
diff --git a/platform/linux-generic/odp_ipsec.c
b/platform/linux-generic/odp_ipsec.c
index 4f23eb17b..89a05acdb 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -58,15 +58,55 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa)
}
int odp_ipsec_cipher_capability(odp_cipher_alg_t cipher,
- odp_crypto_cipher_capability_t capa[], int num)
+ odp_ipsec_cipher_capability_t capa[], int num)
{
- return odp_crypto_cipher_capability(cipher, capa, num);
+ int caps = odp_crypto_cipher_capability(cipher, NULL, 0);
+ odp_crypto_cipher_capability_t crypto_capa[caps];
+ uint32_t req_iv_len;
+ int rc, i, out;
+
+ rc = odp_crypto_cipher_capability(cipher, crypto_capa, caps);
+ if (rc <= 0)
+ return rc;
+
+ req_iv_len = _odp_ipsec_cipher_iv_len(cipher);
+ for (i = 0, out = 0; i < rc; i++) {
+ if (crypto_capa[i].iv_len != req_iv_len)
+ continue;
+
+ if (out < num)
+ capa[out].key_len = crypto_capa[i].key_len;
+ out ++;
+ }
+
+ return out;
}
int odp_ipsec_auth_capability(odp_auth_alg_t auth,
- odp_crypto_auth_capability_t capa[], int num)
+ odp_ipsec_auth_capability_t capa[], int num)
{
- return odp_crypto_auth_capability(auth, capa, num);
+ int caps = odp_crypto_auth_capability(auth, NULL, 0);
+ odp_crypto_auth_capability_t crypto_capa[caps];
+ uint32_t req_digest_len;
+ int rc, i, out;
+
+ rc = odp_crypto_auth_capability(auth, crypto_capa, caps);
+ if (rc <= 0)
+ return rc;
+
+ req_digest_len = _odp_ipsec_auth_digest_len(auth);
+ for (i = 0, out = 0; i < rc; i++) {
+ if (crypto_capa[i].digest_len != req_digest_len)
+ continue;
+
+ /* FIXME: check AAD len for AES_GCM/AES128_GCM */
+
+ if (out < num)
+ capa[out].key_len = crypto_capa[i].key_len;
+ out ++;
+ }
+
+ return out;
}
void odp_ipsec_config_init(odp_ipsec_config_t *config)
diff --git a/platform/linux-generic/odp_ipsec_sad.c
b/platform/linux-generic/odp_ipsec_sad.c
index 2d6321166..1dbfc5444 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -190,12 +190,66 @@ void odp_ipsec_sa_param_init(odp_ipsec_sa_param_t *param)
param->dest_queue = ODP_QUEUE_INVALID;
}
+/* Return IV length required for the cipher for IPsec use */
+uint32_t _odp_ipsec_cipher_iv_len(odp_cipher_alg_t cipher)
+{
+ switch (cipher) {
+ case ODP_CIPHER_ALG_NULL:
+ return 0;
+ case ODP_CIPHER_ALG_DES:
+ case ODP_CIPHER_ALG_3DES_CBC:
+ return 8;
+#if ODP_DEPRECATED_API
+ case ODP_CIPHER_ALG_AES128_CBC:
+#endif
+ case ODP_CIPHER_ALG_AES_CBC:
+ case ODP_CIPHER_ALG_AES_CTR:
+ return 16;
+#if ODP_DEPRECATED_API
+ case ODP_CIPHER_ALG_AES128_GCM:
+#endif
+ case ODP_CIPHER_ALG_AES_GCM:
+ return 12;
+ default:
+ return (uint32_t)-1;
+ }
+}
+
+/* Return digest length required for the cipher for IPsec use */
+uint32_t _odp_ipsec_auth_digest_len(odp_auth_alg_t auth)
+{
+ switch (auth) {
+ case ODP_AUTH_ALG_NULL:
+ return 0;
+#if ODP_DEPRECATED_API
+ case ODP_AUTH_ALG_MD5_96:
+#endif
+ case ODP_AUTH_ALG_MD5_HMAC:
+ case ODP_AUTH_ALG_SHA1_HMAC:
+ return 12;
+#if ODP_DEPRECATED_API
+ case ODP_AUTH_ALG_SHA256_128:
+#endif
+ case ODP_AUTH_ALG_SHA256_HMAC:
+ return 16;
+ case ODP_AUTH_ALG_SHA512_HMAC:
+ return 32;
+#if ODP_DEPRECATED_API
+ case ODP_AUTH_ALG_AES128_GCM:
+#endif
+ case ODP_AUTH_ALG_AES_GCM:
+ case ODP_AUTH_ALG_AES_GMAC:
+ return 16;
+ default:
+ return (uint32_t)-1;
+ }
+}
+
odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
{
ipsec_sa_t *ipsec_sa;
odp_crypto_session_param_t crypto_param;
odp_crypto_ses_create_err_t ses_create_rc;
- uint32_t aad_len = 0;
ipsec_sa = ipsec_sa_reserve();
if (NULL == ipsec_sa) {
@@ -297,17 +351,21 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const
odp_ipsec_sa_param_t *param)
crypto_param.auth_alg = param->crypto.auth_alg;
crypto_param.auth_key = param->crypto.auth_key;
+ crypto_param.iv.length =
+ _odp_ipsec_cipher_iv_len(crypto_param.cipher_alg);
+
+ crypto_param.auth_digest_len =
+ _odp_ipsec_auth_digest_len(crypto_param.auth_alg);
+
switch (crypto_param.cipher_alg) {
case ODP_CIPHER_ALG_NULL:
ipsec_sa->esp_iv_len = 0;
ipsec_sa->esp_block_len = 1;
- crypto_param.iv.length = 0;
break;
case ODP_CIPHER_ALG_DES:
case ODP_CIPHER_ALG_3DES_CBC:
ipsec_sa->esp_iv_len = 8;
ipsec_sa->esp_block_len = 8;
- crypto_param.iv.length = 8;
break;
#if ODP_DEPRECATED_API
case ODP_CIPHER_ALG_AES128_CBC:
@@ -315,14 +373,12 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const
odp_ipsec_sa_param_t *param)
case ODP_CIPHER_ALG_AES_CBC:
ipsec_sa->esp_iv_len = 16;
ipsec_sa->esp_block_len = 16;
- crypto_param.iv.length = 16;
break;
case ODP_CIPHER_ALG_AES_CTR:
ipsec_sa->use_counter_iv = 1;
ipsec_sa->aes_ctr_iv = 1;
ipsec_sa->esp_iv_len = 8;
ipsec_sa->esp_block_len = 16;
- crypto_param.iv.length = 16;
break;
#if ODP_DEPRECATED_API
case ODP_CIPHER_ALG_AES128_GCM:
@@ -331,40 +387,17 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const
odp_ipsec_sa_param_t *param)
ipsec_sa->use_counter_iv = 1;
ipsec_sa->esp_iv_len = 8;
ipsec_sa->esp_block_len = 16;
- crypto_param.iv.length = 12;
break;
default:
goto error;
}
switch (crypto_param.auth_alg) {
- case ODP_AUTH_ALG_NULL:
- ipsec_sa->icv_len = 0;
- break;
-#if ODP_DEPRECATED_API
- case ODP_AUTH_ALG_MD5_96:
-#endif
- case ODP_AUTH_ALG_MD5_HMAC:
- ipsec_sa->icv_len = 12;
- break;
- case ODP_AUTH_ALG_SHA1_HMAC:
- ipsec_sa->icv_len = 12;
- break;
-#if ODP_DEPRECATED_API
- case ODP_AUTH_ALG_SHA256_128:
-#endif
- case ODP_AUTH_ALG_SHA256_HMAC:
- ipsec_sa->icv_len = 16;
- break;
- case ODP_AUTH_ALG_SHA512_HMAC:
- ipsec_sa->icv_len = 32;
- break;
#if ODP_DEPRECATED_API
case ODP_AUTH_ALG_AES128_GCM:
#endif
case ODP_AUTH_ALG_AES_GCM:
- ipsec_sa->icv_len = 16;
- aad_len = sizeof(ipsec_aad_t);
+ crypto_param.auth_aad_len = sizeof(ipsec_aad_t);
break;
case ODP_AUTH_ALG_AES_GMAC:
if (ODP_CIPHER_ALG_NULL != crypto_param.cipher_alg)
@@ -372,19 +405,17 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const
odp_ipsec_sa_param_t *param)
ipsec_sa->use_counter_iv = 1;
ipsec_sa->esp_iv_len = 8;
ipsec_sa->esp_block_len = 16;
- ipsec_sa->icv_len = 16;
crypto_param.iv.length = 12;
break;
default:
- goto error;
+ break;
}
if (1 == ipsec_sa->use_counter_iv &&
ODP_IPSEC_DIR_OUTBOUND == param->dir)
odp_atomic_init_u64(&ipsec_sa->out.counter, 1);
- crypto_param.auth_digest_len = ipsec_sa->icv_len;
- crypto_param.auth_aad_len = aad_len;
+ ipsec_sa->icv_len = crypto_param.auth_digest_len;
if (param->crypto.cipher_key_extra.length) {
if (param->crypto.cipher_key_extra.length >
