authorAakash Sasidharan <asasidharan@marvell.com>2021-06-07 12:31:04 +0530
committerPetri Savolainen <petri.savolainen@nokia.com>2021-06-17 09:45:53 +0300
commitcdfc7a3f375af613c0cfb4b5f55c30056a41135f (patch)
tree9745672ce5453a5740e1aa72342a66140234abbc
parente37c49f5c6ec3443ae1f9e835775a761a8ceaa48 (diff)
example: ipsec: add sha1 and sha256 support in AH mode
Currently AH mode supports only MD5 auth. Enable support for SHA1 and SHA256 auth algorithms. Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com> Reviewed-by: Janne Peltonen <janne.peltonen@nokia.com>
-rw-r--r--example/ipsec_api/odp_ipsec.c2
-rw-r--r--example/ipsec_crypto/odp_ipsec.c2
-rw-r--r--example/ipsec_crypto/odp_ipsec_misc.h4
-rw-r--r--example/ipsec_crypto/odp_ipsec_sa_db.c4
-rw-r--r--example/ipsec_crypto/odp_ipsec_stream.c45
-rw-r--r--example/ipsec_crypto/odp_ipsec_stream.h3
6 files changed, 50 insertions, 10 deletions
diff --git a/example/ipsec_api/odp_ipsec.c b/example/ipsec_api/odp_ipsec.c
index d23eeb2c6..5cdb59da3 100644
--- a/example/ipsec_api/odp_ipsec.c
+++ b/example/ipsec_api/odp_ipsec.c
@@ -1346,7 +1346,7 @@ static void usage(char *progname)
" -r, --route SubNet,Intf,NextHopMAC\n"
" -p, --policy SrcSubNet,DstSubNet,(in|out),(ah|esp)\n"
" -e, --esp SrcIP,DstIP,(3des|null),SPI,Key192\n"
- " -a, --ah SrcIP,DstIP,(sha256|md5|null),SPI,Key(256|128)\n"
+ " -a, --ah SrcIP,DstIP,(sha256|sha1|md5|null),SPI,Key(256|160|128)\n"
"\n"
" Where: NextHopMAC is raw hex/colon notation, i.e. 03:BA:44:9A:CE:02\n"
" IP is decimal/dot notation, i.e. 192.168.1.1\n"
diff --git a/example/ipsec_crypto/odp_ipsec.c b/example/ipsec_crypto/odp_ipsec.c
index d6102b866..a55aa6aba 100644
--- a/example/ipsec_crypto/odp_ipsec.c
+++ b/example/ipsec_crypto/odp_ipsec.c
@@ -1646,7 +1646,7 @@ static void usage(char *progname)
" -r, --route SubNet,Intf,NextHopMAC\n"
" -p, --policy SrcSubNet,DstSubNet,(in|out),(ah|esp|both)\n"
" -e, --esp SrcIP,DstIP,(3des|null),SPI,Key192\n"
- " -a, --ah SrcIP,DstIP,(sha256|md5|null),SPI,Key(256|128)\n"
+ " -a, --ah SrcIP,DstIP,(sha256|sha1|md5|null),SPI,Key(256|160|128)\n"
"\n"
" Where: NextHopMAC is raw hex/colon notation, i.e. 03:BA;44:9A:CE:02\n"
" IP is decimal/dot notation, i.e. 192.168.1.1\n"
diff --git a/example/ipsec_crypto/odp_ipsec_misc.h b/example/ipsec_crypto/odp_ipsec_misc.h
index 0ff3fc0c7..23b89ae84 100644
--- a/example/ipsec_crypto/odp_ipsec_misc.h
+++ b/example/ipsec_crypto/odp_ipsec_misc.h
@@ -28,6 +28,7 @@ extern "C" {
#define KEY_BITS_3DES 192 /**< 3DES cipher key length in bits */
#define KEY_BITS_MD5_96 128 /**< MD5_96 auth key length in bits */
+#define KEY_BITS_SHA1_96 160 /**< MD5_96 auth key length in bits */
#define KEY_BITS_SHA256_128 256 /**< SHA256_128 auth key length in bits */
/**< Number of bits represnted by a string of hexadecimal characters */
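Review bot: The comment on the new `KEY_BITS_SHA1_96` define was copied from the MD5 line and still says MD5_96. It should read `#define KEY_BITS_SHA1_96 160 /**< SHA1_96 auth key length in bits */`, matching the SHA256 line directly below it.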
@@ -101,6 +102,9 @@ int parse_key_string(char *keystring,
if ((alg->u.auth == ODP_AUTH_ALG_MD5_HMAC) &&
(KEY_BITS_MD5_96 == key_bits_in))
key->length = key_bits_in / 8;
+ else if ((alg->u.auth == ODP_AUTH_ALG_SHA1_HMAC) &&
+ (KEY_BITS_SHA1_96 == key_bits_in))
+ key->length = key_bits_in / 8;
else if ((alg->u.auth == ODP_AUTH_ALG_SHA256_HMAC) &&
(KEY_BITS_SHA256_128 == key_bits_in))
key->length = key_bits_in / 8;
diff --git a/example/ipsec_crypto/odp_ipsec_sa_db.c b/example/ipsec_crypto/odp_ipsec_sa_db.c
index ff9d7e3c7..0d60cbc7a 100644
--- a/example/ipsec_crypto/odp_ipsec_sa_db.c
+++ b/example/ipsec_crypto/odp_ipsec_sa_db.c
@@ -123,6 +123,10 @@ int create_sa_db_entry(char *input, odp_bool_t cipher)
entry->alg.u.auth =
ODP_AUTH_ALG_MD5_HMAC;
entry->icv_len = 12;
+ } else if (!strcmp(token, "sha1")) {
+ entry->alg.u.auth =
+ ODP_AUTH_ALG_SHA1_HMAC;
+ entry->icv_len = 12;
} else if (!strcmp(token, "sha256")) {
entry->alg.u.auth =
ODP_AUTH_ALG_SHA256_HMAC;
diff --git a/example/ipsec_crypto/odp_ipsec_stream.c b/example/ipsec_crypto/odp_ipsec_stream.c
index 0ca5138bc..110f7d5df 100644
--- a/example/ipsec_crypto/odp_ipsec_stream.c
+++ b/example/ipsec_crypto/odp_ipsec_stream.c
@@ -15,7 +15,6 @@
#include <openssl/des.h>
#include <openssl/rand.h>
#include <openssl/hmac.h>
-#include <openssl/evp.h>
#include <odp_api.h>
@@ -139,6 +138,27 @@ int create_stream_db_entry(char *input)
return 0;
}
+static const EVP_MD *get_evp_md(odp_auth_alg_t auth)
+{
+ const EVP_MD *evp_md;
+
+ switch (auth) {
+ case ODP_AUTH_ALG_MD5_HMAC:
+ evp_md = EVP_md5();
+ break;
+ case ODP_AUTH_ALG_SHA1_HMAC:
+ evp_md = EVP_sha1();
+ break;
+ case ODP_AUTH_ALG_SHA256_HMAC:
+ evp_md = EVP_sha256();
+ break;
+ default:
+ evp_md = NULL;
+ }
+
+ return evp_md;
+}
+
void resolve_stream_db(void)
{
stream_db_entry_t *stream = NULL;
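Review bot: `get_evp_md` has no header comment, unlike the documented fields and functions elsewhere in these files. A one-line Doxygen comment above it would do: `/** Map an ODP auth algorithm to the OpenSSL digest used for the AH HMAC; NULL if this example does not support the algorithm */`. The `evp_md` local could also be dropped in favour of returning directly from each case, but that is a matter of taste. resolve_stream_db continues beyond the hunk.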
@@ -156,6 +176,9 @@ void resolve_stream_db(void)
stream->input.pktio = odp_pktio_lookup(stream->input.intf);
+ if (entry)
+ stream->evp_md = get_evp_md(entry->ah.alg);
+
/* Lookup output entry */
entry = find_ipsec_cache_entry_out(stream->src_ip,
stream->dst_ip,
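Review bot: A single `stream->evp_md` is taken from the input SA whenever one exists and only falls back to the output SA in the next hunk of this function, so when both SAs exist but use different AH algorithms the cached digest does not match the output SA that verify_ipv4_packet checks against, and both HMAC calls later in this file read the same cached pointer. The `== NULL` test in the next hunk also assumes the field starts out NULL, which depends on how create_stream_db_entry allocates the entry, not visible here. The simplest fix is to resolve the digest from the SA actually in use at each call site, `HMAC(get_evp_md(entry->ah.alg), ...)`, and drop the cached field; if the cache is kept, store one digest per direction alongside `input.entry` and `output.entry`. resolve_stream_db's loop starts before this hunk.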
@@ -163,6 +186,9 @@ void resolve_stream_db(void)
stream->output.entry = entry;
stream->output.pktio = odp_pktio_lookup(stream->output.intf);
+
+ if (stream->evp_md == NULL && entry)
+ stream->evp_md = get_evp_md(entry->ah.alg);
}
}
@@ -238,6 +264,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
if (entry && (entry == stream->input.entry) &&
(ODP_AUTH_ALG_NULL != entry->ah.alg)) {
if (entry->ah.alg != ODP_AUTH_ALG_MD5_HMAC &&
+ entry->ah.alg != ODP_AUTH_ALG_SHA1_HMAC &&
entry->ah.alg != ODP_AUTH_ALG_SHA256_HMAC)
abort();
@@ -359,7 +386,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
ah->next_header = ip->proto;
ip->proto = ODPH_IPPROTO_AH;
- HMAC(EVP_md5(),
+ HMAC(stream->evp_md,
entry->ah.key.data,
entry->ah.key.length,
(uint8_t *)ip,
@@ -367,7 +394,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream,
hash,
NULL);
- memcpy(ah->icv, hash, 12);
+ memcpy(ah->icv, hash, entry->ah.icv_len);
}
/* Correct set packet length offsets */
@@ -446,7 +473,9 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
return FALSE;
if (odp_be_to_cpu_32(ah->spi) != entry->ah.spi)
return FALSE;
- if (ODP_AUTH_ALG_MD5_HMAC != entry->ah.alg)
+ if (ODP_AUTH_ALG_MD5_HMAC != entry->ah.alg &&
+ ODP_AUTH_ALG_SHA1_HMAC != entry->ah.alg &&
+ ODP_AUTH_ALG_SHA256_HMAC != entry->ah.alg)
abort();
} else {
if (entry && (ODP_AUTH_ALG_NULL != entry->ah.alg))
@@ -473,7 +502,7 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
uint8_t ip_tos;
uint8_t ip_ttl;
uint16_t ip_frag_offset;
- uint8_t icv[12];
+ uint8_t icv[entry->ah.icv_len];
uint8_t hash[EVP_MAX_MD_SIZE];
/* Save/clear mutable fields */
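Review bot: `uint8_t icv[entry->ah.icv_len];` turns a fixed buffer into a VLA sized by a runtime field; VLAs are optional since C11, are commonly rejected by `-Wvla`, and an `icv_len` of 0 would produce a zero-length array, which is undefined. Since the ICV can never exceed the digest length, a fixed `uint8_t icv[EVP_MAX_MD_SIZE];` sized like `hash` on the next line keeps the bounded copies and avoids the VLA; the memcpy/memset in the following hunk already use `entry->ah.icv_len`, so nothing else changes. verify_ipv4_packet starts and ends outside this hunk.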
@@ -484,11 +513,11 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream,
ip->ttl = 0;
ip->frag_offset = 0;
ip->chksum = 0;
- memcpy(icv, ah->icv, 12);
- memset(ah->icv, 0, 12);
+ memcpy(icv, ah->icv, entry->ah.icv_len);
+ memset(ah->icv, 0, entry->ah.icv_len);
/* Calculate HMAC and compare */
- HMAC(EVP_md5(),
+ HMAC(stream->evp_md,
entry->ah.key.data,
entry->ah.key.length,
(uint8_t *)ip,
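Review bot: The ICV comparison that follows this HMAC call is outside the hunk, and the stream.c diffstat (37 insertions, 8 deletions) is fully accounted for by the hunks shown, so that line is unchanged; if it still compares a fixed 12 bytes, a SHA256 ICV is only partially verified, and it should compare `entry->ah.icv_len` bytes like the memcpy/memset above. `hash` holds the full digest (up to EVP_MAX_MD_SIZE) of which only `icv_len` bytes are meaningful, so the comparison length must be the SA's `icv_len`, never the HMAC output length. If the comparison is a plain memcmp, `CRYPTO_memcmp` from <openssl/crypto.h> is the constant-time alternative, though for a test-stream verifier that is optional. The rest of verify_ipv4_packet is outside this hunk.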
diff --git a/example/ipsec_crypto/odp_ipsec_stream.h b/example/ipsec_crypto/odp_ipsec_stream.h
index 685b4ee86..2055d3f00 100644
--- a/example/ipsec_crypto/odp_ipsec_stream.h
+++ b/example/ipsec_crypto/odp_ipsec_stream.h
@@ -11,6 +11,8 @@
extern "C" {
#endif
+#include <openssl/evp.h>
+
#include <odp_api.h>
#include <odp_ipsec_misc.h>
#include <odp_ipsec_cache.h>
@@ -27,6 +29,7 @@ typedef struct stream_db_entry_s {
uint32_t length; /**< Packet payload length */
uint32_t created; /**< Number successfully created */
uint32_t verified; /**< Number successfully verified */
+ const EVP_MD *evp_md; /**< Digest method */
struct {
const char *intf; /**< Input interface name */
odp_pktio_t pktio; /**< Input PktI/O interface */
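Review bot: The comment on the new field, `/**< Digest method */`, says neither where the digest comes from nor when it is unset. Given how resolve_stream_db fills it, `/**< OpenSSL digest for the AH HMAC, taken from the input SA or else the output SA; NULL when neither has a supported AH algorithm */` tells a reader what to expect. The struct continues past the hunk.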