author | Aakash Sasidharan <asasidharan@marvell.com> | 2021-06-07 12:31:04 +0530 |
committer | Petri Savolainen <petri.savolainen@nokia.com> | 2021-06-17 09:45:53 +0300 |
commit | cdfc7a3f375af613c0cfb4b5f55c30056a41135f (patch) | |
tree | 9745672ce5453a5740e1aa72342a66140234abbc | |
parent | e37c49f5c6ec3443ae1f9e835775a761a8ceaa48 (diff) |
example: ipsec: add sha1 and sha256 support in AH mode
Currently the example's AH stream generation and verification support only MD5 auth (the HMAC digest is hard-coded to MD5). Enable support for the SHA1 and SHA256 auth algorithms.
Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
Reviewed-by: Janne Peltonen <janne.peltonen@nokia.com>
-rw-r--r-- | example/ipsec_api/odp_ipsec.c | 2 | ||||
-rw-r--r-- | example/ipsec_crypto/odp_ipsec.c | 2 | ||||
-rw-r--r-- | example/ipsec_crypto/odp_ipsec_misc.h | 4 | ||||
-rw-r--r-- | example/ipsec_crypto/odp_ipsec_sa_db.c | 4 | ||||
-rw-r--r-- | example/ipsec_crypto/odp_ipsec_stream.c | 45 | ||||
-rw-r--r-- | example/ipsec_crypto/odp_ipsec_stream.h | 3 |
6 files changed, 50 insertions, 10 deletions
diff --git a/example/ipsec_api/odp_ipsec.c b/example/ipsec_api/odp_ipsec.c index d23eeb2c6..5cdb59da3 100644 --- a/example/ipsec_api/odp_ipsec.c +++ b/example/ipsec_api/odp_ipsec.c @@ -1346,7 +1346,7 @@ static void usage(char *progname) " -r, --route SubNet,Intf,NextHopMAC\n" " -p, --policy SrcSubNet,DstSubNet,(in|out),(ah|esp)\n" " -e, --esp SrcIP,DstIP,(3des|null),SPI,Key192\n" - " -a, --ah SrcIP,DstIP,(sha256|md5|null),SPI,Key(256|128)\n" + " -a, --ah SrcIP,DstIP,(sha256|sha1|md5|null),SPI,Key(256|160|128)\n" "\n" " Where: NextHopMAC is raw hex/colon notation, i.e. 03:BA:44:9A:CE:02\n" " IP is decimal/dot notation, i.e. 192.168.1.1\n" diff --git a/example/ipsec_crypto/odp_ipsec.c b/example/ipsec_crypto/odp_ipsec.c index d6102b866..a55aa6aba 100644 --- a/example/ipsec_crypto/odp_ipsec.c +++ b/example/ipsec_crypto/odp_ipsec.c @@ -1646,7 +1646,7 @@ static void usage(char *progname) " -r, --route SubNet,Intf,NextHopMAC\n" " -p, --policy SrcSubNet,DstSubNet,(in|out),(ah|esp|both)\n" " -e, --esp SrcIP,DstIP,(3des|null),SPI,Key192\n" - " -a, --ah SrcIP,DstIP,(sha256|md5|null),SPI,Key(256|128)\n" + " -a, --ah SrcIP,DstIP,(sha256|sha1|md5|null),SPI,Key(256|160|128)\n" "\n" " Where: NextHopMAC is raw hex/colon notation, i.e. 03:BA;44:9A:CE:02\n" " IP is decimal/dot notation, i.e. 192.168.1.1\n" diff --git a/example/ipsec_crypto/odp_ipsec_misc.h b/example/ipsec_crypto/odp_ipsec_misc.h index 0ff3fc0c7..23b89ae84 100644 --- a/example/ipsec_crypto/odp_ipsec_misc.h +++ b/example/ipsec_crypto/odp_ipsec_misc.h @@ -28,6 +28,7 @@ extern "C" { #define KEY_BITS_3DES 192 /**< 3DES cipher key length in bits */ #define KEY_BITS_MD5_96 128 /**< MD5_96 auth key length in bits */ +#define KEY_BITS_SHA1_96 160 /**< MD5_96 auth key length in bits */ #define KEY_BITS_SHA256_128 256 /**< SHA256_128 auth key length in bits */ /**< Number of bits represnted by a string of hexadecimal characters */ 
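Review bot: The doc comment on the new `KEY_BITS_SHA1_96` define in odp_ipsec_misc.h was copied from the MD5 line and still says `MD5_96 auth key length in bits`; it should read `#define KEY_BITS_SHA1_96 160 /**< SHA1_96 auth key length in bits */`. The value itself is right: HMAC-SHA-1-96 as used by AH (RFC 2404) takes a 160-bit key, and since parse_key_string accepts only exactly this length the `Key(256|160|128)` list in the two usage strings must stay in sync with these defines.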
@@ -101,6 +102,9 @@ int parse_key_string(char *keystring, if ((alg->u.auth == ODP_AUTH_ALG_MD5_HMAC) && (KEY_BITS_MD5_96 == key_bits_in)) key->length = key_bits_in / 8; + else if ((alg->u.auth == ODP_AUTH_ALG_SHA1_HMAC) && + (KEY_BITS_SHA1_96 == key_bits_in)) + key->length = key_bits_in / 8; else if ((alg->u.auth == ODP_AUTH_ALG_SHA256_HMAC) && (KEY_BITS_SHA256_128 == key_bits_in)) key->length = key_bits_in / 8; diff --git a/example/ipsec_crypto/odp_ipsec_sa_db.c b/example/ipsec_crypto/odp_ipsec_sa_db.c index ff9d7e3c7..0d60cbc7a 100644 --- a/example/ipsec_crypto/odp_ipsec_sa_db.c +++ b/example/ipsec_crypto/odp_ipsec_sa_db.c @@ -123,6 +123,10 @@ int create_sa_db_entry(char *input, odp_bool_t cipher) entry->alg.u.auth = ODP_AUTH_ALG_MD5_HMAC; entry->icv_len = 12; + } else if (!strcmp(token, "sha1")) { + entry->alg.u.auth = + ODP_AUTH_ALG_SHA1_HMAC; + entry->icv_len = 12; } else if (!strcmp(token, "sha256")) { entry->alg.u.auth = ODP_AUTH_ALG_SHA256_HMAC; diff --git a/example/ipsec_crypto/odp_ipsec_stream.c b/example/ipsec_crypto/odp_ipsec_stream.c index 0ca5138bc..110f7d5df 100644 --- a/example/ipsec_crypto/odp_ipsec_stream.c +++ b/example/ipsec_crypto/odp_ipsec_stream.c @@ -15,7 +15,6 @@ #include <openssl/des.h> #include <openssl/rand.h> #include <openssl/hmac.h> -#include <openssl/evp.h> #include <odp_api.h> @@ -139,6 +138,27 @@ int create_stream_db_entry(char *input) return 0; } +static const EVP_MD *get_evp_md(odp_auth_alg_t auth) +{ + const EVP_MD *evp_md; + + switch (auth) { + case ODP_AUTH_ALG_MD5_HMAC: + evp_md = EVP_md5(); + break; + case ODP_AUTH_ALG_SHA1_HMAC: + evp_md = EVP_sha1(); + break; + case ODP_AUTH_ALG_SHA256_HMAC: + evp_md = EVP_sha256(); + break; + default: + evp_md = NULL; + } + + return evp_md; +} + void resolve_stream_db(void) { stream_db_entry_t *stream = NULL; 
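Review bot: In create_sa_db_entry the new `sha1` branch sets `entry->icv_len = 12` with the same bare literal as the md5 branch, and later hunks in odp_ipsec_stream.c size buffers and memcpy lengths from this field, so its meaning deserves a comment: `entry->icv_len = 12; /* HMAC-SHA-1-96 (RFC 2404): ICV is the first 96 bits of the MAC */`. The value matches the RFC 2404 truncation. The enclosing function starts and ends outside the hunk.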
@@ -156,6 +176,9 @@ void resolve_stream_db(void) stream->input.pktio = odp_pktio_lookup(stream->input.intf); + if (entry) + stream->evp_md = get_evp_md(entry->ah.alg); + /* Lookup output entry */ entry = find_ipsec_cache_entry_out(stream->src_ip, stream->dst_ip, @@ -163,6 +186,9 @@ void resolve_stream_db(void) stream->output.entry = entry; stream->output.pktio = odp_pktio_lookup(stream->output.intf); + + if (stream->evp_md == NULL && entry) + stream->evp_md = get_evp_md(entry->ah.alg); } } @@ -238,6 +264,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream, if (entry && (entry == stream->input.entry) && (ODP_AUTH_ALG_NULL != entry->ah.alg)) { if (entry->ah.alg != ODP_AUTH_ALG_MD5_HMAC && + entry->ah.alg != ODP_AUTH_ALG_SHA1_HMAC && entry->ah.alg != ODP_AUTH_ALG_SHA256_HMAC) abort(); @@ -359,7 +386,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream, ah->next_header = ip->proto; ip->proto = ODPH_IPPROTO_AH; - HMAC(EVP_md5(), + HMAC(stream->evp_md, entry->ah.key.data, entry->ah.key.length, (uint8_t *)ip, @@ -367,7 +394,7 @@ odp_packet_t create_ipv4_packet(stream_db_entry_t *stream, hash, NULL); - memcpy(ah->icv, hash, 12); + memcpy(ah->icv, hash, entry->ah.icv_len); } /* Correct set packet length offsets */ @@ -446,7 +473,9 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream, return FALSE; if (odp_be_to_cpu_32(ah->spi) != entry->ah.spi) return FALSE; - if (ODP_AUTH_ALG_MD5_HMAC != entry->ah.alg) + if (ODP_AUTH_ALG_MD5_HMAC != entry->ah.alg && + ODP_AUTH_ALG_SHA1_HMAC != entry->ah.alg && + ODP_AUTH_ALG_SHA256_HMAC != entry->ah.alg) abort(); } else { if (entry && (ODP_AUTH_ALG_NULL != entry->ah.alg)) @@ -473,7 +502,7 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream, uint8_t ip_tos; uint8_t ip_ttl; uint16_t ip_frag_offset; - uint8_t icv[12]; + uint8_t icv[entry->ah.icv_len]; uint8_t hash[EVP_MAX_MD_SIZE]; /* Save/clear mutable fields */ 
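Review bot: `stream->evp_md` is filled from whichever of the input or output SA entry resolves first, but create_ipv4_packet combines it with `stream->input.entry`'s key and ICV length and verify_ipv4_packet with the output entry's; if the two SAs of a stream were configured with different AH algorithms the second direction would be MAC'd with the wrong digest. Since the digest is fully determined by `entry->ah.alg`, it is safer to derive it at each call site, `HMAC(get_evp_md(entry->ah.alg), ...)`, and drop the per-stream field, or at least verify in resolve_stream_db that both entries agree. Neither call site checks the `HMAC()` return value, which is NULL on failure (including a NULL digest), in which case `hash` is copied into `ah->icv` uninitialized; a `if (HMAC(...) == NULL) abort();` in create and `return FALSE` in verify would close that. The bodies of resolve_stream_db, create_ipv4_packet and verify_ipv4_packet all extend beyond these hunks.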
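Review bot: `uint8_t icv[entry->ah.icv_len];` in verify_ipv4_packet turns a fixed 12-byte buffer into a VLA sized by a field read from the SA database; the ICV can never be longer than a digest, so `uint8_t icv[EVP_MAX_MD_SIZE];` — the bound already used for `hash` on the next line — keeps a fixed-size stack buffer and avoids depending on the optional VLA feature. The memcpy/memset that use `entry->ah.icv_len` are unaffected by this. verify_ipv4_packet ends outside the hunk.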
@@ -484,11 +513,11 @@ odp_bool_t verify_ipv4_packet(stream_db_entry_t *stream, ip->ttl = 0; ip->frag_offset = 0; ip->chksum = 0; - memcpy(icv, ah->icv, 12); - memset(ah->icv, 0, 12); + memcpy(icv, ah->icv, entry->ah.icv_len); + memset(ah->icv, 0, entry->ah.icv_len); /* Calculate HMAC and compare */ - HMAC(EVP_md5(), + HMAC(stream->evp_md, entry->ah.key.data, entry->ah.key.length, (uint8_t *)ip, diff --git a/example/ipsec_crypto/odp_ipsec_stream.h b/example/ipsec_crypto/odp_ipsec_stream.h index 685b4ee86..2055d3f00 100644 --- a/example/ipsec_crypto/odp_ipsec_stream.h +++ b/example/ipsec_crypto/odp_ipsec_stream.h @@ -11,6 +11,8 @@ extern "C" { #endif +#include <openssl/evp.h> + #include <odp_api.h> #include <odp_ipsec_misc.h> #include <odp_ipsec_cache.h> @@ -27,6 +29,7 @@ typedef struct stream_db_entry_s { uint32_t length; /**< Packet payload length */ uint32_t created; /**< Number successfully created */ uint32_t verified; /**< Number successfully verified */ + const EVP_MD *evp_md; /**< Digest method */ struct { const char *intf; /**< Input interface name */ odp_pktio_t pktio; /**< Input PktI/O interface */ |
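Review bot: The `memcpy`/`memset` on `ah->icv` now use `entry->ah.icv_len`, but the comparison of the saved `icv` against the computed `hash` that follows the `HMAC()` call lies outside the hunk and is not touched by this commit; if it still compares the old literal 12 bytes, a 16-byte SHA256 ICV would be only partially verified. It should compare `entry->ah.icv_len` bytes, e.g. `if (memcmp(icv, hash, entry->ah.icv_len) != 0) return FALSE;` (`CRYPTO_memcmp` is available since openssl is already linked, though timing is not a concern for a test stream verifier). verify_ipv4_packet ends outside the hunk.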