[v3,07/13] crypto/dpaa_sec: add AES-GCM support for lookaside case
Checks
Commit Message
This patch add support for AES-128-GCM, when used in
proto lookaside mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++---------
1 file changed, 211 insertions(+), 98 deletions(-)
Comments
Hi Akhil,
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Hemant Agrawal
> Sent: Wednesday, November 6, 2019 10:47 AM
> To: dev@dpdk.org
> Cc: Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [dpdk-dev] [PATCH v3 07/13] crypto/dpaa_sec: add AES-GCM
> support for lookaside case
>
> This patch add support for AES-128-GCM, when used in proto lookaside
> mode.
>
> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
> ---
> drivers/crypto/dpaa_sec/dpaa_sec.c | 309 ++++++++++++++++++++---------
> 1 file changed, 211 insertions(+), 98 deletions(-)
>
> diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c
> b/drivers/crypto/dpaa_sec/dpaa_sec.c
> index 0ef17ee00..27a31d065 100644
> --- a/drivers/crypto/dpaa_sec/dpaa_sec.c
> +++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
> @@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session
> *ses)
> cipherdata.algtype = ses->cipher_key.alg;
> cipherdata.algmode = ses->cipher_key.algmode;
>
> - authdata.key = (size_t)ses->auth_key.data;
> - authdata.keylen = ses->auth_key.length;
> - authdata.key_enc_flags = 0;
> - authdata.key_type = RTA_DATA_IMM;
> - authdata.algtype = ses->auth_key.alg;
> - authdata.algmode = ses->auth_key.algmode;
> + if (ses->auth_key.length) {
> + authdata.key = (size_t)ses->auth_key.data;
> + authdata.keylen = ses->auth_key.length;
> + authdata.key_enc_flags = 0;
> + authdata.key_type = RTA_DATA_IMM;
> + authdata.algtype = ses->auth_key.alg;
> + authdata.algmode = ses->auth_key.algmode;
> + }
>
> cdb->sh_desc[0] = cipherdata.keylen;
> cdb->sh_desc[1] = authdata.keylen;
> @@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct
> rte_cryptodev *dev,
>
> #ifdef RTE_LIBRTE_SECURITY
> static int
> -dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
> - struct rte_security_session_conf *conf,
> - void *sess)
> +dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
> + struct rte_security_ipsec_xform *ipsec_xform,
> + dpaa_sec_session *session)
> {
> - struct dpaa_sec_dev_private *internals = dev->data->dev_private;
> - struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
> - struct rte_crypto_auth_xform *auth_xform = NULL;
> - struct rte_crypto_cipher_xform *cipher_xform = NULL;
> - dpaa_sec_session *session = (dpaa_sec_session *)sess;
> - uint32_t i;
> -
> PMD_INIT_FUNC_TRACE();
>
> - memset(session, 0, sizeof(dpaa_sec_session));
> - if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
> - cipher_xform = &conf->crypto_xform->cipher;
> - if (conf->crypto_xform->next)
> - auth_xform = &conf->crypto_xform->next->auth;
> - } else {
> - auth_xform = &conf->crypto_xform->auth;
> - if (conf->crypto_xform->next)
> - cipher_xform = &conf->crypto_xform->next-
> >cipher;
> + session->aead_key.data = rte_zmalloc(NULL, aead_xform-
> >key.length,
> + RTE_CACHE_LINE_SIZE);
> + if (session->aead_key.data == NULL && aead_xform->key.length >
> 0) {
> + DPAA_SEC_ERR("No Memory for aead key");
> + return -1;
> }
> - session->proto_alg = conf->protocol;
> - session->ctxt = DPAA_SEC_IPSEC;
> + memcpy(session->aead_key.data, aead_xform->key.data,
> + aead_xform->key.length);
> +
> + session->digest_length = aead_xform->digest_length;
> + session->aead_key.length = aead_xform->key.length;
> +
> + switch (aead_xform->algo) {
> + case RTE_CRYPTO_AEAD_AES_GCM:
> + switch (session->digest_length) {
> + case 8:
> + session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
> + break;
> + case 12:
> + session->aead_key.alg =
> OP_PCL_IPSEC_AES_GCM12;
> + break;
> + case 16:
> + session->aead_key.alg =
> OP_PCL_IPSEC_AES_GCM16;
> + break;
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined GCM digest
> %d",
> + session->digest_length);
> + return -1;
> + }
> + if (session->dir == DIR_ENC) {
> + memcpy(session->encap_pdb.gcm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + } else {
> + memcpy(session->decap_pdb.gcm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + }
> + session->aead_key.algmode = OP_ALG_AAI_GCM;
> + session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
> + break;
[Hemant] There is a merge error. I see that you have already applied it.
Can you remove following line from the patch.
>>> start here.
> + if (session->dir == DIR_ENC) {
> + /* todo CCM salt length is 3 bytes, left shift 8 bits */
> + memcpy(session->encap_pdb.ccm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + } else {
> + memcpy(session->decap_pdb.ccm.salt,
> + (uint8_t *)&(ipsec_xform->salt), 4);
> + }
> + session->aead_key.algmode = OP_ALG_AAI_CCM;
> + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
> + break;
>>> end here.
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
> + aead_xform->algo);
> + return -1;
> + }
> + return 0;
> +}
>
> - if (cipher_xform && cipher_xform->algo !=
> RTE_CRYPTO_CIPHER_NULL) {
> +static int
> +dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform
> *cipher_xform,
> + struct rte_crypto_auth_xform *auth_xform,
> + dpaa_sec_session *session)
> +{
> + if (cipher_xform) {
> session->cipher_key.data = rte_zmalloc(NULL,
> cipher_xform-
> >key.length,
> RTE_CACHE_LINE_SIZE);
> @@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
> DPAA_SEC_ERR("No Memory for cipher key");
> return -ENOMEM;
> }
> +
> + session->cipher_key.length = cipher_xform->key.length;
> memcpy(session->cipher_key.data, cipher_xform-
> >key.data,
> cipher_xform->key.length);
> - session->cipher_key.length = cipher_xform->key.length;
> -
> - switch (cipher_xform->algo) {
> - case RTE_CRYPTO_CIPHER_NULL:
> - session->cipher_key.alg = OP_PCL_IPSEC_NULL;
> - break;
> - case RTE_CRYPTO_CIPHER_AES_CBC:
> - session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
> - session->cipher_key.algmode = OP_ALG_AAI_CBC;
> - break;
> - case RTE_CRYPTO_CIPHER_3DES_CBC:
> - session->cipher_key.alg = OP_PCL_IPSEC_3DES;
> - session->cipher_key.algmode = OP_ALG_AAI_CBC;
> - break;
> - case RTE_CRYPTO_CIPHER_AES_CTR:
> - session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
> - session->cipher_key.algmode = OP_ALG_AAI_CTR;
> - break;
> - default:
> - DPAA_SEC_ERR("Crypto: Unsupported Cipher alg
> %u",
> - cipher_xform->algo);
> - goto out;
> - }
> session->cipher_alg = cipher_xform->algo;
> } else {
> session->cipher_key.data = NULL;
> @@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
> session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
> }
>
> - if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
> + if (auth_xform) {
> session->auth_key.data = rte_zmalloc(NULL,
> auth_xform->key.length,
> RTE_CACHE_LINE_SIZE);
> if (session->auth_key.data == NULL &&
> auth_xform->key.length > 0) {
> DPAA_SEC_ERR("No Memory for auth key");
> - rte_free(session->cipher_key.data);
> return -ENOMEM;
> }
> + session->auth_key.length = auth_xform->key.length;
> memcpy(session->auth_key.data, auth_xform->key.data,
> auth_xform->key.length);
> - session->auth_key.length = auth_xform->key.length;
> -
> - switch (auth_xform->algo) {
> - case RTE_CRYPTO_AUTH_NULL:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_NULL;
> - session->digest_length = 0;
> - break;
> - case RTE_CRYPTO_AUTH_MD5_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_MD5_96;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA1_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA1_96;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA224_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA1_160;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA256_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_256_128;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA384_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_384_192;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - case RTE_CRYPTO_AUTH_SHA512_HMAC:
> - session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_512_256;
> - session->auth_key.algmode = OP_ALG_AAI_HMAC;
> - break;
> - default:
> - DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
> - auth_xform->algo);
> - goto out;
> - }
> session->auth_alg = auth_xform->algo;
> } else {
> session->auth_key.data = NULL;
> @@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused
> struct rte_cryptodev *dev,
> session->auth_alg = RTE_CRYPTO_AUTH_NULL;
> }
>
> + switch (session->auth_alg) {
> + case RTE_CRYPTO_AUTH_SHA1_HMAC:
> + session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_MD5_HMAC:
> + session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_256_128;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_SHA384_HMAC:
> + session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_384_192;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_SHA512_HMAC:
> + session->auth_key.alg =
> OP_PCL_IPSEC_HMAC_SHA2_512_256;
> + session->auth_key.algmode = OP_ALG_AAI_HMAC;
> + break;
> + case RTE_CRYPTO_AUTH_AES_CMAC:
> + session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
> + break;
> + case RTE_CRYPTO_AUTH_NULL:
> + session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
> + break;
> + case RTE_CRYPTO_AUTH_SHA224_HMAC:
> + case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
> + case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
> + case RTE_CRYPTO_AUTH_SHA1:
> + case RTE_CRYPTO_AUTH_SHA256:
> + case RTE_CRYPTO_AUTH_SHA512:
> + case RTE_CRYPTO_AUTH_SHA224:
> + case RTE_CRYPTO_AUTH_SHA384:
> + case RTE_CRYPTO_AUTH_MD5:
> + case RTE_CRYPTO_AUTH_AES_GMAC:
> + case RTE_CRYPTO_AUTH_KASUMI_F9:
> + case RTE_CRYPTO_AUTH_AES_CBC_MAC:
> + case RTE_CRYPTO_AUTH_ZUC_EIA3:
> + DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
> + session->auth_alg);
> + return -1;
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
> + session->auth_alg);
> + return -1;
> + }
> +
> + switch (session->cipher_alg) {
> + case RTE_CRYPTO_CIPHER_AES_CBC:
> + session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
> + session->cipher_key.algmode = OP_ALG_AAI_CBC;
> + break;
> + case RTE_CRYPTO_CIPHER_3DES_CBC:
> + session->cipher_key.alg = OP_PCL_IPSEC_3DES;
> + session->cipher_key.algmode = OP_ALG_AAI_CBC;
> + break;
> + case RTE_CRYPTO_CIPHER_AES_CTR:
> + session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
> + session->cipher_key.algmode = OP_ALG_AAI_CTR;
> + break;
> + case RTE_CRYPTO_CIPHER_NULL:
> + session->cipher_key.alg = OP_PCL_IPSEC_NULL;
> + break;
> + case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
> + case RTE_CRYPTO_CIPHER_ZUC_EEA3:
> + case RTE_CRYPTO_CIPHER_3DES_ECB:
> + case RTE_CRYPTO_CIPHER_AES_ECB:
> + case RTE_CRYPTO_CIPHER_KASUMI_F8:
> + DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
> + session->cipher_alg);
> + return -1;
> + default:
> + DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
> + session->cipher_alg);
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> +static int
> +dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
> + struct rte_security_session_conf *conf,
> + void *sess)
> +{
> + struct dpaa_sec_dev_private *internals = dev->data->dev_private;
> + struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
> + struct rte_crypto_auth_xform *auth_xform = NULL;
> + struct rte_crypto_cipher_xform *cipher_xform = NULL;
> + struct rte_crypto_aead_xform *aead_xform = NULL;
> + dpaa_sec_session *session = (dpaa_sec_session *)sess;
> + uint32_t i;
> + int ret;
> +
> + PMD_INIT_FUNC_TRACE();
> +
> + memset(session, 0, sizeof(dpaa_sec_session));
> + session->proto_alg = conf->protocol;
> + session->ctxt = DPAA_SEC_IPSEC;
> +
> + if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
> + session->dir = DIR_ENC;
> + else
> + session->dir = DIR_DEC;
> +
> + if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_CIPHER) {
> + cipher_xform = &conf->crypto_xform->cipher;
> + if (conf->crypto_xform->next)
> + auth_xform = &conf->crypto_xform->next->auth;
> + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
> + session);
> + } else if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_AUTH) {
> + auth_xform = &conf->crypto_xform->auth;
> + if (conf->crypto_xform->next)
> + cipher_xform = &conf->crypto_xform->next-
> >cipher;
> + ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
> + session);
> + } else if (conf->crypto_xform->type ==
> RTE_CRYPTO_SYM_XFORM_AEAD) {
> + aead_xform = &conf->crypto_xform->aead;
> + ret = dpaa_sec_ipsec_aead_init(aead_xform,
> + ipsec_xform, session);
> + } else {
> + DPAA_SEC_ERR("XFORM not specified");
> + ret = -EINVAL;
> + goto out;
> + }
> + if (ret) {
> + DPAA_SEC_ERR("Failed to process xform");
> + goto out;
> + }
> +
> if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
> if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
> - memset(&session->encap_pdb, 0,
> - sizeof(struct ipsec_encap_pdb) +
> - sizeof(session->ip4_hdr));
> session->ip4_hdr.ip_v = IPVERSION;
> session->ip4_hdr.ip_hl = 5;
> session->ip4_hdr.ip_len = rte_cpu_to_be_16( @@ -
> 2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
> session->encap_pdb.ip_hdr_len = sizeof(struct ip);
> } else if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
> - memset(&session->encap_pdb, 0,
> - sizeof(struct ipsec_encap_pdb) +
> - sizeof(session->ip6_hdr));
> session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
> DPAA_IPv6_DEFAULT_VTC_FLOW |
> ((ipsec_xform->tunnel.ipv6.dscp <<
> @@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
> if (ipsec_xform->options.esn)
> session->encap_pdb.options |= PDBOPTS_ESP_ESN;
> session->encap_pdb.spi = ipsec_xform->spi;
> - session->dir = DIR_ENC;
> +
> } else if (ipsec_xform->direction ==
> RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
> - memset(&session->decap_pdb, 0, sizeof(struct
> ipsec_decap_pdb));
> if (ipsec_xform->tunnel.type ==
> RTE_SECURITY_IPSEC_TUNNEL_IPV4)
> session->decap_pdb.options = sizeof(struct ip) << 16;
> else
> @@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct
> rte_cryptodev *dev,
> sizeof(struct rte_ipv6_hdr) << 16;
> if (ipsec_xform->options.esn)
> session->decap_pdb.options |= PDBOPTS_ESP_ESN;
> - session->dir = DIR_DEC;
> } else
> goto out;
> rte_spinlock_lock(&internals->lock);
> --
> 2.17.1
>
> Hi Akhil,
>
>
> [Hemant] There is a merge error. I see that you have already applied it.
> Can you remove following line from the patch.
> >>> start here.
> > + if (session->dir == DIR_ENC) {
> > + /* todo CCM salt length is 3 bytes, left shift 8 bits */
> > + memcpy(session->encap_pdb.ccm.salt,
> > + (uint8_t *)&(ipsec_xform->salt), 4);
> > + } else {
> > + memcpy(session->decap_pdb.ccm.salt,
> > + (uint8_t *)&(ipsec_xform->salt), 4);
> > + }
> > + session->aead_key.algmode = OP_ALG_AAI_CCM;
> > + session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
> > + break;
> >>> end here.
>
done
@@ -382,12 +382,14 @@ dpaa_sec_prep_ipsec_cdb(dpaa_sec_session *ses)
cipherdata.algtype = ses->cipher_key.alg;
cipherdata.algmode = ses->cipher_key.algmode;
- authdata.key = (size_t)ses->auth_key.data;
- authdata.keylen = ses->auth_key.length;
- authdata.key_enc_flags = 0;
- authdata.key_type = RTA_DATA_IMM;
- authdata.algtype = ses->auth_key.alg;
- authdata.algmode = ses->auth_key.algmode;
+ if (ses->auth_key.length) {
+ authdata.key = (size_t)ses->auth_key.data;
+ authdata.keylen = ses->auth_key.length;
+ authdata.key_enc_flags = 0;
+ authdata.key_type = RTA_DATA_IMM;
+ authdata.algtype = ses->auth_key.alg;
+ authdata.algmode = ses->auth_key.algmode;
+ }
cdb->sh_desc[0] = cipherdata.keylen;
cdb->sh_desc[1] = authdata.keylen;
@@ -2523,33 +2525,76 @@ dpaa_sec_sym_session_clear(struct rte_cryptodev *dev,
#ifdef RTE_LIBRTE_SECURITY
static int
-dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
- struct rte_security_session_conf *conf,
- void *sess)
+dpaa_sec_ipsec_aead_init(struct rte_crypto_aead_xform *aead_xform,
+ struct rte_security_ipsec_xform *ipsec_xform,
+ dpaa_sec_session *session)
{
- struct dpaa_sec_dev_private *internals = dev->data->dev_private;
- struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
- struct rte_crypto_auth_xform *auth_xform = NULL;
- struct rte_crypto_cipher_xform *cipher_xform = NULL;
- dpaa_sec_session *session = (dpaa_sec_session *)sess;
- uint32_t i;
-
PMD_INIT_FUNC_TRACE();
- memset(session, 0, sizeof(dpaa_sec_session));
- if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- cipher_xform = &conf->crypto_xform->cipher;
- if (conf->crypto_xform->next)
- auth_xform = &conf->crypto_xform->next->auth;
- } else {
- auth_xform = &conf->crypto_xform->auth;
- if (conf->crypto_xform->next)
- cipher_xform = &conf->crypto_xform->next->cipher;
+ session->aead_key.data = rte_zmalloc(NULL, aead_xform->key.length,
+ RTE_CACHE_LINE_SIZE);
+ if (session->aead_key.data == NULL && aead_xform->key.length > 0) {
+ DPAA_SEC_ERR("No Memory for aead key");
+ return -1;
}
- session->proto_alg = conf->protocol;
- session->ctxt = DPAA_SEC_IPSEC;
+ memcpy(session->aead_key.data, aead_xform->key.data,
+ aead_xform->key.length);
+
+ session->digest_length = aead_xform->digest_length;
+ session->aead_key.length = aead_xform->key.length;
+
+ switch (aead_xform->algo) {
+ case RTE_CRYPTO_AEAD_AES_GCM:
+ switch (session->digest_length) {
+ case 8:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM8;
+ break;
+ case 12:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM12;
+ break;
+ case 16:
+ session->aead_key.alg = OP_PCL_IPSEC_AES_GCM16;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined GCM digest %d",
+ session->digest_length);
+ return -1;
+ }
+ if (session->dir == DIR_ENC) {
+ memcpy(session->encap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ } else {
+ memcpy(session->decap_pdb.gcm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ }
+ session->aead_key.algmode = OP_ALG_AAI_GCM;
+ session->aead_alg = RTE_CRYPTO_AEAD_AES_GCM;
+ break;
+ if (session->dir == DIR_ENC) {
+ /* todo CCM salt length is 3 bytes, left shift 8 bits */
+ memcpy(session->encap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ } else {
+ memcpy(session->decap_pdb.ccm.salt,
+ (uint8_t *)&(ipsec_xform->salt), 4);
+ }
+ session->aead_key.algmode = OP_ALG_AAI_CCM;
+ session->aead_alg = RTE_CRYPTO_AEAD_AES_CCM;
+ break;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined AEAD specified %u",
+ aead_xform->algo);
+ return -1;
+ }
+ return 0;
+}
- if (cipher_xform && cipher_xform->algo != RTE_CRYPTO_CIPHER_NULL) {
+static int
+dpaa_sec_ipsec_proto_init(struct rte_crypto_cipher_xform *cipher_xform,
+ struct rte_crypto_auth_xform *auth_xform,
+ dpaa_sec_session *session)
+{
+ if (cipher_xform) {
session->cipher_key.data = rte_zmalloc(NULL,
cipher_xform->key.length,
RTE_CACHE_LINE_SIZE);
@@ -2558,31 +2603,10 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
DPAA_SEC_ERR("No Memory for cipher key");
return -ENOMEM;
}
+
+ session->cipher_key.length = cipher_xform->key.length;
memcpy(session->cipher_key.data, cipher_xform->key.data,
cipher_xform->key.length);
- session->cipher_key.length = cipher_xform->key.length;
-
- switch (cipher_xform->algo) {
- case RTE_CRYPTO_CIPHER_NULL:
- session->cipher_key.alg = OP_PCL_IPSEC_NULL;
- break;
- case RTE_CRYPTO_CIPHER_AES_CBC:
- session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
- session->cipher_key.algmode = OP_ALG_AAI_CBC;
- break;
- case RTE_CRYPTO_CIPHER_3DES_CBC:
- session->cipher_key.alg = OP_PCL_IPSEC_3DES;
- session->cipher_key.algmode = OP_ALG_AAI_CBC;
- break;
- case RTE_CRYPTO_CIPHER_AES_CTR:
- session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
- session->cipher_key.algmode = OP_ALG_AAI_CTR;
- break;
- default:
- DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
- cipher_xform->algo);
- goto out;
- }
session->cipher_alg = cipher_xform->algo;
} else {
session->cipher_key.data = NULL;
@@ -2590,54 +2614,18 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->cipher_alg = RTE_CRYPTO_CIPHER_NULL;
}
- if (auth_xform && auth_xform->algo != RTE_CRYPTO_AUTH_NULL) {
+ if (auth_xform) {
session->auth_key.data = rte_zmalloc(NULL,
auth_xform->key.length,
RTE_CACHE_LINE_SIZE);
if (session->auth_key.data == NULL &&
auth_xform->key.length > 0) {
DPAA_SEC_ERR("No Memory for auth key");
- rte_free(session->cipher_key.data);
return -ENOMEM;
}
+ session->auth_key.length = auth_xform->key.length;
memcpy(session->auth_key.data, auth_xform->key.data,
auth_xform->key.length);
- session->auth_key.length = auth_xform->key.length;
-
- switch (auth_xform->algo) {
- case RTE_CRYPTO_AUTH_NULL:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
- session->digest_length = 0;
- break;
- case RTE_CRYPTO_AUTH_MD5_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA1_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA224_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_160;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA256_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA384_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- case RTE_CRYPTO_AUTH_SHA512_HMAC:
- session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
- session->auth_key.algmode = OP_ALG_AAI_HMAC;
- break;
- default:
- DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
- auth_xform->algo);
- goto out;
- }
session->auth_alg = auth_xform->algo;
} else {
session->auth_key.data = NULL;
@@ -2645,12 +2633,142 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->auth_alg = RTE_CRYPTO_AUTH_NULL;
}
+ switch (session->auth_alg) {
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA1_96;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_MD5_96;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_256_128;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_384_192;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_SHA2_512_256;
+ session->auth_key.algmode = OP_ALG_AAI_HMAC;
+ break;
+ case RTE_CRYPTO_AUTH_AES_CMAC:
+ session->auth_key.alg = OP_PCL_IPSEC_AES_CMAC_96;
+ break;
+ case RTE_CRYPTO_AUTH_NULL:
+ session->auth_key.alg = OP_PCL_IPSEC_HMAC_NULL;
+ break;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SNOW3G_UIA2:
+ case RTE_CRYPTO_AUTH_SHA1:
+ case RTE_CRYPTO_AUTH_SHA256:
+ case RTE_CRYPTO_AUTH_SHA512:
+ case RTE_CRYPTO_AUTH_SHA224:
+ case RTE_CRYPTO_AUTH_SHA384:
+ case RTE_CRYPTO_AUTH_MD5:
+ case RTE_CRYPTO_AUTH_AES_GMAC:
+ case RTE_CRYPTO_AUTH_KASUMI_F9:
+ case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+ case RTE_CRYPTO_AUTH_ZUC_EIA3:
+ DPAA_SEC_ERR("Crypto: Unsupported auth alg %u",
+ session->auth_alg);
+ return -1;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined Auth specified %u",
+ session->auth_alg);
+ return -1;
+ }
+
+ switch (session->cipher_alg) {
+ case RTE_CRYPTO_CIPHER_AES_CBC:
+ session->cipher_key.alg = OP_PCL_IPSEC_AES_CBC;
+ session->cipher_key.algmode = OP_ALG_AAI_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_3DES_CBC:
+ session->cipher_key.alg = OP_PCL_IPSEC_3DES;
+ session->cipher_key.algmode = OP_ALG_AAI_CBC;
+ break;
+ case RTE_CRYPTO_CIPHER_AES_CTR:
+ session->cipher_key.alg = OP_PCL_IPSEC_AES_CTR;
+ session->cipher_key.algmode = OP_ALG_AAI_CTR;
+ break;
+ case RTE_CRYPTO_CIPHER_NULL:
+ session->cipher_key.alg = OP_PCL_IPSEC_NULL;
+ break;
+ case RTE_CRYPTO_CIPHER_SNOW3G_UEA2:
+ case RTE_CRYPTO_CIPHER_ZUC_EEA3:
+ case RTE_CRYPTO_CIPHER_3DES_ECB:
+ case RTE_CRYPTO_CIPHER_AES_ECB:
+ case RTE_CRYPTO_CIPHER_KASUMI_F8:
+ DPAA_SEC_ERR("Crypto: Unsupported Cipher alg %u",
+ session->cipher_alg);
+ return -1;
+ default:
+ DPAA_SEC_ERR("Crypto: Undefined Cipher specified %u",
+ session->cipher_alg);
+ return -1;
+ }
+
+ return 0;
+}
+
+static int
+dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
+ struct rte_security_session_conf *conf,
+ void *sess)
+{
+ struct dpaa_sec_dev_private *internals = dev->data->dev_private;
+ struct rte_security_ipsec_xform *ipsec_xform = &conf->ipsec;
+ struct rte_crypto_auth_xform *auth_xform = NULL;
+ struct rte_crypto_cipher_xform *cipher_xform = NULL;
+ struct rte_crypto_aead_xform *aead_xform = NULL;
+ dpaa_sec_session *session = (dpaa_sec_session *)sess;
+ uint32_t i;
+ int ret;
+
+ PMD_INIT_FUNC_TRACE();
+
+ memset(session, 0, sizeof(dpaa_sec_session));
+ session->proto_alg = conf->protocol;
+ session->ctxt = DPAA_SEC_IPSEC;
+
+ if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ session->dir = DIR_ENC;
+ else
+ session->dir = DIR_DEC;
+
+ if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ cipher_xform = &conf->crypto_xform->cipher;
+ if (conf->crypto_xform->next)
+ auth_xform = &conf->crypto_xform->next->auth;
+ ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+ session);
+ } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ auth_xform = &conf->crypto_xform->auth;
+ if (conf->crypto_xform->next)
+ cipher_xform = &conf->crypto_xform->next->cipher;
+ ret = dpaa_sec_ipsec_proto_init(cipher_xform, auth_xform,
+ session);
+ } else if (conf->crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ aead_xform = &conf->crypto_xform->aead;
+ ret = dpaa_sec_ipsec_aead_init(aead_xform,
+ ipsec_xform, session);
+ } else {
+ DPAA_SEC_ERR("XFORM not specified");
+ ret = -EINVAL;
+ goto out;
+ }
+ if (ret) {
+ DPAA_SEC_ERR("Failed to process xform");
+ goto out;
+ }
+
if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
- memset(&session->encap_pdb, 0,
- sizeof(struct ipsec_encap_pdb) +
- sizeof(session->ip4_hdr));
session->ip4_hdr.ip_v = IPVERSION;
session->ip4_hdr.ip_hl = 5;
session->ip4_hdr.ip_len = rte_cpu_to_be_16(
@@ -2673,9 +2791,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
session->encap_pdb.ip_hdr_len = sizeof(struct ip);
} else if (ipsec_xform->tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
- memset(&session->encap_pdb, 0,
- sizeof(struct ipsec_encap_pdb) +
- sizeof(session->ip6_hdr));
session->ip6_hdr.vtc_flow = rte_cpu_to_be_32(
DPAA_IPv6_DEFAULT_VTC_FLOW |
((ipsec_xform->tunnel.ipv6.dscp <<
@@ -2707,10 +2822,9 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
if (ipsec_xform->options.esn)
session->encap_pdb.options |= PDBOPTS_ESP_ESN;
session->encap_pdb.spi = ipsec_xform->spi;
- session->dir = DIR_ENC;
+
} else if (ipsec_xform->direction ==
RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
- memset(&session->decap_pdb, 0, sizeof(struct ipsec_decap_pdb));
if (ipsec_xform->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
session->decap_pdb.options = sizeof(struct ip) << 16;
else
@@ -2718,7 +2832,6 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
sizeof(struct rte_ipv6_hdr) << 16;
if (ipsec_xform->options.esn)
session->decap_pdb.options |= PDBOPTS_ESP_ESN;
- session->dir = DIR_DEC;
} else
goto out;
rte_spinlock_lock(&internals->lock);