From patchwork Mon Jul 18 16:25:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ashwin Sekhar T K X-Patchwork-Id: 114038 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 98BC9A0032; Mon, 18 Jul 2022 18:26:04 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8A65740DF6; Mon, 18 Jul 2022 18:26:04 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 73FD840698 for ; Mon, 18 Jul 2022 18:26:02 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 26IA1NCl009918; Mon, 18 Jul 2022 09:26:01 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=hPQtNw7lAePrRC4V/rYh6t+5/E6R8SqZkiRi77LMgWA=; b=gPWGU2JQJMQfBagJUawapejKmMRI8dphN8wYOq0kppTpOsx1OFlancPUMTg1wkuaypds BjgA1y/eAO+r4yuWBpTw+EXnZpLI+RNze2Y2NTWxxLCoW6B85BjxeC5uhFarVNbjdCO6 qtZkvDxfUm328lguXZ4y85s49tVW4gZJrOriFjpycXEU27re2IAEuNvjVq2n/rlL1iX4 L6ecPySGqU97tFZKD5X6vHUpgtBcz+E+6tammQthn8Ow9c4BsriUcxuAEOfr3i9dfMSd GUiHjcrMcagQjVt1p7LZq8jE65aiuS8HomYNlATxWThnCohDUZgvEGxRbiURuRrVygwn QA== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3hbvumnw1j-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 18 Jul 2022 09:26:01 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Mon, 18 Jul 2022 09:25:50 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Mon, 18 Jul 2022 09:25:50 -0700 Received: from localhost.localdomain (unknown [10.28.36.142]) by maili.marvell.com (Postfix) with ESMTP id 847FF3F7074; Mon, 18 Jul 2022 09:25:46 -0700 (PDT) From: Ashwin Sekhar T K To: CC: , , , , , , , , , , , Subject: [PATCH v5 1/1] crypto/openssl: support aes cmac operations Date: Mon, 18 Jul 2022 21:55:21 +0530 Message-ID: <20220718162521.94787-2-asekhar@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220718162521.94787-1-asekhar@marvell.com> References: <20220718091855.17604-2-asekhar@marvell.com> <20220718162521.94787-1-asekhar@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: 315kH9PgtI6TcvCt6BoKrkXAwXzXh-qR X-Proofpoint-ORIG-GUID: 315kH9PgtI6TcvCt6BoKrkXAwXzXh-qR X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-18_16,2022-07-18_01,2022-06-22_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Extend openssl crypto PMD to support AES CMAC operations. Signed-off-by: Ashwin Sekhar T K Acked-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 14 ++ drivers/crypto/openssl/rte_openssl_pmd.c | 138 ++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 20 +++ 3 files changed, 165 insertions(+), 7 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 5963a67a08..c34fd9a546 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -6,6 +6,7 @@ #define _OPENSSL_PMD_PRIVATE_H_ #include +#include #include #include #include @@ -50,6 +51,7 @@ enum openssl_cipher_mode { enum openssl_auth_mode { OPENSSL_AUTH_AS_AUTH, OPENSSL_AUTH_AS_HMAC, + OPENSSL_AUTH_AS_CMAC, }; /** private data structure for each OPENSSL crypto device */ @@ -145,6 +147,18 @@ struct openssl_session { # endif /**< pointer to EVP context structure */ } hmac; + + struct { +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; + /**< pointer to EVP context structure */ +# else + const EVP_CIPHER * evp_algo; + /**< pointer to EVP algorithm function */ + CMAC_CTX *ctx; + /**< pointer to EVP context structure */ +# endif + } cmac; }; uint16_t aad_length; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5658b9db66..a078038651 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -10,6 +10,7 @@ #include #include +#include #include #include @@ -592,6 +593,12 @@ static int openssl_set_session_auth_parameters(struct openssl_session *sess, const struct rte_crypto_sym_xform *xform) { +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + OSSL_PARAM params[2]; + const char *algo; + EVP_MAC *mac; +# endif /* Select auth generate/verify */ sess->auth.operation = xform->auth.op; sess->auth.algo = xform->auth.algo; @@ -636,6 +643,47 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; + case RTE_CRYPTO_AUTH_AES_CMAC: +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (xform->auth.key.length == 16) + algo = SN_aes_128_cbc; + else if (xform->auth.key.length == 24) + algo = SN_aes_192_cbc; + else if (xform->auth.key.length == 32) + algo = SN_aes_256_cbc; + else + return -EINVAL; + + rte_memcpy(algo_name, algo, strlen(algo) + 1); + params[0] = OSSL_PARAM_construct_utf8_string( + OSSL_MAC_PARAM_CIPHER, algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + + sess->auth.mode = OPENSSL_AUTH_AS_CMAC; + mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL); + sess->auth.cmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + + if (EVP_MAC_init(sess->auth.cmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; +# else + sess->auth.mode = OPENSSL_AUTH_AS_CMAC; + sess->auth.cmac.ctx = CMAC_CTX_new(); + if (get_cipher_algo(RTE_CRYPTO_CIPHER_AES_CBC, + xform->auth.key.length, + &sess->auth.cmac.evp_algo) != 0) + return -EINVAL; + if (CMAC_Init(sess->auth.cmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + sess->auth.cmac.evp_algo, NULL) != 1) + return -EINVAL; +# endif + break; + # if (OPENSSL_VERSION_NUMBER >= 0x30000000L) case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: @@ -645,15 +693,12 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, case RTE_CRYPTO_AUTH_SHA512_HMAC: sess->auth.mode = OPENSSL_AUTH_AS_HMAC; - OSSL_PARAM params[2]; - const char *algo; algo = digest_name_get(xform->auth.algo); if (!algo) return -EINVAL; - char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; rte_memcpy(algo_name, algo, (sizeof(algo)+1)); - EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); EVP_MAC_free(mac); if (get_auth_algo(xform->auth.algo, @@ -817,6 +862,13 @@ openssl_reset_session(struct openssl_session *sess) EVP_MAC_CTX_free(sess->auth.hmac.ctx); # else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif + break; + case OPENSSL_AUTH_AS_CMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.cmac.ctx); +# else + CMAC_CTX_free(sess->auth.cmac.ctx); # endif break; default: @@ -1355,9 +1407,9 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, } # if OPENSSL_VERSION_NUMBER >= 0x30000000L -/** Process standard openssl auth algorithms with hmac */ +/** Process standard openssl auth algorithms with hmac/cmac */ static int -process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, +process_openssl_auth_mac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, int srclen, EVP_MAC_CTX *ctx) { size_t dstlen; @@ -1459,6 +1511,58 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } + +/** Process standard openssl auth algorithms with cmac */ +static int +process_openssl_auth_cmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, CMAC_CTX *ctx) +{ + unsigned int dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (CMAC_Update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (CMAC_Update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (CMAC_Update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (CMAC_Final(ctx, dst, (size_t *)&dstlen) != 1) + goto process_auth_err; + + CMAC_CTX_cleanup(ctx); + + return 0; + +process_auth_err: + OPENSSL_LOG(ERR, "Process openssl cmac auth failed"); + return -EINVAL; +} # endif /*----------------------------------------------------------------------------*/ @@ -1700,9 +1804,11 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX *ctx_a; # if OPENSSL_VERSION_NUMBER >= 0x30000000L EVP_MAC_CTX *ctx_h; + EVP_MAC_CTX *ctx_c; EVP_MAC *mac; # else HMAC_CTX *ctx_h; + CMAC_CTX *ctx_c; # endif srclen = op->sym->auth.data.length; @@ -1724,7 +1830,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, ctx_h = EVP_MAC_CTX_new(mac); ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); EVP_MAC_free(mac); - status = process_openssl_auth_hmac(mbuf_src, dst, + status = process_openssl_auth_mac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); # else @@ -1734,6 +1840,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif + break; + case OPENSSL_AUTH_AS_CMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL); + ctx_c = EVP_MAC_CTX_new(mac); + ctx_c = EVP_MAC_CTX_dup(sess->auth.cmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_mac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_c); +# else + ctx_c = CMAC_CTX_new(); + CMAC_CTX_copy(ctx_c, sess->auth.cmac.ctx); + status = process_openssl_auth_cmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_c); + CMAC_CTX_free(ctx_c); # endif break; default: diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 3e24ef94f7..f7ddbf9c73 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -394,6 +394,26 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { }, } }, } }, + { /* AES CMAC (AUTH) */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_AES_CMAC, + .block_size = 16, + .key_size = { + .min = 16, + .max = 32, + .increment = 8 + }, + .digest_size = { + .min = 4, + .max = 16, + .increment = 4 + }, + }, } + }, } + }, { /* 3DES CBC */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, {.sym = {