/** Set session authentication parameters */
static int
aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
struct aesni_mb_session *sess,
const struct rte_crypto_sym_xform *xform)
{
hash_one_block_t hash_oneblock_fn;
unsigned int key_larger_block_size = 0;
uint8_t hashed_key[HMAC_MAX_BLOCK_SIZE] = { 0 };
if (xform == NULL) {
sess->auth.algo = NULL_HASH;
return 0;
}
if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH) {
AESNI_MB_LOG(ERR, "Crypto xform struct not of type auth");
return -1;
}
/* Set the request digest size */
sess->auth.req_digest_len = xform->auth.digest_length;
/* Select auth generate/verify */
sess->auth.operation = xform->auth.op;
/* Set Authentication Parameters */
if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) {
sess->auth.algo = AES_XCBC;
uint16_t xcbc_mac_digest_len =
get_truncated_digest_byte_length(AES_XCBC);
if (sess->auth.req_digest_len != xcbc_mac_digest_len) {
AESNI_MB_LOG(ERR, "Invalid digest size\n");
return -EINVAL;
}
sess->auth.gen_digest_len = sess->auth.req_digest_len;
(*mb_ops->aux.keyexp.aes_xcbc)(xform->auth.key.data,
sess->auth.xcbc.k1_expanded,
sess->auth.xcbc.k2, sess->auth.xcbc.k3);
return 0;
}
if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_CMAC) {
sess->auth.algo = AES_CMAC;
uint16_t cmac_digest_len = get_digest_byte_length(AES_CMAC);
if (sess->auth.req_digest_len > cmac_digest_len) {
AESNI_MB_LOG(ERR, "Invalid digest size\n");
return -EINVAL;
}
/*
* Multi-buffer lib supports digest sizes from 4 to 16 bytes
* in version 0.50 and sizes of 12 and 16 bytes,
* in version 0.49.
* If size requested is different, generate the full digest
* (16 bytes) in a temporary location and then memcpy
* the requested number of bytes.
*/
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (sess->auth.req_digest_len < 4)
#else
uint16_t cmac_trunc_digest_len =
get_truncated_digest_byte_length(AES_CMAC);
if (sess->auth.req_digest_len != cmac_digest_len &&
sess->auth.req_digest_len != cmac_trunc_digest_len)
#endif
sess->auth.gen_digest_len = cmac_digest_len;
else
sess->auth.gen_digest_len = sess->auth.req_digest_len;
(*mb_ops->aux.keyexp.aes_cmac_expkey)(xform->auth.key.data,
sess->auth.cmac.expkey);
(*mb_ops->aux.keyexp.aes_cmac_subkey)(sess->auth.cmac.expkey,
sess->auth.cmac.skey1, sess->auth.cmac.skey2);
return 0;
}
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
hash_oneblock_fn = mb_ops->aux.one_block.md5;
break;
case RTE_CRYPTO_AUTH_SHA1_HMAC:
sess->auth.algo = SHA1;
hash_oneblock_fn = mb_ops->aux.one_block.sha1;
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (xform->auth.key.length > get_auth_algo_blocksize(SHA1)) {
mb_ops->aux.multi_block.sha1(
xform->auth.key.data,
xform->auth.key.length,
hashed_key);
key_larger_block_size = 1;
}
#endif
break;
case RTE_CRYPTO_AUTH_SHA224_HMAC:
sess->auth.algo = SHA_224;
hash_oneblock_fn = mb_ops->aux.one_block.sha224;
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (xform->auth.key.length > get_auth_algo_blocksize(SHA_224)) {
mb_ops->aux.multi_block.sha224(
xform->auth.key.data,
xform->auth.key.length,
hashed_key);
key_larger_block_size = 1;
}
#endif
break;
case RTE_CRYPTO_AUTH_SHA256_HMAC:
sess->auth.algo = SHA_256;
hash_oneblock_fn = mb_ops->aux.one_block.sha256;
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (xform->auth.key.length > get_auth_algo_blocksize(SHA_256)) {
mb_ops->aux.multi_block.sha256(
xform->auth.key.data,
xform->auth.key.length,
hashed_key);
key_larger_block_size = 1;
}
#endif
break;
case RTE_CRYPTO_AUTH_SHA384_HMAC:
sess->auth.algo = SHA_384;
hash_oneblock_fn = mb_ops->aux.one_block.sha384;
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (xform->auth.key.length > get_auth_algo_blocksize(SHA_384)) {
mb_ops->aux.multi_block.sha384(
xform->auth.key.data,
xform->auth.key.length,
hashed_key);
key_larger_block_size = 1;
}
#endif
break;
case RTE_CRYPTO_AUTH_SHA512_HMAC:
sess->auth.algo = SHA_512;
hash_oneblock_fn = mb_ops->aux.one_block.sha512;
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (xform->auth.key.length > get_auth_algo_blocksize(SHA_512)) {
mb_ops->aux.multi_block.sha512(
xform->auth.key.data,
xform->auth.key.length,
hashed_key);
key_larger_block_size = 1;
}
#endif
break;
default:
AESNI_MB_LOG(ERR, "Unsupported authentication algorithm selection");
return -ENOTSUP;
}
uint16_t trunc_digest_size =
get_truncated_digest_byte_length(sess->auth.algo);
uint16_t full_digest_size =
get_digest_byte_length(sess->auth.algo);
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
if (sess->auth.req_digest_len > full_digest_size ||
sess->auth.req_digest_len == 0) {
#else
if (sess->auth.req_digest_len != trunc_digest_size) {
#endif
AESNI_MB_LOG(ERR, "Invalid digest size\n");
return -EINVAL;
}
if (sess->auth.req_digest_len != trunc_digest_size &&
sess->auth.req_digest_len != full_digest_size)
sess->auth.gen_digest_len = full_digest_size;
else
sess->auth.gen_digest_len = sess->auth.req_digest_len;
/* Calculate Authentication precomputes */
if (key_larger_block_size) {
calculate_auth_precomputes(hash_oneblock_fn,
sess->auth.pads.inner, sess->auth.pads.outer,
hashed_key,
xform->auth.key.length,
get_auth_algo_blocksize(sess->auth.algo));
} else {
calculate_auth_precomputes(hash_oneblock_fn,
sess->auth.pads.inner, sess->auth.pads.outer,
xform->auth.key.data,
xform->auth.key.length,
get_auth_algo_blocksize(sess->auth.algo));
}
return 0;
}
/** Set session cipher parameters */
static int
aesni_mb_set_session_cipher_parameters(const struct aesni_mb_op_fns *mb_ops,
struct aesni_mb_session *sess,
const struct rte_crypto_sym_xform *xform)
{
uint8_t is_aes = 0;
uint8_t is_3DES = 0;
aes_keyexp_t aes_keyexp_fn;
if (xform == NULL) {
sess->cipher.mode = NULL_CIPHER;
return 0;
}
if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER) {
AESNI_MB_LOG(ERR, "Crypto xform struct not of type cipher");
return -EINVAL;
}
/* Select cipher direction */
switch (xform->cipher.op) {
case RTE_CRYPTO_CIPHER_OP_ENCRYPT:
sess->cipher.direction = ENCRYPT;
break;
case RTE_CRYPTO_CIPHER_OP_DECRYPT:
sess->cipher.direction = DECRYPT;
break;
default:
AESNI_MB_LOG(ERR, "Invalid cipher operation parameter");
return -EINVAL;
}
/* Select cipher mode */
switch (xform->cipher.algo) {
case RTE_CRYPTO_CIPHER_AES_CBC:
sess->cipher.mode = CBC;
is_aes = 1;
break;
case RTE_CRYPTO_CIPHER_AES_CTR:
sess->cipher.mode = CNTR;
is_aes = 1;
break;
case RTE_CRYPTO_CIPHER_AES_DOCSISBPI:
sess->cipher.mode = DOCSIS_SEC_BPI;
is_aes = 1;
break;
case RTE_CRYPTO_CIPHER_DES_CBC:
sess->cipher.mode = DES;
break;
case RTE_CRYPTO_CIPHER_DES_DOCSISBPI:
sess->cipher.mode = DOCSIS_DES;
break;
case RTE_CRYPTO_CIPHER_3DES_CBC:
sess->cipher.mode = DES3;
is_3DES = 1;
break;
default:
AESNI_MB_LOG(ERR, "Unsupported cipher mode parameter");
return -ENOTSUP;
}
/* Set IV parameters */
sess->iv.offset = xform->cipher.iv.offset;
sess->iv.length = xform->cipher.iv.length;
/* Check key length and choose key expansion function for AES */
if (is_aes) {
switch (xform->cipher.key.length) {
case AES_128_BYTES:
sess->cipher.key_length_in_bytes = AES_128_BYTES;
aes_keyexp_fn = mb_ops->aux.keyexp.aes128;
break;
case AES_192_BYTES:
sess->cipher.key_length_in_bytes = AES_192_BYTES;
aes_keyexp_fn = mb_ops->aux.keyexp.aes192;
break;
case AES_256_BYTES:
sess->cipher.key_length_in_bytes = AES_256_BYTES;
aes_keyexp_fn = mb_ops->aux.keyexp.aes256;
break;
default:
AESNI_MB_LOG(ERR, "Invalid cipher key length");
return -EINVAL;
}
/* Expanded cipher keys */
(*aes_keyexp_fn)(xform->cipher.key.data,
sess->cipher.expanded_aes_keys.encode,
sess->cipher.expanded_aes_keys.decode);
} else if (is_3DES) {
uint64_t *keys[3] = {sess->cipher.exp_3des_keys.key[0],
sess->cipher.exp_3des_keys.key[1],
sess->cipher.exp_3des_keys.key[2]};
switch (xform->cipher.key.length) {
case 24:
des_key_schedule(keys[0], xform->cipher.key.data);
des_key_schedule(keys[1], xform->cipher.key.data+8);
des_key_schedule(keys[2], xform->cipher.key.data+16);
/* Initialize keys - 24 bytes: [K1-K2-K3] */
sess->cipher.exp_3des_keys.ks_ptr[0] = keys[0];
sess->cipher.exp_3des_keys.ks_ptr[1] = keys[1];
sess->cipher.exp_3des_keys.ks_ptr[2] = keys[2];
break;
case 16:
des_key_schedule(keys[0], xform->cipher.key.data);
des_key_schedule(keys[1], xform->cipher.key.data+8);
/* Initialize keys - 16 bytes: [K1=K1,K2=K2,K3=K1] */
sess->cipher.exp_3des_keys.ks_ptr[0] = keys[0];
sess->cipher.exp_3des_keys.ks_ptr[1] = keys[1];
sess->cipher.exp_3des_keys.ks_ptr[2] = keys[0];
break;
case 8:
des_key_schedule(keys[0], xform->cipher.key.data);
/* Initialize keys - 8 bytes: [K1 = K2 = K3] */
sess->cipher.exp_3des_keys.ks_ptr[0] = keys[0];
sess->cipher.exp_3des_keys.ks_ptr[1] = keys[0];
sess->cipher.exp_3des_keys.ks_ptr[2] = keys[0];
break;
default:
AESNI_MB_LOG(ERR, "Invalid cipher key length");
return -EINVAL;
}
#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
sess->cipher.key_length_in_bytes = 24;
#else
sess->cipher.key_length_in_bytes = 8;
#endif
} else {
if (xform->cipher.key.length != 8) {
AESNI_MB_LOG(ERR, "Invalid cipher key length");
return -EINVAL;
}
sess->cipher.key_length_in_bytes = 8;
des_key_schedule((uint64_t *)sess->cipher.expanded_aes_keys.encode,
xform->cipher.key.data);
des_key_schedule((uint64_t *)sess->cipher.expanded_aes_keys.decode,
xform->cipher.key.data);
}
return 0;
}
/**
* Process a crypto operation and complete a JOB_AES_HMAC job structure for
* submission to the multi buffer library for processing.
*
* @param qp queue pair
* @param job JOB_AES_HMAC structure to fill
* @param m mbuf to process
*
* @return
* - Completed JOB_AES_HMAC structure pointer on success
* - NULL pointer if completion of JOB_AES_HMAC structure isn't possible
*/
static JOB_AES_HMAC *
process_crypto_op(struct aesni_mb_qp *qp, struct rte_mbuf *m,
struct rte_crypto_op *c_op, struct aesni_mb_session *session)
{
JOB_AES_HMAC *job;
job = (*qp->ops->job.get_next)(&qp->mb_mgr);
if (unlikely(job == NULL))
return job;
/* Set crypto operation */
job->chain_order = session->chain_order;
/* Set cipher parameters */
job->cipher_direction = session->cipher.direction;
job->cipher_mode = session->cipher.mode;
job->aes_key_len_in_bytes = session->cipher.key_length_in_bytes;
job->aes_enc_key_expanded = session->cipher.expanded_aes_keys.encode;
job->aes_dec_key_expanded = session->cipher.expanded_aes_keys.decode;
/* Set authentication parameters */
job->hash_alg = session->auth.algo;
if (job->hash_alg == AES_XCBC) {
job->_k1_expanded = session->auth.xcbc.k1_expanded;
job->_k2 = session->auth.xcbc.k2;
job->_k3 = session->auth.xcbc.k3;
} else {
job->hashed_auth_key_xor_ipad = session->auth.pads.inner;
job->hashed_auth_key_xor_opad = session->auth.pads.outer;
}
/* Mutable crypto operation parameters */
/* Set digest output location */
if (job->cipher_direction == DECRYPT) {
job->auth_tag_output = (uint8_t *)rte_pktmbuf_append(m,
get_digest_byte_length(job->hash_alg));
if (job->auth_tag_output)
memset(job->auth_tag_output, 0,
sizeof(get_digest_byte_length(job->hash_alg)));
else
return NULL;
} else {
job->auth_tag_output = c_op->digest.data;
}
/*
* Multiple buffer library current only support returning a truncated
* digest length as specified in the relevant IPsec RFCs
*/
job->auth_tag_output_len_in_bytes =
get_truncated_digest_byte_length(job->hash_alg);
/* Set IV parameters */
job->iv = c_op->iv.data;
job->iv_len_in_bytes = c_op->iv.length;
/* Data Parameter */
job->src = rte_pktmbuf_mtod(m, uint8_t *);
job->dst = c_op->dst.m ?
rte_pktmbuf_mtod(c_op->dst.m, uint8_t *) +
c_op->dst.offset :
rte_pktmbuf_mtod(m, uint8_t *) +
c_op->data.to_cipher.offset;
job->cipher_start_src_offset_in_bytes = c_op->data.to_cipher.offset;
job->msg_len_to_cipher_in_bytes = c_op->data.to_cipher.length;
job->hash_start_src_offset_in_bytes = c_op->data.to_hash.offset;
job->msg_len_to_hash_in_bytes = c_op->data.to_hash.length;
/* Set user data to be crypto operation data struct */
job->user_data = m;
job->user_data2 = c_op;
return job;
}
