From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by dpdk.org (Postfix) with ESMTP id 1DBA64C74 for ; Tue, 14 Aug 2018 10:45:20 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Aug 2018 01:45:20 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,237,1531810800"; d="scan'208";a="224482064" Received: from silpixa00399466.ir.intel.com (HELO silpixa00399466.ger.corp.intel.com) ([10.237.223.220]) by orsmga004.jf.intel.com with ESMTP; 14 Aug 2018 01:45:19 -0700 From: Pablo de Lara To: declan.doherty@intel.com Cc: dev@dpdk.org, Pablo de Lara Date: Tue, 14 Aug 2018 01:38:48 +0100 Message-Id: <20180814003848.11095-6-pablo.de.lara.guarch@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180814003848.11095-1-pablo.de.lara.guarch@intel.com> References: <20180814003848.11095-1-pablo.de.lara.guarch@intel.com> Subject: [dpdk-dev] [PATCH 5/5] crypto/aesni_mb: support large HMAC key sizes X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Aug 2018 08:45:22 -0000 Add support for SHAx-HMAC key sizes larger than the block size. For these sizes, the input key is digested with the non-HMAC version of the algorithm and used as the key. Signed-off-by: Pablo de Lara --- drivers/crypto/aesni_mb/aesni_mb_ops.h | 61 +++++++++++++++++++ drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 59 +++++++++++++++++- .../crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 20 ++++++ .../aesni_mb/rte_aesni_mb_pmd_private.h | 9 --- 4 files changed, 138 insertions(+), 11 deletions(-) diff --git a/drivers/crypto/aesni_mb/aesni_mb_ops.h b/drivers/crypto/aesni_mb/aesni_mb_ops.h index 5a1cba6cb..d224b7249 100644 --- a/drivers/crypto/aesni_mb/aesni_mb_ops.h +++ b/drivers/crypto/aesni_mb/aesni_mb_ops.h @@ -11,6 +11,15 @@ #include +/* + * IMB_VERSION_NUM macro was introduced in version Multi-buffer 0.50, + * so if macro is not defined, it means that the version is 0.49. + */ +#if !defined(IMB_VERSION_NUM) +#define IMB_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c)) +#define IMB_VERSION_NUM IMB_VERSION(0, 49, 0) +#endif + enum aesni_mb_vector_mode { RTE_AESNI_MB_NOT_SUPPORTED = 0, RTE_AESNI_MB_SSE, @@ -88,6 +97,16 @@ struct aesni_mb_op_fns { /**< AES CMAC key expansions */ } keyexp; /**< Key expansion functions */ +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + struct { + hash_fn_t sha1; + hash_fn_t sha224; + hash_fn_t sha256; + hash_fn_t sha384; + hash_fn_t sha512; + } multi_block; + /** multi block hash functions */ +#endif } aux; /**< Auxiliary functions */ }; @@ -104,7 +123,13 @@ static const struct aesni_mb_op_fns job_ops[] = { }, .keyexp = { NULL + }, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .multi_block = { + NULL } +#endif + } }, [RTE_AESNI_MB_SSE] = { @@ -131,7 +156,16 @@ static const struct aesni_mb_op_fns job_ops[] = { aes_xcbc_expand_key_sse, aes_cmac_subkey_gen_sse, aes_keyexp_128_enc_sse + }, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .multi_block = { + sha1_sse, + sha224_sse, + sha256_sse, + sha384_sse, + sha512_sse } +#endif } }, [RTE_AESNI_MB_AVX] = { @@ -158,7 +192,16 @@ static const struct aesni_mb_op_fns job_ops[] = { aes_xcbc_expand_key_avx, aes_cmac_subkey_gen_avx, aes_keyexp_128_enc_avx + }, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .multi_block = { + sha1_avx, + sha224_avx, + sha256_avx, + sha384_avx, + sha512_avx } +#endif } }, [RTE_AESNI_MB_AVX2] = { @@ -185,7 +228,16 @@ static const struct aesni_mb_op_fns job_ops[] = { aes_xcbc_expand_key_avx2, aes_cmac_subkey_gen_avx2, aes_keyexp_128_enc_avx2 + }, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .multi_block = { + sha1_avx2, + sha224_avx2, + sha256_avx2, + sha384_avx2, + sha512_avx2 } +#endif } }, [RTE_AESNI_MB_AVX512] = { @@ -212,7 +264,16 @@ static const struct aesni_mb_op_fns job_ops[] = { aes_xcbc_expand_key_avx512, aes_cmac_subkey_gen_avx512, aes_keyexp_128_enc_avx512 + }, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .multi_block = { + sha1_avx512, + sha224_avx512, + sha256_avx512, + sha384_avx512, + sha512_avx512 } +#endif } } }; diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c index 007c3fb2b..b5a3692e6 100644 --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c @@ -16,7 +16,7 @@ #define AES_CCM_DIGEST_MIN_LEN 4 #define AES_CCM_DIGEST_MAX_LEN 16 - +#define HMAC_MAX_BLOCK_SIZE 128 static uint8_t cryptodev_driver_id; typedef void (*hash_one_block_t)(const void *data, void *digest); @@ -104,6 +104,8 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops, const struct rte_crypto_sym_xform *xform) { hash_one_block_t hash_oneblock_fn; + unsigned int key_larger_block_size = 0; + uint8_t hashed_key[HMAC_MAX_BLOCK_SIZE] = { 0 }; if (xform == NULL) { sess->auth.algo = NULL_HASH; @@ -182,22 +184,67 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops, case RTE_CRYPTO_AUTH_SHA1_HMAC: sess->auth.algo = SHA1; hash_oneblock_fn = mb_ops->aux.one_block.sha1; +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + if (xform->auth.key.length > get_auth_algo_blocksize(SHA1)) { + mb_ops->aux.multi_block.sha1( + xform->auth.key.data, + xform->auth.key.length, + hashed_key); + key_larger_block_size = 1; + } +#endif break; case RTE_CRYPTO_AUTH_SHA224_HMAC: sess->auth.algo = SHA_224; hash_oneblock_fn = mb_ops->aux.one_block.sha224; +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + if (xform->auth.key.length > get_auth_algo_blocksize(SHA_224)) { + mb_ops->aux.multi_block.sha224( + xform->auth.key.data, + xform->auth.key.length, + hashed_key); + key_larger_block_size = 1; + } +#endif break; case RTE_CRYPTO_AUTH_SHA256_HMAC: sess->auth.algo = SHA_256; hash_oneblock_fn = mb_ops->aux.one_block.sha256; +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + if (xform->auth.key.length > get_auth_algo_blocksize(SHA_256)) { + mb_ops->aux.multi_block.sha256( + xform->auth.key.data, + xform->auth.key.length, + hashed_key); + key_larger_block_size = 1; + } +#endif break; case RTE_CRYPTO_AUTH_SHA384_HMAC: sess->auth.algo = SHA_384; hash_oneblock_fn = mb_ops->aux.one_block.sha384; +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + if (xform->auth.key.length > get_auth_algo_blocksize(SHA_384)) { + mb_ops->aux.multi_block.sha384( + xform->auth.key.data, + xform->auth.key.length, + hashed_key); + key_larger_block_size = 1; + } +#endif break; case RTE_CRYPTO_AUTH_SHA512_HMAC: sess->auth.algo = SHA_512; hash_oneblock_fn = mb_ops->aux.one_block.sha512; +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + if (xform->auth.key.length > get_auth_algo_blocksize(SHA_512)) { + mb_ops->aux.multi_block.sha512( + xform->auth.key.data, + xform->auth.key.length, + hashed_key); + key_larger_block_size = 1; + } +#endif break; default: AESNI_MB_LOG(ERR, "Unsupported authentication algorithm selection"); @@ -225,11 +272,19 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops, sess->auth.gen_digest_len = sess->auth.req_digest_len; /* Calculate Authentication precomputes */ - calculate_auth_precomputes(hash_oneblock_fn, + if (key_larger_block_size) { + calculate_auth_precomputes(hash_oneblock_fn, + sess->auth.pads.inner, sess->auth.pads.outer, + hashed_key, + xform->auth.key.length, + get_auth_algo_blocksize(sess->auth.algo)); + } else { + calculate_auth_precomputes(hash_oneblock_fn, sess->auth.pads.inner, sess->auth.pads.outer, xform->auth.key.data, xform->auth.key.length, get_auth_algo_blocksize(sess->auth.algo)); + } return 0; } diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c index e41ba70fa..4f0139b20 100644 --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c @@ -48,7 +48,11 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = { .block_size = 64, .key_size = { .min = 1, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .max = 65535, +#else .max = 64, +#endif .increment = 1 }, .digest_size = { @@ -75,7 +79,11 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = { .block_size = 64, .key_size = { .min = 1, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .max = 65535, +#else .max = 64, +#endif .increment = 1 }, .digest_size = { @@ -102,7 +110,11 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = { .block_size = 64, .key_size = { .min = 1, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .max = 65535, +#else .max = 64, +#endif .increment = 1 }, .digest_size = { @@ -129,7 +141,11 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = { .block_size = 128, .key_size = { .min = 1, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .max = 65535, +#else .max = 128, +#endif .increment = 1 }, .digest_size = { @@ -156,7 +172,11 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = { .block_size = 128, .key_size = { .min = 1, +#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0) + .max = 65535, +#else .max = 128, +#endif .increment = 1 }, .digest_size = { diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_private.h b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_private.h index 1e297f032..8c027a87e 100644 --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_private.h +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_private.h @@ -7,15 +7,6 @@ #include "aesni_mb_ops.h" -/* - * IMB_VERSION_NUM macro was introduced in version Multi-buffer 0.50, - * so if macro is not defined, it means that the version is 0.49. - */ -#if !defined(IMB_VERSION_NUM) -#define IMB_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c)) -#define IMB_VERSION_NUM IMB_VERSION(0, 49, 0) -#endif - #define CRYPTODEV_NAME_AESNI_MB_PMD crypto_aesni_mb /**< AES-NI Multi buffer PMD device name */ -- 2.17.1