From: Fan Zhang <roy.fan.zhang@intel.com>
To: dev@dpdk.org
Cc: akhil.goyal@nxp.co
Subject: [dpdk-dev] [PATCH v2] crypto/aesni_mb: add gmac support
Date: Tue, 11 Dec 2018 14:24:09 +0000 [thread overview]
Message-ID: <20181211142409.21631-1-roy.fan.zhang@intel.com> (raw)
In-Reply-To: <20181115172415.67551-1-roy.fan.zhang@intel.com>
This patch adds AES-GMAC authentication only support to AESNI-MB
PMD. The unit test is updated accordingly.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
v2:
- updated documentation
doc/guides/cryptodevs/aesni_mb.rst | 3 +
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 127 +++++++++++++++++++------
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 +++++
test/test/test_cryptodev.c | 13 +++
4 files changed, 141 insertions(+), 27 deletions(-)
diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index 63e060d75..c7624fb00 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -40,6 +40,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA512_HMAC
* RTE_CRYPTO_HASH_AES_XCBC_HMAC
* RTE_CRYPTO_HASH_AES_CMAC
+* RTE_CRYPTO_AUTH_AES_GMAC
AEAD algorithms:
@@ -51,6 +52,8 @@ Limitations
* Chained mbufs are not supported.
* Only in-place is currently supported (destination address is the same as source address).
+* RTE_CRYPTO_AUTH_AES_GMAC only works properly when Intel multi buffer library
+ is version 0.51.0 or older.
Installation
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 83250e32c..3ead8a61f 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,11 +909,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..8b4694c13 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -9341,6 +9341,19 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
--
2.13.6
next prev parent reply other threads:[~2018-12-11 14:24 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-15 17:24 [dpdk-dev] [PATCH] " Fan Zhang
2018-12-11 14:24 ` Fan Zhang [this message]
2018-12-18 13:51 ` [dpdk-dev] [PATCH v3] " Fan Zhang
2018-12-18 15:22 ` Akhil Goyal
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 1/3] " Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 2/3] test: add aesni-mb gmac test Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 3/3] doc: update release note and PMD information Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 1/3] " Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 2/3] test: add aesni-mb gmac test Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 3/3] doc: update release note and pmd info Fan Zhang
2018-12-20 12:07 ` [dpdk-dev] [PATCH v6] crypto/aesni_mb: support AES-GMAC Fan Zhang
2019-01-09 22:15 ` De Lara Guarch, Pablo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181211142409.21631-1-roy.fan.zhang@intel.com \
--to=roy.fan.zhang@intel.com \
--cc=akhil.goyal@nxp.co \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).