From: Ashwin Sekhar T K <asekhar@marvell.com>
To: <roy.fan.zhang@intel.com>
Cc: <anoobj@marvell.com>, <asekhar@marvell.com>, <dev@dpdk.org>,
<gakhil@marvell.com>, <hkalra@marvell.com>, <jerinj@marvell.com>,
<kirankumark@marvell.com>, <ndabilpuram@marvell.com>,
<pbhagavatula@marvell.com>, <psatheesh@marvell.com>,
<skori@marvell.com>, <skoteshwar@marvell.com>
Subject: [PATCH v2 1/1] crypto/openssl: support aes cmac operations
Date: Mon, 18 Jul 2022 11:37:26 +0530 [thread overview]
Message-ID: <20220718060726.4189219-2-asekhar@marvell.com> (raw)
In-Reply-To: <20220718060726.4189219-1-asekhar@marvell.com>
Extend openssl crypto PMD to support AES CMAC operations.
Signed-off-by: Ashwin Sekhar T K <asekhar@marvell.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 14 ++
drivers/crypto/openssl/rte_openssl_pmd.c | 142 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 20 +++
3 files changed, 169 insertions(+), 7 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 5963a67a08..c1aa5f550c 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -6,6 +6,7 @@
#define _OPENSSL_PMD_PRIVATE_H_
#include <openssl/evp.h>
+#include <openssl/cmac.h>
#include <openssl/hmac.h>
#include <openssl/des.h>
#include <openssl/rsa.h>
@@ -50,6 +51,7 @@ enum openssl_cipher_mode {
enum openssl_auth_mode {
OPENSSL_AUTH_AS_AUTH,
OPENSSL_AUTH_AS_HMAC,
+ OPENSSL_AUTH_AS_CMAC,
};
/** private data structure for each OPENSSL crypto device */
@@ -145,6 +147,18 @@ struct openssl_session {
# endif
/**< pointer to EVP context structure */
} hmac;
+
+ struct {
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+ /**< pointer to EVP context structure */
+# else
+ const EVP_CIPHER *evp_algo;
+ /**< pointer to EVP algorithm function */
+ CMAC_CTX *ctx;
+ /**< pointer to EVP context structure */
+# endif
+ } cmac;
};
uint16_t aad_length;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5658b9db66..460f1e7be6 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -10,6 +10,7 @@
#include <rte_malloc.h>
#include <rte_cpuflags.h>
+#include <openssl/cmac.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
@@ -592,6 +593,12 @@ static int
openssl_set_session_auth_parameters(struct openssl_session *sess,
const struct rte_crypto_sym_xform *xform)
{
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ OSSL_PARAM params[2];
+ const char *algo;
+ EVP_MAC *mac;
+# endif
/* Select auth generate/verify */
sess->auth.operation = xform->auth.op;
sess->auth.algo = xform->auth.algo;
@@ -636,6 +643,47 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+ case RTE_CRYPTO_AUTH_AES_CMAC:
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (xform->auth.key.length == 16)
+ algo = SN_aes_128_cbc;
+ else if (xform->auth.key.length == 24)
+ algo = SN_aes_192_cbc;
+ else if (xform->auth.key.length == 32)
+ algo = SN_aes_256_cbc;
+ else
+ return -EINVAL;
+
+ rte_memcpy(algo_name, algo, strlen(algo) + 1);
+ params[0] = OSSL_PARAM_construct_utf8_string(
+ OSSL_MAC_PARAM_CIPHER, algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+
+ sess->auth.mode = OPENSSL_AUTH_AS_CMAC;
+ mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL);
+ sess->auth.cmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+
+ if (EVP_MAC_init(sess->auth.cmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+# else
+ sess->auth.mode = OPENSSL_AUTH_AS_CMAC;
+ sess->auth.cmac.ctx = CMAC_CTX_new();
+ if (get_cipher_algo(RTE_CRYPTO_CIPHER_AES_CBC,
+ xform->auth.key.length,
+ &sess->auth.cmac.evp_algo) != 0)
+ return -EINVAL;
+ if (CMAC_Init(sess->auth.cmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ sess->auth.cmac.evp_algo, NULL) != 1)
+ return -EINVAL;
+# endif
+ break;
+
# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
@@ -645,15 +693,12 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
case RTE_CRYPTO_AUTH_SHA512_HMAC:
sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
- OSSL_PARAM params[2];
- const char *algo;
algo = digest_name_get(xform->auth.algo);
if (!algo)
return -EINVAL;
- char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
rte_memcpy(algo_name, algo, (sizeof(algo)+1));
- EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
EVP_MAC_free(mac);
if (get_auth_algo(xform->auth.algo,
@@ -817,6 +862,13 @@ openssl_reset_session(struct openssl_session *sess)
EVP_MAC_CTX_free(sess->auth.hmac.ctx);
# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
+ break;
+ case OPENSSL_AUTH_AS_CMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.cmac.ctx);
+# else
+ CMAC_CTX_free(sess->auth.cmac.ctx);
# endif
break;
default:
@@ -1354,10 +1406,14 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+
# if OPENSSL_VERSION_NUMBER >= 0x30000000L
-/** Process standard openssl auth algorithms with hmac */
+# endif
+
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac/cmac */
static int
-process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+process_openssl_auth_mac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
int srclen, EVP_MAC_CTX *ctx)
{
size_t dstlen;
@@ -1459,6 +1515,58 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
+
+/** Process standard openssl auth algorithms with cmac */
+static int
+process_openssl_auth_cmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, CMAC_CTX *ctx)
+{
+ unsigned int dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (CMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (CMAC_Update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (CMAC_Update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (CMAC_Final(ctx, dst, (size_t *)&dstlen) != 1)
+ goto process_auth_err;
+
+ CMAC_CTX_cleanup(ctx);
+
+ return 0;
+
+process_auth_err:
+ OPENSSL_LOG(ERR, "Process openssl cmac auth failed");
+ return -EINVAL;
+}
# endif
/*----------------------------------------------------------------------------*/
@@ -1700,9 +1808,11 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX *ctx_a;
# if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_CTX *ctx_h;
+ EVP_MAC_CTX *ctx_c;
EVP_MAC *mac;
# else
HMAC_CTX *ctx_h;
+ CMAC_CTX *ctx_c;
# endif
srclen = op->sym->auth.data.length;
@@ -1724,7 +1834,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
ctx_h = EVP_MAC_CTX_new(mac);
ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
EVP_MAC_free(mac);
- status = process_openssl_auth_hmac(mbuf_src, dst,
+ status = process_openssl_auth_mac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
# else
@@ -1734,6 +1844,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
+ break;
+ case OPENSSL_AUTH_AS_CMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_CMAC, NULL);
+ ctx_c = EVP_MAC_CTX_new(mac);
+ ctx_c = EVP_MAC_CTX_dup(sess->auth.cmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_mac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_c);
+# else
+ ctx_c = CMAC_CTX_new();
+ CMAC_CTX_copy(ctx_c, sess->auth.cmac.ctx);
+ status = process_openssl_auth_cmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_c);
+ CMAC_CTX_free(ctx_c);
# endif
break;
default:
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 3e24ef94f7..f7ddbf9c73 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -394,6 +394,26 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES CMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_CMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 4,
+ .max = 16,
+ .increment = 4
+ },
+ }, }
+ }, }
+ },
{ /* 3DES CBC */
.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
{.sym = {
--
2.25.1
next prev parent reply other threads:[~2022-07-18 6:07 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-10 16:28 [PATCH] crypto/openssl: support " Ashwin Sekhar T K
2022-06-17 10:11 ` Zhang, Roy Fan
2022-07-18 6:07 ` [PATCH v2 0/1] crypto/openssl: add aes cmac support Ashwin Sekhar T K
2022-07-18 6:07 ` Ashwin Sekhar T K [this message]
2022-07-18 9:12 ` [PATCH v3 " Ashwin Sekhar T K
2022-07-18 9:12 ` [PATCH v3 1/1] crypto/openssl: support aes cmac operations Ashwin Sekhar T K
2022-07-18 9:18 ` [PATCH v4 0/1] crypto/openssl: add aes cmac support Ashwin Sekhar T K
2022-07-18 9:18 ` [PATCH v4 1/1] crypto/openssl: support aes cmac operations Ashwin Sekhar T K
2022-07-18 16:25 ` [PATCH v5 0/1] crypto/openssl: add aes cmac support Ashwin Sekhar T K
2022-07-18 16:25 ` [PATCH v5 1/1] crypto/openssl: support aes cmac operations Ashwin Sekhar T K
2022-07-18 16:54 ` Ji, Kai
2022-08-26 8:52 ` Akhil Goyal
2022-07-18 13:57 ` [PATCH v4 0/1] crypto/openssl: add aes cmac support Ji, Kai
2022-07-18 16:18 ` Ashwin Sekhar Thalakalath Kottilveetil
2022-06-30 15:41 ` [PATCH v2] crypto/ipsec_mb: enable support for arm64 Ashwin Sekhar T K
2022-07-04 14:47 ` Zhang, Roy Fan
2022-07-27 8:29 ` Ruifeng Wang
2022-07-27 8:48 ` Ashwin Sekhar Thalakalath Kottilveetil
2022-08-26 8:45 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220718060726.4189219-2-asekhar@marvell.com \
--to=asekhar@marvell.com \
--cc=anoobj@marvell.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
--cc=hkalra@marvell.com \
--cc=jerinj@marvell.com \
--cc=kirankumark@marvell.com \
--cc=ndabilpuram@marvell.com \
--cc=pbhagavatula@marvell.com \
--cc=psatheesh@marvell.com \
--cc=roy.fan.zhang@intel.com \
--cc=skori@marvell.com \
--cc=skoteshwar@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).