* [dpdk-dev] [PATCH] crypto/aesni_mb: add gmac support
@ 2018-11-15 17:24 Fan Zhang
2018-12-11 14:24 ` [dpdk-dev] [PATCH v2] " Fan Zhang
From: Fan Zhang @ 2018-11-15 17:24 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch adds AES-GMAC authentication-only support to the AESNI-MB
PMD. The unit test is updated accordingly.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
This patch targets 19.02 release.
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 127 +++++++++++++++++++------
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 +++++
test/test/test_cryptodev.c | 13 +++
3 files changed, 138 insertions(+), 27 deletions(-)
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 83250e32c..3ead8a61f 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
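Review bot: The GMAC branch never rejects an out-of-range `sess->auth.req_digest_len`: any value other than 8, 12 or 16 falls through to `gen_digest_len = 16`, yet `req_digest_len` is the length later passed to `verify_digest`, so a request above 16 bytes would compare past the generated tag (where `req_digest_len` is assigned and how large the temporary digest buffer is lie outside this hunk, so this is inferred). A guard such as `if (sess->auth.req_digest_len == 0 || sess->auth.req_digest_len > 16) return -EINVAL;` ahead of the size selection would close that, and `xform->auth.iv.length` is likewise copied without being compared to the 12 bytes the capability entry advertises. The `default:` key-length case logs `"failed to parse test type\n"`, which does not describe the failure; `"Invalid authentication key length\n"` would tell the operator what to fix. The same hunk is re-posted in v2 and v3 and mirrored in rte_aesni_mb_pmd_next.c in v3; the enclosing function starts and ends outside the hunk.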
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
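Review bot: In the new GMAC branch `op->sym->auth.data.offset` and `op->sym->auth.data.length` come straight from the operation and are used unchecked as the AAD pointer and length; `rte_pktmbuf_mtod_offset` does no bounds checking. Unless the range is validated outside this hunk, a length larger than the data held in `m_src` lets the library read past the segment, and this driver documents that chained mbufs are not supported. Consider failing the op when `(uint64_t)op->sym->auth.data.offset + op->sym->auth.data.length > rte_pktmbuf_data_len(m_src)`. The `/* For GMAC */` comment could also state the reason, e.g. `/* GMAC (auth only): the authenticated region is handed to the library as AAD */`. The same hunk appears again in v2, v3 and rte_aesni_mb_pmd_next.c.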
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
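Review bot: The test `job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC && session->cipher.mode == GCM)` is now spelled out three times (here, in the digest-pointer selection of the next hunk, and in `post_process_mb_job`), so a future AEAD algorithm needs all three edited in step. A small `static inline` predicate taking the hash algorithm and the cipher mode, with a one-line comment that an AES_GMAC job whose cipher mode is not GCM is an auth-only GMAC session, would keep them consistent. It would also make a dependency visible: the GMAC session branch added by this patch does not set `sess->cipher.mode`, so the distinction relies on whatever the cipher-parameter setup outside these hunks leaves there. In `post_process_mb_job` the two `verify_digest` calls differ only in the digest pointer and could become one call after selecting it. This applies equally to the v2/v3 re-posts and to rte_aesni_mb_pmd_next.c.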
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,11 +909,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
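Review bot: The GMAC arm sets both `msg_len_to_cipher_in_bytes` and `msg_len_to_hash_in_bytes` to 0 with no explanation, which reads like a bug to anyone who has not seen the AAD setup earlier in the function. A comment on the `else` arm such as `/* GMAC: the data was supplied as AAD above, so there is no payload to cipher or hash */` would document the intent. The enclosing switch continues outside the hunk; the same lines recur in v2, v3 and rte_aesni_mb_pmd_next.c.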
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
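Review bot: `verify_digest` still compares the computed tag with the received one using `memcmp`, whose running time can depend on the position of the first differing byte; for MAC verification that can reveal how much of a rejected tag matched. Since the function is being rewritten anyway, it is a good place to switch to a comparison that always touches all `len` bytes, as sketched below, and `digest` can become `const void *` because it is only read. The function is changed identically in the v2 and v3 postings and in rte_aesni_mb_pmd_next.c.

```c
static inline void
verify_digest(JOB_AES_HMAC *job, const void *digest, uint16_t len,
		uint8_t *status)
{
	const uint8_t *computed = job->auth_tag_output;
	const uint8_t *expected = digest;
	uint8_t diff = 0;
	uint16_t i;

	/* Fold every byte difference into diff; no early exit on mismatch. */
	for (i = 0; i < len; i++)
		diff |= computed[i] ^ expected[i];

	if (diff != 0)
		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
```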
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..8b4694c13 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -9341,6 +9341,19 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
--
2.13.6
* [dpdk-dev] [PATCH v2] crypto/aesni_mb: add gmac support
2018-11-15 17:24 [dpdk-dev] [PATCH] crypto/aesni_mb: add gmac support Fan Zhang
@ 2018-12-11 14:24 ` Fan Zhang
2018-12-18 13:51 ` [dpdk-dev] [PATCH v3] " Fan Zhang
From: Fan Zhang @ 2018-12-11 14:24 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch adds AES-GMAC authentication-only support to the AESNI-MB
PMD. The unit test is updated accordingly.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
v2:
- updated documentation
doc/guides/cryptodevs/aesni_mb.rst | 3 +
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 127 +++++++++++++++++++------
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 +++++
test/test/test_cryptodev.c | 13 +++
4 files changed, 141 insertions(+), 27 deletions(-)
diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index 63e060d75..c7624fb00 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -40,6 +40,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA512_HMAC
* RTE_CRYPTO_HASH_AES_XCBC_HMAC
* RTE_CRYPTO_HASH_AES_CMAC
+* RTE_CRYPTO_AUTH_AES_GMAC
AEAD algorithms:
@@ -51,6 +52,8 @@ Limitations
* Chained mbufs are not supported.
* Only in-place is currently supported (destination address is the same as source address).
+* RTE_CRYPTO_AUTH_AES_GMAC only works properly when Intel multi buffer library
+ is version 0.51.0 or older.
Installation
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 83250e32c..3ead8a61f 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,11 +909,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..8b4694c13 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -9341,6 +9341,19 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
--
2.13.6
* [dpdk-dev] [PATCH v3] crypto/aesni_mb: add gmac support
2018-12-11 14:24 ` [dpdk-dev] [PATCH v2] " Fan Zhang
@ 2018-12-18 13:51 ` Fan Zhang
2018-12-18 15:22 ` Akhil Goyal
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
From: Fan Zhang @ 2018-12-18 13:51 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch adds AES-GMAC authentication-only support to the AESNI-MB
PMD. The unit test is updated accordingly.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
v3:
- rebased on top of latest code.
- updated release note.
v2:
- updated documentation.
doc/guides/cryptodevs/aesni_mb.rst | 6 +-
doc/guides/rel_notes/release_19_02.rst | 5 +
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 127 ++++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_next.c | 126 +++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 ++++
.../crypto/aesni_mb/rte_aesni_mb_pmd_ops_next.c | 25 ++++
test/test/test_cryptodev.c | 13 +++
7 files changed, 272 insertions(+), 55 deletions(-)
diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index 81183b606..71b2cf2c7 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -38,6 +38,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA256_HMAC
* RTE_CRYPTO_HASH_SHA384_HMAC
* RTE_CRYPTO_HASH_SHA512_HMAC
+* RTE_CRYPTO_AUTH_AES_GMAC
* RTE_CRYPTO_HASH_AES_XCBC_HMAC
* RTE_CRYPTO_HASH_AES_CMAC
* RTE_CRYPTO_HASH_SHA1
@@ -46,6 +47,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA384
* RTE_CRYPTO_HASH_SHA512
+
AEAD algorithms:
* RTE_CRYPTO_AEAD_AES_CCM
@@ -56,8 +58,8 @@ Limitations
* Chained mbufs are not supported.
* Only in-place is currently supported (destination address is the same as source address).
-* RTE_CRYPTO_AEAD_AES_GCM only works properly when the multi-buffer library is
- 0.51.0 or older.
+* RTE_CRYPTO_AEAD_AES_GCM and RTE_CRYPTO_AUTH_AES_GMAC only works properly when
+ Intel multi buffer library is version 0.51.0 or older.
Installation
diff --git a/doc/guides/rel_notes/release_19_02.rst b/doc/guides/rel_notes/release_19_02.rst
index 0a39723b2..671e9c681 100644
--- a/doc/guides/rel_notes/release_19_02.rst
+++ b/doc/guides/rel_notes/release_19_02.rst
@@ -65,6 +65,11 @@ New Features
Added a new performance test tool to test the compressdev PMD. The tool tests
compression ratio and compression throughput.
+* **Updated the AESNI MB PMD.**
+
+ The AESNI MB PMD has been updated with additional support for the AES-GMAC
+ authentication only algorithm.
+
Removed Items
-------------
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 83250e32c..3ead8a61f 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,11 +909,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_next.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_next.c
index c794652ce..4e31735ca 100755
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_next.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_next.c
@@ -174,6 +174,54 @@ aesni_mb_set_session_auth_parameters(const MB_MGR *mb_mgr,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ IMB_AES128_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ break;
+ case AES_192_BYTES:
+ IMB_AES192_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ break;
+ case AES_256_BYTES:
+ IMB_AES256_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,11 +909,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -879,19 +950,11 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
/* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +996,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
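Review bot: The two `verify_digest` calls in the `RTE_CRYPTO_AUTH_OP_VERIFY` branch differ only in the digest pointer, so selecting the pointer first and calling once would be shorter and harder to get out of sync: `digest = is_aead ? op->sym->aead.digest.data : op->sym->auth.digest.data;` then `verify_digest(job, digest, sess->auth.req_digest_len, &op->status);`. The AEAD test `job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC && sess->cipher.mode == GCM)` is also spelled out again in set_mb_job_params in this patch, so a small `static inline` predicate would keep the copies consistent. The trailing `} else` leaves `generate_digest(job, op, sess);` unbraced next to a braced `if`. The same hunk is repeated in the v4 and v5 postings for both driver files; post_process_mb_job starts and ends outside the hunk.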
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_next.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_next.c
index c57065d0f..c90f6baa3 100755
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_next.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_next.c
@@ -465,6 +465,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..8b4694c13 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -9341,6 +9341,19 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
--
2.13.6
* Re: [dpdk-dev] [PATCH v3] crypto/aesni_mb: add gmac support
2018-12-18 13:51 ` [dpdk-dev] [PATCH v3] " Fan Zhang
@ 2018-12-18 15:22 ` Akhil Goyal
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
1 sibling, 0 replies; 14+ messages in thread
From: Akhil Goyal @ 2018-12-18 15:22 UTC (permalink / raw)
To: Fan Zhang, dev
On 12/18/2018 7:21 PM, Fan Zhang wrote:
> This patch adds AES-GMAC authentication only support to AESNI-MB
> PMD. The unit test is updated accordingly.
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> Acked-by: Damian Nowak <damianx.nowak@intel.com>
> ---
> v3:
> - rebased on top of latest code.
> - updated release note.
>
> v2:
> - updated documentation.
>
Applied to dpdk-next-crypto
* [dpdk-dev] [PATCH v4 0/3] crypto/aesni_mb: add gmac support
2018-12-18 13:51 ` [dpdk-dev] [PATCH v3] " Fan Zhang
2018-12-18 15:22 ` Akhil Goyal
@ 2018-12-19 21:42 ` Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 1/3] " Fan Zhang
` (3 more replies)
1 sibling, 4 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 21:42 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patchset adds AES-GMAC authentication-only support to the AESNI-MB PMD,
including the driver code, cryptodev unit test, and documentation updates.
This patchset is built on top of the patchset "use architecture independent
macros" (https://mails.dpdk.org/archives/dev/2018-December/121680.html)
Acked-by: Damian Nowak <damianx.nowak@intel.com>
v4:
- rebased on top of latest "use architecure independent macros" patchset.
- patch split.
v3:
- rebased on top of latest code.
- updated release note.
v2:
- updated documentation.
Fan Zhang (3):
crypto/aesni_mb: add gmac support
test: add aesni-mb gmac test
doc: update release note and PMD information
doc/guides/cryptodevs/aesni_mb.rst | 2 +
doc/guides/rel_notes/release_19_02.rst | 5 +
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 126 +++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c | 127 ++++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 ++++
.../crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c | 25 ++++
test/test/test_cryptodev.c | 24 ++++
7 files changed, 281 insertions(+), 53 deletions(-)
--
2.13.6
* [dpdk-dev] [PATCH v4 1/3] crypto/aesni_mb: add gmac support
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
@ 2018-12-19 21:42 ` Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 2/3] test: add aesni-mb gmac test Fan Zhang
` (2 subsequent siblings)
3 siblings, 0 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 21:42 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch updates the AESNI-MB PMD to add AES-GMAC support.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 126 +++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c | 127 ++++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 ++++
.../crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c | 25 ++++
4 files changed, 250 insertions(+), 53 deletions(-)
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 2c25b7b32..d34cbc36a 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -173,6 +173,54 @@ aesni_mb_set_session_auth_parameters(const MB_MGR *mb_mgr,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ IMB_AES128_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ break;
+ case AES_192_BYTES:
+ IMB_AES192_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ break;
+ case AES_256_BYTES:
+ IMB_AES256_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
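Review bot: The GMAC branch returns 0 without any bound on `sess->auth.req_digest_len` being visible in this hunk: every value other than 8, 12 and 16, including 0 and values above 16, falls back to a 16-byte generated tag. `verify_digest` in this patch compares `req_digest_len` bytes, so a zero length would compare nothing and a length above 16 would compare bytes beyond the generated tag. Unless the length is validated before this hunk, it should be rejected here, e.g. `if (sess->auth.req_digest_len == 0 || sess->auth.req_digest_len > 16) return -EINVAL;`. Separately, the `default:` case logs `"failed to parse test type\n"` for an unsupported key length; a message that names the key size would describe what actually failed. The same hunk is repeated for rte_aesni_mb_pmd_compat.c and in the v5 posting; the function starts and ends outside the hunk.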
@@ -735,8 +783,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
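Review bot: In the `/* For GMAC */` branch the AAD pointer and length come straight from `op->sym->auth.data.offset` and `op->sym->auth.data.length`, and nothing in this hunk checks them against the size of `m_src`. The PMD documentation lists chained mbufs as unsupported, so a request whose offset plus length exceeds `rte_pktmbuf_data_len(m_src)` would make the library read past the segment. Unless the op is validated elsewhere, a guard before the assignment would close this, e.g. `if ((uint64_t)op->sym->auth.data.offset + op->sym->auth.data.length > rte_pktmbuf_data_len(m_src))`, failing the op with `RTE_CRYPTO_OP_STATUS_INVALID_ARGS`. The same hunk is repeated for rte_aesni_mb_pmd_compat.c and in the v5 posting; set_mb_job_params starts and ends outside the hunk.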
@@ -776,7 +832,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -788,7 +845,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -826,11 +884,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -854,19 +925,11 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
/* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -908,13 +971,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
index 83250e32c..56ce54946 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,13 +909,26 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
+
break;
default:
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index 5788e37d1..56d409b4b 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -360,6 +360,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
--
2.13.6
* [dpdk-dev] [PATCH v4 2/3] test: add aesni-mb gmac test
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 1/3] " Fan Zhang
@ 2018-12-19 21:42 ` Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 3/3] doc: update release note and PMD information Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
3 siblings, 0 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 21:42 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch adds the GMAC test cases to AESNI-MB crypto unit test.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
test/test/test_cryptodev.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..f17054520 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -21,6 +21,10 @@
#include <rte_cryptodev_scheduler_operations.h>
#endif
+#ifdef RTE_LIBRTE_PMD_AESNI_MB
+#include <intel-ipsec-mb.h>
+#endif
+
#include <rte_lcore.h>
#include "test.h"
@@ -41,6 +45,11 @@
#define VDEV_ARGS_SIZE 100
#define MAX_NB_SESSIONS 4
+#if !defined(IMB_VERSION_NUM)
+#define IMB_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
+#define IMB_VERSION_NUM IMB_VERSION(0, 49, 0)
+#endif
+
static int gbl_driver_id;
struct crypto_testsuite_params {
@@ -9228,6 +9237,7 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
.setup = testsuite_setup,
.teardown = testsuite_teardown,
.unit_test_cases = {
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0)
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_encryption_test_case_1),
TEST_CASE_ST(ut_setup, ut_teardown,
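Review bot: The `#if IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0)` added here opens in front of the first AES-GCM case and is closed only by the `#endif` after the new GMAC cases in the next hunk, so the existing GCM tests become conditional on the library version as well. The documentation patch in this series states the v0.51 requirement only for GMAC; if that is the only dependency, the guard could start at `/** AES GMAC Authentication */` so GCM coverage is kept on older libraries. If gating GCM is intended, a comment next to the `#if` saying so would avoid the question. The test-case list continues outside the hunk.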
@@ -9341,6 +9351,20 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
+#endif /* IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0) */
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
--
2.13.6
* [dpdk-dev] [PATCH v4 3/3] doc: update release note and PMD information
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 1/3] " Fan Zhang
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 2/3] test: add aesni-mb gmac test Fan Zhang
@ 2018-12-19 21:42 ` Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
3 siblings, 0 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 21:42 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch updates the release note and AESNI-MB PMD documentation.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
doc/guides/cryptodevs/aesni_mb.rst | 2 ++
doc/guides/rel_notes/release_19_02.rst | 5 +++++
2 files changed, 7 insertions(+)
diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index 12532c63e..98082595d 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -40,6 +40,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA512_HMAC
* RTE_CRYPTO_HASH_AES_XCBC_HMAC
* RTE_CRYPTO_HASH_AES_CMAC
+* RTE_CRYPTO_HASH_AES_GMAC
AEAD algorithms:
@@ -51,6 +52,7 @@ Limitations
* Chained mbufs are not supported.
* Only in-place is currently supported (destination address is the same as source address).
+* RTE_CRYPTO_HASH_AES_GMAC is supported by library version v0.51 or later.
Installation
diff --git a/doc/guides/rel_notes/release_19_02.rst b/doc/guides/rel_notes/release_19_02.rst
index 8deb68b9a..48b183e81 100644
--- a/doc/guides/rel_notes/release_19_02.rst
+++ b/doc/guides/rel_notes/release_19_02.rst
@@ -60,6 +60,11 @@ New Features
* Added the handler to get firmware version string.
* Added support for multicast filtering.
+* **Updated the AESNI MB PMD.**
+
+ The AESNI MB PMD has been updated with additional support for the AES-GMAC
+ authentication only algorithm.
+
Removed Items
-------------
--
2.13.6
* [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 0/3] " Fan Zhang
` (2 preceding siblings ...)
2018-12-19 21:42 ` [dpdk-dev] [PATCH v4 3/3] doc: update release note and PMD information Fan Zhang
@ 2018-12-19 22:04 ` Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 1/3] " Fan Zhang
` (3 more replies)
3 siblings, 4 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 22:04 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patchset adds AES-GMAC authentication-only support to the AESNI-MB PMD,
including the driver code, cryptodev unit test, and documentation updates.
This patchset is built on top of the patchset "use architecture independent
macros" (https://mails.dpdk.org/archives/dev/2018-December/121680.html)
Acked-by: Damian Nowak <damianx.nowak@intel.com>
v5:
- changed IMB_VERSION_NUM definition place.
v4:
- rebased on top of latest "use architecure independent macros" patchset.
- patch split.
v3:
- rebased on top of latest code.
- updated release note.
v2:
- updated documentation.
Fan Zhang (3):
crypto/aesni_mb: add gmac support
test: add aesni-mb gmac test
doc: update release note and pmd info
doc/guides/cryptodevs/aesni_mb.rst | 2 +
doc/guides/rel_notes/release_19_02.rst | 5 +
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 126 +++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c | 127 ++++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 ++++
.../crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c | 25 ++++
test/test/test_cryptodev.c | 15 +++
test/test/test_cryptodev_hash_test_vectors.h | 9 ++
8 files changed, 281 insertions(+), 53 deletions(-)
--
2.13.6
* [dpdk-dev] [PATCH v5 1/3] crypto/aesni_mb: add gmac support
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
@ 2018-12-19 22:04 ` Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 2/3] test: add aesni-mb gmac test Fan Zhang
` (2 subsequent siblings)
3 siblings, 0 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 22:04 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch updates the AESNI-MB PMD to add AES-GMAC support.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 126 +++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c | 127 ++++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 ++++
.../crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c | 25 ++++
4 files changed, 250 insertions(+), 53 deletions(-)
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 2c25b7b32..d34cbc36a 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -173,6 +173,54 @@ aesni_mb_set_session_auth_parameters(const MB_MGR *mb_mgr,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ IMB_AES128_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ break;
+ case AES_192_BYTES:
+ IMB_AES192_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ break;
+ case AES_256_BYTES:
+ IMB_AES256_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
@@ -735,8 +783,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -776,7 +832,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -788,7 +845,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -826,11 +884,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -854,19 +925,11 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
/* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
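Review bot: verify_digest compares the computed tag with the received one using `memcmp`, which may return at the first differing byte, so the time it takes can depend on how many leading tag bytes match. For a MAC check the comparison should take the same time whatever the data; a loop that ORs the byte differences together and tests the result once does that. The refactor only carries the earlier behaviour over, but the new signature makes it a one-place change, and the now stale `/* Verify digest if required */` comment can go with it since the caller decides. The same function is in rte_aesni_mb_pmd_compat.c and in the v6 repost.

```c
verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
	const volatile uint8_t *tag =
			(const volatile uint8_t *)job->auth_tag_output;
	const volatile uint8_t *ref = digest;
	uint8_t diff = 0;
	uint16_t i;

	/* Accumulate differences so the loop always runs len iterations */
	for (i = 0; i < len; i++)
		diff |= tag[i] ^ ref[i];

	if (diff != 0)
		*status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
```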
@@ -908,13 +971,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
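Review bot: The two `verify_digest` calls differ only in the digest pointer, so the branch would read better if it picked the pointer into a local first and then called `verify_digest(job, digest, sess->auth.req_digest_len, &op->status);` once. The outer `if (...) { ... } else generate_digest(...)` also mixes a braced and an unbraced arm; bracing both avoids a misread when the next algorithm is added. post_process_mb_job continues outside this hunk.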
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
index 83250e32c..56ce54946 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
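Review bot: The new GMAC branch returns 0 without bounding `sess->auth.req_digest_len`; any value other than 8, 12 or 16 simply selects a 16-byte generated tag. `req_digest_len` is set outside this hunk, presumably from the xform, and the early `return 0` skips any check later in the function. A length above 16 would make the later copy or compare of `req_digest_len` bytes run past the 16-byte tag, and a length of 0 would make the verify `memcmp` compare nothing and always pass. A guard at the top of the branch, `if (sess->auth.req_digest_len == 0 || sess->auth.req_digest_len > 16) return -EINVAL;`, closes both. The same branch is in rte_aesni_mb_pmd.c in this series and in both files of the v6 repost.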
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
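Review bot: In the auth-only branch the AAD pointer and length come directly from `op->sym->auth.data.offset` and `op->sym->auth.data.length`, and nothing in this hunk checks them against the data actually held in `m_src`. If no earlier validation exists (set_mb_job_params starts outside the hunk), an op whose offset plus length exceeds `rte_pktmbuf_data_len(m_src)` would have the library hash memory beyond the segment; the PMD guide in this series also states that chained mbufs are not supported. Rejecting such an op before the job is filled in would be the safer default. The same code is in rte_aesni_mb_pmd.c and in the v6 repost.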
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,13 +909,26 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
+
break;
default:
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index 5788e37d1..56d409b4b 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -360,6 +360,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
--
2.13.6
* [dpdk-dev] [PATCH v5 2/3] test: add aesni-mb gmac test
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 1/3] " Fan Zhang
@ 2018-12-19 22:04 ` Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 3/3] doc: update release note and pmd info Fan Zhang
2018-12-20 12:07 ` [dpdk-dev] [PATCH v6] crypto/aesni_mb: support AES-GMAC Fan Zhang
3 siblings, 0 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 22:04 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch adds the GMAC test cases to AESNI-MB crypto unit test.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
test/test/test_cryptodev.c | 15 +++++++++++++++
test/test/test_cryptodev_hash_test_vectors.h | 9 +++++++++
2 files changed, 24 insertions(+)
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..f437321ac 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -9228,6 +9228,7 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
.setup = testsuite_setup,
.teardown = testsuite_teardown,
.unit_test_cases = {
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0)
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_encryption_test_case_1),
TEST_CASE_ST(ut_setup, ut_teardown,
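Review bot: The `#if IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0)` opens in front of the existing AES-GCM cases, and its `#endif` is only added after the new GMAC cases in the next hunk, so everything in between drops out of the suite when the library is older. The documentation change in this series ties only AES-GMAC to v0.51, so if the GCM cases ran before this patch they should stay outside the guard; moving the `#if` down to the `/** AES GMAC Authentication */` comment would do that. If hiding the GCM cases is intended, a comment on the `#if` saying so would help. The v6 repost carries the same hunk.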
@@ -9341,6 +9342,20 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
+#endif /* IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0) */
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
diff --git a/test/test/test_cryptodev_hash_test_vectors.h b/test/test/test_cryptodev_hash_test_vectors.h
index a02dfb3c3..8964a3bac 100644
--- a/test/test/test_cryptodev_hash_test_vectors.h
+++ b/test/test/test_cryptodev_hash_test_vectors.h
@@ -5,6 +5,15 @@
#ifndef TEST_CRYPTODEV_HASH_TEST_VECTORS_H_
#define TEST_CRYPTODEV_HASH_TEST_VECTORS_H_
+#ifdef RTE_LIBRTE_PMD_AESNI_MB
+#include <intel-ipsec-mb.h>
+#endif
+
+#if !defined(IMB_VERSION_NUM)
+#define IMB_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
+#define IMB_VERSION_NUM IMB_VERSION(0, 49, 0)
+#endif
+
static const uint8_t plaintext_hash[] = {
"What a lousy earth! He wondered how many people "
"were destitute that same night even in his own "
--
2.13.6
* [dpdk-dev] [PATCH v5 3/3] doc: update release note and pmd info
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 1/3] " Fan Zhang
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 2/3] test: add aesni-mb gmac test Fan Zhang
@ 2018-12-19 22:04 ` Fan Zhang
2018-12-20 12:07 ` [dpdk-dev] [PATCH v6] crypto/aesni_mb: support AES-GMAC Fan Zhang
3 siblings, 0 replies; 14+ messages in thread
From: Fan Zhang @ 2018-12-19 22:04 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal
This patch updates the release note and AESNI-MB PMD documentation.
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
doc/guides/cryptodevs/aesni_mb.rst | 2 ++
doc/guides/rel_notes/release_19_02.rst | 5 +++++
2 files changed, 7 insertions(+)
diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index 12532c63e..98082595d 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -40,6 +40,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA512_HMAC
* RTE_CRYPTO_HASH_AES_XCBC_HMAC
* RTE_CRYPTO_HASH_AES_CMAC
+* RTE_CRYPTO_HASH_AES_GMAC
AEAD algorithms:
@@ -51,6 +52,7 @@ Limitations
* Chained mbufs are not supported.
* Only in-place is currently supported (destination address is the same as source address).
+* RTE_CRYPTO_HASH_AES_GMAC is supported by library version v0.51 or later.
Installation
diff --git a/doc/guides/rel_notes/release_19_02.rst b/doc/guides/rel_notes/release_19_02.rst
index 8deb68b9a..48b183e81 100644
--- a/doc/guides/rel_notes/release_19_02.rst
+++ b/doc/guides/rel_notes/release_19_02.rst
@@ -60,6 +60,11 @@ New Features
* Added the handler to get firmware version string.
* Added support for multicast filtering.
+* **Updated the AESNI MB PMD.**
+
+ The AESNI MB PMD has been updated with additional support for the AES-GMAC
+ authentication only algorithm.
+
Removed Items
-------------
--
2.13.6
* [dpdk-dev] [PATCH v6] crypto/aesni_mb: support AES-GMAC
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 0/3] crypto/aesni_mb: add gmac support Fan Zhang
` (2 preceding siblings ...)
2018-12-19 22:04 ` [dpdk-dev] [PATCH v5 3/3] doc: update release note and pmd info Fan Zhang
@ 2018-12-20 12:07 ` Fan Zhang
2019-01-09 22:15 ` De Lara Guarch, Pablo
3 siblings, 1 reply; 14+ messages in thread
From: Fan Zhang @ 2018-12-20 12:07 UTC (permalink / raw)
To: dev; +Cc: akhil.goyal, pablo.de.lara.guarch
This patch adds AES-GMAC authentication-only support to the AESNI-MB
PMD, including the driver code, cryptodev unit test, and documentation
updates.
This patch depends on the following patchset
"[PATCH v4 0/3] use architecure independent macros"
(https://mails.dpdk.org/archives/dev/2018-December/121788.html)
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Damian Nowak <damianx.nowak@intel.com>
---
v6:
- combined the patchset into one patch.
v5:
- changed IMB_VERSION_NUM definition place.
v4:
- rebased on top of latest "use architecure independent macros" patchset.
- patch split.
v3:
- rebased on top of latest code.
- updated release note.
v2:
- updated documentation.
doc/guides/cryptodevs/aesni_mb.rst | 2 +
doc/guides/rel_notes/release_19_02.rst | 1 +
drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c | 126 +++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c | 127 ++++++++++++++++-----
drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c | 25 ++++
.../crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c | 25 ++++
test/test/test_cryptodev.c | 15 +++
test/test/test_cryptodev_hash_test_vectors.h | 9 ++
8 files changed, 277 insertions(+), 53 deletions(-)
diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index 12532c63e..98082595d 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -40,6 +40,7 @@ Hash algorithms:
* RTE_CRYPTO_HASH_SHA512_HMAC
* RTE_CRYPTO_HASH_AES_XCBC_HMAC
* RTE_CRYPTO_HASH_AES_CMAC
+* RTE_CRYPTO_HASH_AES_GMAC
AEAD algorithms:
@@ -51,6 +52,7 @@ Limitations
* Chained mbufs are not supported.
* Only in-place is currently supported (destination address is the same as source address).
+* RTE_CRYPTO_HASH_AES_GMAC is supported by library version v0.51 or later.
Installation
diff --git a/doc/guides/rel_notes/release_19_02.rst b/doc/guides/rel_notes/release_19_02.rst
index 161974c77..3f513a914 100644
--- a/doc/guides/rel_notes/release_19_02.rst
+++ b/doc/guides/rel_notes/release_19_02.rst
@@ -67,6 +67,7 @@ New Features
* **updated the AESNI-MB PMD.**
* Added support for intel-ipsec-mb version 0.52.
+ * Added AES-GMAC algorithm support.
Removed Items
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index 2c25b7b32..d34cbc36a 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -173,6 +173,54 @@ aesni_mb_set_session_auth_parameters(const MB_MGR *mb_mgr,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ IMB_AES128_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ break;
+ case AES_192_BYTES:
+ IMB_AES192_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ break;
+ case AES_256_BYTES:
+ IMB_AES256_GCM_PRE(mb_mgr, xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
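Review bot: `sess->iv.length = xform->auth.iv.length;` stores whatever IV length the caller supplies, while the capability entry added by this patch advertises exactly 12 bytes for AES-GMAC. An application that skips the capability query could configure another length, and the job setup later only passes a pointer derived from `session->iv.offset`, so the library would presumably still consume 12 bytes. Rejecting other lengths here, `if (xform->auth.iv.length != 12) return -EINVAL;`, keeps the session consistent with what is advertised. The compat file has the same assignment.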
@@ -735,8 +783,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -776,7 +832,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -788,7 +845,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -826,11 +884,24 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
+
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
break;
@@ -854,19 +925,11 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
/* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -908,13 +971,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
index 83250e32c..56ce54946 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_compat.c
@@ -177,6 +177,54 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
return 0;
}
+ if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ if (xform->auth.op == RTE_CRYPTO_AUTH_OP_GENERATE) {
+ sess->cipher.direction = ENCRYPT;
+ sess->chain_order = CIPHER_HASH;
+ } else
+ sess->cipher.direction = DECRYPT;
+
+ sess->auth.algo = AES_GMAC;
+ /*
+ * Multi-buffer lib supports 8, 12 and 16 bytes of digest.
+ * If size requested is different, generate the full digest
+ * (16 bytes) in a temporary location and then memcpy
+ * the requested number of bytes.
+ */
+ if (sess->auth.req_digest_len != 16 &&
+ sess->auth.req_digest_len != 12 &&
+ sess->auth.req_digest_len != 8) {
+ sess->auth.gen_digest_len = 16;
+ } else {
+ sess->auth.gen_digest_len = sess->auth.req_digest_len;
+ }
+ sess->iv.length = xform->auth.iv.length;
+ sess->iv.offset = xform->auth.iv.offset;
+
+ switch (xform->auth.key.length) {
+ case AES_128_BYTES:
+ sess->cipher.key_length_in_bytes = AES_128_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_128)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_192_BYTES:
+ sess->cipher.key_length_in_bytes = AES_192_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_192)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ case AES_256_BYTES:
+ sess->cipher.key_length_in_bytes = AES_256_BYTES;
+ (mb_ops->aux.keyexp.aes_gcm_256)(xform->auth.key.data,
+ &sess->cipher.gcm_key);
+ break;
+ default:
+ RTE_LOG(ERR, PMD, "failed to parse test type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+ }
+
switch (xform->auth.algo) {
case RTE_CRYPTO_AUTH_MD5_HMAC:
sess->auth.algo = MD5;
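Review bot: The `default:` arm of the key-length switch logs `"failed to parse test type\n"`, which says nothing about keys and looks copied from elsewhere. Whoever hits this path has passed an `xform->auth.key.length` that matches none of the three AES sizes, and the log should say so, e.g. `RTE_LOG(ERR, PMD, "Invalid authentication key length\n");`. The same message is in the rte_aesni_mb_pmd.c hunk of this patch and in the v5 compat hunk.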
@@ -760,8 +808,16 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->u.GCM.aad = op->sym->aead.aad.data;
- job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ if (session->cipher.mode == GCM) {
+ job->u.GCM.aad = op->sym->aead.aad.data;
+ job->u.GCM.aad_len_in_bytes = session->aead.aad_len;
+ } else {
+ /* For GMAC */
+ job->u.GCM.aad = rte_pktmbuf_mtod_offset(m_src,
+ uint8_t *, op->sym->auth.data.offset);
+ job->u.GCM.aad_len_in_bytes = op->sym->auth.data.length;
+ job->cipher_mode = GCM;
+ }
job->aes_enc_key_expanded = &session->cipher.gcm_key;
job->aes_dec_key_expanded = &session->cipher.gcm_key;
break;
@@ -801,7 +857,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
rte_pktmbuf_data_len(op->sym->m_src));
} else {
m_dst = m_src;
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
m_offset = op->sym->aead.data.offset;
else
m_offset = op->sym->cipher.data.offset;
@@ -813,7 +870,8 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
job->auth_tag_output = qp->temp_digests[*digest_idx];
*digest_idx = (*digest_idx + 1) % MAX_JOBS;
} else {
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC)
+ if (job->hash_alg == AES_CCM || (job->hash_alg == AES_GMAC &&
+ session->cipher.mode == GCM))
job->auth_tag_output = op->sym->aead.digest.data;
else
job->auth_tag_output = op->sym->auth.digest.data;
@@ -851,13 +909,26 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
break;
case AES_GMAC:
- job->cipher_start_src_offset_in_bytes =
- op->sym->aead.data.offset;
- job->hash_start_src_offset_in_bytes = op->sym->aead.data.offset;
- job->msg_len_to_cipher_in_bytes = op->sym->aead.data.length;
- job->msg_len_to_hash_in_bytes = job->msg_len_to_cipher_in_bytes;
+ if (session->cipher.mode == GCM) {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->aead.data.offset;
+ job->msg_len_to_cipher_in_bytes =
+ op->sym->aead.data.length;
+ job->msg_len_to_hash_in_bytes =
+ op->sym->aead.data.length;
+ } else {
+ job->cipher_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->hash_start_src_offset_in_bytes =
+ op->sym->auth.data.offset;
+ job->msg_len_to_cipher_in_bytes = 0;
+ job->msg_len_to_hash_in_bytes = 0;
+ }
job->iv = rte_crypto_op_ctod_offset(op, uint8_t *,
session->iv.offset);
+
break;
default:
@@ -879,19 +950,10 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
}
static inline void
-verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
- struct aesni_mb_session *sess)
+verify_digest(JOB_AES_HMAC *job, void *digest, uint16_t len, uint8_t *status)
{
- /* Verify digest if required */
- if (job->hash_alg == AES_CCM || job->hash_alg == AES_GMAC) {
- if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- } else {
- if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
- sess->auth.req_digest_len) != 0)
- op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
- }
+ if (memcmp(job->auth_tag_output, digest, len) != 0)
+ *status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
static inline void
@@ -933,13 +995,24 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
case STS_COMPLETED:
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
- if (job->hash_alg != NULL_HASH) {
- if (sess->auth.operation ==
- RTE_CRYPTO_AUTH_OP_VERIFY)
- verify_digest(job, op, sess);
+ if (job->hash_alg == NULL_HASH)
+ break;
+
+ if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
+ if (job->hash_alg == AES_CCM ||
+ (job->hash_alg == AES_GMAC &&
+ sess->cipher.mode == GCM))
+ verify_digest(job,
+ op->sym->aead.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
else
- generate_digest(job, op, sess);
- }
+ verify_digest(job,
+ op->sym->auth.digest.data,
+ sess->auth.req_digest_len,
+ &op->status);
+ } else
+ generate_digest(job, op, sess);
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index 5788e37d1..56d409b4b 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -360,6 +360,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
index f3eff2685..1ca6baafa 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops_compat.c
@@ -416,6 +416,31 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
}, }
}, }
},
+ { /* AES GMAC (AUTH) */
+ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ {.sym = {
+ .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ {.auth = {
+ .algo = RTE_CRYPTO_AUTH_AES_GMAC,
+ .block_size = 16,
+ .key_size = {
+ .min = 16,
+ .max = 32,
+ .increment = 8
+ },
+ .digest_size = {
+ .min = 8,
+ .max = 16,
+ .increment = 4
+ },
+ .iv_size = {
+ .min = 12,
+ .max = 12,
+ .increment = 0
+ }
+ }, }
+ }, }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/test/test/test_cryptodev.c b/test/test/test_cryptodev.c
index 84065eb49..f437321ac 100644
--- a/test/test/test_cryptodev.c
+++ b/test/test/test_cryptodev.c
@@ -9228,6 +9228,7 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
.setup = testsuite_setup,
.teardown = testsuite_teardown,
.unit_test_cases = {
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0)
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_encryption_test_case_1),
TEST_CASE_ST(ut_setup, ut_teardown,
@@ -9341,6 +9342,20 @@ static struct unit_test_suite cryptodev_aesni_mb_testsuite = {
TEST_CASE_ST(ut_setup, ut_teardown,
test_AES_GCM_authenticated_decryption_sessionless_test_case_1),
+ /** AES GMAC Authentication */
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_1),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_2),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_test_case_3),
+ TEST_CASE_ST(ut_setup, ut_teardown,
+ test_AES_GMAC_authentication_verify_test_case_3),
+#endif /* IMB_VERSION_NUM >= IMB_VERSION(0, 51, 0) */
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_chain_mb_all),
TEST_CASE_ST(ut_setup, ut_teardown, test_AES_cipheronly_mb_all),
diff --git a/test/test/test_cryptodev_hash_test_vectors.h b/test/test/test_cryptodev_hash_test_vectors.h
index a02dfb3c3..8964a3bac 100644
--- a/test/test/test_cryptodev_hash_test_vectors.h
+++ b/test/test/test_cryptodev_hash_test_vectors.h
@@ -5,6 +5,15 @@
#ifndef TEST_CRYPTODEV_HASH_TEST_VECTORS_H_
#define TEST_CRYPTODEV_HASH_TEST_VECTORS_H_
+#ifdef RTE_LIBRTE_PMD_AESNI_MB
+#include <intel-ipsec-mb.h>
+#endif
+
+#if !defined(IMB_VERSION_NUM)
+#define IMB_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
+#define IMB_VERSION_NUM IMB_VERSION(0, 49, 0)
+#endif
+
static const uint8_t plaintext_hash[] = {
"What a lousy earth! He wondered how many people "
"were destitute that same night even in his own "
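Review bot: The fallback defines both `IMB_VERSION` and `IMB_VERSION_NUM` under a single `#if !defined(IMB_VERSION_NUM)`, so a header that provides only one of the two gets a redefinition or a missing macro. It also has no comment saying that 0.49.0 is an assumed floor which silently compiles out the guarded GCM/GMAC cases in test_cryptodev.c. I would guard each macro on its own and state the assumption next to the default. These are library-namespaced macros living in a hash test-vector header, so test_cryptodev.c appears to rely on including this file before the suite definition; a comment saying so would help the next reader.

```c
#ifndef IMB_VERSION
#define IMB_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))
#endif

#ifndef IMB_VERSION_NUM
/*
 * intel-ipsec-mb.h is absent or predates the version macros: assume a
 * pre-0.51 library, which compiles out the version-gated test cases.
 */
#define IMB_VERSION_NUM IMB_VERSION(0, 49, 0)
#endif
```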
--
2.13.6
* Re: [dpdk-dev] [PATCH v6] crypto/aesni_mb: support AES-GMAC
2018-12-20 12:07 ` [dpdk-dev] [PATCH v6] crypto/aesni_mb: support AES-GMAC Fan Zhang
@ 2019-01-09 22:15 ` De Lara Guarch, Pablo
0 siblings, 0 replies; 14+ messages in thread
From: De Lara Guarch, Pablo @ 2019-01-09 22:15 UTC (permalink / raw)
To: Zhang, Roy Fan, dev; +Cc: akhil.goyal
> -----Original Message-----
> From: Zhang, Roy Fan
> Sent: Thursday, December 20, 2018 12:08 PM
> To: dev@dpdk.org
> Cc: akhil.goyal@nxp.com; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Subject: [PATCH v6] crypto/aesni_mb: support AES-GMAC
>
> This patch adds the AES-GMAC authentication only support to AESNI-MB
> PMD, including the driver code, cryptodev unit test, and documentation
> updates.
>
> This patch depends on the following patchset "[PATCH v4 0/3] use
> architecure independent macros"
> (https://mails.dpdk.org/archives/dev/2018-December/121788.html)
>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> Acked-by: Damian Nowak <damianx.nowak@intel.com>
Applied to dpdk-next-crypto.
Thanks,
Pablo