d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

crypto/openssl: support scatter-gather

Browse Source 
Signed-off-by: Tomasz Kulasek <tomaszx.kulasek@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
This commit is contained in:
Tomasz Kulasek 2017-01-13 16:23:16 +01:00 committed by Pablo de Lara
parent 2d03ec6abd
commit 8f675fc72d
2 changed files with 259 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/guides/cryptodevs/openssl.rst
View File

@ -112,6 +112,7 @@ Limitations
-----------
* Maximum number of sessions is 2048.
* Chained mbufs are not supported.
* Chained mbufs are supported only for source mbuf (destination must be
contiguous).
* Hash only is not supported for GCM and GMAC.
* Cipher only is not supported for GCM and GMAC.

329
drivers/crypto/openssl/rte_openssl_pmd.c
View File

@ -484,24 +484,112 @@ get_session(struct openssl_qp *qp, struct rte_crypto_op *op)
* Process Operations
*------------------------------------------------------------------------------
*/
static inline int
process_openssl_encryption_update(struct rte_mbuf *mbuf_src, int offset,
uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx)
{
struct rte_mbuf *m;
int dstlen;
int l, n = srclen;
uint8_t *src;
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
offset -= rte_pktmbuf_data_len(m);
if (m == 0)
return -1;
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, srclen) <= 0)
return -1;
*dst += l;
return 0;
}
if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
return -1;
*dst += dstlen;
n -= l;
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
src = rte_pktmbuf_mtod(m, uint8_t *);
l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
return -1;
*dst += dstlen;
n -= l;
}
return 0;
}
static inline int
process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx)
{
struct rte_mbuf *m;
int dstlen;
int l, n = srclen;
uint8_t *src;
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
offset -= rte_pktmbuf_data_len(m);
if (m == 0)
return -1;
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, srclen) <= 0)
return -1;
*dst += l;
return 0;
}
if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
return -1;
*dst += dstlen;
n -= l;
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
src = rte_pktmbuf_mtod(m, uint8_t *);
l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
return -1;
*dst += dstlen;
n -= l;
}
return 0;
}
/** Process standard openssl cipher encryption */
static int
process_openssl_cipher_encrypt(uint8_t *src, uint8_t *dst,
uint8_t *iv, uint8_t *key, int srclen,
process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
int offset, uint8_t *iv, uint8_t *key, int srclen,
EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
{
int dstlen, totlen;
int totlen;
if (EVP_EncryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
goto process_cipher_encrypt_err;
EVP_CIPHER_CTX_set_padding(ctx, 0);
if (EVP_EncryptUpdate(ctx, dst, &dstlen, src, srclen) <= 0)
if (process_openssl_encryption_update(mbuf_src, offset, &dst,
srclen, ctx))
goto process_cipher_encrypt_err;
if (EVP_EncryptFinal_ex(ctx, dst + dstlen, &totlen) <= 0)
if (EVP_EncryptFinal_ex(ctx, dst, &totlen) <= 0)
goto process_cipher_encrypt_err;
return 0;
@ -513,23 +601,23 @@ process_openssl_cipher_encrypt(uint8_t *src, uint8_t *dst,
/** Process standard openssl cipher decryption */
static int
process_openssl_cipher_decrypt(uint8_t *src, uint8_t *dst,
uint8_t *iv, uint8_t *key, int srclen,
process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
int offset, uint8_t *iv, uint8_t *key, int srclen,
EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
{
int dstlen, totlen;
int totlen;
if (EVP_DecryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
goto process_cipher_decrypt_err;
EVP_CIPHER_CTX_set_padding(ctx, 0);
if (EVP_DecryptUpdate(ctx, dst, &dstlen, src, srclen) <= 0)
if (process_openssl_decryption_update(mbuf_src, offset, &dst,
srclen, ctx))
goto process_cipher_decrypt_err;
if (EVP_DecryptFinal_ex(ctx, dst + dstlen, &totlen) <= 0)
if (EVP_DecryptFinal_ex(ctx, dst, &totlen) <= 0)
goto process_cipher_decrypt_err;
return 0;
process_cipher_decrypt_err:
@ -539,11 +627,25 @@ process_openssl_cipher_decrypt(uint8_t *src, uint8_t *dst,
/** Process cipher des 3 ctr encryption, decryption algorithm */
static int
process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
uint8_t *iv, uint8_t *key, int srclen, EVP_CIPHER_CTX *ctx)
process_openssl_cipher_des3ctr(struct rte_mbuf *mbuf_src, uint8_t *dst,
int offset, uint8_t *iv, uint8_t *key, int srclen,
EVP_CIPHER_CTX *ctx)
{
uint8_t ebuf[8], ctr[8];
int unused, n;
struct rte_mbuf *m;
uint8_t *src;
int l;
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
offset -= rte_pktmbuf_data_len(m);
if (m == 0)
goto process_cipher_des3ctr_err;
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
l = rte_pktmbuf_data_len(m) - offset;
/* We use 3DES encryption also for decryption.
* IV is not important for 3DES ecb
@ -552,9 +654,8 @@ process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
goto process_cipher_des3ctr_err;
memcpy(ctr, iv, 8);
n = 0;
while (n < srclen) {
for (n = 0; n < srclen; n++) {
if (n % 8 == 0) {
if (EVP_EncryptUpdate(ctx,
(unsigned char *)&ebuf, &unused,
@ -562,8 +663,16 @@ process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
goto process_cipher_des3ctr_err;
ctr_inc(ctr);
}
dst[n] = src[n] ^ ebuf[n % 8];
n++;
dst[n] = *(src++) ^ ebuf[n % 8];
l--;
if (!l) {
m = m->next;
if (m) {
src = rte_pktmbuf_mtod(m, uint8_t *);
l = rte_pktmbuf_data_len(m);
}
}
}
return 0;
@ -575,9 +684,9 @@ process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
/** Process auth/encription aes-gcm algorithm */
static int
process_openssl_auth_encryption_gcm(uint8_t *src, int srclen,
uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
uint8_t *key, uint8_t *dst, uint8_t *tag,
process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,
int srclen, uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
uint8_t *key, uint8_t *dst, uint8_t *tag,
EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
{
int len = 0, unused = 0;
@ -592,20 +701,20 @@ process_openssl_auth_encryption_gcm(uint8_t *src, int srclen,
if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) <= 0)
goto process_auth_encryption_gcm_err;
if (aadlen > 0) {
if (aadlen > 0)
if (EVP_EncryptUpdate(ctx, NULL, &len, aad, aadlen) <= 0)
goto process_auth_encryption_gcm_err;
/* Workaround open ssl bug in version less then 1.0.1f */
if (EVP_EncryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
goto process_auth_encryption_gcm_err;
}
if (srclen > 0)
if (EVP_EncryptUpdate(ctx, dst, &len, src, srclen) <= 0)
if (process_openssl_encryption_update(mbuf_src, offset, &dst,
srclen, ctx))
goto process_auth_encryption_gcm_err;
if (EVP_EncryptFinal_ex(ctx, dst + len, &len) <= 0)
/* Workaround open ssl bug in version less then 1.0.1f */
if (EVP_EncryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
goto process_auth_encryption_gcm_err;
if (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)
goto process_auth_encryption_gcm_err;
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag) <= 0)
@ -619,10 +728,10 @@ process_openssl_auth_encryption_gcm(uint8_t *src, int srclen,
}
static int
process_openssl_auth_decryption_gcm(uint8_t *src, int srclen,
uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
uint8_t *key, uint8_t *dst, uint8_t *tag,
EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,
int srclen, uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
uint8_t *key, uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *algo)
{
int len = 0, unused = 0;
uint8_t empty[] = {};
@ -639,20 +748,20 @@ process_openssl_auth_decryption_gcm(uint8_t *src, int srclen,
if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) <= 0)
goto process_auth_decryption_gcm_err;
if (aadlen > 0) {
if (aadlen > 0)
if (EVP_DecryptUpdate(ctx, NULL, &len, aad, aadlen) <= 0)
goto process_auth_decryption_gcm_err;
/* Workaround open ssl bug in version less then 1.0.1f */
if (EVP_DecryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
goto process_auth_decryption_gcm_err;
}
if (srclen > 0)
if (EVP_DecryptUpdate(ctx, dst, &len, src, srclen) <= 0)
if (process_openssl_decryption_update(mbuf_src, offset, &dst,
srclen, ctx))
goto process_auth_decryption_gcm_err;
if (EVP_DecryptFinal_ex(ctx, dst + len, &len) <= 0)
/* Workaround open ssl bug in version less then 1.0.1f */
if (EVP_DecryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
goto process_auth_decryption_gcm_err;
if (EVP_DecryptFinal_ex(ctx, dst, &len) <= 0)
goto process_auth_decryption_gcm_final_err;
return 0;
@ -667,21 +776,50 @@ process_openssl_auth_decryption_gcm(uint8_t *src, int srclen,
/** Process standard openssl auth algorithms */
static int
process_openssl_auth(uint8_t *src, uint8_t *dst,
process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
__rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey,
int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
{
size_t dstlen;
struct rte_mbuf *m;
int l, n = srclen;
uint8_t *src;
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
offset -= rte_pktmbuf_data_len(m);
if (m == 0)
goto process_auth_err;
if (EVP_DigestInit_ex(ctx, algo, NULL) <= 0)
goto process_auth_err;
if (EVP_DigestUpdate(ctx, (char *)src, srclen) <= 0)
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
if (EVP_DigestUpdate(ctx, (char *)src, srclen) <= 0)
goto process_auth_err;
goto process_auth_final;
}
if (EVP_DigestUpdate(ctx, (char *)src, l) <= 0)
goto process_auth_err;
n -= l;
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
src = rte_pktmbuf_mtod(m, uint8_t *);
l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
if (EVP_DigestUpdate(ctx, (char *)src, l) <= 0)
goto process_auth_err;
n -= l;
}
process_auth_final:
if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
goto process_auth_err;
return 0;
process_auth_err:
@ -691,18 +829,48 @@ process_openssl_auth(uint8_t *src, uint8_t *dst,
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(uint8_t *src, uint8_t *dst,
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
__rte_unused uint8_t *iv, EVP_PKEY *pkey,
int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
{
size_t dstlen;
struct rte_mbuf *m;
int l, n = srclen;
uint8_t *src;
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
offset -= rte_pktmbuf_data_len(m);
if (m == 0)
goto process_auth_err;
if (EVP_DigestSignInit(ctx, NULL, algo, NULL, pkey) <= 0)
goto process_auth_err;
if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
goto process_auth_err;
goto process_auth_final;
}
if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
goto process_auth_err;
n -= l;
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
src = rte_pktmbuf_mtod(m, uint8_t *);
l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
goto process_auth_err;
n -= l;
}
process_auth_final:
if (EVP_DigestSignFinal(ctx, dst, &dstlen) <= 0)
goto process_auth_err;
@ -722,9 +890,18 @@ process_openssl_combined_op
struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
{
/* cipher */
uint8_t *src = NULL, *dst = NULL, *iv, *tag, *aad;
uint8_t *dst = NULL, *iv, *tag, *aad;
int srclen, ivlen, aadlen, status = -1;
/*
* Segmented destination buffer is not supported for
* encryption/decryption
*/
if (!rte_pktmbuf_is_contiguous(mbuf_dst)) {
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
return;
}
iv = op->sym->cipher.iv.data;
ivlen = op->sym->cipher.iv.length;
aad = op->sym->auth.aad.data;
@ -740,22 +917,22 @@ process_openssl_combined_op
srclen = 0;
else {
srclen = op->sym->cipher.data.length;
src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
op->sym->cipher.data.offset);
dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
op->sym->cipher.data.offset);
}
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
status = process_openssl_auth_encryption_gcm(
src, srclen, aad, aadlen, iv, ivlen,
sess->cipher.key.data, dst, tag,
sess->cipher.ctx, sess->cipher.evp_algo);
mbuf_src, op->sym->cipher.data.offset, srclen,
aad, aadlen, iv, ivlen, sess->cipher.key.data,
dst, tag, sess->cipher.ctx,
sess->cipher.evp_algo);
else
status = process_openssl_auth_decryption_gcm(
src, srclen, aad, aadlen, iv, ivlen,
sess->cipher.key.data, dst, tag,
sess->cipher.ctx, sess->cipher.evp_algo);
mbuf_src, op->sym->cipher.data.offset, srclen,
aad, aadlen, iv, ivlen, sess->cipher.key.data,
dst, tag, sess->cipher.ctx,
sess->cipher.evp_algo);
if (status != 0) {
if (status == (-EFAULT) &&
@ -773,12 +950,19 @@ process_openssl_cipher_op
(struct rte_crypto_op *op, struct openssl_session *sess,
struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
{
uint8_t *src, *dst, *iv;
uint8_t *dst, *iv;
int srclen, status;
/*
* Segmented destination buffer is not supported for
* encryption/decryption
*/
if (!rte_pktmbuf_is_contiguous(mbuf_dst)) {
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
return;
}
srclen = op->sym->cipher.data.length;
src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
op->sym->cipher.data.offset);
dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
op->sym->cipher.data.offset);
@ -786,17 +970,20 @@ process_openssl_cipher_op
if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
status = process_openssl_cipher_encrypt(src, dst, iv,
status = process_openssl_cipher_encrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
sess->cipher.key.data, srclen,
sess->cipher.ctx,
sess->cipher.evp_algo);
else
status = process_openssl_cipher_decrypt(src, dst, iv,
status = process_openssl_cipher_decrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
sess->cipher.key.data, srclen,
sess->cipher.ctx,
sess->cipher.evp_algo);
else
status = process_openssl_cipher_des3ctr(src, dst, iv,
status = process_openssl_cipher_des3ctr(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
sess->cipher.key.data, srclen,
sess->cipher.ctx);
@ -810,12 +997,10 @@ process_openssl_auth_op
(struct rte_crypto_op *op, struct openssl_session *sess,
struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
{
uint8_t *src, *dst;
uint8_t *dst;
int srclen, status;
srclen = op->sym->auth.data.length;
src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
op->sym->auth.data.offset);
if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
dst = (uint8_t *)rte_pktmbuf_append(mbuf_src,
@ -830,13 +1015,14 @@ process_openssl_auth_op
switch (sess->auth.mode) {
case OPENSSL_AUTH_AS_AUTH:
status = process_openssl_auth(src, dst,
NULL, NULL, srclen,
status = process_openssl_auth(mbuf_src, dst,
op->sym->auth.data.offset, NULL, NULL, srclen,
sess->auth.auth.ctx, sess->auth.auth.evp_algo);
break;
case OPENSSL_AUTH_AS_HMAC:
status = process_openssl_auth_hmac(src, dst,
NULL, sess->auth.hmac.pkey, srclen,
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, NULL,
sess->auth.hmac.pkey, srclen,
sess->auth.hmac.ctx, sess->auth.hmac.evp_algo);
break;
default:
@ -850,8 +1036,7 @@ process_openssl_auth_op
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
/* Trim area used for digest from mbuf. */
rte_pktmbuf_trim(mbuf_src,
op->sym->auth.digest.length);
rte_pktmbuf_trim(mbuf_src, op->sym->auth.digest.length);
}
if (status != 0)
@ -902,7 +1087,6 @@ process_op(const struct openssl_qp *qp, struct rte_crypto_op *op,
op->sym->session = NULL;
}
if (op->status == RTE_CRYPTO_OP_STATUS_NOT_PROCESSED)
op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
@ -996,7 +1180,8 @@ cryptodev_openssl_create(const char *name,
dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
RTE_CRYPTODEV_FF_CPU_AESNI;
RTE_CRYPTODEV_FF_CPU_AESNI |
RTE_CRYPTODEV_FF_MBUF_SCATTER_GATHER;
/* Set vector instructions mode supported */
internals = dev->data->dev_private;