@@ -31,6 +31,14 @@
#define MAX_SESSIONS 2048
#define NB_MBUF 8192
+enum crypto_chain_order {
+ CRYPTO_CHAIN_ONLY_CIPHER,
+ CRYPTO_CHAIN_ONLY_AUTH,
+ CRYPTO_CHAIN_CIPHER_AUTH,
+ CRYPTO_CHAIN_AUTH_CIPHER,
+ CRYPTO_CHAIN_NOT_SUPPORTED
+};
+
typedef struct crypto_session_entry_s crypto_session_entry_t;
struct crypto_session_entry_s {
struct crypto_session_entry_s *next;
@@ -116,13 +124,14 @@ static int auth_alg_odp_to_rte(odp_auth_alg_t auth_alg,
switch (auth_alg) {
case ODP_AUTH_ALG_NULL:
auth_xform->auth.algo = RTE_CRYPTO_AUTH_NULL;
+ auth_xform->auth.digest_length = 0;
break;
case ODP_AUTH_ALG_MD5_HMAC:
#if ODP_DEPRECATED_API
case ODP_AUTH_ALG_MD5_96:
#endif
auth_xform->auth.algo = RTE_CRYPTO_AUTH_MD5_HMAC;
- auth_xform->auth.digest_length = 12;
+ auth_xform->auth.digest_length = 16;
break;
case ODP_AUTH_ALG_SHA256_HMAC:
#if ODP_DEPRECATED_API
@@ -538,9 +547,9 @@ int odp_crypto_cipher_capability(odp_cipher_alg_t cipher,
i = 0;
cap = &dev_info.capabilities[i];
while (cap->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) {
- cap_cipher_algo = cap->sym.cipher.algo;
if (cap->sym.xform_type ==
RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ cap_cipher_algo = cap->sym.cipher.algo;
if (cap_cipher_algo == cipher_xform.cipher.algo)
break;
}
@@ -615,7 +624,7 @@ int odp_crypto_auth_capability(odp_auth_alg_t auth,
while (cap->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) {
cap_auth_algo = cap->sym.auth.algo;
if (cap->sym.xform_type ==
- RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ RTE_CRYPTO_SYM_XFORM_AUTH) {
if (cap_auth_algo == auth_xform.auth.algo)
break;
}
@@ -663,76 +672,105 @@ int odp_crypto_auth_capability(odp_auth_alg_t auth,
return idx;
}
-static int get_crypto_dev(struct rte_crypto_sym_xform *cipher_xform,
- struct rte_crypto_sym_xform *auth_xform,
+static int get_crypto_dev(struct rte_crypto_sym_xform *first_xform,
+ enum crypto_chain_order res,
uint16_t iv_length, uint8_t *dev_id)
{
uint8_t cdev_id, id;
const struct rte_cryptodev_capabilities *cap;
+ struct rte_crypto_sym_xform *auth_xform = NULL;
+ struct rte_crypto_sym_xform *cipher_xform = NULL;
enum rte_crypto_cipher_algorithm cap_cipher_algo;
enum rte_crypto_auth_algorithm cap_auth_algo;
enum rte_crypto_cipher_algorithm app_cipher_algo;
enum rte_crypto_auth_algorithm app_auth_algo;
+ switch (res) {
+ case CRYPTO_CHAIN_ONLY_CIPHER:
+ cipher_xform = first_xform;
+ break;
+ case CRYPTO_CHAIN_ONLY_AUTH:
+ auth_xform = first_xform;
+ break;
+ case CRYPTO_CHAIN_CIPHER_AUTH:
+ cipher_xform = first_xform;
+ auth_xform = first_xform->next;
+ break;
+ case CRYPTO_CHAIN_AUTH_CIPHER:
+ auth_xform = first_xform;
+ cipher_xform = first_xform->next;
+ break;
+ default:
+ return -1;
+ }
+
for (id = 0; id < global->enabled_crypto_devs; id++) {
struct rte_cryptodev_info dev_info;
int i = 0;
cdev_id = global->enabled_crypto_dev_ids[id];
rte_cryptodev_info_get(cdev_id, &dev_info);
- app_cipher_algo = cipher_xform->cipher.algo;
cap = &dev_info.capabilities[i];
- while (cap->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) {
- cap_cipher_algo = cap->sym.cipher.algo;
+ while (cipher_xform && cap->op !=
+ RTE_CRYPTO_OP_TYPE_UNDEFINED) {
if (cap->sym.xform_type ==
RTE_CRYPTO_SYM_XFORM_CIPHER) {
+ app_cipher_algo = cipher_xform->cipher.algo;
+ cap_cipher_algo = cap->sym.cipher.algo;
if (cap_cipher_algo == app_cipher_algo)
break;
}
- cap = &dev_info.capabilities[++i];
+ cap = &dev_info.capabilities[++i];
}
if (cap->op == RTE_CRYPTO_OP_TYPE_UNDEFINED)
continue;
- /* Check if key size is supported by the algorithm. */
- if (cipher_xform->cipher.key.length) {
- if (is_valid_size(cipher_xform->cipher.key.length,
- cap->sym.cipher.key_size.min,
- cap->sym.cipher.key_size.max,
- cap->sym.cipher.key_size.
- increment) != 0) {
- ODP_ERR("Unsupported cipher key length\n");
- return -1;
- }
- /* No size provided, use minimum size. */
- } else
- cipher_xform->cipher.key.length =
- cap->sym.cipher.key_size.min;
-
- /* Check if iv length is supported by the algorithm. */
- if (iv_length) {
- if (is_valid_size(iv_length,
- cap->sym.cipher.iv_size.min,
- cap->sym.cipher.iv_size.max,
- cap->sym.cipher.iv_size.
- increment) != 0) {
- ODP_ERR("Unsupported iv length\n");
- return -1;
+ if (cipher_xform) {
+ /* Check if key size is supported by the algorithm. */
+ if (cipher_xform->cipher.key.length) {
+ if (is_valid_size(
+ cipher_xform->cipher.key.length,
+ cap->sym.cipher.key_size.min,
+ cap->sym.cipher.key_size.max,
+ cap->sym.cipher.key_size.
+ increment) != 0) {
+ ODP_ERR("Invalid cipher key length\n");
+ return -1;
+ }
+ /* No size provided, use minimum size. */
+ } else
+ cipher_xform->cipher.key.length =
+ cap->sym.cipher.key_size.min;
+
+ /* Check if iv length is supported by the algorithm. */
+ if (iv_length) {
+ if (is_valid_size(iv_length,
+ cap->sym.cipher.iv_size.min,
+ cap->sym.cipher.iv_size.max,
+ cap->sym.cipher.iv_size.
+ increment) != 0) {
+ ODP_ERR("Invalid iv length\n");
+ return -1;
+ }
}
}
+ if (cipher_xform && !auth_xform) {
+ memcpy(dev_id, &cdev_id, sizeof(cdev_id));
+ return 0;
+ }
+
i = 0;
- app_auth_algo = auth_xform->auth.algo;
cap = &dev_info.capabilities[i];
- while (cap->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) {
- cap_auth_algo = cap->sym.auth.algo;
+ while (auth_xform && cap->op != RTE_CRYPTO_OP_TYPE_UNDEFINED) {
if ((cap->sym.xform_type ==
- RTE_CRYPTO_SYM_XFORM_AUTH) &
- (cap_auth_algo == app_auth_algo)) {
- break;
+ RTE_CRYPTO_SYM_XFORM_AUTH)) {
+ app_auth_algo = auth_xform->auth.algo;
+ cap_auth_algo = cap->sym.auth.algo;
+ if (cap_auth_algo == app_auth_algo)
+ break;
}
-
cap = &dev_info.capabilities[++i];
}
@@ -786,6 +824,7 @@ int odp_crypto_session_create(odp_crypto_session_param_t *param,
struct rte_crypto_sym_xform auth_xform;
struct rte_crypto_sym_xform *first_xform;
struct rte_cryptodev_sym_session *session;
+ enum crypto_chain_order res = CRYPTO_CHAIN_NOT_SUPPORTED;
crypto_session_entry_t *entry;
*session_out = ODP_CRYPTO_SESSION_INVALID;
@@ -810,6 +849,16 @@ int odp_crypto_session_create(odp_crypto_session_param_t *param,
cipher_xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
cipher_xform.next = NULL;
+ rc = cipher_alg_odp_to_rte(param->cipher_alg, &cipher_xform);
+
+ /* Check result */
+ if (rc) {
+ *status = ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER;
+ /* remove the crypto_session_entry_t */
+ memset(entry, 0, sizeof(*entry));
+ free_session(entry);
+ return -1;
+ }
if (param->cipher_key.length) {
/* Cipher Data */
@@ -828,12 +877,22 @@ int odp_crypto_session_create(odp_crypto_session_param_t *param,
param->cipher_key.data,
param->cipher_key.length);
} else {
- cipher_xform.cipher.key.data = 0;
cipher_xform.cipher.key.length = 0;
+ cipher_xform.cipher.key.data = 0;
}
auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH;
auth_xform.next = NULL;
+ rc = auth_alg_odp_to_rte(param->auth_alg, &auth_xform);
+
+ /* Check result */
+ if (rc) {
+ *status = ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH;
+ /* remove the crypto_session_entry_t */
+ memset(entry, 0, sizeof(*entry));
+ free_session(entry);
+ return -1;
+ }
if (param->auth_key.length) {
/* Authentication Data */
@@ -855,7 +914,6 @@ int odp_crypto_session_create(odp_crypto_session_param_t *param,
auth_xform.auth.key.length = 0;
}
-
/* Derive order */
if (ODP_CRYPTO_OP_ENCODE == param->op)
entry->do_cipher_first = param->auth_cipher_text;
@@ -868,35 +926,36 @@ int odp_crypto_session_create(odp_crypto_session_param_t *param,
cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT;
auth_xform.auth.op = RTE_CRYPTO_AUTH_OP_GENERATE;
first_xform = &cipher_xform;
- first_xform->next = &auth_xform;
+ if (auth_xform.auth.algo == RTE_CRYPTO_AUTH_NULL) {
+ first_xform->next = NULL;
+ res = CRYPTO_CHAIN_ONLY_CIPHER;
+ } else if (cipher_xform.cipher.algo == RTE_CRYPTO_CIPHER_NULL) {
+ first_xform = &auth_xform;
+ first_xform->next = NULL;
+ res = CRYPTO_CHAIN_ONLY_AUTH;
+ } else {
+ first_xform->next = &auth_xform;
+ res = CRYPTO_CHAIN_CIPHER_AUTH;
+ }
} else {
cipher_xform.cipher.op = RTE_CRYPTO_CIPHER_OP_DECRYPT;
auth_xform.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
first_xform = &auth_xform;
- first_xform->next = &cipher_xform;
- }
-
- rc = cipher_alg_odp_to_rte(param->cipher_alg, &cipher_xform);
-
- /* Check result */
- if (rc) {
- *status = ODP_CRYPTO_SES_CREATE_ERR_INV_CIPHER;
- return -1;
- }
-
- rc = auth_alg_odp_to_rte(param->auth_alg, &auth_xform);
-
- /* Check result */
- if (rc) {
- *status = ODP_CRYPTO_SES_CREATE_ERR_INV_AUTH;
- /* remove the crypto_session_entry_t */
- memset(entry, 0, sizeof(*entry));
- free_session(entry);
- return -1;
+ if (cipher_xform.cipher.algo == RTE_CRYPTO_CIPHER_NULL) {
+ first_xform->next = NULL;
+ res = CRYPTO_CHAIN_ONLY_AUTH;
+ } else if (auth_xform.auth.algo == RTE_CRYPTO_AUTH_NULL) {
+ first_xform = &cipher_xform;
+ first_xform->next = NULL;
+ res = CRYPTO_CHAIN_ONLY_CIPHER;
+ } else {
+ first_xform->next = &cipher_xform;
+ res = CRYPTO_CHAIN_AUTH_CIPHER;
+ }
}
- rc = get_crypto_dev(&cipher_xform,
- &auth_xform,
+ rc = get_crypto_dev(first_xform,
+ res,
param->iv.length,
&cdev_id);
@@ -1269,15 +1328,13 @@ int odp_crypto_int(odp_packet_t pkt_in,
op->sym->auth.aad.length = aad_len;
}
- if (entry->iv.length == 0) {
- ODP_ERR("Wrong IV length");
- goto err_op_free;
- }
- op->sym->cipher.iv.data = rte_malloc("iv", entry->iv.length, 0);
- if (op->sym->cipher.iv.data == NULL) {
- ODP_ERR("Failed to allocate memory for IV");
- goto err_op_free;
+ if (entry->iv.length) {
+ op->sym->cipher.iv.data = rte_malloc("iv", entry->iv.length, 0);
+ if (op->sym->cipher.iv.data == NULL) {
+ ODP_ERR("Failed to allocate memory for IV");
+ goto err_op_free;
+ }
}
if (param->override_iv_ptr) {
@@ -1,6 +1,6 @@
#!/bin/bash
-export ODP_PLATFORM_PARAMS=${ODP_PLATFORM_PARAMS:--n 4 --vdev "crypto_openssl"}
+export ODP_PLATFORM_PARAMS=${ODP_PLATFORM_PARAMS:--n 4 --vdev "crypto_openssl" --vdev "crypto_null"}
# where to mount huge pages
export HUGEPAGEDIR=${HUGEPAGEDIR:-/mnt/huge}
@@ -303,6 +303,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
case ODP_CIPHER_ALG_3DES_CBC:
ipsec_sa->esp_iv_len = 8;
ipsec_sa->esp_block_len = 8;
+ crypto_param.iv.length = 8;
break;
#if ODP_DEPRECATED_API
case ODP_CIPHER_ALG_AES128_CBC:
@@ -310,6 +311,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
case ODP_CIPHER_ALG_AES_CBC:
ipsec_sa->esp_iv_len = 16;
ipsec_sa->esp_block_len = 16;
+ crypto_param.iv.length = 16;
break;
#if ODP_DEPRECATED_API
case ODP_CIPHER_ALG_AES128_GCM:
@@ -32,17 +32,26 @@
static uint8_t test_iv[8] = "01234567";
-static uint8_t test_key16[16] = { 0x01, 0x02, 0x03, 0x04, 0x05,
+static uint8_t test_key24[24] = { 0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10,
+ 0x10, 0x11, 0x12, 0x13, 0x14,
+ 0x15, 0x16, 0x17, 0x18
};
-static uint8_t test_key24[24] = { 0x01, 0x02, 0x03, 0x04, 0x05,
+static uint8_t test_key64[64] = { 0x01, 0x02, 0x03, 0x04, 0x05,
0x06, 0x07, 0x08, 0x09, 0x0a,
0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14,
- 0x15, 0x16, 0x17, 0x18
+ 0x15, 0x16, 0x17, 0x18, 0x19,
+ 0x1a, 0x1b, 0x1c, 0x1d, 0x1e,
+ 0x1f, 0x20, 0x21, 0x22, 0x23,
+ 0x24, 0x25, 0x26, 0x27, 0x28,
+ 0x29, 0x2a, 0x2b, 0x2c, 0x2d,
+ 0x2e, 0x2f, 0x30, 0x31, 0x32,
+ 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x38, 0x39, 0x3a, 0x3b, 0x3c,
+ 0x3d, 0x3e, 0x3f, 0x40
};
/**
@@ -208,8 +217,8 @@ static crypto_alg_config_t algs_config[] = {
},
.auth_alg = ODP_AUTH_ALG_MD5_HMAC,
.auth_key = {
- .data = test_key16,
- .length = sizeof(test_key16)
+ .data = test_key64,
+ .length = sizeof(test_key64)
},
.auth_digest_len = 12,
},
@@ -220,8 +229,8 @@ static crypto_alg_config_t algs_config[] = {
.cipher_alg = ODP_CIPHER_ALG_NULL,
.auth_alg = ODP_AUTH_ALG_MD5_HMAC,
.auth_key = {
- .data = test_key16,
- .length = sizeof(test_key16)
+ .data = test_key64,
+ .length = sizeof(test_key64)
},
.auth_digest_len = 12,
},
@@ -429,6 +438,7 @@ create_session_from_config(odp_crypto_session_t *session,
odp_crypto_session_param_init(¶ms);
memcpy(¶ms, &config->session, sizeof(odp_crypto_session_param_t));
params.op = ODP_CRYPTO_OP_ENCODE;
+ params.auth_cipher_text = 1;
params.pref_mode = ODP_CRYPTO_SYNC;
/* Lookup the packet pool */
@@ -416,7 +416,7 @@ static void alg_test(odp_crypto_op_t op,
/* Create a crypto session */
odp_crypto_session_param_init(&ses_params);
ses_params.op = op;
- ses_params.auth_cipher_text = false;
+ ses_params.auth_cipher_text = true;
ses_params.op_mode = suite_context.op_mode;
ses_params.pref_mode = suite_context.pref_mode;
ses_params.cipher_alg = cipher_alg;
@@ -54,19 +54,6 @@ static crypto_test_reference_t tdes_cbc_reference[] = {
.length = 8,
.plaintext = { 0x32, 0x6a, 0x49, 0x4c, 0xd3, 0x3f, 0xe7, 0x56 },
.ciphertext = { 0xb2, 0x2b, 0x8d, 0x66, 0xde, 0x97, 0x06, 0x92 }
- },
- {
- .cipher_key_length = TDES_CBC_KEY_LEN,
- .cipher_key = { 0x37, 0xae, 0x5e, 0xbf, 0x46, 0xdf, 0xf2, 0xdc,
- 0x07, 0x54, 0xb9, 0x4f, 0x31, 0xcb, 0xb3, 0x85,
- 0x5e, 0x7f, 0xd3, 0x6d, 0xc8, 0x70, 0xbf, 0xae},
- .iv_length = TDES_CBC_IV_LEN,
- .iv = {0x3d, 0x1d, 0xe3, 0xcc, 0x13, 0x2e, 0x3b, 0x65 },
- .length = 16,
- .plaintext = { 0x84, 0x40, 0x1f, 0x78, 0xfe, 0x6c, 0x10, 0x87,
- 0x6d, 0x8e, 0xa2, 0x30, 0x94, 0xea, 0x53, 0x09 },
- .ciphertext = { 0x7b, 0x1f, 0x7c, 0x7e, 0x3b, 0x1c, 0x94, 0x8e,
- 0xbd, 0x04, 0xa7, 0x5f, 0xfb, 0xa7, 0xd2, 0xf5 }
}
};
@@ -119,7 +119,8 @@ static void pktio_stop(odp_pktio_t pktio)
int ipsec_check(odp_bool_t ah,
odp_cipher_alg_t cipher,
uint32_t cipher_bits,
- odp_auth_alg_t auth)
+ odp_auth_alg_t auth,
+ uint32_t auth_bits)
{
odp_ipsec_capability_t capa;
odp_crypto_cipher_capability_t cipher_capa[MAX_ALG_CAPA];
@@ -220,52 +221,65 @@ int ipsec_check(odp_bool_t ah,
}
if (!found) {
- fprintf(stderr, "Unsupported key length\n");
+ fprintf(stderr, "Unsupported cipher key length\n");
return ODP_TEST_INACTIVE;
}
+ found = false;
num = odp_ipsec_auth_capability(auth, auth_capa, MAX_ALG_CAPA);
if (num <= 0) {
fprintf(stderr, "Wrong auth capabilities\n");
return ODP_TEST_INACTIVE;
}
+ for (i = 0; i < num; i++) {
+ if (auth_capa[i].key_len == auth_bits / 8) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found) {
+ fprintf(stderr, "Unsupported auth key length\n");
+ return ODP_TEST_INACTIVE;
+ }
+
return ODP_TEST_ACTIVE;
}
int ipsec_check_ah_sha256(void)
{
- return ipsec_check_ah(ODP_AUTH_ALG_SHA256_HMAC);
+ return ipsec_check_ah(ODP_AUTH_ALG_SHA256_HMAC, 256);
}
int ipsec_check_esp_null_sha256(void)
{
return ipsec_check_esp(ODP_CIPHER_ALG_NULL, 0,
- ODP_AUTH_ALG_SHA256_HMAC);
+ ODP_AUTH_ALG_SHA256_HMAC, 256);
}
int ipsec_check_esp_aes_cbc_128_null(void)
{
return ipsec_check_esp(ODP_CIPHER_ALG_AES_CBC, 128,
- ODP_AUTH_ALG_NULL);
+ ODP_AUTH_ALG_NULL, 0);
}
int ipsec_check_esp_aes_cbc_128_sha256(void)
{
return ipsec_check_esp(ODP_CIPHER_ALG_AES_CBC, 128,
- ODP_AUTH_ALG_SHA256_HMAC);
+ ODP_AUTH_ALG_SHA256_HMAC, 256);
}
int ipsec_check_esp_aes_gcm_128(void)
{
return ipsec_check_esp(ODP_CIPHER_ALG_AES_GCM, 128,
- ODP_AUTH_ALG_AES_GCM);
+ ODP_AUTH_ALG_AES_GCM, 128);
}
int ipsec_check_esp_aes_gcm_256(void)
{
return ipsec_check_esp(ODP_CIPHER_ALG_AES_GCM, 256,
- ODP_AUTH_ALG_AES_GCM);
+ ODP_AUTH_ALG_AES_GCM, 256);
}
void ipsec_sa_param_fill(odp_ipsec_sa_param_t *param,
@@ -74,16 +74,16 @@ void ipsec_check_out_in_one(const ipsec_test_part *part,
int ipsec_check(odp_bool_t ah,
odp_cipher_alg_t cipher,
uint32_t cipher_bits,
- odp_auth_alg_t auth);
-#define ipsec_check_ah(auth) \
- ipsec_check(true, ODP_CIPHER_ALG_NULL, 0, auth)
-#define ipsec_check_esp(cipher, cipher_bits, auth) \
- ipsec_check(false, cipher, cipher_bits, auth)
+ odp_auth_alg_t auth,
+ uint32_t auth_bits);
+#define ipsec_check_ah(auth, auth_bits) \
+ ipsec_check(true, ODP_CIPHER_ALG_NULL, 0, auth, auth_bits)
+#define ipsec_check_esp(cipher, cipher_bits, auth, auth_bits) \
+ ipsec_check(false, cipher, cipher_bits, auth, auth_bits)
int ipsec_check_ah_sha256(void);
int ipsec_check_esp_null_sha256(void);
int ipsec_check_esp_aes_cbc_128_null(void);
int ipsec_check_esp_aes_cbc_128_sha256(void);
int ipsec_check_esp_aes_gcm_128(void);
int ipsec_check_esp_aes_gcm_256(void);
-
#endif