1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2016-2017 Intel Corporation
5 #define OPENSSL_API_COMPAT 0x10100000L
7 #include <rte_common.h>
8 #include <rte_hexdump.h>
9 #include <rte_cryptodev.h>
10 #include <cryptodev_pmd.h>
11 #include <rte_bus_vdev.h>
12 #include <rte_malloc.h>
13 #include <rte_cpuflags.h>
15 #include <openssl/hmac.h>
16 #include <openssl/evp.h>
18 #include "openssl_pmd_private.h"
21 #define DES_BLOCK_SIZE 8
23 static uint8_t cryptodev_driver_id;
25 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
26 static HMAC_CTX *HMAC_CTX_new(void)
28 HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
35 static void HMAC_CTX_free(HMAC_CTX *ctx)
38 HMAC_CTX_cleanup(ctx);
44 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
46 #include <openssl/provider.h>
47 #include <openssl/core_names.h>
49 #define MAX_OSSL_ALGO_NAME_SIZE 16
51 OSSL_PROVIDER *legacy;
54 static void ossl_legacy_provider_load(void)
56 /* Load Multiple providers into the default (NULL) library context */
57 legacy = OSSL_PROVIDER_load(NULL, "legacy");
59 OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
63 deflt = OSSL_PROVIDER_load(NULL, "default");
65 OPENSSL_LOG(ERR, "Failed to load Default provider\n");
66 OSSL_PROVIDER_unload(legacy);
71 static void ossl_legacy_provider_unload(void)
73 OSSL_PROVIDER_unload(legacy);
74 OSSL_PROVIDER_unload(deflt);
77 static __rte_always_inline const char *
78 digest_name_get(enum rte_crypto_auth_algorithm algo)
81 case RTE_CRYPTO_AUTH_MD5_HMAC:
82 return OSSL_DIGEST_NAME_MD5;
83 case RTE_CRYPTO_AUTH_SHA1_HMAC:
84 return OSSL_DIGEST_NAME_SHA1;
85 case RTE_CRYPTO_AUTH_SHA224_HMAC:
86 return OSSL_DIGEST_NAME_SHA2_224;
87 case RTE_CRYPTO_AUTH_SHA256_HMAC:
88 return OSSL_DIGEST_NAME_SHA2_256;
89 case RTE_CRYPTO_AUTH_SHA384_HMAC:
90 return OSSL_DIGEST_NAME_SHA2_384;
91 case RTE_CRYPTO_AUTH_SHA512_HMAC:
92 return OSSL_DIGEST_NAME_SHA2_512;
99 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
101 /*----------------------------------------------------------------------------*/
104 * Increment counter by 1
105 * Counter is 64 bit array, big-endian
108 ctr_inc(uint8_t *ctr)
110 uint64_t *ctr64 = (uint64_t *)ctr;
112 *ctr64 = __builtin_bswap64(*ctr64);
114 *ctr64 = __builtin_bswap64(*ctr64);
118 *------------------------------------------------------------------------------
120 *------------------------------------------------------------------------------
123 /** Get xform chain order */
124 static enum openssl_chain_order
125 openssl_get_chain_order(const struct rte_crypto_sym_xform *xform)
127 enum openssl_chain_order res = OPENSSL_CHAIN_NOT_SUPPORTED;
130 if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
131 if (xform->next == NULL)
132 res = OPENSSL_CHAIN_ONLY_AUTH;
133 else if (xform->next->type ==
134 RTE_CRYPTO_SYM_XFORM_CIPHER)
135 res = OPENSSL_CHAIN_AUTH_CIPHER;
137 if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
138 if (xform->next == NULL)
139 res = OPENSSL_CHAIN_ONLY_CIPHER;
140 else if (xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH)
141 res = OPENSSL_CHAIN_CIPHER_AUTH;
143 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
144 res = OPENSSL_CHAIN_COMBINED;
150 /** Get session cipher key from input cipher key */
152 get_cipher_key(const uint8_t *input_key, int keylen, uint8_t *session_key)
154 memcpy(session_key, input_key, keylen);
157 /** Get key ede 24 bytes standard from input key */
159 get_cipher_key_ede(const uint8_t *key, int keylen, uint8_t *key_ede)
163 /* Initialize keys - 24 bytes: [key1-key2-key3] */
166 memcpy(key_ede, key, 24);
170 memcpy(key_ede, key, 16);
171 memcpy(key_ede + 16, key, 8);
174 /* K1 = K2 = K3 (DES compatibility) */
175 memcpy(key_ede, key, 8);
176 memcpy(key_ede + 8, key, 8);
177 memcpy(key_ede + 16, key, 8);
180 OPENSSL_LOG(ERR, "Unsupported key size");
187 /** Get adequate openssl function for input cipher algorithm */
189 get_cipher_algo(enum rte_crypto_cipher_algorithm sess_algo, size_t keylen,
190 const EVP_CIPHER **algo)
196 case RTE_CRYPTO_CIPHER_3DES_CBC:
199 *algo = EVP_des_cbc();
202 *algo = EVP_des_ede_cbc();
205 *algo = EVP_des_ede3_cbc();
211 case RTE_CRYPTO_CIPHER_3DES_CTR:
213 case RTE_CRYPTO_CIPHER_AES_CBC:
216 *algo = EVP_aes_128_cbc();
219 *algo = EVP_aes_192_cbc();
222 *algo = EVP_aes_256_cbc();
228 case RTE_CRYPTO_CIPHER_AES_CTR:
231 *algo = EVP_aes_128_ctr();
234 *algo = EVP_aes_192_ctr();
237 *algo = EVP_aes_256_ctr();
254 /** Get adequate openssl function for input auth algorithm */
256 get_auth_algo(enum rte_crypto_auth_algorithm sessalgo,
263 case RTE_CRYPTO_AUTH_MD5:
264 case RTE_CRYPTO_AUTH_MD5_HMAC:
267 case RTE_CRYPTO_AUTH_SHA1:
268 case RTE_CRYPTO_AUTH_SHA1_HMAC:
271 case RTE_CRYPTO_AUTH_SHA224:
272 case RTE_CRYPTO_AUTH_SHA224_HMAC:
273 *algo = EVP_sha224();
275 case RTE_CRYPTO_AUTH_SHA256:
276 case RTE_CRYPTO_AUTH_SHA256_HMAC:
277 *algo = EVP_sha256();
279 case RTE_CRYPTO_AUTH_SHA384:
280 case RTE_CRYPTO_AUTH_SHA384_HMAC:
281 *algo = EVP_sha384();
283 case RTE_CRYPTO_AUTH_SHA512:
284 case RTE_CRYPTO_AUTH_SHA512_HMAC:
285 *algo = EVP_sha512();
298 /** Get adequate openssl function for input cipher algorithm */
300 get_aead_algo(enum rte_crypto_aead_algorithm sess_algo, size_t keylen,
301 const EVP_CIPHER **algo)
307 case RTE_CRYPTO_AEAD_AES_GCM:
310 *algo = EVP_aes_128_gcm();
313 *algo = EVP_aes_192_gcm();
316 *algo = EVP_aes_256_gcm();
322 case RTE_CRYPTO_AEAD_AES_CCM:
325 *algo = EVP_aes_128_ccm();
328 *algo = EVP_aes_192_ccm();
331 *algo = EVP_aes_256_ccm();
348 /* Set session AEAD encryption parameters */
350 openssl_set_sess_aead_enc_param(struct openssl_session *sess,
351 enum rte_crypto_aead_algorithm algo,
352 uint8_t tag_len, const uint8_t *key)
357 sess->cipher.direction = RTE_CRYPTO_CIPHER_OP_ENCRYPT;
358 sess->auth.operation = RTE_CRYPTO_AUTH_OP_GENERATE;
360 /* Select AEAD algo */
362 case RTE_CRYPTO_AEAD_AES_GCM:
363 iv_type = EVP_CTRL_GCM_SET_IVLEN;
368 case RTE_CRYPTO_AEAD_AES_CCM:
369 iv_type = EVP_CTRL_CCM_SET_IVLEN;
370 /* Digest size can be 4, 6, 8, 10, 12, 14 or 16 bytes */
371 if (tag_len < 4 || tag_len > 16 || (tag_len & 1) == 1)
379 sess->cipher.mode = OPENSSL_CIPHER_LIB;
380 sess->cipher.ctx = EVP_CIPHER_CTX_new();
382 if (get_aead_algo(algo, sess->cipher.key.length,
383 &sess->cipher.evp_algo) != 0)
386 get_cipher_key(key, sess->cipher.key.length, sess->cipher.key.data);
388 sess->chain_order = OPENSSL_CHAIN_COMBINED;
390 if (EVP_EncryptInit_ex(sess->cipher.ctx, sess->cipher.evp_algo,
391 NULL, NULL, NULL) <= 0)
394 if (EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, iv_type, sess->iv.length,
399 EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, EVP_CTRL_CCM_SET_TAG,
402 if (EVP_EncryptInit_ex(sess->cipher.ctx, NULL, NULL, key, NULL) <= 0)
408 /* Set session AEAD decryption parameters */
410 openssl_set_sess_aead_dec_param(struct openssl_session *sess,
411 enum rte_crypto_aead_algorithm algo,
412 uint8_t tag_len, const uint8_t *key)
415 unsigned int do_ccm = 0;
417 sess->cipher.direction = RTE_CRYPTO_CIPHER_OP_DECRYPT;
418 sess->auth.operation = RTE_CRYPTO_AUTH_OP_VERIFY;
420 /* Select AEAD algo */
422 case RTE_CRYPTO_AEAD_AES_GCM:
423 iv_type = EVP_CTRL_GCM_SET_IVLEN;
427 case RTE_CRYPTO_AEAD_AES_CCM:
428 iv_type = EVP_CTRL_CCM_SET_IVLEN;
429 /* Digest size can be 4, 6, 8, 10, 12, 14 or 16 bytes */
430 if (tag_len < 4 || tag_len > 16 || (tag_len & 1) == 1)
438 sess->cipher.mode = OPENSSL_CIPHER_LIB;
439 sess->cipher.ctx = EVP_CIPHER_CTX_new();
441 if (get_aead_algo(algo, sess->cipher.key.length,
442 &sess->cipher.evp_algo) != 0)
445 get_cipher_key(key, sess->cipher.key.length, sess->cipher.key.data);
447 sess->chain_order = OPENSSL_CHAIN_COMBINED;
449 if (EVP_DecryptInit_ex(sess->cipher.ctx, sess->cipher.evp_algo,
450 NULL, NULL, NULL) <= 0)
453 if (EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, iv_type,
454 sess->iv.length, NULL) <= 0)
458 EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, EVP_CTRL_CCM_SET_TAG,
461 if (EVP_DecryptInit_ex(sess->cipher.ctx, NULL, NULL, key, NULL) <= 0)
467 /** Set session cipher parameters */
469 openssl_set_session_cipher_parameters(struct openssl_session *sess,
470 const struct rte_crypto_sym_xform *xform)
472 /* Select cipher direction */
473 sess->cipher.direction = xform->cipher.op;
474 /* Select cipher key */
475 sess->cipher.key.length = xform->cipher.key.length;
477 /* Set IV parameters */
478 sess->iv.offset = xform->cipher.iv.offset;
479 sess->iv.length = xform->cipher.iv.length;
481 /* Select cipher algo */
482 switch (xform->cipher.algo) {
483 case RTE_CRYPTO_CIPHER_3DES_CBC:
484 case RTE_CRYPTO_CIPHER_AES_CBC:
485 case RTE_CRYPTO_CIPHER_AES_CTR:
486 sess->cipher.mode = OPENSSL_CIPHER_LIB;
487 sess->cipher.algo = xform->cipher.algo;
488 sess->cipher.ctx = EVP_CIPHER_CTX_new();
490 if (get_cipher_algo(sess->cipher.algo, sess->cipher.key.length,
491 &sess->cipher.evp_algo) != 0)
494 get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
495 sess->cipher.key.data);
496 if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
497 if (EVP_EncryptInit_ex(sess->cipher.ctx,
498 sess->cipher.evp_algo,
499 NULL, xform->cipher.key.data,
503 } else if (sess->cipher.direction ==
504 RTE_CRYPTO_CIPHER_OP_DECRYPT) {
505 if (EVP_DecryptInit_ex(sess->cipher.ctx,
506 sess->cipher.evp_algo,
507 NULL, xform->cipher.key.data,
515 case RTE_CRYPTO_CIPHER_3DES_CTR:
516 sess->cipher.mode = OPENSSL_CIPHER_DES3CTR;
517 sess->cipher.ctx = EVP_CIPHER_CTX_new();
519 if (get_cipher_key_ede(xform->cipher.key.data,
520 sess->cipher.key.length,
521 sess->cipher.key.data) != 0)
525 case RTE_CRYPTO_CIPHER_DES_CBC:
526 sess->cipher.algo = xform->cipher.algo;
527 sess->cipher.ctx = EVP_CIPHER_CTX_new();
528 sess->cipher.evp_algo = EVP_des_cbc();
530 get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
531 sess->cipher.key.data);
532 if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
533 if (EVP_EncryptInit_ex(sess->cipher.ctx,
534 sess->cipher.evp_algo,
535 NULL, xform->cipher.key.data,
539 } else if (sess->cipher.direction ==
540 RTE_CRYPTO_CIPHER_OP_DECRYPT) {
541 if (EVP_DecryptInit_ex(sess->cipher.ctx,
542 sess->cipher.evp_algo,
543 NULL, xform->cipher.key.data,
551 case RTE_CRYPTO_CIPHER_DES_DOCSISBPI:
552 sess->cipher.algo = xform->cipher.algo;
553 sess->chain_order = OPENSSL_CHAIN_CIPHER_BPI;
554 sess->cipher.ctx = EVP_CIPHER_CTX_new();
555 sess->cipher.evp_algo = EVP_des_cbc();
557 sess->cipher.bpi_ctx = EVP_CIPHER_CTX_new();
558 /* IV will be ECB encrypted whether direction is encrypt or decrypt */
559 if (EVP_EncryptInit_ex(sess->cipher.bpi_ctx, EVP_des_ecb(),
560 NULL, xform->cipher.key.data, 0) != 1)
563 get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
564 sess->cipher.key.data);
565 if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
566 if (EVP_EncryptInit_ex(sess->cipher.ctx,
567 sess->cipher.evp_algo,
568 NULL, xform->cipher.key.data,
572 } else if (sess->cipher.direction ==
573 RTE_CRYPTO_CIPHER_OP_DECRYPT) {
574 if (EVP_DecryptInit_ex(sess->cipher.ctx,
575 sess->cipher.evp_algo,
576 NULL, xform->cipher.key.data,
584 sess->cipher.algo = RTE_CRYPTO_CIPHER_NULL;
591 /* Set session auth parameters */
593 openssl_set_session_auth_parameters(struct openssl_session *sess,
594 const struct rte_crypto_sym_xform *xform)
596 /* Select auth generate/verify */
597 sess->auth.operation = xform->auth.op;
598 sess->auth.algo = xform->auth.algo;
600 sess->auth.digest_length = xform->auth.digest_length;
602 /* Select auth algo */
603 switch (xform->auth.algo) {
604 case RTE_CRYPTO_AUTH_AES_GMAC:
606 * OpenSSL requires GMAC to be a GCM operation
607 * with no cipher data length
609 sess->cipher.key.length = xform->auth.key.length;
611 /* Set IV parameters */
612 sess->iv.offset = xform->auth.iv.offset;
613 sess->iv.length = xform->auth.iv.length;
615 if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_GENERATE)
616 return openssl_set_sess_aead_enc_param(sess,
617 RTE_CRYPTO_AEAD_AES_GCM,
618 xform->auth.digest_length,
619 xform->auth.key.data);
621 return openssl_set_sess_aead_dec_param(sess,
622 RTE_CRYPTO_AEAD_AES_GCM,
623 xform->auth.digest_length,
624 xform->auth.key.data);
627 case RTE_CRYPTO_AUTH_MD5:
628 case RTE_CRYPTO_AUTH_SHA1:
629 case RTE_CRYPTO_AUTH_SHA224:
630 case RTE_CRYPTO_AUTH_SHA256:
631 case RTE_CRYPTO_AUTH_SHA384:
632 case RTE_CRYPTO_AUTH_SHA512:
633 sess->auth.mode = OPENSSL_AUTH_AS_AUTH;
634 if (get_auth_algo(xform->auth.algo,
635 &sess->auth.auth.evp_algo) != 0)
637 sess->auth.auth.ctx = EVP_MD_CTX_create();
640 # if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
641 case RTE_CRYPTO_AUTH_MD5_HMAC:
642 case RTE_CRYPTO_AUTH_SHA1_HMAC:
643 case RTE_CRYPTO_AUTH_SHA224_HMAC:
644 case RTE_CRYPTO_AUTH_SHA256_HMAC:
645 case RTE_CRYPTO_AUTH_SHA384_HMAC:
646 case RTE_CRYPTO_AUTH_SHA512_HMAC:
647 sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
649 OSSL_PARAM params[2];
651 algo = digest_name_get(xform->auth.algo);
654 char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
655 rte_memcpy(algo_name, algo, (sizeof(algo)+1));
657 EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
658 sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
660 if (get_auth_algo(xform->auth.algo,
661 &sess->auth.hmac.evp_algo) != 0)
664 params[0] = OSSL_PARAM_construct_utf8_string("digest",
666 params[1] = OSSL_PARAM_construct_end();
667 if (EVP_MAC_init(sess->auth.hmac.ctx,
668 xform->auth.key.data,
669 xform->auth.key.length,
674 case RTE_CRYPTO_AUTH_MD5_HMAC:
675 case RTE_CRYPTO_AUTH_SHA1_HMAC:
676 case RTE_CRYPTO_AUTH_SHA224_HMAC:
677 case RTE_CRYPTO_AUTH_SHA256_HMAC:
678 case RTE_CRYPTO_AUTH_SHA384_HMAC:
679 case RTE_CRYPTO_AUTH_SHA512_HMAC:
680 sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
681 sess->auth.hmac.ctx = HMAC_CTX_new();
682 if (get_auth_algo(xform->auth.algo,
683 &sess->auth.hmac.evp_algo) != 0)
686 if (HMAC_Init_ex(sess->auth.hmac.ctx,
687 xform->auth.key.data,
688 xform->auth.key.length,
689 sess->auth.hmac.evp_algo, NULL) != 1)
700 /* Set session AEAD parameters */
702 openssl_set_session_aead_parameters(struct openssl_session *sess,
703 const struct rte_crypto_sym_xform *xform)
705 /* Select cipher key */
706 sess->cipher.key.length = xform->aead.key.length;
708 /* Set IV parameters */
709 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_CCM)
711 * For AES-CCM, the actual IV is placed
712 * one byte after the start of the IV field,
713 * according to the API.
715 sess->iv.offset = xform->aead.iv.offset + 1;
717 sess->iv.offset = xform->aead.iv.offset;
719 sess->iv.length = xform->aead.iv.length;
721 sess->auth.aad_length = xform->aead.aad_length;
722 sess->auth.digest_length = xform->aead.digest_length;
724 sess->aead_algo = xform->aead.algo;
725 /* Select cipher direction */
726 if (xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
727 return openssl_set_sess_aead_enc_param(sess, xform->aead.algo,
728 xform->aead.digest_length, xform->aead.key.data);
730 return openssl_set_sess_aead_dec_param(sess, xform->aead.algo,
731 xform->aead.digest_length, xform->aead.key.data);
734 /** Parse crypto xform chain and set private session parameters */
736 openssl_set_session_parameters(struct openssl_session *sess,
737 const struct rte_crypto_sym_xform *xform)
739 const struct rte_crypto_sym_xform *cipher_xform = NULL;
740 const struct rte_crypto_sym_xform *auth_xform = NULL;
741 const struct rte_crypto_sym_xform *aead_xform = NULL;
744 sess->chain_order = openssl_get_chain_order(xform);
745 switch (sess->chain_order) {
746 case OPENSSL_CHAIN_ONLY_CIPHER:
747 cipher_xform = xform;
749 case OPENSSL_CHAIN_ONLY_AUTH:
752 case OPENSSL_CHAIN_CIPHER_AUTH:
753 cipher_xform = xform;
754 auth_xform = xform->next;
756 case OPENSSL_CHAIN_AUTH_CIPHER:
758 cipher_xform = xform->next;
760 case OPENSSL_CHAIN_COMBINED:
767 /* Default IV length = 0 */
770 /* cipher_xform must be check before auth_xform */
772 ret = openssl_set_session_cipher_parameters(
776 "Invalid/unsupported cipher parameters");
782 ret = openssl_set_session_auth_parameters(sess, auth_xform);
785 "Invalid/unsupported auth parameters");
791 ret = openssl_set_session_aead_parameters(sess, aead_xform);
794 "Invalid/unsupported AEAD parameters");
802 /** Reset private session parameters */
804 openssl_reset_session(struct openssl_session *sess)
806 EVP_CIPHER_CTX_free(sess->cipher.ctx);
808 if (sess->chain_order == OPENSSL_CHAIN_CIPHER_BPI)
809 EVP_CIPHER_CTX_free(sess->cipher.bpi_ctx);
811 switch (sess->auth.mode) {
812 case OPENSSL_AUTH_AS_AUTH:
813 EVP_MD_CTX_destroy(sess->auth.auth.ctx);
815 case OPENSSL_AUTH_AS_HMAC:
816 EVP_PKEY_free(sess->auth.hmac.pkey);
817 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
818 EVP_MAC_CTX_free(sess->auth.hmac.ctx);
820 HMAC_CTX_free(sess->auth.hmac.ctx);
828 /** Provide session for operation */
830 get_session(struct openssl_qp *qp, struct rte_crypto_op *op)
832 struct openssl_session *sess = NULL;
833 struct openssl_asym_session *asym_sess = NULL;
835 if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
836 if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
837 /* get existing session */
838 if (likely(op->sym->session != NULL))
839 sess = (struct openssl_session *)
840 get_sym_session_private_data(
842 cryptodev_driver_id);
844 if (likely(op->asym->session != NULL))
845 asym_sess = (struct openssl_asym_session *)
846 op->asym->session->sess_private_data;
847 if (asym_sess == NULL)
849 RTE_CRYPTO_OP_STATUS_INVALID_SESSION;
853 /* sessionless asymmetric not supported */
854 if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC)
857 /* provide internal session */
858 void *_sess = rte_cryptodev_sym_session_create(qp->sess_mp);
859 void *_sess_private_data = NULL;
864 if (rte_mempool_get(qp->sess_mp_priv,
865 (void **)&_sess_private_data))
868 sess = (struct openssl_session *)_sess_private_data;
870 if (unlikely(openssl_set_session_parameters(sess,
871 op->sym->xform) != 0)) {
872 rte_mempool_put(qp->sess_mp, _sess);
873 rte_mempool_put(qp->sess_mp_priv, _sess_private_data);
876 op->sym->session = (struct rte_cryptodev_sym_session *)_sess;
877 set_sym_session_private_data(op->sym->session,
878 cryptodev_driver_id, _sess_private_data);
882 op->status = RTE_CRYPTO_OP_STATUS_INVALID_SESSION;
888 *------------------------------------------------------------------------------
890 *------------------------------------------------------------------------------
893 process_openssl_encryption_update(struct rte_mbuf *mbuf_src, int offset,
894 uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx, uint8_t inplace)
899 uint8_t *src, temp[EVP_CIPHER_CTX_block_size(ctx)];
901 for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
903 offset -= rte_pktmbuf_data_len(m);
908 src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
912 l = rte_pktmbuf_data_len(m) - offset;
914 if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, srclen) <= 0)
920 if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
926 for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
927 uint8_t diff = l - dstlen, rem;
929 src = rte_pktmbuf_mtod(m, uint8_t *);
930 l = RTE_MIN(rte_pktmbuf_data_len(m), n);
931 if (diff && inplace) {
933 (EVP_CIPHER_CTX_block_size(ctx) - diff));
934 if (EVP_EncryptUpdate(ctx, temp,
935 &dstlen, src, rem) <= 0)
938 rte_memcpy(*dst, temp, diff);
939 rte_memcpy(src, temp + diff, rem);
945 if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
955 process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
956 uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx, uint8_t inplace)
961 uint8_t *src, temp[EVP_CIPHER_CTX_block_size(ctx)];
963 for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
965 offset -= rte_pktmbuf_data_len(m);
970 src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
974 l = rte_pktmbuf_data_len(m) - offset;
976 if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, srclen) <= 0)
982 if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
988 for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
989 uint8_t diff = l - dstlen, rem;
991 src = rte_pktmbuf_mtod(m, uint8_t *);
992 l = RTE_MIN(rte_pktmbuf_data_len(m), n);
993 if (diff && inplace) {
995 (EVP_CIPHER_CTX_block_size(ctx) - diff));
996 if (EVP_DecryptUpdate(ctx, temp,
997 &dstlen, src, rem) <= 0)
1000 rte_memcpy(*dst, temp, diff);
1001 rte_memcpy(src, temp + diff, rem);
1007 if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
1016 /** Process standard openssl cipher encryption */
1018 process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
1019 int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx,
1024 if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
1025 goto process_cipher_encrypt_err;
1027 EVP_CIPHER_CTX_set_padding(ctx, 0);
1029 if (process_openssl_encryption_update(mbuf_src, offset, &dst,
1030 srclen, ctx, inplace))
1031 goto process_cipher_encrypt_err;
1033 if (EVP_EncryptFinal_ex(ctx, dst, &totlen) <= 0)
1034 goto process_cipher_encrypt_err;
1038 process_cipher_encrypt_err:
1039 OPENSSL_LOG(ERR, "Process openssl cipher encrypt failed");
1043 /** Process standard openssl cipher encryption */
1045 process_openssl_cipher_bpi_encrypt(uint8_t *src, uint8_t *dst,
1046 uint8_t *iv, int srclen,
1047 EVP_CIPHER_CTX *ctx)
1050 uint8_t encrypted_iv[DES_BLOCK_SIZE];
1051 int encrypted_ivlen;
1053 if (EVP_EncryptUpdate(ctx, encrypted_iv, &encrypted_ivlen,
1054 iv, DES_BLOCK_SIZE) <= 0)
1055 goto process_cipher_encrypt_err;
1057 for (i = 0; i < srclen; i++)
1058 *(dst + i) = *(src + i) ^ (encrypted_iv[i]);
1062 process_cipher_encrypt_err:
1063 OPENSSL_LOG(ERR, "Process openssl cipher bpi encrypt failed");
1066 /** Process standard openssl cipher decryption */
1068 process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
1069 int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx,
1074 if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
1075 goto process_cipher_decrypt_err;
1077 EVP_CIPHER_CTX_set_padding(ctx, 0);
1079 if (process_openssl_decryption_update(mbuf_src, offset, &dst,
1080 srclen, ctx, inplace))
1081 goto process_cipher_decrypt_err;
1083 if (EVP_DecryptFinal_ex(ctx, dst, &totlen) <= 0)
1084 goto process_cipher_decrypt_err;
1087 process_cipher_decrypt_err:
1088 OPENSSL_LOG(ERR, "Process openssl cipher decrypt failed");
1092 /** Process cipher des 3 ctr encryption, decryption algorithm */
1094 process_openssl_cipher_des3ctr(struct rte_mbuf *mbuf_src, uint8_t *dst,
1095 int offset, uint8_t *iv, uint8_t *key, int srclen,
1096 EVP_CIPHER_CTX *ctx)
1098 uint8_t ebuf[8], ctr[8];
1104 for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
1106 offset -= rte_pktmbuf_data_len(m);
1109 goto process_cipher_des3ctr_err;
1111 src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
1112 l = rte_pktmbuf_data_len(m) - offset;
1114 /* We use 3DES encryption also for decryption.
1115 * IV is not important for 3DES ecb
1117 if (EVP_EncryptInit_ex(ctx, EVP_des_ede3_ecb(), NULL, key, NULL) <= 0)
1118 goto process_cipher_des3ctr_err;
1122 for (n = 0; n < srclen; n++) {
1124 if (EVP_EncryptUpdate(ctx,
1125 (unsigned char *)&ebuf, &unused,
1126 (const unsigned char *)&ctr, 8) <= 0)
1127 goto process_cipher_des3ctr_err;
1130 dst[n] = *(src++) ^ ebuf[n % 8];
1136 src = rte_pktmbuf_mtod(m, uint8_t *);
1137 l = rte_pktmbuf_data_len(m);
1144 process_cipher_des3ctr_err:
1145 OPENSSL_LOG(ERR, "Process openssl cipher des 3 ede ctr failed");
1149 /** Process AES-GCM encrypt algorithm */
1151 process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,
1152 int srclen, uint8_t *aad, int aadlen, uint8_t *iv,
1153 uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx)
1155 int len = 0, unused = 0;
1156 uint8_t empty[] = {};
1158 if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
1159 goto process_auth_encryption_gcm_err;
1162 if (EVP_EncryptUpdate(ctx, NULL, &len, aad, aadlen) <= 0)
1163 goto process_auth_encryption_gcm_err;
1166 if (process_openssl_encryption_update(mbuf_src, offset, &dst,
1168 goto process_auth_encryption_gcm_err;
1170 /* Workaround open ssl bug in version less then 1.0.1f */
1171 if (EVP_EncryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
1172 goto process_auth_encryption_gcm_err;
1174 if (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)
1175 goto process_auth_encryption_gcm_err;
1177 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag) <= 0)
1178 goto process_auth_encryption_gcm_err;
1182 process_auth_encryption_gcm_err:
1183 OPENSSL_LOG(ERR, "Process openssl auth encryption gcm failed");
1187 /** Process AES-CCM encrypt algorithm */
1189 process_openssl_auth_encryption_ccm(struct rte_mbuf *mbuf_src, int offset,
1190 int srclen, uint8_t *aad, int aadlen, uint8_t *iv,
1191 uint8_t *dst, uint8_t *tag, uint8_t taglen, EVP_CIPHER_CTX *ctx)
1195 if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
1196 goto process_auth_encryption_ccm_err;
1198 if (EVP_EncryptUpdate(ctx, NULL, &len, NULL, srclen) <= 0)
1199 goto process_auth_encryption_ccm_err;
1203 * For AES-CCM, the actual AAD is placed
1204 * 18 bytes after the start of the AAD field,
1205 * according to the API.
1207 if (EVP_EncryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0)
1208 goto process_auth_encryption_ccm_err;
1211 if (process_openssl_encryption_update(mbuf_src, offset, &dst,
1213 goto process_auth_encryption_ccm_err;
1215 if (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)
1216 goto process_auth_encryption_ccm_err;
1218 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, taglen, tag) <= 0)
1219 goto process_auth_encryption_ccm_err;
1223 process_auth_encryption_ccm_err:
1224 OPENSSL_LOG(ERR, "Process openssl auth encryption ccm failed");
1228 /** Process AES-GCM decrypt algorithm */
1230 process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,
1231 int srclen, uint8_t *aad, int aadlen, uint8_t *iv,
1232 uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx)
1234 int len = 0, unused = 0;
1235 uint8_t empty[] = {};
1237 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag) <= 0)
1238 goto process_auth_decryption_gcm_err;
1240 if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
1241 goto process_auth_decryption_gcm_err;
1244 if (EVP_DecryptUpdate(ctx, NULL, &len, aad, aadlen) <= 0)
1245 goto process_auth_decryption_gcm_err;
1248 if (process_openssl_decryption_update(mbuf_src, offset, &dst,
1250 goto process_auth_decryption_gcm_err;
1252 /* Workaround open ssl bug in version less then 1.0.1f */
1253 if (EVP_DecryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
1254 goto process_auth_decryption_gcm_err;
1256 if (EVP_DecryptFinal_ex(ctx, dst, &len) <= 0)
1261 process_auth_decryption_gcm_err:
1262 OPENSSL_LOG(ERR, "Process openssl auth decryption gcm failed");
1266 /** Process AES-CCM decrypt algorithm */
1268 process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset,
1269 int srclen, uint8_t *aad, int aadlen, uint8_t *iv,
1270 uint8_t *dst, uint8_t *tag, uint8_t tag_len,
1271 EVP_CIPHER_CTX *ctx)
1275 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, tag_len, tag) <= 0)
1276 goto process_auth_decryption_ccm_err;
1278 if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
1279 goto process_auth_decryption_ccm_err;
1281 if (EVP_DecryptUpdate(ctx, NULL, &len, NULL, srclen) <= 0)
1282 goto process_auth_decryption_ccm_err;
1286 * For AES-CCM, the actual AAD is placed
1287 * 18 bytes after the start of the AAD field,
1288 * according to the API.
1290 if (EVP_DecryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0)
1291 goto process_auth_decryption_ccm_err;
1294 if (process_openssl_decryption_update(mbuf_src, offset, &dst,
1300 process_auth_decryption_ccm_err:
1301 OPENSSL_LOG(ERR, "Process openssl auth decryption ccm failed");
1305 /** Process standard openssl auth algorithms */
1307 process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
1308 __rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey,
1309 int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
1316 for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
1318 offset -= rte_pktmbuf_data_len(m);
1321 goto process_auth_err;
1323 if (EVP_DigestInit_ex(ctx, algo, NULL) <= 0)
1324 goto process_auth_err;
1326 src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
1328 l = rte_pktmbuf_data_len(m) - offset;
1330 if (EVP_DigestUpdate(ctx, (char *)src, srclen) <= 0)
1331 goto process_auth_err;
1332 goto process_auth_final;
1335 if (EVP_DigestUpdate(ctx, (char *)src, l) <= 0)
1336 goto process_auth_err;
1340 for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
1341 src = rte_pktmbuf_mtod(m, uint8_t *);
1342 l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
1343 if (EVP_DigestUpdate(ctx, (char *)src, l) <= 0)
1344 goto process_auth_err;
1349 if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
1350 goto process_auth_err;
1354 OPENSSL_LOG(ERR, "Process openssl auth failed");
1358 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
1359 /** Process standard openssl auth algorithms with hmac */
1361 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
1362 int srclen, EVP_MAC_CTX *ctx)
1369 for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
1371 offset -= rte_pktmbuf_data_len(m);
1374 goto process_auth_err;
1376 src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
1378 l = rte_pktmbuf_data_len(m) - offset;
1380 if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
1381 goto process_auth_err;
1382 goto process_auth_final;
1385 if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
1386 goto process_auth_err;
1390 for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
1391 src = rte_pktmbuf_mtod(m, uint8_t *);
1392 l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
1393 if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
1394 goto process_auth_err;
1399 if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
1400 goto process_auth_err;
1402 EVP_MAC_CTX_free(ctx);
1406 EVP_MAC_CTX_free(ctx);
1407 OPENSSL_LOG(ERR, "Process openssl auth failed");
1411 /** Process standard openssl auth algorithms with hmac */
1413 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
1414 int srclen, HMAC_CTX *ctx)
1416 unsigned int dstlen;
1421 for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
1423 offset -= rte_pktmbuf_data_len(m);
1426 goto process_auth_err;
1428 src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
1430 l = rte_pktmbuf_data_len(m) - offset;
1432 if (HMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
1433 goto process_auth_err;
1434 goto process_auth_final;
1437 if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
1438 goto process_auth_err;
1442 for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
1443 src = rte_pktmbuf_mtod(m, uint8_t *);
1444 l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
1445 if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
1446 goto process_auth_err;
1451 if (HMAC_Final(ctx, dst, &dstlen) != 1)
1452 goto process_auth_err;
1454 if (unlikely(HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) != 1))
1455 goto process_auth_err;
1460 OPENSSL_LOG(ERR, "Process openssl auth failed");
1464 /*----------------------------------------------------------------------------*/
1466 /** Process auth/cipher combined operation */
1468 process_openssl_combined_op
1469 (struct rte_crypto_op *op, struct openssl_session *sess,
1470 struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
1473 uint8_t *dst = NULL, *iv, *tag, *aad;
1474 int srclen, aadlen, status = -1;
1479 * Segmented destination buffer is not supported for
1480 * encryption/decryption
1482 if (!rte_pktmbuf_is_contiguous(mbuf_dst)) {
1483 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
1487 iv = rte_crypto_op_ctod_offset(op, uint8_t *,
1489 if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
1491 offset = op->sym->auth.data.offset;
1492 aadlen = op->sym->auth.data.length;
1493 aad = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
1494 op->sym->auth.data.offset);
1495 tag = op->sym->auth.digest.data;
1497 tag = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
1500 srclen = op->sym->aead.data.length;
1501 dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
1502 op->sym->aead.data.offset);
1503 offset = op->sym->aead.data.offset;
1504 aad = op->sym->aead.aad.data;
1505 aadlen = sess->auth.aad_length;
1506 tag = op->sym->aead.digest.data;
1508 tag = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
1512 taglen = sess->auth.digest_length;
1514 if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
1515 if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
1516 sess->aead_algo == RTE_CRYPTO_AEAD_AES_GCM)
1517 status = process_openssl_auth_encryption_gcm(
1518 mbuf_src, offset, srclen,
1520 dst, tag, sess->cipher.ctx);
1522 status = process_openssl_auth_encryption_ccm(
1523 mbuf_src, offset, srclen,
1525 dst, tag, taglen, sess->cipher.ctx);
1528 if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
1529 sess->aead_algo == RTE_CRYPTO_AEAD_AES_GCM)
1530 status = process_openssl_auth_decryption_gcm(
1531 mbuf_src, offset, srclen,
1533 dst, tag, sess->cipher.ctx);
1535 status = process_openssl_auth_decryption_ccm(
1536 mbuf_src, offset, srclen,
1538 dst, tag, taglen, sess->cipher.ctx);
1542 if (status == (-EFAULT) &&
1543 sess->auth.operation ==
1544 RTE_CRYPTO_AUTH_OP_VERIFY)
1545 op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
1547 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
1551 /** Process cipher operation */
1553 process_openssl_cipher_op
1554 (struct rte_crypto_op *op, struct openssl_session *sess,
1555 struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
1559 uint8_t inplace = (mbuf_src == mbuf_dst) ? 1 : 0;
1560 EVP_CIPHER_CTX *ctx_copy;
1563 * Segmented OOP destination buffer is not supported for encryption/
1564 * decryption. In case of des3ctr, even inplace segmented buffers are
1567 if (!rte_pktmbuf_is_contiguous(mbuf_dst) &&
1568 (!inplace || sess->cipher.mode != OPENSSL_CIPHER_LIB)) {
1569 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
1573 srclen = op->sym->cipher.data.length;
1574 dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
1575 op->sym->cipher.data.offset);
1577 iv = rte_crypto_op_ctod_offset(op, uint8_t *,
1579 ctx_copy = EVP_CIPHER_CTX_new();
1580 EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
1582 if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
1583 if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
1584 status = process_openssl_cipher_encrypt(mbuf_src, dst,
1585 op->sym->cipher.data.offset, iv,
1586 srclen, ctx_copy, inplace);
1588 status = process_openssl_cipher_decrypt(mbuf_src, dst,
1589 op->sym->cipher.data.offset, iv,
1590 srclen, ctx_copy, inplace);
1592 status = process_openssl_cipher_des3ctr(mbuf_src, dst,
1593 op->sym->cipher.data.offset, iv,
1594 sess->cipher.key.data, srclen,
1597 EVP_CIPHER_CTX_free(ctx_copy);
1599 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
1602 /** Process cipher operation */
1604 process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
1605 struct openssl_session *sess, struct rte_mbuf *mbuf_src,
1606 struct rte_mbuf *mbuf_dst)
1608 uint8_t *src, *dst, *iv;
1609 uint8_t block_size, last_block_len;
1610 int srclen, status = 0;
1612 srclen = op->sym->cipher.data.length;
1613 src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
1614 op->sym->cipher.data.offset);
1615 dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
1616 op->sym->cipher.data.offset);
1618 iv = rte_crypto_op_ctod_offset(op, uint8_t *,
1621 block_size = DES_BLOCK_SIZE;
1623 last_block_len = srclen % block_size;
1624 if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
1625 /* Encrypt only with ECB mode XOR IV */
1626 if (srclen < block_size) {
1627 status = process_openssl_cipher_bpi_encrypt(src, dst,
1629 sess->cipher.bpi_ctx);
1631 srclen -= last_block_len;
1632 /* Encrypt with the block aligned stream with CBC mode */
1633 status = process_openssl_cipher_encrypt(mbuf_src, dst,
1634 op->sym->cipher.data.offset, iv,
1635 srclen, sess->cipher.ctx, 0);
1636 if (last_block_len) {
1637 /* Point at last block */
1640 * IV is the last encrypted block from
1641 * the previous operation
1643 iv = dst - block_size;
1645 srclen = last_block_len;
1646 /* Encrypt the last frame with ECB mode */
1647 status |= process_openssl_cipher_bpi_encrypt(src,
1649 srclen, sess->cipher.bpi_ctx);
1653 /* Decrypt only with ECB mode (encrypt, as it is same operation) */
1654 if (srclen < block_size) {
1655 status = process_openssl_cipher_bpi_encrypt(src, dst,
1658 sess->cipher.bpi_ctx);
1660 if (last_block_len) {
1661 /* Point at last block */
1662 dst += srclen - last_block_len;
1663 src += srclen - last_block_len;
1665 * IV is the last full block
1667 iv = src - block_size;
1669 * Decrypt the last frame with ECB mode
1670 * (encrypt, as it is the same operation)
1672 status = process_openssl_cipher_bpi_encrypt(src,
1674 last_block_len, sess->cipher.bpi_ctx);
1675 /* Prepare parameters for CBC mode op */
1676 iv = rte_crypto_op_ctod_offset(op, uint8_t *,
1678 dst += last_block_len - srclen;
1679 srclen -= last_block_len;
1682 /* Decrypt with CBC mode */
1683 status |= process_openssl_cipher_decrypt(mbuf_src, dst,
1684 op->sym->cipher.data.offset, iv,
1685 srclen, sess->cipher.ctx, 0);
1690 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
1693 /** Process auth operation */
1695 process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
1696 struct openssl_session *sess, struct rte_mbuf *mbuf_src,
1697 struct rte_mbuf *mbuf_dst)
1702 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
1709 srclen = op->sym->auth.data.length;
1711 dst = qp->temp_digest;
1713 switch (sess->auth.mode) {
1714 case OPENSSL_AUTH_AS_AUTH:
1715 ctx_a = EVP_MD_CTX_create();
1716 EVP_MD_CTX_copy_ex(ctx_a, sess->auth.auth.ctx);
1717 status = process_openssl_auth(mbuf_src, dst,
1718 op->sym->auth.data.offset, NULL, NULL, srclen,
1719 ctx_a, sess->auth.auth.evp_algo);
1720 EVP_MD_CTX_destroy(ctx_a);
1722 case OPENSSL_AUTH_AS_HMAC:
1723 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
1724 mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
1725 ctx_h = EVP_MAC_CTX_new(mac);
1726 ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
1728 status = process_openssl_auth_hmac(mbuf_src, dst,
1729 op->sym->auth.data.offset, srclen,
1732 ctx_h = HMAC_CTX_new();
1733 HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
1734 status = process_openssl_auth_hmac(mbuf_src, dst,
1735 op->sym->auth.data.offset, srclen,
1737 HMAC_CTX_free(ctx_h);
1745 if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
1746 if (CRYPTO_memcmp(dst, op->sym->auth.digest.data,
1747 sess->auth.digest_length) != 0) {
1748 op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
1753 auth_dst = op->sym->auth.digest.data;
1754 if (auth_dst == NULL)
1755 auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
1756 op->sym->auth.data.offset +
1757 op->sym->auth.data.length);
1758 memcpy(auth_dst, dst, sess->auth.digest_length);
1762 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
1765 /* process dsa sign operation */
1767 process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
1768 struct openssl_asym_session *sess)
1770 struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
1771 DSA *dsa = sess->u.s.dsa;
1772 DSA_SIG *sign = NULL;
1774 sign = DSA_do_sign(op->message.data,
1779 OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
1780 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
1782 const BIGNUM *r = NULL, *s = NULL;
1783 get_dsa_sign(sign, &r, &s);
1785 op->r.length = BN_bn2bin(r, op->r.data);
1786 op->s.length = BN_bn2bin(s, op->s.data);
1787 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
1795 /* process dsa verify operation */
1797 process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
1798 struct openssl_asym_session *sess)
1800 struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
1801 DSA *dsa = sess->u.s.dsa;
1803 DSA_SIG *sign = DSA_SIG_new();
1804 BIGNUM *r = NULL, *s = NULL;
1805 BIGNUM *pub_key = NULL;
1808 OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
1809 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
1813 r = BN_bin2bn(op->r.data,
1816 s = BN_bin2bn(op->s.data,
1819 pub_key = BN_bin2bn(op->y.data,
1822 if (!r || !s || !pub_key) {
1827 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
1830 set_dsa_sign(sign, r, s);
1831 set_dsa_pub_key(dsa, pub_key);
1833 ret = DSA_do_verify(op->message.data,
1839 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
1841 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
1848 /* process dh operation */
1850 process_openssl_dh_op(struct rte_crypto_op *cop,
1851 struct openssl_asym_session *sess)
1853 struct rte_crypto_dh_op_param *op = &cop->asym->dh;
1854 struct rte_crypto_asym_op *asym_op = cop->asym;
1855 DH *dh_key = sess->u.dh.dh_key;
1856 BIGNUM *priv_key = NULL;
1859 if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
1860 /* compute shared secret using peer public key
1861 * and current private key
1862 * shared secret = peer_key ^ priv_key mod p
1864 BIGNUM *peer_key = NULL;
1866 /* copy private key and peer key and compute shared secret */
1867 peer_key = BN_bin2bn(op->pub_key.data,
1870 if (peer_key == NULL) {
1871 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
1874 priv_key = BN_bin2bn(op->priv_key.data,
1875 op->priv_key.length,
1877 if (priv_key == NULL) {
1879 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
1882 ret = set_dh_priv_key(dh_key, priv_key);
1884 OPENSSL_LOG(ERR, "Failed to set private key\n");
1885 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
1891 ret = DH_compute_key(
1892 op->shared_secret.data,
1895 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
1897 /* priv key is already loaded into dh,
1898 * let's not free that directly here.
1899 * DH_free() will auto free it later.
1903 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
1904 op->shared_secret.length = ret;
1910 * other options are public and private key generations.
1912 * if user provides private key,
1913 * then first set DH with user provided private key
1915 if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE &&
1916 op->priv_key.length) {
1917 /* generate public key using user-provided private key
1918 * pub_key = g ^ priv_key mod p
1921 /* load private key into DH */
1922 priv_key = BN_bin2bn(op->priv_key.data,
1923 op->priv_key.length,
1925 if (priv_key == NULL) {
1926 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
1929 ret = set_dh_priv_key(dh_key, priv_key);
1931 OPENSSL_LOG(ERR, "Failed to set private key\n");
1932 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
1938 /* generate public and private key pair.
1940 * if private key already set, generates only public key.
1942 * if private key is not already set, then set it to random value
1943 * and update internal private key.
1945 if (!DH_generate_key(dh_key)) {
1946 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
1950 if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
1951 const BIGNUM *pub_key = NULL;
1953 OPENSSL_LOG(DEBUG, "%s:%d update public key\n",
1954 __func__, __LINE__);
1956 /* get the generated keys */
1957 get_dh_pub_key(dh_key, &pub_key);
1959 /* output public key */
1960 op->pub_key.length = BN_bn2bin(pub_key,
1964 if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
1965 const BIGNUM *priv_key = NULL;
1967 OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n",
1968 __func__, __LINE__);
1970 /* get the generated keys */
1971 get_dh_priv_key(dh_key, &priv_key);
1973 /* provide generated private key back to user */
1974 op->priv_key.length = BN_bn2bin(priv_key,
1978 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
1983 /* process modinv operation */
1985 process_openssl_modinv_op(struct rte_crypto_op *cop,
1986 struct openssl_asym_session *sess)
1988 struct rte_crypto_asym_op *op = cop->asym;
1989 BIGNUM *base = BN_CTX_get(sess->u.m.ctx);
1990 BIGNUM *res = BN_CTX_get(sess->u.m.ctx);
1992 if (unlikely(base == NULL || res == NULL)) {
1995 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
1999 base = BN_bin2bn((const unsigned char *)op->modinv.base.data,
2000 op->modinv.base.length, base);
2002 if (BN_mod_inverse(res, base, sess->u.m.modulus, sess->u.m.ctx)) {
2003 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
2004 op->modinv.result.length = BN_bn2bin(res, op->modinv.result.data);
2006 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
2015 /* process modexp operation */
2017 process_openssl_modexp_op(struct rte_crypto_op *cop,
2018 struct openssl_asym_session *sess)
2020 struct rte_crypto_asym_op *op = cop->asym;
2021 BIGNUM *base = BN_CTX_get(sess->u.e.ctx);
2022 BIGNUM *res = BN_CTX_get(sess->u.e.ctx);
2024 if (unlikely(base == NULL || res == NULL)) {
2027 cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
2031 base = BN_bin2bn((const unsigned char *)op->modex.base.data,
2032 op->modex.base.length, base);
2034 if (BN_mod_exp(res, base, sess->u.e.exp,
2035 sess->u.e.mod, sess->u.e.ctx)) {
2036 op->modex.result.length = BN_bn2bin(res, op->modex.result.data);
2037 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
2039 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
2048 /* process rsa operations */
2049 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
2051 process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
2052 struct openssl_asym_session *sess)
2054 struct rte_crypto_asym_op *op = cop->asym;
2055 uint32_t pad = (op->rsa.padding.type);
2060 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
2061 EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
2066 case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
2067 pad = RSA_PKCS1_PADDING;
2069 case RTE_CRYPTO_RSA_PADDING_NONE:
2070 pad = RSA_NO_PADDING;
2073 cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
2075 "rsa pad type not supported %d\n", pad);
2079 switch (op->rsa.op_type) {
2080 case RTE_CRYPTO_ASYM_OP_ENCRYPT:
2081 if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
2084 if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
2087 if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
2088 op->rsa.message.data,
2089 op->rsa.message.length) <= 0)
2095 if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
2096 op->rsa.message.data,
2097 op->rsa.message.length) <= 0)
2099 op->rsa.cipher.length = outlen;
2102 "length of encrypted text %zu\n", outlen);
2105 case RTE_CRYPTO_ASYM_OP_DECRYPT:
2106 if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
2109 if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
2112 if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
2113 op->rsa.cipher.data,
2114 op->rsa.cipher.length) <= 0)
2120 if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
2121 op->rsa.cipher.data,
2122 op->rsa.cipher.length) <= 0)
2124 op->rsa.message.length = outlen;
2126 OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
2129 case RTE_CRYPTO_ASYM_OP_SIGN:
2130 if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
2133 if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
2136 if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
2137 op->rsa.message.data,
2138 op->rsa.message.length) <= 0)
2140 op->rsa.sign.length = outlen;
2143 case RTE_CRYPTO_ASYM_OP_VERIFY:
2144 tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
2146 OPENSSL_LOG(ERR, "Memory allocation failed");
2150 if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
2155 if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
2160 if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
2162 op->rsa.sign.length) <= 0) {
2168 "Length of public_decrypt %zu "
2169 "length of message %zd\n",
2170 outlen, op->rsa.message.length);
2171 if (CRYPTO_memcmp(tmp, op->rsa.message.data,
2172 op->rsa.message.length)) {
2173 OPENSSL_LOG(ERR, "RSA sign Verification failed");
2179 /* allow ops with invalid args to be pushed to
2182 cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
2187 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
2194 process_openssl_rsa_op(struct rte_crypto_op *cop,
2195 struct openssl_asym_session *sess)
2198 struct rte_crypto_asym_op *op = cop->asym;
2199 RSA *rsa = sess->u.r.rsa;
2200 uint32_t pad = (op->rsa.padding.type);
2203 cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
2206 case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
2207 pad = RSA_PKCS1_PADDING;
2209 case RTE_CRYPTO_RSA_PADDING_NONE:
2210 pad = RSA_NO_PADDING;
2213 cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
2215 "rsa pad type not supported %d\n", pad);
2219 switch (op->rsa.op_type) {
2220 case RTE_CRYPTO_ASYM_OP_ENCRYPT:
2221 ret = RSA_public_encrypt(op->rsa.message.length,
2222 op->rsa.message.data,
2223 op->rsa.cipher.data,
2228 op->rsa.cipher.length = ret;
2230 "length of encrypted text %d\n", ret);
2233 case RTE_CRYPTO_ASYM_OP_DECRYPT:
2234 ret = RSA_private_decrypt(op->rsa.cipher.length,
2235 op->rsa.cipher.data,
2236 op->rsa.message.data,
2240 op->rsa.message.length = ret;
2243 case RTE_CRYPTO_ASYM_OP_SIGN:
2244 ret = RSA_private_encrypt(op->rsa.message.length,
2245 op->rsa.message.data,
2250 op->rsa.sign.length = ret;
2253 case RTE_CRYPTO_ASYM_OP_VERIFY:
2254 tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
2256 OPENSSL_LOG(ERR, "Memory allocation failed");
2257 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
2260 ret = RSA_public_decrypt(op->rsa.sign.length,
2267 "Length of public_decrypt %d "
2268 "length of message %zd\n",
2269 ret, op->rsa.message.length);
2270 if ((ret <= 0) || (CRYPTO_memcmp(tmp, op->rsa.message.data,
2271 op->rsa.message.length))) {
2272 OPENSSL_LOG(ERR, "RSA sign Verification failed");
2273 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
2279 /* allow ops with invalid args to be pushed to
2282 cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
2287 cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
2294 process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
2295 struct openssl_asym_session *sess)
2299 op->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
2301 switch (sess->xfrm_type) {
2302 case RTE_CRYPTO_ASYM_XFORM_RSA:
2303 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
2304 retval = process_openssl_rsa_op_evp(op, sess);
2306 retval = process_openssl_rsa_op(op, sess);
2309 case RTE_CRYPTO_ASYM_XFORM_MODEX:
2310 retval = process_openssl_modexp_op(op, sess);
2312 case RTE_CRYPTO_ASYM_XFORM_MODINV:
2313 retval = process_openssl_modinv_op(op, sess);
2315 case RTE_CRYPTO_ASYM_XFORM_DH:
2316 retval = process_openssl_dh_op(op, sess);
2318 case RTE_CRYPTO_ASYM_XFORM_DSA:
2319 if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
2320 retval = process_openssl_dsa_sign_op(op, sess);
2321 else if (op->asym->dsa.op_type ==
2322 RTE_CRYPTO_ASYM_OP_VERIFY)
2324 process_openssl_dsa_verify_op(op, sess);
2326 op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
2329 op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
2333 /* op processed so push to completion queue as processed */
2334 retval = rte_ring_enqueue(qp->processed_ops, (void *)op);
2336 /* return error if failed to put in completion queue */
2344 copy_plaintext(struct rte_mbuf *m_src, struct rte_mbuf *m_dst,
2345 struct rte_crypto_op *op)
2347 uint8_t *p_src, *p_dst;
2349 p_src = rte_pktmbuf_mtod(m_src, uint8_t *);
2350 p_dst = rte_pktmbuf_mtod(m_dst, uint8_t *);
2353 * Copy the content between cipher offset and auth offset
2354 * for generating correct digest.
2356 if (op->sym->cipher.data.offset > op->sym->auth.data.offset)
2357 memcpy(p_dst + op->sym->auth.data.offset,
2358 p_src + op->sym->auth.data.offset,
2359 op->sym->cipher.data.offset -
2360 op->sym->auth.data.offset);
2363 /** Process crypto operation for mbuf */
2365 process_op(struct openssl_qp *qp, struct rte_crypto_op *op,
2366 struct openssl_session *sess)
2368 struct rte_mbuf *msrc, *mdst;
2371 msrc = op->sym->m_src;
2372 mdst = op->sym->m_dst ? op->sym->m_dst : op->sym->m_src;
2374 op->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
2376 switch (sess->chain_order) {
2377 case OPENSSL_CHAIN_ONLY_CIPHER:
2378 process_openssl_cipher_op(op, sess, msrc, mdst);
2380 case OPENSSL_CHAIN_ONLY_AUTH:
2381 process_openssl_auth_op(qp, op, sess, msrc, mdst);
2383 case OPENSSL_CHAIN_CIPHER_AUTH:
2384 process_openssl_cipher_op(op, sess, msrc, mdst);
2387 copy_plaintext(msrc, mdst, op);
2388 process_openssl_auth_op(qp, op, sess, mdst, mdst);
2390 case OPENSSL_CHAIN_AUTH_CIPHER:
2391 process_openssl_auth_op(qp, op, sess, msrc, mdst);
2392 process_openssl_cipher_op(op, sess, msrc, mdst);
2394 case OPENSSL_CHAIN_COMBINED:
2395 process_openssl_combined_op(op, sess, msrc, mdst);
2397 case OPENSSL_CHAIN_CIPHER_BPI:
2398 process_openssl_docsis_bpi_op(op, sess, msrc, mdst);
2401 op->status = RTE_CRYPTO_OP_STATUS_ERROR;
2405 /* Free session if a session-less crypto op */
2406 if (op->sess_type == RTE_CRYPTO_OP_SESSIONLESS) {
2407 openssl_reset_session(sess);
2408 memset(sess, 0, sizeof(struct openssl_session));
2409 memset(op->sym->session, 0,
2410 rte_cryptodev_sym_get_existing_header_session_size(
2412 rte_mempool_put(qp->sess_mp_priv, sess);
2413 rte_mempool_put(qp->sess_mp, op->sym->session);
2414 op->sym->session = NULL;
2417 if (op->status == RTE_CRYPTO_OP_STATUS_NOT_PROCESSED)
2418 op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
2420 if (op->status != RTE_CRYPTO_OP_STATUS_ERROR)
2421 retval = rte_ring_enqueue(qp->processed_ops, (void *)op);
2429 *------------------------------------------------------------------------------
2431 *------------------------------------------------------------------------------
2434 /** Enqueue burst */
2436 openssl_pmd_enqueue_burst(void *queue_pair, struct rte_crypto_op **ops,
2440 struct openssl_qp *qp = queue_pair;
2443 for (i = 0; i < nb_ops; i++) {
2444 sess = get_session(qp, ops[i]);
2445 if (unlikely(sess == NULL))
2448 if (ops[i]->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC)
2449 retval = process_op(qp, ops[i],
2450 (struct openssl_session *) sess);
2452 retval = process_asym_op(qp, ops[i],
2453 (struct openssl_asym_session *) sess);
2454 if (unlikely(retval < 0))
2458 qp->stats.enqueued_count += i;
2462 qp->stats.enqueue_err_count++;
2466 /** Dequeue burst */
2468 openssl_pmd_dequeue_burst(void *queue_pair, struct rte_crypto_op **ops,
2471 struct openssl_qp *qp = queue_pair;
2473 unsigned int nb_dequeued = 0;
2475 nb_dequeued = rte_ring_dequeue_burst(qp->processed_ops,
2476 (void **)ops, nb_ops, NULL);
2477 qp->stats.dequeued_count += nb_dequeued;
2482 /** Create OPENSSL crypto device */
2484 cryptodev_openssl_create(const char *name,
2485 struct rte_vdev_device *vdev,
2486 struct rte_cryptodev_pmd_init_params *init_params)
2488 struct rte_cryptodev *dev;
2489 struct openssl_private *internals;
2491 dev = rte_cryptodev_pmd_create(name, &vdev->device, init_params);
2493 OPENSSL_LOG(ERR, "failed to create cryptodev vdev");
2497 dev->driver_id = cryptodev_driver_id;
2498 dev->dev_ops = rte_openssl_pmd_ops;
2500 /* register rx/tx burst functions for data path */
2501 dev->dequeue_burst = openssl_pmd_dequeue_burst;
2502 dev->enqueue_burst = openssl_pmd_enqueue_burst;
2504 dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
2505 RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
2506 RTE_CRYPTODEV_FF_CPU_AESNI |
2507 RTE_CRYPTODEV_FF_IN_PLACE_SGL |
2508 RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT |
2509 RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT |
2510 RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO |
2511 RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_EXP |
2512 RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT |
2513 RTE_CRYPTODEV_FF_SYM_SESSIONLESS;
2515 internals = dev->data->dev_private;
2517 internals->max_nb_qpairs = init_params->max_nb_queue_pairs;
2519 rte_cryptodev_pmd_probing_finish(dev);
2521 # if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
2522 /* Load legacy provider
2523 * Some algorithms are no longer available in earlier version of openssl,
2524 * unless the legacy provider explicitly loaded. e.g. DES
2526 ossl_legacy_provider_load();
2531 OPENSSL_LOG(ERR, "driver %s: create failed",
2534 cryptodev_openssl_remove(vdev);
2538 /** Initialise OPENSSL crypto device */
2540 cryptodev_openssl_probe(struct rte_vdev_device *vdev)
2542 struct rte_cryptodev_pmd_init_params init_params = {
2544 sizeof(struct openssl_private),
2546 RTE_CRYPTODEV_PMD_DEFAULT_MAX_NB_QUEUE_PAIRS
2549 const char *input_args;
2551 name = rte_vdev_device_name(vdev);
2554 input_args = rte_vdev_device_args(vdev);
2556 rte_cryptodev_pmd_parse_input_args(&init_params, input_args);
2558 return cryptodev_openssl_create(name, vdev, &init_params);
2561 /** Uninitialise OPENSSL crypto device */
2563 cryptodev_openssl_remove(struct rte_vdev_device *vdev)
2565 struct rte_cryptodev *cryptodev;
2568 name = rte_vdev_device_name(vdev);
2572 cryptodev = rte_cryptodev_pmd_get_named_dev(name);
2573 if (cryptodev == NULL)
2576 # if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
2577 ossl_legacy_provider_unload();
2579 return rte_cryptodev_pmd_destroy(cryptodev);
2582 static struct rte_vdev_driver cryptodev_openssl_pmd_drv = {
2583 .probe = cryptodev_openssl_probe,
2584 .remove = cryptodev_openssl_remove
2587 static struct cryptodev_driver openssl_crypto_drv;
2589 RTE_PMD_REGISTER_VDEV(CRYPTODEV_NAME_OPENSSL_PMD,
2590 cryptodev_openssl_pmd_drv);
2591 RTE_PMD_REGISTER_PARAM_STRING(CRYPTODEV_NAME_OPENSSL_PMD,
2592 "max_nb_queue_pairs=<int> "
2594 RTE_PMD_REGISTER_CRYPTO_DRIVER(openssl_crypto_drv,
2595 cryptodev_openssl_pmd_drv.driver, cryptodev_driver_id);
2596 RTE_LOG_REGISTER_DEFAULT(openssl_logtype_driver, INFO);