net/sfc: check mbufs allocated using mempool API for Rx

[dpdk.git] / drivers / crypto / aesni_mb / rte_aesni_mb_pmd.c

diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
index e2dd834..05f08a6 100644 (file)
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd.c
@@ -14,6 +14,9 @@
 
 #include "rte_aesni_mb_pmd_private.h"
 
+#define AES_CCM_DIGEST_MIN_LEN 4
+#define AES_CCM_DIGEST_MAX_LEN 16
+#define HMAC_MAX_BLOCK_SIZE 128
 static uint8_t cryptodev_driver_id;
 
 typedef void (*hash_one_block_t)(const void *data, void *digest);
@@ -101,6 +104,8 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
                const struct rte_crypto_sym_xform *xform)
 {
        hash_one_block_t hash_oneblock_fn;
+       unsigned int key_larger_block_size = 0;
+       uint8_t hashed_key[HMAC_MAX_BLOCK_SIZE] = { 0 };
 
        if (xform == NULL) {
                sess->auth.algo = NULL_HASH;
@@ -112,12 +117,23 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
                return -1;
        }
 
+       /* Set the request digest size */
+       sess->auth.req_digest_len = xform->auth.digest_length;
+
        /* Select auth generate/verify */
        sess->auth.operation = xform->auth.op;
 
        /* Set Authentication Parameters */
        if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) {
                sess->auth.algo = AES_XCBC;
+
+               uint16_t xcbc_mac_digest_len =
+                       get_truncated_digest_byte_length(AES_XCBC);
+               if (sess->auth.req_digest_len != xcbc_mac_digest_len) {
+                       AESNI_MB_LOG(ERR, "Invalid digest size\n");
+                       return -EINVAL;
+               }
+               sess->auth.gen_digest_len = sess->auth.req_digest_len;
                (*mb_ops->aux.keyexp.aes_xcbc)(xform->auth.key.data,
                                sess->auth.xcbc.k1_expanded,
                                sess->auth.xcbc.k2, sess->auth.xcbc.k3);
@@ -126,6 +142,32 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
 
        if (xform->auth.algo == RTE_CRYPTO_AUTH_AES_CMAC) {
                sess->auth.algo = AES_CMAC;
+
+               uint16_t cmac_digest_len = get_digest_byte_length(AES_CMAC);
+
+               if (sess->auth.req_digest_len > cmac_digest_len) {
+                       AESNI_MB_LOG(ERR, "Invalid digest size\n");
+                       return -EINVAL;
+               }
+               /*
+                * Multi-buffer lib supports digest sizes from 4 to 16 bytes
+                * in version 0.50 and sizes of 12 and 16 bytes,
+                * in version 0.49.
+                * If size requested is different, generate the full digest
+                * (16 bytes) in a temporary location and then memcpy
+                * the requested number of bytes.
+                */
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+               if (sess->auth.req_digest_len < 4)
+#else
+               uint16_t cmac_trunc_digest_len =
+                               get_truncated_digest_byte_length(AES_CMAC);
+               if (sess->auth.req_digest_len != cmac_digest_len &&
+                               sess->auth.req_digest_len != cmac_trunc_digest_len)
+#endif
+                       sess->auth.gen_digest_len = cmac_digest_len;
+               else
+                       sess->auth.gen_digest_len = sess->auth.req_digest_len;
                (*mb_ops->aux.keyexp.aes_cmac_expkey)(xform->auth.key.data,
                                sess->auth.cmac.expkey);
 
@@ -134,7 +176,6 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
                return 0;
        }
 
-
        switch (xform->auth.algo) {
        case RTE_CRYPTO_AUTH_MD5_HMAC:
                sess->auth.algo = MD5;
@@ -143,34 +184,107 @@ aesni_mb_set_session_auth_parameters(const struct aesni_mb_op_fns *mb_ops,
        case RTE_CRYPTO_AUTH_SHA1_HMAC:
                sess->auth.algo = SHA1;
                hash_oneblock_fn = mb_ops->aux.one_block.sha1;
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+               if (xform->auth.key.length > get_auth_algo_blocksize(SHA1)) {
+                       mb_ops->aux.multi_block.sha1(
+                               xform->auth.key.data,
+                               xform->auth.key.length,
+                               hashed_key);
+                       key_larger_block_size = 1;
+               }
+#endif
                break;
        case RTE_CRYPTO_AUTH_SHA224_HMAC:
                sess->auth.algo = SHA_224;
                hash_oneblock_fn = mb_ops->aux.one_block.sha224;
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+               if (xform->auth.key.length > get_auth_algo_blocksize(SHA_224)) {
+                       mb_ops->aux.multi_block.sha224(
+                               xform->auth.key.data,
+                               xform->auth.key.length,
+                               hashed_key);
+                       key_larger_block_size = 1;
+               }
+#endif
                break;
        case RTE_CRYPTO_AUTH_SHA256_HMAC:
                sess->auth.algo = SHA_256;
                hash_oneblock_fn = mb_ops->aux.one_block.sha256;
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+               if (xform->auth.key.length > get_auth_algo_blocksize(SHA_256)) {
+                       mb_ops->aux.multi_block.sha256(
+                               xform->auth.key.data,
+                               xform->auth.key.length,
+                               hashed_key);
+                       key_larger_block_size = 1;
+               }
+#endif
                break;
        case RTE_CRYPTO_AUTH_SHA384_HMAC:
                sess->auth.algo = SHA_384;
                hash_oneblock_fn = mb_ops->aux.one_block.sha384;
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+               if (xform->auth.key.length > get_auth_algo_blocksize(SHA_384)) {
+                       mb_ops->aux.multi_block.sha384(
+                               xform->auth.key.data,
+                               xform->auth.key.length,
+                               hashed_key);
+                       key_larger_block_size = 1;
+               }
+#endif
                break;
        case RTE_CRYPTO_AUTH_SHA512_HMAC:
                sess->auth.algo = SHA_512;
                hash_oneblock_fn = mb_ops->aux.one_block.sha512;
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+               if (xform->auth.key.length > get_auth_algo_blocksize(SHA_512)) {
+                       mb_ops->aux.multi_block.sha512(
+                               xform->auth.key.data,
+                               xform->auth.key.length,
+                               hashed_key);
+                       key_larger_block_size = 1;
+               }
+#endif
                break;
        default:
                AESNI_MB_LOG(ERR, "Unsupported authentication algorithm selection");
                return -ENOTSUP;
        }
+       uint16_t trunc_digest_size =
+                       get_truncated_digest_byte_length(sess->auth.algo);
+       uint16_t full_digest_size =
+                       get_digest_byte_length(sess->auth.algo);
+
+#if IMB_VERSION_NUM >= IMB_VERSION(0, 50, 0)
+       if (sess->auth.req_digest_len > full_digest_size ||
+                       sess->auth.req_digest_len == 0) {
+#else
+       if (sess->auth.req_digest_len != trunc_digest_size) {
+#endif
+               AESNI_MB_LOG(ERR, "Invalid digest size\n");
+               return -EINVAL;
+       }
+
+       if (sess->auth.req_digest_len != trunc_digest_size &&
+                       sess->auth.req_digest_len != full_digest_size)
+               sess->auth.gen_digest_len = full_digest_size;
+       else
+               sess->auth.gen_digest_len = sess->auth.req_digest_len;
 
        /* Calculate Authentication precomputes */
-       calculate_auth_precomputes(hash_oneblock_fn,
+       if (key_larger_block_size) {
+               calculate_auth_precomputes(hash_oneblock_fn,
+                       sess->auth.pads.inner, sess->auth.pads.outer,
+                       hashed_key,
+                       xform->auth.key.length,
+                       get_auth_algo_blocksize(sess->auth.algo));
+       } else {
+               calculate_auth_precomputes(hash_oneblock_fn,
                        sess->auth.pads.inner, sess->auth.pads.outer,
                        xform->auth.key.data,
                        xform->auth.key.length,
                        get_auth_algo_blocksize(sess->auth.algo));
+       }
 
        return 0;
 }
@@ -360,6 +474,16 @@ aesni_mb_set_session_aead_parameters(const struct aesni_mb_op_fns *mb_ops,
        sess->iv.offset = xform->aead.iv.offset;
        sess->iv.length = xform->aead.iv.length;
 
+       sess->auth.req_digest_len = xform->aead.digest_length;
+       /* CCM digests must be between 4 and 16 and an even number */
+       if (sess->auth.req_digest_len < AES_CCM_DIGEST_MIN_LEN ||
+                       sess->auth.req_digest_len > AES_CCM_DIGEST_MAX_LEN ||
+                       (sess->auth.req_digest_len & 1) == 1) {
+               AESNI_MB_LOG(ERR, "Invalid digest size\n");
+               return -EINVAL;
+       }
+       sess->auth.gen_digest_len = sess->auth.req_digest_len;
+
        /* Check key length and choose key expansion function for AES */
 
        switch (xform->aead.key.length) {
@@ -397,19 +521,16 @@ aesni_mb_set_session_parameters(const struct aesni_mb_op_fns *mb_ops,
                sess->chain_order = HASH_CIPHER;
                auth_xform = xform;
                cipher_xform = xform->next;
-               sess->auth.digest_len = xform->auth.digest_length;
                break;
        case AESNI_MB_OP_CIPHER_HASH:
                sess->chain_order = CIPHER_HASH;
                auth_xform = xform->next;
                cipher_xform = xform;
-               sess->auth.digest_len = xform->auth.digest_length;
                break;
        case AESNI_MB_OP_HASH_ONLY:
                sess->chain_order = HASH_CIPHER;
                auth_xform = xform;
                cipher_xform = NULL;
-               sess->auth.digest_len = xform->auth.digest_length;
                break;
        case AESNI_MB_OP_CIPHER_ONLY:
                /*
@@ -428,13 +549,11 @@ aesni_mb_set_session_parameters(const struct aesni_mb_op_fns *mb_ops,
        case AESNI_MB_OP_AEAD_CIPHER_HASH:
                sess->chain_order = CIPHER_HASH;
                sess->aead.aad_len = xform->aead.aad_length;
-               sess->auth.digest_len = xform->aead.digest_length;
                aead_xform = xform;
                break;
        case AESNI_MB_OP_AEAD_HASH_CIPHER:
                sess->chain_order = HASH_CIPHER;
                sess->aead.aad_len = xform->aead.aad_length;
-               sess->auth.digest_len = xform->aead.digest_length;
                aead_xform = xform;
                break;
        case AESNI_MB_OP_NOT_SUPPORTED:
@@ -641,21 +760,17 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
                        job->auth_tag_output = op->sym->aead.digest.data;
                else
                        job->auth_tag_output = op->sym->auth.digest.data;
-       }
 
-       /*
-        * Multi-buffer library current only support returning a truncated
-        * digest length as specified in the relevant IPsec RFCs
-        */
-       if (job->hash_alg != AES_CCM && job->hash_alg != AES_CMAC)
-               job->auth_tag_output_len_in_bytes =
-                               get_truncated_digest_byte_length(job->hash_alg);
-       else
-               job->auth_tag_output_len_in_bytes = session->auth.digest_len;
+               if (session->auth.req_digest_len != session->auth.gen_digest_len) {
+                       job->auth_tag_output = qp->temp_digests[*digest_idx];
+                       *digest_idx = (*digest_idx + 1) % MAX_JOBS;
+               }
+       }
 
+       /* Set digest length */
+       job->auth_tag_output_len_in_bytes = session->auth.gen_digest_len;
 
        /* Set IV parameters */
-
        job->iv_len_in_bytes = session->iv.length;
 
        /* Data  Parameter */
@@ -690,20 +805,37 @@ set_mb_job_params(JOB_AES_HMAC *job, struct aesni_mb_qp *qp,
 }
 
 static inline void
-verify_digest(struct aesni_mb_qp *qp __rte_unused, JOB_AES_HMAC *job,
-               struct rte_crypto_op *op) {
+verify_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
+               struct aesni_mb_session *sess)
+{
        /* Verify digest if required */
        if (job->hash_alg == AES_CCM) {
                if (memcmp(job->auth_tag_output, op->sym->aead.digest.data,
-                               job->auth_tag_output_len_in_bytes) != 0)
+                               sess->auth.req_digest_len) != 0)
                        op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
        } else {
                if (memcmp(job->auth_tag_output, op->sym->auth.digest.data,
-                               job->auth_tag_output_len_in_bytes) != 0)
+                               sess->auth.req_digest_len) != 0)
                        op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
        }
 }
 
+static inline void
+generate_digest(JOB_AES_HMAC *job, struct rte_crypto_op *op,
+               struct aesni_mb_session *sess)
+{
+       /* No extra copy neeed */
+       if (likely(sess->auth.req_digest_len == sess->auth.gen_digest_len))
+               return;
+
+       /*
+        * This can only happen for HMAC, so only digest
+        * for authentication algos is required
+        */
+       memcpy(op->sym->auth.digest.data, job->auth_tag_output,
+                       sess->auth.req_digest_len);
+}
+
 /**
  * Process a completed job and return rte_mbuf which job processed
  *
@@ -730,7 +862,9 @@ post_process_mb_job(struct aesni_mb_qp *qp, JOB_AES_HMAC *job)
                        if (job->hash_alg != NULL_HASH) {
                                if (sess->auth.operation ==
                                                RTE_CRYPTO_AUTH_OP_VERIFY)
-                                       verify_digest(qp, job, op);
+                                       verify_digest(job, op, sess);
+                               else
+                                       generate_digest(job, op, sess);
                        }
                        break;
                default: