summaryrefslogtreecommitdiffstats
path: root/src/plugins/crypto_ia32
diff options
context:
space:
mode:
authorDamjan Marion <damarion@cisco.com>2019-04-24 15:20:35 +0200
committerNeale Ranns <nranns@cisco.com>2019-04-25 01:36:12 +0000
commitd1bed687231bb64cf7761da37431ba61bc32b6d8 (patch)
tree891af80a873db9dda53c18e95f5eeb9366a1cb07 /src/plugins/crypto_ia32
parent20bc56ab58189ad9fa24feaaca3e76ea8e636140 (diff)
crypto: improve key handling
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/plugins/crypto_ia32')
-rw-r--r--src/plugins/crypto_ia32/aes_cbc.c25
-rw-r--r--src/plugins/crypto_ia32/aesni.h7
-rw-r--r--src/plugins/crypto_ia32/crypto_ia32.h1
-rw-r--r--src/plugins/crypto_ia32/main.c75
4 files changed, 94 insertions, 14 deletions
diff --git a/src/plugins/crypto_ia32/aes_cbc.c b/src/plugins/crypto_ia32/aes_cbc.c
index 091f7b6a539..7befdd2b4e6 100644
--- a/src/plugins/crypto_ia32/aes_cbc.c
+++ b/src/plugins/crypto_ia32/aes_cbc.c
@@ -97,7 +97,7 @@ aesni_ops_enc_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[],
u8 dummy[8192];
u8 *src[4] = { };
u8 *dst[4] = { };
- u8 *key[4] = { };
+ vnet_crypto_key_index_t key_index[4] = { ~0, ~0, ~0, ~0 };
u32x4 dummy_mask, len = { };
u32 i, j, count, n_left = n_ops;
__m128i r[4] = { }, k[4][rounds + 1];
@@ -127,10 +127,13 @@ more:
dst[i] = ops[0]->dst;
len[i] = ops[0]->len;
dummy_mask[i] = ~0;
- if (key[i] != ops[0]->key)
+ if (key_index[i] != ops[0]->key_index)
{
- aes_key_expand (k[i], ops[0]->key, ks);
- key[i] = ops[0]->key;
+ aesni_key_data_t *kd;
+ key_index[i] = ops[0]->key_index;
+ kd = (aesni_key_data_t *) cm->key_data[key_index[i]];
+ clib_memcpy_fast (k[i], kd->encrypt_key,
+ (rounds + 1) * sizeof (__m128i));
}
ops[0]->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
n_left--;
@@ -188,28 +191,22 @@ static_always_inline u32
aesni_ops_dec_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[],
u32 n_ops, aesni_key_size_t ks)
{
+ crypto_ia32_main_t *cm = &crypto_ia32_main;
int rounds = AESNI_KEY_ROUNDS (ks);
vnet_crypto_op_t *op = ops[0];
+ aesni_key_data_t *kd = (aesni_key_data_t *) cm->key_data[op->key_index];
u32 n_left = n_ops;
- u8 *last_key;
- __m128i k[rounds + 1];
ASSERT (n_ops >= 1);
-key_expand:
- last_key = op->key;
- aes_key_expand (k, op->key, ks);
- aes_key_enc_to_dec (k, ks);
-
decrypt:
- aes_cbc_dec (k, op->src, op->dst, op->iv, op->len, rounds);
+ aes_cbc_dec (kd->decrypt_key, op->src, op->dst, op->iv, op->len, rounds);
op->status = VNET_CRYPTO_OP_STATUS_COMPLETED;
if (--n_left)
{
op += 1;
- if (last_key != op->key)
- goto key_expand;
+ kd = (aesni_key_data_t *) cm->key_data[op->key_index];
goto decrypt;
}
diff --git a/src/plugins/crypto_ia32/aesni.h b/src/plugins/crypto_ia32/aesni.h
index 28e09fc5c51..80e30e51b33 100644
--- a/src/plugins/crypto_ia32/aesni.h
+++ b/src/plugins/crypto_ia32/aesni.h
@@ -18,6 +18,13 @@
#ifndef __aesni_h__
#define __aesni_h__
+
+typedef struct
+{
+ __m128i encrypt_key[15];
+ __m128i decrypt_key[15];
+} aesni_key_data_t;
+
typedef enum
{
AESNI_KEY_128 = 0,
diff --git a/src/plugins/crypto_ia32/crypto_ia32.h b/src/plugins/crypto_ia32/crypto_ia32.h
index ccb26ab1a4d..f5f09dfd499 100644
--- a/src/plugins/crypto_ia32/crypto_ia32.h
+++ b/src/plugins/crypto_ia32/crypto_ia32.h
@@ -27,6 +27,7 @@ typedef struct
{
u32 crypto_engine_index;
crypto_ia32_per_thread_data_t *per_thread_data;
+ void **key_data;
} crypto_ia32_main_t;
extern crypto_ia32_main_t crypto_ia32_main;
diff --git a/src/plugins/crypto_ia32/main.c b/src/plugins/crypto_ia32/main.c
index 9b83f8913db..8dd596b0dd6 100644
--- a/src/plugins/crypto_ia32/main.c
+++ b/src/plugins/crypto_ia32/main.c
@@ -19,9 +19,80 @@
#include <vnet/plugin/plugin.h>
#include <vnet/crypto/crypto.h>
#include <crypto_ia32/crypto_ia32.h>
+#include <crypto_ia32/aesni.h>
crypto_ia32_main_t crypto_ia32_main;
+static void
+crypto_ia32_key_handler (vlib_main_t * vm, vnet_crypto_key_op_t kop,
+ vnet_crypto_key_index_t idx)
+{
+ vnet_crypto_key_t *key = vnet_crypto_get_key (idx);
+ crypto_ia32_main_t *cm = &crypto_ia32_main;
+ aesni_key_data_t *kd;
+
+ switch (key->alg)
+ {
+ case VNET_CRYPTO_ALG_AES_128_CBC:
+ case VNET_CRYPTO_ALG_AES_192_CBC:
+ case VNET_CRYPTO_ALG_AES_256_CBC:
+ break;
+ default:
+ return;
+ break;
+ }
+
+ if (kop == VNET_CRYPTO_KEY_OP_DEL)
+ {
+ if (idx >= vec_len (cm->key_data))
+ return;
+
+ if (cm->key_data[idx] == 0)
+ return;
+
+ clib_memset_u8 (cm->key_data[idx], 0,
+ clib_mem_size (cm->key_data[idx]));
+ clib_mem_free (cm->key_data[idx]);
+ cm->key_data[idx] = 0;
+ return;
+ }
+
+ vec_validate_aligned (cm->key_data, idx, CLIB_CACHE_LINE_BYTES);
+
+ if (kop == VNET_CRYPTO_KEY_OP_MODIFY && cm->key_data[idx])
+ {
+ clib_memset_u8 (cm->key_data[idx], 0,
+ clib_mem_size (cm->key_data[idx]));
+ clib_mem_free (cm->key_data[idx]);
+ }
+
+ kd = cm->key_data[idx] = clib_mem_alloc_aligned (sizeof (aesni_key_data_t),
+ CLIB_CACHE_LINE_BYTES);
+
+ /* ADD or MODIFY */
+ switch (key->alg)
+ {
+ case VNET_CRYPTO_ALG_AES_128_CBC:
+ aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_128);
+ aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_128);
+ aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_128);
+ break;
+ case VNET_CRYPTO_ALG_AES_192_CBC:
+ aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_192);
+ aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_192);
+ aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_192);
+ break;
+ case VNET_CRYPTO_ALG_AES_256_CBC:
+ aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_256);
+ aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_256);
+ aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_256);
+ break;
+ default:
+ return;
+ break;
+ }
+}
+
clib_error_t *
crypto_ia32_init (vlib_main_t * vm)
{
@@ -43,6 +114,10 @@ crypto_ia32_init (vlib_main_t * vm)
(error = crypto_ia32_aesni_cbc_init (vm)))
goto error;
+ vnet_crypto_register_key_handler (vm, cm->crypto_engine_index,
+ crypto_ia32_key_handler);
+
+
error:
if (error)
vec_free (cm->per_thread_data);