diff options
author | Damjan Marion <damarion@cisco.com> | 2019-04-24 15:20:35 +0200 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-04-25 01:36:12 +0000 |
commit | d1bed687231bb64cf7761da37431ba61bc32b6d8 (patch) | |
tree | 891af80a873db9dda53c18e95f5eeb9366a1cb07 /src/plugins/crypto_ia32 | |
parent | 20bc56ab58189ad9fa24feaaca3e76ea8e636140 (diff) |
crypto: improve key handling
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/plugins/crypto_ia32')
-rw-r--r-- | src/plugins/crypto_ia32/aes_cbc.c | 25 | ||||
-rw-r--r-- | src/plugins/crypto_ia32/aesni.h | 7 | ||||
-rw-r--r-- | src/plugins/crypto_ia32/crypto_ia32.h | 1 | ||||
-rw-r--r-- | src/plugins/crypto_ia32/main.c | 75 |
4 files changed, 94 insertions, 14 deletions
diff --git a/src/plugins/crypto_ia32/aes_cbc.c b/src/plugins/crypto_ia32/aes_cbc.c index 091f7b6a539..7befdd2b4e6 100644 --- a/src/plugins/crypto_ia32/aes_cbc.c +++ b/src/plugins/crypto_ia32/aes_cbc.c @@ -97,7 +97,7 @@ aesni_ops_enc_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[], u8 dummy[8192]; u8 *src[4] = { }; u8 *dst[4] = { }; - u8 *key[4] = { }; + vnet_crypto_key_index_t key_index[4] = { ~0, ~0, ~0, ~0 }; u32x4 dummy_mask, len = { }; u32 i, j, count, n_left = n_ops; __m128i r[4] = { }, k[4][rounds + 1]; @@ -127,10 +127,13 @@ more: dst[i] = ops[0]->dst; len[i] = ops[0]->len; dummy_mask[i] = ~0; - if (key[i] != ops[0]->key) + if (key_index[i] != ops[0]->key_index) { - aes_key_expand (k[i], ops[0]->key, ks); - key[i] = ops[0]->key; + aesni_key_data_t *kd; + key_index[i] = ops[0]->key_index; + kd = (aesni_key_data_t *) cm->key_data[key_index[i]]; + clib_memcpy_fast (k[i], kd->encrypt_key, + (rounds + 1) * sizeof (__m128i)); } ops[0]->status = VNET_CRYPTO_OP_STATUS_COMPLETED; n_left--; @@ -188,28 +191,22 @@ static_always_inline u32 aesni_ops_dec_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, aesni_key_size_t ks) { + crypto_ia32_main_t *cm = &crypto_ia32_main; int rounds = AESNI_KEY_ROUNDS (ks); vnet_crypto_op_t *op = ops[0]; + aesni_key_data_t *kd = (aesni_key_data_t *) cm->key_data[op->key_index]; u32 n_left = n_ops; - u8 *last_key; - __m128i k[rounds + 1]; ASSERT (n_ops >= 1); -key_expand: - last_key = op->key; - aes_key_expand (k, op->key, ks); - aes_key_enc_to_dec (k, ks); - decrypt: - aes_cbc_dec (k, op->src, op->dst, op->iv, op->len, rounds); + aes_cbc_dec (kd->decrypt_key, op->src, op->dst, op->iv, op->len, rounds); op->status = VNET_CRYPTO_OP_STATUS_COMPLETED; if (--n_left) { op += 1; - if (last_key != op->key) - goto key_expand; + kd = (aesni_key_data_t *) cm->key_data[op->key_index]; goto decrypt; } diff --git a/src/plugins/crypto_ia32/aesni.h b/src/plugins/crypto_ia32/aesni.h index 28e09fc5c51..80e30e51b33 100644 --- a/src/plugins/crypto_ia32/aesni.h +++ b/src/plugins/crypto_ia32/aesni.h @@ -18,6 +18,13 @@ #ifndef __aesni_h__ #define __aesni_h__ + +typedef struct +{ + __m128i encrypt_key[15]; + __m128i decrypt_key[15]; +} aesni_key_data_t; + typedef enum { AESNI_KEY_128 = 0, diff --git a/src/plugins/crypto_ia32/crypto_ia32.h b/src/plugins/crypto_ia32/crypto_ia32.h index ccb26ab1a4d..f5f09dfd499 100644 --- a/src/plugins/crypto_ia32/crypto_ia32.h +++ b/src/plugins/crypto_ia32/crypto_ia32.h @@ -27,6 +27,7 @@ typedef struct { u32 crypto_engine_index; crypto_ia32_per_thread_data_t *per_thread_data; + void **key_data; } crypto_ia32_main_t; extern crypto_ia32_main_t crypto_ia32_main; diff --git a/src/plugins/crypto_ia32/main.c b/src/plugins/crypto_ia32/main.c index 9b83f8913db..8dd596b0dd6 100644 --- a/src/plugins/crypto_ia32/main.c +++ b/src/plugins/crypto_ia32/main.c @@ -19,9 +19,80 @@ #include <vnet/plugin/plugin.h> #include <vnet/crypto/crypto.h> #include <crypto_ia32/crypto_ia32.h> +#include <crypto_ia32/aesni.h> crypto_ia32_main_t crypto_ia32_main; +static void +crypto_ia32_key_handler (vlib_main_t * vm, vnet_crypto_key_op_t kop, + vnet_crypto_key_index_t idx) +{ + vnet_crypto_key_t *key = vnet_crypto_get_key (idx); + crypto_ia32_main_t *cm = &crypto_ia32_main; + aesni_key_data_t *kd; + + switch (key->alg) + { + case VNET_CRYPTO_ALG_AES_128_CBC: + case VNET_CRYPTO_ALG_AES_192_CBC: + case VNET_CRYPTO_ALG_AES_256_CBC: + break; + default: + return; + break; + } + + if (kop == VNET_CRYPTO_KEY_OP_DEL) + { + if (idx >= vec_len (cm->key_data)) + return; + + if (cm->key_data[idx] == 0) + return; + + clib_memset_u8 (cm->key_data[idx], 0, + clib_mem_size (cm->key_data[idx])); + clib_mem_free (cm->key_data[idx]); + cm->key_data[idx] = 0; + return; + } + + vec_validate_aligned (cm->key_data, idx, CLIB_CACHE_LINE_BYTES); + + if (kop == VNET_CRYPTO_KEY_OP_MODIFY && cm->key_data[idx]) + { + clib_memset_u8 (cm->key_data[idx], 0, + clib_mem_size (cm->key_data[idx])); + clib_mem_free (cm->key_data[idx]); + } + + kd = cm->key_data[idx] = clib_mem_alloc_aligned (sizeof (aesni_key_data_t), + CLIB_CACHE_LINE_BYTES); + + /* ADD or MODIFY */ + switch (key->alg) + { + case VNET_CRYPTO_ALG_AES_128_CBC: + aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_128); + aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_128); + aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_128); + break; + case VNET_CRYPTO_ALG_AES_192_CBC: + aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_192); + aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_192); + aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_192); + break; + case VNET_CRYPTO_ALG_AES_256_CBC: + aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_256); + aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_256); + aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_256); + break; + default: + return; + break; + } +} + clib_error_t * crypto_ia32_init (vlib_main_t * vm) { @@ -43,6 +114,10 @@ crypto_ia32_init (vlib_main_t * vm) (error = crypto_ia32_aesni_cbc_init (vm))) goto error; + vnet_crypto_register_key_handler (vm, cm->crypto_engine_index, + crypto_ia32_key_handler); + + error: if (error) vec_free (cm->per_thread_data); |