DPDK patches and discussions
 help / color / mirror / Atom feed
From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: gakhil@marvell.com, Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v5 2/4] crypto/openssl: update on RSA routine with 3.0 EVP API
Date: Tue, 21 Jun 2022 23:42:12 +0800	[thread overview]
Message-ID: <20220621154214.78176-3-kai.ji@intel.com> (raw)
In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com>

This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/openssl_pmd_private.h |   7 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 149 +++++++++++++++++++
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
 3 files changed, 267 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 6bcfb584a4..9d4ac721a7 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
 #include <openssl/rsa.h>
 #include <openssl/dh.h>
 #include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
 
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
 /**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
 	union {
 		struct rsa {
 			RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+			EVP_PKEY_CTX * ctx;
+#endif
 		} r;
 		struct exp {
 			BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 06ede435dd..caa5d54c0a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
 }
 
 /* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+		struct openssl_asym_session *sess)
+{
+	struct rte_crypto_asym_op *op = cop->asym;
+	uint32_t pad = (op->rsa.padding.type);
+	uint8_t *tmp;
+	size_t outlen = 0;
+	int ret = -1;
+
+	cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+	if (!rsa_ctx)
+		return ret;
+
+	switch (pad) {
+	case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+		pad = RSA_PKCS1_PADDING;
+		break;
+	case RTE_CRYPTO_RSA_PADDING_NONE:
+		pad = RSA_NO_PADDING;
+		break;
+	default:
+		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+		OPENSSL_LOG(ERR,
+				"rsa pad type not supported %d\n", pad);
+		return ret;
+	}
+
+	switch (op->rsa.op_type) {
+	case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+		if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+			goto err_rsa;
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+			goto err_rsa;
+
+		if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+				op->rsa.message.data,
+				op->rsa.message.length) <= 0)
+			goto err_rsa;
+
+		if (outlen <= 0)
+			goto err_rsa;
+
+		if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+				op->rsa.message.data,
+				op->rsa.message.length) <= 0)
+			goto err_rsa;
+		op->rsa.cipher.length = outlen;
+
+		OPENSSL_LOG(DEBUG,
+				"length of encrypted text %zu\n", outlen);
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_DECRYPT:
+		if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+			goto err_rsa;
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+			goto err_rsa;
+
+		if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+				op->rsa.cipher.data,
+				op->rsa.cipher.length) <= 0)
+			goto err_rsa;
+
+		if (outlen <= 0)
+			goto err_rsa;
+
+		if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+				op->rsa.cipher.data,
+				op->rsa.cipher.length) <= 0)
+			goto err_rsa;
+		op->rsa.message.length = outlen;
+
+		OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_SIGN:
+		if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+			goto err_rsa;
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+			goto err_rsa;
+
+		if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+				op->rsa.message.data,
+				op->rsa.message.length) <= 0)
+			goto err_rsa;
+		op->rsa.sign.length = outlen;
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_VERIFY:
+		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+		if (tmp == NULL) {
+			OPENSSL_LOG(ERR, "Memory allocation failed");
+			goto err_rsa;
+		}
+
+		if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+			rte_free(tmp);
+			goto err_rsa;
+		}
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+			rte_free(tmp);
+			goto err_rsa;
+		}
+
+		if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+				op->rsa.sign.data,
+				op->rsa.sign.length) <= 0) {
+			rte_free(tmp);
+			goto err_rsa;
+		}
+
+		OPENSSL_LOG(DEBUG,
+				"Length of public_decrypt %zu "
+				"length of message %zd\n",
+				outlen, op->rsa.message.length);
+		if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+				op->rsa.message.length)) {
+			OPENSSL_LOG(ERR, "RSA sign Verification failed");
+		}
+		rte_free(tmp);
+		break;
+
+	default:
+		/* allow ops with invalid args to be pushed to
+		 * completion queue
+		 */
+		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+		goto err_rsa;
+	}
+
+	ret = 0;
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+	return ret;
+
+}
+#else
 static int
 process_openssl_rsa_op(struct rte_crypto_op *cop,
 		struct openssl_asym_session *sess)
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 
 	return 0;
 }
+#endif
 
 static int
 process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	switch (sess->xfrm_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		retval = process_openssl_rsa_op_evp(op, sess);
+# else
 		retval = process_openssl_rsa_op(op, sess);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_MODEX:
 		retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 7d0da52a33..e94e72c12b 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -12,7 +12,11 @@
 
 #include "openssl_pmd_private.h"
 #include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
 
 static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 	{	/* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
 		if (!n || !e)
 			goto err_rsa;
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+		if (!param_bld) {
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			goto err_rsa;
+		}
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+			|| !OSSL_PARAM_BLD_push_BN(param_bld,
+					OSSL_PKEY_PARAM_RSA_E, e)) {
+			OSSL_PARAM_BLD_free(param_bld);
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			goto err_rsa;
+		}
+
+		if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+			d = BN_bin2bn(
+			(const unsigned char *)xform->rsa.d.data,
+			xform->rsa.d.length,
+			d);
+			if (!d) {
+				OSSL_PARAM_BLD_free(param_bld);
+				goto err_rsa;
+			}
+		} else {
+			p = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.p.data,
+					xform->rsa.qt.p.length,
+					p);
+			q = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.q.data,
+					xform->rsa.qt.q.length,
+					q);
+			dmp1 = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.dP.data,
+					xform->rsa.qt.dP.length,
+					dmp1);
+			dmq1 = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.dQ.data,
+					xform->rsa.qt.dQ.length,
+					dmq1);
+			iqmp = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.qInv.data,
+					xform->rsa.qt.qInv.length,
+					iqmp);
+
+			if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+				OSSL_PARAM_BLD_free(param_bld);
+				goto err_rsa;
+			}
+
+			if (!OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+				OSSL_PARAM_BLD_free(param_bld);
+				goto err_rsa;
+			}
+		}
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+			|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+			|| !OSSL_PARAM_BLD_push_BN(param_bld,
+						OSSL_PKEY_PARAM_RSA_D, d)) {
+			OSSL_PARAM_BLD_free(param_bld);
+			goto err_rsa;
+		}
+
+		EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+		EVP_PKEY *pkey = NULL;
+		EVP_PKEY_CTX *rsa_ctx = NULL;
+		OSSL_PARAM *params = NULL;
+
+		params = OSSL_PARAM_BLD_to_param(param_bld);
+		if (!params) {
+			OSSL_PARAM_BLD_free(param_bld);
+			goto err_rsa;
+		}
+
+		if (key_ctx == NULL
+			|| EVP_PKEY_fromdata_init(key_ctx) <= 0
+			|| EVP_PKEY_fromdata(key_ctx, &pkey,
+				EVP_PKEY_KEYPAIR, params) <= 0) {
+			OSSL_PARAM_free(params);
+			goto err_rsa;
+		}
+
+		rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+		asym_session->u.r.ctx = rsa_ctx;
+		EVP_PKEY_CTX_free(key_ctx);
+		OSSL_PARAM_free(params);
+		break;
+#else
 		RSA *rsa = RSA_new();
 		if (rsa == NULL)
 			goto err_rsa;
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
 		asym_session->u.r.rsa = rsa;
 		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
 		break;
+#endif
 err_rsa:
 		BN_clear_free(n);
 		BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
 {
 	switch (sess->xfrm_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		if (sess->u.r.ctx)
+			EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
 		if (sess->u.r.rsa)
 			RSA_free(sess->u.r.rsa);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_MODEX:
 		if (sess->u.e.ctx) {
-- 
2.17.1


  parent reply	other threads:[~2022-06-21 15:42 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 19:21     ` [EXT] " Akhil Goyal
2022-05-16 20:20       ` Stephen Hemminger
2022-05-17  6:52         ` Akhil Goyal
2022-05-16 10:10   ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40   ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25     ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25       ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04         ` Zhang, Roy Fan
2022-06-21  9:22         ` [EXT] " Akhil Goyal
2022-06-14 13:25       ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04         ` Zhang, Roy Fan
2022-06-21  9:30         ` [EXT] " Akhil Goyal
2022-06-21 13:35           ` Ji, Kai
2022-06-14 13:25       ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-17 10:05         ` Zhang, Roy Fan
2022-06-14 13:25       ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-17 10:05         ` Zhang, Roy Fan
2022-06-21 10:16       ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55       ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42         ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42           ` Kai Ji [this message]
2022-06-21 15:42           ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15           ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220621154214.78176-3-kai.ji@intel.com \
    --to=kai.ji@intel.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).