DPDK patches and discussions
 help / color / mirror / Atom feed
From: Akhil Goyal <gakhil@marvell.com>
To: Kai Ji <kai.ji@intel.com>, "dev@dpdk.org" <dev@dpdk.org>
Cc: "roy.fan.zhang@intel.com" <roy.fan.zhang@intel.com>
Subject: RE: [EXT] [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine
Date: Thu, 17 Feb 2022 18:01:52 +0000	[thread overview]
Message-ID: <CO6PR18MB44844119CC15B7C31D981DCAD8369@CO6PR18MB4484.namprd18.prod.outlook.com> (raw)
In-Reply-To: <20220217174552.50903-1-kai.ji@intel.com>

> This patch update the symmetric EVP routine in crypto openssl pmd
> to adopt openssl 3.0 library.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> 
> v3:
> - rebase to 22.03-RC1
> - enable openssl 3.0 lagacy library of DES
> - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy
> without
>   a valid dup function pointer.
> 
> v2:
> - minor code fix
> 
> ---
>  drivers/crypto/openssl/compat.h              |  12 ++
>  drivers/crypto/openssl/openssl_pmd_private.h |   4 +
>  drivers/crypto/openssl/rte_openssl_pmd.c     | 181 ++++++++++++++++++-
>  3 files changed, 188 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
> index eecb7d3698..d3884334bd 100644
> --- a/drivers/crypto/openssl/compat.h
> +++ b/drivers/crypto/openssl/compat.h
> @@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM
> **priv_key)
>  	DSA_get0_key(dsa, NULL, priv_key);
>  }
> 
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/* Known DIGEST names (not a complete list) */
> +#define OSSL_DIGEST_NAME_MD5            "MD5"
> +#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
> +#define OSSL_DIGEST_NAME_SHA1           "SHA1"
> +#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
> +#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
> +#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
> +#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
> +
> +#endif
> +
>  #endif /* version < 10100000 */
> 
>  #endif /* __RTA_COMPAT_H__ */
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index b2054b3754..86dc169aaf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -134,8 +134,12 @@ struct openssl_session {
>  				/**< pointer to EVP key */
>  				const EVP_MD *evp_algo;
>  				/**< pointer to EVP algorithm function */
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +				EVP_MAC_CTX * ctx;
> +# else
>  				HMAC_CTX *ctx;
>  				/**< pointer to EVP context structure */
> +# endif
>  			} hmac;
>  		};
> 
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index d80e1052e2..14a6524b6c 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
>  }
>  #endif
> 
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +
> +OSSL_PROVIDER * legacy;
> +OSSL_PROVIDER *deflt;
> +
> +static void ossl_load_legacy_provider(void)
> +{
> +	/* Load Multiple providers into the default (NULL) library context */
> +	legacy = OSSL_PROVIDER_load(NULL, "legacy");
> +	if (legacy == NULL) {
> +		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
> +		return -EINVAL;
> +	}
> +
> +	deflt = OSSL_PROVIDER_load(NULL, "default");
> +	if (deflt == NULL) {
> +		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
> +		OSSL_PROVIDER_unload(legacy);
> +		return -EINVAL;
> +	}
> +}
> +
> +static void ossl_unload_legacy_provider(void)
> +{
> +	OSSL_PROVIDER_unload(legacy);
> +	OSSL_PROVIDER_unload(deflt);
> +}
> +
> +static __rte_always_inline const char *
> +get_digest_name(const struct rte_crypto_sym_xform *xform)
> +{
> +	switch (xform->auth.algo) {
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +		return OSSL_DIGEST_NAME_MD5;
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +		return OSSL_DIGEST_NAME_SHA1;
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_224;
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_256;
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_384;
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_512;
> +	default:
> +		return NULL;
> +	}
> +}
> +#endif
> +
>  static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
> 
>  /*----------------------------------------------------------------------------*/
> @@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
>  		sess->auth.auth.ctx = EVP_MD_CTX_create();
>  		break;
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
> +
> +		OSSL_PARAM params[2];
> +		const char *algo = get_digest_name(xform);
> +		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> +		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
> +		EVP_MAC_free(mac);
> +		if (get_auth_algo(xform->auth.algo,
> +				&sess->auth.hmac.evp_algo) != 0)
> +			return -EINVAL;
> +
> +		params[0] = OSSL_PARAM_construct_utf8_string("digest",
> +					(char *)algo, 0);
> +		params[1] = OSSL_PARAM_construct_end();
> +		if (EVP_MAC_init(sess->auth.hmac.ctx,
> +				xform->auth.key.data,
> +				xform->auth.key.length,
> +				params) != 1)
> +			return -EINVAL;
> +		break;
> +# else
>  	case RTE_CRYPTO_AUTH_MD5_HMAC:
>  	case RTE_CRYPTO_AUTH_SHA1_HMAC:
>  	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> @@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
>  				sess->auth.hmac.evp_algo, NULL) != 1)
>  			return -EINVAL;
>  		break;
> -
> +# endif
>  	default:
>  		return -ENOTSUP;
>  	}
> @@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess)
>  		break;
>  	case OPENSSL_AUTH_AS_HMAC:
>  		EVP_PKEY_free(sess->auth.hmac.pkey);
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
> +# else
>  		HMAC_CTX_free(sess->auth.hmac.ctx);
> +# endif
>  		break;
>  	default:
>  		break;
> @@ -1260,6 +1343,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src,
> uint8_t *dst, int offset,
>  	return -EINVAL;
>  }
> 
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/** Process standard openssl auth algorithms with hmac */
> +static int
> +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> +		int srclen, EVP_MAC_CTX *ctx)
> +{
> +	size_t dstlen;
> +	struct rte_mbuf *m;
> +	int l, n = srclen;
> +	uint8_t *src;
> +
> +	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
> +			m = m->next)
> +		offset -= rte_pktmbuf_data_len(m);
> +
> +	if (m == 0)
> +		goto process_auth_err;
> +
> +	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
> +
> +	l = rte_pktmbuf_data_len(m) - offset;
> +	if (srclen <= l) {
> +		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
> +			goto process_auth_err;
> +		goto process_auth_final;
> +	}
> +
> +	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> +		goto process_auth_err;
> +
> +	n -= l;
> +
> +	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
> +		src = rte_pktmbuf_mtod(m, uint8_t *);
> +		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
> +		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> +			goto process_auth_err;
> +		n -= l;
> +	}
> +
> +process_auth_final:
> +	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
> +		goto process_auth_err;
> +
> +	EVP_MAC_CTX_free(ctx);
> +	return 0;
> +
> +process_auth_err:
> +	EVP_MAC_CTX_free(ctx);
> +	OPENSSL_LOG(ERR, "Process openssl auth failed");
> +	return -EINVAL;
> +}
> +# else
>  /** Process standard openssl auth algorithms with hmac */
>  static int
>  process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> @@ -1312,6 +1448,7 @@ process_openssl_auth_hmac(struct rte_mbuf
> *mbuf_src, uint8_t *dst, int offset,
>  	OPENSSL_LOG(ERR, "Process openssl auth failed");
>  	return -EINVAL;
>  }
> +# endif
> 
>  /*----------------------------------------------------------------------------*/
> 
> @@ -1326,7 +1463,6 @@ process_openssl_combined_op
>  	int srclen, aadlen, status = -1;
>  	uint32_t offset;
>  	uint8_t taglen;
> -	EVP_CIPHER_CTX *ctx_copy;
> 
>  	/*
>  	 * Segmented destination buffer is not supported for
> @@ -1363,8 +1499,6 @@ process_openssl_combined_op
>  	}
> 
>  	taglen = sess->auth.digest_length;
> -	ctx_copy = EVP_CIPHER_CTX_new();
> -	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
> 
>  	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
>  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1372,12 +1506,12 @@ process_openssl_combined_op
>  			status = process_openssl_auth_encryption_gcm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, ctx_copy);
> +					dst, tag, sess->cipher.ctx);
>  		else
>  			status = process_openssl_auth_encryption_ccm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, taglen, ctx_copy);
> +					dst, tag, taglen, sess->cipher.ctx);
> 
>  	} else {
>  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1385,15 +1519,14 @@ process_openssl_combined_op
>  			status = process_openssl_auth_decryption_gcm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, ctx_copy);
> +					dst, tag, sess->cipher.ctx);
>  		else
>  			status = process_openssl_auth_decryption_ccm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, taglen, ctx_copy);
> +					dst, tag, taglen, sess->cipher.ctx);
>  	}
> 
> -	EVP_CIPHER_CTX_free(ctx_copy);
>  	if (status != 0) {
>  		if (status == (-EFAULT) &&
>  				sess->auth.operation ==
> @@ -1555,7 +1688,13 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
>  	uint8_t *dst;
>  	int srclen, status;
>  	EVP_MD_CTX *ctx_a;
> +
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +	EVP_MAC_CTX *ctx_h;
> +	EVP_MAC *mac;
> +# else
>  	HMAC_CTX *ctx_h;
> +# endif
> 
>  	srclen = op->sym->auth.data.length;
> 
> @@ -1571,12 +1710,24 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
>  		EVP_MD_CTX_destroy(ctx_a);
>  		break;
>  	case OPENSSL_AUTH_AS_HMAC:
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +
> +		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> +		ctx_h = EVP_MAC_CTX_new(mac);
> +		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
> +		EVP_MAC_free(mac);
> +		status = process_openssl_auth_hmac(mbuf_src, dst,
> +				op->sym->auth.data.offset, srclen,
> +				ctx_h);
> +# else
> +
>  		ctx_h = HMAC_CTX_new();
>  		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
>  		status = process_openssl_auth_hmac(mbuf_src, dst,
>  				op->sym->auth.data.offset, srclen,
>  				ctx_h);
>  		HMAC_CTX_free(ctx_h);
> +# endif
>  		break;
>  	default:
>  		status = -1;
> @@ -2213,6 +2364,14 @@ cryptodev_openssl_create(const char *name,
> 
>  	rte_cryptodev_pmd_probing_finish(dev);
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	/* Load lagacy provider
> +	 * Some algorithms are no longer available in earlier version of openssl,
> +	 * unless the legacy provider explicitly.loaded. e.g. DES
> +	 */
> +	ossl_load_legacy_provider();
> +# endif
> +

Please remove extra blank lines here and elsewhere.
Also run spell check.
%s/lagacy/legacy

>  	return 0;
> 
>  init_error:
> @@ -2261,6 +2420,10 @@ cryptodev_openssl_remove(struct rte_vdev_device
> *vdev)
>  	if (cryptodev == NULL)
>  		return -ENODEV;
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	ossl_unload_legacy_provider();
> +# endif
> +
>  	return rte_cryptodev_pmd_destroy(cryptodev);
>  }
> 
> --
> 2.17.1


  reply	other threads:[~2022-02-17 18:02 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-04 17:57 [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update Kai Ji
2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji
2022-02-07 15:40   ` Zhang, Roy Fan
2022-02-17 17:45   ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji
2022-02-17 18:01     ` Akhil Goyal [this message]
2022-02-18  9:44     ` [dpdk-dev v4] " Kai Ji
2022-02-18 11:51       ` [dpdk-dev v5] " Kai Ji
2022-02-18 13:41         ` Zhang, Roy Fan
2022-02-24 19:02         ` [EXT] " Akhil Goyal
2022-02-24 23:13           ` Ji, Kai
2022-02-25  3:55             ` Akhil Goyal
2022-02-25 10:19               ` Ji, Kai
2022-02-25 10:39                 ` Akhil Goyal
2022-02-25 11:19                   ` Ji, Kai
2022-02-25 13:51                   ` Zhang, Roy Fan
2022-02-28  5:35                     ` Namburu, Chandu-babu
2022-02-25 15:13         ` [dpdk-dev v6] " Kai Ji
2022-02-25 17:35           ` Stephen Hemminger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CO6PR18MB44844119CC15B7C31D981DCAD8369@CO6PR18MB4484.namprd18.prod.outlook.com \
    --to=gakhil@marvell.com \
    --cc=dev@dpdk.org \
    --cc=kai.ji@intel.com \
    --cc=roy.fan.zhang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).