From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 660DBA0350;
	Fri,  4 Feb 2022 18:57:38 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 2887B4013F;
	Fri,  4 Feb 2022 18:57:38 +0100 (CET)
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 by mails.dpdk.org (Postfix) with ESMTP id 18D4D40041
 for <dev@dpdk.org>; Fri,  4 Feb 2022 18:57:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1643997456; x=1675533456;
 h=from:to:cc:subject:date:message-id;
 bh=NETxGt88sT2DmGQtb6/P2AKKZ19gCC9NMxpibijSs3k=;
 b=EjtvOU1lMfQCsNU4AYTW5nthw9GOqZI/5bVYfQrONtgkyk119refTKPh
 hSifgCV0fTw8vHbbtv1iht0XyQ1jzt2PJ3lLsLevtduM0yPhWAhR/eicE
 b7VdrHkv1WaCK1BnT00Brtxw5oblfCr5vkcuOe/CMrVF2d+INtaUCVEAA
 y3qSiRz0qR6+zJQMFN7zxBbKe0721dgU4hcAgVuPqAT2v7+EhTBX+iC3j
 3mRbYARsDm/HOcOrRHowHaHLBVuw8Ny31qCOoDfpy4uxUl+A9JGHF7hCj
 0upSum7ovc0PIN4H35o1LeYfu/XWsqZ6S4eQeHADIxCA7W/l/uN1l7YLZ w==;
X-IronPort-AV: E=McAfee;i="6200,9189,10248"; a="248173862"
X-IronPort-AV: E=Sophos;i="5.88,343,1635231600"; d="scan'208";a="248173862"
Received: from orsmga004.jf.intel.com ([10.7.209.38])
 by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 04 Feb 2022 09:57:35 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.88,343,1635231600"; d="scan'208";a="631774427"
Received: from silpixa00400465.ir.intel.com ([10.55.128.22])
 by orsmga004.jf.intel.com with ESMTP; 04 Feb 2022 09:57:34 -0800
From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update
Date: Sat,  5 Feb 2022 01:57:31 +0800
Message-Id: <20220204175731.37989-1-kai.ji@intel.com>
X-Mailer: git-send-email 2.17.1
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

This patch update the EVP MAC routine in crypto openssl pmd
to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/compat.h              |  12 ++
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 129 ++++++++++++++++++-
 3 files changed, 144 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..d3884334bd 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
 	DSA_get0_key(dsa, NULL, priv_key);
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/* Known DIGEST names (not a complete list) */
+#define OSSL_DIGEST_NAME_MD5            "MD5"
+#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
+#define OSSL_DIGEST_NAME_SHA1           "SHA1"
+#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
+#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
+#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
+#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
+
+#endif
+
 #endif /* version < 10100000 */
 
 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5794ed8159..e930821a4b 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,29 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
 
 /*----------------------------------------------------------------------------*/
@@ -580,6 +603,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo = get_digest_name(xform);
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					(char *)algo, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +649,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +774,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1317,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }
 
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,6 +1422,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
+# endif
 
 /*----------------------------------------------------------------------------*/
 
@@ -1557,7 +1666,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif
 
 	srclen = op->sym->auth.data.length;
 
@@ -1573,12 +1688,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
+
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
-- 
2.17.1