DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update
@ 2022-02-04 17:57 Kai Ji
  2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji
  0 siblings, 1 reply; 18+ messages in thread
From: Kai Ji @ 2022-02-04 17:57 UTC (permalink / raw)
  To: dev; +Cc: Kai Ji

This patch update the EVP MAC routine in crypto openssl pmd
to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/compat.h              |  12 ++
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 129 ++++++++++++++++++-
 3 files changed, 144 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..d3884334bd 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
 	DSA_get0_key(dsa, NULL, priv_key);
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/* Known DIGEST names (not a complete list) */
+#define OSSL_DIGEST_NAME_MD5            "MD5"
+#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
+#define OSSL_DIGEST_NAME_SHA1           "SHA1"
+#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
+#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
+#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
+#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
+
+#endif
+
 #endif /* version < 10100000 */
 
 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5794ed8159..e930821a4b 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,29 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
 
 /*----------------------------------------------------------------------------*/
@@ -580,6 +603,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo = get_digest_name(xform);
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					(char *)algo, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +649,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +774,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1317,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }
 
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,6 +1422,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
+# endif
 
 /*----------------------------------------------------------------------------*/
 
@@ -1557,7 +1666,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif
 
 	srclen = op->sym->auth.data.length;
 
@@ -1573,12 +1688,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
+
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
-- 
2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine
  2022-02-04 17:57 [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update Kai Ji
@ 2022-02-07 15:24 ` Kai Ji
  2022-02-07 15:40   ` Zhang, Roy Fan
  2022-02-17 17:45   ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji
  0 siblings, 2 replies; 18+ messages in thread
From: Kai Ji @ 2022-02-07 15:24 UTC (permalink / raw)
  To: dev; +Cc: Kai Ji

This patch update the symmetric EVP MAC routine in crypto openssl pmd
to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>

v2:
- commit message update

---
 drivers/crypto/openssl/compat.h              |  12 ++
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 129 ++++++++++++++++++-
 3 files changed, 144 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..d3884334bd 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
 	DSA_get0_key(dsa, NULL, priv_key);
 }

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/* Known DIGEST names (not a complete list) */
+#define OSSL_DIGEST_NAME_MD5            "MD5"
+#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
+#define OSSL_DIGEST_NAME_SHA1           "SHA1"
+#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
+#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
+#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
+#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
+
+#endif
+
 #endif /* version < 10100000 */

 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5794ed8159..e930821a4b 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,29 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif

+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);

 /*----------------------------------------------------------------------------*/
@@ -580,6 +603,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo = get_digest_name(xform);
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					(char *)algo, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +649,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +774,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1317,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }

+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,6 +1422,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
+# endif

 /*----------------------------------------------------------------------------*/

@@ -1557,7 +1666,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif

 	srclen = op->sym->auth.data.length;

@@ -1573,12 +1688,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
+
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
--
2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine
  2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji
@ 2022-02-07 15:40   ` Zhang, Roy Fan
  2022-02-17 17:45   ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji
  1 sibling, 0 replies; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-02-07 15:40 UTC (permalink / raw)
  To: Ji, Kai, dev; +Cc: Ji, Kai, gakhil

> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Monday, February 7, 2022 3:24 PM
> To: dev@dpdk.org
> Cc: Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC
> routine
> 
> This patch update the symmetric EVP MAC routine in crypto openssl pmd
> to adopt openssl 3.0 library.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> 
> v2:
> - commit message update
> 
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>

^ permalink raw reply	[flat|nested] 18+ messages in thread

* [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji
  2022-02-07 15:40   ` Zhang, Roy Fan
@ 2022-02-17 17:45   ` Kai Ji
  2022-02-17 18:01     ` [EXT] " Akhil Goyal
  2022-02-18  9:44     ` [dpdk-dev v4] " Kai Ji
  1 sibling, 2 replies; 18+ messages in thread
From: Kai Ji @ 2022-02-17 17:45 UTC (permalink / raw)
  To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji

This patch update the symmetric EVP routine in crypto openssl pmd
to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>

v3:
- rebase to 22.03-RC1
- enable openssl 3.0 lagacy library of DES
- remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy without
  a valid dup function pointer.

v2:
- minor code fix

---
 drivers/crypto/openssl/compat.h              |  12 ++
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 181 ++++++++++++++++++-
 3 files changed, 188 insertions(+), 9 deletions(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..d3884334bd 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
 	DSA_get0_key(dsa, NULL, priv_key);
 }

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/* Known DIGEST names (not a complete list) */
+#define OSSL_DIGEST_NAME_MD5            "MD5"
+#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
+#define OSSL_DIGEST_NAME_SHA1           "SHA1"
+#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
+#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
+#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
+#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
+
+#endif
+
 #endif /* version < 10100000 */

 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index d80e1052e2..14a6524b6c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif

+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+
+OSSL_PROVIDER * legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+	/* Load Multiple providers into the default (NULL) library context */
+	legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	if (legacy == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+		return -EINVAL;
+	}
+
+	deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (deflt == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+		OSSL_PROVIDER_unload(legacy);
+		return -EINVAL;
+	}
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+	OSSL_PROVIDER_unload(legacy);
+	OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);

 /*----------------------------------------------------------------------------*/
@@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo = get_digest_name(xform);
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					(char *)algo, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1260,6 +1343,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }

+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1312,6 +1448,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
+# endif

 /*----------------------------------------------------------------------------*/

@@ -1326,7 +1463,6 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
-	EVP_CIPHER_CTX *ctx_copy;

 	/*
 	 * Segmented destination buffer is not supported for
@@ -1363,8 +1499,6 @@ process_openssl_combined_op
 	}

 	taglen = sess->auth.digest_length;
-	ctx_copy = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);

 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1372,12 +1506,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);

 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1385,15 +1519,14 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 	}

-	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1555,7 +1688,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif

 	srclen = op->sym->auth.data.length;

@@ -1571,12 +1710,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
+
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
@@ -2213,6 +2364,14 @@ cryptodev_openssl_create(const char *name,

 	rte_cryptodev_pmd_probing_finish(dev);

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	/* Load lagacy provider
+	 * Some algorithms are no longer available in earlier version of openssl,
+	 * unless the legacy provider explicitly.loaded. e.g. DES
+	 */
+	ossl_load_legacy_provider();
+# endif
+
 	return 0;

 init_error:
@@ -2261,6 +2420,10 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
 	if (cryptodev == NULL)
 		return -ENODEV;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	ossl_unload_legacy_provider();
+# endif
+
 	return rte_cryptodev_pmd_destroy(cryptodev);
 }

--
2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-17 17:45   ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji
@ 2022-02-17 18:01     ` Akhil Goyal
  2022-02-18  9:44     ` [dpdk-dev v4] " Kai Ji
  1 sibling, 0 replies; 18+ messages in thread
From: Akhil Goyal @ 2022-02-17 18:01 UTC (permalink / raw)
  To: Kai Ji, dev; +Cc: roy.fan.zhang

> This patch update the symmetric EVP routine in crypto openssl pmd
> to adopt openssl 3.0 library.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> 
> v3:
> - rebase to 22.03-RC1
> - enable openssl 3.0 lagacy library of DES
> - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy
> without
>   a valid dup function pointer.
> 
> v2:
> - minor code fix
> 
> ---
>  drivers/crypto/openssl/compat.h              |  12 ++
>  drivers/crypto/openssl/openssl_pmd_private.h |   4 +
>  drivers/crypto/openssl/rte_openssl_pmd.c     | 181 ++++++++++++++++++-
>  3 files changed, 188 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
> index eecb7d3698..d3884334bd 100644
> --- a/drivers/crypto/openssl/compat.h
> +++ b/drivers/crypto/openssl/compat.h
> @@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM
> **priv_key)
>  	DSA_get0_key(dsa, NULL, priv_key);
>  }
> 
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/* Known DIGEST names (not a complete list) */
> +#define OSSL_DIGEST_NAME_MD5            "MD5"
> +#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
> +#define OSSL_DIGEST_NAME_SHA1           "SHA1"
> +#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
> +#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
> +#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
> +#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
> +
> +#endif
> +
>  #endif /* version < 10100000 */
> 
>  #endif /* __RTA_COMPAT_H__ */
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index b2054b3754..86dc169aaf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -134,8 +134,12 @@ struct openssl_session {
>  				/**< pointer to EVP key */
>  				const EVP_MD *evp_algo;
>  				/**< pointer to EVP algorithm function */
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +				EVP_MAC_CTX * ctx;
> +# else
>  				HMAC_CTX *ctx;
>  				/**< pointer to EVP context structure */
> +# endif
>  			} hmac;
>  		};
> 
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index d80e1052e2..14a6524b6c 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
>  }
>  #endif
> 
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +
> +OSSL_PROVIDER * legacy;
> +OSSL_PROVIDER *deflt;
> +
> +static void ossl_load_legacy_provider(void)
> +{
> +	/* Load Multiple providers into the default (NULL) library context */
> +	legacy = OSSL_PROVIDER_load(NULL, "legacy");
> +	if (legacy == NULL) {
> +		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
> +		return -EINVAL;
> +	}
> +
> +	deflt = OSSL_PROVIDER_load(NULL, "default");
> +	if (deflt == NULL) {
> +		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
> +		OSSL_PROVIDER_unload(legacy);
> +		return -EINVAL;
> +	}
> +}
> +
> +static void ossl_unload_legacy_provider(void)
> +{
> +	OSSL_PROVIDER_unload(legacy);
> +	OSSL_PROVIDER_unload(deflt);
> +}
> +
> +static __rte_always_inline const char *
> +get_digest_name(const struct rte_crypto_sym_xform *xform)
> +{
> +	switch (xform->auth.algo) {
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +		return OSSL_DIGEST_NAME_MD5;
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +		return OSSL_DIGEST_NAME_SHA1;
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_224;
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_256;
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_384;
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_512;
> +	default:
> +		return NULL;
> +	}
> +}
> +#endif
> +
>  static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
> 
>  /*----------------------------------------------------------------------------*/
> @@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
>  		sess->auth.auth.ctx = EVP_MD_CTX_create();
>  		break;
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
> +
> +		OSSL_PARAM params[2];
> +		const char *algo = get_digest_name(xform);
> +		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> +		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
> +		EVP_MAC_free(mac);
> +		if (get_auth_algo(xform->auth.algo,
> +				&sess->auth.hmac.evp_algo) != 0)
> +			return -EINVAL;
> +
> +		params[0] = OSSL_PARAM_construct_utf8_string("digest",
> +					(char *)algo, 0);
> +		params[1] = OSSL_PARAM_construct_end();
> +		if (EVP_MAC_init(sess->auth.hmac.ctx,
> +				xform->auth.key.data,
> +				xform->auth.key.length,
> +				params) != 1)
> +			return -EINVAL;
> +		break;
> +# else
>  	case RTE_CRYPTO_AUTH_MD5_HMAC:
>  	case RTE_CRYPTO_AUTH_SHA1_HMAC:
>  	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> @@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
>  				sess->auth.hmac.evp_algo, NULL) != 1)
>  			return -EINVAL;
>  		break;
> -
> +# endif
>  	default:
>  		return -ENOTSUP;
>  	}
> @@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess)
>  		break;
>  	case OPENSSL_AUTH_AS_HMAC:
>  		EVP_PKEY_free(sess->auth.hmac.pkey);
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
> +# else
>  		HMAC_CTX_free(sess->auth.hmac.ctx);
> +# endif
>  		break;
>  	default:
>  		break;
> @@ -1260,6 +1343,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src,
> uint8_t *dst, int offset,
>  	return -EINVAL;
>  }
> 
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/** Process standard openssl auth algorithms with hmac */
> +static int
> +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> +		int srclen, EVP_MAC_CTX *ctx)
> +{
> +	size_t dstlen;
> +	struct rte_mbuf *m;
> +	int l, n = srclen;
> +	uint8_t *src;
> +
> +	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
> +			m = m->next)
> +		offset -= rte_pktmbuf_data_len(m);
> +
> +	if (m == 0)
> +		goto process_auth_err;
> +
> +	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
> +
> +	l = rte_pktmbuf_data_len(m) - offset;
> +	if (srclen <= l) {
> +		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
> +			goto process_auth_err;
> +		goto process_auth_final;
> +	}
> +
> +	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> +		goto process_auth_err;
> +
> +	n -= l;
> +
> +	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
> +		src = rte_pktmbuf_mtod(m, uint8_t *);
> +		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
> +		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> +			goto process_auth_err;
> +		n -= l;
> +	}
> +
> +process_auth_final:
> +	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
> +		goto process_auth_err;
> +
> +	EVP_MAC_CTX_free(ctx);
> +	return 0;
> +
> +process_auth_err:
> +	EVP_MAC_CTX_free(ctx);
> +	OPENSSL_LOG(ERR, "Process openssl auth failed");
> +	return -EINVAL;
> +}
> +# else
>  /** Process standard openssl auth algorithms with hmac */
>  static int
>  process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> @@ -1312,6 +1448,7 @@ process_openssl_auth_hmac(struct rte_mbuf
> *mbuf_src, uint8_t *dst, int offset,
>  	OPENSSL_LOG(ERR, "Process openssl auth failed");
>  	return -EINVAL;
>  }
> +# endif
> 
>  /*----------------------------------------------------------------------------*/
> 
> @@ -1326,7 +1463,6 @@ process_openssl_combined_op
>  	int srclen, aadlen, status = -1;
>  	uint32_t offset;
>  	uint8_t taglen;
> -	EVP_CIPHER_CTX *ctx_copy;
> 
>  	/*
>  	 * Segmented destination buffer is not supported for
> @@ -1363,8 +1499,6 @@ process_openssl_combined_op
>  	}
> 
>  	taglen = sess->auth.digest_length;
> -	ctx_copy = EVP_CIPHER_CTX_new();
> -	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
> 
>  	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
>  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1372,12 +1506,12 @@ process_openssl_combined_op
>  			status = process_openssl_auth_encryption_gcm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, ctx_copy);
> +					dst, tag, sess->cipher.ctx);
>  		else
>  			status = process_openssl_auth_encryption_ccm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, taglen, ctx_copy);
> +					dst, tag, taglen, sess->cipher.ctx);
> 
>  	} else {
>  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1385,15 +1519,14 @@ process_openssl_combined_op
>  			status = process_openssl_auth_decryption_gcm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, ctx_copy);
> +					dst, tag, sess->cipher.ctx);
>  		else
>  			status = process_openssl_auth_decryption_ccm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, taglen, ctx_copy);
> +					dst, tag, taglen, sess->cipher.ctx);
>  	}
> 
> -	EVP_CIPHER_CTX_free(ctx_copy);
>  	if (status != 0) {
>  		if (status == (-EFAULT) &&
>  				sess->auth.operation ==
> @@ -1555,7 +1688,13 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
>  	uint8_t *dst;
>  	int srclen, status;
>  	EVP_MD_CTX *ctx_a;
> +
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +	EVP_MAC_CTX *ctx_h;
> +	EVP_MAC *mac;
> +# else
>  	HMAC_CTX *ctx_h;
> +# endif
> 
>  	srclen = op->sym->auth.data.length;
> 
> @@ -1571,12 +1710,24 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
>  		EVP_MD_CTX_destroy(ctx_a);
>  		break;
>  	case OPENSSL_AUTH_AS_HMAC:
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +
> +		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> +		ctx_h = EVP_MAC_CTX_new(mac);
> +		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
> +		EVP_MAC_free(mac);
> +		status = process_openssl_auth_hmac(mbuf_src, dst,
> +				op->sym->auth.data.offset, srclen,
> +				ctx_h);
> +# else
> +
>  		ctx_h = HMAC_CTX_new();
>  		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
>  		status = process_openssl_auth_hmac(mbuf_src, dst,
>  				op->sym->auth.data.offset, srclen,
>  				ctx_h);
>  		HMAC_CTX_free(ctx_h);
> +# endif
>  		break;
>  	default:
>  		status = -1;
> @@ -2213,6 +2364,14 @@ cryptodev_openssl_create(const char *name,
> 
>  	rte_cryptodev_pmd_probing_finish(dev);
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	/* Load lagacy provider
> +	 * Some algorithms are no longer available in earlier version of openssl,
> +	 * unless the legacy provider explicitly.loaded. e.g. DES
> +	 */
> +	ossl_load_legacy_provider();
> +# endif
> +

Please remove extra blank lines here and elsewhere.
Also run spell check.
%s/lagacy/legacy

>  	return 0;
> 
>  init_error:
> @@ -2261,6 +2420,10 @@ cryptodev_openssl_remove(struct rte_vdev_device
> *vdev)
>  	if (cryptodev == NULL)
>  		return -ENODEV;
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	ossl_unload_legacy_provider();
> +# endif
> +
>  	return rte_cryptodev_pmd_destroy(cryptodev);
>  }
> 
> --
> 2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* [dpdk-dev v4] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-17 17:45   ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji
  2022-02-17 18:01     ` [EXT] " Akhil Goyal
@ 2022-02-18  9:44     ` Kai Ji
  2022-02-18 11:51       ` [dpdk-dev v5] " Kai Ji
  1 sibling, 1 reply; 18+ messages in thread
From: Kai Ji @ 2022-02-18  9:44 UTC (permalink / raw)
  To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji

This patch update the symmetric EVP routine in crypto openssl pmd
to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>

v4:
- code comments addressed

v3:
- rebase to 22.03-RC1
- enable openssl 3.0 lagacy library of DES
- remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy without
  a valid dup function pointer.

v2:
- minor code fix

---
 drivers/crypto/openssl/compat.h              |  10 ++
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 177 +++++++++++++++++--
 3 files changed, 181 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..0674dd6c5d 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -192,6 +192,16 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
 	DSA_get0_key(dsa, NULL, priv_key);
 }

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/* Known DIGEST names (not a complete list) */
+#define OSSL_DIGEST_NAME_MD5            "MD5"
+#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
+#define OSSL_DIGEST_NAME_SHA1           "SHA1"
+#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
+#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
+#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
+#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
+#endif
 #endif /* version < 10100000 */

 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5794ed8159..2c5dea8cd3 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif

+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+	/* Load Multiple providers into the default (NULL) library context */
+	legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	if (legacy == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+		return -EINVAL;
+	}
+
+	deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (deflt == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+		OSSL_PROVIDER_unload(legacy);
+		return -EINVAL;
+	}
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+	OSSL_PROVIDER_unload(legacy);
+	OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);

 /*----------------------------------------------------------------------------*/
@@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo = get_digest_name(xform);
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					(char *)algo, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1345,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }

+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1450,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
-
+# endif
 /*----------------------------------------------------------------------------*/

 /** Process auth/cipher combined operation */
@@ -1328,7 +1464,6 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
-	EVP_CIPHER_CTX *ctx_copy;

 	/*
 	 * Segmented destination buffer is not supported for
@@ -1365,8 +1500,6 @@ process_openssl_combined_op
 	}

 	taglen = sess->auth.digest_length;
-	ctx_copy = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);

 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1507,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);

 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1520,14 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 	}

-	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1557,7 +1689,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif

 	srclen = op->sym->auth.data.length;

@@ -1573,12 +1710,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
@@ -2215,6 +2362,13 @@ cryptodev_openssl_create(const char *name,

 	rte_cryptodev_pmd_probing_finish(dev);

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	/* Load legacy provider
+	 * Some algorithms are no longer available in earlier version of openssl,
+	 * unless the legacy provider explicitly loaded. e.g. DES
+	 */
+	ossl_load_legacy_provider();
+# endif
 	return 0;

 init_error:
@@ -2263,6 +2417,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
 	if (cryptodev == NULL)
 		return -ENODEV;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	ossl_unload_legacy_provider();
+# endif
 	return rte_cryptodev_pmd_destroy(cryptodev);
 }

--
2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-18  9:44     ` [dpdk-dev v4] " Kai Ji
@ 2022-02-18 11:51       ` Kai Ji
  2022-02-18 13:41         ` Zhang, Roy Fan
                           ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Kai Ji @ 2022-02-18 11:51 UTC (permalink / raw)
  To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji

This patch update the symmetric EVP routine in crypto openssl pmd
to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>

v5:
- checkpatch fix

v4:
- code comments addressed

v3:
- rebase to 22.03-RC1
- enable openssl 3.0 lagacy library of DES
- remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy without
  a valid dup function pointer.

v2:
- minor code fix

---
 drivers/crypto/openssl/compat.h              |  10 ++
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 177 +++++++++++++++++--
 3 files changed, 181 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..0674dd6c5d 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -192,6 +192,16 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
 	DSA_get0_key(dsa, NULL, priv_key);
 }

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/* Known DIGEST names (not a complete list) */
+#define OSSL_DIGEST_NAME_MD5            "MD5"
+#define OSSL_DIGEST_NAME_MD5_SHA1       "MD5-SHA1"
+#define OSSL_DIGEST_NAME_SHA1           "SHA1"
+#define OSSL_DIGEST_NAME_SHA2_224       "SHA2-224"
+#define OSSL_DIGEST_NAME_SHA2_256       "SHA2-256"
+#define OSSL_DIGEST_NAME_SHA2_384       "SHA2-384"
+#define OSSL_DIGEST_NAME_SHA2_512       "SHA2-512"
+#endif
 #endif /* version < 10100000 */

 #endif /* __RTA_COMPAT_H__ */
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5794ed8159..2c5dea8cd3 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif

+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+
+OSSL_PROVIDER * legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+	/* Load Multiple providers into the default (NULL) library context */
+	legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	if (legacy == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+		return -EINVAL;
+	}
+
+	deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (deflt == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+		OSSL_PROVIDER_unload(legacy);
+		return -EINVAL;
+	}
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+	OSSL_PROVIDER_unload(legacy);
+	OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);

 /*----------------------------------------------------------------------------*/
@@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo = get_digest_name(xform);
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					(char *)algo, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1345,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }

+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1450,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
-
+# endif
 /*----------------------------------------------------------------------------*/

 /** Process auth/cipher combined operation */
@@ -1328,7 +1464,6 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
-	EVP_CIPHER_CTX *ctx_copy;

 	/*
 	 * Segmented destination buffer is not supported for
@@ -1365,8 +1500,6 @@ process_openssl_combined_op
 	}

 	taglen = sess->auth.digest_length;
-	ctx_copy = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);

 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1507,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);

 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1520,14 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 	}

-	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1557,7 +1689,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif

 	srclen = op->sym->auth.data.length;

@@ -1573,12 +1710,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
@@ -2215,6 +2362,13 @@ cryptodev_openssl_create(const char *name,

 	rte_cryptodev_pmd_probing_finish(dev);

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	/* Load legacy provider
+	 * Some algorithms are no longer available in earlier version of openssl,
+	 * unless the legacy provider explicitly loaded. e.g. DES
+	 */
+	ossl_load_legacy_provider();
+# endif
 	return 0;

 init_error:
@@ -2263,6 +2417,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
 	if (cryptodev == NULL)
 		return -ENODEV;

+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	ossl_unload_legacy_provider();
+# endif
 	return rte_cryptodev_pmd_destroy(cryptodev);
 }

--
2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-18 11:51       ` [dpdk-dev v5] " Kai Ji
@ 2022-02-18 13:41         ` Zhang, Roy Fan
  2022-02-24 19:02         ` [EXT] " Akhil Goyal
  2022-02-25 15:13         ` [dpdk-dev v6] " Kai Ji
  2 siblings, 0 replies; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-02-18 13:41 UTC (permalink / raw)
  To: Ji, Kai, dev; +Cc: gakhil

> -----Original Message-----
> From: Ji, Kai <kai.ji@intel.com>
> Sent: Friday, February 18, 2022 11:51 AM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ji, Kai
> <kai.ji@intel.com>
> Subject: [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto
> routine
> 
> This patch update the symmetric EVP routine in crypto openssl pmd
> to adopt openssl 3.0 library.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> 
> v5:
> - checkpatch fix
> 
> v4:
> - code comments addressed
> 
> v3:
> - rebase to 22.03-RC1
> - enable openssl 3.0 lagacy library of DES
> - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy
> without
>   a valid dup function pointer.
> 
> v2:
> - minor code fix
> 
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>

^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-18 11:51       ` [dpdk-dev v5] " Kai Ji
  2022-02-18 13:41         ` Zhang, Roy Fan
@ 2022-02-24 19:02         ` Akhil Goyal
  2022-02-24 23:13           ` Ji, Kai
  2022-02-25 15:13         ` [dpdk-dev v6] " Kai Ji
  2 siblings, 1 reply; 18+ messages in thread
From: Akhil Goyal @ 2022-02-24 19:02 UTC (permalink / raw)
  To: Kai Ji, dev; +Cc: roy.fan.zhang

> This patch update the symmetric EVP routine in crypto openssl pmd
> to adopt openssl 3.0 library.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> 
> v5:
> - checkpatch fix
> 
> v4:
> - code comments addressed
> 
> v3:
> - rebase to 22.03-RC1
> - enable openssl 3.0 lagacy library of DES
> - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy
> without
>   a valid dup function pointer.
> 
> v2:
> - minor code fix
> 
> ---
Openssl driver is not getting compiled with openssl3.0
Are you ignoring the warnings?


      |  ^~
In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12,
                 from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
/usr/local/include/openssl/dh.h:223:27: note: declared here
  223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh);
      |                           ^~~~~~~~~~~~~~~
../drivers/crypto/openssl/rte_openssl_pmd.c: In function 'process_openssl_rsa_op':
../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 2068 |   ret = RSA_public_encrypt(op->rsa.message.length,
      |   ^~~
In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
                 from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
/usr/local/include/openssl/rsa.h:282:5: note: declared here
  282 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
      |     ^~~~~~~~~~~~~~~~~~
../drivers/crypto/openssl/rte_openssl_pmd.c:2081:3: error: 'RSA_private_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 2081 |   ret = RSA_private_decrypt(op->rsa.cipher.length,
      |   ^~~
In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
                 from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
/usr/local/include/openssl/rsa.h:291:5: note: declared here
  291 | int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
      |     ^~~~~~~~~~~~~~~~~~~
../drivers/crypto/openssl/rte_openssl_pmd.c:2091:3: error: 'RSA_private_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 2091 |   ret = RSA_private_encrypt(op->rsa.message.length,
      |   ^~~
In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
                 from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
/usr/local/include/openssl/rsa.h:285:5: note: declared here
  285 | int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
      |     ^~~~~~~~~~~~~~~~~~~
../drivers/crypto/openssl/rte_openssl_pmd.c:2107:3: error: 'RSA_public_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 2107 |   ret = RSA_public_decrypt(op->rsa.sign.length,
      |   ^~~
In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
                 from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
/usr/local/include/openssl/rsa.h:288:5: note: declared here
  288 | int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
      |     ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
ninja: build stopped: subcommand failed.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-24 19:02         ` [EXT] " Akhil Goyal
@ 2022-02-24 23:13           ` Ji, Kai
  2022-02-25  3:55             ` Akhil Goyal
  0 siblings, 1 reply; 18+ messages in thread
From: Ji, Kai @ 2022-02-24 23:13 UTC (permalink / raw)
  To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan

Hi Akhil,

This patch was intend to support Openssl 3.0 on symmetric crypto algorithms only, where the deprecated APIs, compile warnings and failing test cases were fixed.
All the asymmetric crypto related issues stay untreated and will be fixed in the next patch. 

Regards

Kai 

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, February 24, 2022 7:03 PM
> To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym
> crypto routine
> 
> > This patch update the symmetric EVP routine in crypto openssl pmd to
> > adopt openssl 3.0 library.
> >
> > Signed-off-by: Kai Ji <kai.ji@intel.com>
> >
> > v5:
> > - checkpatch fix
> >
> > v4:
> > - code comments addressed
> >
> > v3:
> > - rebase to 22.03-RC1
> > - enable openssl 3.0 lagacy library of DES
> > - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy
> > without
> >   a valid dup function pointer.
> >
> > v2:
> > - minor code fix
> >
> > ---
> Openssl driver is not getting compiled with openssl3.0 Are you ignoring the
> warnings?
> 
> 
>       |  ^~
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/dh.h:223:27: note: declared here
>   223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh);
>       |                           ^~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c: In function
> 'process_openssl_rsa_op':
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error:
> 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-
> declarations]
>  2068 |   ret = RSA_public_encrypt(op->rsa.message.length,
>       |   ^~~
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/rsa.h:282:5: note: declared here
>   282 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char
> *to,
>       |     ^~~~~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2081:3: error:
> 'RSA_private_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-
> declarations]
>  2081 |   ret = RSA_private_decrypt(op->rsa.cipher.length,
>       |   ^~~
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/rsa.h:291:5: note: declared here
>   291 | int RSA_private_decrypt(int flen, const unsigned char *from, unsigned
> char *to,
>       |     ^~~~~~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2091:3: error:
> 'RSA_private_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-
> declarations]
>  2091 |   ret = RSA_private_encrypt(op->rsa.message.length,
>       |   ^~~
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/rsa.h:285:5: note: declared here
>   285 | int RSA_private_encrypt(int flen, const unsigned char *from, unsigned
> char *to,
>       |     ^~~~~~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2107:3: error:
> 'RSA_public_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-
> declarations]
>  2107 |   ret = RSA_public_decrypt(op->rsa.sign.length,
>       |   ^~~
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/rsa.h:288:5: note: declared here
>   288 | int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char
> *to,
>       |     ^~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
> ninja: build stopped: subcommand failed.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-24 23:13           ` Ji, Kai
@ 2022-02-25  3:55             ` Akhil Goyal
  2022-02-25 10:19               ` Ji, Kai
  0 siblings, 1 reply; 18+ messages in thread
From: Akhil Goyal @ 2022-02-25  3:55 UTC (permalink / raw)
  To: Ji, Kai, dev; +Cc: Zhang, Roy Fan

Hi Kai,
> Hi Akhil,
> 
> This patch was intend to support Openssl 3.0 on symmetric crypto algorithms
> only, where the deprecated APIs, compile warnings and failing test cases were
> fixed.
> All the asymmetric crypto related issues stay untreated and will be fixed in the
> next patch.
> 
How can one verify if the driver is openssl 3.0 compliant?
Is there a way to bypass those warnings?
We cannot have build with warnings or we can have something in meson.build
to bypass those for openssl pmd.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-25  3:55             ` Akhil Goyal
@ 2022-02-25 10:19               ` Ji, Kai
  2022-02-25 10:39                 ` Akhil Goyal
  0 siblings, 1 reply; 18+ messages in thread
From: Ji, Kai @ 2022-02-25 10:19 UTC (permalink / raw)
  To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan

The warning messages are deprecated APIs warnings from openssl , not compiler warnings from gcc, the integrity of DPDK remain the same.
Alongside openssl pmd, the ccp and qat pmd also raise the same type of warnings once openssl 3.0 installed. 

In the current intel roadmap,  we will try to support 3.0 API fully for openssl and qat pmds by the end of year, so this patch is the first step.    
I think the warning messages are safe to stay, Unfortunately the fix ccp pmd driver is out of our reach. 

Regards

Kai 
 

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Friday, February 25, 2022 3:56 AM
> To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym
> crypto routine
> 
> Hi Kai,
> > Hi Akhil,
> >
> > This patch was intend to support Openssl 3.0 on symmetric crypto
> > algorithms only, where the deprecated APIs, compile warnings and
> > failing test cases were fixed.
> > All the asymmetric crypto related issues stay untreated and will be
> > fixed in the next patch.
> >
> How can one verify if the driver is openssl 3.0 compliant?
> Is there a way to bypass those warnings?
> We cannot have build with warnings or we can have something in meson.build to
> bypass those for openssl pmd.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-25 10:19               ` Ji, Kai
@ 2022-02-25 10:39                 ` Akhil Goyal
  2022-02-25 11:19                   ` Ji, Kai
  2022-02-25 13:51                   ` Zhang, Roy Fan
  0 siblings, 2 replies; 18+ messages in thread
From: Akhil Goyal @ 2022-02-25 10:39 UTC (permalink / raw)
  To: Ji, Kai, dev; +Cc: Zhang, Roy Fan

Hi Kai,
> 
> The warning messages are deprecated APIs warnings from openssl , not
> compiler warnings from gcc, the integrity of DPDK remain the same.
> Alongside openssl pmd, the ccp and qat pmd also raise the same type of
> warnings once openssl 3.0 installed.
> 
> In the current intel roadmap,  we will try to support 3.0 API fully for openssl and
> qat pmds by the end of year, so this patch is the first step.
> I think the warning messages are safe to stay, Unfortunately the fix ccp pmd
> driver is out of our reach.
> 

When DPDK is compiled with openssl 3.0. I am seeing these errors in compilation.
So, compilation is broken and we cannot take this patch as is.
We have few options,
- fix all of these errors,
- add exception in meson.build for ignoring these errors.
- disable/skip compilation of PMDs if openssl version is >3.0

Adding only one type of APIs does not make sense, if the driver is not compiled.

In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12,
                 from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
/usr/local/include/openssl/dh.h:223:27: note: declared here
  223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh);
      |                           ^~~~~~~~~~~~~~~
../drivers/crypto/openssl/rte_openssl_pmd.c: In function 'process_openssl_rsa_op':
../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
 2068 |   ret = RSA_public_encrypt(op->rsa.message.length,

Also, avoid top posting of comments!

^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-25 10:39                 ` Akhil Goyal
@ 2022-02-25 11:19                   ` Ji, Kai
  2022-02-25 13:51                   ` Zhang, Roy Fan
  1 sibling, 0 replies; 18+ messages in thread
From: Ji, Kai @ 2022-02-25 11:19 UTC (permalink / raw)
  To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan

HI Akhil,

> 
> When DPDK is compiled with openssl 3.0. I am seeing these errors in compilation.
> So, compilation is broken and we cannot take this patch as is.
> We have few options,
> - fix all of these errors,
> - add exception in meson.build for ignoring these errors.
> - disable/skip compilation of PMDs if openssl version is >3.0
> 
> Adding only one type of APIs does not make sense, if the driver is not compiled.
> 
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/dh.h:223:27: note: declared here
>   223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh);
>       |                           ^~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c: In function
> 'process_openssl_rsa_op':
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error:
> 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-
> declarations]
>  2068 |   ret = RSA_public_encrypt(op->rsa.message.length,
> 
> Also, avoid top posting of comments!


I will try to suppress the warning message in meson.build by EOB, otherwise the patch need to be deferred until next release. 

Regards

Kai  

^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-25 10:39                 ` Akhil Goyal
  2022-02-25 11:19                   ` Ji, Kai
@ 2022-02-25 13:51                   ` Zhang, Roy Fan
  2022-02-28  5:35                     ` Namburu, Chandu-babu
  1 sibling, 1 reply; 18+ messages in thread
From: Zhang, Roy Fan @ 2022-02-25 13:51 UTC (permalink / raw)
  To: Akhil Goyal, Ji, Kai, dev; +Cc: chandu

Hi Akhil,

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Friday, February 25, 2022 10:40 AM
> To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym
> crypto routine
> 
> Hi Kai,
> >
> > The warning messages are deprecated APIs warnings from openssl , not
> > compiler warnings from gcc, the integrity of DPDK remain the same.
> > Alongside openssl pmd, the ccp and qat pmd also raise the same type of
> > warnings once openssl 3.0 installed.
> >
> > In the current intel roadmap,  we will try to support 3.0 API fully for openssl
> and
> > qat pmds by the end of year, so this patch is the first step.
> > I think the warning messages are safe to stay, Unfortunately the fix ccp
> pmd
> > driver is out of our reach.
> >
> 
> When DPDK is compiled with openssl 3.0. I am seeing these errors in
> compilation.
> So, compilation is broken and we cannot take this patch as is.
> We have few options,
> - fix all of these errors,
> - add exception in meson.build for ignoring these errors.
> - disable/skip compilation of PMDs if openssl version is >3.0
> 
> Adding only one type of APIs does not make sense, if the driver is not
> compiled.
> 
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/dh.h:223:27: note: declared here
>   223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh);
>       |                           ^~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c: In function
> 'process_openssl_rsa_op':
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error:
> 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-
> Werror=deprecated-declarations]
>  2068 |   ret = RSA_public_encrypt(op->rsa.message.length,

You are right. We will defer the change to next release so we can send along
with the asym openssl change Kai is working on. But since we have your attention
I would want to drag Chandubabu's attention too  as there are three PMDs uses
deprecated openssl lib APIs: openssl, qat, and ccp. Adding a suppress flag to meson
build file won't resolve the problem - we need to resolve them before the APIs are
gone for good.

> 
> Also, avoid top posting of comments!

^ permalink raw reply	[flat|nested] 18+ messages in thread

* [dpdk-dev v6] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-18 11:51       ` [dpdk-dev v5] " Kai Ji
  2022-02-18 13:41         ` Zhang, Roy Fan
  2022-02-24 19:02         ` [EXT] " Akhil Goyal
@ 2022-02-25 15:13         ` Kai Ji
  2022-02-25 17:35           ` Stephen Hemminger
  2 siblings, 1 reply; 18+ messages in thread
From: Kai Ji @ 2022-02-25 15:13 UTC (permalink / raw)
  To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji

This patch setup OPENSSL_API_COMPAT to suppress deprecated compile
warning messages in ccp, openssl and qat PMDs, also update the symmetric
EVP routine in crypto openssl pmd to adopt openssl 3.0 library.

Signed-off-by: Kai Ji <kai.ji@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 drivers/common/qat/meson.build               |   1 +
 drivers/crypto/ccp/meson.build               |   1 +
 drivers/crypto/openssl/meson.build           |   1 +
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 187 ++++++++++++++++++-
 5 files changed, 184 insertions(+), 10 deletions(-)

diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
index af92271a75..f9bef9b2e1 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -86,4 +86,5 @@ if qat_crypto
     deps += ['security']
     ext_deps += libcrypto
     cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM']
+    cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
 endif
diff --git a/drivers/crypto/ccp/meson.build b/drivers/crypto/ccp/meson.build
index a4f3406009..fe89e17b14 100644
--- a/drivers/crypto/ccp/meson.build
+++ b/drivers/crypto/ccp/meson.build
@@ -23,3 +23,4 @@ sources = files(
 )
 
 ext_deps += dep
+cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build
index cd962da1d6..cef92fe57a 100644
--- a/drivers/crypto/openssl/meson.build
+++ b/drivers/crypto/openssl/meson.build
@@ -15,3 +15,4 @@ endif
 deps += 'bus_vdev'
 sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c')
 ext_deps += dep
+cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
\ No newline at end of file
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5794ed8159..5840ab472e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE		16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+	/* Load Multiple providers into the default (NULL) library context */
+	legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	if (legacy == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+		return;
+	}
+
+	deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (deflt == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+		OSSL_PROVIDER_unload(legacy);
+		return;
+	}
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+	OSSL_PROVIDER_unload(legacy);
+	OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
 
 /*----------------------------------------------------------------------------*/
@@ -580,6 +635,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo;
+		algo = get_digest_name(xform);
+		if (!algo)
+			return -EINVAL;
+		char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+		memcpy(algo_name, algo, (sizeof(algo)+1));
+
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					algo_name, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +687,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -723,7 +812,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }
 
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
-
+# endif
 /*----------------------------------------------------------------------------*/
 
 /** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
-	EVP_CIPHER_CTX *ctx_copy;
 
 	/*
 	 * Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
 	}
 
 	taglen = sess->auth.digest_length;
-	ctx_copy = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 
 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 	}
 
-	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif
 
 	srclen = op->sym->auth.data.length;
 
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
@@ -2215,6 +2372,13 @@ cryptodev_openssl_create(const char *name,
 
 	rte_cryptodev_pmd_probing_finish(dev);
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	/* Load legacy provider
+	 * Some algorithms are no longer available in earlier version of openssl,
+	 * unless the legacy provider explicitly loaded. e.g. DES
+	 */
+	ossl_load_legacy_provider();
+# endif
 	return 0;
 
 init_error:
@@ -2263,6 +2427,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
 	if (cryptodev == NULL)
 		return -ENODEV;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	ossl_unload_legacy_provider();
+# endif
 	return rte_cryptodev_pmd_destroy(cryptodev);
 }
 
-- 
2.17.1


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [dpdk-dev v6] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-25 15:13         ` [dpdk-dev v6] " Kai Ji
@ 2022-02-25 17:35           ` Stephen Hemminger
  0 siblings, 0 replies; 18+ messages in thread
From: Stephen Hemminger @ 2022-02-25 17:35 UTC (permalink / raw)
  To: Kai Ji; +Cc: dev, gakhil, roy.fan.zhang

On Fri, 25 Feb 2022 23:13:56 +0800
Kai Ji <kai.ji@intel.com> wrote:

> +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
> \ No newline at end of file

All files in DPDK should have newline at end of file.
How did this sneak in?

^ permalink raw reply	[flat|nested] 18+ messages in thread

* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine
  2022-02-25 13:51                   ` Zhang, Roy Fan
@ 2022-02-28  5:35                     ` Namburu, Chandu-babu
  0 siblings, 0 replies; 18+ messages in thread
From: Namburu, Chandu-babu @ 2022-02-28  5:35 UTC (permalink / raw)
  To: Zhang, Roy Fan, Akhil Goyal, Ji, Kai, dev; +Cc: Sebastian, Selwin

[Public]

Hi Roy Fan,

-----Original Message-----
From: Zhang, Roy Fan <roy.fan.zhang@intel.com> 
Sent: Friday, February 25, 2022 7:21 PM
To: Akhil Goyal <gakhil@marvell.com>; Ji, Kai <kai.ji@intel.com>; dev@dpdk.org
Cc: Namburu, Chandu-babu <chandu@amd.com>
Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine

Hi Akhil,

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Friday, February 25, 2022 10:40 AM
> To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support 
> on sym crypto routine
> 
> Hi Kai,
> >
> > The warning messages are deprecated APIs warnings from openssl , not 
> > compiler warnings from gcc, the integrity of DPDK remain the same.
> > Alongside openssl pmd, the ccp and qat pmd also raise the same type 
> > of warnings once openssl 3.0 installed.
> >
> > In the current intel roadmap,  we will try to support 3.0 API fully 
> > for openssl
> and
> > qat pmds by the end of year, so this patch is the first step.
> > I think the warning messages are safe to stay, Unfortunately the fix 
> > ccp
> pmd
> > driver is out of our reach.
> >
> 
> When DPDK is compiled with openssl 3.0. I am seeing these errors in 
> compilation.
> So, compilation is broken and we cannot take this patch as is.
> We have few options,
> - fix all of these errors,
> - add exception in meson.build for ignoring these errors.
> - disable/skip compilation of PMDs if openssl version is >3.0
> 
> Adding only one type of APIs does not make sense, if the driver is not 
> compiled.
> 
> In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12,
>                  from ../drivers/crypto/openssl/rte_openssl_pmd.c:16:
> /usr/local/include/openssl/dh.h:223:27: note: declared here
>   223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh);
>       |                           ^~~~~~~~~~~~~~~
> ../drivers/crypto/openssl/rte_openssl_pmd.c: In function
> 'process_openssl_rsa_op':
> ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error:
> 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [- 
> Werror=deprecated-declarations]
>  2068 |   ret = RSA_public_encrypt(op->rsa.message.length,

You are right. We will defer the change to next release so we can send along with the asym openssl change Kai is working on. But since we have your attention I would want to drag Chandubabu's attention too  as there are three PMDs uses deprecated openssl lib APIs: openssl, qat, and ccp. Adding a suppress flag to meson build file won't resolve the problem - we need to resolve them before the APIs are gone for good.

Thank you for bringing this to our attention, we will work on CCP changes to support 3.0 API's.

> 
> Also, avoid top posting of comments!

^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2022-02-28  5:35 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-04 17:57 [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update Kai Ji
2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji
2022-02-07 15:40   ` Zhang, Roy Fan
2022-02-17 17:45   ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji
2022-02-17 18:01     ` [EXT] " Akhil Goyal
2022-02-18  9:44     ` [dpdk-dev v4] " Kai Ji
2022-02-18 11:51       ` [dpdk-dev v5] " Kai Ji
2022-02-18 13:41         ` Zhang, Roy Fan
2022-02-24 19:02         ` [EXT] " Akhil Goyal
2022-02-24 23:13           ` Ji, Kai
2022-02-25  3:55             ` Akhil Goyal
2022-02-25 10:19               ` Ji, Kai
2022-02-25 10:39                 ` Akhil Goyal
2022-02-25 11:19                   ` Ji, Kai
2022-02-25 13:51                   ` Zhang, Roy Fan
2022-02-28  5:35                     ` Namburu, Chandu-babu
2022-02-25 15:13         ` [dpdk-dev v6] " Kai Ji
2022-02-25 17:35           ` Stephen Hemminger

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).