From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A07EEA034C; Fri, 25 Feb 2022 16:14:04 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 154364115C; Fri, 25 Feb 2022 16:14:04 +0100 (CET) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mails.dpdk.org (Postfix) with ESMTP id D75714068B for ; Fri, 25 Feb 2022 16:14:01 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1645802042; x=1677338042; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=8Vqal3pZpXfK+/Ve+GxctRwJ6cqgWG4cDnDeCzImnmI=; b=CRblfgK2mw5JwxuitgcW1YAIFw4djh6/b1LmhrkqTGSB6Z9lMTECsPtA kvcOboKJXKCBrChh7JZ0mah4Rfvj3szut8vWHIdhr7TMI8lbUm9lut6C8 YiTEQ3F1SND5Du6jQmypB37UDrq88GJPAFVpy2VA7CgsLfIjSCe55QJCA 353+jOocP8cCftgniHDNl58pw2KyKDUdLrETdYQBgFdhEDLSoht5mf7ie sR3I0Ee+qucRqXmZbuMx77sbpL96gvB31QFzXBTnY7aNLZY8T7iUoiUTy mFr1vQ1sYtQRJzPri9N0jg2ZCwtzAYR3VMcSUyda5CmbThM1XvI/t/TOj g==; X-IronPort-AV: E=McAfee;i="6200,9189,10268"; a="252433631" X-IronPort-AV: E=Sophos;i="5.90,136,1643702400"; d="scan'208";a="252433631" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Feb 2022 07:14:00 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,136,1643702400"; d="scan'208";a="533601970" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 25 Feb 2022 07:13:59 -0800 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, roy.fan.zhang@intel.com, Kai Ji Subject: [dpdk-dev v6] crypto/openssl: openssl 3.0 support on sym crypto routine Date: Fri, 25 Feb 2022 23:13:56 +0800 Message-Id: <20220225151356.73397-1-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220218115124.57745-1-kai.ji@intel.com> References: <20220218115124.57745-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch setup OPENSSL_API_COMPAT to suppress deprecated compile warning messages in ccp, openssl and qat PMDs, also update the symmetric EVP routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji Acked-by: Fan Zhang --- drivers/common/qat/meson.build | 1 + drivers/crypto/ccp/meson.build | 1 + drivers/crypto/openssl/meson.build | 1 + drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 5 files changed, 184 insertions(+), 10 deletions(-) diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build index af92271a75..f9bef9b2e1 100644 --- a/drivers/common/qat/meson.build +++ b/drivers/common/qat/meson.build @@ -86,4 +86,5 @@ if qat_crypto deps += ['security'] ext_deps += libcrypto cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM'] + cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] endif diff --git a/drivers/crypto/ccp/meson.build b/drivers/crypto/ccp/meson.build index a4f3406009..fe89e17b14 100644 --- a/drivers/crypto/ccp/meson.build +++ b/drivers/crypto/ccp/meson.build @@ -23,3 +23,4 @@ sources = files( ) ext_deps += dep +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build index cd962da1d6..cef92fe57a 100644 --- a/drivers/crypto/openssl/meson.build +++ b/drivers/crypto/openssl/meson.build @@ -15,3 +15,4 @@ endif deps += 'bus_vdev' sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c') ext_deps += dep +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] \ No newline at end of file diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5794ed8159..5840ab472e 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +635,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = get_digest_name(xform); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +687,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +812,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1474,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1510,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1517,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1530,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2215,6 +2372,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2263,6 +2427,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } -- 2.17.1