From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 367A5A0505; Thu, 7 Apr 2022 18:36:56 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 024C84068B; Thu, 7 Apr 2022 18:36:56 +0200 (CEST) Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mails.dpdk.org (Postfix) with ESMTP id E6430410DC for ; Thu, 7 Apr 2022 18:36:53 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1649349414; x=1680885414; h=from:to:cc:subject:date:message-id; bh=XK3QfQRWgUxK81deiM1K3UZqp3b4rYJJEFHl20ajXAY=; b=IozYqPN7CMrudLYStieYL80+S4MLH6L9HAifzYS2xnfzRG02eLs+Qx9T QJ4XZCY3oHa9nMfmO6/2UGH2ArmYySUQTIGtDEavN2kPgMmQMI5rkP9dW rpZSWipnlZt+cc1CB3sqdO9wE9HbmjbIlYHhSSLTHp5X43H+oLq8L+TYn v+3CCjL0z7Sx1/fxp6m6x1V1j7LI04eCTAi2Q24kUXsy0Z1DwZmX435F3 +siDE+klQngm19woTaFxX20pdRA8liO6oeEyEyn2xXavkdFVUDVpjZbjF 7p96ZdjzO3EtJADTIF5n8Tlhe4mA+wB4NGVpTncdgyK57cUsQZqF1X1kV A==; X-IronPort-AV: E=McAfee;i="6400,9594,10310"; a="322067079" X-IronPort-AV: E=Sophos;i="5.90,242,1643702400"; d="scan'208";a="322067079" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 Apr 2022 09:36:53 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.90,242,1643702400"; d="scan'208";a="659132377" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga004.jf.intel.com with ESMTP; 07 Apr 2022 09:36:50 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Date: Fri, 8 Apr 2022 00:36:48 +0800 Message-Id: <20220407163648.38583-1-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch update the asymmetric RSA and DH routine in crypto openssl pmd to adopt openssl 3.0 EVP library. Signed-off-by: Kai Ji --- drivers/crypto/openssl/compat.h | 43 ++- drivers/crypto/openssl/openssl_pmd_private.h | 11 + drivers/crypto/openssl/rte_openssl_pmd.c | 288 ++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 151 +++++++++- 4 files changed, 489 insertions(+), 4 deletions(-) diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..80b1493a5f 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -104,8 +104,49 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key) *priv_key = dsa->priv_key; } -#else +#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static __rte_always_inline int +set_dsa_params(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + return !(DSA_set0_pqg(dsa, p, q, g)); +} + +static __rte_always_inline void +set_dsa_priv_key(DSA *dsa, BIGNUM *priv_key) +{ + DSA_set0_key(dsa, NULL, priv_key); +} + +static __rte_always_inline void +set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s) +{ + DSA_SIG_set0(sign, r, s); +} + +static __rte_always_inline void +get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s) +{ + DSA_SIG_get0(sign, r, s); +} +static __rte_always_inline int +set_dsa_keys(DSA *dsa, BIGNUM *pub, BIGNUM *priv) +{ + return !(DSA_set0_key(dsa, pub, priv)); +} + +static __rte_always_inline void +set_dsa_pub_key(DSA *dsa, BIGNUM *pub_key) +{ + DSA_set0_key(dsa, pub_key, NULL); +} + +static __rte_always_inline void +get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key) +{ + DSA_get0_key(dsa, NULL, priv_key); +} +#else static __rte_always_inline int set_rsa_params(RSA *rsa, BIGNUM *p, BIGNUM *q) { diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 86dc169aaf..aef12c3e21 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -12,6 +12,11 @@ #include #include +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#endif + #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +162,9 @@ struct openssl_asym_session { union { struct rsa { RSA *rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + EVP_PKEY_CTX * ctx; +#endif } r; struct exp { BIGNUM *exp; @@ -170,6 +178,9 @@ struct openssl_asym_session { struct dh { DH *dh_key; uint32_t key_op; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; +#endif } dh; struct { DSA *dsa; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5840ab472e..e423114c08 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -43,6 +43,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) #include #include +#include #define MAX_OSSL_ALGO_NAME_SIZE 16 @@ -1845,6 +1846,134 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, return 0; } +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +/* process dh operation */ +static int +process_openssl_dh_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dh_op_param *op = &cop->asym->dh; + OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld; + OSSL_PARAM *params = NULL; + EVP_PKEY *dhpkey = NULL; + BIGNUM *priv_key = NULL; + BIGNUM *pub_key = NULL; + + EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (dh_ctx == NULL || param_bld == NULL) { + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + return -1; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (params == NULL) { + EVP_PKEY_CTX_free(dh_ctx); + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + return -1; + } + + if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) { + pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length, + pub_key); + if (pub_key == NULL) + goto err; + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, + pub_key)) { + OPENSSL_LOG(ERR, "Failed to set public key\n"); + BN_free(pub_key); + goto err; + } + } + + if ((sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) && + !(sess->u.dh.key_op & + (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) { + + priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length, + priv_key); + if (priv_key == NULL) + goto err; + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv_key)) { + OPENSSL_LOG(ERR, "Failed to set private key\n"); + BN_free(priv_key); + goto err; + } + } + + if (EVP_PKEY_keygen_init(dh_ctx) != 1) + goto err; + + if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1) + goto err; + + if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1) + goto err; + + if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) { + OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key)) + goto err; + /* output public key */ + op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data); + } + + if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) { + + OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key)) + goto err; + + /* provide generated private key back to user */ + op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data); + } + + if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) { + size_t skey_len; + EVP_PKEY *peerkey = dhpkey; + EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL); + + if (EVP_PKEY_derive_init(sc_ctx) <= 0) + goto err; + + if (EVP_PKEY_CTX_set_params(sc_ctx, params) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err; + } + + if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err; + } + /* Determine buffer length */ + if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err; + } + + if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err; + } + + op->shared_secret.length = skey_len; + EVP_PKEY_free(peerkey); + EVP_PKEY_CTX_free(sc_ctx); + } + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + return 0; + + err: + EVP_PKEY_CTX_free(dh_ctx); + OSSL_PARAM_free(params); + OSSL_PARAM_BLD_free(param_bld); + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + return -1; +} +# else /* process dh operation */ static int process_openssl_dh_op(struct rte_crypto_op *cop, @@ -1857,6 +1986,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop, if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) { + /* compute shared secret using peer public key * and current private key * shared secret = peer_key ^ priv_key mod p @@ -1887,7 +2017,6 @@ process_openssl_dh_op(struct rte_crypto_op *cop, BN_free(priv_key); return 0; } - ret = DH_compute_key( op->shared_secret.data, peer_key, dh_key); @@ -1983,6 +2112,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop, return 0; } +#endif /* process modinv operation */ static int process_openssl_modinv_op(struct rte_crypto_op *cop, @@ -2048,6 +2178,153 @@ process_openssl_modexp_op(struct rte_crypto_op *cop, return 0; } +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +/* process rsa operations */ +static int +process_openssl_rsa_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + uint32_t pad = (op->rsa.pad); + uint8_t *tmp; + + size_t outlen = 0; + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx; + if (!rsa_ctx) + return -1; + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + + switch (pad) { + case RTE_CRYPTO_RSA_PADDING_PKCS1_5: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_NONE: + pad = RSA_NO_PADDING; + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + OPENSSL_LOG(ERR, + "rsa pad type not supported %d\n", pad); + return -1; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) + goto err; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err; + + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err; + + if (outlen <= 0) + goto err; + + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err; + op->rsa.cipher.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of encrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1) + goto err; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err; + + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err; + + if (outlen <= 0) + goto err; + + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err; + op->rsa.message.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of decrypted text %zu\n", outlen); + break; + case RTE_CRYPTO_ASYM_OP_SIGN: + if (EVP_PKEY_sign_init(rsa_ctx) <= 0) + goto err; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err; + + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err; + op->rsa.sign.length = outlen; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + } + + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) { + rte_free(tmp); + goto err; + } + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) { + rte_free(tmp); + goto err; + } + + + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + op->rsa.sign.data, + op->rsa.sign.length) <= 0) { + rte_free(tmp); + goto err; + } + + OPENSSL_LOG(DEBUG, + "Length of public_decrypt %zu " + "length of message %zd\n", + outlen, op->rsa.message.length); + if (CRYPTO_memcmp(tmp, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + } + rte_free(tmp); + break; + + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + break; + } + + return 0; +err: + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + return -1; + +} +#else /* process rsa operations */ static int process_openssl_rsa_op(struct rte_crypto_op *cop, @@ -2147,6 +2424,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, return 0; } +#endif static int process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -2158,7 +2436,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_rsa_op_evp(op, sess); +# else retval = process_openssl_rsa_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: retval = process_openssl_modexp_op(op, sess); @@ -2167,7 +2449,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, retval = process_openssl_modinv_op(op, sess); break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_dh_op_evp(op, sess); +# else retval = process_openssl_dh_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 52715f86f8..26ca680661 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -11,6 +11,13 @@ #include "openssl_pmd_private.h" #include "compat.h" +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include +#include + +#endif static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { { /* MD5 HMAC */ @@ -820,6 +827,117 @@ static int openssl_set_asym_session_parameters( switch (xform->xform_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: { + +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + BIGNUM *n = NULL; + BIGNUM *e = NULL; + BIGNUM *d = NULL; + BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL; + BIGNUM *iqmp = NULL, *dmq1 = NULL; + OSSL_PARAM_BLD *param_bld = NULL; + + /* copy xfrm data into rsa struct */ + n = BN_bin2bn((const unsigned char *)xform->rsa.n.data, + xform->rsa.n.length, n); + e = BN_bin2bn((const unsigned char *)xform->rsa.e.data, + xform->rsa.e.length, e); + + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_E, e)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) { + d = BN_bin2bn( + (const unsigned char *)xform->rsa.d.data, + xform->rsa.d.length, + d); + if (!d) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } else { + p = BN_bin2bn((const unsigned char *) + xform->rsa.qt.p.data, + xform->rsa.qt.p.length, + p); + q = BN_bin2bn((const unsigned char *) + xform->rsa.qt.q.data, + xform->rsa.qt.q.length, + q); + dmp1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dP.data, + xform->rsa.qt.dP.length, + dmp1); + dmq1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dQ.data, + xform->rsa.qt.dQ.length, + dmq1); + iqmp = BN_bin2bn((const unsigned char *) + xform->rsa.qt.qInv.data, + xform->rsa.qt.qInv.length, + iqmp); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR1, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR2, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_D, d)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *rsa_ctx = NULL; + OSSL_PARAM *params = NULL; + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) + return -1; + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_KEYPAIR, params) <= 0) { + OSSL_PARAM_BLD_free(param_bld); + return -1; + } + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + asym_session->u.r.ctx = rsa_ctx; + break; +#else BIGNUM *n = NULL; BIGNUM *e = NULL; BIGNUM *d = NULL; @@ -904,6 +1022,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; break; +#endif err_rsa: BN_clear_free(n); BN_clear_free(e); @@ -990,7 +1109,29 @@ static int openssl_set_asym_session_parameters( if (!p || !g) goto err_dh; - DH *dh = DH_new(); + DH *dh = NULL; + +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD *param_bld = NULL; + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + return -1; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + return -1; + } + + asym_session->u.dh.param_bld = param_bld; +#else + dh = DH_new(); if (dh == NULL) { OPENSSL_LOG(ERR, "failed to allocate resources\n"); @@ -1001,7 +1142,7 @@ static int openssl_set_asym_session_parameters( DH_free(dh); goto err_dh; } - +#endif /* * setup xfrom for * public key generate, or @@ -1037,6 +1178,7 @@ static int openssl_set_asym_session_parameters( BN_free(p); BN_free(g); return -1; + } case RTE_CRYPTO_ASYM_XFORM_DSA: { @@ -1174,8 +1316,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) { switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (sess->u.r.ctx) + EVP_PKEY_CTX_free(sess->u.r.ctx); +#else if (sess->u.r.rsa) RSA_free(sess->u.r.rsa); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: if (sess->u.e.ctx) { -- 2.17.1