From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 73B31A04FD; Mon, 16 May 2022 12:11:05 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 46C1A4282E; Mon, 16 May 2022 12:10:51 +0200 (CEST) Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id DCF80410F6 for ; Mon, 16 May 2022 12:10:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1652695849; x=1684231849; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=gGz/I2SOyseC30DENfqUBMlYzVZU3edB8f062j9rasc=; b=K7K0g+RuDp7JZz+cza18VFM/k6Xs3ehRhCZjWPpjGkfGOI1rVMIwNpNj VYw9zRAC0yBCpg7fCSPBHyy1bDdMQs0CiNw0MY52P67ZBiMwSFbXg4vRx AwJJGgy6eNw7VUsu/JelHPEVkgBKqPKYNOuN8Lhubkl7550qDVF5pG8qq 9xoim+29mVKIDQnw0C1TC6Gwa2IGr0rQQbpSz4BKu8GDAqNsdoh2ABa8Q H3anxrsGom2xu1hRZBv4rVM7bR4qWSv4n0JOTP6TCsYL4JaBmsurZrPAr YUGRYdOHT3e82WyqFc24LuQUP3x5NpYOnWJr5Oh41xfwUqfeUWw2lLuSI w==; X-IronPort-AV: E=McAfee;i="6400,9594,10348"; a="252857803" X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="252857803" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 May 2022 03:10:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="568254345" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 16 May 2022 03:10:45 -0700 
From: Kai Ji To: dev@dpdk.org Cc: Kai Ji Subject: [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Date: Mon, 16 May 2022 18:10:37 +0800 Message-Id: <20220516101039.4537-4-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com> References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric RSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji
---
 drivers/crypto/openssl/openssl_pmd_private.h | 7 +
 drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
 3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..d603626fdf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
 #include
 #include
 #include
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include
+#include
+#endif
 #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
 union {
 struct rsa {
 RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
 } r;
 struct exp {
 BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index db1f788d79..e8dd4f4a42 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2047,6 +2047,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
 }
 /* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.pad);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
 static int
 process_openssl_rsa_op(struct rte_crypto_op *cop,
 struct openssl_asym_session *sess)
@@ -2145,6 +2289,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 return 0;
 }
+#endif
 static int
 process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
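Review bot: In the RTE_CRYPTO_ASYM_OP_VERIFY case of process_openssl_rsa_op_evp, a CRYPTO_memcmp mismatch only logs "RSA sign Verification failed" and then falls through to `ret = 0; cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;`, so a failed signature check is reported to the caller as success. The comparison also never checks the recovered length `outlen` against `op->rsa.message.length`, while `tmp` is only `op->rsa.sign.length` bytes long, so a longer message length would read past the buffer. The mismatch branch should free `tmp` and `goto err_rsa`, with the length made part of the condition. Separately, the SIGN and VERIFY cases pass `outlen` as 0 into EVP_PKEY_sign / EVP_PKEY_verify_recover, whereas the encrypt and decrypt cases query the size first; it looks as if the output buffer size should be supplied there too, which is worth confirming against the OpenSSL 3.0 documentation.

```c
	/* … unchanged: verify_recover init, padding and EVP_PKEY_verify_recover call … */
	if (outlen != op->rsa.message.length ||
			CRYPTO_memcmp(tmp, op->rsa.message.data,
				op->rsa.message.length)) {
		OPENSSL_LOG(ERR, "RSA sign Verification failed");
		rte_free(tmp);
		/* cop->status is still RTE_CRYPTO_OP_STATUS_ERROR here */
		goto err_rsa;
	}
	rte_free(tmp);
	break;
```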
@@ -2156,7 +2301,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 switch (sess->xfrm_type) {
 case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
 retval = process_openssl_rsa_op(op, sess);
+#endif
 break;
 case RTE_CRYPTO_ASYM_XFORM_MODEX:
 retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 1cb07794bd..52a5119d47 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -10,7 +10,11 @@
 #include "openssl_pmd_private.h"
 #include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include
+#include
+#include
+#endif
 static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 { /* MD5 HMAC */
@@ -833,6 +837,106 @@ static int openssl_set_asym_session_parameters(
 if (!n || !e)
 goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
 RSA *rsa = RSA_new();
 if (rsa == NULL)
 goto err_rsa;
@@ -902,6 +1006,7 @@ static int openssl_set_asym_session_parameters(
 asym_session->u.r.rsa = rsa;
 asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
 break;
+#endif
 err_rsa:
 BN_clear_free(n);
 BN_clear_free(e);
@@ -1160,8 +1265,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
 {
 switch (sess->xfrm_type) {
 case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
 if (sess->u.r.rsa)
 RSA_free(sess->u.r.rsa);
+#endif
 break;
 case RTE_CRYPTO_ASYM_XFORM_MODEX:
 if (sess->u.e.ctx) {
--
2.17.1
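Review bot: The OpenSSL 3.0 branch added to openssl_set_asym_session_parameters (hunk at -833) stores the result of `EVP_PKEY_CTX_new(pkey, NULL)` in the session without a NULL check and never releases `pkey` or `param_bld` on the success path, so every RSA session setup leaves a builder and a key object holding private-key material allocated. The two failure exits taken after `key_ctx` is created also skip `EVP_PKEY_CTX_free(key_ctx)`, and the EVP_PKEY_fromdata failure exit skips `OSSL_PARAM_BLD_free(param_bld)`. The success path `break`s before `err_rsa:`, so unless the BIGNUMs are released further down, outside this hunk, they presumably need a BN_clear_free on that path as well, since OSSL_PARAM_BLD_push_BN does not appear to take ownership of them. N and E are also pushed into the builder twice, and the function body continues outside the hunk.

```c
	/* … unchanged: BN conversion and OSSL_PARAM_BLD_push_BN calls … */
	params = OSSL_PARAM_BLD_to_param(param_bld);
	OSSL_PARAM_BLD_free(param_bld);	/* builder is not needed once params exist */
	if (!params) {
		EVP_PKEY_CTX_free(key_ctx);
		goto err_rsa;
	}

	if (/* … unchanged: key_ctx, EVP_PKEY_fromdata_init, EVP_PKEY_fromdata checks … */) {
		EVP_PKEY_CTX_free(key_ctx);
		OSSL_PARAM_free(params);
		goto err_rsa;
	}

	rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
	EVP_PKEY_free(pkey);	/* rsa_ctx keeps its own reference to the key */
	EVP_PKEY_CTX_free(key_ctx);
	OSSL_PARAM_free(params);
	if (rsa_ctx == NULL)
		goto err_rsa;
	asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
	asym_session->u.r.ctx = rsa_ctx;
	break;
```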