DPDK patches and discussions
 help / color / mirror / Atom feed
From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: gakhil@marvell.com, Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
Date: Tue, 14 Jun 2022 00:40:20 +0800	[thread overview]
Message-ID: <20220613164023.70872-2-kai.ji@intel.com> (raw)
In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com>

This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 187 ++++++++++++++++++-
 2 files changed, 181 insertions(+), 10 deletions(-)

diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				EVP_MAC_CTX * ctx;
+# else
 				HMAC_CTX *ctx;
 				/**< pointer to EVP context structure */
+# endif
 			} hmac;
 		};
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a..febfcb5a22 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE		16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+	/* Load Multiple providers into the default (NULL) library context */
+	legacy = OSSL_PROVIDER_load(NULL, "legacy");
+	if (legacy == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+		return;
+	}
+
+	deflt = OSSL_PROVIDER_load(NULL, "default");
+	if (deflt == NULL) {
+		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+		OSSL_PROVIDER_unload(legacy);
+		return;
+	}
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+	OSSL_PROVIDER_unload(legacy);
+	OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+	switch (xform->auth.algo) {
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		return OSSL_DIGEST_NAME_MD5;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		return OSSL_DIGEST_NAME_SHA1;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_224;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_256;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_384;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		return OSSL_DIGEST_NAME_SHA2_512;
+	default:
+		return NULL;
+	}
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
 
 /*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 		sess->auth.auth.ctx = EVP_MD_CTX_create();
 		break;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+		OSSL_PARAM params[2];
+		const char *algo;
+		algo = get_digest_name(xform);
+		if (!algo)
+			return -EINVAL;
+		char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+		memcpy(algo_name, algo, (sizeof(algo)+1));
+
+		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+		EVP_MAC_free(mac);
+		if (get_auth_algo(xform->auth.algo,
+				&sess->auth.hmac.evp_algo) != 0)
+			return -EINVAL;
+
+		params[0] = OSSL_PARAM_construct_utf8_string("digest",
+					algo_name, 0);
+		params[1] = OSSL_PARAM_construct_end();
+		if (EVP_MAC_init(sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				params) != 1)
+			return -EINVAL;
+		break;
+# else
 	case RTE_CRYPTO_AUTH_MD5_HMAC:
 	case RTE_CRYPTO_AUTH_SHA1_HMAC:
 	case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 				sess->auth.hmac.evp_algo, NULL) != 1)
 			return -EINVAL;
 		break;
-
+# endif
 	default:
 		return -ENOTSUP;
 	}
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
 		HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
 		break;
 	default:
 		break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	return -EINVAL;
 }
 
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+		int srclen, EVP_MAC_CTX *ctx)
+{
+	size_t dstlen;
+	struct rte_mbuf *m;
+	int l, n = srclen;
+	uint8_t *src;
+
+	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+			m = m->next)
+		offset -= rte_pktmbuf_data_len(m);
+
+	if (m == 0)
+		goto process_auth_err;
+
+	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+	l = rte_pktmbuf_data_len(m) - offset;
+	if (srclen <= l) {
+		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+			goto process_auth_err;
+		goto process_auth_final;
+	}
+
+	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+		goto process_auth_err;
+
+	n -= l;
+
+	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+		src = rte_pktmbuf_mtod(m, uint8_t *);
+		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+			goto process_auth_err;
+		n -= l;
+	}
+
+process_auth_final:
+	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+		goto process_auth_err;
+
+	EVP_MAC_CTX_free(ctx);
+	return 0;
+
+process_auth_err:
+	EVP_MAC_CTX_free(ctx);
+	OPENSSL_LOG(ERR, "Process openssl auth failed");
+	return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	OPENSSL_LOG(ERR, "Process openssl auth failed");
 	return -EINVAL;
 }
-
+# endif
 /*----------------------------------------------------------------------------*/
 
 /** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
-	EVP_CIPHER_CTX *ctx_copy;
 
 	/*
 	 * Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
 	}
 
 	taglen = sess->auth.digest_length;
-	ctx_copy = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 
 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, ctx_copy);
+					dst, tag, sess->cipher.ctx);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, ctx_copy);
+					dst, tag, taglen, sess->cipher.ctx);
 	}
 
-	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 	uint8_t *dst;
 	int srclen, status;
 	EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	EVP_MAC_CTX *ctx_h;
+	EVP_MAC *mac;
+# else
 	HMAC_CTX *ctx_h;
+# endif
 
 	srclen = op->sym->auth.data.length;
 
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+		ctx_h = EVP_MAC_CTX_new(mac);
+		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+		EVP_MAC_free(mac);
+		status = process_openssl_auth_hmac(mbuf_src, dst,
+				op->sym->auth.data.offset, srclen,
+				ctx_h);
+# else
 		ctx_h = HMAC_CTX_new();
 		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
 				ctx_h);
 		HMAC_CTX_free(ctx_h);
+# endif
 		break;
 	default:
 		status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
 
 	rte_cryptodev_pmd_probing_finish(dev);
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	/* Load legacy provider
+	 * Some algorithms are no longer available in earlier version of openssl,
+	 * unless the legacy provider explicitly loaded. e.g. DES
+	 */
+	ossl_load_legacy_provider();
+# endif
 	return 0;
 
 init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
 	if (cryptodev == NULL)
 		return -ENODEV;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+	ossl_unload_legacy_provider();
+# endif
 	return rte_cryptodev_pmd_destroy(cryptodev);
 }
 
-- 
2.17.1


  reply	other threads:[~2022-06-13 16:40 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 19:21     ` [EXT] " Akhil Goyal
2022-05-16 20:20       ` Stephen Hemminger
2022-05-17  6:52         ` Akhil Goyal
2022-05-16 10:10   ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40   ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40     ` Kai Ji [this message]
2022-06-13 16:40     ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25     ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25       ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04         ` Zhang, Roy Fan
2022-06-21  9:22         ` [EXT] " Akhil Goyal
2022-06-14 13:25       ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04         ` Zhang, Roy Fan
2022-06-21  9:30         ` [EXT] " Akhil Goyal
2022-06-21 13:35           ` Ji, Kai
2022-06-14 13:25       ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-17 10:05         ` Zhang, Roy Fan
2022-06-14 13:25       ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-17 10:05         ` Zhang, Roy Fan
2022-06-21 10:16       ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55       ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42         ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15           ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220613164023.70872-2-kai.ji@intel.com \
    --to=kai.ji@intel.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).