From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 55E19A0543; Mon, 13 Jun 2022 18:40:53 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4F6DD4282C; Mon, 13 Jun 2022 18:40:40 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id BF9A9410F6 for ; Mon, 13 Jun 2022 18:40:36 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655138436; x=1686674436; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=HQdJYuDfNFf0Tawmo8DtkYYWxZ/MKMw09Geo0+qhaVo=; b=LaK6rmmI/8XLNHY1qO9gJYlqX90MSiZe7NL56w++chTiDFo9ArYMQdM2 PVTBloBMUtR9hYIcBSTSrlGr0uXk/aerJfkZDAfb4dfd+6WRLUHAhcrbw mOk+o60jXTCdyiXPKwWwOmdzHdcKBZNbzaZbnNj3KE2lz72LyHOWQ809F IbXvHxE3dJz/KPW9l5dLfL36GgTqS7rPVVlru1sdMspocn8qoKPWFh0pb pz+qrdqxJ3a6sswL/3VmSCuSkNyvjAWdMCwbrZgT9teLrxZjGWPhTuNwv ZxidIcvtFIPJZVt7F2xzw4M555p016xH3JVaB+FJ4z2+iK7RaLDUDgkl6 A==; X-IronPort-AV: E=McAfee;i="6400,9594,10377"; a="258171780" X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="258171780" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2022 09:40:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="686141472" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga002.fm.intel.com with ESMTP; 13 Jun 2022 09:40:32 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Date: Tue, 14 Jun 2022 00:40:21 +0800 Message-Id: <20220613164023.70872-3-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com> References: <20220516101039.4537-1-kai.ji@intel.com> <20220613164023.70872-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric RSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 7 + drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++- 3 files changed, 267 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 86dc169aaf..d603626fdf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -11,6 +11,10 @@ #include #include #include +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#endif #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +161,9 @@ struct openssl_asym_session { union { struct rsa { RSA *rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + EVP_PKEY_CTX * ctx; +#endif } r; struct exp { BIGNUM *exp; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index febfcb5a22..6c3fef6356 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop, } /* process rsa operations */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_rsa_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + uint32_t pad = (op->rsa.padding.type); + uint8_t *tmp; + size_t outlen = 0; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx; + if (!rsa_ctx) + return ret; + + switch (pad) { + case RTE_CRYPTO_RSA_PADDING_PKCS1_5: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_NONE: + pad = RSA_NO_PADDING; + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + OPENSSL_LOG(ERR, + "rsa pad type not supported %d\n", pad); + return ret; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.cipher.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of encrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + op->rsa.message.length = outlen; + + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_SIGN: + if (EVP_PKEY_sign_init(rsa_ctx) <= 0) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.sign.length = outlen; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + op->rsa.sign.data, + op->rsa.sign.length) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + OPENSSL_LOG(DEBUG, + "Length of public_decrypt %zu " + "length of message %zd\n", + outlen, op->rsa.message.length); + if (CRYPTO_memcmp(tmp, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + } + rte_free(tmp); + break; + + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + goto err_rsa; + } + + ret = 0; + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; +err_rsa: + return ret; + +} +#else static int process_openssl_rsa_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, return 0; } +#endif static int process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_rsa_op_evp(op, sess); +# else retval = process_openssl_rsa_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: retval = process_openssl_modexp_op(op, sess); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 7d0da52a33..6d94da499e 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -12,7 +12,11 @@ #include "openssl_pmd_private.h" #include "compat.h" - +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#include +#endif static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { { /* MD5 HMAC */ @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters( if (!n || !e) goto err_rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_E, e)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) { + d = BN_bin2bn( + (const unsigned char *)xform->rsa.d.data, + xform->rsa.d.length, + d); + if (!d) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } else { + p = BN_bin2bn((const unsigned char *) + xform->rsa.qt.p.data, + xform->rsa.qt.p.length, + p); + q = BN_bin2bn((const unsigned char *) + xform->rsa.qt.q.data, + xform->rsa.qt.q.length, + q); + dmp1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dP.data, + xform->rsa.qt.dP.length, + dmp1); + dmq1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dQ.data, + xform->rsa.qt.dQ.length, + dmq1); + iqmp = BN_bin2bn((const unsigned char *) + xform->rsa.qt.qInv.data, + xform->rsa.qt.qInv.length, + iqmp); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR1, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR2, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_D, d)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *rsa_ctx = NULL; + OSSL_PARAM *params = NULL; + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_KEYPAIR, params) <= 0) { + OSSL_PARAM_free(params); + goto err_rsa; + } + + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + asym_session->u.r.ctx = rsa_ctx; + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_free(params); + break; +#else RSA *rsa = RSA_new(); if (rsa == NULL) goto err_rsa; @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; break; +#endif err_rsa: BN_clear_free(n); BN_clear_free(e); @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) { switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (sess->u.r.ctx) + EVP_PKEY_CTX_free(sess->u.r.ctx); +#else if (sess->u.r.rsa) RSA_free(sess->u.r.rsa); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: if (sess->u.e.ctx) { -- 2.17.1