DPDK patches and discussions
 help / color / mirror / Atom feed
From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: gakhil@marvell.com, Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine
Date: Tue, 14 Jun 2022 00:40:22 +0800	[thread overview]
Message-ID: <20220613164023.70872-4-kai.ji@intel.com> (raw)
In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com>

This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/openssl_pmd_private.h |   4 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 185 +++++++++++++++++++
 drivers/crypto/openssl/rte_openssl_pmd_ops.c |  47 ++++-
 3 files changed, 235 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index d603626fdf..8fdbc75511 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
 		struct dh {
 			DH *dh_key;
 			uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+			OSSL_PARAM_BLD * param_bld;
+			OSSL_PARAM_BLD *param_bld_peer;
+#endif
 		} dh;
 		struct {
 			DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6c3fef6356..fdf191b7ea 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
+#include <openssl/param_build.h>
 
 #define MAX_OSSL_ALGO_NAME_SIZE		16
 
@@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
 }
 
 /* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+		struct openssl_asym_session *sess)
+{
+	struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+	OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+	OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+	OSSL_PARAM *params = NULL;
+	EVP_PKEY *dhpkey = NULL;
+	EVP_PKEY *peerkey = NULL;
+	BIGNUM *priv_key = NULL;
+	BIGNUM *pub_key = NULL;
+	int ret = -1;
+
+	cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+	EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+	if (dh_ctx == NULL || param_bld == NULL)
+		return ret;
+
+	if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+		OSSL_PARAM *params_peer = NULL;
+
+		if (!param_bld_peer)
+			return ret;
+
+		pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+					pub_key);
+		if (pub_key == NULL) {
+			OSSL_PARAM_BLD_free(param_bld_peer);
+			return ret;
+		}
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+				pub_key)) {
+			OPENSSL_LOG(ERR, "Failed to set public key\n");
+			OSSL_PARAM_BLD_free(param_bld_peer);
+			BN_free(pub_key);
+			return ret;
+		}
+
+		params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+		if (!params_peer) {
+			OSSL_PARAM_BLD_free(param_bld_peer);
+			BN_free(pub_key);
+			return ret;
+		}
+
+		EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+		if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+			OSSL_PARAM_free(params_peer);
+			BN_free(pub_key);
+			return ret;
+		}
+
+		if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+			EVP_PKEY_CTX_free(peer_ctx);
+			OSSL_PARAM_free(params_peer);
+			BN_free(pub_key);
+			return ret;
+		}
+
+		if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+			EVP_PKEY_CTX_free(peer_ctx);
+			OSSL_PARAM_free(params_peer);
+			BN_free(pub_key);
+			return ret;
+		}
+
+		priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+					priv_key);
+		if (priv_key == NULL) {
+			EVP_PKEY_CTX_free(peer_ctx);
+			OSSL_PARAM_free(params_peer);
+			BN_free(pub_key);
+			return ret;
+		}
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+				priv_key)) {
+			OPENSSL_LOG(ERR, "Failed to set private key\n");
+			EVP_PKEY_CTX_free(peer_ctx);
+			OSSL_PARAM_free(params_peer);
+			BN_free(pub_key);
+			BN_free(priv_key);
+			return ret;
+		}
+
+		OSSL_PARAM_free(params_peer);
+		EVP_PKEY_CTX_free(peer_ctx);
+	}
+
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	if (!params)
+		goto err_dh;
+
+	if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+		goto err_dh;
+
+	if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+		goto err_dh;
+
+	if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+		goto err_dh;
+
+	if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+		OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+		if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+			goto err_dh;
+				/* output public key */
+		op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+	}
+
+	if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+		OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+		if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+			goto err_dh;
+
+		/* provide generated private key back to user */
+		op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+	}
+
+	if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+		size_t skey_len;
+		EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+		if (!sc_ctx)
+			goto err_dh;
+
+		if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err_dh;
+		}
+
+		if (!peerkey) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err_dh;
+		}
+
+		if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err_dh;
+		}
+
+		/* Determine buffer length */
+		if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err_dh;
+		}
+
+		if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err_dh;
+		}
+
+		op->shared_secret.length = skey_len;
+		EVP_PKEY_CTX_free(sc_ctx);
+	}
+
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+	ret = 0;
+
+ err_dh:
+	if (pub_key)
+		BN_free(pub_key);
+	if (priv_key)
+		BN_free(priv_key);
+	if (params)
+		OSSL_PARAM_free(params);
+	if (dhpkey)
+		EVP_PKEY_free(dhpkey);
+	if (peerkey)
+		EVP_PKEY_free(peerkey);
+
+	EVP_PKEY_CTX_free(dh_ctx);
+
+	return ret;
+}
+#else
 static int
 process_openssl_dh_op(struct rte_crypto_op *cop,
 		struct openssl_asym_session *sess)
@@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
 
 	return 0;
 }
+#endif
 
 /* process modinv operation */
 static int
@@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		retval = process_openssl_modinv_op(op, sess);
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		retval = process_openssl_dh_op_evp(op, sess);
+# else
 		retval = process_openssl_dh_op(op, sess);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
 		if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 6d94da499e..a1a42ef444 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters(
 		if (!p || !g)
 			goto err_dh;
 
-		DH *dh = DH_new();
+		DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		OSSL_PARAM_BLD *param_bld = NULL;
+		param_bld = OSSL_PARAM_BLD_new();
+		if (!param_bld) {
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			goto err_dh;
+		}
+		if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+					"group", "ffdhe2048", 0))
+			|| (!OSSL_PARAM_BLD_push_BN(param_bld,
+					OSSL_PKEY_PARAM_FFC_P, p))
+			|| (!OSSL_PARAM_BLD_push_BN(param_bld,
+					OSSL_PKEY_PARAM_FFC_G, g))) {
+			OSSL_PARAM_BLD_free(param_bld);
+			goto err_dh;
+		}
+
+		OSSL_PARAM_BLD *param_bld_peer = NULL;
+		param_bld_peer = OSSL_PARAM_BLD_new();
+		if (!param_bld_peer) {
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			OSSL_PARAM_BLD_free(param_bld);
+			goto err_dh;
+		}
+		if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+					"group", "ffdhe2048", 0))
+			|| (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+					OSSL_PKEY_PARAM_FFC_P, p))
+			|| (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+					OSSL_PKEY_PARAM_FFC_G, g))) {
+			OSSL_PARAM_BLD_free(param_bld);
+			OSSL_PARAM_BLD_free(param_bld_peer);
+			goto err_dh;
+		}
+
+		asym_session->u.dh.param_bld = param_bld;
+		asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+		dh = DH_new();
 		if (dh == NULL) {
 			OPENSSL_LOG(ERR,
 				"failed to allocate resources\n");
@@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters(
 			DH_free(dh);
 			goto err_dh;
 		}
+#endif
 		asym_session->u.dh.dh_key = dh;
 		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
 		break;
@@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
 		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		sess->u.dh.param_bld = NULL;
+		sess->u.dh.param_bld_peer = NULL;
+#else
 		if (sess->u.dh.dh_key)
 			DH_free(sess->u.dh.dh_key);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
 		if (sess->u.s.dsa)
-- 
2.17.1


  parent reply	other threads:[~2022-06-13 16:40 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 19:21     ` [EXT] " Akhil Goyal
2022-05-16 20:20       ` Stephen Hemminger
2022-05-17  6:52         ` Akhil Goyal
2022-05-16 10:10   ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-05-16 10:10   ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40   ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-13 16:40     ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-13 16:40     ` Kai Ji [this message]
2022-06-13 16:40     ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25     ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25       ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04         ` Zhang, Roy Fan
2022-06-21  9:22         ` [EXT] " Akhil Goyal
2022-06-14 13:25       ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04         ` Zhang, Roy Fan
2022-06-21  9:30         ` [EXT] " Akhil Goyal
2022-06-21 13:35           ` Ji, Kai
2022-06-14 13:25       ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-17 10:05         ` Zhang, Roy Fan
2022-06-14 13:25       ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-17 10:05         ` Zhang, Roy Fan
2022-06-21 10:16       ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55       ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 13:55         ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42         ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 15:42           ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15           ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220613164023.70872-4-kai.ji@intel.com \
    --to=kai.ji@intel.com \
    --cc=dev@dpdk.org \
    --cc=gakhil@marvell.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).