From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: gakhil@marvell.com, Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API
Date: Tue, 21 Jun 2022 21:55:33 +0800 [thread overview]
Message-ID: <20220621135536.62679-2-kai.ji@intel.com> (raw)
In-Reply-To: <20220621135536.62679-1-kai.ji@intel.com>
This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
2 files changed, 181 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..6bcfb584a4 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,7 +134,11 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+# else
HMAC_CTX *ctx;
+# endif
/**< pointer to EVP context structure */
} hmac;
};
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a..06ede435dd 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_legacy_provider_load(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_legacy_provider_unload(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+digest_name_get(enum rte_crypto_auth_algorithm algo)
+{
+ switch (algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = digest_name_get(xform->auth.algo);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ rte_memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
- EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
}
taglen = sess->auth.digest_length;
- ctx_copy = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
}
- EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
uint8_t *dst;
int srclen, status;
EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+# else
ctx_h = HMAC_CTX_new();
HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
rte_cryptodev_pmd_probing_finish(dev);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_legacy_provider_load();
+# endif
return 0;
init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_legacy_provider_unload();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
--
2.17.1
next prev parent reply other threads:[~2022-06-21 13:55 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 19:21 ` [EXT] " Akhil Goyal
2022-05-16 20:20 ` Stephen Hemminger
2022-05-17 6:52 ` Akhil Goyal
2022-05-16 10:10 ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:22 ` [EXT] " Akhil Goyal
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:30 ` [EXT] " Akhil Goyal
2022-06-21 13:35 ` Ji, Kai
2022-06-14 13:25 ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-14 13:25 ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-21 10:16 ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55 ` Kai Ji [this message]
2022-06-21 13:55 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA routine with 3.0 EVP API Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15 ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220621135536.62679-2-kai.ji@intel.com \
--to=kai.ji@intel.com \
--cc=dev@dpdk.org \
--cc=gakhil@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).