From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 878FCA0545; Tue, 21 Jun 2022 15:55:58 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 1A640427EE; Tue, 21 Jun 2022 15:55:54 +0200 (CEST) Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by mails.dpdk.org (Postfix) with ESMTP id 0484740151 for ; Tue, 21 Jun 2022 15:55:51 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655819752; x=1687355752; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=6SatTkFSnjAlEBM84WM2ClxlYCJlQis+da+ifB5HxMQ=; b=hSgWdarvdv1FTwzt9LrXPZ2S8TkgxC/Hn+XifO5AzXhW2kN0uwaezIum j1ej5MosGoSEPUSH2HXUrLbAyMMR1PVhrensZaHMyy0f+RBgO/Rgg+vqQ Usy4BGC4zGmsm36VJJbS4hR7l+yRAE5dtVURo2UsYRwGJAGHREmMIREIQ ML0a+utIRHoHjAcrc0Sf14b3Pe5AKkempLL/wY9iL614757q9DWfCQzMT 6KeabznW7g+FhQFn2gxlrSnGd/Vw6eeVi3SFxNL8v6D1xLtxbcUOTcfZQ ldNf2oCarbihb0eATj5WP1WI/MKBl3DMRSfqp/MMXkq9CsiDHY4tH7Qbl w==; X-IronPort-AV: E=McAfee;i="6400,9594,10384"; a="344114185" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="344114185" Received: from orsmga004.jf.intel.com ([10.7.209.38]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 06:55:51 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="714982198" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga004.jf.intel.com with ESMTP; 21 Jun 2022 06:55:49 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Date: Tue, 21 Jun 2022 21:55:33 +0800 Message-Id: <20220621135536.62679-2-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621135536.62679-1-kai.ji@intel.com> References: <20220614132542.76241-1-kai.ji@intel.com> <20220621135536.62679-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch update the symmetric HMAC routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 2 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..6bcfb584a4 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,7 +134,11 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; +# endif /**< pointer to EVP context structure */ } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 6ac2dfff5a..06ede435dd 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_legacy_provider_load(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_legacy_provider_unload(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +digest_name_get(enum rte_crypto_auth_algorithm algo) +{ + switch (algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = digest_name_get(xform->auth.algo); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + rte_memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1474,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1510,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1517,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1530,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_legacy_provider_load(); +# endif return 0; init_error: @@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_legacy_provider_unload(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } -- 2.17.1