* [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine
@ 2022-04-07 16:36 Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
0 siblings, 1 reply; 39+ messages in thread
From: Kai Ji @ 2022-04-07 16:36 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch update the asymmetric RSA and DH routine in crypto
openssl pmd to adopt openssl 3.0 EVP library.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/compat.h | 43 ++-
drivers/crypto/openssl/openssl_pmd_private.h | 11 +
drivers/crypto/openssl/rte_openssl_pmd.c | 288 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 151 +++++++++-
4 files changed, 489 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..80b1493a5f 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,8 +104,49 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
-#else
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline int
+set_dsa_params(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ return !(DSA_set0_pqg(dsa, p, q, g));
+}
+
+static __rte_always_inline void
+set_dsa_priv_key(DSA *dsa, BIGNUM *priv_key)
+{
+ DSA_set0_key(dsa, NULL, priv_key);
+}
+
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
+static __rte_always_inline int
+set_dsa_keys(DSA *dsa, BIGNUM *pub, BIGNUM *priv)
+{
+ return !(DSA_set0_key(dsa, pub, priv));
+}
+
+static __rte_always_inline void
+set_dsa_pub_key(DSA *dsa, BIGNUM *pub_key)
+{
+ DSA_set0_key(dsa, pub_key, NULL);
+}
+
+static __rte_always_inline void
+get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
+{
+ DSA_get0_key(dsa, NULL, priv_key);
+}
+#else
static __rte_always_inline int
set_rsa_params(RSA *rsa, BIGNUM *p, BIGNUM *q)
{
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..aef12c3e21 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -12,6 +12,11 @@
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
+
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +162,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
@@ -170,6 +178,9 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5840ab472e..e423114c08 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -43,6 +43,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1845,6 +1846,134 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+/* process dh operation */
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL) {
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ return -1;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (params == NULL) {
+ EVP_PKEY_CTX_free(dh_ctx);
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ return -1;
+ }
+
+ if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL)
+ goto err;
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ BN_free(pub_key);
+ goto err;
+ }
+ }
+
+ if ((sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) &&
+ !(sess->u.dh.key_op &
+ (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) {
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err;
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ BN_free(priv_key);
+ goto err;
+ }
+ }
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err;
+
+ if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+ size_t skey_len;
+ EVP_PKEY *peerkey = dhpkey;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0)
+ goto err;
+
+ if (EVP_PKEY_CTX_set_params(sc_ctx, params) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err;
+ }
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_free(peerkey);
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ return 0;
+
+ err:
+ EVP_PKEY_CTX_free(dh_ctx);
+ OSSL_PARAM_free(params);
+ OSSL_PARAM_BLD_free(param_bld);
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return -1;
+}
+# else
/* process dh operation */
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
@@ -1857,6 +1986,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
if (sess->u.dh.key_op &
(1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+
/* compute shared secret using peer public key
* and current private key
* shared secret = peer_key ^ priv_key mod p
@@ -1887,7 +2017,6 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
BN_free(priv_key);
return 0;
}
-
ret = DH_compute_key(
op->shared_secret.data,
peer_key, dh_key);
@@ -1983,6 +2112,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
process_openssl_modinv_op(struct rte_crypto_op *cop,
@@ -2048,6 +2178,153 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
return 0;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+/* process rsa operations */
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.pad);
+ uint8_t *tmp;
+
+ size_t outlen = 0;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return -1;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err;
+
+ if (outlen <= 0)
+ goto err;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err;
+
+ if (outlen <= 0)
+ goto err;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of decrypted text %zu\n", outlen);
+ break;
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err;
+ }
+
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ break;
+ }
+
+ return 0;
+err:
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ return -1;
+
+}
+#else
/* process rsa operations */
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
@@ -2147,6 +2424,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2158,7 +2436,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
@@ -2167,7 +2449,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 52715f86f8..26ca680661 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -11,6 +11,13 @@
#include "openssl_pmd_private.h"
#include "compat.h"
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -820,6 +827,117 @@ static int openssl_set_asym_session_parameters(
switch (xform->xform_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
{
+
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *n = NULL;
+ BIGNUM *e = NULL;
+ BIGNUM *d = NULL;
+ BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL;
+ BIGNUM *iqmp = NULL, *dmq1 = NULL;
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ /* copy xfrm data into rsa struct */
+ n = BN_bin2bn((const unsigned char *)xform->rsa.n.data,
+ xform->rsa.n.length, n);
+ e = BN_bin2bn((const unsigned char *)xform->rsa.e.data,
+ xform->rsa.e.length, e);
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ return -1;
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ break;
+#else
BIGNUM *n = NULL;
BIGNUM *e = NULL;
BIGNUM *d = NULL;
@@ -904,6 +1022,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -990,7 +1109,29 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ return -1;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ return -1;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1001,7 +1142,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
-
+#endif
/*
* setup xfrom for
* public key generate, or
@@ -1037,6 +1178,7 @@ static int openssl_set_asym_session_parameters(
BN_free(p);
BN_free(g);
return -1;
+
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
@@ -1174,8 +1316,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
@ 2022-05-16 10:10 ` Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
` (5 more replies)
0 siblings, 6 replies; 39+ messages in thread
From: Kai Ji @ 2022-05-16 10:10 UTC (permalink / raw)
To: dev; +Cc: Kai Ji
This patch set update openssl pmd deprecated APIs to EVP
APIs where supported in openssl 3.0 lib.
Depends-on: series-22684 ("cryptodev: move dh type from xform to dh op")
Kai Ji (5):
drivers/crypto: suppress openssl deprecated api warning messages
crypto/openssl: 3.0 EVP update on HMAC routine
crypto/openssl: 3.0 EVP update on RSA routine
crypto/openssl: 3.0 EVP update on DH routine
crypto/openssl: 3.0 EVP update on DSA routine
app/test/test_cryptodev_asym.c | 91 ++-
drivers/common/qat/meson.build | 1 +
drivers/crypto/ccp/meson.build | 1 +
drivers/crypto/openssl/compat.h | 12 +
drivers/crypto/openssl/openssl_pmd_private.h | 18 +
drivers/crypto/openssl/rte_openssl_pmd.c | 695 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 215 +++++-
7 files changed, 1007 insertions(+), 26 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
@ 2022-05-16 10:10 ` Kai Ji
2022-05-16 19:21 ` [EXT] " Akhil Goyal
2022-05-16 10:10 ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
` (4 subsequent siblings)
5 siblings, 1 reply; 39+ messages in thread
From: Kai Ji @ 2022-05-16 10:10 UTC (permalink / raw)
To: dev; +Cc: Kai Ji
Enable openssl_api_compat cflag to suppress deprecated api warning
messages in crypto pmd drivers: ccp, openssl and qat.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/common/qat/meson.build | 1 +
drivers/crypto/ccp/meson.build | 1 +
drivers/crypto/openssl/meson.build | 1 +
3 files changed, 3 insertions(+)
diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build
index b7027f3164..6c3e7275ef 100644
--- a/drivers/common/qat/meson.build
+++ b/drivers/common/qat/meson.build
@@ -87,3 +87,4 @@ if qat_crypto
ext_deps += libcrypto
cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM']
endif
+cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
diff --git a/drivers/crypto/ccp/meson.build b/drivers/crypto/ccp/meson.build
index a4f3406009..fe89e17b14 100644
--- a/drivers/crypto/ccp/meson.build
+++ b/drivers/crypto/ccp/meson.build
@@ -23,3 +23,4 @@ sources = files(
)
ext_deps += dep
+cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build
index cd962da1d6..9a3dea2c04 100644
--- a/drivers/crypto/openssl/meson.build
+++ b/drivers/crypto/openssl/meson.build
@@ -15,3 +15,4 @@ endif
deps += 'bus_vdev'
sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c')
ext_deps += dep
+cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
@ 2022-05-16 10:10 ` Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
` (3 subsequent siblings)
5 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-05-16 10:10 UTC (permalink / raw)
To: dev; +Cc: Kai Ji
This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
2 files changed, 181 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+# else
HMAC_CTX *ctx;
/**< pointer to EVP context structure */
+# endif
} hmac;
};
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index d80e1052e2..db1f788d79 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+ switch (xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
@@ -580,6 +635,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = get_digest_name(xform);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -598,7 +687,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
@@ -723,7 +812,11 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
@@ -1260,6 +1353,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1312,7 +1458,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
@@ -1326,7 +1472,6 @@ process_openssl_combined_op
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
- EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
@@ -1363,8 +1508,6 @@ process_openssl_combined_op
}
taglen = sess->auth.digest_length;
- ctx_copy = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1372,12 +1515,12 @@ process_openssl_combined_op
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1385,15 +1528,14 @@ process_openssl_combined_op
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
}
- EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
@@ -1555,7 +1697,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
uint8_t *dst;
int srclen, status;
EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
@@ -1571,12 +1718,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+# else
ctx_h = HMAC_CTX_new();
HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
@@ -2213,6 +2370,13 @@ cryptodev_openssl_create(const char *name,
rte_cryptodev_pmd_probing_finish(dev);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_load_legacy_provider();
+# endif
return 0;
init_error:
@@ -2261,6 +2425,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_unload_legacy_provider();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
@ 2022-05-16 10:10 ` Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
` (2 subsequent siblings)
5 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-05-16 10:10 UTC (permalink / raw)
To: dev; +Cc: Kai Ji
This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..d603626fdf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index db1f788d79..e8dd4f4a42 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2047,6 +2047,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.pad);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -2145,6 +2289,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2156,7 +2301,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 1cb07794bd..52a5119d47 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -10,7 +10,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -833,6 +837,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
@@ -902,6 +1006,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1160,8 +1265,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (2 preceding siblings ...)
2022-05-16 10:10 ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
@ 2022-05-16 10:10 ` Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
5 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-05-16 10:10 UTC (permalink / raw)
To: dev; +Cc: Kai Ji
This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 186 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++-
3 files changed, 235 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index d603626fdf..8fdbc75511 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+ OSSL_PARAM_BLD *param_bld_peer;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index e8dd4f4a42..691b000191 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -40,9 +40,9 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1844,6 +1844,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
}
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1980,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
@@ -2314,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 52a5119d47..f77e9a9842 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1093,7 +1093,46 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+
+ OSSL_PARAM_BLD *param_bld_peer = NULL;
+ param_bld_peer = OSSL_PARAM_BLD_new();
+ if (!param_bld_peer) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ goto err_dh;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+ asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1104,6 +1143,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
+#endif
/*
* setup xfrom for
@@ -1286,8 +1326,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
}
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.dh.param_bld = NULL;
+ sess->u.dh.param_bld_peer = NULL;
+#else
if (sess->u.dh.dh_key)
DH_free(sess->u.dh.dh_key);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (sess->u.s.dsa)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (3 preceding siblings ...)
2022-05-16 10:10 ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
@ 2022-05-16 10:10 ` Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
5 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-05-16 10:10 UTC (permalink / raw)
To: dev; +Cc: Kai Ji
This patch updates asymmetric DSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign
test to two indiviual dsa sign and dsa verfiy tests.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
app/test/test_cryptodev_asym.c | 91 ++++++++--
drivers/crypto/openssl/compat.h | 12 ++
drivers/crypto/openssl/meson.build | 1 -
drivers/crypto/openssl/openssl_pmd_private.h | 3 +
drivers/crypto/openssl/rte_openssl_pmd.c | 175 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 56 +++++-
6 files changed, 323 insertions(+), 15 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 573af2a537..f8597df246 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1639,7 +1639,7 @@ test_dh_keygenration(void)
}
static int
-test_dsa_sign(void)
+test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op)
{
struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
struct rte_mempool *op_mpool = ts_params->op_mpool;
@@ -1649,9 +1649,6 @@ test_dsa_sign(void)
struct rte_crypto_op *op = NULL, *result_op = NULL;
void *sess = NULL;
int status = TEST_SUCCESS;
- uint8_t r[TEST_DH_MOD_LEN];
- uint8_t s[TEST_DH_MOD_LEN];
- uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
int ret;
ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
@@ -1673,6 +1670,7 @@ test_dsa_sign(void)
goto error_exit;
}
asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
dsa_xform.dsa.p.length);
@@ -1686,13 +1684,6 @@ test_dsa_sign(void)
/* attach asymmetric crypto session to crypto operations */
rte_crypto_op_attach_asym_session(op, sess);
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
- asym_op->dsa.message.data = dgst;
- asym_op->dsa.message.length = sizeof(dgst);
- asym_op->dsa.r.length = sizeof(r);
- asym_op->dsa.r.data = r;
- asym_op->dsa.s.length = sizeof(s);
- asym_op->dsa.s.data = s;
-
RTE_LOG(DEBUG, USER1, "Process ASYM operation");
/* Process crypto operation */
@@ -1716,12 +1707,72 @@ test_dsa_sign(void)
}
asym_op = result_op->asym;
+ dsa_op->r.length = asym_op->dsa.r.length;
+ dsa_op->s.length = asym_op->dsa.s.length;
+
+ debug_hexdump(stdout, "r:",
+ asym_op->dsa.r.data, asym_op->dsa.r.length);
+ debug_hexdump(stdout, "s:",
+ asym_op->dsa.s.data, asym_op->dsa.s.length);
+error_exit:
+ if (sess != NULL)
+ rte_cryptodev_asym_session_free(dev_id, sess);
+ if (op != NULL)
+ rte_crypto_op_free(op);
+ return status;
+}
+
+
+static int
+test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op)
+{
+ struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
+ struct rte_mempool *op_mpool = ts_params->op_mpool;
+ struct rte_mempool *sess_mpool = ts_params->session_mpool;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ struct rte_crypto_asym_op *asym_op = NULL;
+ struct rte_crypto_op *op = NULL, *result_op = NULL;
+ void *sess = NULL;
+ int status = TEST_SUCCESS;
+ int ret;
+
+ ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s", __LINE__,
+ "Session creation failed");
+ status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+ goto error_exit;
+ }
+ /* set up crypto op data structure */
+ op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
+ if (!op) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s",
+ __LINE__, "Failed to allocate asymmetric crypto "
+ "operation struct");
+ status = TEST_FAILED;
+ goto error_exit;
+ }
+ asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
+
+ debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
+ dsa_xform.dsa.p.length);
+ debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data,
+ dsa_xform.dsa.q.length);
+ debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data,
+ dsa_xform.dsa.g.length);
+
+ /* attach asymmetric crypto session to crypto operations */
+ rte_crypto_op_attach_asym_session(op, sess);
debug_hexdump(stdout, "r:",
asym_op->dsa.r.data, asym_op->dsa.r.length);
debug_hexdump(stdout, "s:",
asym_op->dsa.s.data, asym_op->dsa.s.length);
+ RTE_LOG(DEBUG, USER1, "Process ASYM verify operation");
/* Test PMD DSA sign verification using signer public key */
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
@@ -1767,8 +1818,22 @@ static int
test_dsa(void)
{
int status;
- status = test_dsa_sign();
- TEST_ASSERT_EQUAL(status, 0, "Test failed");
+ uint8_t r[TEST_DH_MOD_LEN];
+ uint8_t s[TEST_DH_MOD_LEN];
+ struct rte_crypto_dsa_op_param dsa_op;
+ uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
+
+ dsa_op.message.data = dgst;
+ dsa_op.message.length = sizeof(dgst);
+ dsa_op.r.data = r;
+ dsa_op.s.data = s;
+ dsa_op.r.length = sizeof(r);
+ dsa_op.s.length = sizeof(s);
+
+ status = test_dsa_sign(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed");
+ status = test_dsa_verify(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed");
return status;
}
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..9f9167c4f1 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
#else
static __rte_always_inline int
diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build
index 9a3dea2c04..cd962da1d6 100644
--- a/drivers/crypto/openssl/meson.build
+++ b/drivers/crypto/openssl/meson.build
@@ -15,4 +15,3 @@ endif
deps += 'bus_vdev'
sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c')
ext_deps += dep
-cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 8fdbc75511..b0e5cd109b 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -184,6 +184,9 @@ struct openssl_asym_session {
} dh;
struct {
DSA *dsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} s;
} u;
} __rte_cache_aligned;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 691b000191..45cc6a76b3 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1761,6 +1761,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1842,6 +2007,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process dh operation */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -2501,12 +2667,21 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
RTE_CRYPTO_ASYM_OP_VERIFY)
retval =
process_openssl_dsa_verify_op(op, sess);
+#endif
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
break;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index f77e9a9842..a465574d48 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1183,6 +1183,56 @@ static int openssl_set_asym_session_parameters(
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *p = NULL, *g = NULL;
+ BIGNUM *q = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = BN_new();
+ BN_zero(pub_key);
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ p = BN_bin2bn((const unsigned char *)
+ xform->dsa.p.data,
+ xform->dsa.p.length,
+ p);
+
+ g = BN_bin2bn((const unsigned char *)
+ xform->dsa.g.data,
+ xform->dsa.g.length,
+ g);
+
+ q = BN_bin2bn((const unsigned char *)
+ xform->dsa.q.data,
+ xform->dsa.q.length,
+ q);
+ if (!p || !q || !g)
+ goto err_dsa;
+
+ priv_key = BN_bin2bn((const unsigned char *)
+ xform->dsa.x.data,
+ xform->dsa.x.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err_dsa;
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+ asym_session->u.s.param_bld = param_bld;
+
+ break;
+#else
BIGNUM *p = NULL, *g = NULL;
BIGNUM *q = NULL, *priv_key = NULL;
BIGNUM *pub_key = BN_new();
@@ -1242,7 +1292,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.s.dsa = dsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
break;
-
+#endif
err_dsa:
BN_free(p);
BN_free(q);
@@ -1335,8 +1385,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.s.param_bld = NULL;
+#else
if (sess->u.s.dsa)
DSA_free(sess->u.s.dsa);
+#endif
break;
default:
break;
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
@ 2022-05-16 19:21 ` Akhil Goyal
2022-05-16 20:20 ` Stephen Hemminger
0 siblings, 1 reply; 39+ messages in thread
From: Akhil Goyal @ 2022-05-16 19:21 UTC (permalink / raw)
To: Kai Ji, dev
Hi Kai,
> Enable openssl_api_compat cflag to suppress deprecated api warning
> messages in crypto pmd drivers: ccp, openssl and qat.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
This patch may not be required if we use this
http://patches.dpdk.org/project/dpdk/patch/20220510150635.61975-1-heinrich.schuchardt@canonical.com/
> ---
> drivers/common/qat/meson.build | 1 +
> drivers/crypto/ccp/meson.build | 1 +
> drivers/crypto/openssl/meson.build | 1 +
> 3 files changed, 3 insertions(+)
>
> diff --git a/drivers/common/qat/meson.build
> b/drivers/common/qat/meson.build
> index b7027f3164..6c3e7275ef 100644
> --- a/drivers/common/qat/meson.build
> +++ b/drivers/common/qat/meson.build
> @@ -87,3 +87,4 @@ if qat_crypto
> ext_deps += libcrypto
> cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM']
> endif
> +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
> diff --git a/drivers/crypto/ccp/meson.build b/drivers/crypto/ccp/meson.build
> index a4f3406009..fe89e17b14 100644
> --- a/drivers/crypto/ccp/meson.build
> +++ b/drivers/crypto/ccp/meson.build
> @@ -23,3 +23,4 @@ sources = files(
> )
>
> ext_deps += dep
> +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
> diff --git a/drivers/crypto/openssl/meson.build
> b/drivers/crypto/openssl/meson.build
> index cd962da1d6..9a3dea2c04 100644
> --- a/drivers/crypto/openssl/meson.build
> +++ b/drivers/crypto/openssl/meson.build
> @@ -15,3 +15,4 @@ endif
> deps += 'bus_vdev'
> sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c')
> ext_deps += dep
> +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
> --
> 2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* Re: [EXT] [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages
2022-05-16 19:21 ` [EXT] " Akhil Goyal
@ 2022-05-16 20:20 ` Stephen Hemminger
2022-05-17 6:52 ` Akhil Goyal
0 siblings, 1 reply; 39+ messages in thread
From: Stephen Hemminger @ 2022-05-16 20:20 UTC (permalink / raw)
To: Akhil Goyal; +Cc: Kai Ji, dev
On Mon, 16 May 2022 19:21:01 +0000
Akhil Goyal <gakhil@marvell.com> wrote:
> Hi Kai,
> > Enable openssl_api_compat cflag to suppress deprecated api warning
> > messages in crypto pmd drivers: ccp, openssl and qat.
> >
> > Signed-off-by: Kai Ji <kai.ji@intel.com>
> This patch may not be required if we use this
> http://patches.dpdk.org/project/dpdk/patch/20220510150635.61975-1-heinrich.schuchardt@canonical.com/
>
Just to be devil's advocate. Why should DPDK continue to support older and
unsecure crypto algorithms? I would argue DPDK should deprecate the use of SNA256
and remove it in 22.11 release.
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages
2022-05-16 20:20 ` Stephen Hemminger
@ 2022-05-17 6:52 ` Akhil Goyal
0 siblings, 0 replies; 39+ messages in thread
From: Akhil Goyal @ 2022-05-17 6:52 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: Kai Ji, dev
>
> Just to be devil's advocate. Why should DPDK continue to support older and
> unsecure crypto algorithms? I would argue DPDK should deprecate the use of
> SNA256
> and remove it in 22.11 release.
AFAIK Openssl 1.1 is not outdated and there are customers which are still
Not migrated to openssl 3.0. Hence cannot completely remove that.
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (4 preceding siblings ...)
2022-05-16 10:10 ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
@ 2022-06-13 16:40 ` Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
` (4 more replies)
5 siblings, 5 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-13 16:40 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch set update openssl pmd deprecated APIs to EVP
APIs where supported in openssl 3.0 lib
---
v3:
- rebase to 22.07 rc1
v2:
- addin DSA routine
Kai Ji (4):
crypto/openssl: 3.0 EVP update on HMAC routine
crypto/openssl: 3.0 EVP update on RSA routine
crypto/openssl: 3.0 EVP update on DH routine
crypto/openssl: 3.0 EVP update on DSA routine
app/test/test_cryptodev_asym.c | 90 ++-
drivers/crypto/openssl/compat.h | 12 +
drivers/crypto/openssl/openssl_pmd_private.h | 18 +
drivers/crypto/openssl/rte_openssl_pmd.c | 698 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 231 +++++-
5 files changed, 1013 insertions(+), 36 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
@ 2022-06-13 16:40 ` Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
` (3 subsequent siblings)
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-13 16:40 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
2 files changed, 181 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+# else
HMAC_CTX *ctx;
/**< pointer to EVP context structure */
+# endif
} hmac;
};
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a..febfcb5a22 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+ switch (xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = get_digest_name(xform);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
- EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
}
taglen = sess->auth.digest_length;
- ctx_copy = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
}
- EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
uint8_t *dst;
int srclen, status;
EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+# else
ctx_h = HMAC_CTX_new();
HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
rte_cryptodev_pmd_probing_finish(dev);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_load_legacy_provider();
+# endif
return 0;
init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_unload_legacy_provider();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
@ 2022-06-13 16:40 ` Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
` (2 subsequent siblings)
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-13 16:40 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..d603626fdf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index febfcb5a22..6c3fef6356 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 7d0da52a33..6d94da499e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -12,7 +12,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
@ 2022-06-13 16:40 ` Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-13 16:40 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++-
3 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index d603626fdf..8fdbc75511 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+ OSSL_PARAM_BLD *param_bld_peer;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6c3fef6356..fdf191b7ea 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
}
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
@@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 6d94da499e..a1a42ef444 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+
+ OSSL_PARAM_BLD *param_bld_peer = NULL;
+ param_bld_peer = OSSL_PARAM_BLD_new();
+ if (!param_bld_peer) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ goto err_dh;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+ asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
+#endif
asym_session->u.dh.dh_key = dh;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
break;
@@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
}
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.dh.param_bld = NULL;
+ sess->u.dh.param_bld_peer = NULL;
+#else
if (sess->u.dh.dh_key)
DH_free(sess->u.dh.dh_key);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (sess->u.s.dsa)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (2 preceding siblings ...)
2022-06-13 16:40 ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
@ 2022-06-13 16:40 ` Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-13 16:40 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign
test to two indiviual dsa sign and dsa verfiy tests.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
app/test/test_cryptodev_asym.c | 90 ++++++++--
drivers/crypto/openssl/compat.h | 12 ++
drivers/crypto/openssl/openssl_pmd_private.h | 3 +
drivers/crypto/openssl/rte_openssl_pmd.c | 177 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 72 +++++++-
5 files changed, 330 insertions(+), 24 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 7bd7cde16e..c9c48d1e87 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1642,7 +1642,7 @@ test_dh_keygenration(void)
}
static int
-test_dsa_sign(void)
+test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op)
{
struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
struct rte_mempool *op_mpool = ts_params->op_mpool;
@@ -1652,9 +1652,6 @@ test_dsa_sign(void)
struct rte_crypto_op *op = NULL, *result_op = NULL;
void *sess = NULL;
int status = TEST_SUCCESS;
- uint8_t r[TEST_DH_MOD_LEN];
- uint8_t s[TEST_DH_MOD_LEN];
- uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
int ret;
ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
@@ -1676,6 +1673,7 @@ test_dsa_sign(void)
goto error_exit;
}
asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
dsa_xform.dsa.p.length);
@@ -1689,13 +1687,6 @@ test_dsa_sign(void)
/* attach asymmetric crypto session to crypto operations */
rte_crypto_op_attach_asym_session(op, sess);
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
- asym_op->dsa.message.data = dgst;
- asym_op->dsa.message.length = sizeof(dgst);
- asym_op->dsa.r.length = sizeof(r);
- asym_op->dsa.r.data = r;
- asym_op->dsa.s.length = sizeof(s);
- asym_op->dsa.s.data = s;
-
RTE_LOG(DEBUG, USER1, "Process ASYM operation");
/* Process crypto operation */
@@ -1719,12 +1710,71 @@ test_dsa_sign(void)
}
asym_op = result_op->asym;
+ dsa_op->r.length = asym_op->dsa.r.length;
+ dsa_op->s.length = asym_op->dsa.s.length;
debug_hexdump(stdout, "r:",
asym_op->dsa.r.data, asym_op->dsa.r.length);
debug_hexdump(stdout, "s:",
asym_op->dsa.s.data, asym_op->dsa.s.length);
+error_exit:
+ if (sess != NULL)
+ rte_cryptodev_asym_session_free(dev_id, sess);
+ if (op != NULL)
+ rte_crypto_op_free(op);
+ return status;
+}
+
+static int
+test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op)
+{
+ struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
+ struct rte_mempool *op_mpool = ts_params->op_mpool;
+ struct rte_mempool *sess_mpool = ts_params->session_mpool;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ struct rte_crypto_asym_op *asym_op = NULL;
+ struct rte_crypto_op *op = NULL, *result_op = NULL;
+ void *sess = NULL;
+ int status = TEST_SUCCESS;
+ int ret;
+ ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s", __LINE__,
+ "Session creation failed");
+ status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+ goto error_exit;
+ }
+ /* set up crypto op data structure */
+ op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
+ if (!op) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s",
+ __LINE__, "Failed to allocate asymmetric crypto "
+ "operation struct");
+ status = TEST_FAILED;
+ goto error_exit;
+ }
+ asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
+
+ debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
+ dsa_xform.dsa.p.length);
+ debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data,
+ dsa_xform.dsa.q.length);
+ debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data,
+ dsa_xform.dsa.g.length);
+
+ /* attach asymmetric crypto session to crypto operations */
+ rte_crypto_op_attach_asym_session(op, sess);
+
+ debug_hexdump(stdout, "r:",
+ asym_op->dsa.r.data, asym_op->dsa.r.length);
+ debug_hexdump(stdout, "s:",
+ asym_op->dsa.s.data, asym_op->dsa.s.length);
+
+ RTE_LOG(DEBUG, USER1, "Process ASYM verify operation");
/* Test PMD DSA sign verification using signer public key */
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
@@ -1770,8 +1820,22 @@ static int
test_dsa(void)
{
int status;
- status = test_dsa_sign();
- TEST_ASSERT_EQUAL(status, 0, "Test failed");
+ uint8_t r[TEST_DH_MOD_LEN];
+ uint8_t s[TEST_DH_MOD_LEN];
+ struct rte_crypto_dsa_op_param dsa_op;
+ uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
+
+ dsa_op.message.data = dgst;
+ dsa_op.message.length = sizeof(dgst);
+ dsa_op.r.data = r;
+ dsa_op.s.data = s;
+ dsa_op.r.length = sizeof(r);
+ dsa_op.s.length = sizeof(s);
+
+ status = test_dsa_sign(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed");
+ status = test_dsa_verify(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed");
return status;
}
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..9f9167c4f1 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
#else
static __rte_always_inline int
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 8fdbc75511..b0e5cd109b 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -184,6 +184,9 @@ struct openssl_asym_session {
} dh;
struct {
DSA *dsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} s;
} u;
} __rte_cache_aligned;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index fdf191b7ea..0f8dd4f169 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2,8 +2,6 @@
* Copyright(c) 2016-2017 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
#include <rte_common.h>
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
@@ -1764,6 +1762,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1845,6 +2008,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process dh operation */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -2501,6 +2665,14 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
@@ -2509,6 +2681,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
process_openssl_dsa_verify_op(op, sess);
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+#endif
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index a1a42ef444..59eb80fc72 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -812,13 +812,13 @@ static int openssl_set_asym_session_parameters(
struct openssl_asym_session *asym_session,
struct rte_crypto_asym_xform *xform)
{
- int ret = 0;
+ int ret = -1;
if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) &&
(xform->next != NULL)) {
OPENSSL_LOG(ERR, "chained xfrms are not supported on %s",
rte_crypto_asym_xform_strings[xform->xform_type]);
- return -1;
+ return ret;
}
switch (xform->xform_type) {
@@ -1003,7 +1003,7 @@ static int openssl_set_asym_session_parameters(
if (ret) {
OPENSSL_LOG(ERR, "Failed to load rsa keys\n");
RSA_free(rsa);
- return -1;
+ return ret;
}
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
@@ -1029,7 +1029,7 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
@@ -1037,7 +1037,7 @@ static int openssl_set_asym_session_parameters(
if (mod == NULL || exp == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1060,14 +1060,14 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
if (mod == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1158,6 +1158,56 @@ static int openssl_set_asym_session_parameters(
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *p = NULL, *g = NULL;
+ BIGNUM *q = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = BN_new();
+ BN_zero(pub_key);
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ p = BN_bin2bn((const unsigned char *)
+ xform->dsa.p.data,
+ xform->dsa.p.length,
+ p);
+
+ g = BN_bin2bn((const unsigned char *)
+ xform->dsa.g.data,
+ xform->dsa.g.length,
+ g);
+
+ q = BN_bin2bn((const unsigned char *)
+ xform->dsa.q.data,
+ xform->dsa.q.length,
+ q);
+ if (!p || !q || !g)
+ goto err_dsa;
+
+ priv_key = BN_bin2bn((const unsigned char *)
+ xform->dsa.x.data,
+ xform->dsa.x.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err_dsa;
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+ asym_session->u.s.param_bld = param_bld;
+
+ break;
+#else
BIGNUM *p = NULL, *g = NULL;
BIGNUM *q = NULL, *priv_key = NULL;
BIGNUM *pub_key = BN_new();
@@ -1217,7 +1267,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.s.dsa = dsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
break;
-
+#endif
err_dsa:
BN_free(p);
BN_free(q);
@@ -1227,7 +1277,7 @@ static int openssl_set_asym_session_parameters(
return -1;
}
default:
- return -1;
+ return ret;
}
return 0;
@@ -1310,8 +1360,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.s.param_bld = NULL;
+#else
if (sess->u.s.dsa)
DSA_free(sess->u.s.dsa);
+#endif
break;
default:
break;
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (3 preceding siblings ...)
2022-06-13 16:40 ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
@ 2022-06-14 13:25 ` Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
` (5 more replies)
4 siblings, 6 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-14 13:25 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch set update openssl pmd deprecated APIs to EVP
APIs where supported in openssl 3.0 lib
---
v4:
- compilation issue fix
v3:
- rebase to 22.07 rc1
v2:
- addin DSA routine
---
Kai Ji (4):
crypto/openssl: 3.0 EVP update on HMAC routine
crypto/openssl: 3.0 EVP update on RSA routine
crypto/openssl: 3.0 EVP update on DH routine
crypto/openssl: 3.0 EVP update on DSA routine
app/test/test_cryptodev_asym.c | 90 ++-
drivers/crypto/openssl/compat.h | 12 +
drivers/crypto/openssl/openssl_pmd_private.h | 18 +
drivers/crypto/openssl/rte_openssl_pmd.c | 698 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 231 +++++-
5 files changed, 1013 insertions(+), 36 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
@ 2022-06-14 13:25 ` Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:22 ` [EXT] " Akhil Goyal
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
` (4 subsequent siblings)
5 siblings, 2 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-14 13:25 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
2 files changed, 181 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..86dc169aaf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,8 +134,12 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+# else
HMAC_CTX *ctx;
/**< pointer to EVP context structure */
+# endif
} hmac;
};
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a..5dbe6074eb 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_load_legacy_provider(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_unload_legacy_provider(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+get_digest_name(const struct rte_crypto_sym_xform *xform)
+{
+ switch (xform->auth.algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = get_digest_name(xform);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ rte_memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
- EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
}
taglen = sess->auth.digest_length;
- ctx_copy = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
}
- EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
uint8_t *dst;
int srclen, status;
EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+# else
ctx_h = HMAC_CTX_new();
HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
rte_cryptodev_pmd_probing_finish(dev);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_load_legacy_provider();
+# endif
return 0;
init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_unload_legacy_provider();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
@ 2022-06-14 13:25 ` Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:30 ` [EXT] " Akhil Goyal
2022-06-14 13:25 ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
` (3 subsequent siblings)
5 siblings, 2 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-14 13:25 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..d603626fdf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5dbe6074eb..cac157aba3 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 7d0da52a33..6d94da499e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -12,7 +12,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
@ 2022-06-14 13:25 ` Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-14 13:25 ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
` (2 subsequent siblings)
5 siblings, 1 reply; 39+ messages in thread
From: Kai Ji @ 2022-06-14 13:25 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++-
3 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index d603626fdf..8fdbc75511 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+ OSSL_PARAM_BLD *param_bld_peer;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index cac157aba3..cbc525a021 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
}
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
@@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 6d94da499e..a1a42ef444 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+
+ OSSL_PARAM_BLD *param_bld_peer = NULL;
+ param_bld_peer = OSSL_PARAM_BLD_new();
+ if (!param_bld_peer) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ goto err_dh;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+ asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
+#endif
asym_session->u.dh.dh_key = dh;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
break;
@@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
}
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.dh.param_bld = NULL;
+ sess->u.dh.param_bld_peer = NULL;
+#else
if (sess->u.dh.dh_key)
DH_free(sess->u.dh.dh_key);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (sess->u.s.dsa)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (2 preceding siblings ...)
2022-06-14 13:25 ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
@ 2022-06-14 13:25 ` Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-21 10:16 ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
5 siblings, 1 reply; 39+ messages in thread
From: Kai Ji @ 2022-06-14 13:25 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign
test to two individual dsa sign and dsa verfiy tests.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
app/test/test_cryptodev_asym.c | 90 ++++++++--
drivers/crypto/openssl/compat.h | 12 ++
drivers/crypto/openssl/openssl_pmd_private.h | 3 +
drivers/crypto/openssl/rte_openssl_pmd.c | 177 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 72 +++++++-
5 files changed, 330 insertions(+), 24 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 7bd7cde16e..c9c48d1e87 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1642,7 +1642,7 @@ test_dh_keygenration(void)
}
static int
-test_dsa_sign(void)
+test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op)
{
struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
struct rte_mempool *op_mpool = ts_params->op_mpool;
@@ -1652,9 +1652,6 @@ test_dsa_sign(void)
struct rte_crypto_op *op = NULL, *result_op = NULL;
void *sess = NULL;
int status = TEST_SUCCESS;
- uint8_t r[TEST_DH_MOD_LEN];
- uint8_t s[TEST_DH_MOD_LEN];
- uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
int ret;
ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
@@ -1676,6 +1673,7 @@ test_dsa_sign(void)
goto error_exit;
}
asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
dsa_xform.dsa.p.length);
@@ -1689,13 +1687,6 @@ test_dsa_sign(void)
/* attach asymmetric crypto session to crypto operations */
rte_crypto_op_attach_asym_session(op, sess);
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
- asym_op->dsa.message.data = dgst;
- asym_op->dsa.message.length = sizeof(dgst);
- asym_op->dsa.r.length = sizeof(r);
- asym_op->dsa.r.data = r;
- asym_op->dsa.s.length = sizeof(s);
- asym_op->dsa.s.data = s;
-
RTE_LOG(DEBUG, USER1, "Process ASYM operation");
/* Process crypto operation */
@@ -1719,12 +1710,71 @@ test_dsa_sign(void)
}
asym_op = result_op->asym;
+ dsa_op->r.length = asym_op->dsa.r.length;
+ dsa_op->s.length = asym_op->dsa.s.length;
debug_hexdump(stdout, "r:",
asym_op->dsa.r.data, asym_op->dsa.r.length);
debug_hexdump(stdout, "s:",
asym_op->dsa.s.data, asym_op->dsa.s.length);
+error_exit:
+ if (sess != NULL)
+ rte_cryptodev_asym_session_free(dev_id, sess);
+ if (op != NULL)
+ rte_crypto_op_free(op);
+ return status;
+}
+
+static int
+test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op)
+{
+ struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
+ struct rte_mempool *op_mpool = ts_params->op_mpool;
+ struct rte_mempool *sess_mpool = ts_params->session_mpool;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ struct rte_crypto_asym_op *asym_op = NULL;
+ struct rte_crypto_op *op = NULL, *result_op = NULL;
+ void *sess = NULL;
+ int status = TEST_SUCCESS;
+ int ret;
+ ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s", __LINE__,
+ "Session creation failed");
+ status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+ goto error_exit;
+ }
+ /* set up crypto op data structure */
+ op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
+ if (!op) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s",
+ __LINE__, "Failed to allocate asymmetric crypto "
+ "operation struct");
+ status = TEST_FAILED;
+ goto error_exit;
+ }
+ asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
+
+ debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
+ dsa_xform.dsa.p.length);
+ debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data,
+ dsa_xform.dsa.q.length);
+ debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data,
+ dsa_xform.dsa.g.length);
+
+ /* attach asymmetric crypto session to crypto operations */
+ rte_crypto_op_attach_asym_session(op, sess);
+
+ debug_hexdump(stdout, "r:",
+ asym_op->dsa.r.data, asym_op->dsa.r.length);
+ debug_hexdump(stdout, "s:",
+ asym_op->dsa.s.data, asym_op->dsa.s.length);
+
+ RTE_LOG(DEBUG, USER1, "Process ASYM verify operation");
/* Test PMD DSA sign verification using signer public key */
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
@@ -1770,8 +1820,22 @@ static int
test_dsa(void)
{
int status;
- status = test_dsa_sign();
- TEST_ASSERT_EQUAL(status, 0, "Test failed");
+ uint8_t r[TEST_DH_MOD_LEN];
+ uint8_t s[TEST_DH_MOD_LEN];
+ struct rte_crypto_dsa_op_param dsa_op;
+ uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
+
+ dsa_op.message.data = dgst;
+ dsa_op.message.length = sizeof(dgst);
+ dsa_op.r.data = r;
+ dsa_op.s.data = s;
+ dsa_op.r.length = sizeof(r);
+ dsa_op.s.length = sizeof(s);
+
+ status = test_dsa_sign(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed");
+ status = test_dsa_verify(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed");
return status;
}
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..9f9167c4f1 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
#else
static __rte_always_inline int
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 8fdbc75511..b0e5cd109b 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -184,6 +184,9 @@ struct openssl_asym_session {
} dh;
struct {
DSA *dsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} s;
} u;
} __rte_cache_aligned;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index cbc525a021..900b393fa9 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2,8 +2,6 @@
* Copyright(c) 2016-2017 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
#include <rte_common.h>
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
@@ -1764,6 +1762,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1845,6 +2008,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process dh operation */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -2501,6 +2665,14 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
@@ -2509,6 +2681,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
process_openssl_dsa_verify_op(op, sess);
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+#endif
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index a1a42ef444..59eb80fc72 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -812,13 +812,13 @@ static int openssl_set_asym_session_parameters(
struct openssl_asym_session *asym_session,
struct rte_crypto_asym_xform *xform)
{
- int ret = 0;
+ int ret = -1;
if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) &&
(xform->next != NULL)) {
OPENSSL_LOG(ERR, "chained xfrms are not supported on %s",
rte_crypto_asym_xform_strings[xform->xform_type]);
- return -1;
+ return ret;
}
switch (xform->xform_type) {
@@ -1003,7 +1003,7 @@ static int openssl_set_asym_session_parameters(
if (ret) {
OPENSSL_LOG(ERR, "Failed to load rsa keys\n");
RSA_free(rsa);
- return -1;
+ return ret;
}
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
@@ -1029,7 +1029,7 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
@@ -1037,7 +1037,7 @@ static int openssl_set_asym_session_parameters(
if (mod == NULL || exp == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1060,14 +1060,14 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
if (mod == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1158,6 +1158,56 @@ static int openssl_set_asym_session_parameters(
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *p = NULL, *g = NULL;
+ BIGNUM *q = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = BN_new();
+ BN_zero(pub_key);
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ p = BN_bin2bn((const unsigned char *)
+ xform->dsa.p.data,
+ xform->dsa.p.length,
+ p);
+
+ g = BN_bin2bn((const unsigned char *)
+ xform->dsa.g.data,
+ xform->dsa.g.length,
+ g);
+
+ q = BN_bin2bn((const unsigned char *)
+ xform->dsa.q.data,
+ xform->dsa.q.length,
+ q);
+ if (!p || !q || !g)
+ goto err_dsa;
+
+ priv_key = BN_bin2bn((const unsigned char *)
+ xform->dsa.x.data,
+ xform->dsa.x.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err_dsa;
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+ asym_session->u.s.param_bld = param_bld;
+
+ break;
+#else
BIGNUM *p = NULL, *g = NULL;
BIGNUM *q = NULL, *priv_key = NULL;
BIGNUM *pub_key = BN_new();
@@ -1217,7 +1267,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.s.dsa = dsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
break;
-
+#endif
err_dsa:
BN_free(p);
BN_free(q);
@@ -1227,7 +1277,7 @@ static int openssl_set_asym_session_parameters(
return -1;
}
default:
- return -1;
+ return ret;
}
return 0;
@@ -1310,8 +1360,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.s.param_bld = NULL;
+#else
if (sess->u.s.dsa)
DSA_free(sess->u.s.dsa);
+#endif
break;
default:
break;
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
@ 2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:22 ` [EXT] " Akhil Goyal
1 sibling, 0 replies; 39+ messages in thread
From: Zhang, Roy Fan @ 2022-06-17 10:04 UTC (permalink / raw)
To: Ji, Kai, dev; +Cc: gakhil, Ji, Kai
> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Tuesday, June 14, 2022 2:26 PM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
>
> This patch update the symmetric HMAC routine in crypto openssl
> pmd to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
@ 2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:30 ` [EXT] " Akhil Goyal
1 sibling, 0 replies; 39+ messages in thread
From: Zhang, Roy Fan @ 2022-06-17 10:04 UTC (permalink / raw)
To: Ji, Kai, dev; +Cc: gakhil, Ji, Kai
> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Tuesday, June 14, 2022 2:26 PM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
>
> This patch updates asymmetric RSA routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine
2022-06-14 13:25 ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
@ 2022-06-17 10:05 ` Zhang, Roy Fan
0 siblings, 0 replies; 39+ messages in thread
From: Zhang, Roy Fan @ 2022-06-17 10:05 UTC (permalink / raw)
To: Ji, Kai, dev; +Cc: gakhil, Ji, Kai
> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Tuesday, June 14, 2022 2:26 PM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine
>
> This patch updates asymmetric DH routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine
2022-06-14 13:25 ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
@ 2022-06-17 10:05 ` Zhang, Roy Fan
0 siblings, 0 replies; 39+ messages in thread
From: Zhang, Roy Fan @ 2022-06-17 10:05 UTC (permalink / raw)
To: Ji, Kai, dev; +Cc: gakhil, Ji, Kai
> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Tuesday, June 14, 2022 2:26 PM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine
>
> This patch updates asymmetric DSA routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign
> test to two individual dsa sign and dsa verfiy tests.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
@ 2022-06-21 9:22 ` Akhil Goyal
1 sibling, 0 replies; 39+ messages in thread
From: Akhil Goyal @ 2022-06-21 9:22 UTC (permalink / raw)
To: Kai Ji, dev
> Subject: [EXT] [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC
> routine
Title should be
Crypto/openssl: update HMAC routine with 3.0 EVP API
>
> This patch update the symmetric HMAC routine in crypto openssl
> pmd to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
> drivers/crypto/openssl/openssl_pmd_private.h | 4 +
> drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
> 2 files changed, 181 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index b2054b3754..86dc169aaf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -134,8 +134,12 @@ struct openssl_session {
> /**< pointer to EVP key */
> const EVP_MD *evp_algo;
> /**< pointer to EVP algorithm function */
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + EVP_MAC_CTX * ctx;
> +# else
> HMAC_CTX *ctx;
> /**< pointer to EVP context structure */
> +# endif
Endif should be above comment.
> } hmac;
> };
>
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 6ac2dfff5a..5dbe6074eb 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
> }
> #endif
>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +
> +#define MAX_OSSL_ALGO_NAME_SIZE 16
> +
> +OSSL_PROVIDER *legacy;
> +OSSL_PROVIDER *deflt;
> +
> +static void ossl_load_legacy_provider(void)
Static void should be separate line.
Check for other functions as well.
verb should be in the end
Ossl_legacy_provider_load/unload
> +{
> + /* Load Multiple providers into the default (NULL) library context */
> + legacy = OSSL_PROVIDER_load(NULL, "legacy");
> + if (legacy == NULL) {
> + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
> + return;
> + }
> +
> + deflt = OSSL_PROVIDER_load(NULL, "default");
> + if (deflt == NULL) {
> + OPENSSL_LOG(ERR, "Failed to load Default provider\n");
> + OSSL_PROVIDER_unload(legacy);
> + return;
> + }
> +}
> +
> +static void ossl_unload_legacy_provider(void)
> +{
> + OSSL_PROVIDER_unload(legacy);
> + OSSL_PROVIDER_unload(deflt);
> +}
> +
> +static __rte_always_inline const char *
> +get_digest_name(const struct rte_crypto_sym_xform *xform)
Digest_name_get
> +{
> + switch (xform->auth.algo) {
> + case RTE_CRYPTO_AUTH_MD5_HMAC:
> + return OSSL_DIGEST_NAME_MD5;
> + case RTE_CRYPTO_AUTH_SHA1_HMAC:
> + return OSSL_DIGEST_NAME_SHA1;
> + case RTE_CRYPTO_AUTH_SHA224_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_224;
> + case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_256;
> + case RTE_CRYPTO_AUTH_SHA384_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_384;
> + case RTE_CRYPTO_AUTH_SHA512_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_512;
> + default:
> + return NULL;
> + }
> +}
> +#endif
> +
> static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
>
> /*----------------------------------------------------------------------------*/
> @@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
> sess->auth.auth.ctx = EVP_MD_CTX_create();
> break;
>
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + case RTE_CRYPTO_AUTH_MD5_HMAC:
> + case RTE_CRYPTO_AUTH_SHA1_HMAC:
> + case RTE_CRYPTO_AUTH_SHA224_HMAC:
> + case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + case RTE_CRYPTO_AUTH_SHA384_HMAC:
> + case RTE_CRYPTO_AUTH_SHA512_HMAC:
> + sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
> +
> + OSSL_PARAM params[2];
> + const char *algo;
> + algo = get_digest_name(xform);
Pass xform->auth.algo directly
> + if (!algo)
> + return -EINVAL;
> + char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
> + rte_memcpy(algo_name, algo, (sizeof(algo)+1));
> +
> + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
> + EVP_MAC_free(mac);
> + if (get_auth_algo(xform->auth.algo,
> + &sess->auth.hmac.evp_algo) != 0)
> + return -EINVAL;
> +
> + params[0] = OSSL_PARAM_construct_utf8_string("digest",
> + algo_name, 0);
> + params[1] = OSSL_PARAM_construct_end();
> + if (EVP_MAC_init(sess->auth.hmac.ctx,
> + xform->auth.key.data,
> + xform->auth.key.length,
> + params) != 1)
> + return -EINVAL;
> + break;
> +# else
> case RTE_CRYPTO_AUTH_MD5_HMAC:
> case RTE_CRYPTO_AUTH_SHA1_HMAC:
> case RTE_CRYPTO_AUTH_SHA224_HMAC:
> @@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
> sess->auth.hmac.evp_algo, NULL) != 1)
> return -EINVAL;
> break;
> -
> +# endif
> default:
> return -ENOTSUP;
> }
> @@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
> break;
> case OPENSSL_AUTH_AS_HMAC:
> EVP_PKEY_free(sess->auth.hmac.pkey);
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + EVP_MAC_CTX_free(sess->auth.hmac.ctx);
> +# else
> HMAC_CTX_free(sess->auth.hmac.ctx);
> +# endif
> break;
> default:
> break;
> @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src,
> uint8_t *dst, int offset,
> return -EINVAL;
> }
>
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/** Process standard openssl auth algorithms with hmac */
> +static int
> +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> + int srclen, EVP_MAC_CTX *ctx)
> +{
> + size_t dstlen;
> + struct rte_mbuf *m;
> + int l, n = srclen;
> + uint8_t *src;
> +
> + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
> + m = m->next)
> + offset -= rte_pktmbuf_data_len(m);
> +
> + if (m == 0)
> + goto process_auth_err;
> +
> + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
> +
> + l = rte_pktmbuf_data_len(m) - offset;
> + if (srclen <= l) {
> + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
> + goto process_auth_err;
> + goto process_auth_final;
> + }
> +
> + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> + goto process_auth_err;
> +
> + n -= l;
> +
> + for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
> + src = rte_pktmbuf_mtod(m, uint8_t *);
> + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
> + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> + goto process_auth_err;
> + n -= l;
> + }
> +
> +process_auth_final:
> + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
> + goto process_auth_err;
> +
> + EVP_MAC_CTX_free(ctx);
> + return 0;
> +
> +process_auth_err:
> + EVP_MAC_CTX_free(ctx);
> + OPENSSL_LOG(ERR, "Process openssl auth failed");
> + return -EINVAL;
> +}
> +# else
> /** Process standard openssl auth algorithms with hmac */
> static int
> process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf
> *mbuf_src, uint8_t *dst, int offset,
> OPENSSL_LOG(ERR, "Process openssl auth failed");
> return -EINVAL;
> }
> -
> +# endif
> /*----------------------------------------------------------------------------*/
>
> /** Process auth/cipher combined operation */
> @@ -1328,7 +1474,6 @@ process_openssl_combined_op
> int srclen, aadlen, status = -1;
> uint32_t offset;
> uint8_t taglen;
> - EVP_CIPHER_CTX *ctx_copy;
>
> /*
> * Segmented destination buffer is not supported for
> @@ -1365,8 +1510,6 @@ process_openssl_combined_op
> }
>
> taglen = sess->auth.digest_length;
> - ctx_copy = EVP_CIPHER_CTX_new();
> - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
>
> if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
> if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1374,12 +1517,12 @@ process_openssl_combined_op
> status = process_openssl_auth_encryption_gcm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, ctx_copy);
> + dst, tag, sess->cipher.ctx);
> else
> status = process_openssl_auth_encryption_ccm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, taglen, ctx_copy);
> + dst, tag, taglen, sess->cipher.ctx);
>
> } else {
> if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1387,15 +1530,14 @@ process_openssl_combined_op
> status = process_openssl_auth_decryption_gcm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, ctx_copy);
> + dst, tag, sess->cipher.ctx);
> else
> status = process_openssl_auth_decryption_ccm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, taglen, ctx_copy);
> + dst, tag, taglen, sess->cipher.ctx);
> }
>
> - EVP_CIPHER_CTX_free(ctx_copy);
> if (status != 0) {
> if (status == (-EFAULT) &&
> sess->auth.operation ==
> @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
> uint8_t *dst;
> int srclen, status;
> EVP_MD_CTX *ctx_a;
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + EVP_MAC_CTX *ctx_h;
> + EVP_MAC *mac;
> +# else
> HMAC_CTX *ctx_h;
> +# endif
>
> srclen = op->sym->auth.data.length;
>
> @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
> EVP_MD_CTX_destroy(ctx_a);
> break;
> case OPENSSL_AUTH_AS_HMAC:
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> + ctx_h = EVP_MAC_CTX_new(mac);
> + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
> + EVP_MAC_free(mac);
> + status = process_openssl_auth_hmac(mbuf_src, dst,
> + op->sym->auth.data.offset, srclen,
> + ctx_h);
> +# else
> ctx_h = HMAC_CTX_new();
> HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
> status = process_openssl_auth_hmac(mbuf_src, dst,
> op->sym->auth.data.offset, srclen,
> ctx_h);
> HMAC_CTX_free(ctx_h);
> +# endif
> break;
> default:
> status = -1;
> @@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
>
> rte_cryptodev_pmd_probing_finish(dev);
>
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + /* Load legacy provider
> + * Some algorithms are no longer available in earlier version of openssl,
> + * unless the legacy provider explicitly loaded. e.g. DES
> + */
> + ossl_load_legacy_provider();
> +# endif
> return 0;
>
> init_error:
> @@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device
> *vdev)
> if (cryptodev == NULL)
> return -ENODEV;
>
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + ossl_unload_legacy_provider();
> +# endif
> return rte_cryptodev_pmd_destroy(cryptodev);
> }
>
> --
> 2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
@ 2022-06-21 9:30 ` Akhil Goyal
2022-06-21 13:35 ` Ji, Kai
1 sibling, 1 reply; 39+ messages in thread
From: Akhil Goyal @ 2022-06-21 9:30 UTC (permalink / raw)
To: Kai Ji, dev
> This patch updates asymmetric RSA routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
> drivers/crypto/openssl/openssl_pmd_private.h | 7 +
> drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
> 3 files changed, 267 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index 86dc169aaf..d603626fdf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -11,6 +11,10 @@
> #include <openssl/rsa.h>
> #include <openssl/dh.h>
> #include <openssl/dsa.h>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +#endif
>
> #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
> /**< Open SSL Crypto PMD device name */
> @@ -157,6 +161,9 @@ struct openssl_asym_session {
> union {
> struct rsa {
> RSA *rsa;
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + EVP_PKEY_CTX * ctx;
> +#endif
> } r;
> struct exp {
> BIGNUM *exp;
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 5dbe6074eb..cac157aba3 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op
> *cop,
> }
>
> /* process rsa operations */
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +static int
> +process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
> + struct openssl_asym_session *sess)
> +{
> + struct rte_crypto_asym_op *op = cop->asym;
> + uint32_t pad = (op->rsa.padding.type);
> + uint8_t *tmp;
> + size_t outlen = 0;
> + int ret = -1;
> +
> + cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
> + if (!rsa_ctx)
> + return ret;
> +
> + switch (pad) {
> + case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> + pad = RSA_PKCS1_PADDING;
> + break;
> + case RTE_CRYPTO_RSA_PADDING_NONE:
> + pad = RSA_NO_PADDING;
> + break;
> + default:
> + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> + OPENSSL_LOG(ERR,
> + "rsa pad type not supported %d\n", pad);
> + return ret;
> + }
> +
> + switch (op->rsa.op_type) {
> + case RTE_CRYPTO_ASYM_OP_ENCRYPT:
> + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
> + goto err_rsa;
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
> + op->rsa.message.data,
> + op-
> >rsa.message.length) <= 0)
Remove extra indentation here and below also.
Cop->status is not updated in case of failure gotos.
> + goto err_rsa;
> +
> + if (outlen <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
> + op->rsa.message.data,
> + op-
> >rsa.message.length) <= 0)
> + goto err_rsa;
> + op->rsa.cipher.length = outlen;
> +
> + OPENSSL_LOG(DEBUG,
> + "length of encrypted text %zu\n", outlen);
> + break;
> +
> + case RTE_CRYPTO_ASYM_OP_DECRYPT:
> + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
> + goto err_rsa;
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
> + op->rsa.cipher.data,
> + op->rsa.cipher.length)
> <= 0)
> + goto err_rsa;
> +
> + if (outlen <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
> + op->rsa.cipher.data,
> + op->rsa.cipher.length)
> <= 0)
> + goto err_rsa;
> + op->rsa.message.length = outlen;
> +
> + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n",
> outlen);
> + break;
> +
> + case RTE_CRYPTO_ASYM_OP_SIGN:
> + if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
> + op->rsa.message.data,
> + op-
> >rsa.message.length) <= 0)
> + goto err_rsa;
> + op->rsa.sign.length = outlen;
> + break;
> +
> + case RTE_CRYPTO_ASYM_OP_VERIFY:
> + tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
> + if (tmp == NULL) {
> + OPENSSL_LOG(ERR, "Memory allocation failed");
> + goto err_rsa;
> + }
> +
> + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
> + rte_free(tmp);
> + goto err_rsa;
> + }
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
> + rte_free(tmp);
> + goto err_rsa;
> + }
> +
> + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
> + op->rsa.sign.data,
> + op->rsa.sign.length) <=
> 0) {
> + rte_free(tmp);
> + goto err_rsa;
> + }
> +
> + OPENSSL_LOG(DEBUG,
> + "Length of public_decrypt %zu "
> + "length of message %zd\n",
> + outlen, op->rsa.message.length);
> + if (CRYPTO_memcmp(tmp, op->rsa.message.data,
> + op->rsa.message.length)) {
> + OPENSSL_LOG(ERR, "RSA sign Verification failed");
> + }
> + rte_free(tmp);
> + break;
> +
> + default:
> + /* allow ops with invalid args to be pushed to
> + * completion queue
> + */
> + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> + goto err_rsa;
> + }
> +
> + ret = 0;
> + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
> +err_rsa:
> + return ret;
> +
> +}
> +#else
> static int
> process_openssl_rsa_op(struct rte_crypto_op *cop,
> struct openssl_asym_session *sess)
> @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
>
> return 0;
> }
> +#endif
>
> static int
> process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
> @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct
> rte_crypto_op *op,
>
> switch (sess->xfrm_type) {
> case RTE_CRYPTO_ASYM_XFORM_RSA:
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + retval = process_openssl_rsa_op_evp(op, sess);
> +# else
> retval = process_openssl_rsa_op(op, sess);
> +#endif
> break;
> case RTE_CRYPTO_ASYM_XFORM_MODEX:
> retval = process_openssl_modexp_op(op, sess);
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index 7d0da52a33..6d94da499e 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -12,7 +12,11 @@
>
> #include "openssl_pmd_private.h"
> #include "compat.h"
> -
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +#include <openssl/param_build.h>
> +#endif
>
> static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
> { /* MD5 HMAC */
> @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
> if (!n || !e)
> goto err_rsa;
>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
> + if (!param_bld) {
> + OPENSSL_LOG(ERR, "failed to allocate resources\n");
> + goto err_rsa;
> + }
> +
> + if (!OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_N, n)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> + OSSL_PKEY_PARAM_RSA_E, e)) {
> + OSSL_PARAM_BLD_free(param_bld);
> + OPENSSL_LOG(ERR, "failed to allocate resources\n");
> + goto err_rsa;
> + }
> +
> + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
> + d = BN_bin2bn(
> + (const unsigned char *)xform->rsa.d.data,
> + xform->rsa.d.length,
> + d);
> + if (!d) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> + } else {
> + p = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.p.data,
> + xform->rsa.qt.p.length,
> + p);
> + q = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.q.data,
> + xform->rsa.qt.q.length,
> + q);
> + dmp1 = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.dP.data,
> + xform->rsa.qt.dP.length,
> + dmp1);
> + dmq1 = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.dQ.data,
> + xform->rsa.qt.dQ.length,
> + dmq1);
> + iqmp = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.qInv.data,
> + xform->rsa.qt.qInv.length,
> + iqmp);
> +
> + if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> +
> + if (!OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_FACTOR1, p)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_FACTOR2, q)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> + }
> +
> + if (!OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_N, n)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_E, e)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> + OSSL_PKEY_PARAM_RSA_D,
> d)) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> +
> + EVP_PKEY_CTX *key_ctx =
> EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
> + EVP_PKEY *pkey = NULL;
> + EVP_PKEY_CTX *rsa_ctx = NULL;
> + OSSL_PARAM *params = NULL;
> +
> + params = OSSL_PARAM_BLD_to_param(param_bld);
> + if (!params) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> +
> + if (key_ctx == NULL
> + || EVP_PKEY_fromdata_init(key_ctx) <= 0
> + || EVP_PKEY_fromdata(key_ctx, &pkey,
> + EVP_PKEY_KEYPAIR, params) <= 0) {
Indentation not correct above.
> + OSSL_PARAM_free(params);
> + goto err_rsa;
> + }
> +
> + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
> + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
> + asym_session->u.r.ctx = rsa_ctx;
> + EVP_PKEY_CTX_free(key_ctx);
> + OSSL_PARAM_free(params);
> + break;
> +#else
> RSA *rsa = RSA_new();
> if (rsa == NULL)
> goto err_rsa;
> @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
> asym_session->u.r.rsa = rsa;
> asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
> break;
> +#endif
> err_rsa:
> BN_clear_free(n);
> BN_clear_free(e);
> @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct
> openssl_asym_session *sess)
> {
> switch (sess->xfrm_type) {
> case RTE_CRYPTO_ASYM_XFORM_RSA:
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + if (sess->u.r.ctx)
> + EVP_PKEY_CTX_free(sess->u.r.ctx);
> +#else
> if (sess->u.r.rsa)
> RSA_free(sess->u.r.rsa);
> +#endif
> break;
> case RTE_CRYPTO_ASYM_XFORM_MODEX:
> if (sess->u.e.ctx) {
> --
> 2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (3 preceding siblings ...)
2022-06-14 13:25 ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
@ 2022-06-21 10:16 ` Akhil Goyal
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
5 siblings, 0 replies; 39+ messages in thread
From: Akhil Goyal @ 2022-06-21 10:16 UTC (permalink / raw)
To: Kai Ji, dev
> This patch set update openssl pmd deprecated APIs to EVP
> APIs where supported in openssl 3.0 lib
>
> ---
> v4:
> - compilation issue fix
>
> v3:
> - rebase to 22.07 rc1
>
> v2:
> - addin DSA routine
>
> ---
>
> Kai Ji (4):
> crypto/openssl: 3.0 EVP update on HMAC routine
> crypto/openssl: 3.0 EVP update on RSA routine
> crypto/openssl: 3.0 EVP update on DH routine
> crypto/openssl: 3.0 EVP update on DSA routine
>
> app/test/test_cryptodev_asym.c | 90 ++-
> drivers/crypto/openssl/compat.h | 12 +
> drivers/crypto/openssl/openssl_pmd_private.h | 18 +
> drivers/crypto/openssl/rte_openssl_pmd.c | 698 ++++++++++++++++++-
> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 231 +++++-
> 5 files changed, 1013 insertions(+), 36 deletions(-)
Add release notes too to highlight 3.0 support.
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
2022-06-21 9:30 ` [EXT] " Akhil Goyal
@ 2022-06-21 13:35 ` Ji, Kai
0 siblings, 0 replies; 39+ messages in thread
From: Ji, Kai @ 2022-06-21 13:35 UTC (permalink / raw)
To: Akhil Goyal, dev
> -----Original Message-----
> > --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> > +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> > @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct
> rte_crypto_op
> > *cop, }
> >
> > /* process rsa operations */
> > +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) static int
> > +process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
> > + struct openssl_asym_session *sess)
> > +{
> > + struct rte_crypto_asym_op *op = cop->asym;
> > + uint32_t pad = (op->rsa.padding.type);
> > + uint8_t *tmp;
> > + size_t outlen = 0;
> > + int ret = -1;
> > +
> > + cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> > + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
> > + if (!rsa_ctx)
> > + return ret;
> > +
> > + switch (pad) {
> > + case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> > + pad = RSA_PKCS1_PADDING;
> > + break;
> > + case RTE_CRYPTO_RSA_PADDING_NONE:
> > + pad = RSA_NO_PADDING;
> > + break;
> > + default:
> > + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> > + OPENSSL_LOG(ERR,
> > + "rsa pad type not supported %d\n", pad);
> > + return ret;
> > + }
> > +
> > + switch (op->rsa.op_type) {
> > + case RTE_CRYPTO_ASYM_OP_ENCRYPT:
> > + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
> > + op-
> >rsa.message.data,
> > + op-
> > >rsa.message.length) <= 0)
>
> Remove extra indentation here and below also.
>
> Cop->status is not updated in case of failure gotos.
>
Cop->status was assigned RTE_CRYPTO_OP_STATUS_ERROR at the top of this func, and only change to
RTE_CRYPTO_OP_STATUS_SUCCESS before the return when no failure.
>
> > + goto err_rsa;
> > +
> > + if (outlen <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
> > + op-
> >rsa.message.data,
> > + op-
> > >rsa.message.length) <= 0)
> > + goto err_rsa;
> > + op->rsa.cipher.length = outlen;
> > +
> > + OPENSSL_LOG(DEBUG,
> > + "length of encrypted text %zu\n", outlen);
> > + break;
> > +
> > + case RTE_CRYPTO_ASYM_OP_DECRYPT:
> > + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
> > + op->rsa.cipher.data,
> > + op->rsa.cipher.length)
> > <= 0)
> > + goto err_rsa;
> > +
> > + if (outlen <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data,
> &outlen,
> > + op->rsa.cipher.data,
> > + op->rsa.cipher.length)
> > <= 0)
> > + goto err_rsa;
> > + op->rsa.message.length = outlen;
> > +
> > + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n",
> > outlen);
> > + break;
> > +
> > + case RTE_CRYPTO_ASYM_OP_SIGN:
> > + if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
> > + op-
> >rsa.message.data,
> > + op-
> > >rsa.message.length) <= 0)
> > + goto err_rsa;
> > + op->rsa.sign.length = outlen;
> > + break;
> > +
> > + case RTE_CRYPTO_ASYM_OP_VERIFY:
> > + tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
> > + if (tmp == NULL) {
> > + OPENSSL_LOG(ERR, "Memory allocation failed");
> > + goto err_rsa;
> > + }
> > +
> > + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
> > + rte_free(tmp);
> > + goto err_rsa;
> > + }
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
> > + rte_free(tmp);
> > + goto err_rsa;
> > + }
> > +
> > + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
> > + op->rsa.sign.data,
> > + op->rsa.sign.length)
> <=
> > 0) {
> > + rte_free(tmp);
> > + goto err_rsa;
> > + }
> > +
> > + OPENSSL_LOG(DEBUG,
> > + "Length of public_decrypt %zu "
> > + "length of message %zd\n",
> > + outlen, op->rsa.message.length);
> > + if (CRYPTO_memcmp(tmp, op->rsa.message.data,
> > + op->rsa.message.length)) {
> > + OPENSSL_LOG(ERR, "RSA sign Verification failed");
> > + }
> > + rte_free(tmp);
> > + break;
> > +
> > + default:
> > + /* allow ops with invalid args to be pushed to
> > + * completion queue
> > + */
> > + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> > + goto err_rsa;
> > + }
> > +
> > + ret = 0;
> > + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
> > +err_rsa:
> > + return ret;
> > +
> > +}
> > --
> > 2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (4 preceding siblings ...)
2022-06-21 10:16 ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
@ 2022-06-21 13:55 ` Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
` (4 more replies)
5 siblings, 5 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 13:55 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch set update openssl pmd deprecated APIs to EVP
APIs where supported in openssl 3.0 lib
---
v5:
- review comments fix and release notes update
v4:
- compilation issue fix
v3:
- rebase to 22.07 rc1
v2:
- addin DSA routine
---
Kai Ji (4):
crypto/openssl: update on HMAC routine with 3.0 EVP API
crypto/openssl: update on RSA routine with 3.0 EVP API
crypto/openssl: update on DH routine with 3.0 EVP API
crypto/openssl: update on DSA routine with 3.0 EVP API
app/test/test_cryptodev_asym.c | 90 ++-
doc/guides/rel_notes/release_22_07.rst | 4 +
drivers/crypto/openssl/compat.h | 12 +
drivers/crypto/openssl/openssl_pmd_private.h | 18 +
drivers/crypto/openssl/rte_openssl_pmd.c | 698 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 231 +++++-
6 files changed, 1017 insertions(+), 36 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
@ 2022-06-21 13:55 ` Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
` (3 subsequent siblings)
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 13:55 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
2 files changed, 181 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..6bcfb584a4 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,7 +134,11 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+# else
HMAC_CTX *ctx;
+# endif
/**< pointer to EVP context structure */
} hmac;
};
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a..06ede435dd 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_legacy_provider_load(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_legacy_provider_unload(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+digest_name_get(enum rte_crypto_auth_algorithm algo)
+{
+ switch (algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = digest_name_get(xform->auth.algo);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ rte_memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
- EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
}
taglen = sess->auth.digest_length;
- ctx_copy = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
}
- EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
uint8_t *dst;
int srclen, status;
EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+# else
ctx_h = HMAC_CTX_new();
HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
rte_cryptodev_pmd_probing_finish(dev);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_legacy_provider_load();
+# endif
return 0;
init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_legacy_provider_unload();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 2/4] crypto/openssl: update on RSA routine with 3.0 EVP API
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
@ 2022-06-21 13:55 ` Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
` (2 subsequent siblings)
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 13:55 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 6bcfb584a4..9d4ac721a7 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 06ede435dd..caa5d54c0a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 7d0da52a33..e94e72c12b 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -12,7 +12,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 3/4] crypto/openssl: update on DH routine with 3.0 EVP API
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
@ 2022-06-21 13:55 ` Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 13:55 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++-
3 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 9d4ac721a7..b952188c9d 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+ OSSL_PARAM_BLD *param_bld_peer;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index caa5d54c0a..375dc9cfdc 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
}
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
@@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index e94e72c12b..6f5267a63a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+
+ OSSL_PARAM_BLD *param_bld_peer = NULL;
+ param_bld_peer = OSSL_PARAM_BLD_new();
+ if (!param_bld_peer) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ goto err_dh;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+ asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
+#endif
asym_session->u.dh.dh_key = dh;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
break;
@@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
}
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.dh.param_bld = NULL;
+ sess->u.dh.param_bld_peer = NULL;
+#else
if (sess->u.dh.dh_key)
DH_free(sess->u.dh.dh_key);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (sess->u.s.dsa)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 4/4] crypto/openssl: update on DSA routine with 3.0 EVP API
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
` (2 preceding siblings ...)
2022-06-21 13:55 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
@ 2022-06-21 13:55 ` Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 13:55 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign
test to two individual dsa sign and dsa verfiy tests.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
app/test/test_cryptodev_asym.c | 90 ++++++++--
doc/guides/rel_notes/release_22_07.rst | 4 +
drivers/crypto/openssl/compat.h | 12 ++
drivers/crypto/openssl/openssl_pmd_private.h | 3 +
drivers/crypto/openssl/rte_openssl_pmd.c | 177 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 72 +++++++-
6 files changed, 334 insertions(+), 24 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 7bd7cde16e..c9c48d1e87 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1642,7 +1642,7 @@ test_dh_keygenration(void)
}
static int
-test_dsa_sign(void)
+test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op)
{
struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
struct rte_mempool *op_mpool = ts_params->op_mpool;
@@ -1652,9 +1652,6 @@ test_dsa_sign(void)
struct rte_crypto_op *op = NULL, *result_op = NULL;
void *sess = NULL;
int status = TEST_SUCCESS;
- uint8_t r[TEST_DH_MOD_LEN];
- uint8_t s[TEST_DH_MOD_LEN];
- uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
int ret;
ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
@@ -1676,6 +1673,7 @@ test_dsa_sign(void)
goto error_exit;
}
asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
dsa_xform.dsa.p.length);
@@ -1689,13 +1687,6 @@ test_dsa_sign(void)
/* attach asymmetric crypto session to crypto operations */
rte_crypto_op_attach_asym_session(op, sess);
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
- asym_op->dsa.message.data = dgst;
- asym_op->dsa.message.length = sizeof(dgst);
- asym_op->dsa.r.length = sizeof(r);
- asym_op->dsa.r.data = r;
- asym_op->dsa.s.length = sizeof(s);
- asym_op->dsa.s.data = s;
-
RTE_LOG(DEBUG, USER1, "Process ASYM operation");
/* Process crypto operation */
@@ -1719,12 +1710,71 @@ test_dsa_sign(void)
}
asym_op = result_op->asym;
+ dsa_op->r.length = asym_op->dsa.r.length;
+ dsa_op->s.length = asym_op->dsa.s.length;
debug_hexdump(stdout, "r:",
asym_op->dsa.r.data, asym_op->dsa.r.length);
debug_hexdump(stdout, "s:",
asym_op->dsa.s.data, asym_op->dsa.s.length);
+error_exit:
+ if (sess != NULL)
+ rte_cryptodev_asym_session_free(dev_id, sess);
+ if (op != NULL)
+ rte_crypto_op_free(op);
+ return status;
+}
+
+static int
+test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op)
+{
+ struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
+ struct rte_mempool *op_mpool = ts_params->op_mpool;
+ struct rte_mempool *sess_mpool = ts_params->session_mpool;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ struct rte_crypto_asym_op *asym_op = NULL;
+ struct rte_crypto_op *op = NULL, *result_op = NULL;
+ void *sess = NULL;
+ int status = TEST_SUCCESS;
+ int ret;
+ ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s", __LINE__,
+ "Session creation failed");
+ status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+ goto error_exit;
+ }
+ /* set up crypto op data structure */
+ op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
+ if (!op) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s",
+ __LINE__, "Failed to allocate asymmetric crypto "
+ "operation struct");
+ status = TEST_FAILED;
+ goto error_exit;
+ }
+ asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
+
+ debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
+ dsa_xform.dsa.p.length);
+ debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data,
+ dsa_xform.dsa.q.length);
+ debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data,
+ dsa_xform.dsa.g.length);
+
+ /* attach asymmetric crypto session to crypto operations */
+ rte_crypto_op_attach_asym_session(op, sess);
+
+ debug_hexdump(stdout, "r:",
+ asym_op->dsa.r.data, asym_op->dsa.r.length);
+ debug_hexdump(stdout, "s:",
+ asym_op->dsa.s.data, asym_op->dsa.s.length);
+
+ RTE_LOG(DEBUG, USER1, "Process ASYM verify operation");
/* Test PMD DSA sign verification using signer public key */
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
@@ -1770,8 +1820,22 @@ static int
test_dsa(void)
{
int status;
- status = test_dsa_sign();
- TEST_ASSERT_EQUAL(status, 0, "Test failed");
+ uint8_t r[TEST_DH_MOD_LEN];
+ uint8_t s[TEST_DH_MOD_LEN];
+ struct rte_crypto_dsa_op_param dsa_op;
+ uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
+
+ dsa_op.message.data = dgst;
+ dsa_op.message.length = sizeof(dgst);
+ dsa_op.r.data = r;
+ dsa_op.s.data = s;
+ dsa_op.r.length = sizeof(r);
+ dsa_op.s.length = sizeof(s);
+
+ status = test_dsa_sign(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed");
+ status = test_dsa_verify(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed");
return status;
}
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 6fc044edaa..180cbd84c4 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -215,6 +215,10 @@ New Features
Merged l3fwd-acl code into l3fwd as l3fwd-acl contains duplicate
and common functions to l3fwd.
+* **Update Openssl PMD with 3.0 EVP API
+
+ Update Openssl PMD deprecated APIs to EVP APIs where supported in Openssl
+ 3.0 lib.
Removed Items
-------------
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..9f9167c4f1 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
#else
static __rte_always_inline int
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b952188c9d..5963a67a08 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -184,6 +184,9 @@ struct openssl_asym_session {
} dh;
struct {
DSA *dsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} s;
} u;
} __rte_cache_aligned;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 375dc9cfdc..84bca86894 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2,8 +2,6 @@
* Copyright(c) 2016-2017 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
#include <rte_common.h>
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
@@ -1764,6 +1762,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1845,6 +2008,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process dh operation */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -2501,6 +2665,14 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
@@ -2509,6 +2681,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
process_openssl_dsa_verify_op(op, sess);
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+#endif
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 6f5267a63a..8d1f8e834a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -812,13 +812,13 @@ static int openssl_set_asym_session_parameters(
struct openssl_asym_session *asym_session,
struct rte_crypto_asym_xform *xform)
{
- int ret = 0;
+ int ret = -1;
if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) &&
(xform->next != NULL)) {
OPENSSL_LOG(ERR, "chained xfrms are not supported on %s",
rte_crypto_asym_xform_strings[xform->xform_type]);
- return -1;
+ return ret;
}
switch (xform->xform_type) {
@@ -1003,7 +1003,7 @@ static int openssl_set_asym_session_parameters(
if (ret) {
OPENSSL_LOG(ERR, "Failed to load rsa keys\n");
RSA_free(rsa);
- return -1;
+ return ret;
}
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
@@ -1029,7 +1029,7 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
@@ -1037,7 +1037,7 @@ static int openssl_set_asym_session_parameters(
if (mod == NULL || exp == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1060,14 +1060,14 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
if (mod == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1158,6 +1158,56 @@ static int openssl_set_asym_session_parameters(
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *p = NULL, *g = NULL;
+ BIGNUM *q = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = BN_new();
+ BN_zero(pub_key);
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ p = BN_bin2bn((const unsigned char *)
+ xform->dsa.p.data,
+ xform->dsa.p.length,
+ p);
+
+ g = BN_bin2bn((const unsigned char *)
+ xform->dsa.g.data,
+ xform->dsa.g.length,
+ g);
+
+ q = BN_bin2bn((const unsigned char *)
+ xform->dsa.q.data,
+ xform->dsa.q.length,
+ q);
+ if (!p || !q || !g)
+ goto err_dsa;
+
+ priv_key = BN_bin2bn((const unsigned char *)
+ xform->dsa.x.data,
+ xform->dsa.x.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err_dsa;
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+ asym_session->u.s.param_bld = param_bld;
+
+ break;
+#else
BIGNUM *p = NULL, *g = NULL;
BIGNUM *q = NULL, *priv_key = NULL;
BIGNUM *pub_key = BN_new();
@@ -1217,7 +1267,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.s.dsa = dsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
break;
-
+#endif
err_dsa:
BN_free(p);
BN_free(q);
@@ -1227,7 +1277,7 @@ static int openssl_set_asym_session_parameters(
return -1;
}
default:
- return -1;
+ return ret;
}
return 0;
@@ -1310,8 +1360,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.s.param_bld = NULL;
+#else
if (sess->u.s.dsa)
DSA_free(sess->u.s.dsa);
+#endif
break;
default:
break;
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
` (3 preceding siblings ...)
2022-06-21 13:55 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
@ 2022-06-21 15:42 ` Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
` (4 more replies)
4 siblings, 5 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 15:42 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch set update openssl pmd deprecated APIs to EVP
APIs where supported in openssl 3.0 lib
---
v5:
- review comments fix and release notes update
v4:
- compilation issue fix
v3:
- rebase to 22.07 rc1
v2:
- addin DSA routine
---
Kai Ji (4):
crypto/openssl: update on HMAC routine with 3.0 EVP API
crypto/openssl: update on RSA routine with 3.0 EVP API
crypto/openssl: update on DH routine with 3.0 EVP API
crypto/openssl: update on DSA routine with 3.0 EVP API
app/test/test_cryptodev_asym.c | 90 ++-
doc/guides/rel_notes/release_22_07.rst | 4 +
drivers/crypto/openssl/compat.h | 12 +
drivers/crypto/openssl/openssl_pmd_private.h | 18 +
drivers/crypto/openssl/rte_openssl_pmd.c | 698 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 231 +++++-
6 files changed, 1017 insertions(+), 36 deletions(-)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
@ 2022-06-21 15:42 ` Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
` (3 subsequent siblings)
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 15:42 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
2 files changed, 181 insertions(+), 10 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b3754..6bcfb584a4 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,7 +134,11 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX * ctx;
+# else
HMAC_CTX *ctx;
+# endif
/**< pointer to EVP context structure */
} hmac;
};
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a..06ede435dd 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_legacy_provider_load(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_legacy_provider_unload(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+digest_name_get(enum rte_crypto_auth_algorithm algo)
+{
+ switch (algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = digest_name_get(xform->auth.algo);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ rte_memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
@@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
- EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
}
taglen = sess->auth.digest_length;
- ctx_copy = EVP_CIPHER_CTX_new();
- EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, ctx_copy);
+ dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, ctx_copy);
+ dst, tag, taglen, sess->cipher.ctx);
}
- EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
uint8_t *dst;
int srclen, status;
EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+# else
ctx_h = HMAC_CTX_new();
HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
ctx_h);
HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
rte_cryptodev_pmd_probing_finish(dev);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_legacy_provider_load();
+# endif
return 0;
init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_legacy_provider_unload();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 2/4] crypto/openssl: update on RSA routine with 3.0 EVP API
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
@ 2022-06-21 15:42 ` Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
` (2 subsequent siblings)
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 15:42 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 6bcfb584a4..9d4ac721a7 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 06ede435dd..caa5d54c0a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 7d0da52a33..e94e72c12b 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -12,7 +12,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 3/4] crypto/openssl: update on DH routine with 3.0 EVP API
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
@ 2022-06-21 15:42 ` Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15 ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 15:42 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++-
3 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 9d4ac721a7..b952188c9d 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+ OSSL_PARAM_BLD *param_bld_peer;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index caa5d54c0a..375dc9cfdc 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
}
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
@@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index e94e72c12b..6f5267a63a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+
+ OSSL_PARAM_BLD *param_bld_peer = NULL;
+ param_bld_peer = OSSL_PARAM_BLD_new();
+ if (!param_bld_peer) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ goto err_dh;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+ asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
+#endif
asym_session->u.dh.dh_key = dh;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
break;
@@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
}
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.dh.param_bld = NULL;
+ sess->u.dh.param_bld_peer = NULL;
+#else
if (sess->u.dh.dh_key)
DH_free(sess->u.dh.dh_key);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (sess->u.s.dsa)
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* [dpdk-dev v5 4/4] crypto/openssl: update on DSA routine with 3.0 EVP API
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (2 preceding siblings ...)
2022-06-21 15:42 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
@ 2022-06-21 15:42 ` Kai Ji
2022-06-21 17:15 ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
4 siblings, 0 replies; 39+ messages in thread
From: Kai Ji @ 2022-06-21 15:42 UTC (permalink / raw)
To: dev; +Cc: gakhil, Kai Ji
This patch updates asymmetric DSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign
test to two individual dsa sign and dsa verfiy tests.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
app/test/test_cryptodev_asym.c | 90 ++++++++--
doc/guides/rel_notes/release_22_07.rst | 4 +
drivers/crypto/openssl/compat.h | 12 ++
drivers/crypto/openssl/openssl_pmd_private.h | 3 +
drivers/crypto/openssl/rte_openssl_pmd.c | 177 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 72 +++++++-
6 files changed, 334 insertions(+), 24 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 7bd7cde16e..c9c48d1e87 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1642,7 +1642,7 @@ test_dh_keygenration(void)
}
static int
-test_dsa_sign(void)
+test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op)
{
struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
struct rte_mempool *op_mpool = ts_params->op_mpool;
@@ -1652,9 +1652,6 @@ test_dsa_sign(void)
struct rte_crypto_op *op = NULL, *result_op = NULL;
void *sess = NULL;
int status = TEST_SUCCESS;
- uint8_t r[TEST_DH_MOD_LEN];
- uint8_t s[TEST_DH_MOD_LEN];
- uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
int ret;
ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
@@ -1676,6 +1673,7 @@ test_dsa_sign(void)
goto error_exit;
}
asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
dsa_xform.dsa.p.length);
@@ -1689,13 +1687,6 @@ test_dsa_sign(void)
/* attach asymmetric crypto session to crypto operations */
rte_crypto_op_attach_asym_session(op, sess);
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
- asym_op->dsa.message.data = dgst;
- asym_op->dsa.message.length = sizeof(dgst);
- asym_op->dsa.r.length = sizeof(r);
- asym_op->dsa.r.data = r;
- asym_op->dsa.s.length = sizeof(s);
- asym_op->dsa.s.data = s;
-
RTE_LOG(DEBUG, USER1, "Process ASYM operation");
/* Process crypto operation */
@@ -1719,12 +1710,71 @@ test_dsa_sign(void)
}
asym_op = result_op->asym;
+ dsa_op->r.length = asym_op->dsa.r.length;
+ dsa_op->s.length = asym_op->dsa.s.length;
debug_hexdump(stdout, "r:",
asym_op->dsa.r.data, asym_op->dsa.r.length);
debug_hexdump(stdout, "s:",
asym_op->dsa.s.data, asym_op->dsa.s.length);
+error_exit:
+ if (sess != NULL)
+ rte_cryptodev_asym_session_free(dev_id, sess);
+ if (op != NULL)
+ rte_crypto_op_free(op);
+ return status;
+}
+
+static int
+test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op)
+{
+ struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
+ struct rte_mempool *op_mpool = ts_params->op_mpool;
+ struct rte_mempool *sess_mpool = ts_params->session_mpool;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ struct rte_crypto_asym_op *asym_op = NULL;
+ struct rte_crypto_op *op = NULL, *result_op = NULL;
+ void *sess = NULL;
+ int status = TEST_SUCCESS;
+ int ret;
+ ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s", __LINE__,
+ "Session creation failed");
+ status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+ goto error_exit;
+ }
+ /* set up crypto op data structure */
+ op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
+ if (!op) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s",
+ __LINE__, "Failed to allocate asymmetric crypto "
+ "operation struct");
+ status = TEST_FAILED;
+ goto error_exit;
+ }
+ asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
+
+ debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
+ dsa_xform.dsa.p.length);
+ debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data,
+ dsa_xform.dsa.q.length);
+ debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data,
+ dsa_xform.dsa.g.length);
+
+ /* attach asymmetric crypto session to crypto operations */
+ rte_crypto_op_attach_asym_session(op, sess);
+
+ debug_hexdump(stdout, "r:",
+ asym_op->dsa.r.data, asym_op->dsa.r.length);
+ debug_hexdump(stdout, "s:",
+ asym_op->dsa.s.data, asym_op->dsa.s.length);
+
+ RTE_LOG(DEBUG, USER1, "Process ASYM verify operation");
/* Test PMD DSA sign verification using signer public key */
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
@@ -1770,8 +1820,22 @@ static int
test_dsa(void)
{
int status;
- status = test_dsa_sign();
- TEST_ASSERT_EQUAL(status, 0, "Test failed");
+ uint8_t r[TEST_DH_MOD_LEN];
+ uint8_t s[TEST_DH_MOD_LEN];
+ struct rte_crypto_dsa_op_param dsa_op;
+ uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
+
+ dsa_op.message.data = dgst;
+ dsa_op.message.length = sizeof(dgst);
+ dsa_op.r.data = r;
+ dsa_op.s.data = s;
+ dsa_op.r.length = sizeof(r);
+ dsa_op.s.length = sizeof(s);
+
+ status = test_dsa_sign(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed");
+ status = test_dsa_verify(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed");
return status;
}
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 6fc044edaa..92eb88d929 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -215,6 +215,10 @@ New Features
Merged l3fwd-acl code into l3fwd as l3fwd-acl contains duplicate
and common functions to l3fwd.
+* **Update Openssl PMD with 3.0 EVP API.**
+
+ Update Openssl PMD deprecated APIs to EVP APIs where supported in Openssl
+ 3.0 lib.
Removed Items
-------------
diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..9f9167c4f1 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
#else
static __rte_always_inline int
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b952188c9d..5963a67a08 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -184,6 +184,9 @@ struct openssl_asym_session {
} dh;
struct {
DSA *dsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} s;
} u;
} __rte_cache_aligned;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 375dc9cfdc..84bca86894 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2,8 +2,6 @@
* Copyright(c) 2016-2017 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
#include <rte_common.h>
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
@@ -1764,6 +1762,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1845,6 +2008,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process dh operation */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -2501,6 +2665,14 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
@@ -2509,6 +2681,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
process_openssl_dsa_verify_op(op, sess);
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+#endif
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 6f5267a63a..8d1f8e834a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -812,13 +812,13 @@ static int openssl_set_asym_session_parameters(
struct openssl_asym_session *asym_session,
struct rte_crypto_asym_xform *xform)
{
- int ret = 0;
+ int ret = -1;
if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) &&
(xform->next != NULL)) {
OPENSSL_LOG(ERR, "chained xfrms are not supported on %s",
rte_crypto_asym_xform_strings[xform->xform_type]);
- return -1;
+ return ret;
}
switch (xform->xform_type) {
@@ -1003,7 +1003,7 @@ static int openssl_set_asym_session_parameters(
if (ret) {
OPENSSL_LOG(ERR, "Failed to load rsa keys\n");
RSA_free(rsa);
- return -1;
+ return ret;
}
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
@@ -1029,7 +1029,7 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
@@ -1037,7 +1037,7 @@ static int openssl_set_asym_session_parameters(
if (mod == NULL || exp == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1060,14 +1060,14 @@ static int openssl_set_asym_session_parameters(
if (ctx == NULL) {
OPENSSL_LOG(ERR,
" failed to allocate resources\n");
- return -1;
+ return ret;
}
BN_CTX_start(ctx);
BIGNUM *mod = BN_CTX_get(ctx);
if (mod == NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- return -1;
+ return ret;
}
mod = BN_bin2bn((const unsigned char *)
@@ -1158,6 +1158,56 @@ static int openssl_set_asym_session_parameters(
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *p = NULL, *g = NULL;
+ BIGNUM *q = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = BN_new();
+ BN_zero(pub_key);
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ p = BN_bin2bn((const unsigned char *)
+ xform->dsa.p.data,
+ xform->dsa.p.length,
+ p);
+
+ g = BN_bin2bn((const unsigned char *)
+ xform->dsa.g.data,
+ xform->dsa.g.length,
+ g);
+
+ q = BN_bin2bn((const unsigned char *)
+ xform->dsa.q.data,
+ xform->dsa.q.length,
+ q);
+ if (!p || !q || !g)
+ goto err_dsa;
+
+ priv_key = BN_bin2bn((const unsigned char *)
+ xform->dsa.x.data,
+ xform->dsa.x.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err_dsa;
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+ asym_session->u.s.param_bld = param_bld;
+
+ break;
+#else
BIGNUM *p = NULL, *g = NULL;
BIGNUM *q = NULL, *priv_key = NULL;
BIGNUM *pub_key = BN_new();
@@ -1217,7 +1267,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.s.dsa = dsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
break;
-
+#endif
err_dsa:
BN_free(p);
BN_free(q);
@@ -1227,7 +1277,7 @@ static int openssl_set_asym_session_parameters(
return -1;
}
default:
- return -1;
+ return ret;
}
return 0;
@@ -1310,8 +1360,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.s.param_bld = NULL;
+#else
if (sess->u.s.dsa)
DSA_free(sess->u.s.dsa);
+#endif
break;
default:
break;
--
2.17.1
^ permalink raw reply [flat|nested] 39+ messages in thread
* RE: [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
` (3 preceding siblings ...)
2022-06-21 15:42 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
@ 2022-06-21 17:15 ` Akhil Goyal
4 siblings, 0 replies; 39+ messages in thread
From: Akhil Goyal @ 2022-06-21 17:15 UTC (permalink / raw)
To: Kai Ji, dev, roy.fan.zhang
> This patch set update openssl pmd deprecated APIs to EVP
> APIs where supported in openssl 3.0 lib
>
> ---
> v5:
> - review comments fix and release notes update
Acked-by: Akhil Goyal <gakhil@marvell.com>
Added Fan's Ack from previous version, updated release notes.
Applied to dpdk-next-crypto
Thanks.
^ permalink raw reply [flat|nested] 39+ messages in thread
end of thread, other threads:[~2022-06-21 17:15 UTC | newest]
Thread overview: 39+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 19:21 ` [EXT] " Akhil Goyal
2022-05-16 20:20 ` Stephen Hemminger
2022-05-17 6:52 ` Akhil Goyal
2022-05-16 10:10 ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:22 ` [EXT] " Akhil Goyal
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:30 ` [EXT] " Akhil Goyal
2022-06-21 13:35 ` Ji, Kai
2022-06-14 13:25 ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-14 13:25 ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-21 10:16 ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15 ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).