From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3790CA0545; Tue, 21 Jun 2022 17:42:33 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8ECFD42905; Tue, 21 Jun 2022 17:42:26 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id 7D4134281E for ; Tue, 21 Jun 2022 17:42:23 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655826143; x=1687362143; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=Ti87TBx+eEb88UXrkV1rChXyfZqJbZR+z2I2OTEcu2Q=; b=UHBYj6O7v1PeSWaeneGB3NtW3B6ZFSm/tvdOU7BzlHxszRUd82S0dexB UJR/sFM0qqoQB9lz+uVfbiOwoZ/PjhsA4RmxD30a9idZQaEHDg3Tq+uoM b4cIRT1Oa1klzwdQr5VTETKvTBAzVII+s44BI29L7mcIDizkT0GmL+9s0 /XCOWKxwWshnzizrK+ASSA6ERoRVMiQd9uwILlR4rIFp+ez12L1+TkjRC t6EW2u7yFjrBOvFzGeIwbfd35zoEVzRTmoz/UaV3GPDXIj8M4BemlDBO5 YzGZUdT/p82wpy50S/WSuTvMB8VEIPHcNj/YCo40iP0mvwwYWWe8dTCa6 g==; X-IronPort-AV: E=McAfee;i="6400,9594,10385"; a="305594208" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="305594208" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 08:42:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="729889030" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga001.fm.intel.com with ESMTP; 21 Jun 2022 08:42:21 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 2/4] crypto/openssl: update on RSA routine with 3.0 EVP API Date: Tue, 21 Jun 2022 23:42:12 +0800 Message-Id: <20220621154214.78176-3-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com> References: <20220621135536.62679-1-kai.ji@intel.com> <20220621154214.78176-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric RSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 7 + drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++- 3 files changed, 267 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 6bcfb584a4..9d4ac721a7 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -11,6 +11,10 @@ #include #include #include +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#endif #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +161,9 @@ struct openssl_asym_session { union { struct rsa { RSA *rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + EVP_PKEY_CTX * ctx; +#endif } r; struct exp { BIGNUM *exp; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 06ede435dd..caa5d54c0a 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop, } /* process rsa operations */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_rsa_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + uint32_t pad = (op->rsa.padding.type); + uint8_t *tmp; + size_t outlen = 0; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx; + if (!rsa_ctx) + return ret; + + switch (pad) { + case RTE_CRYPTO_RSA_PADDING_PKCS1_5: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_NONE: + pad = RSA_NO_PADDING; + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + OPENSSL_LOG(ERR, + "rsa pad type not supported %d\n", pad); + return ret; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.cipher.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of encrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + op->rsa.message.length = outlen; + + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_SIGN: + if (EVP_PKEY_sign_init(rsa_ctx) <= 0) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.sign.length = outlen; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + op->rsa.sign.data, + op->rsa.sign.length) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + OPENSSL_LOG(DEBUG, + "Length of public_decrypt %zu " + "length of message %zd\n", + outlen, op->rsa.message.length); + if (CRYPTO_memcmp(tmp, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + } + rte_free(tmp); + break; + + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + goto err_rsa; + } + + ret = 0; + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; +err_rsa: + return ret; + +} +#else static int process_openssl_rsa_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, return 0; } +#endif static int process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_rsa_op_evp(op, sess); +# else retval = process_openssl_rsa_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: retval = process_openssl_modexp_op(op, sess); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 7d0da52a33..e94e72c12b 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -12,7 +12,11 @@ #include "openssl_pmd_private.h" #include "compat.h" - +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#include +#endif static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { { /* MD5 HMAC */ @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters( if (!n || !e) goto err_rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_E, e)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) { + d = BN_bin2bn( + (const unsigned char *)xform->rsa.d.data, + xform->rsa.d.length, + d); + if (!d) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } else { + p = BN_bin2bn((const unsigned char *) + xform->rsa.qt.p.data, + xform->rsa.qt.p.length, + p); + q = BN_bin2bn((const unsigned char *) + xform->rsa.qt.q.data, + xform->rsa.qt.q.length, + q); + dmp1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dP.data, + xform->rsa.qt.dP.length, + dmp1); + dmq1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dQ.data, + xform->rsa.qt.dQ.length, + dmq1); + iqmp = BN_bin2bn((const unsigned char *) + xform->rsa.qt.qInv.data, + xform->rsa.qt.qInv.length, + iqmp); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR1, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR2, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_D, d)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *rsa_ctx = NULL; + OSSL_PARAM *params = NULL; + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_KEYPAIR, params) <= 0) { + OSSL_PARAM_free(params); + goto err_rsa; + } + + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + asym_session->u.r.ctx = rsa_ctx; + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_free(params); + break; +#else RSA *rsa = RSA_new(); if (rsa == NULL) goto err_rsa; @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; break; +#endif err_rsa: BN_clear_free(n); BN_clear_free(e); @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) { switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (sess->u.r.ctx) + EVP_PKEY_CTX_free(sess->u.r.ctx); +#else if (sess->u.r.rsa) RSA_free(sess->u.r.rsa); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: if (sess->u.e.ctx) { -- 2.17.1