From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1D9A0A0545; Tue, 21 Jun 2022 17:42:39 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 94A7442B6F; Tue, 21 Jun 2022 17:42:29 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id A5E794281E for ; Tue, 21 Jun 2022 17:42:24 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655826144; x=1687362144; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=/+gbnO3cWAgFp0tnhjAs+JCD8HSIgEE4Nj1Wcte+wDw=; b=PAs18Wi0RLcdvQAWl/FdR11tS5dWUoQ6F9w5iuyTmYeuVDWM6kk/HwGy Vys/CoI4jQme1Pi4aj/l92v6sVlY4bwQ+zq22G6pRGTXblk99XOCPQ57c V8IXHozczoE5X7W5vf+QaIUlMnOtEvjpIdq1YxVCTn2tj/oy+6yIjDNX/ GWBn1HGlVObLPKNSMHI6aAGLlzShJu+Oh7hmaOg40ZUupoHtwPn93R9CX RRaX6Lsif9ILJpz0y5evRvMJhqxTEOaLoIzeTJWHvB5bQ1fKVHh6r7MGT ea9l5KijeR8X22bij1PkeeXyyNPUjlFTponO9tXqoiEPFujI/j3o+l9ds w==; X-IronPort-AV: E=McAfee;i="6400,9594,10385"; a="305594216" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="305594216" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 08:42:24 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="729889041" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga001.fm.intel.com with ESMTP; 21 Jun 2022 08:42:23 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 3/4] crypto/openssl: update on DH routine with 3.0 EVP API Date: Tue, 21 Jun 2022 23:42:13 +0800 Message-Id: <20220621154214.78176-4-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com> References: <20220621135536.62679-1-kai.ji@intel.com> <20220621154214.78176-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DH routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++- 3 files changed, 235 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 9d4ac721a7..b952188c9d 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -177,6 +177,10 @@ struct openssl_asym_session { struct dh { DH *dh_key; uint32_t key_op; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; + OSSL_PARAM_BLD *param_bld_peer; +#endif } dh; struct { DSA *dsa; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index caa5d54c0a..375dc9cfdc 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) #include #include +#include #define MAX_OSSL_ALGO_NAME_SIZE 16 @@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, } /* process dh operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dh_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dh_op_param *op = &cop->asym->dh; + OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld; + OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer; + OSSL_PARAM *params = NULL; + EVP_PKEY *dhpkey = NULL; + EVP_PKEY *peerkey = NULL; + BIGNUM *priv_key = NULL; + BIGNUM *pub_key = NULL; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (dh_ctx == NULL || param_bld == NULL) + return ret; + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) { + OSSL_PARAM *params_peer = NULL; + + if (!param_bld_peer) + return ret; + + pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length, + pub_key); + if (pub_key == NULL) { + OSSL_PARAM_BLD_free(param_bld_peer); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY, + pub_key)) { + OPENSSL_LOG(ERR, "Failed to set public key\n"); + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer); + if (!params_peer) { + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (EVP_PKEY_keygen_init(peer_ctx) != 1) { + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length, + priv_key); + if (priv_key == NULL) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv_key)) { + OPENSSL_LOG(ERR, "Failed to set private key\n"); + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + BN_free(priv_key); + return ret; + } + + OSSL_PARAM_free(params_peer); + EVP_PKEY_CTX_free(peer_ctx); + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) + goto err_dh; + + if (EVP_PKEY_keygen_init(dh_ctx) != 1) + goto err_dh; + + if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1) + goto err_dh; + + if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1) + goto err_dh; + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) { + OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key)) + goto err_dh; + /* output public key */ + op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data); + } + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) { + + OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key)) + goto err_dh; + + /* provide generated private key back to user */ + op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data); + } + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) { + size_t skey_len; + EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL); + if (!sc_ctx) + goto err_dh; + + if (EVP_PKEY_derive_init(sc_ctx) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (!peerkey) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + /* Determine buffer length */ + if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + op->shared_secret.length = skey_len; + EVP_PKEY_CTX_free(sc_ctx); + } + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + + err_dh: + if (pub_key) + BN_free(pub_key); + if (priv_key) + BN_free(priv_key); + if (params) + OSSL_PARAM_free(params); + if (dhpkey) + EVP_PKEY_free(dhpkey); + if (peerkey) + EVP_PKEY_free(peerkey); + + EVP_PKEY_CTX_free(dh_ctx); + + return ret; +} +#else static int process_openssl_dh_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop, return 0; } +#endif /* process modinv operation */ static int @@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, retval = process_openssl_modinv_op(op, sess); break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_dh_op_evp(op, sess); +# else retval = process_openssl_dh_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index e94e72c12b..6f5267a63a 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters( if (!p || !g) goto err_dh; - DH *dh = DH_new(); + DH *dh = NULL; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD *param_bld = NULL; + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + + OSSL_PARAM_BLD *param_bld_peer = NULL; + param_bld_peer = OSSL_PARAM_BLD_new(); + if (!param_bld_peer) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_BLD_free(param_bld_peer); + goto err_dh; + } + + asym_session->u.dh.param_bld = param_bld; + asym_session->u.dh.param_bld_peer = param_bld_peer; +#else + dh = DH_new(); if (dh == NULL) { OPENSSL_LOG(ERR, "failed to allocate resources\n"); @@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters( DH_free(dh); goto err_dh; } +#endif asym_session->u.dh.dh_key = dh; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH; break; @@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) } break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.dh.param_bld = NULL; + sess->u.dh.param_bld_peer = NULL; +#else if (sess->u.dh.dh_key) DH_free(sess->u.dh.dh_key); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (sess->u.s.dsa) -- 2.17.1