* [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes
@ 2022-05-25 15:53 Arek Kusztal
2022-05-25 15:53 ` [PATCH v2 01/14] cryptodev: redefine ec group enum Arek Kusztal
` (13 more replies)
0 siblings, 14 replies; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
This patchset introduces some of changes discussed on mailing list for 22.07 release in cryptodev asym.
Key changes:
- It fixes API for RSA (expescially signature paddings)
- Adds Elliptic-Curve Diffie-Hellman
- Adds Eliiptic-Curve point verification
- Adds RSA missing padding fields
- Adds asym op flags
- Fixes many API comments (like EC curves)
- Clarifies usage of NONE padding for singatures
v2:
- squashed commits
- added capabilities
- implemented sugestions from the mailing list
Arek Kusztal (14):
cryptodev: redefine ec group enum
cryptodev: reduce number of comments in asym xform
cryptodev: separate key exchange operation enum
cryptodev: remove comment about using ephemeral key in dsa
cryptodev: clarify usage of private key in dh
cryptodev: move dh type from xform to dh op
cryptodev: add elliptic curve diffie hellman
cryptodev: add public key verify option
cryptodev: add asym op flags
cryptodev: clarify usage of rsa padding hash
cryptodev: move RSA padding into separate struct
cryptodev: clarify rsa verify with none padding
cryptodev: add salt length and optional label
cryptodev: add asym algorithms capabilities
app/test-crypto-perf/main.c | 12 +-
app/test-eventdev/test_perf_common.c | 2 +-
app/test/test_cryptodev_asym.c | 234 ++++++++++++-----
app/test/test_event_crypto_adapter.c | 16 +-
drivers/common/cpt/cpt_ucode_asym.h | 4 +-
drivers/crypto/cnxk/cnxk_ae.h | 8 +-
drivers/crypto/octeontx/otx_cryptodev_ops.c | 4 +-
drivers/crypto/openssl/rte_openssl_pmd.c | 17 +-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 155 ++++-------
drivers/crypto/qat/dev/qat_asym_pmd_gen1.c | 68 ++++-
drivers/crypto/qat/qat_asym.c | 12 +-
lib/cryptodev/rte_crypto_asym.h | 375 ++++++++++++++++++---------
lib/cryptodev/rte_cryptodev.c | 96 ++++++-
lib/cryptodev/rte_cryptodev.h | 75 +++++-
lib/cryptodev/version.map | 4 +
15 files changed, 742 insertions(+), 340 deletions(-)
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 01/14] cryptodev: redefine ec group enum
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 9:40 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform Arek Kusztal
` (12 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- EC enum was renamed to rte_crypto_curve_id.
Elliptic curve enum name was incorrectly associated
with group (it comes from current tls registry name).
- Clarified comments about TLS deprecation.
Some curves included are deprecated with TLS 1.3.
Comments to address it were added.
- Clarified FFDH groups usage.
Elliptic curves IDs in TLS are placed in the same registry
as FFDH. Cryptodev does not assign specific groups, and
if specific groups would be assigned by DPDK, it cannot be
TLS SupportedGroups registry, as it would conflict with
other protocols like IPSec.
- Added IANA reference.
Only few selected curves are included in previously
referenced rfc8422. IANA reference is added instead.
- Removed UNKNOWN ec group.
There is no default value, and there is no UNKNOWN
elliptic curve.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index cd24d4b07b..7206652458 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -38,16 +38,20 @@ extern const char *
rte_crypto_asym_op_strings[];
/**
- * TLS named curves
- * https://tools.ietf.org/html/rfc8422
+ * List of elliptic curves. This enum aligns with
+ * TLS "Supported Groups" registry (previously known as
+ * NamedCurve registry). FFDH groups are not, and will not
+ * be included in this list.
+ * Deprecation for selected curve in tls does not deprecate
+ * the selected curve in Cryptodev.
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
*/
-enum rte_crypto_ec_group {
- RTE_CRYPTO_EC_GROUP_UNKNOWN = 0,
+enum rte_crypto_curve_id {
RTE_CRYPTO_EC_GROUP_SECP192R1 = 19,
RTE_CRYPTO_EC_GROUP_SECP224R1 = 21,
RTE_CRYPTO_EC_GROUP_SECP256R1 = 23,
RTE_CRYPTO_EC_GROUP_SECP384R1 = 24,
- RTE_CRYPTO_EC_GROUP_SECP521R1 = 25,
+ RTE_CRYPTO_EC_GROUP_SECP521R1 = 25
};
/**
@@ -294,7 +298,7 @@ struct rte_crypto_dsa_xform {
*
*/
struct rte_crypto_ec_xform {
- enum rte_crypto_ec_group curve_id;
+ enum rte_crypto_curve_id curve_id;
/**< Pre-defined ec groups */
};
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
2022-05-25 15:53 ` [PATCH v2 01/14] cryptodev: redefine ec group enum Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 9:52 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 03/14] cryptodev: separate key exchange operation enum Arek Kusztal
` (11 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Reduced number of comments in asymmetric xform.
Information describing basic functionality of well known
algorithms are unnecessary.
- Removed NONE asymetric xform.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
app/test/test_cryptodev_asym.c | 2 -
lib/cryptodev/rte_crypto_asym.h | 114 ++++++++++++++++------------------------
lib/cryptodev/rte_cryptodev.c | 1 -
3 files changed, 46 insertions(+), 71 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 573af2a537..5aa9d65395 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -288,7 +288,6 @@ test_cryptodev_asym_ver(struct rte_crypto_op *op,
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
case RTE_CRYPTO_ASYM_XFORM_DSA:
- case RTE_CRYPTO_ASYM_XFORM_NONE:
case RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED:
default:
break;
@@ -440,7 +439,6 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
case RTE_CRYPTO_ASYM_XFORM_DSA:
- case RTE_CRYPTO_ASYM_XFORM_NONE:
case RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED:
default:
snprintf(test_msg, ASYM_TEST_MSG_LEN,
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 7206652458..66ffb29743 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -38,6 +38,40 @@ extern const char *
rte_crypto_asym_op_strings[];
/**
+ * Buffer to hold crypto params required for asym operations.
+ *
+ * These buffers can be used for both input to PMD and output from PMD. When
+ * used for output from PMD, application has to ensure the buffer is large
+ * enough to hold the target data.
+ *
+ * If an operation requires the PMD to generate a random number,
+ * and the device supports CSRNG, 'data' should be set to NULL.
+ * The crypto parameter in question will not be used by the PMD,
+ * as it is internally generated.
+ */
+typedef struct rte_crypto_param_t {
+ uint8_t *data;
+ /**< pointer to buffer holding data */
+ rte_iova_t iova;
+ /**< IO address of data buffer */
+ size_t length;
+ /**< length of data in bytes */
+} rte_crypto_param;
+
+/** Unsigned big-integer in big-endian format */
+typedef rte_crypto_param rte_crypto_uint;
+
+/**
+ * Structure for elliptic curve point
+ */
+struct rte_crypto_ec_point {
+ rte_crypto_param x;
+ /**< X coordinate */
+ rte_crypto_param y;
+ /**< Y coordinate */
+};
+
+/**
* List of elliptic curves. This enum aligns with
* TLS "Supported Groups" registry (previously known as
* NamedCurve registry). FFDH groups are not, and will not
@@ -55,46 +89,23 @@ enum rte_crypto_curve_id {
};
/**
- * Asymmetric crypto transformation types.
- * Each xform type maps to one asymmetric algorithm
- * performing specific operation
- *
+ * Asymmetric crypto algorithms
*/
enum rte_crypto_asym_xform_type {
- RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED = 0,
+ RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED,
/**< Invalid xform. */
- RTE_CRYPTO_ASYM_XFORM_NONE,
- /**< Xform type None.
- * May be supported by PMD to support
- * passthrough op for debugging purpose.
- * if xform_type none , op_type is disregarded.
- */
RTE_CRYPTO_ASYM_XFORM_RSA,
- /**< RSA. Performs Encrypt, Decrypt, Sign and Verify.
- * Refer to rte_crypto_asym_op_type
- */
+ /**< RSA */
RTE_CRYPTO_ASYM_XFORM_DH,
- /**< Diffie-Hellman.
- * Performs Key Generate and Shared Secret Compute.
- * Refer to rte_crypto_asym_op_type
- */
+ /**< Diffie-Hellman */
RTE_CRYPTO_ASYM_XFORM_DSA,
- /**< Digital Signature Algorithm
- * Performs Signature Generation and Verification.
- * Refer to rte_crypto_asym_op_type
- */
+ /**< Digital Signature Algorithm */
RTE_CRYPTO_ASYM_XFORM_MODINV,
- /**< Modular Multiplicative Inverse
- * Perform Modular Multiplicative Inverse b^(-1) mod n
- */
+ /**< Modular Multiplicative Inverse */
RTE_CRYPTO_ASYM_XFORM_MODEX,
- /**< Modular Exponentiation
- * Perform Modular Exponentiation b^e mod n
- */
+ /**< Modular Exponentiation */
RTE_CRYPTO_ASYM_XFORM_ECDSA,
- /**< Elliptic Curve Digital Signature Algorithm
- * Perform Signature Generation and Verification.
- */
+ /**< Elliptic Curve Digital Signature Algorithm */
RTE_CRYPTO_ASYM_XFORM_ECPM,
/**< Elliptic Curve Point Multiplication */
RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
@@ -126,11 +137,12 @@ enum rte_crypto_asym_op_type {
* Padding types for RSA signature.
*/
enum rte_crypto_rsa_padding_type {
- RTE_CRYPTO_RSA_PADDING_NONE = 0,
+ RTE_CRYPTO_RSA_PADDING_NONE,
/**< RSA no padding scheme */
RTE_CRYPTO_RSA_PADDING_PKCS1_5,
- /**< RSA PKCS#1 PKCS1-v1_5 padding scheme. For signatures block type 01,
- * for encryption block type 02 are used.
+ /**< RSA PKCS#1 PKCS1-v1_5 padding scheme.
+ * For signatures block type 01, for encryption
+ * block type 02 are used.
*/
RTE_CRYPTO_RSA_PADDING_OAEP,
/**< RSA PKCS#1 OAEP padding scheme */
@@ -156,40 +168,6 @@ enum rte_crypto_rsa_priv_key_type {
};
/**
- * Buffer to hold crypto params required for asym operations.
- *
- * These buffers can be used for both input to PMD and output from PMD. When
- * used for output from PMD, application has to ensure the buffer is large
- * enough to hold the target data.
- *
- * If an operation requires the PMD to generate a random number,
- * and the device supports CSRNG, 'data' should be set to NULL.
- * The crypto parameter in question will not be used by the PMD,
- * as it is internally generated.
- */
-typedef struct rte_crypto_param_t {
- uint8_t *data;
- /**< pointer to buffer holding data */
- rte_iova_t iova;
- /**< IO address of data buffer */
- size_t length;
- /**< length of data in bytes */
-} rte_crypto_param;
-
-/** Unsigned big-integer in big-endian format */
-typedef rte_crypto_param rte_crypto_uint;
-
-/**
- * Structure for elliptic curve point
- */
-struct rte_crypto_ec_point {
- rte_crypto_param x;
- /**< X coordinate */
- rte_crypto_param y;
- /**< Y coordinate */
-};
-
-/**
* Structure describing RSA private key in quintuple format.
* See PKCS V1.5 RSA Cryptography Standard.
*/
diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
index e16e6802aa..691625bd04 100644
--- a/lib/cryptodev/rte_cryptodev.c
+++ b/lib/cryptodev/rte_cryptodev.c
@@ -160,7 +160,6 @@ rte_crypto_aead_operation_strings[] = {
* Asymmetric crypto transform operation strings identifiers.
*/
const char *rte_crypto_asym_xform_strings[] = {
- [RTE_CRYPTO_ASYM_XFORM_NONE] = "none",
[RTE_CRYPTO_ASYM_XFORM_RSA] = "rsa",
[RTE_CRYPTO_ASYM_XFORM_MODEX] = "modexp",
[RTE_CRYPTO_ASYM_XFORM_MODINV] = "modinv",
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 03/14] cryptodev: separate key exchange operation enum
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
2022-05-25 15:53 ` [PATCH v2 01/14] cryptodev: redefine ec group enum Arek Kusztal
2022-05-25 15:53 ` [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 10:57 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 04/14] cryptodev: remove comment about using ephemeral key in dsa Arek Kusztal
` (10 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Separated key exchange enum from asym op type.
Key exchange and asymmetric crypto operations like signatures,
encryption/decryption should not share same operation enum as
its use cases are unrelated and mutually exclusive.
Therefore op_type was separate into:
1) operation type
2) key exchange operation type
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
app/test/test_cryptodev_asym.c | 11 +++----
drivers/crypto/openssl/rte_openssl_pmd.c | 10 +++----
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 12 ++++----
lib/cryptodev/rte_crypto_asym.h | 45 +++++++++++++++++-----------
lib/cryptodev/rte_cryptodev.c | 14 ++++++---
5 files changed, 55 insertions(+), 37 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 5aa9d65395..1b77aa2b6a 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1062,7 +1062,7 @@ test_dh_gen_shared_sec(struct rte_crypto_asym_xform *xfrm)
asym_op = op->asym;
/* Setup a xform and op to generate private key only */
- xform.dh.type = RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE;
+ xform.dh.type = RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE;
xform.next = NULL;
asym_op->dh.priv_key.data = dh_test_params.priv_key.data;
asym_op->dh.priv_key.length = dh_test_params.priv_key.length;
@@ -1144,7 +1144,7 @@ test_dh_gen_priv_key(struct rte_crypto_asym_xform *xfrm)
asym_op = op->asym;
/* Setup a xform and op to generate private key only */
- xform.dh.type = RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE;
+ xform.dh.type = RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE;
xform.next = NULL;
asym_op->dh.priv_key.data = output;
asym_op->dh.priv_key.length = sizeof(output);
@@ -1227,7 +1227,7 @@ test_dh_gen_pub_key(struct rte_crypto_asym_xform *xfrm)
* using test private key
*
*/
- xform.dh.type = RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE;
+ xform.dh.type = RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE;
xform.next = NULL;
asym_op->dh.pub_key.data = output;
@@ -1317,9 +1317,10 @@ test_dh_gen_kp(struct rte_crypto_asym_xform *xfrm)
/* Setup a xform chain to generate
* private key first followed by
* public key
- */xform.dh.type = RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE;
+ */
+ xform.dh.type = RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE;
pub_key_xform.xform_type = RTE_CRYPTO_ASYM_XFORM_DH;
- pub_key_xform.dh.type = RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE;
+ pub_key_xform.dh.type = RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE;
xform.next = &pub_key_xform;
asym_op->dh.pub_key.data = out_pub_key;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index d80e1052e2..2a3930df0a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1697,7 +1697,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
int ret = 0;
if (sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+ (1 << RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE)) {
/* compute shared secret using peer public key
* and current private key
* shared secret = peer_key ^ priv_key mod p
@@ -1754,9 +1754,9 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
* then first set DH with user provided private key
*/
if ((sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) &&
+ (1 << RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE)) &&
!(sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) {
+ (1 << RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE))) {
/* generate public key using user-provided private key
* pub_key = g ^ priv_key mod p
*/
@@ -1790,7 +1790,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
- if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) {
+ if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE)) {
const BIGNUM *pub_key = NULL;
OPENSSL_LOG(DEBUG, "%s:%d update public key\n",
@@ -1805,7 +1805,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
}
if (sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) {
+ (1 << RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE)) {
const BIGNUM *priv_key = NULL;
OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n",
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 1cb07794bd..c975ef640a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -533,10 +533,10 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
.xform_capa = {
.xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
.op_types =
- ((1<<RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) |
- (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE |
+ ((1<<RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) |
+ (1 << RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE |
(1 <<
- RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE))),
+ RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE))),
{
.modlen = {
/* value 0 symbolizes no limit on min length */
@@ -1009,13 +1009,13 @@ static int openssl_set_asym_session_parameters(
asym_session->u.dh.key_op = (1 << xform->dh.type);
if (xform->dh.type ==
- RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) {
+ RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) {
/* check if next is pubkey */
if ((xform->next != NULL) &&
(xform->next->xform_type ==
RTE_CRYPTO_ASYM_XFORM_DH) &&
(xform->next->dh.type ==
- RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)
+ RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE)
) {
/*
* setup op as pub/priv key
@@ -1023,7 +1023,7 @@ static int openssl_set_asym_session_parameters(
*/
asym_session->u.dh.key_op |=
(1 <<
- RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE);
+ RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE);
}
}
asym_session->u.dh.dh_key = dh;
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 66ffb29743..2b427afa3f 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -33,6 +33,10 @@ struct rte_cryptodev_asym_session;
extern const char *
rte_crypto_asym_xform_strings[];
+/** asym key exchange operation type name strings */
+extern const char *
+rte_crypto_asym_ke_strings[];
+
/** asym operations type name strings */
extern const char *
rte_crypto_asym_op_strings[];
@@ -124,16 +128,22 @@ enum rte_crypto_asym_op_type {
/**< Signature Generation operation */
RTE_CRYPTO_ASYM_OP_VERIFY,
/**< Signature Verification operation */
- RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE,
- /**< DH Private Key generation operation */
- RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE,
- /**< DH Public Key generation operation */
- RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE,
- /**< DH Shared Secret compute operation */
RTE_CRYPTO_ASYM_OP_LIST_END
};
/**
+ * Asymmetric crypto key exchange operation type
+ */
+enum rte_crypto_asym_ke_type {
+ RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE,
+ /**< Private Key generation operation */
+ RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
+ /**< Public Key generation operation */
+ RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
+ /**< Shared Secret compute operation */
+};
+
+/**
* Padding types for RSA signature.
*/
enum rte_crypto_rsa_padding_type {
@@ -238,7 +248,7 @@ struct rte_crypto_modinv_xform {
*
*/
struct rte_crypto_dh_xform {
- enum rte_crypto_asym_op_type type;
+ enum rte_crypto_asym_ke_type type;
/**< Setup xform for key generate or shared secret compute */
rte_crypto_uint p;
/**< Prime modulus data */
@@ -375,26 +385,27 @@ struct rte_crypto_rsa_op_param {
struct rte_crypto_dh_op_param {
rte_crypto_uint pub_key;
/**<
- * Output generated public key when xform type is
- * DH PUB_KEY_GENERATION.
- * Input peer public key when xform type is DH
- * SHARED_SECRET_COMPUTATION
+ * Output - generated public key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
*
+ * Input - peer's public key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
*/
rte_crypto_uint priv_key;
/**<
- * Output generated private key if xform type is
- * DH PRIVATE_KEY_GENERATION
- * Input when xform type is DH SHARED_SECRET_COMPUTATION.
+ * Output - generated private key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
*
+ * Input - private key, when xform type is one of:
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
*/
rte_crypto_uint shared_secret;
/**<
- * Output with calculated shared secret
- * when dh xform set up with op type = SHARED_SECRET_COMPUTATION.
- *
+ * Output - calculated shared secret when xform type is
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
*/
};
diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
index 691625bd04..af58f49d07 100644
--- a/lib/cryptodev/rte_cryptodev.c
+++ b/lib/cryptodev/rte_cryptodev.c
@@ -176,10 +176,16 @@ const char *rte_crypto_asym_op_strings[] = {
[RTE_CRYPTO_ASYM_OP_ENCRYPT] = "encrypt",
[RTE_CRYPTO_ASYM_OP_DECRYPT] = "decrypt",
[RTE_CRYPTO_ASYM_OP_SIGN] = "sign",
- [RTE_CRYPTO_ASYM_OP_VERIFY] = "verify",
- [RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE] = "priv_key_generate",
- [RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE] = "pub_key_generate",
- [RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE] = "sharedsecret_compute",
+ [RTE_CRYPTO_ASYM_OP_VERIFY] = "verify"
+};
+
+/**
+ * Asymmetric crypto key exchange operation strings identifiers.
+ */
+const char *rte_crypto_asym_ke_strings[] = {
+ [RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE] = "priv_key_generate",
+ [RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE] = "pub_key_generate",
+ [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] = "sharedsecret_compute"
};
/**
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 04/14] cryptodev: remove comment about using ephemeral key in dsa
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (2 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 03/14] cryptodev: separate key exchange operation enum Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:02 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 05/14] cryptodev: clarify usage of private key in dh Arek Kusztal
` (9 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Removed comment that stated dsa can be used with Diffie
Hellman ephemeral key.
DH and DSA integration allowed to use ephemeral keys for
random integer but not for private keys.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 2b427afa3f..ef8686fda8 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -270,13 +270,7 @@ struct rte_crypto_dsa_xform {
rte_crypto_uint g;
/**< Generator of the subgroup */
rte_crypto_uint x;
- /**< x: Private key of the signer in octet-string network
- * byte order format.
- * Used when app has pre-defined private key.
- * Valid only when xform chain is DSA ONLY.
- * if xform chain is DH private key generate + DSA, then DSA sign
- * compute will use internally generated key.
- */
+ /**< x: Private key of the signer */
};
/**
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 05/14] cryptodev: clarify usage of private key in dh
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (3 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 04/14] cryptodev: remove comment about using ephemeral key in dsa Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:04 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 06/14] cryptodev: move dh type from xform to dh op Arek Kusztal
` (8 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Clarified usage of private key in Diffie-Hellman.
CSRNG capable device should generate private key and then
use it for public key generation.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index ef8686fda8..1a77a74478 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -394,6 +394,11 @@ struct rte_crypto_dh_op_param {
* Input - private key, when xform type is one of:
* RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
* RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
+ *
+ * In case priv_key.length is 0 and xform type is set with
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE, CSRNG capable
+ * device will generate private key and use it for public
+ * key generation.
*/
rte_crypto_uint shared_secret;
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 06/14] cryptodev: move dh type from xform to dh op
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (4 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 05/14] cryptodev: clarify usage of private key in dh Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:23 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman Arek Kusztal
` (7 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Moved dh operation type to dh operation struct.
Operation type (PUBLIC_KEY_GENERATION, SHARED_SECRET) should
be free to choose for any operation. One xform/session should
be enough to perform both DH operations, if op_type would be xform
member, session would have to be to be created twice for the same
group. Similar problem would be observed in sessionless case.
Additionally, it will help extend DH to support Elliptic Curves.
- Changed order of Diffie-Hellman operation phases.
Now it corresponds with the order of operations.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
app/test/test_cryptodev_asym.c | 11 +++++------
drivers/crypto/openssl/rte_openssl_pmd.c | 15 ++++++---------
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 27 ---------------------------
lib/cryptodev/rte_crypto_asym.h | 22 ++++++++++------------
4 files changed, 21 insertions(+), 54 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 1b77aa2b6a..a151051165 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -1062,8 +1062,8 @@ test_dh_gen_shared_sec(struct rte_crypto_asym_xform *xfrm)
asym_op = op->asym;
/* Setup a xform and op to generate private key only */
- xform.dh.type = RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE;
xform.next = NULL;
+ asym_op->dh.op_type = RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE;
asym_op->dh.priv_key.data = dh_test_params.priv_key.data;
asym_op->dh.priv_key.length = dh_test_params.priv_key.length;
asym_op->dh.pub_key.data = (uint8_t *)peer;
@@ -1144,8 +1144,8 @@ test_dh_gen_priv_key(struct rte_crypto_asym_xform *xfrm)
asym_op = op->asym;
/* Setup a xform and op to generate private key only */
- xform.dh.type = RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE;
xform.next = NULL;
+ asym_op->dh.op_type = RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE;
asym_op->dh.priv_key.data = output;
asym_op->dh.priv_key.length = sizeof(output);
@@ -1227,9 +1227,9 @@ test_dh_gen_pub_key(struct rte_crypto_asym_xform *xfrm)
* using test private key
*
*/
- xform.dh.type = RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE;
xform.next = NULL;
+ asym_op->dh.op_type = RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE;
asym_op->dh.pub_key.data = output;
asym_op->dh.pub_key.length = sizeof(output);
/* load pre-defined private key */
@@ -1318,15 +1318,14 @@ test_dh_gen_kp(struct rte_crypto_asym_xform *xfrm)
* private key first followed by
* public key
*/
- xform.dh.type = RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE;
pub_key_xform.xform_type = RTE_CRYPTO_ASYM_XFORM_DH;
- pub_key_xform.dh.type = RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE;
xform.next = &pub_key_xform;
+ asym_op->dh.op_type = RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE;
asym_op->dh.pub_key.data = out_pub_key;
asym_op->dh.pub_key.length = sizeof(out_pub_key);
asym_op->dh.priv_key.data = out_prv_key;
- asym_op->dh.priv_key.length = sizeof(out_prv_key);
+ asym_op->dh.priv_key.length = 0;
ret = rte_cryptodev_asym_session_create(dev_id, &xform, sess_mpool, &sess);
if (ret < 0) {
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 2a3930df0a..4e11770864 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1692,12 +1692,12 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
{
struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ struct rte_crypto_asym_op *asym_op = cop->asym;
DH *dh_key = sess->u.dh.dh_key;
BIGNUM *priv_key = NULL;
int ret = 0;
- if (sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE)) {
+ if (asym_op->dh.op_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
/* compute shared secret using peer public key
* and current private key
* shared secret = peer_key ^ priv_key mod p
@@ -1753,10 +1753,8 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
* if user provides private key,
* then first set DH with user provided private key
*/
- if ((sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE)) &&
- !(sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE))) {
+ if (asym_op->dh.op_type == RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE &&
+ op->priv_key.length) {
/* generate public key using user-provided private key
* pub_key = g ^ priv_key mod p
*/
@@ -1790,7 +1788,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
- if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE)) {
+ if (asym_op->dh.op_type == RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE) {
const BIGNUM *pub_key = NULL;
OPENSSL_LOG(DEBUG, "%s:%d update public key\n",
@@ -1804,8 +1802,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
op->pub_key.data);
}
- if (sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE)) {
+ if (asym_op->dh.op_type == RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) {
const BIGNUM *priv_key = NULL;
OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n",
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index c975ef640a..16ec5e15eb 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -999,33 +999,6 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
-
- /*
- * setup xfrom for
- * public key generate, or
- * DH Priv key generate, or both
- * public and private key generate
- */
- asym_session->u.dh.key_op = (1 << xform->dh.type);
-
- if (xform->dh.type ==
- RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) {
- /* check if next is pubkey */
- if ((xform->next != NULL) &&
- (xform->next->xform_type ==
- RTE_CRYPTO_ASYM_XFORM_DH) &&
- (xform->next->dh.type ==
- RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE)
- ) {
- /*
- * setup op as pub/priv key
- * pair generationi
- */
- asym_session->u.dh.key_op |=
- (1 <<
- RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE);
- }
- }
asym_session->u.dh.dh_key = dh;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
break;
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 1a77a74478..ffb0e8ed17 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -248,8 +248,6 @@ struct rte_crypto_modinv_xform {
*
*/
struct rte_crypto_dh_xform {
- enum rte_crypto_asym_ke_type type;
- /**< Setup xform for key generate or shared secret compute */
rte_crypto_uint p;
/**< Prime modulus data */
rte_crypto_uint g;
@@ -377,15 +375,8 @@ struct rte_crypto_rsa_op_param {
* @note:
*/
struct rte_crypto_dh_op_param {
- rte_crypto_uint pub_key;
- /**<
- * Output - generated public key, when xform type is
- * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
- *
- * Input - peer's public key, when xform type is
- * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
- */
-
+ enum rte_crypto_asym_ke_type op_type;
+ /**< Key exchange operation type */
rte_crypto_uint priv_key;
/**<
* Output - generated private key, when xform type is
@@ -400,7 +391,14 @@ struct rte_crypto_dh_op_param {
* device will generate private key and use it for public
* key generation.
*/
-
+ rte_crypto_uint pub_key;
+ /**<
+ * Output - generated public key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
+ *
+ * Input - peer's public key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
+ */
rte_crypto_uint shared_secret;
/**<
* Output - calculated shared secret when xform type is
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (5 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 06/14] cryptodev: move dh type from xform to dh op Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:29 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 08/14] cryptodev: add public key verify option Arek Kusztal
` (6 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Added elliptic curve Diffie-Hellman parameters.
Point multiplication allows the user to process every phase of
ECDH, but for phase 1, user should not really care about the generator.
The user does not even need to know what the generator looks like,
therefore setting ec xform would make this work.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index ffb0e8ed17..0dab7c0593 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -112,6 +112,8 @@ enum rte_crypto_asym_xform_type {
/**< Elliptic Curve Digital Signature Algorithm */
RTE_CRYPTO_ASYM_XFORM_ECPM,
/**< Elliptic Curve Point Multiplication */
+ RTE_CRYPTO_ASYM_XFORM_ECDH,
+ /**< Elliptic Curve Diffie Hellman */
RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
/**< End of list */
};
@@ -407,6 +409,42 @@ struct rte_crypto_dh_op_param {
};
/**
+ * Elliptic Curve Diffie-Hellman Operations params.
+ * @note:
+ */
+struct rte_crypto_ecdh_op_param {
+ enum rte_crypto_asym_ke_type op_type;
+ /**< Key exchange operation type */
+ rte_crypto_uint priv_key;
+ /**<
+ * Output - generated private key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
+ *
+ * Input - private key, when xform type is one of:
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
+ *
+ * In case priv_key.length is 0 and xform type is set with
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE, CSRNG capable
+ * device will generate private key and use it for public
+ * key generation.
+ */
+ struct rte_crypto_ec_point pub_key;
+ /**<
+ * Output - generated public key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
+ *
+ * Input - peer's public key, when xform type is
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
+ */
+ struct rte_crypto_ec_point shared_secret;
+ /**<
+ * Output - calculated shared secret when xform type is
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
+ */
+};
+
+/**
* DSA Operations params
*
*/
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 08/14] cryptodev: add public key verify option
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (6 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:34 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 09/14] cryptodev: add asym op flags Arek Kusztal
` (5 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Added key exchange public key verify option.
For some elliptic curves public point in DH exchange
needs to be checked, if it lays on the curve.
Modular exponentiation needs certain checks as well, though
mathematically much easier.
This commit adds verify option to asym_op operations.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 9 ++++++---
lib/cryptodev/rte_cryptodev.c | 3 ++-
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 0dab7c0593..3eafaecbbe 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -141,8 +141,10 @@ enum rte_crypto_asym_ke_type {
/**< Private Key generation operation */
RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
/**< Public Key generation operation */
- RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
+ RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
/**< Shared Secret compute operation */
+ RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY,
+ /**< Public Key Verification */
};
/**
@@ -434,8 +436,9 @@ struct rte_crypto_ecdh_op_param {
* Output - generated public key, when xform type is
* RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
*
- * Input - peer's public key, when xform type is
- * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
+ * Input - peer's public key, when xform type is one of:
+ * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
+ * RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY.
*/
struct rte_crypto_ec_point shared_secret;
/**<
diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
index af58f49d07..57ee6b3f07 100644
--- a/lib/cryptodev/rte_cryptodev.c
+++ b/lib/cryptodev/rte_cryptodev.c
@@ -185,7 +185,8 @@ const char *rte_crypto_asym_op_strings[] = {
const char *rte_crypto_asym_ke_strings[] = {
[RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE] = "priv_key_generate",
[RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE] = "pub_key_generate",
- [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] = "sharedsecret_compute"
+ [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] = "sharedsecret_compute",
+ [RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY] = "pub_ec_key_verify"
};
/**
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 09/14] cryptodev: add asym op flags
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (7 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 08/14] cryptodev: add public key verify option Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:46 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 10/14] cryptodev: clarify usage of rsa padding hash Arek Kusztal
` (4 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Added flags to rte_crypto_asym_op struct.
It may be shared between different algorithms.
- Added Diffie-Hellman padding flags.
Diffie-Hellman padding is used in certain protocols,
in others, leading zero bytes need to be stripped.
Even same protocol may use a different approach - most
glaring example is TLS1.2 - TLS1.3.
For ease of use, and to avoid additional copy
on certain occasions, driver should be able to return both.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 3eafaecbbe..1a57c0c532 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -75,6 +75,19 @@ struct rte_crypto_ec_point {
/**< Y coordinate */
};
+#define RTE_CRYPTO_ASYM_FLAG_PUB_KEY_NO_PADDING RTE_BIT32(0)
+/**<
+ * If set to 1 - public key will be returned
+ * without leading zero bytes, otherwise it will be
+ * padded to the left with zero bytes (default)
+ */
+#define RTE_CRYPTO_ASYM_FLAG_SHARED_KEY_NO_PADDING RTE_BIT32(1)
+/**<
+ * If set to 1 - shared key will be returned
+ * without leading zero bytes, otherwise it will be
+ * padded to the left with zero bytes (default)
+ */
+
/**
* List of elliptic curves. This enum aligns with
* TLS "Supported Groups" registry (previously known as
@@ -589,6 +602,8 @@ struct rte_crypto_asym_op {
struct rte_crypto_ecdsa_op_param ecdsa;
struct rte_crypto_ecpm_op_param ecpm;
};
+ uint16_t flags;
+ /**< Asymmetric crypto operation flags */
};
#ifdef __cplusplus
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 10/14] cryptodev: clarify usage of rsa padding hash
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (8 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 09/14] cryptodev: add asym op flags Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 11:56 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 11/14] cryptodev: move RSA padding into separate struct Arek Kusztal
` (3 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Clarified usage of RSA padding hash.
It was not specified how to use hash for PKCS1_5
padding. This could lead to incorrect implementation.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 1a57c0c532..1758aaa875 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -371,10 +371,27 @@ struct rte_crypto_rsa_op_param {
/**< RSA padding scheme to be used for transform */
enum rte_crypto_auth_algorithm md;
- /**< Hash algorithm to be used for data hash if padding
- * scheme is either OAEP or PSS. Valid hash algorithms
- * are:
- * MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ /**<
+ * RSA padding hash function
+ *
+ * When a specific padding type is selected, the following rule apply:
+ * - RTE_CRYPTO_RSA_PADDING_NONE:
+ * This field is ignored by the PMD
+ *
+ * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ * When signing operation this field is used to determine value
+ * of the DigestInfo structure, therefore specifying which algorithm
+ * was used to create the message digest.
+ * When doing encryption/decryption this field is ignored for this
+ * padding type.
+ *
+ * - RTE_CRYPTO_RSA_PADDING_OAEP
+ * This field shall be set with the hash algorithm used
+ * in the padding scheme
+ *
+ * - RTE_CRYPTO_RSA_PADDING_PSS
+ * This field shall be set with the hash algorithm used
+ * in the padding scheme (and to create the input message digest)
*/
enum rte_crypto_auth_algorithm mgf1md;
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 11/14] cryptodev: move RSA padding into separate struct
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (9 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 10/14] cryptodev: clarify usage of rsa padding hash Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 12:04 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding Arek Kusztal
` (2 subsequent siblings)
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- move RSA padding into separate struct.
More padding members should be added into padding,
therefore having separate struct for padding parameters will
make this more readable.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
app/test/test_cryptodev_asym.c | 10 ++--
drivers/common/cpt/cpt_ucode_asym.h | 4 +-
drivers/crypto/cnxk/cnxk_ae.h | 8 +--
drivers/crypto/octeontx/otx_cryptodev_ops.c | 4 +-
drivers/crypto/openssl/rte_openssl_pmd.c | 2 +-
drivers/crypto/qat/qat_asym.c | 12 ++---
lib/cryptodev/rte_crypto_asym.h | 76 ++++++++++++++++-------------
7 files changed, 61 insertions(+), 55 deletions(-)
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index a151051165..072dbb30f4 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -94,7 +94,7 @@ queue_ops_rsa_sign_verify(void *sess)
asym_op->rsa.message.length = rsaplaintext.len;
asym_op->rsa.sign.length = 0;
asym_op->rsa.sign.data = output_buf;
- asym_op->rsa.pad = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
+ asym_op->rsa.padding.type = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
debug_hexdump(stdout, "message", asym_op->rsa.message.data,
asym_op->rsa.message.length);
@@ -126,7 +126,7 @@ queue_ops_rsa_sign_verify(void *sess)
/* Verify sign */
asym_op->rsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
- asym_op->rsa.pad = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
+ asym_op->rsa.padding.type = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
/* Process crypto operation */
if (rte_cryptodev_enqueue_burst(dev_id, 0, &op, 1) != 1) {
@@ -185,7 +185,7 @@ queue_ops_rsa_enc_dec(void *sess)
asym_op->rsa.cipher.data = cipher_buf;
asym_op->rsa.cipher.length = 0;
asym_op->rsa.message.length = rsaplaintext.len;
- asym_op->rsa.pad = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
+ asym_op->rsa.padding.type = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
debug_hexdump(stdout, "message", asym_op->rsa.message.data,
asym_op->rsa.message.length);
@@ -217,7 +217,7 @@ queue_ops_rsa_enc_dec(void *sess)
asym_op = result_op->asym;
asym_op->rsa.message.length = 0;
asym_op->rsa.op_type = RTE_CRYPTO_ASYM_OP_DECRYPT;
- asym_op->rsa.pad = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
+ asym_op->rsa.padding.type = RTE_CRYPTO_RSA_PADDING_PKCS1_5;
/* Process crypto operation */
if (rte_cryptodev_enqueue_burst(dev_id, 0, &op, 1) != 1) {
@@ -413,7 +413,7 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
}
xform_tc.rsa.key_type = key_type;
- op->asym->rsa.pad = data_tc->rsa_data.padding;
+ op->asym->rsa.padding.type = data_tc->rsa_data.padding;
if (op->asym->rsa.op_type == RTE_CRYPTO_ASYM_OP_ENCRYPT) {
asym_op->rsa.message.data = data_tc->rsa_data.pt.data;
diff --git a/drivers/common/cpt/cpt_ucode_asym.h b/drivers/common/cpt/cpt_ucode_asym.h
index f5d91f2583..1105a0c125 100644
--- a/drivers/common/cpt/cpt_ucode_asym.h
+++ b/drivers/common/cpt/cpt_ucode_asym.h
@@ -327,7 +327,7 @@ cpt_rsa_prep(struct asym_op_params *rsa_params,
/* Result buffer */
rlen = mod_len;
- if (rsa_op.pad == RTE_CRYPTO_RSA_PADDING_NONE) {
+ if (rsa_op.padding.type == RTE_CRYPTO_RSA_PADDING_NONE) {
/* Use mod_exp operation for no_padding type */
vq_cmd_w0.s.opcode.minor = CPT_MINOR_OP_MODEX;
vq_cmd_w0.s.param2 = exp_len;
@@ -412,7 +412,7 @@ cpt_rsa_crt_prep(struct asym_op_params *rsa_params,
/* Result buffer */
rlen = mod_len;
- if (rsa_op.pad == RTE_CRYPTO_RSA_PADDING_NONE) {
+ if (rsa_op.padding.type == RTE_CRYPTO_RSA_PADDING_NONE) {
/*Use mod_exp operation for no_padding type */
vq_cmd_w0.s.opcode.minor = CPT_MINOR_OP_MODEX_CRT;
} else {
diff --git a/drivers/crypto/cnxk/cnxk_ae.h b/drivers/crypto/cnxk/cnxk_ae.h
index 10854c79c8..0562f72270 100644
--- a/drivers/crypto/cnxk/cnxk_ae.h
+++ b/drivers/crypto/cnxk/cnxk_ae.h
@@ -288,7 +288,7 @@ cnxk_ae_rsa_prep(struct rte_crypto_op *op, struct roc_ae_buf_ptr *meta_buf,
dptr += in_size;
dlen = total_key_len + in_size;
- if (rsa_op.pad == RTE_CRYPTO_RSA_PADDING_NONE) {
+ if (rsa_op.padding.type == RTE_CRYPTO_RSA_PADDING_NONE) {
/* Use mod_exp operation for no_padding type */
w4.s.opcode_minor = ROC_AE_MINOR_OP_MODEX;
w4.s.param2 = exp_len;
@@ -347,7 +347,7 @@ cnxk_ae_rsa_crt_prep(struct rte_crypto_op *op, struct roc_ae_buf_ptr *meta_buf,
dptr += in_size;
dlen = total_key_len + in_size;
- if (rsa_op.pad == RTE_CRYPTO_RSA_PADDING_NONE) {
+ if (rsa_op.padding.type == RTE_CRYPTO_RSA_PADDING_NONE) {
/*Use mod_exp operation for no_padding type */
w4.s.opcode_minor = ROC_AE_MINOR_OP_MODEX_CRT;
} else {
@@ -675,7 +675,7 @@ cnxk_ae_dequeue_rsa_op(struct rte_crypto_op *cop, uint8_t *rptr,
memcpy(rsa->cipher.data, rptr, rsa->cipher.length);
break;
case RTE_CRYPTO_ASYM_OP_DECRYPT:
- if (rsa->pad == RTE_CRYPTO_RSA_PADDING_NONE) {
+ if (rsa->padding.type == RTE_CRYPTO_RSA_PADDING_NONE) {
rsa->message.length = rsa_ctx->n.length;
memcpy(rsa->message.data, rptr, rsa->message.length);
} else {
@@ -695,7 +695,7 @@ cnxk_ae_dequeue_rsa_op(struct rte_crypto_op *cop, uint8_t *rptr,
memcpy(rsa->sign.data, rptr, rsa->sign.length);
break;
case RTE_CRYPTO_ASYM_OP_VERIFY:
- if (rsa->pad == RTE_CRYPTO_RSA_PADDING_NONE) {
+ if (rsa->padding.type == RTE_CRYPTO_RSA_PADDING_NONE) {
rsa->sign.length = rsa_ctx->n.length;
memcpy(rsa->sign.data, rptr, rsa->sign.length);
} else {
diff --git a/drivers/crypto/octeontx/otx_cryptodev_ops.c b/drivers/crypto/octeontx/otx_cryptodev_ops.c
index d5851d9987..914b17decf 100644
--- a/drivers/crypto/octeontx/otx_cryptodev_ops.c
+++ b/drivers/crypto/octeontx/otx_cryptodev_ops.c
@@ -736,7 +736,7 @@ otx_cpt_asym_rsa_op(struct rte_crypto_op *cop, struct cpt_request_info *req,
memcpy(rsa->cipher.data, req->rptr, rsa->cipher.length);
break;
case RTE_CRYPTO_ASYM_OP_DECRYPT:
- if (rsa->pad == RTE_CRYPTO_RSA_PADDING_NONE)
+ if (rsa->padding.type == RTE_CRYPTO_RSA_PADDING_NONE)
rsa->message.length = rsa_ctx->n.length;
else {
/* Get length of decrypted output */
@@ -753,7 +753,7 @@ otx_cpt_asym_rsa_op(struct rte_crypto_op *cop, struct cpt_request_info *req,
memcpy(rsa->sign.data, req->rptr, rsa->sign.length);
break;
case RTE_CRYPTO_ASYM_OP_VERIFY:
- if (rsa->pad == RTE_CRYPTO_RSA_PADDING_NONE)
+ if (rsa->padding.type == RTE_CRYPTO_RSA_PADDING_NONE)
rsa->sign.length = rsa_ctx->n.length;
else {
/* Get length of decrypted output */
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 4e11770864..0aa988d167 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1894,7 +1894,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
int ret = 0;
struct rte_crypto_asym_op *op = cop->asym;
RSA *rsa = sess->u.r.rsa;
- uint32_t pad = (op->rsa.pad);
+ uint32_t pad = (op->rsa.padding.type);
uint8_t *tmp;
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 479d5308cf..5dd355d007 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -345,7 +345,7 @@ rsa_set_pub_input(struct rte_crypto_asym_op *asym_op,
alg_bytesize = qat_function.bytesize;
if (asym_op->rsa.op_type == RTE_CRYPTO_ASYM_OP_ENCRYPT) {
- switch (asym_op->rsa.pad) {
+ switch (asym_op->rsa.padding.type) {
case RTE_CRYPTO_RSA_PADDING_NONE:
SET_PKE_LN(cookie->input_array, asym_op->rsa.message,
alg_bytesize, 0);
@@ -358,7 +358,7 @@ rsa_set_pub_input(struct rte_crypto_asym_op *asym_op,
}
HEXDUMP("RSA Message", cookie->input_array[0], alg_bytesize);
} else {
- switch (asym_op->rsa.pad) {
+ switch (asym_op->rsa.padding.type) {
case RTE_CRYPTO_RSA_PADDING_NONE:
SET_PKE_LN(cookie->input_array, asym_op->rsa.sign,
alg_bytesize, 0);
@@ -454,7 +454,7 @@ rsa_set_priv_input(struct rte_crypto_asym_op *asym_op,
if (asym_op->rsa.op_type ==
RTE_CRYPTO_ASYM_OP_DECRYPT) {
- switch (asym_op->rsa.pad) {
+ switch (asym_op->rsa.padding.type) {
case RTE_CRYPTO_RSA_PADDING_NONE:
SET_PKE_LN(cookie->input_array, asym_op->rsa.cipher,
alg_bytesize, 0);
@@ -469,7 +469,7 @@ rsa_set_priv_input(struct rte_crypto_asym_op *asym_op,
} else if (asym_op->rsa.op_type ==
RTE_CRYPTO_ASYM_OP_SIGN) {
- switch (asym_op->rsa.pad) {
+ switch (asym_op->rsa.padding.type) {
case RTE_CRYPTO_RSA_PADDING_NONE:
SET_PKE_LN(cookie->input_array, asym_op->rsa.message,
alg_bytesize, 0);
@@ -529,7 +529,7 @@ rsa_collect(struct rte_crypto_asym_op *asym_op,
} else {
uint8_t *rsa_result = asym_op->rsa.cipher.data;
- switch (asym_op->rsa.pad) {
+ switch (asym_op->rsa.padding.type) {
case RTE_CRYPTO_RSA_PADDING_NONE:
rte_memcpy(rsa_result,
cookie->output_array[0],
@@ -547,7 +547,7 @@ rsa_collect(struct rte_crypto_asym_op *asym_op,
if (asym_op->rsa.op_type == RTE_CRYPTO_ASYM_OP_DECRYPT) {
uint8_t *rsa_result = asym_op->rsa.message.data;
- switch (asym_op->rsa.pad) {
+ switch (asym_op->rsa.padding.type) {
case RTE_CRYPTO_RSA_PADDING_NONE:
rte_memcpy(rsa_result,
cookie->output_array[0],
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 1758aaa875..ee0988d3cf 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -212,6 +212,45 @@ struct rte_crypto_rsa_priv_key_qt {
};
/**
+ * RSA padding type
+ */
+struct rte_crypto_rsa_padding {
+ enum rte_crypto_rsa_padding_type type;
+ /**< RSA padding scheme to be used for transform */
+ enum rte_crypto_auth_algorithm md;
+ /**<
+ * RSA padding hash function
+ *
+ * When a specific padding type is selected, the following rule apply:
+ * - RTE_CRYPTO_RSA_PADDING_NONE:
+ * This field is ignored by the PMD
+ *
+ * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ * When signing operation this field is used to determine value
+ * of the DigestInfo structure, therefore specifying which algorithm
+ * was used to create the message digest.
+ * When doing encryption/decryption this field is ignored for this
+ * padding type.
+ *
+ * - RTE_CRYPTO_RSA_PADDING_OAEP
+ * This field shall be set with the hash algorithm used
+ * in the padding scheme
+ *
+ * - RTE_CRYPTO_RSA_PADDING_PSS
+ * This field shall be set with the hash algorithm used
+ * in the padding scheme (and to create the input message digest)
+ */
+ enum rte_crypto_auth_algorithm mgf1md;
+ /**<
+ * Hash algorithm to be used for mask generation if
+ * padding scheme is either OAEP or PSS. If padding
+ * scheme is unspecified data hash algorithm is used
+ * for mask generation. Valid hash algorithms are:
+ * MD5, SHA1, SHA224, SHA256, SHA384, SHA512
+ */
+};
+
+/**
* Asymmetric RSA transform data
*
* Structure describing RSA xform params
@@ -367,41 +406,8 @@ struct rte_crypto_rsa_op_param {
* All data is in Octet-string network byte order format.
*/
- enum rte_crypto_rsa_padding_type pad;
- /**< RSA padding scheme to be used for transform */
-
- enum rte_crypto_auth_algorithm md;
- /**<
- * RSA padding hash function
- *
- * When a specific padding type is selected, the following rule apply:
- * - RTE_CRYPTO_RSA_PADDING_NONE:
- * This field is ignored by the PMD
- *
- * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
- * When signing operation this field is used to determine value
- * of the DigestInfo structure, therefore specifying which algorithm
- * was used to create the message digest.
- * When doing encryption/decryption this field is ignored for this
- * padding type.
- *
- * - RTE_CRYPTO_RSA_PADDING_OAEP
- * This field shall be set with the hash algorithm used
- * in the padding scheme
- *
- * - RTE_CRYPTO_RSA_PADDING_PSS
- * This field shall be set with the hash algorithm used
- * in the padding scheme (and to create the input message digest)
- */
-
- enum rte_crypto_auth_algorithm mgf1md;
- /**<
- * Hash algorithm to be used for mask generation if
- * padding scheme is either OAEP or PSS. If padding
- * scheme is unspecified data hash algorithm is used
- * for mask generation. Valid hash algorithms are:
- * MD5, SHA1, SHA224, SHA256, SHA384, SHA512
- */
+ struct rte_crypto_rsa_padding padding;
+ /**< RSA padding information */
};
/**
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (10 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 11/14] cryptodev: move RSA padding into separate struct Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 12:06 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 13/14] cryptodev: add salt length and optional label Arek Kusztal
2022-05-25 15:53 ` [PATCH v2 14/14] cryptodev: add asym algorithms capabilities Arek Kusztal
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Clarified where should output be stored of signature
decryption with padding none.
PMD is not able to know what padding algorithm was used,
therefore decrypted signature should be returned to the user.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index ee0988d3cf..9f7fba3758 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -372,8 +372,6 @@ struct rte_crypto_rsa_op_param {
* (i.e. must be at least RSA key size). The message.length
* field should be 0 and will be overwritten by the PMD
* with the decrypted length.
- *
- * All data is in Octet-string network byte order format.
*/
rte_crypto_param cipher;
@@ -388,7 +386,8 @@ struct rte_crypto_rsa_op_param {
* at least RSA key size). The cipher.length field should
* be 0 and will be overwritten by the PMD with the encrypted length.
*
- * All data is in Octet-string network byte order format.
+ * When RTE_CRYPTO_RSA_PADDING_NONE and RTE_CRYPTO_ASYM_OP_VERIFY
+ * selected, this is an output of decrypted signature.
*/
rte_crypto_param sign;
@@ -402,8 +401,6 @@ struct rte_crypto_rsa_op_param {
* with enough memory to hold signature output (i.e. must be
* at least RSA key size). The sign.length field should
* be 0 and will be overwritten by the PMD with the signature length.
- *
- * All data is in Octet-string network byte order format.
*/
struct rte_crypto_rsa_padding padding;
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 13/14] cryptodev: add salt length and optional label
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (11 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 12:08 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 14/14] cryptodev: add asym algorithms capabilities Arek Kusztal
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Added salt length and optional label.
Common parameters to PSS and OAEP padding for RSA.
- Fixed hash API in RSA padding.
Now it is specified how hash should be used with
particular RSA padding modes.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
lib/cryptodev/rte_crypto_asym.h | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 9f7fba3758..d90a7a1957 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -217,7 +217,7 @@ struct rte_crypto_rsa_priv_key_qt {
struct rte_crypto_rsa_padding {
enum rte_crypto_rsa_padding_type type;
/**< RSA padding scheme to be used for transform */
- enum rte_crypto_auth_algorithm md;
+ enum rte_crypto_auth_algorithm hash;
/**<
* RSA padding hash function
*
@@ -240,7 +240,7 @@ struct rte_crypto_rsa_padding {
* This field shall be set with the hash algorithm used
* in the padding scheme (and to create the input message digest)
*/
- enum rte_crypto_auth_algorithm mgf1md;
+ enum rte_crypto_auth_algorithm mgf1hash;
/**<
* Hash algorithm to be used for mask generation if
* padding scheme is either OAEP or PSS. If padding
@@ -248,6 +248,21 @@ struct rte_crypto_rsa_padding {
* for mask generation. Valid hash algorithms are:
* MD5, SHA1, SHA224, SHA256, SHA384, SHA512
*/
+ uint16_t pss_saltlen;
+ /**<
+ * RSA PSS padding salt length
+ *
+ * Used only when RTE_CRYPTO_RSA_PADDING_PSS padding is selected,
+ * otherwise ignored.
+ */
+ rte_crypto_param oaep_label;
+ /**<
+ * RSA OAEP padding optional label
+ *
+ * Used only when RTE_CRYPTO_RSA_PADDING_OAEP padding is selected,
+ * otherwise ignored. If label.data == NULL, a default
+ * label (empty string) is used.
+ */
};
/**
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 14/14] cryptodev: add asym algorithms capabilities
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
` (12 preceding siblings ...)
2022-05-25 15:53 ` [PATCH v2 13/14] cryptodev: add salt length and optional label Arek Kusztal
@ 2022-05-25 15:53 ` Arek Kusztal
2022-05-26 12:54 ` [EXT] " Akhil Goyal
13 siblings, 1 reply; 41+ messages in thread
From: Arek Kusztal @ 2022-05-25 15:53 UTC (permalink / raw)
To: dev; +Cc: gakhil, roy.fan.zhang, Arek Kusztal
- Added asymmetric crypto algorithm specific capability struct.
Included fields like random number capability, padding flags etc.
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
app/test-crypto-perf/main.c | 12 +-
app/test-eventdev/test_perf_common.c | 2 +-
app/test/test_cryptodev_asym.c | 210 +++++++++++++++++++++------
app/test/test_event_crypto_adapter.c | 16 +-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 128 +++++++---------
drivers/crypto/qat/dev/qat_asym_pmd_gen1.c | 68 +++++++--
lib/cryptodev/rte_crypto_asym.h | 48 ++++++
lib/cryptodev/rte_cryptodev.c | 80 +++++++++-
lib/cryptodev/rte_cryptodev.h | 75 +++++++++-
lib/cryptodev/version.map | 4 +
10 files changed, 495 insertions(+), 148 deletions(-)
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 17e30a8e74..f8a4c9cdcf 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -364,8 +364,8 @@ cperf_verify_devices_capabilities(struct cperf_options *opts,
struct rte_cryptodev_sym_capability_idx cap_idx;
const struct rte_cryptodev_symmetric_capability *capability;
struct rte_cryptodev_asym_capability_idx asym_cap_idx;
- const struct rte_cryptodev_asymmetric_xform_capability *asym_capability;
-
+ const struct rte_cryptodev_asymmetric_capability *asym_capability;
+ struct rte_crypto_mod_capability mod_capa = {0};
uint8_t i, cdev_id;
int ret;
@@ -381,11 +381,11 @@ cperf_verify_devices_capabilities(struct cperf_options *opts,
if (asym_capability == NULL)
return -1;
- ret = rte_cryptodev_asym_xform_capability_check_modlen(
- asym_capability, opts->modex_data->modulus.len);
- if (ret != 0)
+ mod_capa.max_mod_size = opts->modex_data->modulus.len;
+ ret = rte_cryptodev_capa_check_mod(asym_capability,
+ mod_capa);
+ if (ret == 0)
return ret;
-
}
if (opts->op_type == CPERF_AUTH_ONLY ||
diff --git a/app/test-eventdev/test_perf_common.c b/app/test-eventdev/test_perf_common.c
index b41785492e..ac8e6410ab 100644
--- a/app/test-eventdev/test_perf_common.c
+++ b/app/test-eventdev/test_perf_common.c
@@ -846,7 +846,7 @@ cryptodev_sym_sess_create(struct prod_data *p, struct test_perf *t)
static void *
cryptodev_asym_sess_create(struct prod_data *p, struct test_perf *t)
{
- const struct rte_cryptodev_asymmetric_xform_capability *capability;
+ const struct rte_cryptodev_asymmetric_capability *capability;
struct rte_cryptodev_asym_capability_idx cap_idx;
struct rte_crypto_asym_xform xform;
void *sess;
diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 072dbb30f4..c531265642 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -311,10 +311,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
struct rte_crypto_asym_xform xform_tc;
void *sess = NULL;
struct rte_cryptodev_asym_capability_idx cap_idx;
- const struct rte_cryptodev_asymmetric_xform_capability *capability;
+ const struct rte_cryptodev_asymmetric_capability *capability;
uint8_t dev_id = ts_params->valid_devs[0];
uint8_t input[TEST_DATA_SIZE] = {0};
uint8_t *result = NULL;
+ struct rte_crypto_mod_capability mod_capa = {0};
int ret, status = TEST_SUCCESS;
@@ -358,8 +359,10 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
asym_op->modex.base.length = data_tc->modex.base.len;
asym_op->modex.result.data = result;
asym_op->modex.result.length = data_tc->modex.result_len;
- if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
- xform_tc.modex.modulus.length)) {
+
+ mod_capa.max_mod_size = xform_tc.modex.modulus.length;
+ if (!rte_cryptodev_capa_check_mod(capability,
+ mod_capa)) {
snprintf(test_msg, ASYM_TEST_MSG_LEN,
"line %u "
"FAILED: %s", __LINE__,
@@ -378,8 +381,10 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
asym_op->modinv.base.length = data_tc->modinv.base.len;
asym_op->modinv.result.data = result;
asym_op->modinv.result.length = data_tc->modinv.result_len;
- if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
- xform_tc.modinv.modulus.length)) {
+
+ mod_capa.max_mod_size = xform_tc.modinv.modulus.length;
+ if (!rte_cryptodev_capa_check_mod(capability,
+ mod_capa)) {
snprintf(test_msg, ASYM_TEST_MSG_LEN,
"line %u "
"FAILED: %s", __LINE__,
@@ -963,38 +968,100 @@ ut_teardown_asym(void)
rte_cryptodev_stop(ts_params->valid_devs[0]);
}
-static inline void print_asym_capa(
- const struct rte_cryptodev_asymmetric_xform_capability *capa)
+static void
+print_rsa_capability(
+ const struct rte_cryptodev_asymmetric_capability *capa)
{
int i = 0;
+ printf("\nSupported paddings:");
+ for (; i < 32; i++) {
+ if (capa->rsa.padding & RTE_BIT32(i))
+ printf("\n - %s", rte_crypto_asym_rsa_padding[i]);
+ }
+ printf("\nSupported hash functions:");
+ for (i = 0; i < 32; i++) {
+ if (capa->rsa.hash & RTE_BIT32(i))
+ printf("\n - %s", rte_crypto_auth_algorithm_strings[i]);
+ }
+ printf("\nMaximum key size: ");
+ if (capa->rsa.max_key_size == 0)
+ printf("Unlimited");
+ else
+ printf("%hu", capa->rsa.max_key_size);
+}
+
+static void
+print_supported_curves(uint64_t curves)
+{
+ int i = 0;
+
+ printf("\nSupported elliptic curves:");
+ for (; i < 64; i++) {
+ if (curves & RTE_BIT64(i))
+ printf("\n - %s", rte_crypto_curves_strings[i]);
+ }
+}
+
+static inline void print_asym_capa(
+ const struct rte_cryptodev_asymmetric_capability *capa)
+{
printf("\nxform type: %s\n===================\n",
rte_crypto_asym_xform_strings[capa->xform_type]);
- printf("operation supported -");
- for (i = 0; i < RTE_CRYPTO_ASYM_OP_LIST_END; i++) {
- /* check supported operations */
- if (rte_cryptodev_asym_xform_capability_check_optype(capa, i))
- printf(" %s",
- rte_crypto_asym_op_strings[i]);
- }
- switch (capa->xform_type) {
- case RTE_CRYPTO_ASYM_XFORM_RSA:
- case RTE_CRYPTO_ASYM_XFORM_MODINV:
- case RTE_CRYPTO_ASYM_XFORM_MODEX:
- case RTE_CRYPTO_ASYM_XFORM_DH:
- case RTE_CRYPTO_ASYM_XFORM_DSA:
- printf(" modlen: min %d max %d increment %d",
- capa->modlen.min,
- capa->modlen.max,
- capa->modlen.increment);
+ switch (capa->xform_type) {
+ case RTE_CRYPTO_ASYM_XFORM_MODEX:
+ case RTE_CRYPTO_ASYM_XFORM_MODINV:
+ printf("Maximum size of modulus: ");
+ if (capa->mod.max_mod_size == 0)
+ printf("Unlimited");
+ else
+ printf("%hu", capa->mod.max_mod_size);
break;
- case RTE_CRYPTO_ASYM_XFORM_ECDSA:
- case RTE_CRYPTO_ASYM_XFORM_ECPM:
- default:
- break;
- }
- printf("\n");
+ case RTE_CRYPTO_ASYM_XFORM_RSA:
+ print_rsa_capability(capa);
+ break;
+ case RTE_CRYPTO_ASYM_XFORM_DH:
+ printf("Maximum group size: ");
+ if (capa->dh.max_group_size == 0)
+ printf("Unlimited");
+ else
+ printf("%hu", capa->dh.max_group_size);
+ printf("\nSupport for private key generation: ");
+ if (capa->dh.priv_key_gen)
+ printf("Yes");
+ else
+ printf("No");
+ break;
+ case RTE_CRYPTO_ASYM_XFORM_DSA:
+ printf("Maximum key size: ");
+ if (capa->dsa.max_key_size == 0)
+ printf("Unlimited");
+ else
+ printf("%hu", capa->dsa.max_key_size);
+ printf("\nSupport for random 'k' generation: ");
+ if (capa->dsa.random_k)
+ printf("Yes");
+ else
+ printf("No");
+ break;
+
+ break;
+ case RTE_CRYPTO_ASYM_XFORM_ECDSA:
+ print_supported_curves(capa->ecdsa.curves);
+ printf("\nSupport for random 'k' generation: ");
+ if (capa->ecdsa.random_k)
+ printf("Yes");
+ else
+ printf("No");
+ break;
+ case RTE_CRYPTO_ASYM_XFORM_ECPM:
+ print_supported_curves(capa->ecpm.curves);
+ break;
+ default:
+ break;
+ }
+ printf("\n");
}
static int
@@ -1006,7 +1073,7 @@ test_capability(void)
const struct rte_cryptodev_capabilities *dev_capa;
int i = 0;
struct rte_cryptodev_asym_capability_idx idx;
- const struct rte_cryptodev_asymmetric_xform_capability *capa;
+ const struct rte_cryptodev_asymmetric_capability *capa;
rte_cryptodev_info_get(dev_id, &dev_info);
if (!(dev_info.feature_flags &
@@ -1023,7 +1090,7 @@ test_capability(void)
dev_capa = &(dev_info.capabilities[i]);
if (dev_info.capabilities[i].op ==
RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {
- idx.type = dev_capa->asym.xform_capa.xform_type;
+ idx.type = dev_capa->asym.xform_type;
capa = rte_cryptodev_asym_capability_get(dev_id,
(const struct
@@ -1386,10 +1453,11 @@ test_mod_inv(void)
void *sess = NULL;
int status = TEST_SUCCESS;
struct rte_cryptodev_asym_capability_idx cap_idx;
- const struct rte_cryptodev_asymmetric_xform_capability *capability;
+ const struct rte_cryptodev_asymmetric_capability *capability;
uint8_t input[TEST_DATA_SIZE] = {0};
int ret = 0;
uint8_t result[sizeof(mod_p)] = { 0 };
+ struct rte_crypto_mod_capability mod_capa = {0};
if (rte_cryptodev_asym_get_xform_enum(
&modinv_xform.xform_type, "modinv") < 0) {
@@ -1408,13 +1476,11 @@ test_mod_inv(void)
return TEST_SKIPPED;
}
- if (rte_cryptodev_asym_xform_capability_check_modlen(
- capability,
- modinv_xform.modinv.modulus.length)) {
- RTE_LOG(ERR, USER1,
- "Invalid MODULUS length specified\n");
- return TEST_SKIPPED;
- }
+ mod_capa.max_mod_size = modinv_xform.modinv.modulus.length;
+ if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
+ RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
+ return TEST_SKIPPED;
+ }
ret = rte_cryptodev_asym_session_create(dev_id, &modinv_xform, sess_mpool, &sess);
if (ret < 0) {
@@ -1499,7 +1565,8 @@ test_mod_exp(void)
void *sess = NULL;
int status = TEST_SUCCESS;
struct rte_cryptodev_asym_capability_idx cap_idx;
- const struct rte_cryptodev_asymmetric_xform_capability *capability;
+ const struct rte_cryptodev_asymmetric_capability *capability;
+ struct rte_crypto_mod_capability mod_capa = {0};
uint8_t input[TEST_DATA_SIZE] = {0};
int ret = 0;
uint8_t result[sizeof(mod_p)] = { 0 };
@@ -1522,12 +1589,11 @@ test_mod_exp(void)
return TEST_SKIPPED;
}
- if (rte_cryptodev_asym_xform_capability_check_modlen(
- capability, modex_xform.modex.modulus.length)) {
- RTE_LOG(ERR, USER1,
- "Invalid MODULUS length specified\n");
- return TEST_SKIPPED;
- }
+ mod_capa.max_mod_size = modex_xform.modex.modulus.length;
+ if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
+ RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
+ return TEST_SKIPPED;
+ }
/* Create op, create session, and process packets. 8< */
op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
@@ -1785,6 +1851,8 @@ test_ecdsa_sign_verify(enum curve curve_id)
struct rte_crypto_asym_xform xform;
struct rte_crypto_asym_op *asym_op;
struct rte_cryptodev_info dev_info;
+ struct rte_cryptodev_asym_capability_idx idx;
+ const struct rte_cryptodev_asymmetric_capability *capabilities;
struct rte_crypto_op *op = NULL;
int ret, status = TEST_SUCCESS;
@@ -1814,6 +1882,25 @@ test_ecdsa_sign_verify(enum curve curve_id)
rte_cryptodev_info_get(dev_id, &dev_info);
+ struct rte_crypto_ecdsa_capability capa = {
+ .curves = RTE_BIT32(input_params.curve),
+ .random_k = 0
+ };
+
+ idx.type = RTE_CRYPTO_ASYM_XFORM_ECDSA;
+ capabilities = rte_cryptodev_asym_capability_get(dev_id,
+ (const struct
+ rte_cryptodev_asym_capability_idx *) &idx);
+
+ if (capabilities == NULL) {
+ status = TEST_SKIPPED;
+ goto exit;
+ }
+ if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
+ status = TEST_SKIPPED;
+ goto exit;
+ }
+
/* Setup crypto op data structure */
op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
if (op == NULL) {
@@ -1962,6 +2049,8 @@ test_ecdsa_sign_verify_all_curve(void)
status = test_ecdsa_sign_verify(curve_id);
if (status == TEST_SUCCESS) {
msg = "succeeded";
+ } else if (status == TEST_SKIPPED) {
+ continue;
} else {
msg = "failed";
overall_status = status;
@@ -1987,6 +2076,8 @@ test_ecpm(enum curve curve_id)
struct rte_crypto_asym_xform xform;
struct rte_crypto_asym_op *asym_op;
struct rte_cryptodev_info dev_info;
+ struct rte_cryptodev_asym_capability_idx idx;
+ const struct rte_cryptodev_asymmetric_capability *capabilities;
struct rte_crypto_op *op = NULL;
int ret, status = TEST_SUCCESS;
@@ -2016,6 +2107,24 @@ test_ecpm(enum curve curve_id)
rte_cryptodev_info_get(dev_id, &dev_info);
+ struct rte_crypto_ecdsa_capability capa = {
+ .curves = RTE_BIT32(input_params.curve)
+ };
+
+ idx.type = RTE_CRYPTO_ASYM_XFORM_ECPM;
+ capabilities = rte_cryptodev_asym_capability_get(dev_id,
+ (const struct
+ rte_cryptodev_asym_capability_idx *) &idx);
+
+ if (capabilities == NULL) {
+ status = TEST_SKIPPED;
+ goto exit;
+ }
+ if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
+ status = TEST_SKIPPED;
+ goto exit;
+ }
+
/* Setup crypto op data structure */
op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
if (op == NULL) {
@@ -2124,6 +2233,8 @@ test_ecpm_all_curve(void)
status = test_ecpm(curve_id);
if (status == TEST_SUCCESS) {
msg = "succeeded";
+ } else if (status == TEST_SKIPPED) {
+ continue;
} else {
msg = "failed";
overall_status = status;
@@ -2162,7 +2273,12 @@ static struct unit_test_suite cryptodev_qat_asym_testsuite = {
.setup = testsuite_setup,
.teardown = testsuite_teardown,
.unit_test_cases = {
+ TEST_CASE_ST(ut_setup_asym, ut_teardown_asym, test_capability),
TEST_CASE_ST(ut_setup_asym, ut_teardown_asym, test_one_by_one),
+ TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
+ test_ecdsa_sign_verify_all_curve),
+ TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
+ test_ecpm_all_curve),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_event_crypto_adapter.c b/app/test/test_event_crypto_adapter.c
index 2ecc7e2cea..9a62241371 100644
--- a/app/test/test_event_crypto_adapter.c
+++ b/app/test/test_event_crypto_adapter.c
@@ -450,7 +450,7 @@ test_session_with_op_forward_mode(void)
static int
test_asym_op_forward_mode(uint8_t session_less)
{
- const struct rte_cryptodev_asymmetric_xform_capability *capability;
+ const struct rte_cryptodev_asymmetric_capability *capability;
struct rte_cryptodev_asym_capability_idx cap_idx;
struct rte_crypto_asym_xform xform_tc;
union rte_event_crypto_metadata m_data;
@@ -458,6 +458,7 @@ test_asym_op_forward_mode(uint8_t session_less)
struct rte_crypto_asym_op *asym_op;
struct rte_crypto_op *op;
uint8_t input[4096] = {0};
+ struct rte_crypto_mod_capability mod_capa = {0};
uint8_t *result = NULL;
struct rte_event ev;
void *sess = NULL;
@@ -503,8 +504,9 @@ test_asym_op_forward_mode(uint8_t session_less)
asym_op->modex.base.length = modex_test_case.base.len;
asym_op->modex.result.data = result;
asym_op->modex.result.length = modex_test_case.result_len;
- if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
- xform_tc.modex.modulus.length)) {
+
+ mod_capa.max_mod_size = xform_tc.modex.modulus.length;
+ if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
RTE_LOG(INFO, USER1,
"line %u FAILED: %s", __LINE__,
"Invalid MODULUS length specified");
@@ -784,7 +786,7 @@ test_session_with_op_new_mode(void)
static int
test_asym_op_new_mode(uint8_t session_less)
{
- const struct rte_cryptodev_asymmetric_xform_capability *capability;
+ const struct rte_cryptodev_asymmetric_capability *capability;
struct rte_cryptodev_asym_capability_idx cap_idx;
struct rte_crypto_asym_xform xform_tc;
union rte_event_crypto_metadata m_data;
@@ -792,6 +794,7 @@ test_asym_op_new_mode(uint8_t session_less)
struct rte_crypto_asym_op *asym_op;
struct rte_crypto_op *op;
uint8_t input[4096] = {0};
+ struct rte_crypto_mod_capability mod_capa = {0};
uint8_t *result = NULL;
void *sess = NULL;
uint32_t cap;
@@ -835,8 +838,9 @@ test_asym_op_new_mode(uint8_t session_less)
asym_op->modex.base.length = modex_test_case.base.len;
asym_op->modex.result.data = result;
asym_op->modex.result.length = modex_test_case.result_len;
- if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
- xform_tc.modex.modulus.length)) {
+
+ mod_capa.max_mod_size = xform_tc.modex.modulus.length;
+ if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
RTE_LOG(INFO, USER1,
"line %u FAILED: %s", __LINE__,
"Invalid MODULUS length specified");
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 16ec5e15eb..e734fc2a69 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -7,6 +7,7 @@
#include <rte_common.h>
#include <rte_malloc.h>
#include <cryptodev_pmd.h>
+#include <rte_bitops.h>
#include "openssl_pmd_private.h"
#include "compat.h"
@@ -470,103 +471,82 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
}, }
}, }
},
- { /* RSA */
+ { /* Modular exponentiation */
.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
{.asym = {
- .xform_capa = {
- .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
- .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
- (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
- (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
- (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
- {
- .modlen = {
- /* min length is based on openssl rsa keygen */
- .min = 30,
- /* value 0 symbolizes no limit on max length */
- .max = 0,
- .increment = 1
- }, }
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
+ .mod = {
+ .max_mod_size = 0
+ }
}
- },
}
},
- { /* modexp */
+ { /* Modular multiplicative inverse */
.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
{.asym = {
- .xform_capa = {
- .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
- .op_types = 0,
- {
- .modlen = {
- /* value 0 symbolizes no limit on min length */
- .min = 0,
- /* value 0 symbolizes no limit on max length */
- .max = 0,
- .increment = 1
- }, }
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
+ .mod = {
+ .max_mod_size = 0
+ }
}
- },
}
},
- { /* modinv */
+ { /* RSA */
.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
{.asym = {
- .xform_capa = {
- .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
- .op_types = 0,
- {
- .modlen = {
- /* value 0 symbolizes no limit on min length */
- .min = 0,
- /* value 0 symbolizes no limit on max length */
- .max = 0,
- .increment = 1
- }, }
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
+ .rsa = {
+ .padding =
+ RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE) |
+ RTE_BIT32(RTE_CRYPTO_RSA_PADDING_PKCS1_5),
+ .hash =
+ RTE_BIT32(RTE_CRYPTO_AUTH_MD5) |
+ RTE_BIT32(RTE_CRYPTO_AUTH_SHA1) |
+ RTE_BIT32(RTE_CRYPTO_AUTH_SHA224) |
+ RTE_BIT32(RTE_CRYPTO_AUTH_SHA256) |
+ RTE_BIT32(RTE_CRYPTO_AUTH_SHA384) |
+ RTE_BIT32(RTE_CRYPTO_AUTH_SHA512),
+ .max_key_size = 0
+ }
}
- },
}
},
- { /* dh */
+ { /* Diffie-Hellman */
.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
{.asym = {
- .xform_capa = {
- .xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
- .op_types =
- ((1<<RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) |
- (1 << RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE |
- (1 <<
- RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE))),
- {
- .modlen = {
- /* value 0 symbolizes no limit on min length */
- .min = 0,
- /* value 0 symbolizes no limit on max length */
- .max = 0,
- .increment = 1
- }, }
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
+ .dh = {
+ .max_group_size = 0,
+ .priv_key_gen = 1
+ }
}
- },
}
},
- { /* dsa */
+ { /* DSA */
.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
{.asym = {
- .xform_capa = {
- .xform_type = RTE_CRYPTO_ASYM_XFORM_DSA,
- .op_types =
- ((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
- (1 << RTE_CRYPTO_ASYM_OP_VERIFY)),
- {
- .modlen = {
- /* value 0 symbolizes no limit on min length */
- .min = 0,
- /* value 0 symbolizes no limit on max length */
- .max = 0,
- .increment = 1
- }, }
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_DSA,
+ .dsa = {
+ .max_key_size = 0,
+ .random_k = 1
+ }
+ }
+ }
+ },
+ { /* ECDSA */
+ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+ {.asym = {
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
+ .ecdsa = {
+ .curves =
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP192R1) |
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP224R1) |
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP384R1) |
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
+ .random_k = 1
+ }
}
- },
}
},
diff --git a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
index 4499fdaf2d..d5144bca84 100644
--- a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
@@ -28,16 +28,64 @@ struct rte_cryptodev_ops qat_asym_crypto_ops_gen1 = {
};
static struct rte_cryptodev_capabilities qat_asym_crypto_caps_gen1[] = {
- QAT_ASYM_CAP(MODEX,
- 0, 1, 512, 1),
- QAT_ASYM_CAP(MODINV,
- 0, 1, 512, 1),
- QAT_ASYM_CAP(RSA,
- ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
- (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
- (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
- (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
- 64, 512, 64),
+ { /* Modular exponentiation */
+ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+ {.asym = {
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
+ .mod = {
+ .max_mod_size = 4096
+ }
+ }
+ }
+ },
+ { /* Modular multiplicative inverse */
+ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+ {.asym = {
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
+ .mod = {
+ .max_mod_size = 4096
+ }
+ }
+ }
+ },
+ { /* RSA */
+ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+ {.asym = {
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
+ .rsa = {
+ .padding =
+ RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE),
+ .hash = 0,
+ .max_key_size = 4096
+ }
+ }
+ }
+ },
+ { /* ECDSA */
+ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+ {.asym = {
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
+ .ecdsa = {
+ .curves =
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
+ .random_k = 0
+ }
+ }
+ }
+ },
+ { /* ECPM */
+ .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+ {.asym = {
+ .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM,
+ .ecdsa = {
+ .curves =
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
+ RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1)
+ }
+ }
+ }
+ },
RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
};
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index d90a7a1957..41b22450d3 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -41,6 +41,14 @@ rte_crypto_asym_ke_strings[];
extern const char *
rte_crypto_asym_op_strings[];
+/** RSA padding type name strings */
+extern const char *
+rte_crypto_asym_rsa_padding[];
+
+/** Elliptic curves name strings */
+extern const char *
+rte_crypto_curves_strings[];
+
/**
* Buffer to hold crypto params required for asym operations.
*
@@ -265,6 +273,46 @@ struct rte_crypto_rsa_padding {
*/
};
+struct rte_crypto_mod_capability {
+ uint16_t max_mod_size;
+ /**< Maximum supported modulus size in bytes, 0 means no limit */
+};
+
+struct rte_crypto_rsa_capability {
+ uint32_t padding;
+ /**< List of supported paddings */
+ uint32_t hash;
+ /**< List of supported hash functions */
+ uint32_t max_key_size;
+ /**< Maximum supported key size in bytes, 0 means no limit */
+};
+
+struct rte_crypto_dh_capability {
+ uint16_t max_group_size;
+ /**< Maximum group in bytes, 0 means no limit */
+ uint8_t priv_key_gen;
+ /**< Does PMD supports private key generation generation */
+};
+
+struct rte_crypto_dsa_capability {
+ uint16_t max_key_size;
+ /**< Maximum supported key size in bytes, 0 means no limit */
+ uint8_t random_k;
+ /**< Does PMD supports random 'k' generation */
+};
+
+struct rte_crypto_ecdsa_capability {
+ uint64_t curves;
+ /**< Supported elliptic curve ids */
+ uint8_t random_k;
+ /**< Does PMD supports random 'k' generation */
+};
+
+struct rte_crypto_ecpm_capability {
+ uint64_t curves;
+ /**< Supported elliptic curve ids */
+};
+
/**
* Asymmetric RSA transform data
*
diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
index 57ee6b3f07..b1ad1112fe 100644
--- a/lib/cryptodev/rte_cryptodev.c
+++ b/lib/cryptodev/rte_cryptodev.c
@@ -190,6 +190,27 @@ const char *rte_crypto_asym_ke_strings[] = {
};
/**
+ * RSA padding string identifiers
+ */
+const char *rte_crypto_asym_rsa_padding[] = {
+ [RTE_CRYPTO_RSA_PADDING_NONE] = "RTE_CRYPTO_RSA_PADDING_NONE",
+ [RTE_CRYPTO_RSA_PADDING_PKCS1_5] = "RTE_CRYPTO_RSA_PADDING_PKCS1_5",
+ [RTE_CRYPTO_RSA_PADDING_OAEP] = "RTE_CRYPTO_RSA_PADDING_OAEP",
+ [RTE_CRYPTO_RSA_PADDING_PSS] = "RTE_CRYPTO_RSA_PADDING_PSS"
+};
+
+/**
+ * Elliptic curves string identifiers
+ */
+const char *rte_crypto_curves_strings[] = {
+ [RTE_CRYPTO_EC_GROUP_SECP192R1] = "RTE_CRYPTO_EC_GROUP_SECP192R1",
+ [RTE_CRYPTO_EC_GROUP_SECP224R1] = "RTE_CRYPTO_EC_GROUP_SECP224R1",
+ [RTE_CRYPTO_EC_GROUP_SECP256R1] = "RTE_CRYPTO_EC_GROUP_SECP256R1",
+ [RTE_CRYPTO_EC_GROUP_SECP384R1] = "RTE_CRYPTO_EC_GROUP_SECP384R1",
+ [RTE_CRYPTO_EC_GROUP_SECP521R1] = "RTE_CRYPTO_EC_GROUP_SECP521R1",
+};
+
+/**
* The private data structure stored in the sym session mempool private data.
*/
struct rte_cryptodev_sym_session_pool_private_data {
@@ -347,7 +368,7 @@ param_range_check(uint16_t size, const struct rte_crypto_param_range *range)
return -1;
}
-const struct rte_cryptodev_asymmetric_xform_capability *
+const struct rte_cryptodev_asymmetric_capability *
rte_cryptodev_asym_capability_get(uint8_t dev_id,
const struct rte_cryptodev_asym_capability_idx *idx)
{
@@ -363,8 +384,8 @@ rte_cryptodev_asym_capability_get(uint8_t dev_id,
if (capability->op != RTE_CRYPTO_OP_TYPE_ASYMMETRIC)
continue;
- if (capability->asym.xform_capa.xform_type == idx->type)
- return &capability->asym.xform_capa;
+ if (capability->asym.xform_type == idx->type)
+ return &capability->asym;
}
return NULL;
};
@@ -456,6 +477,59 @@ rte_cryptodev_asym_xform_capability_check_modlen(
return 0;
}
+int
+rte_cryptodev_capa_check_mod(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_mod_capability mod)
+{
+ if (capa->mod.max_mod_size == 0)
+ return 1;
+
+ if (mod.max_mod_size <= capa->mod.max_mod_size)
+ return 1;
+ else
+ return 0;
+}
+
+int
+rte_cryptodev_capa_check_rsa(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_rsa_capability rsa)
+{
+ if (rsa.padding != (capa->rsa.padding & rsa.padding))
+ return 0;
+ if (rsa.hash != (capa->rsa.hash & rsa.hash))
+ return 0;
+ if (capa->rsa.max_key_size == 0)
+ return 1;
+ if (rsa.max_key_size <= capa->rsa.max_key_size)
+ return 1;
+ else
+ return 0;
+}
+
+int
+rte_cryptodev_capa_check_ecdsa(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_ecdsa_capability ecdsa)
+{
+ if (ecdsa.curves != (capa->ecdsa.curves & ecdsa.curves))
+ return 0;
+ if (ecdsa.random_k == 1 && capa->ecdsa.random_k == 0)
+ return 0;
+ return 1;
+}
+
+int
+rte_cryptodev_capa_check_ecpm(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_ecpm_capability ecpm)
+{
+ if (ecpm.curves != (capa->ecpm.curves & ecpm.curves))
+ return 0;
+ return 1;
+}
+
/* spinlock for crypto device enq callbacks */
static rte_spinlock_t rte_cryptodev_callback_lock = RTE_SPINLOCK_INITIALIZER;
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index 2c2c2edeb7..6c5bd819b2 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -184,6 +184,19 @@ struct rte_cryptodev_asymmetric_xform_capability {
*
*/
struct rte_cryptodev_asymmetric_capability {
+ enum rte_crypto_asym_xform_type xform_type;
+ /**< Asymmetric transform type */
+ uint32_t op_types;
+ /**< bitmask for supported rte_crypto_asym_op_type */
+ union {
+ struct rte_crypto_mod_capability mod;
+ struct rte_crypto_rsa_capability rsa;
+ struct rte_crypto_dh_capability dh;
+ struct rte_crypto_dsa_capability dsa;
+ struct rte_crypto_ecdsa_capability ecdsa;
+ struct rte_crypto_ecpm_capability ecpm;
+ };
+
struct rte_cryptodev_asymmetric_xform_capability xform_capa;
};
@@ -247,7 +260,7 @@ rte_cryptodev_sym_capability_get(uint8_t dev_id,
* - Return NULL if the capability not exist.
*/
__rte_experimental
-const struct rte_cryptodev_asymmetric_xform_capability *
+const struct rte_cryptodev_asymmetric_capability *
rte_cryptodev_asym_capability_get(uint8_t dev_id,
const struct rte_cryptodev_asym_capability_idx *idx);
@@ -339,6 +352,66 @@ rte_cryptodev_asym_xform_capability_check_modlen(
uint16_t modlen);
/**
+ * Check if requested Modexp features are supported
+ *
+ * @param capability Description of the asymmetric crypto capability.
+ * @param mod Modexp requested capability.
+ *
+ * @return
+ * - Return 1 if the parameters are in range of the capability.
+ * - Return 0 if the parameters are out of range of the capability.
+ */
+__rte_experimental
+int
+rte_cryptodev_capa_check_mod(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_mod_capability mod);
+/**
+ * Check if requested RSA features are supported
+ *
+ * @param capability Description of the asymmetric crypto capability.
+ * @param rsa RSA requested capability.
+ *
+ * @return
+ * - Return 1 if the parameters are in range of the capability.
+ * - Return 0 if the parameters are out of range of the capability.
+ */
+__rte_experimental
+int
+rte_cryptodev_capa_check_rsa(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_rsa_capability rsa);
+/**
+ * Check if requested ECDSA features are supported
+ *
+ * @param capability Description of the asymmetric crypto capability.
+ * @param ecdsa ECDSA requested capability.
+ *
+ * @return
+ * - Return 1 if the parameters are in range of the capability.
+ * - Return 0 if the parameters are out of range of the capability.
+ */
+__rte_experimental
+int
+rte_cryptodev_capa_check_ecdsa(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_ecdsa_capability ecdsa);
+/**
+ * Check if requested ECPM features are supported
+ *
+ * @param capability Description of the asymmetric crypto capability.
+ * @param ecpm ECPM requested capability.
+ *
+ * @return
+ * - Return 1 if the parameters are in range of the capability.
+ * - Return 0 if the parameters are out of range of the capability.
+ */
+__rte_experimental
+int
+rte_cryptodev_capa_check_ecpm(
+ const struct rte_cryptodev_asymmetric_capability *capa,
+ struct rte_crypto_ecpm_capability ecpm);
+/**
* Provide the cipher algorithm enum, given an algorithm string
*
* @param algo_enum A pointer to the cipher algorithm
diff --git a/lib/cryptodev/version.map b/lib/cryptodev/version.map
index f0abfaa47d..4d93b9a947 100644
--- a/lib/cryptodev/version.map
+++ b/lib/cryptodev/version.map
@@ -108,6 +108,10 @@ EXPERIMENTAL {
#added in 22.07
rte_cryptodev_session_event_mdata_set;
+ rte_cryptodev_capa_check_mod;
+ rte_cryptodev_capa_check_rsa;
+ rte_cryptodev_capa_check_ecdsa;
+ rte_cryptodev_capa_check_ecpm;
};
INTERNAL {
--
2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 01/14] cryptodev: redefine ec group enum
2022-05-25 15:53 ` [PATCH v2 01/14] cryptodev: redefine ec group enum Arek Kusztal
@ 2022-05-26 9:40 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 9:40 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - EC enum was renamed to rte_crypto_curve_id.
> Elliptic curve enum name was incorrectly associated
> with group (it comes from current tls registry name).
> - Clarified comments about TLS deprecation.
> Some curves included are deprecated with TLS 1.3.
> Comments to address it were added.
> - Clarified FFDH groups usage.
> Elliptic curves IDs in TLS are placed in the same registry
> as FFDH. Cryptodev does not assign specific groups, and
> if specific groups would be assigned by DPDK, it cannot be
> TLS SupportedGroups registry, as it would conflict with
> other protocols like IPSec.
> - Added IANA reference.
> Only few selected curves are included in previously
> referenced rfc8422. IANA reference is added instead.
> - Removed UNKNOWN ec group.
> There is no default value, and there is no UNKNOWN
> elliptic curve.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 16 ++++++++++------
> 1 file changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index cd24d4b07b..7206652458 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -38,16 +38,20 @@ extern const char *
> rte_crypto_asym_op_strings[];
>
> /**
> - * TLS named curves
> - * https://datatracker.ietf.org/doc/html/rfc8422
> + * List of elliptic curves. This enum aligns with
> + * TLS "Supported Groups" registry (previously known as
> + * NamedCurve registry). FFDH groups are not, and will not
> + * be included in this list.
> + * Deprecation for selected curve in tls does not deprecate
Minor nit.
tls->TLS
With this fixed,
Acked-by: Akhil Goyal <gakhil@marvell.com>
> + * the selected curve in Cryptodev.
> + * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
> */
> -enum rte_crypto_ec_group {
> - RTE_CRYPTO_EC_GROUP_UNKNOWN = 0,
> +enum rte_crypto_curve_id {
> RTE_CRYPTO_EC_GROUP_SECP192R1 = 19,
> RTE_CRYPTO_EC_GROUP_SECP224R1 = 21,
> RTE_CRYPTO_EC_GROUP_SECP256R1 = 23,
> RTE_CRYPTO_EC_GROUP_SECP384R1 = 24,
> - RTE_CRYPTO_EC_GROUP_SECP521R1 = 25,
> + RTE_CRYPTO_EC_GROUP_SECP521R1 = 25
> };
>
> /**
> @@ -294,7 +298,7 @@ struct rte_crypto_dsa_xform {
> *
> */
> struct rte_crypto_ec_xform {
> - enum rte_crypto_ec_group curve_id;
> + enum rte_crypto_curve_id curve_id;
> /**< Pre-defined ec groups */
> };
>
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform
2022-05-25 15:53 ` [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform Arek Kusztal
@ 2022-05-26 9:52 ` Akhil Goyal
2022-05-26 10:03 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 9:52 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Reduced number of comments in asymmetric xform.
> Information describing basic functionality of well known
> algorithms are unnecessary.
> - Removed NONE asymetric xform.
I commented on v1 not to remove this and I do not see comment from your side
for removing it.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> app/test/test_cryptodev_asym.c | 2 -
> lib/cryptodev/rte_crypto_asym.h | 114 ++++++++++++++++------------------------
> lib/cryptodev/rte_cryptodev.c | 1 -
> 3 files changed, 46 insertions(+), 71 deletions(-)
>
> diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
> index 573af2a537..5aa9d65395 100644
> --- a/app/test/test_cryptodev_asym.c
> +++ b/app/test/test_cryptodev_asym.c
> @@ -288,7 +288,6 @@ test_cryptodev_asym_ver(struct rte_crypto_op *op,
> break;
> case RTE_CRYPTO_ASYM_XFORM_DH:
> case RTE_CRYPTO_ASYM_XFORM_DSA:
> - case RTE_CRYPTO_ASYM_XFORM_NONE:
> case RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED:
> default:
> break;
> @@ -440,7 +439,6 @@ test_cryptodev_asym_op(struct
> crypto_testsuite_params_asym *ts_params,
> break;
> case RTE_CRYPTO_ASYM_XFORM_DH:
> case RTE_CRYPTO_ASYM_XFORM_DSA:
> - case RTE_CRYPTO_ASYM_XFORM_NONE:
> case RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED:
> default:
> snprintf(test_msg, ASYM_TEST_MSG_LEN,
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 7206652458..66ffb29743 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -38,6 +38,40 @@ extern const char *
> rte_crypto_asym_op_strings[];
>
> /**
> + * Buffer to hold crypto params required for asym operations.
> + *
> + * These buffers can be used for both input to PMD and output from PMD.
> When
> + * used for output from PMD, application has to ensure the buffer is large
> + * enough to hold the target data.
> + *
> + * If an operation requires the PMD to generate a random number,
> + * and the device supports CSRNG, 'data' should be set to NULL.
> + * The crypto parameter in question will not be used by the PMD,
> + * as it is internally generated.
> + */
> +typedef struct rte_crypto_param_t {
> + uint8_t *data;
> + /**< pointer to buffer holding data */
> + rte_iova_t iova;
> + /**< IO address of data buffer */
> + size_t length;
> + /**< length of data in bytes */
> +} rte_crypto_param;
> +
> +/** Unsigned big-integer in big-endian format */
> +typedef rte_crypto_param rte_crypto_uint;
> +
> +/**
> + * Structure for elliptic curve point
> + */
> +struct rte_crypto_ec_point {
> + rte_crypto_param x;
> + /**< X coordinate */
> + rte_crypto_param y;
> + /**< Y coordinate */
> +};
Why is this movement of code done?
> +
> +/**
> * List of elliptic curves. This enum aligns with
> * TLS "Supported Groups" registry (previously known as
> * NamedCurve registry). FFDH groups are not, and will not
> @@ -55,46 +89,23 @@ enum rte_crypto_curve_id {
> };
>
> /**
> - * Asymmetric crypto transformation types.
> - * Each xform type maps to one asymmetric algorithm
> - * performing specific operation
> - *
> + * Asymmetric crypto algorithms
Since you are deferring the change for xform, it is better to keep the
Above description as well. So no need for this above change.
> */
> enum rte_crypto_asym_xform_type {
> - RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED = 0,
> + RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED,
> /**< Invalid xform. */
> - RTE_CRYPTO_ASYM_XFORM_NONE,
> - /**< Xform type None.
> - * May be supported by PMD to support
> - * passthrough op for debugging purpose.
> - * if xform_type none , op_type is disregarded.
> - */
> RTE_CRYPTO_ASYM_XFORM_RSA,
> - /**< RSA. Performs Encrypt, Decrypt, Sign and Verify.
> - * Refer to rte_crypto_asym_op_type
> - */
> + /**< RSA */
I believe it is better to have a short one line description is good to have
For someone who is new to asymmetric cryptography.
You can remove "* Refer to rte_crypto_asym_op_type "
> RTE_CRYPTO_ASYM_XFORM_DH,
> - /**< Diffie-Hellman.
> - * Performs Key Generate and Shared Secret Compute.
> - * Refer to rte_crypto_asym_op_type
> - */
> + /**< Diffie-Hellman */
> RTE_CRYPTO_ASYM_XFORM_DSA,
> - /**< Digital Signature Algorithm
> - * Performs Signature Generation and Verification.
> - * Refer to rte_crypto_asym_op_type
> - */
> + /**< Digital Signature Algorithm */
> RTE_CRYPTO_ASYM_XFORM_MODINV,
> - /**< Modular Multiplicative Inverse
> - * Perform Modular Multiplicative Inverse b^(-1) mod n
> - */
> + /**< Modular Multiplicative Inverse */
> RTE_CRYPTO_ASYM_XFORM_MODEX,
> - /**< Modular Exponentiation
> - * Perform Modular Exponentiation b^e mod n
> - */
> + /**< Modular Exponentiation */
> RTE_CRYPTO_ASYM_XFORM_ECDSA,
> - /**< Elliptic Curve Digital Signature Algorithm
> - * Perform Signature Generation and Verification.
> - */
> + /**< Elliptic Curve Digital Signature Algorithm */
> RTE_CRYPTO_ASYM_XFORM_ECPM,
> /**< Elliptic Curve Point Multiplication */
> RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> @@ -126,11 +137,12 @@ enum rte_crypto_asym_op_type {
> * Padding types for RSA signature.
> */
> enum rte_crypto_rsa_padding_type {
> - RTE_CRYPTO_RSA_PADDING_NONE = 0,
> + RTE_CRYPTO_RSA_PADDING_NONE,
> /**< RSA no padding scheme */
> RTE_CRYPTO_RSA_PADDING_PKCS1_5,
> - /**< RSA PKCS#1 PKCS1-v1_5 padding scheme. For signatures block type
> 01,
> - * for encryption block type 02 are used.
> + /**< RSA PKCS#1 PKCS1-v1_5 padding scheme.
> + * For signatures block type 01, for encryption
> + * block type 02 are used.
> */
> RTE_CRYPTO_RSA_PADDING_OAEP,
> /**< RSA PKCS#1 OAEP padding scheme */
> @@ -156,40 +168,6 @@ enum rte_crypto_rsa_priv_key_type {
> };
>
> /**
> - * Buffer to hold crypto params required for asym operations.
> - *
> - * These buffers can be used for both input to PMD and output from PMD.
> When
> - * used for output from PMD, application has to ensure the buffer is large
> - * enough to hold the target data.
> - *
> - * If an operation requires the PMD to generate a random number,
> - * and the device supports CSRNG, 'data' should be set to NULL.
> - * The crypto parameter in question will not be used by the PMD,
> - * as it is internally generated.
> - */
> -typedef struct rte_crypto_param_t {
> - uint8_t *data;
> - /**< pointer to buffer holding data */
> - rte_iova_t iova;
> - /**< IO address of data buffer */
> - size_t length;
> - /**< length of data in bytes */
> -} rte_crypto_param;
> -
> -/** Unsigned big-integer in big-endian format */
> -typedef rte_crypto_param rte_crypto_uint;
> -
> -/**
> - * Structure for elliptic curve point
> - */
> -struct rte_crypto_ec_point {
> - rte_crypto_param x;
> - /**< X coordinate */
> - rte_crypto_param y;
> - /**< Y coordinate */
> -};
> -
> -/**
> * Structure describing RSA private key in quintuple format.
> * See PKCS V1.5 RSA Cryptography Standard.
> */
> diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
> index e16e6802aa..691625bd04 100644
> --- a/lib/cryptodev/rte_cryptodev.c
> +++ b/lib/cryptodev/rte_cryptodev.c
> @@ -160,7 +160,6 @@ rte_crypto_aead_operation_strings[] = {
> * Asymmetric crypto transform operation strings identifiers.
> */
> const char *rte_crypto_asym_xform_strings[] = {
> - [RTE_CRYPTO_ASYM_XFORM_NONE] = "none",
> [RTE_CRYPTO_ASYM_XFORM_RSA] = "rsa",
> [RTE_CRYPTO_ASYM_XFORM_MODEX] = "modexp",
> [RTE_CRYPTO_ASYM_XFORM_MODINV] = "modinv",
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform
2022-05-26 9:52 ` [EXT] " Akhil Goyal
@ 2022-05-26 10:03 ` Kusztal, ArkadiuszX
0 siblings, 0 replies; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 10:03 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 11:52 AM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 02/14] cryptodev: reduce number of comments in
> asym xform
>
> > - Reduced number of comments in asymmetric xform.
> > Information describing basic functionality of well known algorithms
> > are unnecessary.
> > - Removed NONE asymetric xform.
>
> I commented on v1 not to remove this and I do not see comment from your side
> for removing it.
[Arek] - yeah, sorry for that, I will keep it in v3.
>
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> > app/test/test_cryptodev_asym.c | 2 -
> > lib/cryptodev/rte_crypto_asym.h | 114 ++++++++++++++++-----------------------
> -
> > lib/cryptodev/rte_cryptodev.c | 1 -
> > 3 files changed, 46 insertions(+), 71 deletions(-)
> >
> > diff --git a/app/test/test_cryptodev_asym.c
> > b/app/test/test_cryptodev_asym.c index 573af2a537..5aa9d65395 100644
> > --- a/app/test/test_cryptodev_asym.c
> > +++ b/app/test/test_cryptodev_asym.c
> > @@ -288,7 +288,6 @@ test_cryptodev_asym_ver(struct rte_crypto_op *op,
> > break;
> > case RTE_CRYPTO_ASYM_XFORM_DH:
> > case RTE_CRYPTO_ASYM_XFORM_DSA:
> > - case RTE_CRYPTO_ASYM_XFORM_NONE:
> > case RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED:
> > default:
> > break;
> > @@ -440,7 +439,6 @@ test_cryptodev_asym_op(struct
> > crypto_testsuite_params_asym *ts_params,
> > break;
> > case RTE_CRYPTO_ASYM_XFORM_DH:
> > case RTE_CRYPTO_ASYM_XFORM_DSA:
> > - case RTE_CRYPTO_ASYM_XFORM_NONE:
> > case RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED:
> > default:
> > snprintf(test_msg, ASYM_TEST_MSG_LEN, diff --git
> > a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> > index 7206652458..66ffb29743 100644
> > --- a/lib/cryptodev/rte_crypto_asym.h
> > +++ b/lib/cryptodev/rte_crypto_asym.h
> > @@ -38,6 +38,40 @@ extern const char * rte_crypto_asym_op_strings[];
> >
> > /**
> > + * Buffer to hold crypto params required for asym operations.
> > + *
> > + * These buffers can be used for both input to PMD and output from PMD.
> > When
> > + * used for output from PMD, application has to ensure the buffer is
> > +large
> > + * enough to hold the target data.
> > + *
> > + * If an operation requires the PMD to generate a random number,
> > + * and the device supports CSRNG, 'data' should be set to NULL.
> > + * The crypto parameter in question will not be used by the PMD,
> > + * as it is internally generated.
> > + */
> > +typedef struct rte_crypto_param_t {
> > + uint8_t *data;
> > + /**< pointer to buffer holding data */
> > + rte_iova_t iova;
> > + /**< IO address of data buffer */
> > + size_t length;
> > + /**< length of data in bytes */
> > +} rte_crypto_param;
> > +
> > +/** Unsigned big-integer in big-endian format */ typedef
> > +rte_crypto_param rte_crypto_uint;
> > +
> > +/**
> > + * Structure for elliptic curve point */ struct rte_crypto_ec_point
> > +{
> > + rte_crypto_param x;
> > + /**< X coordinate */
> > + rte_crypto_param y;
> > + /**< Y coordinate */
> > +};
>
> Why is this movement of code done?
[Arek] - well this was to be part of previous patches accepted in last release. It just look more clear having this structs on top. But this is matter of opinion, can be dropped from v3.
But we need to keep in mind that there is already structure like crypto_param -> crypto_vec, and we discussed last release to unify it. Especially that tot_len in rte_crypto_vec would be bit more useful in asymmetric cryptography than symmetric. But definitely not before RC1
>
> > +
> > +/**
> > * List of elliptic curves. This enum aligns with
> > * TLS "Supported Groups" registry (previously known as
> > * NamedCurve registry). FFDH groups are not, and will not @@ -55,46
> > +89,23 @@ enum rte_crypto_curve_id { };
> >
> > /**
> > - * Asymmetric crypto transformation types.
> > - * Each xform type maps to one asymmetric algorithm
> > - * performing specific operation
> > - *
> > + * Asymmetric crypto algorithms
>
> Since you are deferring the change for xform, it is better to keep the Above
> description as well. So no need for this above change.
+1
>
> > */
> > enum rte_crypto_asym_xform_type {
> > - RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED = 0,
> > + RTE_CRYPTO_ASYM_XFORM_UNSPECIFIED,
> > /**< Invalid xform. */
> > - RTE_CRYPTO_ASYM_XFORM_NONE,
> > - /**< Xform type None.
> > - * May be supported by PMD to support
> > - * passthrough op for debugging purpose.
> > - * if xform_type none , op_type is disregarded.
> > - */
> > RTE_CRYPTO_ASYM_XFORM_RSA,
> > - /**< RSA. Performs Encrypt, Decrypt, Sign and Verify.
> > - * Refer to rte_crypto_asym_op_type
> > - */
> > + /**< RSA */
>
> I believe it is better to have a short one line description is good to have For
> someone who is new to asymmetric cryptography.
[Arek] - ok, so this patch probably could be dropped considering above comments.
>
> You can remove "* Refer to rte_crypto_asym_op_type "
>
> > RTE_CRYPTO_ASYM_XFORM_DH,
> > - /**< Diffie-Hellman.
> > - * Performs Key Generate and Shared Secret Compute.
> > - * Refer to rte_crypto_asym_op_type
> > - */
> > + /**< Diffie-Hellman */
> > RTE_CRYPTO_ASYM_XFORM_DSA,
> > - /**< Digital Signature Algorithm
> > - * Performs Signature Generation and Verification.
> > - * Refer to rte_crypto_asym_op_type
> > - */
> > + /**< Digital Signature Algorithm */
> > RTE_CRYPTO_ASYM_XFORM_MODINV,
> > - /**< Modular Multiplicative Inverse
> > - * Perform Modular Multiplicative Inverse b^(-1) mod n
> > - */
> > + /**< Modular Multiplicative Inverse */
> > RTE_CRYPTO_ASYM_XFORM_MODEX,
> > - /**< Modular Exponentiation
> > - * Perform Modular Exponentiation b^e mod n
> > - */
> > + /**< Modular Exponentiation */
> > RTE_CRYPTO_ASYM_XFORM_ECDSA,
> > - /**< Elliptic Curve Digital Signature Algorithm
> > - * Perform Signature Generation and Verification.
> > - */
> > + /**< Elliptic Curve Digital Signature Algorithm */
> > RTE_CRYPTO_ASYM_XFORM_ECPM,
> > /**< Elliptic Curve Point Multiplication */
> > RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> > @@ -126,11 +137,12 @@ enum rte_crypto_asym_op_type {
> > * Padding types for RSA signature.
> > */
> > enum rte_crypto_rsa_padding_type {
> > - RTE_CRYPTO_RSA_PADDING_NONE = 0,
> > + RTE_CRYPTO_RSA_PADDING_NONE,
> > /**< RSA no padding scheme */
> > RTE_CRYPTO_RSA_PADDING_PKCS1_5,
> > - /**< RSA PKCS#1 PKCS1-v1_5 padding scheme. For signatures block type
> > 01,
> > - * for encryption block type 02 are used.
> > + /**< RSA PKCS#1 PKCS1-v1_5 padding scheme.
> > + * For signatures block type 01, for encryption
> > + * block type 02 are used.
> > */
> > RTE_CRYPTO_RSA_PADDING_OAEP,
> > /**< RSA PKCS#1 OAEP padding scheme */ @@ -156,40 +168,6 @@
> enum
> > rte_crypto_rsa_priv_key_type { };
> >
> > /**
> > - * Buffer to hold crypto params required for asym operations.
> > - *
> > - * These buffers can be used for both input to PMD and output from PMD.
> > When
> > - * used for output from PMD, application has to ensure the buffer is
> > large
> > - * enough to hold the target data.
> > - *
> > - * If an operation requires the PMD to generate a random number,
> > - * and the device supports CSRNG, 'data' should be set to NULL.
> > - * The crypto parameter in question will not be used by the PMD,
> > - * as it is internally generated.
> > - */
> > -typedef struct rte_crypto_param_t {
> > - uint8_t *data;
> > - /**< pointer to buffer holding data */
> > - rte_iova_t iova;
> > - /**< IO address of data buffer */
> > - size_t length;
> > - /**< length of data in bytes */
> > -} rte_crypto_param;
> > -
> > -/** Unsigned big-integer in big-endian format */ -typedef
> > rte_crypto_param rte_crypto_uint;
> > -
> > -/**
> > - * Structure for elliptic curve point
> > - */
> > -struct rte_crypto_ec_point {
> > - rte_crypto_param x;
> > - /**< X coordinate */
> > - rte_crypto_param y;
> > - /**< Y coordinate */
> > -};
> > -
> > -/**
> > * Structure describing RSA private key in quintuple format.
> > * See PKCS V1.5 RSA Cryptography Standard.
> > */
> > diff --git a/lib/cryptodev/rte_cryptodev.c
> > b/lib/cryptodev/rte_cryptodev.c index e16e6802aa..691625bd04 100644
> > --- a/lib/cryptodev/rte_cryptodev.c
> > +++ b/lib/cryptodev/rte_cryptodev.c
> > @@ -160,7 +160,6 @@ rte_crypto_aead_operation_strings[] = {
> > * Asymmetric crypto transform operation strings identifiers.
> > */
> > const char *rte_crypto_asym_xform_strings[] = {
> > - [RTE_CRYPTO_ASYM_XFORM_NONE] = "none",
> > [RTE_CRYPTO_ASYM_XFORM_RSA] = "rsa",
> > [RTE_CRYPTO_ASYM_XFORM_MODEX] = "modexp",
> > [RTE_CRYPTO_ASYM_XFORM_MODINV] = "modinv",
> > --
> > 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 03/14] cryptodev: separate key exchange operation enum
2022-05-25 15:53 ` [PATCH v2 03/14] cryptodev: separate key exchange operation enum Arek Kusztal
@ 2022-05-26 10:57 ` Akhil Goyal
2022-05-26 11:06 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 10:57 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> /**
> + * Asymmetric crypto key exchange operation type
> + */
> +enum rte_crypto_asym_ke_type {
> + RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE,
Is it better to shorten it to
RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE
RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE
> + /**< Private Key generation operation */
> + RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> + /**< Public Key generation operation */
> + RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> + /**< Shared Secret compute operation */
> +};
> +
> +/**
> * Padding types for RSA signature.
> */
> enum rte_crypto_rsa_padding_type {
> @@ -238,7 +248,7 @@ struct rte_crypto_modinv_xform {
> *
> */
> struct rte_crypto_dh_xform {
> - enum rte_crypto_asym_op_type type;
> + enum rte_crypto_asym_ke_type type;
> /**< Setup xform for key generate or shared secret compute */
> rte_crypto_uint p;
> /**< Prime modulus data */
> @@ -375,26 +385,27 @@ struct rte_crypto_rsa_op_param {
> struct rte_crypto_dh_op_param {
> rte_crypto_uint pub_key;
> /**<
> - * Output generated public key when xform type is
> - * DH PUB_KEY_GENERATION.
> - * Input peer public key when xform type is DH
> - * SHARED_SECRET_COMPUTATION
> + * Output - generated public key, when xform type is
It is not xform type, Right?
It should be key exchange type.
Check at other places also.
> + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> *
> + * Input - peer's public key, when xform type is
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> */
>
> rte_crypto_uint priv_key;
> /**<
> - * Output generated private key if xform type is
> - * DH PRIVATE_KEY_GENERATION
> - * Input when xform type is DH SHARED_SECRET_COMPUTATION.
> + * Output - generated private key, when xform type is
> + * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
> *
> + * Input - private key, when xform type is one of:
> + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> */
>
> rte_crypto_uint shared_secret;
> /**<
> - * Output with calculated shared secret
> - * when dh xform set up with op type =
> SHARED_SECRET_COMPUTATION.
> - *
> + * Output - calculated shared secret when xform type is
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> */
> };
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 04/14] cryptodev: remove comment about using ephemeral key in dsa
2022-05-25 15:53 ` [PATCH v2 04/14] cryptodev: remove comment about using ephemeral key in dsa Arek Kusztal
@ 2022-05-26 11:02 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:02 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> -----Original Message-----
> From: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> Sent: Wednesday, May 25, 2022 9:23 PM
> To: dev@dpdk.org
> Cc: Akhil Goyal <gakhil@marvell.com>; roy.fan.zhang@intel.com; Arek Kusztal
> <arkadiuszx.kusztal@intel.com>
> Subject: [EXT] [PATCH v2 04/14] cryptodev: remove comment about using
> ephemeral key in dsa
>
> External Email
>
> ----------------------------------------------------------------------
> - Removed comment that stated dsa can be used with Diffie
> Hellman ephemeral key.
> DH and DSA integration allowed to use ephemeral keys for
> random integer but not for private keys.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 8 +-------
> 1 file changed, 1 insertion(+), 7 deletions(-)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 2b427afa3f..ef8686fda8 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -270,13 +270,7 @@ struct rte_crypto_dsa_xform {
> rte_crypto_uint g;
> /**< Generator of the subgroup */
> rte_crypto_uint x;
> - /**< x: Private key of the signer in octet-string network
> - * byte order format.
> - * Used when app has pre-defined private key.
> - * Valid only when xform chain is DSA ONLY.
> - * if xform chain is DH private key generate + DSA, then DSA sign
> - * compute will use internally generated key.
> - */
> + /**< x: Private key of the signer */
> };
Acked-by: Akhil Goyal <gakhil@marvell.com>
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 05/14] cryptodev: clarify usage of private key in dh
2022-05-25 15:53 ` [PATCH v2 05/14] cryptodev: clarify usage of private key in dh Arek Kusztal
@ 2022-05-26 11:04 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:04 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Clarified usage of private key in Diffie-Hellman.
> CSRNG capable device should generate private key and then
> use it for public key generation.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index ef8686fda8..1a77a74478 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -394,6 +394,11 @@ struct rte_crypto_dh_op_param {
> * Input - private key, when xform type is one of:
> * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> + *
> + * In case priv_key.length is 0 and xform type is set with
> + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE, CSRNG capable
> + * device will generate private key and use it for public
> + * key generation.
> */
Capability for CSRNG?
Acked-by: Akhil Goyal <gakhil@marvell.com>
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 03/14] cryptodev: separate key exchange operation enum
2022-05-26 10:57 ` [EXT] " Akhil Goyal
@ 2022-05-26 11:06 ` Kusztal, ArkadiuszX
2022-05-26 11:09 ` Akhil Goyal
0 siblings, 1 reply; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 11:06 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 12:58 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 03/14] cryptodev: separate key exchange
> operation enum
>
> > /**
> > + * Asymmetric crypto key exchange operation type */ enum
> > +rte_crypto_asym_ke_type {
> > + RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE,
>
> Is it better to shorten it to
> RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE
> RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE
+1, Actually I am not big fan of having asym everywhere too.
RTE_CRYPTO_KE_PRIV_KEY_GENERATE would be equally good.
>
> > + /**< Private Key generation operation */
> > + RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> > + /**< Public Key generation operation */
> > + RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > + /**< Shared Secret compute operation */ };
> > +
> > +/**
> > * Padding types for RSA signature.
> > */
> > enum rte_crypto_rsa_padding_type {
> > @@ -238,7 +248,7 @@ struct rte_crypto_modinv_xform {
> > *
> > */
> > struct rte_crypto_dh_xform {
> > - enum rte_crypto_asym_op_type type;
> > + enum rte_crypto_asym_ke_type type;
> > /**< Setup xform for key generate or shared secret compute */
> > rte_crypto_uint p;
> > /**< Prime modulus data */
> > @@ -375,26 +385,27 @@ struct rte_crypto_rsa_op_param { struct
> > rte_crypto_dh_op_param {
> > rte_crypto_uint pub_key;
> > /**<
> > - * Output generated public key when xform type is
> > - * DH PUB_KEY_GENERATION.
> > - * Input peer public key when xform type is DH
> > - * SHARED_SECRET_COMPUTATION
> > + * Output - generated public key, when xform type is
>
> It is not xform type, Right?
> It should be key exchange type.
Yes, I meant xform op_type. Will change, leter it will be overwritten by move dh op patch too.
> Check at other places also.
>
> > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> > *
> > + * Input - peer's public key, when xform type is
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > */
> >
> > rte_crypto_uint priv_key;
> > /**<
> > - * Output generated private key if xform type is
> > - * DH PRIVATE_KEY_GENERATION
> > - * Input when xform type is DH SHARED_SECRET_COMPUTATION.
> > + * Output - generated private key, when xform type is
> > + * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
> > *
> > + * Input - private key, when xform type is one of:
> > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > */
> >
> > rte_crypto_uint shared_secret;
> > /**<
> > - * Output with calculated shared secret
> > - * when dh xform set up with op type =
> > SHARED_SECRET_COMPUTATION.
> > - *
> > + * Output - calculated shared secret when xform type is
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > */
> > };
> >
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 03/14] cryptodev: separate key exchange operation enum
2022-05-26 11:06 ` Kusztal, ArkadiuszX
@ 2022-05-26 11:09 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:09 UTC (permalink / raw)
To: Kusztal, ArkadiuszX, dev; +Cc: Zhang, Roy Fan
> > > /**
> > > + * Asymmetric crypto key exchange operation type */ enum
> > > +rte_crypto_asym_ke_type {
> > > + RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE,
> >
> > Is it better to shorten it to
> > RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE
> > RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE
> +1, Actually I am not big fan of having asym everywhere too.
> RTE_CRYPTO_KE_PRIV_KEY_GENERATE would be equally good.
It is better to keep ASYM, or else people might relate with IKE
> >
> > > + /**< Private Key generation operation */
> > > + RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> > > + /**< Public Key generation operation */
> > > + RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > > + /**< Shared Secret compute operation */ };
> > > +
> > > +/**
> > > * Padding types for RSA signature.
> > > */
> > > enum rte_crypto_rsa_padding_type {
> > > @@ -238,7 +248,7 @@ struct rte_crypto_modinv_xform {
> > > *
> > > */
> > > struct rte_crypto_dh_xform {
> > > - enum rte_crypto_asym_op_type type;
> > > + enum rte_crypto_asym_ke_type type;
> > > /**< Setup xform for key generate or shared secret compute */
> > > rte_crypto_uint p;
> > > /**< Prime modulus data */
> > > @@ -375,26 +385,27 @@ struct rte_crypto_rsa_op_param { struct
> > > rte_crypto_dh_op_param {
> > > rte_crypto_uint pub_key;
> > > /**<
> > > - * Output generated public key when xform type is
> > > - * DH PUB_KEY_GENERATION.
> > > - * Input peer public key when xform type is DH
> > > - * SHARED_SECRET_COMPUTATION
> > > + * Output - generated public key, when xform type is
> >
> > It is not xform type, Right?
> > It should be key exchange type.
> Yes, I meant xform op_type. Will change, leter it will be overwritten by move dh
> op patch too.
OK
> > Check at other places also.
> >
> > > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> > > *
> > > + * Input - peer's public key, when xform type is
> > > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > > */
> > >
> > > rte_crypto_uint priv_key;
> > > /**<
> > > - * Output generated private key if xform type is
> > > - * DH PRIVATE_KEY_GENERATION
> > > - * Input when xform type is DH SHARED_SECRET_COMPUTATION.
> > > + * Output - generated private key, when xform type is
> > > + * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
> > > *
> > > + * Input - private key, when xform type is one of:
> > > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> > > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > > */
> > >
> > > rte_crypto_uint shared_secret;
> > > /**<
> > > - * Output with calculated shared secret
> > > - * when dh xform set up with op type =
> > > SHARED_SECRET_COMPUTATION.
> > > - *
> > > + * Output - calculated shared secret when xform type is
> > > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > > */
> > > };
> > >
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 06/14] cryptodev: move dh type from xform to dh op
2022-05-25 15:53 ` [PATCH v2 06/14] cryptodev: move dh type from xform to dh op Arek Kusztal
@ 2022-05-26 11:23 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:23 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Moved dh operation type to dh operation struct.
> Operation type (PUBLIC_KEY_GENERATION, SHARED_SECRET) should
> be free to choose for any operation. One xform/session should
> be enough to perform both DH operations, if op_type would be xform
> member, session would have to be to be created twice for the same
> group. Similar problem would be observed in sessionless case.
> Additionally, it will help extend DH to support Elliptic Curves.
> - Changed order of Diffie-Hellman operation phases.
> Now it corresponds with the order of operations.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman
2022-05-25 15:53 ` [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman Arek Kusztal
@ 2022-05-26 11:29 ` Akhil Goyal
2022-05-26 11:44 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:29 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Added elliptic curve Diffie-Hellman parameters.
> Point multiplication allows the user to process every phase of
> ECDH, but for phase 1, user should not really care about the generator.
> The user does not even need to know what the generator looks like,
> therefore setting ec xform would make this work.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 38
> ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index ffb0e8ed17..0dab7c0593 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -112,6 +112,8 @@ enum rte_crypto_asym_xform_type {
> /**< Elliptic Curve Digital Signature Algorithm */
> RTE_CRYPTO_ASYM_XFORM_ECPM,
> /**< Elliptic Curve Point Multiplication */
> + RTE_CRYPTO_ASYM_XFORM_ECDH,
> + /**< Elliptic Curve Diffie Hellman */
> RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> /**< End of list */
> };
> @@ -407,6 +409,42 @@ struct rte_crypto_dh_op_param {
> };
>
> /**
> + * Elliptic Curve Diffie-Hellman Operations params.
> + * @note:
Note missing?
> + */
> +struct rte_crypto_ecdh_op_param {
> + enum rte_crypto_asym_ke_type op_type;
> + /**< Key exchange operation type */
> + rte_crypto_uint priv_key;
> + /**<
> + * Output - generated private key, when xform type is
> + * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
> + *
> + * Input - private key, when xform type is one of:
> + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> + *
> + * In case priv_key.length is 0 and xform type is set with
> + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE, CSRNG capable
> + * device will generate private key and use it for public
> + * key generation.
> + */
You added the above CSRNG thing in pub key for DH and here in priv key?
> + struct rte_crypto_ec_point pub_key;
> + /**<
> + * Output - generated public key, when xform type is
> + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> + *
> + * Input - peer's public key, when xform type is
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
Shouldn't this be for both RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE and
RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> + */
> + struct rte_crypto_ec_point shared_secret;
> + /**<
> + * Output - calculated shared secret when xform type is
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> + */
> +};
> +
> +/**
> * DSA Operations params
> *
> */
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 08/14] cryptodev: add public key verify option
2022-05-25 15:53 ` [PATCH v2 08/14] cryptodev: add public key verify option Arek Kusztal
@ 2022-05-26 11:34 ` Akhil Goyal
2022-05-26 11:46 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:34 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Added key exchange public key verify option.
> For some elliptic curves public point in DH exchange
> needs to be checked, if it lays on the curve.
> Modular exponentiation needs certain checks as well, though
> mathematically much easier.
> This commit adds verify option to asym_op operations.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 9 ++++++---
> lib/cryptodev/rte_cryptodev.c | 3 ++-
> 2 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 0dab7c0593..3eafaecbbe 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -141,8 +141,10 @@ enum rte_crypto_asym_ke_type {
> /**< Private Key generation operation */
> RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> /**< Public Key generation operation */
> - RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> + RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
> /**< Shared Secret compute operation */
> + RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY,
> + /**< Public Key Verification */
If this is not for DH and only for ECDH, then specify this in comments also.
But IMO, it will be OK to use RTE_CRYPTO_ASYM_KE_PUB_KEY_VERIFY.
If it is not valid to use it for DH, we can mention in comments.
> };
>
> /**
> @@ -434,8 +436,9 @@ struct rte_crypto_ecdh_op_param {
> * Output - generated public key, when xform type is
> * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> *
> - * Input - peer's public key, when xform type is
> - * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> + * Input - peer's public key, when xform type is one of:
> + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
> + * RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY.
> */
> struct rte_crypto_ec_point shared_secret;
> /**<
> diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
> index af58f49d07..57ee6b3f07 100644
> --- a/lib/cryptodev/rte_cryptodev.c
> +++ b/lib/cryptodev/rte_cryptodev.c
> @@ -185,7 +185,8 @@ const char *rte_crypto_asym_op_strings[] = {
> const char *rte_crypto_asym_ke_strings[] = {
> [RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE] =
> "priv_key_generate",
> [RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE] =
> "pub_key_generate",
> - [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] =
> "sharedsecret_compute"
> + [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] =
> "sharedsecret_compute",
> + [RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY] =
> "pub_ec_key_verify"
> };
>
> /**
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman
2022-05-26 11:29 ` [EXT] " Akhil Goyal
@ 2022-05-26 11:44 ` Kusztal, ArkadiuszX
0 siblings, 0 replies; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 11:44 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 1:29 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman
>
> > - Added elliptic curve Diffie-Hellman parameters.
> > Point multiplication allows the user to process every phase of ECDH,
> > but for phase 1, user should not really care about the generator.
> > The user does not even need to know what the generator looks like,
> > therefore setting ec xform would make this work.
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> > lib/cryptodev/rte_crypto_asym.h | 38
> > ++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 38 insertions(+)
> >
> > diff --git a/lib/cryptodev/rte_crypto_asym.h
> > b/lib/cryptodev/rte_crypto_asym.h index ffb0e8ed17..0dab7c0593 100644
> > --- a/lib/cryptodev/rte_crypto_asym.h
> > +++ b/lib/cryptodev/rte_crypto_asym.h
> > @@ -112,6 +112,8 @@ enum rte_crypto_asym_xform_type {
> > /**< Elliptic Curve Digital Signature Algorithm */
> > RTE_CRYPTO_ASYM_XFORM_ECPM,
> > /**< Elliptic Curve Point Multiplication */
> > + RTE_CRYPTO_ASYM_XFORM_ECDH,
> > + /**< Elliptic Curve Diffie Hellman */
> > RTE_CRYPTO_ASYM_XFORM_TYPE_LIST_END
> > /**< End of list */
> > };
> > @@ -407,6 +409,42 @@ struct rte_crypto_dh_op_param { };
> >
> > /**
> > + * Elliptic Curve Diffie-Hellman Operations params.
> > + * @note:
>
> Note missing?
I will remove note.
>
> > + */
> > +struct rte_crypto_ecdh_op_param {
> > + enum rte_crypto_asym_ke_type op_type;
> > + /**< Key exchange operation type */
> > + rte_crypto_uint priv_key;
> > + /**<
> > + * Output - generated private key, when xform type is
> > + * RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE.
> > + *
> > + * Input - private key, when xform type is one of:
> > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > + *
> > + * In case priv_key.length is 0 and xform type is set with
> > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE, CSRNG capable
> > + * device will generate private key and use it for public
> > + * key generation.
> > + */
>
> You added the above CSRNG thing in pub key for DH and here in priv key?
Should be under priv key.I will change.
>
> > + struct rte_crypto_ec_point pub_key;
> > + /**<
> > + * Output - generated public key, when xform type is
> > + * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> > + *
> > + * Input - peer's public key, when xform type is
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> Shouldn't this be for both RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE and
> RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
For priv_key yes, not for public.
>
> > + */
> > + struct rte_crypto_ec_point shared_secret;
> > + /**<
> > + * Output - calculated shared secret when xform type is
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > + */
> > +};
> > +
> > +/**
> > * DSA Operations params
> > *
> > */
> > --
> > 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 08/14] cryptodev: add public key verify option
2022-05-26 11:34 ` [EXT] " Akhil Goyal
@ 2022-05-26 11:46 ` Kusztal, ArkadiuszX
0 siblings, 0 replies; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 11:46 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 1:34 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 08/14] cryptodev: add public key verify option
>
> > - Added key exchange public key verify option.
> > For some elliptic curves public point in DH exchange needs to be
> > checked, if it lays on the curve.
> > Modular exponentiation needs certain checks as well, though
> > mathematically much easier.
> > This commit adds verify option to asym_op operations.
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> > lib/cryptodev/rte_crypto_asym.h | 9 ++++++---
> > lib/cryptodev/rte_cryptodev.c | 3 ++-
> > 2 files changed, 8 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/cryptodev/rte_crypto_asym.h
> > b/lib/cryptodev/rte_crypto_asym.h index 0dab7c0593..3eafaecbbe 100644
> > --- a/lib/cryptodev/rte_crypto_asym.h
> > +++ b/lib/cryptodev/rte_crypto_asym.h
> > @@ -141,8 +141,10 @@ enum rte_crypto_asym_ke_type {
> > /**< Private Key generation operation */
> > RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> > /**< Public Key generation operation */
> > - RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > + RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
> > /**< Shared Secret compute operation */
> > + RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY,
> > + /**< Public Key Verification */
>
> If this is not for DH and only for ECDH, then specify this in comments also.
> But IMO, it will be OK to use RTE_CRYPTO_ASYM_KE_PUB_KEY_VERIFY.
> If it is not valid to use it for DH, we can mention in comments.
+1
>
> > };
> >
> > /**
> > @@ -434,8 +436,9 @@ struct rte_crypto_ecdh_op_param {
> > * Output - generated public key, when xform type is
> > * RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE.
> > *
> > - * Input - peer's public key, when xform type is
> > - * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE.
> > + * Input - peer's public key, when xform type is one of:
> > + * RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
> > + * RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY.
> > */
> > struct rte_crypto_ec_point shared_secret;
> > /**<
> > diff --git a/lib/cryptodev/rte_cryptodev.c
> > b/lib/cryptodev/rte_cryptodev.c index af58f49d07..57ee6b3f07 100644
> > --- a/lib/cryptodev/rte_cryptodev.c
> > +++ b/lib/cryptodev/rte_cryptodev.c
> > @@ -185,7 +185,8 @@ const char *rte_crypto_asym_op_strings[] = {
> > const char *rte_crypto_asym_ke_strings[] = {
> > [RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE] =
> "priv_key_generate",
> > [RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE] =
> "pub_key_generate",
> > - [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] =
> > "sharedsecret_compute"
> > + [RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE] =
> > "sharedsecret_compute",
> > + [RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY] =
> > "pub_ec_key_verify"
> > };
> >
> > /**
> > --
> > 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 09/14] cryptodev: add asym op flags
2022-05-25 15:53 ` [PATCH v2 09/14] cryptodev: add asym op flags Arek Kusztal
@ 2022-05-26 11:46 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:46 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Added flags to rte_crypto_asym_op struct.
> It may be shared between different algorithms.
> - Added Diffie-Hellman padding flags.
> Diffie-Hellman padding is used in certain protocols,
> in others, leading zero bytes need to be stripped.
> Even same protocol may use a different approach - most
> glaring example is TLS1.2 - TLS1.3.
> For ease of use, and to avoid additional copy
> on certain occasions, driver should be able to return both.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 3eafaecbbe..1a57c0c532 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -75,6 +75,19 @@ struct rte_crypto_ec_point {
> /**< Y coordinate */
> };
>
> +#define RTE_CRYPTO_ASYM_FLAG_PUB_KEY_NO_PADDING
> RTE_BIT32(0)
> +/**<
> + * If set to 1 - public key will be returned
> + * without leading zero bytes, otherwise it will be
> + * padded to the left with zero bytes (default)
> + */
I think this comment need to be re-written something like
/* Flag to denote public key will be returned without leading zero bytes
* and if the flag is not set, public key will be padded to the left with zeros(default) */
> +#define RTE_CRYPTO_ASYM_FLAG_SHARED_KEY_NO_PADDING RTE_BIT32(1)
> +/**<
> + * If set to 1 - shared key will be returned
> + * without leading zero bytes, otherwise it will be
> + * padded to the left with zero bytes (default)
> + */
Similar comment for this one also.
> +
> /**
> * List of elliptic curves. This enum aligns with
> * TLS "Supported Groups" registry (previously known as
> @@ -589,6 +602,8 @@ struct rte_crypto_asym_op {
> struct rte_crypto_ecdsa_op_param ecdsa;
> struct rte_crypto_ecpm_op_param ecpm;
> };
> + uint16_t flags;
> + /**< Asymmetric crypto operation flags */
Give reference to flags
RTE_CRYPTO_ASYM_FLAG_*
> };
>
> #ifdef __cplusplus
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 10/14] cryptodev: clarify usage of rsa padding hash
2022-05-25 15:53 ` [PATCH v2 10/14] cryptodev: clarify usage of rsa padding hash Arek Kusztal
@ 2022-05-26 11:56 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 11:56 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Clarified usage of RSA padding hash.
> It was not specified how to use hash for PKCS1_5
> padding. This could lead to incorrect implementation.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 1a57c0c532..1758aaa875 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -371,10 +371,27 @@ struct rte_crypto_rsa_op_param {
> /**< RSA padding scheme to be used for transform */
>
> enum rte_crypto_auth_algorithm md;
> - /**< Hash algorithm to be used for data hash if padding
> - * scheme is either OAEP or PSS. Valid hash algorithms
> - * are:
> - * MD5, SHA1, SHA224, SHA256, SHA384, SHA512
> + /**<
> + * RSA padding hash function
Function->algorithm
> + *
> + * When a specific padding type is selected, the following rule apply:
> + * - RTE_CRYPTO_RSA_PADDING_NONE:
> + * This field is ignored by the PMD
> + *
> + * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> + * When signing operation this field is used to determine value
For sign operation, this field is used...
> + * of the DigestInfo structure, therefore specifying which algorithm
> + * was used to create the message digest.
> + * When doing encryption/decryption this field is ignored for this
> + * padding type.
For encryption/decryption, this field is ignored.
> + *
> + * - RTE_CRYPTO_RSA_PADDING_OAEP
> + * This field shall be set with the hash algorithm used
> + * in the padding scheme
> + *
> + * - RTE_CRYPTO_RSA_PADDING_PSS
> + * This field shall be set with the hash algorithm used
> + * in the padding scheme (and to create the input message digest)
> */
>
> enum rte_crypto_auth_algorithm mgf1md;
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate struct
2022-05-25 15:53 ` [PATCH v2 11/14] cryptodev: move RSA padding into separate struct Arek Kusztal
@ 2022-05-26 12:04 ` Akhil Goyal
2022-05-26 12:14 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 12:04 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> /**
> + * RSA padding type
> + */
> +struct rte_crypto_rsa_padding {
> + enum rte_crypto_rsa_padding_type type;
> + /**< RSA padding scheme to be used for transform */
> + enum rte_crypto_auth_algorithm md;
> + /**<
> + * RSA padding hash function
> + *
> + * When a specific padding type is selected, the following rule apply:
> + * - RTE_CRYPTO_RSA_PADDING_NONE:
> + * This field is ignored by the PMD
> + *
> + * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> + * When signing operation this field is used to determine value
> + * of the DigestInfo structure, therefore specifying which algorithm
> + * was used to create the message digest.
> + * When doing encryption/decryption this field is ignored for this
> + * padding type.
> + *
> + * - RTE_CRYPTO_RSA_PADDING_OAEP
> + * This field shall be set with the hash algorithm used
> + * in the padding scheme
> + *
> + * - RTE_CRYPTO_RSA_PADDING_PSS
> + * This field shall be set with the hash algorithm used
> + * in the padding scheme (and to create the input message digest)
> + */
Forgot to comment on previous patch about the valid algos for this.
They are removed in previous patch, but it should not be removed. Right?
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding
2022-05-25 15:53 ` [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding Arek Kusztal
@ 2022-05-26 12:06 ` Akhil Goyal
2022-05-26 12:15 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 12:06 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Clarified where should output be stored of signature
> decryption with padding none.
> PMD is not able to know what padding algorithm was used,
> therefore decrypted signature should be returned to the user.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> lib/cryptodev/rte_crypto_asym.h | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index ee0988d3cf..9f7fba3758 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -372,8 +372,6 @@ struct rte_crypto_rsa_op_param {
> * (i.e. must be at least RSA key size). The message.length
> * field should be 0 and will be overwritten by the PMD
> * with the decrypted length.
> - *
> - * All data is in Octet-string network byte order format.
> */
Patch description and title does not match with this change.
>
> rte_crypto_param cipher;
> @@ -388,7 +386,8 @@ struct rte_crypto_rsa_op_param {
> * at least RSA key size). The cipher.length field should
> * be 0 and will be overwritten by the PMD with the encrypted length.
> *
> - * All data is in Octet-string network byte order format.
> + * When RTE_CRYPTO_RSA_PADDING_NONE and
> RTE_CRYPTO_ASYM_OP_VERIFY
> + * selected, this is an output of decrypted signature.
> */
>
> rte_crypto_param sign;
> @@ -402,8 +401,6 @@ struct rte_crypto_rsa_op_param {
> * with enough memory to hold signature output (i.e. must be
> * at least RSA key size). The sign.length field should
> * be 0 and will be overwritten by the PMD with the signature length.
> - *
> - * All data is in Octet-string network byte order format.
> */
>
> struct rte_crypto_rsa_padding padding;
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 13/14] cryptodev: add salt length and optional label
2022-05-25 15:53 ` [PATCH v2 13/14] cryptodev: add salt length and optional label Arek Kusztal
@ 2022-05-26 12:08 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 12:08 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Added salt length and optional label.
> Common parameters to PSS and OAEP padding for RSA.
> - Fixed hash API in RSA padding.
> Now it is specified how hash should be used with
> particular RSA padding modes.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate struct
2022-05-26 12:04 ` [EXT] " Akhil Goyal
@ 2022-05-26 12:14 ` Kusztal, ArkadiuszX
2022-05-26 12:19 ` Akhil Goyal
0 siblings, 1 reply; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 12:14 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 2:05 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate
> struct
>
> > /**
> > + * RSA padding type
> > + */
> > +struct rte_crypto_rsa_padding {
> > + enum rte_crypto_rsa_padding_type type;
> > + /**< RSA padding scheme to be used for transform */
> > + enum rte_crypto_auth_algorithm md;
> > + /**<
> > + * RSA padding hash function
> > + *
> > + * When a specific padding type is selected, the following rule apply:
> > + * - RTE_CRYPTO_RSA_PADDING_NONE:
> > + * This field is ignored by the PMD
> > + *
> > + * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> > + * When signing operation this field is used to determine value
> > + * of the DigestInfo structure, therefore specifying which algorithm
> > + * was used to create the message digest.
> > + * When doing encryption/decryption this field is ignored for this
> > + * padding type.
> > + *
> > + * - RTE_CRYPTO_RSA_PADDING_OAEP
> > + * This field shall be set with the hash algorithm used
> > + * in the padding scheme
> > + *
> > + * - RTE_CRYPTO_RSA_PADDING_PSS
> > + * This field shall be set with the hash algorithm used
> > + * in the padding scheme (and to create the input message digest)
> > + */
> Forgot to comment on previous patch about the valid algos for this.
> They are removed in previous patch, but it should not be removed. Right?
Which hash functions are supported by RSA can be found in RSA standard, additionally our list was incomplete.
There is no Hash functions enum in Cryptodev -> we keep Hash functions together with mac aglorithms, so that's why it was probably included in the first place. But I would say we should not specify valid algs here.
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding
2022-05-26 12:06 ` [EXT] " Akhil Goyal
@ 2022-05-26 12:15 ` Kusztal, ArkadiuszX
0 siblings, 0 replies; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 12:15 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 2:07 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 12/14] cryptodev: clarify rsa verify with none
> padding
>
> > - Clarified where should output be stored of signature decryption with
> > padding none.
> > PMD is not able to know what padding algorithm was used, therefore
> > decrypted signature should be returned to the user.
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> > lib/cryptodev/rte_crypto_asym.h | 7 ++-----
> > 1 file changed, 2 insertions(+), 5 deletions(-)
> >
> > diff --git a/lib/cryptodev/rte_crypto_asym.h
> > b/lib/cryptodev/rte_crypto_asym.h index ee0988d3cf..9f7fba3758 100644
> > --- a/lib/cryptodev/rte_crypto_asym.h
> > +++ b/lib/cryptodev/rte_crypto_asym.h
> > @@ -372,8 +372,6 @@ struct rte_crypto_rsa_op_param {
> > * (i.e. must be at least RSA key size). The message.length
> > * field should be 0 and will be overwritten by the PMD
> > * with the decrypted length.
> > - *
> > - * All data is in Octet-string network byte order format.
> > */
> Patch description and title does not match with this change.
I will add a comment to commit message then.
>
> >
> > rte_crypto_param cipher;
> > @@ -388,7 +386,8 @@ struct rte_crypto_rsa_op_param {
> > * at least RSA key size). The cipher.length field should
> > * be 0 and will be overwritten by the PMD with the encrypted length.
> > *
> > - * All data is in Octet-string network byte order format.
> > + * When RTE_CRYPTO_RSA_PADDING_NONE and
> > RTE_CRYPTO_ASYM_OP_VERIFY
> > + * selected, this is an output of decrypted signature.
> > */
> >
> > rte_crypto_param sign;
> > @@ -402,8 +401,6 @@ struct rte_crypto_rsa_op_param {
> > * with enough memory to hold signature output (i.e. must be
> > * at least RSA key size). The sign.length field should
> > * be 0 and will be overwritten by the PMD with the signature length.
> > - *
> > - * All data is in Octet-string network byte order format.
> > */
> >
> > struct rte_crypto_rsa_padding padding;
> > --
> > 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate struct
2022-05-26 12:14 ` Kusztal, ArkadiuszX
@ 2022-05-26 12:19 ` Akhil Goyal
2022-05-26 12:35 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 12:19 UTC (permalink / raw)
To: Kusztal, ArkadiuszX, dev; +Cc: Zhang, Roy Fan
> > > /**
> > > + * RSA padding type
> > > + */
> > > +struct rte_crypto_rsa_padding {
> > > + enum rte_crypto_rsa_padding_type type;
> > > + /**< RSA padding scheme to be used for transform */
> > > + enum rte_crypto_auth_algorithm md;
> > > + /**<
> > > + * RSA padding hash function
> > > + *
> > > + * When a specific padding type is selected, the following rule apply:
> > > + * - RTE_CRYPTO_RSA_PADDING_NONE:
> > > + * This field is ignored by the PMD
> > > + *
> > > + * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> > > + * When signing operation this field is used to determine value
> > > + * of the DigestInfo structure, therefore specifying which algorithm
> > > + * was used to create the message digest.
> > > + * When doing encryption/decryption this field is ignored for this
> > > + * padding type.
> > > + *
> > > + * - RTE_CRYPTO_RSA_PADDING_OAEP
> > > + * This field shall be set with the hash algorithm used
> > > + * in the padding scheme
> > > + *
> > > + * - RTE_CRYPTO_RSA_PADDING_PSS
> > > + * This field shall be set with the hash algorithm used
> > > + * in the padding scheme (and to create the input message digest)
> > > + */
> > Forgot to comment on previous patch about the valid algos for this.
> > They are removed in previous patch, but it should not be removed. Right?
> Which hash functions are supported by RSA can be found in RSA standard,
> additionally our list was incomplete.
> There is no Hash functions enum in Cryptodev -> we keep Hash functions
> together with mac aglorithms, so that's why it was probably included in the first
> place. But I would say we should not specify valid algs here.
In that case, mgf1md comment should also be updated.
But again, if we are combining with mac algos, we should specify it. Right? This is not
RFC, it is our implementation of the RFC. If we are combining with mac algos, it makes
more sense to specify the valid algos.
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate struct
2022-05-26 12:19 ` Akhil Goyal
@ 2022-05-26 12:35 ` Kusztal, ArkadiuszX
2022-05-26 12:41 ` Akhil Goyal
0 siblings, 1 reply; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 12:35 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 2:20 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate
> struct
>
> > > > /**
> > > > + * RSA padding type
> > > > + */
> > > > +struct rte_crypto_rsa_padding {
> > > > + enum rte_crypto_rsa_padding_type type;
> > > > + /**< RSA padding scheme to be used for transform */
> > > > + enum rte_crypto_auth_algorithm md;
> > > > + /**<
> > > > + * RSA padding hash function
> > > > + *
> > > > + * When a specific padding type is selected, the following rule apply:
> > > > + * - RTE_CRYPTO_RSA_PADDING_NONE:
> > > > + * This field is ignored by the PMD
> > > > + *
> > > > + * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> > > > + * When signing operation this field is used to determine value
> > > > + * of the DigestInfo structure, therefore specifying which algorithm
> > > > + * was used to create the message digest.
> > > > + * When doing encryption/decryption this field is ignored for this
> > > > + * padding type.
> > > > + *
> > > > + * - RTE_CRYPTO_RSA_PADDING_OAEP
> > > > + * This field shall be set with the hash algorithm used
> > > > + * in the padding scheme
> > > > + *
> > > > + * - RTE_CRYPTO_RSA_PADDING_PSS
> > > > + * This field shall be set with the hash algorithm used
> > > > + * in the padding scheme (and to create the input message digest)
> > > > + */
> > > Forgot to comment on previous patch about the valid algos for this.
> > > They are removed in previous patch, but it should not be removed. Right?
> > Which hash functions are supported by RSA can be found in RSA
> > standard, additionally our list was incomplete.
> > There is no Hash functions enum in Cryptodev -> we keep Hash functions
> > together with mac aglorithms, so that's why it was probably included
> > in the first place. But I would say we should not specify valid algs here.
>
> In that case, mgf1md comment should also be updated.
> But again, if we are combining with mac algos, we should specify it. Right? This
> is not RFC, it is our implementation of the RFC. If we are combining with mac
> algos, it makes more sense to specify the valid algos.
Its actually not that big problem, though I thought it is stating the obvious.
So we can add it back again but with full RSA hash list (including 512/224 256), or we will add it when this will be added to rte_crypto_auth_algorithm?
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 11/14] cryptodev: move RSA padding into separate struct
2022-05-26 12:35 ` Kusztal, ArkadiuszX
@ 2022-05-26 12:41 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 12:41 UTC (permalink / raw)
To: Kusztal, ArkadiuszX, dev; +Cc: Zhang, Roy Fan
> > > > > /**
> > > > > + * RSA padding type
> > > > > + */
> > > > > +struct rte_crypto_rsa_padding {
> > > > > + enum rte_crypto_rsa_padding_type type;
> > > > > + /**< RSA padding scheme to be used for transform */
> > > > > + enum rte_crypto_auth_algorithm md;
> > > > > + /**<
> > > > > + * RSA padding hash function
> > > > > + *
> > > > > + * When a specific padding type is selected, the following rule
> apply:
> > > > > + * - RTE_CRYPTO_RSA_PADDING_NONE:
> > > > > + * This field is ignored by the PMD
> > > > > + *
> > > > > + * - RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> > > > > + * When signing operation this field is used to determine value
> > > > > + * of the DigestInfo structure, therefore specifying which
> algorithm
> > > > > + * was used to create the message digest.
> > > > > + * When doing encryption/decryption this field is ignored for
> this
> > > > > + * padding type.
> > > > > + *
> > > > > + * - RTE_CRYPTO_RSA_PADDING_OAEP
> > > > > + * This field shall be set with the hash algorithm used
> > > > > + * in the padding scheme
> > > > > + *
> > > > > + * - RTE_CRYPTO_RSA_PADDING_PSS
> > > > > + * This field shall be set with the hash algorithm used
> > > > > + * in the padding scheme (and to create the input message
> digest)
> > > > > + */
> > > > Forgot to comment on previous patch about the valid algos for this.
> > > > They are removed in previous patch, but it should not be removed. Right?
> > > Which hash functions are supported by RSA can be found in RSA
> > > standard, additionally our list was incomplete.
> > > There is no Hash functions enum in Cryptodev -> we keep Hash functions
> > > together with mac aglorithms, so that's why it was probably included
> > > in the first place. But I would say we should not specify valid algs here.
> >
> > In that case, mgf1md comment should also be updated.
> > But again, if we are combining with mac algos, we should specify it. Right?
> This
> > is not RFC, it is our implementation of the RFC. If we are combining with mac
> > algos, it makes more sense to specify the valid algos.
> Its actually not that big problem, though I thought it is stating the obvious.
> So we can add it back again but with full RSA hash list (including 512/224 256), or
> we will add it when this will be added to rte_crypto_auth_algorithm?
Whatever current support is there, it should be added to specify which all can be
Used from the rte_crypto_auth_algorithm enum. As not all can be blindly used.
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 14/14] cryptodev: add asym algorithms capabilities
2022-05-25 15:53 ` [PATCH v2 14/14] cryptodev: add asym algorithms capabilities Arek Kusztal
@ 2022-05-26 12:54 ` Akhil Goyal
2022-05-26 14:19 ` Kusztal, ArkadiuszX
0 siblings, 1 reply; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 12:54 UTC (permalink / raw)
To: Arek Kusztal, dev; +Cc: roy.fan.zhang
> - Added asymmetric crypto algorithm specific capability struct.
> Included fields like random number capability, padding flags etc.
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
> app/test-crypto-perf/main.c | 12 +-
> app/test-eventdev/test_perf_common.c | 2 +-
> app/test/test_cryptodev_asym.c | 210 +++++++++++++++++++++------
> app/test/test_event_crypto_adapter.c | 16 +-
> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 128 +++++++---------
> drivers/crypto/qat/dev/qat_asym_pmd_gen1.c | 68 +++++++--
> lib/cryptodev/rte_crypto_asym.h | 48 ++++++
> lib/cryptodev/rte_cryptodev.c | 80 +++++++++-
> lib/cryptodev/rte_cryptodev.h | 75 +++++++++-
> lib/cryptodev/version.map | 4 +
> 10 files changed, 495 insertions(+), 148 deletions(-)
This would also need a change in documentation.
>
> diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> index 17e30a8e74..f8a4c9cdcf 100644
> --- a/app/test-crypto-perf/main.c
> +++ b/app/test-crypto-perf/main.c
> @@ -364,8 +364,8 @@ cperf_verify_devices_capabilities(struct cperf_options
> *opts,
> struct rte_cryptodev_sym_capability_idx cap_idx;
> const struct rte_cryptodev_symmetric_capability *capability;
> struct rte_cryptodev_asym_capability_idx asym_cap_idx;
> - const struct rte_cryptodev_asymmetric_xform_capability
> *asym_capability;
> -
> + const struct rte_cryptodev_asymmetric_capability *asym_capability;
> + struct rte_crypto_mod_capability mod_capa = {0};
>
> uint8_t i, cdev_id;
> int ret;
> @@ -381,11 +381,11 @@ cperf_verify_devices_capabilities(struct
> cperf_options *opts,
> if (asym_capability == NULL)
> return -1;
>
> - ret =
> rte_cryptodev_asym_xform_capability_check_modlen(
> - asym_capability, opts->modex_data-
> >modulus.len);
> - if (ret != 0)
> + mod_capa.max_mod_size = opts->modex_data-
> >modulus.len;
> + ret = rte_cryptodev_capa_check_mod(asym_capability,
> + mod_capa);
> + if (ret == 0)
> return ret;
> -
> }
>
> if (opts->op_type == CPERF_AUTH_ONLY ||
> diff --git a/app/test-eventdev/test_perf_common.c b/app/test-
> eventdev/test_perf_common.c
> index b41785492e..ac8e6410ab 100644
> --- a/app/test-eventdev/test_perf_common.c
> +++ b/app/test-eventdev/test_perf_common.c
> @@ -846,7 +846,7 @@ cryptodev_sym_sess_create(struct prod_data *p, struct
> test_perf *t)
> static void *
> cryptodev_asym_sess_create(struct prod_data *p, struct test_perf *t)
> {
> - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> + const struct rte_cryptodev_asymmetric_capability *capability;
> struct rte_cryptodev_asym_capability_idx cap_idx;
> struct rte_crypto_asym_xform xform;
> void *sess;
> diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
> index 072dbb30f4..c531265642 100644
> --- a/app/test/test_cryptodev_asym.c
> +++ b/app/test/test_cryptodev_asym.c
> @@ -311,10 +311,11 @@ test_cryptodev_asym_op(struct
> crypto_testsuite_params_asym *ts_params,
> struct rte_crypto_asym_xform xform_tc;
> void *sess = NULL;
> struct rte_cryptodev_asym_capability_idx cap_idx;
> - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> + const struct rte_cryptodev_asymmetric_capability *capability;
> uint8_t dev_id = ts_params->valid_devs[0];
> uint8_t input[TEST_DATA_SIZE] = {0};
> uint8_t *result = NULL;
> + struct rte_crypto_mod_capability mod_capa = {0};
>
> int ret, status = TEST_SUCCESS;
>
> @@ -358,8 +359,10 @@ test_cryptodev_asym_op(struct
> crypto_testsuite_params_asym *ts_params,
> asym_op->modex.base.length = data_tc->modex.base.len;
> asym_op->modex.result.data = result;
> asym_op->modex.result.length = data_tc->modex.result_len;
> - if
> (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> - xform_tc.modex.modulus.length)) {
> +
> + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> + if (!rte_cryptodev_capa_check_mod(capability,
> + mod_capa)) {
> snprintf(test_msg, ASYM_TEST_MSG_LEN,
> "line %u "
> "FAILED: %s", __LINE__,
> @@ -378,8 +381,10 @@ test_cryptodev_asym_op(struct
> crypto_testsuite_params_asym *ts_params,
> asym_op->modinv.base.length = data_tc->modinv.base.len;
> asym_op->modinv.result.data = result;
> asym_op->modinv.result.length = data_tc->modinv.result_len;
> - if
> (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> - xform_tc.modinv.modulus.length)) {
> +
> + mod_capa.max_mod_size = xform_tc.modinv.modulus.length;
> + if (!rte_cryptodev_capa_check_mod(capability,
> + mod_capa)) {
> snprintf(test_msg, ASYM_TEST_MSG_LEN,
> "line %u "
> "FAILED: %s", __LINE__,
> @@ -963,38 +968,100 @@ ut_teardown_asym(void)
> rte_cryptodev_stop(ts_params->valid_devs[0]);
> }
>
> -static inline void print_asym_capa(
> - const struct rte_cryptodev_asymmetric_xform_capability
> *capa)
> +static void
> +print_rsa_capability(
> + const struct rte_cryptodev_asymmetric_capability *capa)
> {
> int i = 0;
>
> + printf("\nSupported paddings:");
> + for (; i < 32; i++) {
> + if (capa->rsa.padding & RTE_BIT32(i))
> + printf("\n - %s", rte_crypto_asym_rsa_padding[i]);
> + }
> + printf("\nSupported hash functions:");
> + for (i = 0; i < 32; i++) {
> + if (capa->rsa.hash & RTE_BIT32(i))
> + printf("\n - %s", rte_crypto_auth_algorithm_strings[i]);
> + }
> + printf("\nMaximum key size: ");
> + if (capa->rsa.max_key_size == 0)
> + printf("Unlimited");
> + else
> + printf("%hu", capa->rsa.max_key_size);
> +}
> +
> +static void
> +print_supported_curves(uint64_t curves)
> +{
> + int i = 0;
> +
> + printf("\nSupported elliptic curves:");
> + for (; i < 64; i++) {
> + if (curves & RTE_BIT64(i))
> + printf("\n - %s", rte_crypto_curves_strings[i]);
> + }
> +}
> +
> +static inline void print_asym_capa(
> + const struct rte_cryptodev_asymmetric_capability *capa)
> +{
> printf("\nxform type: %s\n===================\n",
> rte_crypto_asym_xform_strings[capa->xform_type]);
> - printf("operation supported -");
>
> - for (i = 0; i < RTE_CRYPTO_ASYM_OP_LIST_END; i++) {
> - /* check supported operations */
> - if (rte_cryptodev_asym_xform_capability_check_optype(capa,
> i))
> - printf(" %s",
> - rte_crypto_asym_op_strings[i]);
> - }
> - switch (capa->xform_type) {
> - case RTE_CRYPTO_ASYM_XFORM_RSA:
> - case RTE_CRYPTO_ASYM_XFORM_MODINV:
> - case RTE_CRYPTO_ASYM_XFORM_MODEX:
> - case RTE_CRYPTO_ASYM_XFORM_DH:
> - case RTE_CRYPTO_ASYM_XFORM_DSA:
> - printf(" modlen: min %d max %d increment %d",
> - capa->modlen.min,
> - capa->modlen.max,
> - capa->modlen.increment);
> + switch (capa->xform_type) {
> + case RTE_CRYPTO_ASYM_XFORM_MODEX:
> + case RTE_CRYPTO_ASYM_XFORM_MODINV:
> + printf("Maximum size of modulus: ");
> + if (capa->mod.max_mod_size == 0)
> + printf("Unlimited");
> + else
> + printf("%hu", capa->mod.max_mod_size);
> break;
> - case RTE_CRYPTO_ASYM_XFORM_ECDSA:
> - case RTE_CRYPTO_ASYM_XFORM_ECPM:
> - default:
> - break;
> - }
> - printf("\n");
> + case RTE_CRYPTO_ASYM_XFORM_RSA:
> + print_rsa_capability(capa);
> + break;
> + case RTE_CRYPTO_ASYM_XFORM_DH:
ECDH?? I hope it will be added once it is tested in this app.
> + printf("Maximum group size: ");
> + if (capa->dh.max_group_size == 0)
> + printf("Unlimited");
> + else
> + printf("%hu", capa->dh.max_group_size);
> + printf("\nSupport for private key generation: ");
> + if (capa->dh.priv_key_gen)
> + printf("Yes");
> + else
> + printf("No");
> + break;
> + case RTE_CRYPTO_ASYM_XFORM_DSA:
> + printf("Maximum key size: ");
> + if (capa->dsa.max_key_size == 0)
> + printf("Unlimited");
> + else
> + printf("%hu", capa->dsa.max_key_size);
> + printf("\nSupport for random 'k' generation: ");
> + if (capa->dsa.random_k)
> + printf("Yes");
> + else
> + printf("No");
> + break;
> +
> + break;
> + case RTE_CRYPTO_ASYM_XFORM_ECDSA:
> + print_supported_curves(capa->ecdsa.curves);
> + printf("\nSupport for random 'k' generation: ");
> + if (capa->ecdsa.random_k)
> + printf("Yes");
> + else
> + printf("No");
> + break;
> + case RTE_CRYPTO_ASYM_XFORM_ECPM:
> + print_supported_curves(capa->ecpm.curves);
> + break;
> + default:
> + break;
> + }
> + printf("\n");
> }
>
> static int
> @@ -1006,7 +1073,7 @@ test_capability(void)
> const struct rte_cryptodev_capabilities *dev_capa;
> int i = 0;
> struct rte_cryptodev_asym_capability_idx idx;
> - const struct rte_cryptodev_asymmetric_xform_capability *capa;
> + const struct rte_cryptodev_asymmetric_capability *capa;
>
> rte_cryptodev_info_get(dev_id, &dev_info);
> if (!(dev_info.feature_flags &
> @@ -1023,7 +1090,7 @@ test_capability(void)
> dev_capa = &(dev_info.capabilities[i]);
> if (dev_info.capabilities[i].op ==
> RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {
> - idx.type = dev_capa->asym.xform_capa.xform_type;
> + idx.type = dev_capa->asym.xform_type;
>
> capa = rte_cryptodev_asym_capability_get(dev_id,
> (const struct
> @@ -1386,10 +1453,11 @@ test_mod_inv(void)
> void *sess = NULL;
> int status = TEST_SUCCESS;
> struct rte_cryptodev_asym_capability_idx cap_idx;
> - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> + const struct rte_cryptodev_asymmetric_capability *capability;
> uint8_t input[TEST_DATA_SIZE] = {0};
> int ret = 0;
> uint8_t result[sizeof(mod_p)] = { 0 };
> + struct rte_crypto_mod_capability mod_capa = {0};
>
> if (rte_cryptodev_asym_get_xform_enum(
> &modinv_xform.xform_type, "modinv") < 0) {
> @@ -1408,13 +1476,11 @@ test_mod_inv(void)
> return TEST_SKIPPED;
> }
>
> - if (rte_cryptodev_asym_xform_capability_check_modlen(
> - capability,
> - modinv_xform.modinv.modulus.length)) {
> - RTE_LOG(ERR, USER1,
> - "Invalid MODULUS length specified\n");
> - return TEST_SKIPPED;
> - }
> + mod_capa.max_mod_size = modinv_xform.modinv.modulus.length;
> + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> + RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
> + return TEST_SKIPPED;
> + }
>
> ret = rte_cryptodev_asym_session_create(dev_id, &modinv_xform,
> sess_mpool, &sess);
> if (ret < 0) {
> @@ -1499,7 +1565,8 @@ test_mod_exp(void)
> void *sess = NULL;
> int status = TEST_SUCCESS;
> struct rte_cryptodev_asym_capability_idx cap_idx;
> - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> + const struct rte_cryptodev_asymmetric_capability *capability;
> + struct rte_crypto_mod_capability mod_capa = {0};
> uint8_t input[TEST_DATA_SIZE] = {0};
> int ret = 0;
> uint8_t result[sizeof(mod_p)] = { 0 };
> @@ -1522,12 +1589,11 @@ test_mod_exp(void)
> return TEST_SKIPPED;
> }
>
> - if (rte_cryptodev_asym_xform_capability_check_modlen(
> - capability, modex_xform.modex.modulus.length)) {
> - RTE_LOG(ERR, USER1,
> - "Invalid MODULUS length specified\n");
> - return TEST_SKIPPED;
> - }
> + mod_capa.max_mod_size = modex_xform.modex.modulus.length;
> + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> + RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
> + return TEST_SKIPPED;
> + }
>
> /* Create op, create session, and process packets. 8< */
> op = rte_crypto_op_alloc(op_mpool,
> RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> @@ -1785,6 +1851,8 @@ test_ecdsa_sign_verify(enum curve curve_id)
> struct rte_crypto_asym_xform xform;
> struct rte_crypto_asym_op *asym_op;
> struct rte_cryptodev_info dev_info;
> + struct rte_cryptodev_asym_capability_idx idx;
> + const struct rte_cryptodev_asymmetric_capability *capabilities;
> struct rte_crypto_op *op = NULL;
> int ret, status = TEST_SUCCESS;
>
> @@ -1814,6 +1882,25 @@ test_ecdsa_sign_verify(enum curve curve_id)
>
> rte_cryptodev_info_get(dev_id, &dev_info);
>
> + struct rte_crypto_ecdsa_capability capa = {
> + .curves = RTE_BIT32(input_params.curve),
> + .random_k = 0
> + };
> +
> + idx.type = RTE_CRYPTO_ASYM_XFORM_ECDSA;
> + capabilities = rte_cryptodev_asym_capability_get(dev_id,
> + (const struct
> + rte_cryptodev_asym_capability_idx *) &idx);
> +
> + if (capabilities == NULL) {
> + status = TEST_SKIPPED;
> + goto exit;
> + }
> + if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
> + status = TEST_SKIPPED;
> + goto exit;
> + }
> +
> /* Setup crypto op data structure */
> op = rte_crypto_op_alloc(op_mpool,
> RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> if (op == NULL) {
> @@ -1962,6 +2049,8 @@ test_ecdsa_sign_verify_all_curve(void)
> status = test_ecdsa_sign_verify(curve_id);
> if (status == TEST_SUCCESS) {
> msg = "succeeded";
> + } else if (status == TEST_SKIPPED) {
> + continue;
> } else {
> msg = "failed";
> overall_status = status;
> @@ -1987,6 +2076,8 @@ test_ecpm(enum curve curve_id)
> struct rte_crypto_asym_xform xform;
> struct rte_crypto_asym_op *asym_op;
> struct rte_cryptodev_info dev_info;
> + struct rte_cryptodev_asym_capability_idx idx;
> + const struct rte_cryptodev_asymmetric_capability *capabilities;
> struct rte_crypto_op *op = NULL;
> int ret, status = TEST_SUCCESS;
>
> @@ -2016,6 +2107,24 @@ test_ecpm(enum curve curve_id)
>
> rte_cryptodev_info_get(dev_id, &dev_info);
>
> + struct rte_crypto_ecdsa_capability capa = {
> + .curves = RTE_BIT32(input_params.curve)
> + };
> +
> + idx.type = RTE_CRYPTO_ASYM_XFORM_ECPM;
> + capabilities = rte_cryptodev_asym_capability_get(dev_id,
> + (const struct
> + rte_cryptodev_asym_capability_idx *) &idx);
> +
> + if (capabilities == NULL) {
> + status = TEST_SKIPPED;
> + goto exit;
> + }
> + if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
> + status = TEST_SKIPPED;
> + goto exit;
> + }
> +
> /* Setup crypto op data structure */
> op = rte_crypto_op_alloc(op_mpool,
> RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> if (op == NULL) {
> @@ -2124,6 +2233,8 @@ test_ecpm_all_curve(void)
> status = test_ecpm(curve_id);
> if (status == TEST_SUCCESS) {
> msg = "succeeded";
> + } else if (status == TEST_SKIPPED) {
> + continue;
> } else {
> msg = "failed";
> overall_status = status;
> @@ -2162,7 +2273,12 @@ static struct unit_test_suite
> cryptodev_qat_asym_testsuite = {
> .setup = testsuite_setup,
> .teardown = testsuite_teardown,
> .unit_test_cases = {
> + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> test_capability),
> TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> test_one_by_one),
> + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> + test_ecdsa_sign_verify_all_curve),
> + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> + test_ecpm_all_curve),
> TEST_CASES_END() /**< NULL terminate unit test array */
> }
> };
I think patch need to be split for adding test app changes.
> diff --git a/app/test/test_event_crypto_adapter.c
> b/app/test/test_event_crypto_adapter.c
> index 2ecc7e2cea..9a62241371 100644
> --- a/app/test/test_event_crypto_adapter.c
> +++ b/app/test/test_event_crypto_adapter.c
> @@ -450,7 +450,7 @@ test_session_with_op_forward_mode(void)
> static int
> test_asym_op_forward_mode(uint8_t session_less)
> {
> - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> + const struct rte_cryptodev_asymmetric_capability *capability;
> struct rte_cryptodev_asym_capability_idx cap_idx;
> struct rte_crypto_asym_xform xform_tc;
> union rte_event_crypto_metadata m_data;
> @@ -458,6 +458,7 @@ test_asym_op_forward_mode(uint8_t session_less)
> struct rte_crypto_asym_op *asym_op;
> struct rte_crypto_op *op;
> uint8_t input[4096] = {0};
> + struct rte_crypto_mod_capability mod_capa = {0};
> uint8_t *result = NULL;
> struct rte_event ev;
> void *sess = NULL;
> @@ -503,8 +504,9 @@ test_asym_op_forward_mode(uint8_t session_less)
> asym_op->modex.base.length = modex_test_case.base.len;
> asym_op->modex.result.data = result;
> asym_op->modex.result.length = modex_test_case.result_len;
> - if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> - xform_tc.modex.modulus.length)) {
> +
> + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> RTE_LOG(INFO, USER1,
> "line %u FAILED: %s", __LINE__,
> "Invalid MODULUS length specified");
> @@ -784,7 +786,7 @@ test_session_with_op_new_mode(void)
> static int
> test_asym_op_new_mode(uint8_t session_less)
> {
> - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> + const struct rte_cryptodev_asymmetric_capability *capability;
> struct rte_cryptodev_asym_capability_idx cap_idx;
> struct rte_crypto_asym_xform xform_tc;
> union rte_event_crypto_metadata m_data;
> @@ -792,6 +794,7 @@ test_asym_op_new_mode(uint8_t session_less)
> struct rte_crypto_asym_op *asym_op;
> struct rte_crypto_op *op;
> uint8_t input[4096] = {0};
> + struct rte_crypto_mod_capability mod_capa = {0};
Can you move this above to maintain reverse Xmas tree?
> uint8_t *result = NULL;
> void *sess = NULL;
> uint32_t cap;
> @@ -835,8 +838,9 @@ test_asym_op_new_mode(uint8_t session_less)
> asym_op->modex.base.length = modex_test_case.base.len;
> asym_op->modex.result.data = result;
> asym_op->modex.result.length = modex_test_case.result_len;
> - if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> - xform_tc.modex.modulus.length)) {
> +
> + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> RTE_LOG(INFO, USER1,
> "line %u FAILED: %s", __LINE__,
> "Invalid MODULUS length specified");
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index 16ec5e15eb..e734fc2a69 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -7,6 +7,7 @@
> #include <rte_common.h>
> #include <rte_malloc.h>
> #include <cryptodev_pmd.h>
> +#include <rte_bitops.h>
>
> #include "openssl_pmd_private.h"
> #include "compat.h"
> @@ -470,103 +471,82 @@ static const struct rte_cryptodev_capabilities
> openssl_pmd_capabilities[] = {
> }, }
> }, }
> },
> - { /* RSA */
> + { /* Modular exponentiation */
> .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> {.asym = {
> - .xform_capa = {
> - .xform_type =
> RTE_CRYPTO_ASYM_XFORM_RSA,
> - .op_types = ((1 <<
> RTE_CRYPTO_ASYM_OP_SIGN) |
> - (1 << RTE_CRYPTO_ASYM_OP_VERIFY)
> |
> - (1 <<
> RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> - (1 <<
> RTE_CRYPTO_ASYM_OP_DECRYPT)),
> - {
> - .modlen = {
> - /* min length is based on openssl rsa keygen */
> - .min = 30,
> - /* value 0 symbolizes no limit on max length */
> - .max = 0,
> - .increment = 1
> - }, }
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
> + .mod = {
> + .max_mod_size = 0
> + }
> }
> - },
> }
> },
> - { /* modexp */
> + { /* Modular multiplicative inverse */
> .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> {.asym = {
> - .xform_capa = {
> - .xform_type =
> RTE_CRYPTO_ASYM_XFORM_MODEX,
> - .op_types = 0,
> - {
> - .modlen = {
> - /* value 0 symbolizes no limit on min length */
> - .min = 0,
> - /* value 0 symbolizes no limit on max length */
> - .max = 0,
> - .increment = 1
> - }, }
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
> + .mod = {
> + .max_mod_size = 0
> + }
> }
> - },
> }
> },
> - { /* modinv */
> + { /* RSA */
> .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> {.asym = {
> - .xform_capa = {
> - .xform_type =
> RTE_CRYPTO_ASYM_XFORM_MODINV,
> - .op_types = 0,
> - {
> - .modlen = {
> - /* value 0 symbolizes no limit on min length */
> - .min = 0,
> - /* value 0 symbolizes no limit on max length */
> - .max = 0,
> - .increment = 1
> - }, }
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
> + .rsa = {
> + .padding =
> +
> RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE) |
> +
> RTE_BIT32(RTE_CRYPTO_RSA_PADDING_PKCS1_5),
> + .hash =
> + RTE_BIT32(RTE_CRYPTO_AUTH_MD5)
> |
> + RTE_BIT32(RTE_CRYPTO_AUTH_SHA1)
> |
> +
> RTE_BIT32(RTE_CRYPTO_AUTH_SHA224) |
> +
> RTE_BIT32(RTE_CRYPTO_AUTH_SHA256) |
> +
> RTE_BIT32(RTE_CRYPTO_AUTH_SHA384) |
> +
> RTE_BIT32(RTE_CRYPTO_AUTH_SHA512),
> + .max_key_size = 0
> + }
> }
> - },
> }
> },
> - { /* dh */
> + { /* Diffie-Hellman */
> .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> {.asym = {
> - .xform_capa = {
> - .xform_type =
> RTE_CRYPTO_ASYM_XFORM_DH,
> - .op_types =
> -
> ((1<<RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) |
> - (1 <<
> RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE |
> - (1 <<
> -
> RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE))),
> - {
> - .modlen = {
> - /* value 0 symbolizes no limit on min length */
> - .min = 0,
> - /* value 0 symbolizes no limit on max length */
> - .max = 0,
> - .increment = 1
> - }, }
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
> + .dh = {
> + .max_group_size = 0,
> + .priv_key_gen = 1
> + }
> }
> - },
> }
> },
> - { /* dsa */
> + { /* DSA */
> .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> {.asym = {
> - .xform_capa = {
> - .xform_type =
> RTE_CRYPTO_ASYM_XFORM_DSA,
> - .op_types =
> - ((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
> - (1 << RTE_CRYPTO_ASYM_OP_VERIFY)),
> - {
> - .modlen = {
> - /* value 0 symbolizes no limit on min length */
> - .min = 0,
> - /* value 0 symbolizes no limit on max length */
> - .max = 0,
> - .increment = 1
> - }, }
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_DSA,
> + .dsa = {
> + .max_key_size = 0,
> + .random_k = 1
> + }
> + }
> + }
> + },
> + { /* ECDSA */
> + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> + {.asym = {
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
> + .ecdsa = {
> + .curves =
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP192R1) |
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP224R1) |
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP384R1) |
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
> + .random_k = 1
> + }
> }
> - },
> }
> },
>
Do not combine PMD changes for capabilities in cryptodev patch for new APIs.
> diff --git a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> index 4499fdaf2d..d5144bca84 100644
> --- a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> +++ b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> @@ -28,16 +28,64 @@ struct rte_cryptodev_ops qat_asym_crypto_ops_gen1 =
> {
> };
>
> static struct rte_cryptodev_capabilities qat_asym_crypto_caps_gen1[] = {
> - QAT_ASYM_CAP(MODEX,
> - 0, 1, 512, 1),
> - QAT_ASYM_CAP(MODINV,
> - 0, 1, 512, 1),
> - QAT_ASYM_CAP(RSA,
> - ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
> - (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
> - (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> - (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
> - 64, 512, 64),
> + { /* Modular exponentiation */
> + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> + {.asym = {
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
> + .mod = {
> + .max_mod_size = 4096
> + }
> + }
> + }
> + },
> + { /* Modular multiplicative inverse */
> + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> + {.asym = {
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
> + .mod = {
> + .max_mod_size = 4096
> + }
> + }
> + }
> + },
> + { /* RSA */
> + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> + {.asym = {
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
> + .rsa = {
> + .padding =
> +
> RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE),
> + .hash = 0,
> + .max_key_size = 4096
> + }
> + }
> + }
> + },
> + { /* ECDSA */
> + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> + {.asym = {
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
> + .ecdsa = {
> + .curves =
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
> + .random_k = 0
> + }
> + }
> + }
> + },
> + { /* ECPM */
> + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> + {.asym = {
> + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM,
> + .ecdsa = {
> + .curves =
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> +
> RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1)
> + }
> + }
> + }
> + },
> RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
> };
>
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index d90a7a1957..41b22450d3 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -41,6 +41,14 @@ rte_crypto_asym_ke_strings[];
> extern const char *
> rte_crypto_asym_op_strings[];
>
> +/** RSA padding type name strings */
> +extern const char *
> +rte_crypto_asym_rsa_padding[];
rte_crypto_asym_rsa_padding_strings
> +
> +/** Elliptic curves name strings */
> +extern const char *
> +rte_crypto_curves_strings[];
> +
> /**
> * Buffer to hold crypto params required for asym operations.
> *
> @@ -265,6 +273,46 @@ struct rte_crypto_rsa_padding {
> */
> };
>
> +struct rte_crypto_mod_capability {
> + uint16_t max_mod_size;
> + /**< Maximum supported modulus size in bytes, 0 means no limit */
> +};
> +
> +struct rte_crypto_rsa_capability {
> + uint32_t padding;
> + /**< List of supported paddings */
How is this list supposed to work?
I believe this should be enum to specify a single value.
Driver can maintain a static array to list all supported ones.
And application can query if a particular capability which it intend to use
Is supported by the PMD.
> + uint32_t hash;
> + /**< List of supported hash functions */
Same comment here as well
> + uint32_t max_key_size;
> + /**< Maximum supported key size in bytes, 0 means no limit */
> +};
> +
> +struct rte_crypto_dh_capability {
> + uint16_t max_group_size;
> + /**< Maximum group in bytes, 0 means no limit */
Maximum group size in bytes ...
> + uint8_t priv_key_gen;
> + /**< Does PMD supports private key generation generation */
Is it a flag? Please comment it properly.
> +};
> +
> +struct rte_crypto_dsa_capability {
> + uint16_t max_key_size;
> + /**< Maximum supported key size in bytes, 0 means no limit */
> + uint8_t random_k;
> + /**< Does PMD supports random 'k' generation */
Comments should not ask questions.
> +};
> +
> +struct rte_crypto_ecdsa_capability {
> + uint64_t curves;
> + /**< Supported elliptic curve ids */
Shouldn't this also be enum?
> + uint8_t random_k;
> + /**< Does PMD supports random 'k' generation */
Same comment as above.
> +};
> +
> +struct rte_crypto_ecpm_capability {
> + uint64_t curves;
> + /**< Supported elliptic curve ids */
Enum??
> +};
> +
> /**
> * Asymmetric RSA transform data
> *
> diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
> index 57ee6b3f07..b1ad1112fe 100644
> --- a/lib/cryptodev/rte_cryptodev.c
> +++ b/lib/cryptodev/rte_cryptodev.c
> @@ -190,6 +190,27 @@ const char *rte_crypto_asym_ke_strings[] = {
> };
>
> /**
> + * RSA padding string identifiers
> + */
> +const char *rte_crypto_asym_rsa_padding[] = {
> + [RTE_CRYPTO_RSA_PADDING_NONE] =
> "RTE_CRYPTO_RSA_PADDING_NONE",
> + [RTE_CRYPTO_RSA_PADDING_PKCS1_5] =
> "RTE_CRYPTO_RSA_PADDING_PKCS1_5",
> + [RTE_CRYPTO_RSA_PADDING_OAEP] =
> "RTE_CRYPTO_RSA_PADDING_OAEP",
> + [RTE_CRYPTO_RSA_PADDING_PSS] =
> "RTE_CRYPTO_RSA_PADDING_PSS"
> +};
> +
> +/**
> + * Elliptic curves string identifiers
> + */
> +const char *rte_crypto_curves_strings[] = {
> + [RTE_CRYPTO_EC_GROUP_SECP192R1] =
> "RTE_CRYPTO_EC_GROUP_SECP192R1",
> + [RTE_CRYPTO_EC_GROUP_SECP224R1] =
> "RTE_CRYPTO_EC_GROUP_SECP224R1",
> + [RTE_CRYPTO_EC_GROUP_SECP256R1] =
> "RTE_CRYPTO_EC_GROUP_SECP256R1",
> + [RTE_CRYPTO_EC_GROUP_SECP384R1] =
> "RTE_CRYPTO_EC_GROUP_SECP384R1",
> + [RTE_CRYPTO_EC_GROUP_SECP521R1] =
> "RTE_CRYPTO_EC_GROUP_SECP521R1",
> +};
> +
> +/**
> * The private data structure stored in the sym session mempool private data.
> */
> struct rte_cryptodev_sym_session_pool_private_data {
> @@ -347,7 +368,7 @@ param_range_check(uint16_t size, const struct
> rte_crypto_param_range *range)
> return -1;
> }
>
> -const struct rte_cryptodev_asymmetric_xform_capability *
> +const struct rte_cryptodev_asymmetric_capability *
> rte_cryptodev_asym_capability_get(uint8_t dev_id,
> const struct rte_cryptodev_asym_capability_idx *idx)
> {
> @@ -363,8 +384,8 @@ rte_cryptodev_asym_capability_get(uint8_t dev_id,
> if (capability->op != RTE_CRYPTO_OP_TYPE_ASYMMETRIC)
> continue;
>
> - if (capability->asym.xform_capa.xform_type == idx->type)
> - return &capability->asym.xform_capa;
> + if (capability->asym.xform_type == idx->type)
> + return &capability->asym;
> }
> return NULL;
> };
> @@ -456,6 +477,59 @@ rte_cryptodev_asym_xform_capability_check_modlen(
> return 0;
> }
>
> +int
> +rte_cryptodev_capa_check_mod(
API name should be rte_cryptodev_mod_capa_check
Verb should come in the end.
Fix other APIs also.
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_mod_capability mod)
> +{
> + if (capa->mod.max_mod_size == 0)
> + return 1;
> +
> + if (mod.max_mod_size <= capa->mod.max_mod_size)
> + return 1;
> + else
> + return 0;
> +}
> +
> +int
> +rte_cryptodev_capa_check_rsa(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_rsa_capability rsa)
> +{
> + if (rsa.padding != (capa->rsa.padding & rsa.padding))
> + return 0;
> + if (rsa.hash != (capa->rsa.hash & rsa.hash))
> + return 0;
> + if (capa->rsa.max_key_size == 0)
> + return 1;
> + if (rsa.max_key_size <= capa->rsa.max_key_size)
> + return 1;
> + else
> + return 0;
> +}
Can we have something similar to symmetric crypto/rte_security capabilities?
> +
> +int
> +rte_cryptodev_capa_check_ecdsa(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_ecdsa_capability ecdsa)
> +{
> + if (ecdsa.curves != (capa->ecdsa.curves & ecdsa.curves))
> + return 0;
> + if (ecdsa.random_k == 1 && capa->ecdsa.random_k == 0)
> + return 0;
> + return 1;
> +}
> +
> +int
> +rte_cryptodev_capa_check_ecpm(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_ecpm_capability ecpm)
> +{
> + if (ecpm.curves != (capa->ecpm.curves & ecpm.curves))
> + return 0;
> + return 1;
> +}
> +
> /* spinlock for crypto device enq callbacks */
> static rte_spinlock_t rte_cryptodev_callback_lock =
> RTE_SPINLOCK_INITIALIZER;
>
> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
> index 2c2c2edeb7..6c5bd819b2 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -184,6 +184,19 @@ struct rte_cryptodev_asymmetric_xform_capability {
> *
> */
> struct rte_cryptodev_asymmetric_capability {
> + enum rte_crypto_asym_xform_type xform_type;
> + /**< Asymmetric transform type */
> + uint32_t op_types;
> + /**< bitmask for supported rte_crypto_asym_op_type */
> + union {
> + struct rte_crypto_mod_capability mod;
> + struct rte_crypto_rsa_capability rsa;
> + struct rte_crypto_dh_capability dh;
> + struct rte_crypto_dsa_capability dsa;
> + struct rte_crypto_ecdsa_capability ecdsa;
> + struct rte_crypto_ecpm_capability ecpm;
> + };
> +
> struct rte_cryptodev_asymmetric_xform_capability xform_capa;
> };
>
> @@ -247,7 +260,7 @@ rte_cryptodev_sym_capability_get(uint8_t dev_id,
> * - Return NULL if the capability not exist.
> */
> __rte_experimental
> -const struct rte_cryptodev_asymmetric_xform_capability *
> +const struct rte_cryptodev_asymmetric_capability *
> rte_cryptodev_asym_capability_get(uint8_t dev_id,
> const struct rte_cryptodev_asym_capability_idx *idx);
>
> @@ -339,6 +352,66 @@ rte_cryptodev_asym_xform_capability_check_modlen(
> uint16_t modlen);
>
> /**
> + * Check if requested Modexp features are supported
> + *
> + * @param capability Description of the asymmetric crypto
> capability.
> + * @param mod Modexp requested capability.
> + *
> + * @return
> + * - Return 1 if the parameters are in range of the capability.
> + * - Return 0 if the parameters are out of range of the capability.
> + */
> +__rte_experimental
> +int
> +rte_cryptodev_capa_check_mod(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_mod_capability mod);
> +/**
> + * Check if requested RSA features are supported
> + *
> + * @param capability Description of the asymmetric crypto
> capability.
> + * @param rsa RSA requested capability.
> + *
> + * @return
> + * - Return 1 if the parameters are in range of the capability.
> + * - Return 0 if the parameters are out of range of the capability.
> + */
> +__rte_experimental
> +int
> +rte_cryptodev_capa_check_rsa(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_rsa_capability rsa);
> +/**
> + * Check if requested ECDSA features are supported
> + *
> + * @param capability Description of the asymmetric crypto
> capability.
> + * @param ecdsa ECDSA requested capability.
> + *
> + * @return
> + * - Return 1 if the parameters are in range of the capability.
> + * - Return 0 if the parameters are out of range of the capability.
> + */
> +__rte_experimental
> +int
> +rte_cryptodev_capa_check_ecdsa(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_ecdsa_capability ecdsa);
> +/**
> + * Check if requested ECPM features are supported
> + *
> + * @param capability Description of the asymmetric crypto
> capability.
> + * @param ecpm ECPM requested capability.
> + *
> + * @return
> + * - Return 1 if the parameters are in range of the capability.
> + * - Return 0 if the parameters are out of range of the capability.
> + */
> +__rte_experimental
> +int
> +rte_cryptodev_capa_check_ecpm(
> + const struct rte_cryptodev_asymmetric_capability *capa,
> + struct rte_crypto_ecpm_capability ecpm);
> +/**
> * Provide the cipher algorithm enum, given an algorithm string
> *
> * @param algo_enum A pointer to the cipher algorithm
> diff --git a/lib/cryptodev/version.map b/lib/cryptodev/version.map
> index f0abfaa47d..4d93b9a947 100644
> --- a/lib/cryptodev/version.map
> +++ b/lib/cryptodev/version.map
> @@ -108,6 +108,10 @@ EXPERIMENTAL {
>
> #added in 22.07
> rte_cryptodev_session_event_mdata_set;
> + rte_cryptodev_capa_check_mod;
> + rte_cryptodev_capa_check_rsa;
> + rte_cryptodev_capa_check_ecdsa;
> + rte_cryptodev_capa_check_ecpm;
> };
>
> INTERNAL {
> --
> 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 14/14] cryptodev: add asym algorithms capabilities
2022-05-26 12:54 ` [EXT] " Akhil Goyal
@ 2022-05-26 14:19 ` Kusztal, ArkadiuszX
2022-05-26 15:00 ` Akhil Goyal
0 siblings, 1 reply; 41+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-05-26 14:19 UTC (permalink / raw)
To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Thursday, May 26, 2022 2:54 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 14/14] cryptodev: add asym algorithms capabilities
>
> > - Added asymmetric crypto algorithm specific capability struct.
> > Included fields like random number capability, padding flags etc.
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> > app/test-crypto-perf/main.c | 12 +-
> > app/test-eventdev/test_perf_common.c | 2 +-
> > app/test/test_cryptodev_asym.c | 210 +++++++++++++++++++++------
> > app/test/test_event_crypto_adapter.c | 16 +-
> > drivers/crypto/openssl/rte_openssl_pmd_ops.c | 128 +++++++---------
> > drivers/crypto/qat/dev/qat_asym_pmd_gen1.c | 68 +++++++--
> > lib/cryptodev/rte_crypto_asym.h | 48 ++++++
> > lib/cryptodev/rte_cryptodev.c | 80 +++++++++-
> > lib/cryptodev/rte_cryptodev.h | 75 +++++++++-
> > lib/cryptodev/version.map | 4 +
> > 10 files changed, 495 insertions(+), 148 deletions(-)
>
> This would also need a change in documentation.
>
> >
> > diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> > index 17e30a8e74..f8a4c9cdcf 100644
> > --- a/app/test-crypto-perf/main.c
> > +++ b/app/test-crypto-perf/main.c
> > @@ -364,8 +364,8 @@ cperf_verify_devices_capabilities(struct
> > cperf_options *opts,
> > struct rte_cryptodev_sym_capability_idx cap_idx;
> > const struct rte_cryptodev_symmetric_capability *capability;
> > struct rte_cryptodev_asym_capability_idx asym_cap_idx;
> > - const struct rte_cryptodev_asymmetric_xform_capability
> > *asym_capability;
> > -
> > + const struct rte_cryptodev_asymmetric_capability *asym_capability;
> > + struct rte_crypto_mod_capability mod_capa = {0};
> >
> > uint8_t i, cdev_id;
> > int ret;
> > @@ -381,11 +381,11 @@ cperf_verify_devices_capabilities(struct
> > cperf_options *opts,
> > if (asym_capability == NULL)
> > return -1;
> >
> > - ret =
> > rte_cryptodev_asym_xform_capability_check_modlen(
> > - asym_capability, opts->modex_data-
> > >modulus.len);
> > - if (ret != 0)
> > + mod_capa.max_mod_size = opts->modex_data-
> > >modulus.len;
> > + ret = rte_cryptodev_capa_check_mod(asym_capability,
> > + mod_capa);
> > + if (ret == 0)
> > return ret;
> > -
> > }
> >
> > if (opts->op_type == CPERF_AUTH_ONLY || diff --git
> > a/app/test-eventdev/test_perf_common.c b/app/test-
> > eventdev/test_perf_common.c index b41785492e..ac8e6410ab 100644
> > --- a/app/test-eventdev/test_perf_common.c
> > +++ b/app/test-eventdev/test_perf_common.c
> > @@ -846,7 +846,7 @@ cryptodev_sym_sess_create(struct prod_data *p,
> > struct test_perf *t) static void * cryptodev_asym_sess_create(struct
> > prod_data *p, struct test_perf *t) {
> > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > + const struct rte_cryptodev_asymmetric_capability *capability;
> > struct rte_cryptodev_asym_capability_idx cap_idx;
> > struct rte_crypto_asym_xform xform;
> > void *sess;
> > diff --git a/app/test/test_cryptodev_asym.c
> > b/app/test/test_cryptodev_asym.c index 072dbb30f4..c531265642 100644
> > --- a/app/test/test_cryptodev_asym.c
> > +++ b/app/test/test_cryptodev_asym.c
> > @@ -311,10 +311,11 @@ test_cryptodev_asym_op(struct
> > crypto_testsuite_params_asym *ts_params,
> > struct rte_crypto_asym_xform xform_tc;
> > void *sess = NULL;
> > struct rte_cryptodev_asym_capability_idx cap_idx;
> > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > + const struct rte_cryptodev_asymmetric_capability *capability;
> > uint8_t dev_id = ts_params->valid_devs[0];
> > uint8_t input[TEST_DATA_SIZE] = {0};
> > uint8_t *result = NULL;
> > + struct rte_crypto_mod_capability mod_capa = {0};
> >
> > int ret, status = TEST_SUCCESS;
> >
> > @@ -358,8 +359,10 @@ test_cryptodev_asym_op(struct
> > crypto_testsuite_params_asym *ts_params,
> > asym_op->modex.base.length = data_tc->modex.base.len;
> > asym_op->modex.result.data = result;
> > asym_op->modex.result.length = data_tc->modex.result_len;
> > - if
> > (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > - xform_tc.modex.modulus.length)) {
> > +
> > + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> > + if (!rte_cryptodev_capa_check_mod(capability,
> > + mod_capa)) {
> > snprintf(test_msg, ASYM_TEST_MSG_LEN,
> > "line %u "
> > "FAILED: %s", __LINE__,
> > @@ -378,8 +381,10 @@ test_cryptodev_asym_op(struct
> > crypto_testsuite_params_asym *ts_params,
> > asym_op->modinv.base.length = data_tc->modinv.base.len;
> > asym_op->modinv.result.data = result;
> > asym_op->modinv.result.length = data_tc->modinv.result_len;
> > - if
> > (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > - xform_tc.modinv.modulus.length)) {
> > +
> > + mod_capa.max_mod_size = xform_tc.modinv.modulus.length;
> > + if (!rte_cryptodev_capa_check_mod(capability,
> > + mod_capa)) {
> > snprintf(test_msg, ASYM_TEST_MSG_LEN,
> > "line %u "
> > "FAILED: %s", __LINE__,
> > @@ -963,38 +968,100 @@ ut_teardown_asym(void)
> > rte_cryptodev_stop(ts_params->valid_devs[0]);
> > }
> >
> > -static inline void print_asym_capa(
> > - const struct rte_cryptodev_asymmetric_xform_capability
> > *capa)
> > +static void
> > +print_rsa_capability(
> > + const struct rte_cryptodev_asymmetric_capability *capa)
> > {
> > int i = 0;
> >
> > + printf("\nSupported paddings:");
> > + for (; i < 32; i++) {
> > + if (capa->rsa.padding & RTE_BIT32(i))
> > + printf("\n - %s", rte_crypto_asym_rsa_padding[i]);
> > + }
> > + printf("\nSupported hash functions:");
> > + for (i = 0; i < 32; i++) {
> > + if (capa->rsa.hash & RTE_BIT32(i))
> > + printf("\n - %s", rte_crypto_auth_algorithm_strings[i]);
> > + }
> > + printf("\nMaximum key size: ");
> > + if (capa->rsa.max_key_size == 0)
> > + printf("Unlimited");
> > + else
> > + printf("%hu", capa->rsa.max_key_size); }
> > +
> > +static void
> > +print_supported_curves(uint64_t curves) {
> > + int i = 0;
> > +
> > + printf("\nSupported elliptic curves:");
> > + for (; i < 64; i++) {
> > + if (curves & RTE_BIT64(i))
> > + printf("\n - %s", rte_crypto_curves_strings[i]);
> > + }
> > +}
> > +
> > +static inline void print_asym_capa(
> > + const struct rte_cryptodev_asymmetric_capability *capa) {
> > printf("\nxform type: %s\n===================\n",
> > rte_crypto_asym_xform_strings[capa->xform_type]);
> > - printf("operation supported -");
> >
> > - for (i = 0; i < RTE_CRYPTO_ASYM_OP_LIST_END; i++) {
> > - /* check supported operations */
> > - if (rte_cryptodev_asym_xform_capability_check_optype(capa,
> > i))
> > - printf(" %s",
> > - rte_crypto_asym_op_strings[i]);
> > - }
> > - switch (capa->xform_type) {
> > - case RTE_CRYPTO_ASYM_XFORM_RSA:
> > - case RTE_CRYPTO_ASYM_XFORM_MODINV:
> > - case RTE_CRYPTO_ASYM_XFORM_MODEX:
> > - case RTE_CRYPTO_ASYM_XFORM_DH:
> > - case RTE_CRYPTO_ASYM_XFORM_DSA:
> > - printf(" modlen: min %d max %d increment %d",
> > - capa->modlen.min,
> > - capa->modlen.max,
> > - capa->modlen.increment);
> > + switch (capa->xform_type) {
> > + case RTE_CRYPTO_ASYM_XFORM_MODEX:
> > + case RTE_CRYPTO_ASYM_XFORM_MODINV:
> > + printf("Maximum size of modulus: ");
> > + if (capa->mod.max_mod_size == 0)
> > + printf("Unlimited");
> > + else
> > + printf("%hu", capa->mod.max_mod_size);
> > break;
> > - case RTE_CRYPTO_ASYM_XFORM_ECDSA:
> > - case RTE_CRYPTO_ASYM_XFORM_ECPM:
> > - default:
> > - break;
> > - }
> > - printf("\n");
> > + case RTE_CRYPTO_ASYM_XFORM_RSA:
> > + print_rsa_capability(capa);
> > + break;
> > + case RTE_CRYPTO_ASYM_XFORM_DH:
>
> ECDH?? I hope it will be added once it is tested in this app.
>
> > + printf("Maximum group size: ");
> > + if (capa->dh.max_group_size == 0)
> > + printf("Unlimited");
> > + else
> > + printf("%hu", capa->dh.max_group_size);
> > + printf("\nSupport for private key generation: ");
> > + if (capa->dh.priv_key_gen)
> > + printf("Yes");
> > + else
> > + printf("No");
> > + break;
> > + case RTE_CRYPTO_ASYM_XFORM_DSA:
> > + printf("Maximum key size: ");
> > + if (capa->dsa.max_key_size == 0)
> > + printf("Unlimited");
> > + else
> > + printf("%hu", capa->dsa.max_key_size);
> > + printf("\nSupport for random 'k' generation: ");
> > + if (capa->dsa.random_k)
> > + printf("Yes");
> > + else
> > + printf("No");
> > + break;
> > +
> > + break;
> > + case RTE_CRYPTO_ASYM_XFORM_ECDSA:
> > + print_supported_curves(capa->ecdsa.curves);
> > + printf("\nSupport for random 'k' generation: ");
> > + if (capa->ecdsa.random_k)
> > + printf("Yes");
> > + else
> > + printf("No");
> > + break;
> > + case RTE_CRYPTO_ASYM_XFORM_ECPM:
> > + print_supported_curves(capa->ecpm.curves);
> > + break;
> > + default:
> > + break;
> > + }
> > + printf("\n");
> > }
> >
> > static int
> > @@ -1006,7 +1073,7 @@ test_capability(void)
> > const struct rte_cryptodev_capabilities *dev_capa;
> > int i = 0;
> > struct rte_cryptodev_asym_capability_idx idx;
> > - const struct rte_cryptodev_asymmetric_xform_capability *capa;
> > + const struct rte_cryptodev_asymmetric_capability *capa;
> >
> > rte_cryptodev_info_get(dev_id, &dev_info);
> > if (!(dev_info.feature_flags &
> > @@ -1023,7 +1090,7 @@ test_capability(void)
> > dev_capa = &(dev_info.capabilities[i]);
> > if (dev_info.capabilities[i].op ==
> > RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {
> > - idx.type = dev_capa->asym.xform_capa.xform_type;
> > + idx.type = dev_capa->asym.xform_type;
> >
> > capa = rte_cryptodev_asym_capability_get(dev_id,
> > (const struct
> > @@ -1386,10 +1453,11 @@ test_mod_inv(void)
> > void *sess = NULL;
> > int status = TEST_SUCCESS;
> > struct rte_cryptodev_asym_capability_idx cap_idx;
> > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > + const struct rte_cryptodev_asymmetric_capability *capability;
> > uint8_t input[TEST_DATA_SIZE] = {0};
> > int ret = 0;
> > uint8_t result[sizeof(mod_p)] = { 0 };
> > + struct rte_crypto_mod_capability mod_capa = {0};
> >
> > if (rte_cryptodev_asym_get_xform_enum(
> > &modinv_xform.xform_type, "modinv") < 0) { @@ -1408,13
> +1476,11 @@
> > test_mod_inv(void)
> > return TEST_SKIPPED;
> > }
> >
> > - if (rte_cryptodev_asym_xform_capability_check_modlen(
> > - capability,
> > - modinv_xform.modinv.modulus.length)) {
> > - RTE_LOG(ERR, USER1,
> > - "Invalid MODULUS length specified\n");
> > - return TEST_SKIPPED;
> > - }
> > + mod_capa.max_mod_size = modinv_xform.modinv.modulus.length;
> > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > + RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
> > + return TEST_SKIPPED;
> > + }
> >
> > ret = rte_cryptodev_asym_session_create(dev_id, &modinv_xform,
> > sess_mpool, &sess);
> > if (ret < 0) {
> > @@ -1499,7 +1565,8 @@ test_mod_exp(void)
> > void *sess = NULL;
> > int status = TEST_SUCCESS;
> > struct rte_cryptodev_asym_capability_idx cap_idx;
> > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > + const struct rte_cryptodev_asymmetric_capability *capability;
> > + struct rte_crypto_mod_capability mod_capa = {0};
> > uint8_t input[TEST_DATA_SIZE] = {0};
> > int ret = 0;
> > uint8_t result[sizeof(mod_p)] = { 0 }; @@ -1522,12 +1589,11 @@
> > test_mod_exp(void)
> > return TEST_SKIPPED;
> > }
> >
> > - if (rte_cryptodev_asym_xform_capability_check_modlen(
> > - capability, modex_xform.modex.modulus.length)) {
> > - RTE_LOG(ERR, USER1,
> > - "Invalid MODULUS length specified\n");
> > - return TEST_SKIPPED;
> > - }
> > + mod_capa.max_mod_size = modex_xform.modex.modulus.length;
> > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > + RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
> > + return TEST_SKIPPED;
> > + }
> >
> > /* Create op, create session, and process packets. 8< */
> > op = rte_crypto_op_alloc(op_mpool,
> > RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> > @@ -1785,6 +1851,8 @@ test_ecdsa_sign_verify(enum curve curve_id)
> > struct rte_crypto_asym_xform xform;
> > struct rte_crypto_asym_op *asym_op;
> > struct rte_cryptodev_info dev_info;
> > + struct rte_cryptodev_asym_capability_idx idx;
> > + const struct rte_cryptodev_asymmetric_capability *capabilities;
> > struct rte_crypto_op *op = NULL;
> > int ret, status = TEST_SUCCESS;
> >
> > @@ -1814,6 +1882,25 @@ test_ecdsa_sign_verify(enum curve curve_id)
> >
> > rte_cryptodev_info_get(dev_id, &dev_info);
> >
> > + struct rte_crypto_ecdsa_capability capa = {
> > + .curves = RTE_BIT32(input_params.curve),
> > + .random_k = 0
> > + };
> > +
> > + idx.type = RTE_CRYPTO_ASYM_XFORM_ECDSA;
> > + capabilities = rte_cryptodev_asym_capability_get(dev_id,
> > + (const struct
> > + rte_cryptodev_asym_capability_idx *) &idx);
> > +
> > + if (capabilities == NULL) {
> > + status = TEST_SKIPPED;
> > + goto exit;
> > + }
> > + if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
> > + status = TEST_SKIPPED;
> > + goto exit;
> > + }
> > +
> > /* Setup crypto op data structure */
> > op = rte_crypto_op_alloc(op_mpool,
> > RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> > if (op == NULL) {
> > @@ -1962,6 +2049,8 @@ test_ecdsa_sign_verify_all_curve(void)
> > status = test_ecdsa_sign_verify(curve_id);
> > if (status == TEST_SUCCESS) {
> > msg = "succeeded";
> > + } else if (status == TEST_SKIPPED) {
> > + continue;
> > } else {
> > msg = "failed";
> > overall_status = status;
> > @@ -1987,6 +2076,8 @@ test_ecpm(enum curve curve_id)
> > struct rte_crypto_asym_xform xform;
> > struct rte_crypto_asym_op *asym_op;
> > struct rte_cryptodev_info dev_info;
> > + struct rte_cryptodev_asym_capability_idx idx;
> > + const struct rte_cryptodev_asymmetric_capability *capabilities;
> > struct rte_crypto_op *op = NULL;
> > int ret, status = TEST_SUCCESS;
> >
> > @@ -2016,6 +2107,24 @@ test_ecpm(enum curve curve_id)
> >
> > rte_cryptodev_info_get(dev_id, &dev_info);
> >
> > + struct rte_crypto_ecdsa_capability capa = {
> > + .curves = RTE_BIT32(input_params.curve)
> > + };
> > +
> > + idx.type = RTE_CRYPTO_ASYM_XFORM_ECPM;
> > + capabilities = rte_cryptodev_asym_capability_get(dev_id,
> > + (const struct
> > + rte_cryptodev_asym_capability_idx *) &idx);
> > +
> > + if (capabilities == NULL) {
> > + status = TEST_SKIPPED;
> > + goto exit;
> > + }
> > + if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
> > + status = TEST_SKIPPED;
> > + goto exit;
> > + }
> > +
> > /* Setup crypto op data structure */
> > op = rte_crypto_op_alloc(op_mpool,
> > RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> > if (op == NULL) {
> > @@ -2124,6 +2233,8 @@ test_ecpm_all_curve(void)
> > status = test_ecpm(curve_id);
> > if (status == TEST_SUCCESS) {
> > msg = "succeeded";
> > + } else if (status == TEST_SKIPPED) {
> > + continue;
> > } else {
> > msg = "failed";
> > overall_status = status;
> > @@ -2162,7 +2273,12 @@ static struct unit_test_suite
> > cryptodev_qat_asym_testsuite = {
> > .setup = testsuite_setup,
> > .teardown = testsuite_teardown,
> > .unit_test_cases = {
> > + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > test_capability),
> > TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> test_one_by_one),
> > + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > + test_ecdsa_sign_verify_all_curve),
> > + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > + test_ecpm_all_curve),
> > TEST_CASES_END() /**< NULL terminate unit test array */
> > }
> > };
>
> I think patch need to be split for adding test app changes.
>
>
> > diff --git a/app/test/test_event_crypto_adapter.c
> > b/app/test/test_event_crypto_adapter.c
> > index 2ecc7e2cea..9a62241371 100644
> > --- a/app/test/test_event_crypto_adapter.c
> > +++ b/app/test/test_event_crypto_adapter.c
> > @@ -450,7 +450,7 @@ test_session_with_op_forward_mode(void)
> > static int
> > test_asym_op_forward_mode(uint8_t session_less) {
> > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > + const struct rte_cryptodev_asymmetric_capability *capability;
> > struct rte_cryptodev_asym_capability_idx cap_idx;
> > struct rte_crypto_asym_xform xform_tc;
> > union rte_event_crypto_metadata m_data; @@ -458,6 +458,7 @@
> > test_asym_op_forward_mode(uint8_t session_less)
> > struct rte_crypto_asym_op *asym_op;
> > struct rte_crypto_op *op;
> > uint8_t input[4096] = {0};
> > + struct rte_crypto_mod_capability mod_capa = {0};
> > uint8_t *result = NULL;
> > struct rte_event ev;
> > void *sess = NULL;
> > @@ -503,8 +504,9 @@ test_asym_op_forward_mode(uint8_t session_less)
> > asym_op->modex.base.length = modex_test_case.base.len;
> > asym_op->modex.result.data = result;
> > asym_op->modex.result.length = modex_test_case.result_len;
> > - if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > - xform_tc.modex.modulus.length)) {
> > +
> > + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > RTE_LOG(INFO, USER1,
> > "line %u FAILED: %s", __LINE__,
> > "Invalid MODULUS length specified"); @@ -784,7
> +786,7 @@
> > test_session_with_op_new_mode(void)
> > static int
> > test_asym_op_new_mode(uint8_t session_less) {
> > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > + const struct rte_cryptodev_asymmetric_capability *capability;
> > struct rte_cryptodev_asym_capability_idx cap_idx;
> > struct rte_crypto_asym_xform xform_tc;
> > union rte_event_crypto_metadata m_data; @@ -792,6 +794,7 @@
> > test_asym_op_new_mode(uint8_t session_less)
> > struct rte_crypto_asym_op *asym_op;
> > struct rte_crypto_op *op;
> > uint8_t input[4096] = {0};
> > + struct rte_crypto_mod_capability mod_capa = {0};
>
> Can you move this above to maintain reverse Xmas tree?
>
> > uint8_t *result = NULL;
> > void *sess = NULL;
> > uint32_t cap;
> > @@ -835,8 +838,9 @@ test_asym_op_new_mode(uint8_t session_less)
> > asym_op->modex.base.length = modex_test_case.base.len;
> > asym_op->modex.result.data = result;
> > asym_op->modex.result.length = modex_test_case.result_len;
> > - if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > - xform_tc.modex.modulus.length)) {
> > +
> > + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > RTE_LOG(INFO, USER1,
> > "line %u FAILED: %s", __LINE__,
> > "Invalid MODULUS length specified"); diff --git
> > a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > index 16ec5e15eb..e734fc2a69 100644
> > --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > @@ -7,6 +7,7 @@
> > #include <rte_common.h>
> > #include <rte_malloc.h>
> > #include <cryptodev_pmd.h>
> > +#include <rte_bitops.h>
> >
> > #include "openssl_pmd_private.h"
> > #include "compat.h"
> > @@ -470,103 +471,82 @@ static const struct rte_cryptodev_capabilities
> > openssl_pmd_capabilities[] = {
> > }, }
> > }, }
> > },
> > - { /* RSA */
> > + { /* Modular exponentiation */
> > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > {.asym = {
> > - .xform_capa = {
> > - .xform_type =
> > RTE_CRYPTO_ASYM_XFORM_RSA,
> > - .op_types = ((1 <<
> > RTE_CRYPTO_ASYM_OP_SIGN) |
> > - (1 << RTE_CRYPTO_ASYM_OP_VERIFY)
> > |
> > - (1 <<
> > RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> > - (1 <<
> > RTE_CRYPTO_ASYM_OP_DECRYPT)),
> > - {
> > - .modlen = {
> > - /* min length is based on openssl rsa keygen */
> > - .min = 30,
> > - /* value 0 symbolizes no limit on max length */
> > - .max = 0,
> > - .increment = 1
> > - }, }
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
> > + .mod = {
> > + .max_mod_size = 0
> > + }
> > }
> > - },
> > }
> > },
> > - { /* modexp */
> > + { /* Modular multiplicative inverse */
> > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > {.asym = {
> > - .xform_capa = {
> > - .xform_type =
> > RTE_CRYPTO_ASYM_XFORM_MODEX,
> > - .op_types = 0,
> > - {
> > - .modlen = {
> > - /* value 0 symbolizes no limit on min length */
> > - .min = 0,
> > - /* value 0 symbolizes no limit on max length */
> > - .max = 0,
> > - .increment = 1
> > - }, }
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
> > + .mod = {
> > + .max_mod_size = 0
> > + }
> > }
> > - },
> > }
> > },
> > - { /* modinv */
> > + { /* RSA */
> > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > {.asym = {
> > - .xform_capa = {
> > - .xform_type =
> > RTE_CRYPTO_ASYM_XFORM_MODINV,
> > - .op_types = 0,
> > - {
> > - .modlen = {
> > - /* value 0 symbolizes no limit on min length */
> > - .min = 0,
> > - /* value 0 symbolizes no limit on max length */
> > - .max = 0,
> > - .increment = 1
> > - }, }
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
> > + .rsa = {
> > + .padding =
> > +
> > RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE) |
> > +
> > RTE_BIT32(RTE_CRYPTO_RSA_PADDING_PKCS1_5),
> > + .hash =
> > + RTE_BIT32(RTE_CRYPTO_AUTH_MD5)
> > |
> > + RTE_BIT32(RTE_CRYPTO_AUTH_SHA1)
> > |
> > +
> > RTE_BIT32(RTE_CRYPTO_AUTH_SHA224) |
> > +
> > RTE_BIT32(RTE_CRYPTO_AUTH_SHA256) |
> > +
> > RTE_BIT32(RTE_CRYPTO_AUTH_SHA384) |
> > +
> > RTE_BIT32(RTE_CRYPTO_AUTH_SHA512),
> > + .max_key_size = 0
> > + }
> > }
> > - },
> > }
> > },
> > - { /* dh */
> > + { /* Diffie-Hellman */
> > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > {.asym = {
> > - .xform_capa = {
> > - .xform_type =
> > RTE_CRYPTO_ASYM_XFORM_DH,
> > - .op_types =
> > -
> > ((1<<RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) |
> > - (1 <<
> > RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE |
> > - (1 <<
> > -
> > RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE))),
> > - {
> > - .modlen = {
> > - /* value 0 symbolizes no limit on min length */
> > - .min = 0,
> > - /* value 0 symbolizes no limit on max length */
> > - .max = 0,
> > - .increment = 1
> > - }, }
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
> > + .dh = {
> > + .max_group_size = 0,
> > + .priv_key_gen = 1
> > + }
> > }
> > - },
> > }
> > },
> > - { /* dsa */
> > + { /* DSA */
> > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > {.asym = {
> > - .xform_capa = {
> > - .xform_type =
> > RTE_CRYPTO_ASYM_XFORM_DSA,
> > - .op_types =
> > - ((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
> > - (1 << RTE_CRYPTO_ASYM_OP_VERIFY)),
> > - {
> > - .modlen = {
> > - /* value 0 symbolizes no limit on min length */
> > - .min = 0,
> > - /* value 0 symbolizes no limit on max length */
> > - .max = 0,
> > - .increment = 1
> > - }, }
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_DSA,
> > + .dsa = {
> > + .max_key_size = 0,
> > + .random_k = 1
> > + }
> > + }
> > + }
> > + },
> > + { /* ECDSA */
> > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > + {.asym = {
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
> > + .ecdsa = {
> > + .curves =
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP192R1) |
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP224R1) |
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP384R1) |
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
> > + .random_k = 1
> > + }
> > }
> > - },
> > }
> > },
> >
>
> Do not combine PMD changes for capabilities in cryptodev patch for new APIs.
>
>
> > diff --git a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > index 4499fdaf2d..d5144bca84 100644
> > --- a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > +++ b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > @@ -28,16 +28,64 @@ struct rte_cryptodev_ops qat_asym_crypto_ops_gen1
> > = { };
> >
> > static struct rte_cryptodev_capabilities qat_asym_crypto_caps_gen1[] = {
> > - QAT_ASYM_CAP(MODEX,
> > - 0, 1, 512, 1),
> > - QAT_ASYM_CAP(MODINV,
> > - 0, 1, 512, 1),
> > - QAT_ASYM_CAP(RSA,
> > - ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
> > - (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
> > - (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> > - (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
> > - 64, 512, 64),
> > + { /* Modular exponentiation */
> > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > + {.asym = {
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
> > + .mod = {
> > + .max_mod_size = 4096
> > + }
> > + }
> > + }
> > + },
> > + { /* Modular multiplicative inverse */
> > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > + {.asym = {
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
> > + .mod = {
> > + .max_mod_size = 4096
> > + }
> > + }
> > + }
> > + },
> > + { /* RSA */
> > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > + {.asym = {
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
> > + .rsa = {
> > + .padding =
> > +
> > RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE),
> > + .hash = 0,
> > + .max_key_size = 4096
> > + }
> > + }
> > + }
> > + },
> > + { /* ECDSA */
> > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > + {.asym = {
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
> > + .ecdsa = {
> > + .curves =
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
> > + .random_k = 0
> > + }
> > + }
> > + }
> > + },
> > + { /* ECPM */
> > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > + {.asym = {
> > + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM,
> > + .ecdsa = {
> > + .curves =
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> > +
> > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1)
> > + }
> > + }
> > + }
> > + },
> > RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
> > };
> >
> > diff --git a/lib/cryptodev/rte_crypto_asym.h
> > b/lib/cryptodev/rte_crypto_asym.h index d90a7a1957..41b22450d3 100644
> > --- a/lib/cryptodev/rte_crypto_asym.h
> > +++ b/lib/cryptodev/rte_crypto_asym.h
> > @@ -41,6 +41,14 @@ rte_crypto_asym_ke_strings[]; extern const char *
> > rte_crypto_asym_op_strings[];
> >
> > +/** RSA padding type name strings */
> > +extern const char *
> > +rte_crypto_asym_rsa_padding[];
>
> rte_crypto_asym_rsa_padding_strings
>
> > +
> > +/** Elliptic curves name strings */
> > +extern const char *
> > +rte_crypto_curves_strings[];
> > +
> > /**
> > * Buffer to hold crypto params required for asym operations.
> > *
> > @@ -265,6 +273,46 @@ struct rte_crypto_rsa_padding {
> > */
> > };
> >
> > +struct rte_crypto_mod_capability {
> > + uint16_t max_mod_size;
> > + /**< Maximum supported modulus size in bytes, 0 means no limit */ };
> > +
> > +struct rte_crypto_rsa_capability {
> > + uint32_t padding;
> > + /**< List of supported paddings */
> How is this list supposed to work?
> I believe this should be enum to specify a single value.
> Driver can maintain a static array to list all supported ones.
> And application can query if a particular capability which it intend to use Is
> supported by the PMD.
>
> > + uint32_t hash;
> > + /**< List of supported hash functions */
> Same comment here as well
>
> > + uint32_t max_key_size;
> > + /**< Maximum supported key size in bytes, 0 means no limit */ };
> > +
> > +struct rte_crypto_dh_capability {
> > + uint16_t max_group_size;
> > + /**< Maximum group in bytes, 0 means no limit */
> Maximum group size in bytes ...
>
> > + uint8_t priv_key_gen;
> > + /**< Does PMD supports private key generation generation */
> Is it a flag? Please comment it properly.
>
> > +};
> > +
> > +struct rte_crypto_dsa_capability {
> > + uint16_t max_key_size;
> > + /**< Maximum supported key size in bytes, 0 means no limit */
> > + uint8_t random_k;
> > + /**< Does PMD supports random 'k' generation */
>
> Comments should not ask questions.
>
> > +};
> > +
> > +struct rte_crypto_ecdsa_capability {
> > + uint64_t curves;
> > + /**< Supported elliptic curve ids */
> Shouldn't this also be enum?
>
> > + uint8_t random_k;
> > + /**< Does PMD supports random 'k' generation */
>
> Same comment as above.
> > +};
> > +
> > +struct rte_crypto_ecpm_capability {
> > + uint64_t curves;
> > + /**< Supported elliptic curve ids */
>
> Enum??
>
> > +};
> > +
> > /**
> > * Asymmetric RSA transform data
> > *
> > diff --git a/lib/cryptodev/rte_cryptodev.c
> > b/lib/cryptodev/rte_cryptodev.c index 57ee6b3f07..b1ad1112fe 100644
> > --- a/lib/cryptodev/rte_cryptodev.c
> > +++ b/lib/cryptodev/rte_cryptodev.c
> > @@ -190,6 +190,27 @@ const char *rte_crypto_asym_ke_strings[] = { };
> >
> > /**
> > + * RSA padding string identifiers
> > + */
> > +const char *rte_crypto_asym_rsa_padding[] = {
> > + [RTE_CRYPTO_RSA_PADDING_NONE] =
> > "RTE_CRYPTO_RSA_PADDING_NONE",
> > + [RTE_CRYPTO_RSA_PADDING_PKCS1_5] =
> > "RTE_CRYPTO_RSA_PADDING_PKCS1_5",
> > + [RTE_CRYPTO_RSA_PADDING_OAEP] =
> > "RTE_CRYPTO_RSA_PADDING_OAEP",
> > + [RTE_CRYPTO_RSA_PADDING_PSS] =
> > "RTE_CRYPTO_RSA_PADDING_PSS"
> > +};
> > +
> > +/**
> > + * Elliptic curves string identifiers */ const char
> > +*rte_crypto_curves_strings[] = {
> > + [RTE_CRYPTO_EC_GROUP_SECP192R1] =
> > "RTE_CRYPTO_EC_GROUP_SECP192R1",
> > + [RTE_CRYPTO_EC_GROUP_SECP224R1] =
> > "RTE_CRYPTO_EC_GROUP_SECP224R1",
> > + [RTE_CRYPTO_EC_GROUP_SECP256R1] =
> > "RTE_CRYPTO_EC_GROUP_SECP256R1",
> > + [RTE_CRYPTO_EC_GROUP_SECP384R1] =
> > "RTE_CRYPTO_EC_GROUP_SECP384R1",
> > + [RTE_CRYPTO_EC_GROUP_SECP521R1] =
> > "RTE_CRYPTO_EC_GROUP_SECP521R1",
> > +};
> > +
> > +/**
> > * The private data structure stored in the sym session mempool private data.
> > */
> > struct rte_cryptodev_sym_session_pool_private_data { @@ -347,7 +368,7
> > @@ param_range_check(uint16_t size, const struct
> > rte_crypto_param_range *range)
> > return -1;
> > }
> >
> > -const struct rte_cryptodev_asymmetric_xform_capability *
> > +const struct rte_cryptodev_asymmetric_capability *
> > rte_cryptodev_asym_capability_get(uint8_t dev_id,
> > const struct rte_cryptodev_asym_capability_idx *idx) { @@ -
> 363,8
> > +384,8 @@ rte_cryptodev_asym_capability_get(uint8_t dev_id,
> > if (capability->op != RTE_CRYPTO_OP_TYPE_ASYMMETRIC)
> > continue;
> >
> > - if (capability->asym.xform_capa.xform_type == idx->type)
> > - return &capability->asym.xform_capa;
> > + if (capability->asym.xform_type == idx->type)
> > + return &capability->asym;
> > }
> > return NULL;
> > };
> > @@ -456,6 +477,59 @@
> rte_cryptodev_asym_xform_capability_check_modlen(
> > return 0;
> > }
> >
> > +int
> > +rte_cryptodev_capa_check_mod(
>
> API name should be rte_cryptodev_mod_capa_check Verb should come in the
> end.
> Fix other APIs also.
>
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_mod_capability mod) {
> > + if (capa->mod.max_mod_size == 0)
> > + return 1;
> > +
> > + if (mod.max_mod_size <= capa->mod.max_mod_size)
> > + return 1;
> > + else
> > + return 0;
> > +}
> > +
> > +int
> > +rte_cryptodev_capa_check_rsa(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_rsa_capability rsa) {
> > + if (rsa.padding != (capa->rsa.padding & rsa.padding))
> > + return 0;
> > + if (rsa.hash != (capa->rsa.hash & rsa.hash))
> > + return 0;
> > + if (capa->rsa.max_key_size == 0)
> > + return 1;
> > + if (rsa.max_key_size <= capa->rsa.max_key_size)
> > + return 1;
> > + else
> > + return 0;
> > +}
>
> Can we have something similar to symmetric crypto/rte_security capabilities?
In what way similar? There are mostly range checks in symmetric.
>
> > +
> > +int
> > +rte_cryptodev_capa_check_ecdsa(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_ecdsa_capability ecdsa) {
> > + if (ecdsa.curves != (capa->ecdsa.curves & ecdsa.curves))
> > + return 0;
> > + if (ecdsa.random_k == 1 && capa->ecdsa.random_k == 0)
> > + return 0;
> > + return 1;
> > +}
> > +
> > +int
> > +rte_cryptodev_capa_check_ecpm(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_ecpm_capability ecpm) {
> > + if (ecpm.curves != (capa->ecpm.curves & ecpm.curves))
> > + return 0;
> > + return 1;
> > +}
> > +
> > /* spinlock for crypto device enq callbacks */ static rte_spinlock_t
> > rte_cryptodev_callback_lock = RTE_SPINLOCK_INITIALIZER;
> >
> > diff --git a/lib/cryptodev/rte_cryptodev.h
> > b/lib/cryptodev/rte_cryptodev.h index 2c2c2edeb7..6c5bd819b2 100644
> > --- a/lib/cryptodev/rte_cryptodev.h
> > +++ b/lib/cryptodev/rte_cryptodev.h
> > @@ -184,6 +184,19 @@ struct rte_cryptodev_asymmetric_xform_capability {
> > *
> > */
> > struct rte_cryptodev_asymmetric_capability {
> > + enum rte_crypto_asym_xform_type xform_type;
> > + /**< Asymmetric transform type */
> > + uint32_t op_types;
> > + /**< bitmask for supported rte_crypto_asym_op_type */
> > + union {
> > + struct rte_crypto_mod_capability mod;
> > + struct rte_crypto_rsa_capability rsa;
> > + struct rte_crypto_dh_capability dh;
> > + struct rte_crypto_dsa_capability dsa;
> > + struct rte_crypto_ecdsa_capability ecdsa;
> > + struct rte_crypto_ecpm_capability ecpm;
> > + };
> > +
> > struct rte_cryptodev_asymmetric_xform_capability xform_capa; };
> >
> > @@ -247,7 +260,7 @@ rte_cryptodev_sym_capability_get(uint8_t dev_id,
> > * - Return NULL if the capability not exist.
> > */
> > __rte_experimental
> > -const struct rte_cryptodev_asymmetric_xform_capability *
> > +const struct rte_cryptodev_asymmetric_capability *
> > rte_cryptodev_asym_capability_get(uint8_t dev_id,
> > const struct rte_cryptodev_asym_capability_idx *idx);
> >
> > @@ -339,6 +352,66 @@
> rte_cryptodev_asym_xform_capability_check_modlen(
> > uint16_t modlen);
> >
> > /**
> > + * Check if requested Modexp features are supported
> > + *
> > + * @param capability Description of the asymmetric crypto
> > capability.
> > + * @param mod Modexp requested capability.
> > + *
> > + * @return
> > + * - Return 1 if the parameters are in range of the capability.
> > + * - Return 0 if the parameters are out of range of the capability.
> > + */
> > +__rte_experimental
> > +int
> > +rte_cryptodev_capa_check_mod(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_mod_capability mod);
> > +/**
> > + * Check if requested RSA features are supported
> > + *
> > + * @param capability Description of the asymmetric crypto
> > capability.
> > + * @param rsa RSA requested capability.
> > + *
> > + * @return
> > + * - Return 1 if the parameters are in range of the capability.
> > + * - Return 0 if the parameters are out of range of the capability.
> > + */
> > +__rte_experimental
> > +int
> > +rte_cryptodev_capa_check_rsa(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_rsa_capability rsa);
> > +/**
> > + * Check if requested ECDSA features are supported
> > + *
> > + * @param capability Description of the asymmetric crypto
> > capability.
> > + * @param ecdsa ECDSA requested capability.
> > + *
> > + * @return
> > + * - Return 1 if the parameters are in range of the capability.
> > + * - Return 0 if the parameters are out of range of the capability.
> > + */
> > +__rte_experimental
> > +int
> > +rte_cryptodev_capa_check_ecdsa(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_ecdsa_capability ecdsa);
> > +/**
> > + * Check if requested ECPM features are supported
> > + *
> > + * @param capability Description of the asymmetric crypto
> > capability.
> > + * @param ecpm ECPM requested capability.
> > + *
> > + * @return
> > + * - Return 1 if the parameters are in range of the capability.
> > + * - Return 0 if the parameters are out of range of the capability.
> > + */
> > +__rte_experimental
> > +int
> > +rte_cryptodev_capa_check_ecpm(
> > + const struct rte_cryptodev_asymmetric_capability *capa,
> > + struct rte_crypto_ecpm_capability ecpm);
> > +/**
> > * Provide the cipher algorithm enum, given an algorithm string
> > *
> > * @param algo_enum A pointer to the cipher algorithm
> > diff --git a/lib/cryptodev/version.map b/lib/cryptodev/version.map
> > index f0abfaa47d..4d93b9a947 100644
> > --- a/lib/cryptodev/version.map
> > +++ b/lib/cryptodev/version.map
> > @@ -108,6 +108,10 @@ EXPERIMENTAL {
> >
> > #added in 22.07
> > rte_cryptodev_session_event_mdata_set;
> > + rte_cryptodev_capa_check_mod;
> > + rte_cryptodev_capa_check_rsa;
> > + rte_cryptodev_capa_check_ecdsa;
> > + rte_cryptodev_capa_check_ecpm;
> > };
> >
> > INTERNAL {
> > --
> > 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: [EXT] [PATCH v2 14/14] cryptodev: add asym algorithms capabilities
2022-05-26 14:19 ` Kusztal, ArkadiuszX
@ 2022-05-26 15:00 ` Akhil Goyal
0 siblings, 0 replies; 41+ messages in thread
From: Akhil Goyal @ 2022-05-26 15:00 UTC (permalink / raw)
To: Kusztal, ArkadiuszX, dev; +Cc: Zhang, Roy Fan
> -----Original Message-----
> From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
> Sent: Thursday, May 26, 2022 7:49 PM
> To: Akhil Goyal <gakhil@marvell.com>; dev@dpdk.org
> Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH v2 14/14] cryptodev: add asym algorithms capabilities
>
>
>
> > -----Original Message-----
> > From: Akhil Goyal <gakhil@marvell.com>
> > Sent: Thursday, May 26, 2022 2:54 PM
> > To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> > Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com>
> > Subject: RE: [EXT] [PATCH v2 14/14] cryptodev: add asym algorithms
> capabilities
> >
> > > - Added asymmetric crypto algorithm specific capability struct.
> > > Included fields like random number capability, padding flags etc.
> > >
> > > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > > ---
> > > app/test-crypto-perf/main.c | 12 +-
> > > app/test-eventdev/test_perf_common.c | 2 +-
> > > app/test/test_cryptodev_asym.c | 210 +++++++++++++++++++++----
> --
> > > app/test/test_event_crypto_adapter.c | 16 +-
> > > drivers/crypto/openssl/rte_openssl_pmd_ops.c | 128 +++++++---------
> > > drivers/crypto/qat/dev/qat_asym_pmd_gen1.c | 68 +++++++--
> > > lib/cryptodev/rte_crypto_asym.h | 48 ++++++
> > > lib/cryptodev/rte_cryptodev.c | 80 +++++++++-
> > > lib/cryptodev/rte_cryptodev.h | 75 +++++++++-
> > > lib/cryptodev/version.map | 4 +
> > > 10 files changed, 495 insertions(+), 148 deletions(-)
> >
> > This would also need a change in documentation.
> >
> > >
> > > diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> > > index 17e30a8e74..f8a4c9cdcf 100644
> > > --- a/app/test-crypto-perf/main.c
> > > +++ b/app/test-crypto-perf/main.c
> > > @@ -364,8 +364,8 @@ cperf_verify_devices_capabilities(struct
> > > cperf_options *opts,
> > > struct rte_cryptodev_sym_capability_idx cap_idx;
> > > const struct rte_cryptodev_symmetric_capability *capability;
> > > struct rte_cryptodev_asym_capability_idx asym_cap_idx;
> > > - const struct rte_cryptodev_asymmetric_xform_capability
> > > *asym_capability;
> > > -
> > > + const struct rte_cryptodev_asymmetric_capability *asym_capability;
> > > + struct rte_crypto_mod_capability mod_capa = {0};
> > >
> > > uint8_t i, cdev_id;
> > > int ret;
> > > @@ -381,11 +381,11 @@ cperf_verify_devices_capabilities(struct
> > > cperf_options *opts,
> > > if (asym_capability == NULL)
> > > return -1;
> > >
> > > - ret =
> > > rte_cryptodev_asym_xform_capability_check_modlen(
> > > - asym_capability, opts->modex_data-
> > > >modulus.len);
> > > - if (ret != 0)
> > > + mod_capa.max_mod_size = opts->modex_data-
> > > >modulus.len;
> > > + ret = rte_cryptodev_capa_check_mod(asym_capability,
> > > + mod_capa);
> > > + if (ret == 0)
> > > return ret;
> > > -
> > > }
> > >
> > > if (opts->op_type == CPERF_AUTH_ONLY || diff --git
> > > a/app/test-eventdev/test_perf_common.c b/app/test-
> > > eventdev/test_perf_common.c index b41785492e..ac8e6410ab 100644
> > > --- a/app/test-eventdev/test_perf_common.c
> > > +++ b/app/test-eventdev/test_perf_common.c
> > > @@ -846,7 +846,7 @@ cryptodev_sym_sess_create(struct prod_data *p,
> > > struct test_perf *t) static void * cryptodev_asym_sess_create(struct
> > > prod_data *p, struct test_perf *t) {
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > > + const struct rte_cryptodev_asymmetric_capability *capability;
> > > struct rte_cryptodev_asym_capability_idx cap_idx;
> > > struct rte_crypto_asym_xform xform;
> > > void *sess;
> > > diff --git a/app/test/test_cryptodev_asym.c
> > > b/app/test/test_cryptodev_asym.c index 072dbb30f4..c531265642 100644
> > > --- a/app/test/test_cryptodev_asym.c
> > > +++ b/app/test/test_cryptodev_asym.c
> > > @@ -311,10 +311,11 @@ test_cryptodev_asym_op(struct
> > > crypto_testsuite_params_asym *ts_params,
> > > struct rte_crypto_asym_xform xform_tc;
> > > void *sess = NULL;
> > > struct rte_cryptodev_asym_capability_idx cap_idx;
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > > + const struct rte_cryptodev_asymmetric_capability *capability;
> > > uint8_t dev_id = ts_params->valid_devs[0];
> > > uint8_t input[TEST_DATA_SIZE] = {0};
> > > uint8_t *result = NULL;
> > > + struct rte_crypto_mod_capability mod_capa = {0};
> > >
> > > int ret, status = TEST_SUCCESS;
> > >
> > > @@ -358,8 +359,10 @@ test_cryptodev_asym_op(struct
> > > crypto_testsuite_params_asym *ts_params,
> > > asym_op->modex.base.length = data_tc->modex.base.len;
> > > asym_op->modex.result.data = result;
> > > asym_op->modex.result.length = data_tc->modex.result_len;
> > > - if
> > > (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > > - xform_tc.modex.modulus.length)) {
> > > +
> > > + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> > > + if (!rte_cryptodev_capa_check_mod(capability,
> > > + mod_capa)) {
> > > snprintf(test_msg, ASYM_TEST_MSG_LEN,
> > > "line %u "
> > > "FAILED: %s", __LINE__,
> > > @@ -378,8 +381,10 @@ test_cryptodev_asym_op(struct
> > > crypto_testsuite_params_asym *ts_params,
> > > asym_op->modinv.base.length = data_tc->modinv.base.len;
> > > asym_op->modinv.result.data = result;
> > > asym_op->modinv.result.length = data_tc->modinv.result_len;
> > > - if
> > > (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > > - xform_tc.modinv.modulus.length)) {
> > > +
> > > + mod_capa.max_mod_size = xform_tc.modinv.modulus.length;
> > > + if (!rte_cryptodev_capa_check_mod(capability,
> > > + mod_capa)) {
> > > snprintf(test_msg, ASYM_TEST_MSG_LEN,
> > > "line %u "
> > > "FAILED: %s", __LINE__,
> > > @@ -963,38 +968,100 @@ ut_teardown_asym(void)
> > > rte_cryptodev_stop(ts_params->valid_devs[0]);
> > > }
> > >
> > > -static inline void print_asym_capa(
> > > - const struct rte_cryptodev_asymmetric_xform_capability
> > > *capa)
> > > +static void
> > > +print_rsa_capability(
> > > + const struct rte_cryptodev_asymmetric_capability *capa)
> > > {
> > > int i = 0;
> > >
> > > + printf("\nSupported paddings:");
> > > + for (; i < 32; i++) {
> > > + if (capa->rsa.padding & RTE_BIT32(i))
> > > + printf("\n - %s", rte_crypto_asym_rsa_padding[i]);
> > > + }
> > > + printf("\nSupported hash functions:");
> > > + for (i = 0; i < 32; i++) {
> > > + if (capa->rsa.hash & RTE_BIT32(i))
> > > + printf("\n - %s", rte_crypto_auth_algorithm_strings[i]);
> > > + }
> > > + printf("\nMaximum key size: ");
> > > + if (capa->rsa.max_key_size == 0)
> > > + printf("Unlimited");
> > > + else
> > > + printf("%hu", capa->rsa.max_key_size); }
> > > +
> > > +static void
> > > +print_supported_curves(uint64_t curves) {
> > > + int i = 0;
> > > +
> > > + printf("\nSupported elliptic curves:");
> > > + for (; i < 64; i++) {
> > > + if (curves & RTE_BIT64(i))
> > > + printf("\n - %s", rte_crypto_curves_strings[i]);
> > > + }
> > > +}
> > > +
> > > +static inline void print_asym_capa(
> > > + const struct rte_cryptodev_asymmetric_capability *capa) {
> > > printf("\nxform type: %s\n===================\n",
> > > rte_crypto_asym_xform_strings[capa->xform_type]);
> > > - printf("operation supported -");
> > >
> > > - for (i = 0; i < RTE_CRYPTO_ASYM_OP_LIST_END; i++) {
> > > - /* check supported operations */
> > > - if (rte_cryptodev_asym_xform_capability_check_optype(capa,
> > > i))
> > > - printf(" %s",
> > > - rte_crypto_asym_op_strings[i]);
> > > - }
> > > - switch (capa->xform_type) {
> > > - case RTE_CRYPTO_ASYM_XFORM_RSA:
> > > - case RTE_CRYPTO_ASYM_XFORM_MODINV:
> > > - case RTE_CRYPTO_ASYM_XFORM_MODEX:
> > > - case RTE_CRYPTO_ASYM_XFORM_DH:
> > > - case RTE_CRYPTO_ASYM_XFORM_DSA:
> > > - printf(" modlen: min %d max %d increment %d",
> > > - capa->modlen.min,
> > > - capa->modlen.max,
> > > - capa->modlen.increment);
> > > + switch (capa->xform_type) {
> > > + case RTE_CRYPTO_ASYM_XFORM_MODEX:
> > > + case RTE_CRYPTO_ASYM_XFORM_MODINV:
> > > + printf("Maximum size of modulus: ");
> > > + if (capa->mod.max_mod_size == 0)
> > > + printf("Unlimited");
> > > + else
> > > + printf("%hu", capa->mod.max_mod_size);
> > > break;
> > > - case RTE_CRYPTO_ASYM_XFORM_ECDSA:
> > > - case RTE_CRYPTO_ASYM_XFORM_ECPM:
> > > - default:
> > > - break;
> > > - }
> > > - printf("\n");
> > > + case RTE_CRYPTO_ASYM_XFORM_RSA:
> > > + print_rsa_capability(capa);
> > > + break;
> > > + case RTE_CRYPTO_ASYM_XFORM_DH:
> >
> > ECDH?? I hope it will be added once it is tested in this app.
> >
> > > + printf("Maximum group size: ");
> > > + if (capa->dh.max_group_size == 0)
> > > + printf("Unlimited");
> > > + else
> > > + printf("%hu", capa->dh.max_group_size);
> > > + printf("\nSupport for private key generation: ");
> > > + if (capa->dh.priv_key_gen)
> > > + printf("Yes");
> > > + else
> > > + printf("No");
> > > + break;
> > > + case RTE_CRYPTO_ASYM_XFORM_DSA:
> > > + printf("Maximum key size: ");
> > > + if (capa->dsa.max_key_size == 0)
> > > + printf("Unlimited");
> > > + else
> > > + printf("%hu", capa->dsa.max_key_size);
> > > + printf("\nSupport for random 'k' generation: ");
> > > + if (capa->dsa.random_k)
> > > + printf("Yes");
> > > + else
> > > + printf("No");
> > > + break;
> > > +
> > > + break;
> > > + case RTE_CRYPTO_ASYM_XFORM_ECDSA:
> > > + print_supported_curves(capa->ecdsa.curves);
> > > + printf("\nSupport for random 'k' generation: ");
> > > + if (capa->ecdsa.random_k)
> > > + printf("Yes");
> > > + else
> > > + printf("No");
> > > + break;
> > > + case RTE_CRYPTO_ASYM_XFORM_ECPM:
> > > + print_supported_curves(capa->ecpm.curves);
> > > + break;
> > > + default:
> > > + break;
> > > + }
> > > + printf("\n");
> > > }
> > >
> > > static int
> > > @@ -1006,7 +1073,7 @@ test_capability(void)
> > > const struct rte_cryptodev_capabilities *dev_capa;
> > > int i = 0;
> > > struct rte_cryptodev_asym_capability_idx idx;
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capa;
> > > + const struct rte_cryptodev_asymmetric_capability *capa;
> > >
> > > rte_cryptodev_info_get(dev_id, &dev_info);
> > > if (!(dev_info.feature_flags &
> > > @@ -1023,7 +1090,7 @@ test_capability(void)
> > > dev_capa = &(dev_info.capabilities[i]);
> > > if (dev_info.capabilities[i].op ==
> > > RTE_CRYPTO_OP_TYPE_ASYMMETRIC) {
> > > - idx.type = dev_capa->asym.xform_capa.xform_type;
> > > + idx.type = dev_capa->asym.xform_type;
> > >
> > > capa = rte_cryptodev_asym_capability_get(dev_id,
> > > (const struct
> > > @@ -1386,10 +1453,11 @@ test_mod_inv(void)
> > > void *sess = NULL;
> > > int status = TEST_SUCCESS;
> > > struct rte_cryptodev_asym_capability_idx cap_idx;
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > > + const struct rte_cryptodev_asymmetric_capability *capability;
> > > uint8_t input[TEST_DATA_SIZE] = {0};
> > > int ret = 0;
> > > uint8_t result[sizeof(mod_p)] = { 0 };
> > > + struct rte_crypto_mod_capability mod_capa = {0};
> > >
> > > if (rte_cryptodev_asym_get_xform_enum(
> > > &modinv_xform.xform_type, "modinv") < 0) { @@ -1408,13
> > +1476,11 @@
> > > test_mod_inv(void)
> > > return TEST_SKIPPED;
> > > }
> > >
> > > - if (rte_cryptodev_asym_xform_capability_check_modlen(
> > > - capability,
> > > - modinv_xform.modinv.modulus.length)) {
> > > - RTE_LOG(ERR, USER1,
> > > - "Invalid MODULUS length specified\n");
> > > - return TEST_SKIPPED;
> > > - }
> > > + mod_capa.max_mod_size = modinv_xform.modinv.modulus.length;
> > > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > > + RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
> > > + return TEST_SKIPPED;
> > > + }
> > >
> > > ret = rte_cryptodev_asym_session_create(dev_id, &modinv_xform,
> > > sess_mpool, &sess);
> > > if (ret < 0) {
> > > @@ -1499,7 +1565,8 @@ test_mod_exp(void)
> > > void *sess = NULL;
> > > int status = TEST_SUCCESS;
> > > struct rte_cryptodev_asym_capability_idx cap_idx;
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > > + const struct rte_cryptodev_asymmetric_capability *capability;
> > > + struct rte_crypto_mod_capability mod_capa = {0};
> > > uint8_t input[TEST_DATA_SIZE] = {0};
> > > int ret = 0;
> > > uint8_t result[sizeof(mod_p)] = { 0 }; @@ -1522,12 +1589,11 @@
> > > test_mod_exp(void)
> > > return TEST_SKIPPED;
> > > }
> > >
> > > - if (rte_cryptodev_asym_xform_capability_check_modlen(
> > > - capability, modex_xform.modex.modulus.length)) {
> > > - RTE_LOG(ERR, USER1,
> > > - "Invalid MODULUS length specified\n");
> > > - return TEST_SKIPPED;
> > > - }
> > > + mod_capa.max_mod_size = modex_xform.modex.modulus.length;
> > > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > > + RTE_LOG(ERR, USER1, "Invalid MODULUS length specified\n");
> > > + return TEST_SKIPPED;
> > > + }
> > >
> > > /* Create op, create session, and process packets. 8< */
> > > op = rte_crypto_op_alloc(op_mpool,
> > > RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> > > @@ -1785,6 +1851,8 @@ test_ecdsa_sign_verify(enum curve curve_id)
> > > struct rte_crypto_asym_xform xform;
> > > struct rte_crypto_asym_op *asym_op;
> > > struct rte_cryptodev_info dev_info;
> > > + struct rte_cryptodev_asym_capability_idx idx;
> > > + const struct rte_cryptodev_asymmetric_capability *capabilities;
> > > struct rte_crypto_op *op = NULL;
> > > int ret, status = TEST_SUCCESS;
> > >
> > > @@ -1814,6 +1882,25 @@ test_ecdsa_sign_verify(enum curve curve_id)
> > >
> > > rte_cryptodev_info_get(dev_id, &dev_info);
> > >
> > > + struct rte_crypto_ecdsa_capability capa = {
> > > + .curves = RTE_BIT32(input_params.curve),
> > > + .random_k = 0
> > > + };
> > > +
> > > + idx.type = RTE_CRYPTO_ASYM_XFORM_ECDSA;
> > > + capabilities = rte_cryptodev_asym_capability_get(dev_id,
> > > + (const struct
> > > + rte_cryptodev_asym_capability_idx *) &idx);
> > > +
> > > + if (capabilities == NULL) {
> > > + status = TEST_SKIPPED;
> > > + goto exit;
> > > + }
> > > + if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
> > > + status = TEST_SKIPPED;
> > > + goto exit;
> > > + }
> > > +
> > > /* Setup crypto op data structure */
> > > op = rte_crypto_op_alloc(op_mpool,
> > > RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> > > if (op == NULL) {
> > > @@ -1962,6 +2049,8 @@ test_ecdsa_sign_verify_all_curve(void)
> > > status = test_ecdsa_sign_verify(curve_id);
> > > if (status == TEST_SUCCESS) {
> > > msg = "succeeded";
> > > + } else if (status == TEST_SKIPPED) {
> > > + continue;
> > > } else {
> > > msg = "failed";
> > > overall_status = status;
> > > @@ -1987,6 +2076,8 @@ test_ecpm(enum curve curve_id)
> > > struct rte_crypto_asym_xform xform;
> > > struct rte_crypto_asym_op *asym_op;
> > > struct rte_cryptodev_info dev_info;
> > > + struct rte_cryptodev_asym_capability_idx idx;
> > > + const struct rte_cryptodev_asymmetric_capability *capabilities;
> > > struct rte_crypto_op *op = NULL;
> > > int ret, status = TEST_SUCCESS;
> > >
> > > @@ -2016,6 +2107,24 @@ test_ecpm(enum curve curve_id)
> > >
> > > rte_cryptodev_info_get(dev_id, &dev_info);
> > >
> > > + struct rte_crypto_ecdsa_capability capa = {
> > > + .curves = RTE_BIT32(input_params.curve)
> > > + };
> > > +
> > > + idx.type = RTE_CRYPTO_ASYM_XFORM_ECPM;
> > > + capabilities = rte_cryptodev_asym_capability_get(dev_id,
> > > + (const struct
> > > + rte_cryptodev_asym_capability_idx *) &idx);
> > > +
> > > + if (capabilities == NULL) {
> > > + status = TEST_SKIPPED;
> > > + goto exit;
> > > + }
> > > + if (!rte_cryptodev_capa_check_ecdsa(capabilities, capa)) {
> > > + status = TEST_SKIPPED;
> > > + goto exit;
> > > + }
> > > +
> > > /* Setup crypto op data structure */
> > > op = rte_crypto_op_alloc(op_mpool,
> > > RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
> > > if (op == NULL) {
> > > @@ -2124,6 +2233,8 @@ test_ecpm_all_curve(void)
> > > status = test_ecpm(curve_id);
> > > if (status == TEST_SUCCESS) {
> > > msg = "succeeded";
> > > + } else if (status == TEST_SKIPPED) {
> > > + continue;
> > > } else {
> > > msg = "failed";
> > > overall_status = status;
> > > @@ -2162,7 +2273,12 @@ static struct unit_test_suite
> > > cryptodev_qat_asym_testsuite = {
> > > .setup = testsuite_setup,
> > > .teardown = testsuite_teardown,
> > > .unit_test_cases = {
> > > + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > > test_capability),
> > > TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > test_one_by_one),
> > > + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > > + test_ecdsa_sign_verify_all_curve),
> > > + TEST_CASE_ST(ut_setup_asym, ut_teardown_asym,
> > > + test_ecpm_all_curve),
> > > TEST_CASES_END() /**< NULL terminate unit test array */
> > > }
> > > };
> >
> > I think patch need to be split for adding test app changes.
> >
> >
> > > diff --git a/app/test/test_event_crypto_adapter.c
> > > b/app/test/test_event_crypto_adapter.c
> > > index 2ecc7e2cea..9a62241371 100644
> > > --- a/app/test/test_event_crypto_adapter.c
> > > +++ b/app/test/test_event_crypto_adapter.c
> > > @@ -450,7 +450,7 @@ test_session_with_op_forward_mode(void)
> > > static int
> > > test_asym_op_forward_mode(uint8_t session_less) {
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > > + const struct rte_cryptodev_asymmetric_capability *capability;
> > > struct rte_cryptodev_asym_capability_idx cap_idx;
> > > struct rte_crypto_asym_xform xform_tc;
> > > union rte_event_crypto_metadata m_data; @@ -458,6 +458,7 @@
> > > test_asym_op_forward_mode(uint8_t session_less)
> > > struct rte_crypto_asym_op *asym_op;
> > > struct rte_crypto_op *op;
> > > uint8_t input[4096] = {0};
> > > + struct rte_crypto_mod_capability mod_capa = {0};
> > > uint8_t *result = NULL;
> > > struct rte_event ev;
> > > void *sess = NULL;
> > > @@ -503,8 +504,9 @@ test_asym_op_forward_mode(uint8_t session_less)
> > > asym_op->modex.base.length = modex_test_case.base.len;
> > > asym_op->modex.result.data = result;
> > > asym_op->modex.result.length = modex_test_case.result_len;
> > > - if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > > - xform_tc.modex.modulus.length)) {
> > > +
> > > + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> > > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > > RTE_LOG(INFO, USER1,
> > > "line %u FAILED: %s", __LINE__,
> > > "Invalid MODULUS length specified"); @@ -784,7
> > +786,7 @@
> > > test_session_with_op_new_mode(void)
> > > static int
> > > test_asym_op_new_mode(uint8_t session_less) {
> > > - const struct rte_cryptodev_asymmetric_xform_capability *capability;
> > > + const struct rte_cryptodev_asymmetric_capability *capability;
> > > struct rte_cryptodev_asym_capability_idx cap_idx;
> > > struct rte_crypto_asym_xform xform_tc;
> > > union rte_event_crypto_metadata m_data; @@ -792,6 +794,7 @@
> > > test_asym_op_new_mode(uint8_t session_less)
> > > struct rte_crypto_asym_op *asym_op;
> > > struct rte_crypto_op *op;
> > > uint8_t input[4096] = {0};
> > > + struct rte_crypto_mod_capability mod_capa = {0};
> >
> > Can you move this above to maintain reverse Xmas tree?
> >
> > > uint8_t *result = NULL;
> > > void *sess = NULL;
> > > uint32_t cap;
> > > @@ -835,8 +838,9 @@ test_asym_op_new_mode(uint8_t session_less)
> > > asym_op->modex.base.length = modex_test_case.base.len;
> > > asym_op->modex.result.data = result;
> > > asym_op->modex.result.length = modex_test_case.result_len;
> > > - if (rte_cryptodev_asym_xform_capability_check_modlen(capability,
> > > - xform_tc.modex.modulus.length)) {
> > > +
> > > + mod_capa.max_mod_size = xform_tc.modex.modulus.length;
> > > + if (!rte_cryptodev_capa_check_mod(capability, mod_capa)) {
> > > RTE_LOG(INFO, USER1,
> > > "line %u FAILED: %s", __LINE__,
> > > "Invalid MODULUS length specified"); diff --git
> > > a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > > b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > > index 16ec5e15eb..e734fc2a69 100644
> > > --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > > +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > > @@ -7,6 +7,7 @@
> > > #include <rte_common.h>
> > > #include <rte_malloc.h>
> > > #include <cryptodev_pmd.h>
> > > +#include <rte_bitops.h>
> > >
> > > #include "openssl_pmd_private.h"
> > > #include "compat.h"
> > > @@ -470,103 +471,82 @@ static const struct rte_cryptodev_capabilities
> > > openssl_pmd_capabilities[] = {
> > > }, }
> > > }, }
> > > },
> > > - { /* RSA */
> > > + { /* Modular exponentiation */
> > > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > {.asym = {
> > > - .xform_capa = {
> > > - .xform_type =
> > > RTE_CRYPTO_ASYM_XFORM_RSA,
> > > - .op_types = ((1 <<
> > > RTE_CRYPTO_ASYM_OP_SIGN) |
> > > - (1 << RTE_CRYPTO_ASYM_OP_VERIFY)
> > > |
> > > - (1 <<
> > > RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> > > - (1 <<
> > > RTE_CRYPTO_ASYM_OP_DECRYPT)),
> > > - {
> > > - .modlen = {
> > > - /* min length is based on openssl rsa keygen */
> > > - .min = 30,
> > > - /* value 0 symbolizes no limit on max length */
> > > - .max = 0,
> > > - .increment = 1
> > > - }, }
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
> > > + .mod = {
> > > + .max_mod_size = 0
> > > + }
> > > }
> > > - },
> > > }
> > > },
> > > - { /* modexp */
> > > + { /* Modular multiplicative inverse */
> > > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > {.asym = {
> > > - .xform_capa = {
> > > - .xform_type =
> > > RTE_CRYPTO_ASYM_XFORM_MODEX,
> > > - .op_types = 0,
> > > - {
> > > - .modlen = {
> > > - /* value 0 symbolizes no limit on min length */
> > > - .min = 0,
> > > - /* value 0 symbolizes no limit on max length */
> > > - .max = 0,
> > > - .increment = 1
> > > - }, }
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
> > > + .mod = {
> > > + .max_mod_size = 0
> > > + }
> > > }
> > > - },
> > > }
> > > },
> > > - { /* modinv */
> > > + { /* RSA */
> > > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > {.asym = {
> > > - .xform_capa = {
> > > - .xform_type =
> > > RTE_CRYPTO_ASYM_XFORM_MODINV,
> > > - .op_types = 0,
> > > - {
> > > - .modlen = {
> > > - /* value 0 symbolizes no limit on min length */
> > > - .min = 0,
> > > - /* value 0 symbolizes no limit on max length */
> > > - .max = 0,
> > > - .increment = 1
> > > - }, }
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
> > > + .rsa = {
> > > + .padding =
> > > +
> > > RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE) |
> > > +
> > > RTE_BIT32(RTE_CRYPTO_RSA_PADDING_PKCS1_5),
> > > + .hash =
> > > + RTE_BIT32(RTE_CRYPTO_AUTH_MD5)
> > > |
> > > + RTE_BIT32(RTE_CRYPTO_AUTH_SHA1)
> > > |
> > > +
> > > RTE_BIT32(RTE_CRYPTO_AUTH_SHA224) |
> > > +
> > > RTE_BIT32(RTE_CRYPTO_AUTH_SHA256) |
> > > +
> > > RTE_BIT32(RTE_CRYPTO_AUTH_SHA384) |
> > > +
> > > RTE_BIT32(RTE_CRYPTO_AUTH_SHA512),
> > > + .max_key_size = 0
> > > + }
> > > }
> > > - },
> > > }
> > > },
> > > - { /* dh */
> > > + { /* Diffie-Hellman */
> > > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > {.asym = {
> > > - .xform_capa = {
> > > - .xform_type =
> > > RTE_CRYPTO_ASYM_XFORM_DH,
> > > - .op_types =
> > > -
> > > ((1<<RTE_CRYPTO_ASYM_KE_PRIVATE_KEY_GENERATE) |
> > > - (1 <<
> > > RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE |
> > > - (1 <<
> > > -
> > > RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE))),
> > > - {
> > > - .modlen = {
> > > - /* value 0 symbolizes no limit on min length */
> > > - .min = 0,
> > > - /* value 0 symbolizes no limit on max length */
> > > - .max = 0,
> > > - .increment = 1
> > > - }, }
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
> > > + .dh = {
> > > + .max_group_size = 0,
> > > + .priv_key_gen = 1
> > > + }
> > > }
> > > - },
> > > }
> > > },
> > > - { /* dsa */
> > > + { /* DSA */
> > > .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > {.asym = {
> > > - .xform_capa = {
> > > - .xform_type =
> > > RTE_CRYPTO_ASYM_XFORM_DSA,
> > > - .op_types =
> > > - ((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
> > > - (1 << RTE_CRYPTO_ASYM_OP_VERIFY)),
> > > - {
> > > - .modlen = {
> > > - /* value 0 symbolizes no limit on min length */
> > > - .min = 0,
> > > - /* value 0 symbolizes no limit on max length */
> > > - .max = 0,
> > > - .increment = 1
> > > - }, }
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_DSA,
> > > + .dsa = {
> > > + .max_key_size = 0,
> > > + .random_k = 1
> > > + }
> > > + }
> > > + }
> > > + },
> > > + { /* ECDSA */
> > > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > + {.asym = {
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
> > > + .ecdsa = {
> > > + .curves =
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP192R1) |
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP224R1) |
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP384R1) |
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
> > > + .random_k = 1
> > > + }
> > > }
> > > - },
> > > }
> > > },
> > >
> >
> > Do not combine PMD changes for capabilities in cryptodev patch for new APIs.
> >
> >
> > > diff --git a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > > b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > > index 4499fdaf2d..d5144bca84 100644
> > > --- a/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > > +++ b/drivers/crypto/qat/dev/qat_asym_pmd_gen1.c
> > > @@ -28,16 +28,64 @@ struct rte_cryptodev_ops
> qat_asym_crypto_ops_gen1
> > > = { };
> > >
> > > static struct rte_cryptodev_capabilities qat_asym_crypto_caps_gen1[] = {
> > > - QAT_ASYM_CAP(MODEX,
> > > - 0, 1, 512, 1),
> > > - QAT_ASYM_CAP(MODINV,
> > > - 0, 1, 512, 1),
> > > - QAT_ASYM_CAP(RSA,
> > > - ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
> > > - (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
> > > - (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> > > - (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
> > > - 64, 512, 64),
> > > + { /* Modular exponentiation */
> > > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > + {.asym = {
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
> > > + .mod = {
> > > + .max_mod_size = 4096
> > > + }
> > > + }
> > > + }
> > > + },
> > > + { /* Modular multiplicative inverse */
> > > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > + {.asym = {
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
> > > + .mod = {
> > > + .max_mod_size = 4096
> > > + }
> > > + }
> > > + }
> > > + },
> > > + { /* RSA */
> > > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > + {.asym = {
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
> > > + .rsa = {
> > > + .padding =
> > > +
> > > RTE_BIT32(RTE_CRYPTO_RSA_PADDING_NONE),
> > > + .hash = 0,
> > > + .max_key_size = 4096
> > > + }
> > > + }
> > > + }
> > > + },
> > > + { /* ECDSA */
> > > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > + {.asym = {
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECDSA,
> > > + .ecdsa = {
> > > + .curves =
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1),
> > > + .random_k = 0
> > > + }
> > > + }
> > > + }
> > > + },
> > > + { /* ECPM */
> > > + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
> > > + {.asym = {
> > > + .xform_type = RTE_CRYPTO_ASYM_XFORM_ECPM,
> > > + .ecdsa = {
> > > + .curves =
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP256R1) |
> > > +
> > > RTE_BIT64(RTE_CRYPTO_EC_GROUP_SECP521R1)
> > > + }
> > > + }
> > > + }
> > > + },
> > > RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
> > > };
> > >
> > > diff --git a/lib/cryptodev/rte_crypto_asym.h
> > > b/lib/cryptodev/rte_crypto_asym.h index d90a7a1957..41b22450d3 100644
> > > --- a/lib/cryptodev/rte_crypto_asym.h
> > > +++ b/lib/cryptodev/rte_crypto_asym.h
> > > @@ -41,6 +41,14 @@ rte_crypto_asym_ke_strings[]; extern const char *
> > > rte_crypto_asym_op_strings[];
> > >
> > > +/** RSA padding type name strings */
> > > +extern const char *
> > > +rte_crypto_asym_rsa_padding[];
> >
> > rte_crypto_asym_rsa_padding_strings
> >
> > > +
> > > +/** Elliptic curves name strings */
> > > +extern const char *
> > > +rte_crypto_curves_strings[];
> > > +
> > > /**
> > > * Buffer to hold crypto params required for asym operations.
> > > *
> > > @@ -265,6 +273,46 @@ struct rte_crypto_rsa_padding {
> > > */
> > > };
> > >
> > > +struct rte_crypto_mod_capability {
> > > + uint16_t max_mod_size;
> > > + /**< Maximum supported modulus size in bytes, 0 means no limit */ };
> > > +
> > > +struct rte_crypto_rsa_capability {
> > > + uint32_t padding;
> > > + /**< List of supported paddings */
> > How is this list supposed to work?
> > I believe this should be enum to specify a single value.
> > Driver can maintain a static array to list all supported ones.
> > And application can query if a particular capability which it intend to use Is
> > supported by the PMD.
> >
> > > + uint32_t hash;
> > > + /**< List of supported hash functions */
> > Same comment here as well
> >
> > > + uint32_t max_key_size;
> > > + /**< Maximum supported key size in bytes, 0 means no limit */ };
> > > +
> > > +struct rte_crypto_dh_capability {
> > > + uint16_t max_group_size;
> > > + /**< Maximum group in bytes, 0 means no limit */
> > Maximum group size in bytes ...
> >
> > > + uint8_t priv_key_gen;
> > > + /**< Does PMD supports private key generation generation */
> > Is it a flag? Please comment it properly.
> >
> > > +};
> > > +
> > > +struct rte_crypto_dsa_capability {
> > > + uint16_t max_key_size;
> > > + /**< Maximum supported key size in bytes, 0 means no limit */
> > > + uint8_t random_k;
> > > + /**< Does PMD supports random 'k' generation */
> >
> > Comments should not ask questions.
> >
> > > +};
> > > +
> > > +struct rte_crypto_ecdsa_capability {
> > > + uint64_t curves;
> > > + /**< Supported elliptic curve ids */
> > Shouldn't this also be enum?
> >
> > > + uint8_t random_k;
> > > + /**< Does PMD supports random 'k' generation */
> >
> > Same comment as above.
> > > +};
> > > +
> > > +struct rte_crypto_ecpm_capability {
> > > + uint64_t curves;
> > > + /**< Supported elliptic curve ids */
> >
> > Enum??
> >
> > > +};
> > > +
> > > /**
> > > * Asymmetric RSA transform data
> > > *
> > > diff --git a/lib/cryptodev/rte_cryptodev.c
> > > b/lib/cryptodev/rte_cryptodev.c index 57ee6b3f07..b1ad1112fe 100644
> > > --- a/lib/cryptodev/rte_cryptodev.c
> > > +++ b/lib/cryptodev/rte_cryptodev.c
> > > @@ -190,6 +190,27 @@ const char *rte_crypto_asym_ke_strings[] = { };
> > >
> > > /**
> > > + * RSA padding string identifiers
> > > + */
> > > +const char *rte_crypto_asym_rsa_padding[] = {
> > > + [RTE_CRYPTO_RSA_PADDING_NONE] =
> > > "RTE_CRYPTO_RSA_PADDING_NONE",
> > > + [RTE_CRYPTO_RSA_PADDING_PKCS1_5] =
> > > "RTE_CRYPTO_RSA_PADDING_PKCS1_5",
> > > + [RTE_CRYPTO_RSA_PADDING_OAEP] =
> > > "RTE_CRYPTO_RSA_PADDING_OAEP",
> > > + [RTE_CRYPTO_RSA_PADDING_PSS] =
> > > "RTE_CRYPTO_RSA_PADDING_PSS"
> > > +};
> > > +
> > > +/**
> > > + * Elliptic curves string identifiers */ const char
> > > +*rte_crypto_curves_strings[] = {
> > > + [RTE_CRYPTO_EC_GROUP_SECP192R1] =
> > > "RTE_CRYPTO_EC_GROUP_SECP192R1",
> > > + [RTE_CRYPTO_EC_GROUP_SECP224R1] =
> > > "RTE_CRYPTO_EC_GROUP_SECP224R1",
> > > + [RTE_CRYPTO_EC_GROUP_SECP256R1] =
> > > "RTE_CRYPTO_EC_GROUP_SECP256R1",
> > > + [RTE_CRYPTO_EC_GROUP_SECP384R1] =
> > > "RTE_CRYPTO_EC_GROUP_SECP384R1",
> > > + [RTE_CRYPTO_EC_GROUP_SECP521R1] =
> > > "RTE_CRYPTO_EC_GROUP_SECP521R1",
> > > +};
> > > +
> > > +/**
> > > * The private data structure stored in the sym session mempool private
> data.
> > > */
> > > struct rte_cryptodev_sym_session_pool_private_data { @@ -347,7 +368,7
> > > @@ param_range_check(uint16_t size, const struct
> > > rte_crypto_param_range *range)
> > > return -1;
> > > }
> > >
> > > -const struct rte_cryptodev_asymmetric_xform_capability *
> > > +const struct rte_cryptodev_asymmetric_capability *
> > > rte_cryptodev_asym_capability_get(uint8_t dev_id,
> > > const struct rte_cryptodev_asym_capability_idx *idx) { @@ -
> > 363,8
> > > +384,8 @@ rte_cryptodev_asym_capability_get(uint8_t dev_id,
> > > if (capability->op != RTE_CRYPTO_OP_TYPE_ASYMMETRIC)
> > > continue;
> > >
> > > - if (capability->asym.xform_capa.xform_type == idx->type)
> > > - return &capability->asym.xform_capa;
> > > + if (capability->asym.xform_type == idx->type)
> > > + return &capability->asym;
> > > }
> > > return NULL;
> > > };
> > > @@ -456,6 +477,59 @@
> > rte_cryptodev_asym_xform_capability_check_modlen(
> > > return 0;
> > > }
> > >
> > > +int
> > > +rte_cryptodev_capa_check_mod(
> >
> > API name should be rte_cryptodev_mod_capa_check Verb should come in the
> > end.
> > Fix other APIs also.
> >
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_mod_capability mod) {
> > > + if (capa->mod.max_mod_size == 0)
> > > + return 1;
> > > +
> > > + if (mod.max_mod_size <= capa->mod.max_mod_size)
> > > + return 1;
> > > + else
> > > + return 0;
> > > +}
> > > +
> > > +int
> > > +rte_cryptodev_capa_check_rsa(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_rsa_capability rsa) {
> > > + if (rsa.padding != (capa->rsa.padding & rsa.padding))
> > > + return 0;
> > > + if (rsa.hash != (capa->rsa.hash & rsa.hash))
> > > + return 0;
> > > + if (capa->rsa.max_key_size == 0)
> > > + return 1;
> > > + if (rsa.max_key_size <= capa->rsa.max_key_size)
> > > + return 1;
> > > + else
> > > + return 0;
> > > +}
> >
> > Can we have something similar to symmetric crypto/rte_security capabilities?
> In what way similar? There are mostly range checks in symmetric.
Please ignore this comment, I misinterpreted xforms with algos.
For each of the xforms we can have separate API to check.
All algos in that particular xform can be clubbed in same API.
> >
> > > +
> > > +int
> > > +rte_cryptodev_capa_check_ecdsa(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_ecdsa_capability ecdsa) {
> > > + if (ecdsa.curves != (capa->ecdsa.curves & ecdsa.curves))
> > > + return 0;
> > > + if (ecdsa.random_k == 1 && capa->ecdsa.random_k == 0)
> > > + return 0;
> > > + return 1;
> > > +}
> > > +
> > > +int
> > > +rte_cryptodev_capa_check_ecpm(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_ecpm_capability ecpm) {
> > > + if (ecpm.curves != (capa->ecpm.curves & ecpm.curves))
> > > + return 0;
> > > + return 1;
> > > +}
> > > +
> > > /* spinlock for crypto device enq callbacks */ static rte_spinlock_t
> > > rte_cryptodev_callback_lock = RTE_SPINLOCK_INITIALIZER;
> > >
> > > diff --git a/lib/cryptodev/rte_cryptodev.h
> > > b/lib/cryptodev/rte_cryptodev.h index 2c2c2edeb7..6c5bd819b2 100644
> > > --- a/lib/cryptodev/rte_cryptodev.h
> > > +++ b/lib/cryptodev/rte_cryptodev.h
> > > @@ -184,6 +184,19 @@ struct rte_cryptodev_asymmetric_xform_capability
> {
> > > *
> > > */
> > > struct rte_cryptodev_asymmetric_capability {
> > > + enum rte_crypto_asym_xform_type xform_type;
> > > + /**< Asymmetric transform type */
> > > + uint32_t op_types;
> > > + /**< bitmask for supported rte_crypto_asym_op_type */
> > > + union {
> > > + struct rte_crypto_mod_capability mod;
> > > + struct rte_crypto_rsa_capability rsa;
> > > + struct rte_crypto_dh_capability dh;
> > > + struct rte_crypto_dsa_capability dsa;
> > > + struct rte_crypto_ecdsa_capability ecdsa;
> > > + struct rte_crypto_ecpm_capability ecpm;
> > > + };
> > > +
> > > struct rte_cryptodev_asymmetric_xform_capability xform_capa; };
> > >
> > > @@ -247,7 +260,7 @@ rte_cryptodev_sym_capability_get(uint8_t dev_id,
> > > * - Return NULL if the capability not exist.
> > > */
> > > __rte_experimental
> > > -const struct rte_cryptodev_asymmetric_xform_capability *
> > > +const struct rte_cryptodev_asymmetric_capability *
> > > rte_cryptodev_asym_capability_get(uint8_t dev_id,
> > > const struct rte_cryptodev_asym_capability_idx *idx);
> > >
> > > @@ -339,6 +352,66 @@
> > rte_cryptodev_asym_xform_capability_check_modlen(
> > > uint16_t modlen);
> > >
> > > /**
> > > + * Check if requested Modexp features are supported
> > > + *
> > > + * @param capability Description of the asymmetric crypto
> > > capability.
> > > + * @param mod Modexp requested capability.
> > > + *
> > > + * @return
> > > + * - Return 1 if the parameters are in range of the capability.
> > > + * - Return 0 if the parameters are out of range of the capability.
> > > + */
> > > +__rte_experimental
> > > +int
> > > +rte_cryptodev_capa_check_mod(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_mod_capability mod);
> > > +/**
> > > + * Check if requested RSA features are supported
> > > + *
> > > + * @param capability Description of the asymmetric crypto
> > > capability.
> > > + * @param rsa RSA requested capability.
> > > + *
> > > + * @return
> > > + * - Return 1 if the parameters are in range of the capability.
> > > + * - Return 0 if the parameters are out of range of the capability.
> > > + */
> > > +__rte_experimental
> > > +int
> > > +rte_cryptodev_capa_check_rsa(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_rsa_capability rsa);
> > > +/**
> > > + * Check if requested ECDSA features are supported
> > > + *
> > > + * @param capability Description of the asymmetric crypto
> > > capability.
> > > + * @param ecdsa ECDSA requested capability.
> > > + *
> > > + * @return
> > > + * - Return 1 if the parameters are in range of the capability.
> > > + * - Return 0 if the parameters are out of range of the capability.
> > > + */
> > > +__rte_experimental
> > > +int
> > > +rte_cryptodev_capa_check_ecdsa(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_ecdsa_capability ecdsa);
> > > +/**
> > > + * Check if requested ECPM features are supported
> > > + *
> > > + * @param capability Description of the asymmetric crypto
> > > capability.
> > > + * @param ecpm ECPM requested capability.
> > > + *
> > > + * @return
> > > + * - Return 1 if the parameters are in range of the capability.
> > > + * - Return 0 if the parameters are out of range of the capability.
> > > + */
> > > +__rte_experimental
> > > +int
> > > +rte_cryptodev_capa_check_ecpm(
> > > + const struct rte_cryptodev_asymmetric_capability *capa,
> > > + struct rte_crypto_ecpm_capability ecpm);
> > > +/**
> > > * Provide the cipher algorithm enum, given an algorithm string
> > > *
> > > * @param algo_enum A pointer to the cipher algorithm
> > > diff --git a/lib/cryptodev/version.map b/lib/cryptodev/version.map
> > > index f0abfaa47d..4d93b9a947 100644
> > > --- a/lib/cryptodev/version.map
> > > +++ b/lib/cryptodev/version.map
> > > @@ -108,6 +108,10 @@ EXPERIMENTAL {
> > >
> > > #added in 22.07
> > > rte_cryptodev_session_event_mdata_set;
> > > + rte_cryptodev_capa_check_mod;
> > > + rte_cryptodev_capa_check_rsa;
> > > + rte_cryptodev_capa_check_ecdsa;
> > > + rte_cryptodev_capa_check_ecpm;
> > > };
> > >
> > > INTERNAL {
> > > --
> > > 2.13.6
^ permalink raw reply [flat|nested] 41+ messages in thread
end of thread, other threads:[~2022-05-26 15:00 UTC | newest]
Thread overview: 41+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-25 15:53 [PATCH v2 00/14] cryptodev: rsa, dh, ecdh changes Arek Kusztal
2022-05-25 15:53 ` [PATCH v2 01/14] cryptodev: redefine ec group enum Arek Kusztal
2022-05-26 9:40 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 02/14] cryptodev: reduce number of comments in asym xform Arek Kusztal
2022-05-26 9:52 ` [EXT] " Akhil Goyal
2022-05-26 10:03 ` Kusztal, ArkadiuszX
2022-05-25 15:53 ` [PATCH v2 03/14] cryptodev: separate key exchange operation enum Arek Kusztal
2022-05-26 10:57 ` [EXT] " Akhil Goyal
2022-05-26 11:06 ` Kusztal, ArkadiuszX
2022-05-26 11:09 ` Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 04/14] cryptodev: remove comment about using ephemeral key in dsa Arek Kusztal
2022-05-26 11:02 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 05/14] cryptodev: clarify usage of private key in dh Arek Kusztal
2022-05-26 11:04 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 06/14] cryptodev: move dh type from xform to dh op Arek Kusztal
2022-05-26 11:23 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 07/14] cryptodev: add elliptic curve diffie hellman Arek Kusztal
2022-05-26 11:29 ` [EXT] " Akhil Goyal
2022-05-26 11:44 ` Kusztal, ArkadiuszX
2022-05-25 15:53 ` [PATCH v2 08/14] cryptodev: add public key verify option Arek Kusztal
2022-05-26 11:34 ` [EXT] " Akhil Goyal
2022-05-26 11:46 ` Kusztal, ArkadiuszX
2022-05-25 15:53 ` [PATCH v2 09/14] cryptodev: add asym op flags Arek Kusztal
2022-05-26 11:46 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 10/14] cryptodev: clarify usage of rsa padding hash Arek Kusztal
2022-05-26 11:56 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 11/14] cryptodev: move RSA padding into separate struct Arek Kusztal
2022-05-26 12:04 ` [EXT] " Akhil Goyal
2022-05-26 12:14 ` Kusztal, ArkadiuszX
2022-05-26 12:19 ` Akhil Goyal
2022-05-26 12:35 ` Kusztal, ArkadiuszX
2022-05-26 12:41 ` Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 12/14] cryptodev: clarify rsa verify with none padding Arek Kusztal
2022-05-26 12:06 ` [EXT] " Akhil Goyal
2022-05-26 12:15 ` Kusztal, ArkadiuszX
2022-05-25 15:53 ` [PATCH v2 13/14] cryptodev: add salt length and optional label Arek Kusztal
2022-05-26 12:08 ` [EXT] " Akhil Goyal
2022-05-25 15:53 ` [PATCH v2 14/14] cryptodev: add asym algorithms capabilities Arek Kusztal
2022-05-26 12:54 ` [EXT] " Akhil Goyal
2022-05-26 14:19 ` Kusztal, ArkadiuszX
2022-05-26 15:00 ` Akhil Goyal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).