* [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update @ 2022-02-04 17:57 Kai Ji 2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji 0 siblings, 1 reply; 18+ messages in thread From: Kai Ji @ 2022-02-04 17:57 UTC (permalink / raw) To: dev; +Cc: Kai Ji This patch update the EVP MAC routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji <kai.ji@intel.com> --- drivers/crypto/openssl/compat.h | 12 ++ drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 129 ++++++++++++++++++- 3 files changed, 144 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..d3884334bd 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key) DSA_get0_key(dsa, NULL, priv_key); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +/* Known DIGEST names (not a complete list) */ +#define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" +#define OSSL_DIGEST_NAME_SHA1 "SHA1" +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" + +#endif + #endif /* version < 10100000 */ #endif /* __RTA_COMPAT_H__ */ diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5794ed8159..e930821a4b 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,29 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +603,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo = get_digest_name(xform); + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char *)algo, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +649,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +774,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1317,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,6 +1422,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } +# endif /*----------------------------------------------------------------------------*/ @@ -1557,7 +1666,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; + +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1688,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else + ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; -- 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine 2022-02-04 17:57 [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update Kai Ji @ 2022-02-07 15:24 ` Kai Ji 2022-02-07 15:40 ` Zhang, Roy Fan 2022-02-17 17:45 ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji 0 siblings, 2 replies; 18+ messages in thread From: Kai Ji @ 2022-02-07 15:24 UTC (permalink / raw) To: dev; +Cc: Kai Ji This patch update the symmetric EVP MAC routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji <kai.ji@intel.com> v2: - commit message update --- drivers/crypto/openssl/compat.h | 12 ++ drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 129 ++++++++++++++++++- 3 files changed, 144 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..d3884334bd 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key) DSA_get0_key(dsa, NULL, priv_key); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +/* Known DIGEST names (not a complete list) */ +#define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" +#define OSSL_DIGEST_NAME_SHA1 "SHA1" +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" + +#endif + #endif /* version < 10100000 */ #endif /* __RTA_COMPAT_H__ */ diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5794ed8159..e930821a4b 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,29 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +603,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo = get_digest_name(xform); + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char *)algo, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +649,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +774,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1317,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,6 +1422,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } +# endif /*----------------------------------------------------------------------------*/ @@ -1557,7 +1666,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; + +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1688,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else + ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; -- 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine 2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji @ 2022-02-07 15:40 ` Zhang, Roy Fan 2022-02-17 17:45 ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji 1 sibling, 0 replies; 18+ messages in thread From: Zhang, Roy Fan @ 2022-02-07 15:40 UTC (permalink / raw) To: Ji, Kai, dev; +Cc: Ji, Kai, gakhil > -----Original Message----- > From: Kai Ji <kai.ji@intel.com> > Sent: Monday, February 7, 2022 3:24 PM > To: dev@dpdk.org > Cc: Ji, Kai <kai.ji@intel.com> > Subject: [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC > routine > > This patch update the symmetric EVP MAC routine in crypto openssl pmd > to adopt openssl 3.0 library. > > Signed-off-by: Kai Ji <kai.ji@intel.com> > > v2: > - commit message update > > --- Acked-by: Fan Zhang <roy.fan.zhang@intel.com> ^ permalink raw reply [flat|nested] 18+ messages in thread
* [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji 2022-02-07 15:40 ` Zhang, Roy Fan @ 2022-02-17 17:45 ` Kai Ji 2022-02-17 18:01 ` [EXT] " Akhil Goyal 2022-02-18 9:44 ` [dpdk-dev v4] " Kai Ji 1 sibling, 2 replies; 18+ messages in thread From: Kai Ji @ 2022-02-17 17:45 UTC (permalink / raw) To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji This patch update the symmetric EVP routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji <kai.ji@intel.com> v3: - rebase to 22.03-RC1 - enable openssl 3.0 lagacy library of DES - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy without a valid dup function pointer. v2: - minor code fix --- drivers/crypto/openssl/compat.h | 12 ++ drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 181 ++++++++++++++++++- 3 files changed, 188 insertions(+), 9 deletions(-) diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..d3884334bd 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key) DSA_get0_key(dsa, NULL, priv_key); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +/* Known DIGEST names (not a complete list) */ +#define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" +#define OSSL_DIGEST_NAME_SHA1 "SHA1" +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" + +#endif + #endif /* version < 10100000 */ #endif /* __RTA_COMPAT_H__ */ diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index d80e1052e2..14a6524b6c 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include <openssl/provider.h> + +OSSL_PROVIDER * legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return -EINVAL; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return -EINVAL; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo = get_digest_name(xform); + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char *)algo, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1260,6 +1343,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1312,6 +1448,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } +# endif /*----------------------------------------------------------------------------*/ @@ -1326,7 +1463,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1363,8 +1499,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1372,12 +1506,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1385,15 +1519,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1555,7 +1688,13 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; + +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1571,12 +1710,24 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else + ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2213,6 +2364,14 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load lagacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly.loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif + return 0; init_error: @@ -2261,6 +2420,10 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif + return rte_cryptodev_pmd_destroy(cryptodev); } -- 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-17 17:45 ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji @ 2022-02-17 18:01 ` Akhil Goyal 2022-02-18 9:44 ` [dpdk-dev v4] " Kai Ji 1 sibling, 0 replies; 18+ messages in thread From: Akhil Goyal @ 2022-02-17 18:01 UTC (permalink / raw) To: Kai Ji, dev; +Cc: roy.fan.zhang > This patch update the symmetric EVP routine in crypto openssl pmd > to adopt openssl 3.0 library. > > Signed-off-by: Kai Ji <kai.ji@intel.com> > > v3: > - rebase to 22.03-RC1 > - enable openssl 3.0 lagacy library of DES > - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy > without > a valid dup function pointer. > > v2: > - minor code fix > > --- > drivers/crypto/openssl/compat.h | 12 ++ > drivers/crypto/openssl/openssl_pmd_private.h | 4 + > drivers/crypto/openssl/rte_openssl_pmd.c | 181 ++++++++++++++++++- > 3 files changed, 188 insertions(+), 9 deletions(-) > > diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h > index eecb7d3698..d3884334bd 100644 > --- a/drivers/crypto/openssl/compat.h > +++ b/drivers/crypto/openssl/compat.h > @@ -192,6 +192,18 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM > **priv_key) > DSA_get0_key(dsa, NULL, priv_key); > } > > +#if OPENSSL_VERSION_NUMBER >= 0x30000000L > +/* Known DIGEST names (not a complete list) */ > +#define OSSL_DIGEST_NAME_MD5 "MD5" > +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" > +#define OSSL_DIGEST_NAME_SHA1 "SHA1" > +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" > +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" > +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" > +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" > + > +#endif > + > #endif /* version < 10100000 */ > > #endif /* __RTA_COMPAT_H__ */ > diff --git a/drivers/crypto/openssl/openssl_pmd_private.h > b/drivers/crypto/openssl/openssl_pmd_private.h > index b2054b3754..86dc169aaf 100644 > --- a/drivers/crypto/openssl/openssl_pmd_private.h > +++ b/drivers/crypto/openssl/openssl_pmd_private.h > @@ -134,8 +134,12 @@ struct openssl_session { > /**< pointer to EVP key */ > const EVP_MD *evp_algo; > /**< pointer to EVP algorithm function */ > +# if OPENSSL_VERSION_NUMBER >= 0x30000000L > + EVP_MAC_CTX * ctx; > +# else > HMAC_CTX *ctx; > /**< pointer to EVP context structure */ > +# endif > } hmac; > }; > > diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c > b/drivers/crypto/openssl/rte_openssl_pmd.c > index d80e1052e2..14a6524b6c 100644 > --- a/drivers/crypto/openssl/rte_openssl_pmd.c > +++ b/drivers/crypto/openssl/rte_openssl_pmd.c > @@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) > } > #endif > > +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) > +#include <openssl/provider.h> > + > +OSSL_PROVIDER * legacy; > +OSSL_PROVIDER *deflt; > + > +static void ossl_load_legacy_provider(void) > +{ > + /* Load Multiple providers into the default (NULL) library context */ > + legacy = OSSL_PROVIDER_load(NULL, "legacy"); > + if (legacy == NULL) { > + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); > + return -EINVAL; > + } > + > + deflt = OSSL_PROVIDER_load(NULL, "default"); > + if (deflt == NULL) { > + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); > + OSSL_PROVIDER_unload(legacy); > + return -EINVAL; > + } > +} > + > +static void ossl_unload_legacy_provider(void) > +{ > + OSSL_PROVIDER_unload(legacy); > + OSSL_PROVIDER_unload(deflt); > +} > + > +static __rte_always_inline const char * > +get_digest_name(const struct rte_crypto_sym_xform *xform) > +{ > + switch (xform->auth.algo) { > + case RTE_CRYPTO_AUTH_MD5_HMAC: > + return OSSL_DIGEST_NAME_MD5; > + case RTE_CRYPTO_AUTH_SHA1_HMAC: > + return OSSL_DIGEST_NAME_SHA1; > + case RTE_CRYPTO_AUTH_SHA224_HMAC: > + return OSSL_DIGEST_NAME_SHA2_224; > + case RTE_CRYPTO_AUTH_SHA256_HMAC: > + return OSSL_DIGEST_NAME_SHA2_256; > + case RTE_CRYPTO_AUTH_SHA384_HMAC: > + return OSSL_DIGEST_NAME_SHA2_384; > + case RTE_CRYPTO_AUTH_SHA512_HMAC: > + return OSSL_DIGEST_NAME_SHA2_512; > + default: > + return NULL; > + } > +} > +#endif > + > static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); > > /*----------------------------------------------------------------------------*/ > @@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct > openssl_session *sess, > sess->auth.auth.ctx = EVP_MD_CTX_create(); > break; > > +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) > + case RTE_CRYPTO_AUTH_MD5_HMAC: > + case RTE_CRYPTO_AUTH_SHA1_HMAC: > + case RTE_CRYPTO_AUTH_SHA224_HMAC: > + case RTE_CRYPTO_AUTH_SHA256_HMAC: > + case RTE_CRYPTO_AUTH_SHA384_HMAC: > + case RTE_CRYPTO_AUTH_SHA512_HMAC: > + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; > + > + OSSL_PARAM params[2]; > + const char *algo = get_digest_name(xform); > + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); > + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); > + EVP_MAC_free(mac); > + if (get_auth_algo(xform->auth.algo, > + &sess->auth.hmac.evp_algo) != 0) > + return -EINVAL; > + > + params[0] = OSSL_PARAM_construct_utf8_string("digest", > + (char *)algo, 0); > + params[1] = OSSL_PARAM_construct_end(); > + if (EVP_MAC_init(sess->auth.hmac.ctx, > + xform->auth.key.data, > + xform->auth.key.length, > + params) != 1) > + return -EINVAL; > + break; > +# else > case RTE_CRYPTO_AUTH_MD5_HMAC: > case RTE_CRYPTO_AUTH_SHA1_HMAC: > case RTE_CRYPTO_AUTH_SHA224_HMAC: > @@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct > openssl_session *sess, > sess->auth.hmac.evp_algo, NULL) != 1) > return -EINVAL; > break; > - > +# endif > default: > return -ENOTSUP; > } > @@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess) > break; > case OPENSSL_AUTH_AS_HMAC: > EVP_PKEY_free(sess->auth.hmac.pkey); > +# if OPENSSL_VERSION_NUMBER >= 0x30000000L > + EVP_MAC_CTX_free(sess->auth.hmac.ctx); > +# else > HMAC_CTX_free(sess->auth.hmac.ctx); > +# endif > break; > default: > break; > @@ -1260,6 +1343,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, > uint8_t *dst, int offset, > return -EINVAL; > } > > +# if OPENSSL_VERSION_NUMBER >= 0x30000000L > +/** Process standard openssl auth algorithms with hmac */ > +static int > +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int > offset, > + int srclen, EVP_MAC_CTX *ctx) > +{ > + size_t dstlen; > + struct rte_mbuf *m; > + int l, n = srclen; > + uint8_t *src; > + > + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); > + m = m->next) > + offset -= rte_pktmbuf_data_len(m); > + > + if (m == 0) > + goto process_auth_err; > + > + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); > + > + l = rte_pktmbuf_data_len(m) - offset; > + if (srclen <= l) { > + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) > + goto process_auth_err; > + goto process_auth_final; > + } > + > + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) > + goto process_auth_err; > + > + n -= l; > + > + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { > + src = rte_pktmbuf_mtod(m, uint8_t *); > + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; > + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) > + goto process_auth_err; > + n -= l; > + } > + > +process_auth_final: > + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) > + goto process_auth_err; > + > + EVP_MAC_CTX_free(ctx); > + return 0; > + > +process_auth_err: > + EVP_MAC_CTX_free(ctx); > + OPENSSL_LOG(ERR, "Process openssl auth failed"); > + return -EINVAL; > +} > +# else > /** Process standard openssl auth algorithms with hmac */ > static int > process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int > offset, > @@ -1312,6 +1448,7 @@ process_openssl_auth_hmac(struct rte_mbuf > *mbuf_src, uint8_t *dst, int offset, > OPENSSL_LOG(ERR, "Process openssl auth failed"); > return -EINVAL; > } > +# endif > > /*----------------------------------------------------------------------------*/ > > @@ -1326,7 +1463,6 @@ process_openssl_combined_op > int srclen, aadlen, status = -1; > uint32_t offset; > uint8_t taglen; > - EVP_CIPHER_CTX *ctx_copy; > > /* > * Segmented destination buffer is not supported for > @@ -1363,8 +1499,6 @@ process_openssl_combined_op > } > > taglen = sess->auth.digest_length; > - ctx_copy = EVP_CIPHER_CTX_new(); > - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); > > if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { > if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || > @@ -1372,12 +1506,12 @@ process_openssl_combined_op > status = process_openssl_auth_encryption_gcm( > mbuf_src, offset, srclen, > aad, aadlen, iv, > - dst, tag, ctx_copy); > + dst, tag, sess->cipher.ctx); > else > status = process_openssl_auth_encryption_ccm( > mbuf_src, offset, srclen, > aad, aadlen, iv, > - dst, tag, taglen, ctx_copy); > + dst, tag, taglen, sess->cipher.ctx); > > } else { > if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || > @@ -1385,15 +1519,14 @@ process_openssl_combined_op > status = process_openssl_auth_decryption_gcm( > mbuf_src, offset, srclen, > aad, aadlen, iv, > - dst, tag, ctx_copy); > + dst, tag, sess->cipher.ctx); > else > status = process_openssl_auth_decryption_ccm( > mbuf_src, offset, srclen, > aad, aadlen, iv, > - dst, tag, taglen, ctx_copy); > + dst, tag, taglen, sess->cipher.ctx); > } > > - EVP_CIPHER_CTX_free(ctx_copy); > if (status != 0) { > if (status == (-EFAULT) && > sess->auth.operation == > @@ -1555,7 +1688,13 @@ process_openssl_auth_op(struct openssl_qp *qp, > struct rte_crypto_op *op, > uint8_t *dst; > int srclen, status; > EVP_MD_CTX *ctx_a; > + > +# if OPENSSL_VERSION_NUMBER >= 0x30000000L > + EVP_MAC_CTX *ctx_h; > + EVP_MAC *mac; > +# else > HMAC_CTX *ctx_h; > +# endif > > srclen = op->sym->auth.data.length; > > @@ -1571,12 +1710,24 @@ process_openssl_auth_op(struct openssl_qp *qp, > struct rte_crypto_op *op, > EVP_MD_CTX_destroy(ctx_a); > break; > case OPENSSL_AUTH_AS_HMAC: > +# if OPENSSL_VERSION_NUMBER >= 0x30000000L > + > + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); > + ctx_h = EVP_MAC_CTX_new(mac); > + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); > + EVP_MAC_free(mac); > + status = process_openssl_auth_hmac(mbuf_src, dst, > + op->sym->auth.data.offset, srclen, > + ctx_h); > +# else > + > ctx_h = HMAC_CTX_new(); > HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); > status = process_openssl_auth_hmac(mbuf_src, dst, > op->sym->auth.data.offset, srclen, > ctx_h); > HMAC_CTX_free(ctx_h); > +# endif > break; > default: > status = -1; > @@ -2213,6 +2364,14 @@ cryptodev_openssl_create(const char *name, > > rte_cryptodev_pmd_probing_finish(dev); > > +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) > + /* Load lagacy provider > + * Some algorithms are no longer available in earlier version of openssl, > + * unless the legacy provider explicitly.loaded. e.g. DES > + */ > + ossl_load_legacy_provider(); > +# endif > + Please remove extra blank lines here and elsewhere. Also run spell check. %s/lagacy/legacy > return 0; > > init_error: > @@ -2261,6 +2420,10 @@ cryptodev_openssl_remove(struct rte_vdev_device > *vdev) > if (cryptodev == NULL) > return -ENODEV; > > +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) > + ossl_unload_legacy_provider(); > +# endif > + > return rte_cryptodev_pmd_destroy(cryptodev); > } > > -- > 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* [dpdk-dev v4] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-17 17:45 ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji 2022-02-17 18:01 ` [EXT] " Akhil Goyal @ 2022-02-18 9:44 ` Kai Ji 2022-02-18 11:51 ` [dpdk-dev v5] " Kai Ji 1 sibling, 1 reply; 18+ messages in thread From: Kai Ji @ 2022-02-18 9:44 UTC (permalink / raw) To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji This patch update the symmetric EVP routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji <kai.ji@intel.com> v4: - code comments addressed v3: - rebase to 22.03-RC1 - enable openssl 3.0 lagacy library of DES - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy without a valid dup function pointer. v2: - minor code fix --- drivers/crypto/openssl/compat.h | 10 ++ drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 177 +++++++++++++++++-- 3 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..0674dd6c5d 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -192,6 +192,16 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key) DSA_get0_key(dsa, NULL, priv_key); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +/* Known DIGEST names (not a complete list) */ +#define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" +#define OSSL_DIGEST_NAME_SHA1 "SHA1" +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" +#endif #endif /* version < 10100000 */ #endif /* __RTA_COMPAT_H__ */ diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5794ed8159..2c5dea8cd3 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include <openssl/provider.h> + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return -EINVAL; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return -EINVAL; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo = get_digest_name(xform); + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char *)algo, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1345,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1450,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1464,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1500,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1507,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1520,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1689,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1710,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2215,6 +2362,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2263,6 +2417,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } -- 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-18 9:44 ` [dpdk-dev v4] " Kai Ji @ 2022-02-18 11:51 ` Kai Ji 2022-02-18 13:41 ` Zhang, Roy Fan ` (2 more replies) 0 siblings, 3 replies; 18+ messages in thread From: Kai Ji @ 2022-02-18 11:51 UTC (permalink / raw) To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji This patch update the symmetric EVP routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji <kai.ji@intel.com> v5: - checkpatch fix v4: - code comments addressed v3: - rebase to 22.03-RC1 - enable openssl 3.0 lagacy library of DES - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy without a valid dup function pointer. v2: - minor code fix --- drivers/crypto/openssl/compat.h | 10 ++ drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 177 +++++++++++++++++-- 3 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..0674dd6c5d 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -192,6 +192,16 @@ get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key) DSA_get0_key(dsa, NULL, priv_key); } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +/* Known DIGEST names (not a complete list) */ +#define OSSL_DIGEST_NAME_MD5 "MD5" +#define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" +#define OSSL_DIGEST_NAME_SHA1 "SHA1" +#define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" +#define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" +#define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" +#define OSSL_DIGEST_NAME_SHA2_512 "SHA2-512" +#endif #endif /* version < 10100000 */ #endif /* __RTA_COMPAT_H__ */ diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5794ed8159..2c5dea8cd3 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,57 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include <openssl/provider.h> + +OSSL_PROVIDER * legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return -EINVAL; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return -EINVAL; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +631,34 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo = get_digest_name(xform); + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char *)algo, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +677,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +802,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1345,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1450,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1464,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1500,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1507,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1520,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1689,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1710,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2215,6 +2362,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2263,6 +2417,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } -- 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-18 11:51 ` [dpdk-dev v5] " Kai Ji @ 2022-02-18 13:41 ` Zhang, Roy Fan 2022-02-24 19:02 ` [EXT] " Akhil Goyal 2022-02-25 15:13 ` [dpdk-dev v6] " Kai Ji 2 siblings, 0 replies; 18+ messages in thread From: Zhang, Roy Fan @ 2022-02-18 13:41 UTC (permalink / raw) To: Ji, Kai, dev; +Cc: gakhil > -----Original Message----- > From: Ji, Kai <kai.ji@intel.com> > Sent: Friday, February 18, 2022 11:51 AM > To: dev@dpdk.org > Cc: gakhil@marvell.com; Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ji, Kai > <kai.ji@intel.com> > Subject: [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto > routine > > This patch update the symmetric EVP routine in crypto openssl pmd > to adopt openssl 3.0 library. > > Signed-off-by: Kai Ji <kai.ji@intel.com> > > v5: > - checkpatch fix > > v4: > - code comments addressed > > v3: > - rebase to 22.03-RC1 > - enable openssl 3.0 lagacy library of DES > - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy > without > a valid dup function pointer. > > v2: > - minor code fix > > --- Acked-by: Fan Zhang <roy.fan.zhang@intel.com> ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-18 11:51 ` [dpdk-dev v5] " Kai Ji 2022-02-18 13:41 ` Zhang, Roy Fan @ 2022-02-24 19:02 ` Akhil Goyal 2022-02-24 23:13 ` Ji, Kai 2022-02-25 15:13 ` [dpdk-dev v6] " Kai Ji 2 siblings, 1 reply; 18+ messages in thread From: Akhil Goyal @ 2022-02-24 19:02 UTC (permalink / raw) To: Kai Ji, dev; +Cc: roy.fan.zhang > This patch update the symmetric EVP routine in crypto openssl pmd > to adopt openssl 3.0 library. > > Signed-off-by: Kai Ji <kai.ji@intel.com> > > v5: > - checkpatch fix > > v4: > - code comments addressed > > v3: > - rebase to 22.03-RC1 > - enable openssl 3.0 lagacy library of DES > - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy > without > a valid dup function pointer. > > v2: > - minor code fix > > --- Openssl driver is not getting compiled with openssl3.0 Are you ignoring the warnings? | ^~ In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12, from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: /usr/local/include/openssl/dh.h:223:27: note: declared here 223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); | ^~~~~~~~~~~~~~~ ../drivers/crypto/openssl/rte_openssl_pmd.c: In function 'process_openssl_rsa_op': ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 2068 | ret = RSA_public_encrypt(op->rsa.message.length, | ^~~ In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: /usr/local/include/openssl/rsa.h:282:5: note: declared here 282 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, | ^~~~~~~~~~~~~~~~~~ ../drivers/crypto/openssl/rte_openssl_pmd.c:2081:3: error: 'RSA_private_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 2081 | ret = RSA_private_decrypt(op->rsa.cipher.length, | ^~~ In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: /usr/local/include/openssl/rsa.h:291:5: note: declared here 291 | int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, | ^~~~~~~~~~~~~~~~~~~ ../drivers/crypto/openssl/rte_openssl_pmd.c:2091:3: error: 'RSA_private_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 2091 | ret = RSA_private_encrypt(op->rsa.message.length, | ^~~ In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: /usr/local/include/openssl/rsa.h:285:5: note: declared here 285 | int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, | ^~~~~~~~~~~~~~~~~~~ ../drivers/crypto/openssl/rte_openssl_pmd.c:2107:3: error: 'RSA_public_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 2107 | ret = RSA_public_decrypt(op->rsa.sign.length, | ^~~ In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: /usr/local/include/openssl/rsa.h:288:5: note: declared here 288 | int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, | ^~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors ninja: build stopped: subcommand failed. ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-24 19:02 ` [EXT] " Akhil Goyal @ 2022-02-24 23:13 ` Ji, Kai 2022-02-25 3:55 ` Akhil Goyal 0 siblings, 1 reply; 18+ messages in thread From: Ji, Kai @ 2022-02-24 23:13 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan Hi Akhil, This patch was intend to support Openssl 3.0 on symmetric crypto algorithms only, where the deprecated APIs, compile warnings and failing test cases were fixed. All the asymmetric crypto related issues stay untreated and will be fixed in the next patch. Regards Kai > -----Original Message----- > From: Akhil Goyal <gakhil@marvell.com> > Sent: Thursday, February 24, 2022 7:03 PM > To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org > Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com> > Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym > crypto routine > > > This patch update the symmetric EVP routine in crypto openssl pmd to > > adopt openssl 3.0 library. > > > > Signed-off-by: Kai Ji <kai.ji@intel.com> > > > > v5: > > - checkpatch fix > > > > v4: > > - code comments addressed > > > > v3: > > - rebase to 22.03-RC1 > > - enable openssl 3.0 lagacy library of DES > > - remove local ctx in combined op as EVP_CIPHER_CTX_copy refuse copy > > without > > a valid dup function pointer. > > > > v2: > > - minor code fix > > > > --- > Openssl driver is not getting compiled with openssl3.0 Are you ignoring the > warnings? > > > | ^~ > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/dh.h:223:27: note: declared here > 223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); > | ^~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c: In function > 'process_openssl_rsa_op': > ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: > 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated- > declarations] > 2068 | ret = RSA_public_encrypt(op->rsa.message.length, > | ^~~ > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/rsa.h:282:5: note: declared here > 282 | int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char > *to, > | ^~~~~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c:2081:3: error: > 'RSA_private_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated- > declarations] > 2081 | ret = RSA_private_decrypt(op->rsa.cipher.length, > | ^~~ > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/rsa.h:291:5: note: declared here > 291 | int RSA_private_decrypt(int flen, const unsigned char *from, unsigned > char *to, > | ^~~~~~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c:2091:3: error: > 'RSA_private_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated- > declarations] > 2091 | ret = RSA_private_encrypt(op->rsa.message.length, > | ^~~ > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/rsa.h:285:5: note: declared here > 285 | int RSA_private_encrypt(int flen, const unsigned char *from, unsigned > char *to, > | ^~~~~~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c:2107:3: error: > 'RSA_public_decrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated- > declarations] > 2107 | ret = RSA_public_decrypt(op->rsa.sign.length, > | ^~~ > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:11, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/rsa.h:288:5: note: declared here > 288 | int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char > *to, > | ^~~~~~~~~~~~~~~~~~ > cc1: all warnings being treated as errors > ninja: build stopped: subcommand failed. ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-24 23:13 ` Ji, Kai @ 2022-02-25 3:55 ` Akhil Goyal 2022-02-25 10:19 ` Ji, Kai 0 siblings, 1 reply; 18+ messages in thread From: Akhil Goyal @ 2022-02-25 3:55 UTC (permalink / raw) To: Ji, Kai, dev; +Cc: Zhang, Roy Fan Hi Kai, > Hi Akhil, > > This patch was intend to support Openssl 3.0 on symmetric crypto algorithms > only, where the deprecated APIs, compile warnings and failing test cases were > fixed. > All the asymmetric crypto related issues stay untreated and will be fixed in the > next patch. > How can one verify if the driver is openssl 3.0 compliant? Is there a way to bypass those warnings? We cannot have build with warnings or we can have something in meson.build to bypass those for openssl pmd. ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-25 3:55 ` Akhil Goyal @ 2022-02-25 10:19 ` Ji, Kai 2022-02-25 10:39 ` Akhil Goyal 0 siblings, 1 reply; 18+ messages in thread From: Ji, Kai @ 2022-02-25 10:19 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan The warning messages are deprecated APIs warnings from openssl , not compiler warnings from gcc, the integrity of DPDK remain the same. Alongside openssl pmd, the ccp and qat pmd also raise the same type of warnings once openssl 3.0 installed. In the current intel roadmap, we will try to support 3.0 API fully for openssl and qat pmds by the end of year, so this patch is the first step. I think the warning messages are safe to stay, Unfortunately the fix ccp pmd driver is out of our reach. Regards Kai > -----Original Message----- > From: Akhil Goyal <gakhil@marvell.com> > Sent: Friday, February 25, 2022 3:56 AM > To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org > Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com> > Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym > crypto routine > > Hi Kai, > > Hi Akhil, > > > > This patch was intend to support Openssl 3.0 on symmetric crypto > > algorithms only, where the deprecated APIs, compile warnings and > > failing test cases were fixed. > > All the asymmetric crypto related issues stay untreated and will be > > fixed in the next patch. > > > How can one verify if the driver is openssl 3.0 compliant? > Is there a way to bypass those warnings? > We cannot have build with warnings or we can have something in meson.build to > bypass those for openssl pmd. ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-25 10:19 ` Ji, Kai @ 2022-02-25 10:39 ` Akhil Goyal 2022-02-25 11:19 ` Ji, Kai 2022-02-25 13:51 ` Zhang, Roy Fan 0 siblings, 2 replies; 18+ messages in thread From: Akhil Goyal @ 2022-02-25 10:39 UTC (permalink / raw) To: Ji, Kai, dev; +Cc: Zhang, Roy Fan Hi Kai, > > The warning messages are deprecated APIs warnings from openssl , not > compiler warnings from gcc, the integrity of DPDK remain the same. > Alongside openssl pmd, the ccp and qat pmd also raise the same type of > warnings once openssl 3.0 installed. > > In the current intel roadmap, we will try to support 3.0 API fully for openssl and > qat pmds by the end of year, so this patch is the first step. > I think the warning messages are safe to stay, Unfortunately the fix ccp pmd > driver is out of our reach. > When DPDK is compiled with openssl 3.0. I am seeing these errors in compilation. So, compilation is broken and we cannot take this patch as is. We have few options, - fix all of these errors, - add exception in meson.build for ignoring these errors. - disable/skip compilation of PMDs if openssl version is >3.0 Adding only one type of APIs does not make sense, if the driver is not compiled. In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12, from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: /usr/local/include/openssl/dh.h:223:27: note: declared here 223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); | ^~~~~~~~~~~~~~~ ../drivers/crypto/openssl/rte_openssl_pmd.c: In function 'process_openssl_rsa_op': ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations] 2068 | ret = RSA_public_encrypt(op->rsa.message.length, Also, avoid top posting of comments! ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-25 10:39 ` Akhil Goyal @ 2022-02-25 11:19 ` Ji, Kai 2022-02-25 13:51 ` Zhang, Roy Fan 1 sibling, 0 replies; 18+ messages in thread From: Ji, Kai @ 2022-02-25 11:19 UTC (permalink / raw) To: Akhil Goyal, dev; +Cc: Zhang, Roy Fan HI Akhil, > > When DPDK is compiled with openssl 3.0. I am seeing these errors in compilation. > So, compilation is broken and we cannot take this patch as is. > We have few options, > - fix all of these errors, > - add exception in meson.build for ignoring these errors. > - disable/skip compilation of PMDs if openssl version is >3.0 > > Adding only one type of APIs does not make sense, if the driver is not compiled. > > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/dh.h:223:27: note: declared here > 223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); > | ^~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c: In function > 'process_openssl_rsa_op': > ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: > 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated- > declarations] > 2068 | ret = RSA_public_encrypt(op->rsa.message.length, > > Also, avoid top posting of comments! I will try to suppress the warning message in meson.build by EOB, otherwise the patch need to be deferred until next release. Regards Kai ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-25 10:39 ` Akhil Goyal 2022-02-25 11:19 ` Ji, Kai @ 2022-02-25 13:51 ` Zhang, Roy Fan 2022-02-28 5:35 ` Namburu, Chandu-babu 1 sibling, 1 reply; 18+ messages in thread From: Zhang, Roy Fan @ 2022-02-25 13:51 UTC (permalink / raw) To: Akhil Goyal, Ji, Kai, dev; +Cc: chandu Hi Akhil, > -----Original Message----- > From: Akhil Goyal <gakhil@marvell.com> > Sent: Friday, February 25, 2022 10:40 AM > To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org > Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com> > Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym > crypto routine > > Hi Kai, > > > > The warning messages are deprecated APIs warnings from openssl , not > > compiler warnings from gcc, the integrity of DPDK remain the same. > > Alongside openssl pmd, the ccp and qat pmd also raise the same type of > > warnings once openssl 3.0 installed. > > > > In the current intel roadmap, we will try to support 3.0 API fully for openssl > and > > qat pmds by the end of year, so this patch is the first step. > > I think the warning messages are safe to stay, Unfortunately the fix ccp > pmd > > driver is out of our reach. > > > > When DPDK is compiled with openssl 3.0. I am seeing these errors in > compilation. > So, compilation is broken and we cannot take this patch as is. > We have few options, > - fix all of these errors, > - add exception in meson.build for ignoring these errors. > - disable/skip compilation of PMDs if openssl version is >3.0 > > Adding only one type of APIs does not make sense, if the driver is not > compiled. > > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/dh.h:223:27: note: declared here > 223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); > | ^~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c: In function > 'process_openssl_rsa_op': > ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: > 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [- > Werror=deprecated-declarations] > 2068 | ret = RSA_public_encrypt(op->rsa.message.length, You are right. We will defer the change to next release so we can send along with the asym openssl change Kai is working on. But since we have your attention I would want to drag Chandubabu's attention too as there are three PMDs uses deprecated openssl lib APIs: openssl, qat, and ccp. Adding a suppress flag to meson build file won't resolve the problem - we need to resolve them before the APIs are gone for good. > > Also, avoid top posting of comments! ^ permalink raw reply [flat|nested] 18+ messages in thread
* RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-25 13:51 ` Zhang, Roy Fan @ 2022-02-28 5:35 ` Namburu, Chandu-babu 0 siblings, 0 replies; 18+ messages in thread From: Namburu, Chandu-babu @ 2022-02-28 5:35 UTC (permalink / raw) To: Zhang, Roy Fan, Akhil Goyal, Ji, Kai, dev; +Cc: Sebastian, Selwin [Public] Hi Roy Fan, -----Original Message----- From: Zhang, Roy Fan <roy.fan.zhang@intel.com> Sent: Friday, February 25, 2022 7:21 PM To: Akhil Goyal <gakhil@marvell.com>; Ji, Kai <kai.ji@intel.com>; dev@dpdk.org Cc: Namburu, Chandu-babu <chandu@amd.com> Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support on sym crypto routine Hi Akhil, > -----Original Message----- > From: Akhil Goyal <gakhil@marvell.com> > Sent: Friday, February 25, 2022 10:40 AM > To: Ji, Kai <kai.ji@intel.com>; dev@dpdk.org > Cc: Zhang, Roy Fan <roy.fan.zhang@intel.com> > Subject: RE: [EXT] [dpdk-dev v5] crypto/openssl: openssl 3.0 support > on sym crypto routine > > Hi Kai, > > > > The warning messages are deprecated APIs warnings from openssl , not > > compiler warnings from gcc, the integrity of DPDK remain the same. > > Alongside openssl pmd, the ccp and qat pmd also raise the same type > > of warnings once openssl 3.0 installed. > > > > In the current intel roadmap, we will try to support 3.0 API fully > > for openssl > and > > qat pmds by the end of year, so this patch is the first step. > > I think the warning messages are safe to stay, Unfortunately the fix > > ccp > pmd > > driver is out of our reach. > > > > When DPDK is compiled with openssl 3.0. I am seeing these errors in > compilation. > So, compilation is broken and we cannot take this patch as is. > We have few options, > - fix all of these errors, > - add exception in meson.build for ignoring these errors. > - disable/skip compilation of PMDs if openssl version is >3.0 > > Adding only one type of APIs does not make sense, if the driver is not > compiled. > > In file included from ../drivers/crypto/openssl/openssl_pmd_private.h:12, > from ../drivers/crypto/openssl/rte_openssl_pmd.c:16: > /usr/local/include/openssl/dh.h:223:27: note: declared here > 223 | OSSL_DEPRECATEDIN_3_0 int DH_generate_key(DH *dh); > | ^~~~~~~~~~~~~~~ > ../drivers/crypto/openssl/rte_openssl_pmd.c: In function > 'process_openssl_rsa_op': > ../drivers/crypto/openssl/rte_openssl_pmd.c:2068:3: error: > 'RSA_public_encrypt' is deprecated: Since OpenSSL 3.0 [- > Werror=deprecated-declarations] > 2068 | ret = RSA_public_encrypt(op->rsa.message.length, You are right. We will defer the change to next release so we can send along with the asym openssl change Kai is working on. But since we have your attention I would want to drag Chandubabu's attention too as there are three PMDs uses deprecated openssl lib APIs: openssl, qat, and ccp. Adding a suppress flag to meson build file won't resolve the problem - we need to resolve them before the APIs are gone for good. Thank you for bringing this to our attention, we will work on CCP changes to support 3.0 API's. > > Also, avoid top posting of comments! ^ permalink raw reply [flat|nested] 18+ messages in thread
* [dpdk-dev v6] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-18 11:51 ` [dpdk-dev v5] " Kai Ji 2022-02-18 13:41 ` Zhang, Roy Fan 2022-02-24 19:02 ` [EXT] " Akhil Goyal @ 2022-02-25 15:13 ` Kai Ji 2022-02-25 17:35 ` Stephen Hemminger 2 siblings, 1 reply; 18+ messages in thread From: Kai Ji @ 2022-02-25 15:13 UTC (permalink / raw) To: dev; +Cc: gakhil, roy.fan.zhang, Kai Ji This patch setup OPENSSL_API_COMPAT to suppress deprecated compile warning messages in ccp, openssl and qat PMDs, also update the symmetric EVP routine in crypto openssl pmd to adopt openssl 3.0 library. Signed-off-by: Kai Ji <kai.ji@intel.com> Acked-by: Fan Zhang <roy.fan.zhang@intel.com> --- drivers/common/qat/meson.build | 1 + drivers/crypto/ccp/meson.build | 1 + drivers/crypto/openssl/meson.build | 1 + drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 5 files changed, 184 insertions(+), 10 deletions(-) diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build index af92271a75..f9bef9b2e1 100644 --- a/drivers/common/qat/meson.build +++ b/drivers/common/qat/meson.build @@ -86,4 +86,5 @@ if qat_crypto deps += ['security'] ext_deps += libcrypto cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM'] + cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] endif diff --git a/drivers/crypto/ccp/meson.build b/drivers/crypto/ccp/meson.build index a4f3406009..fe89e17b14 100644 --- a/drivers/crypto/ccp/meson.build +++ b/drivers/crypto/ccp/meson.build @@ -23,3 +23,4 @@ sources = files( ) ext_deps += dep +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build index cd962da1d6..cef92fe57a 100644 --- a/drivers/crypto/openssl/meson.build +++ b/drivers/crypto/openssl/meson.build @@ -15,3 +15,4 @@ endif deps += 'bus_vdev' sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c') ext_deps += dep +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] \ No newline at end of file diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 5794ed8159..5840ab472e 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include <openssl/provider.h> +#include <openssl/core_names.h> + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +635,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = get_digest_name(xform); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +687,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +812,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1474,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1510,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1517,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1530,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2215,6 +2372,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2263,6 +2427,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } -- 2.17.1 ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [dpdk-dev v6] crypto/openssl: openssl 3.0 support on sym crypto routine 2022-02-25 15:13 ` [dpdk-dev v6] " Kai Ji @ 2022-02-25 17:35 ` Stephen Hemminger 0 siblings, 0 replies; 18+ messages in thread From: Stephen Hemminger @ 2022-02-25 17:35 UTC (permalink / raw) To: Kai Ji; +Cc: dev, gakhil, roy.fan.zhang On Fri, 25 Feb 2022 23:13:56 +0800 Kai Ji <kai.ji@intel.com> wrote: > +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] > \ No newline at end of file All files in DPDK should have newline at end of file. How did this sneak in? ^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2022-02-28 5:35 UTC | newest] Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-02-04 17:57 [dpdk-dev v1] crypto/openssl: openssl EVP MAC routine api update Kai Ji 2022-02-07 15:24 ` [dpdk-dev v2] crypto/openssl: openssl 3.0 support on sym MAC routine Kai Ji 2022-02-07 15:40 ` Zhang, Roy Fan 2022-02-17 17:45 ` [dpdk-dev v3] crypto/openssl: openssl 3.0 support on sym crypto routine Kai Ji 2022-02-17 18:01 ` [EXT] " Akhil Goyal 2022-02-18 9:44 ` [dpdk-dev v4] " Kai Ji 2022-02-18 11:51 ` [dpdk-dev v5] " Kai Ji 2022-02-18 13:41 ` Zhang, Roy Fan 2022-02-24 19:02 ` [EXT] " Akhil Goyal 2022-02-24 23:13 ` Ji, Kai 2022-02-25 3:55 ` Akhil Goyal 2022-02-25 10:19 ` Ji, Kai 2022-02-25 10:39 ` Akhil Goyal 2022-02-25 11:19 ` Ji, Kai 2022-02-25 13:51 ` Zhang, Roy Fan 2022-02-28 5:35 ` Namburu, Chandu-babu 2022-02-25 15:13 ` [dpdk-dev v6] " Kai Ji 2022-02-25 17:35 ` Stephen Hemminger
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).