DPDK usage discussions
* Fw: OpenSSL Crypto Poll Mode Driver
       [not found] <DB9P195MB12252F3886270BDBBE4047D2B2E09@DB9P195MB1225.EURP195.PROD.OUTLOOK.COM>
@ 2022-04-01 11:17 ` ossama ahmed
  2022-04-01 13:40   ` Kusztal, ArkadiuszX
  0 siblings, 1 reply; 4+ messages in thread
From: ossama ahmed @ 2022-04-01 11:17 UTC (permalink / raw)
  To: users

________________________________
From: ossama ahmed
Sent: Friday, April 1, 2022 11:10 AM
To: users-request@dpdk.org <users-request@dpdk.org>
Subject: OpenSSL Crypto Poll Mode Driver

Hello,

I would like to highlight the following issues in the OpenSSL Crypto Poll Mode Driver and OpenSSL vdev related to RSA Sign and Verify operations.

ISSUES:
ISSUE1 (RSA_private_encrypt and RSA_public_decrypt)

With respect to https://www.openssl.org/docs/manmaster/man3/RSA_private_encrypt.html, both of the functions are deprecated. Applications should instead use EVP_PKEY_sign_init_ex, EVP_PKEY_sign, EVP_PKEY_verify_recover_init, and EVP_PKEY_verify_recover.

Although I understand that, for compatibility reasons, DPDK is using the native OpenSSL (in my case, on Ubuntu 20.04.1, version 1.1.1f), with respect to OpenSSL 1.1.1f's APIs "RSA_private_encrypt" and "RSA_public_decrypt", in the case of RSA_PKCS1_PADDING it is recommended that, when generating or verifying
PKCS #1 signatures, RSA_sign(3) and RSA_verify(3) should be used.

POSSIBLE SOLUTION
1. Use RSA_sign, RSA_verify, EVP_DigestSignFinal, EVP_DigestSign etc instead.

2. Append the algorithm identifier field to the digest before signing. Details can be found in section EMSA-PKCS1-v1_5, available at https://datatracker.ietf.org/doc/html/rfc8017#section-9.2

For example, if RSA is using SHA256 for digest generation, then the DigestInfo value is:
SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H where H is the digest of data
Hence the appropriate AIDs (i.e. algorithm identifiers) must be appended to the digest. Once this is done, then in the case of RSA_PKCS1_PADDING, the APIs RSA_private_encrypt and RSA_public_decrypt are compatible with RSA_sign, RSA_verify, EVP_DigestSignFinal, EVP_DigestSign and verify respectively.

ISSUE2 (OpenSSL Crypto Poll Mode Driver vs RSA PSS Padding)
The current DPDK OpenSSL Crypto Poll Mode Driver fails to verify signatures generated using RSA PSS padding. Also, with respect to the latest version of DPDK, there is no handling available in the OpenSSL Crypto Poll Mode Driver for RTE_CRYPTO_RSA_PADDING_PSS. The current implementation handles only RTE_CRYPTO_RSA_PADDING_NONE and
RTE_CRYPTO_RSA_PADDING_PKCS1_5 for signing and verification.

1. Use EVP_DigestSignFinal, EVP_DigestSign etc. instead.

2. As coded in OpenSSL (crypto/rsa/rsa_pmeth.c +268):
        else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
            int ret;
            if (!setup_tbuf(rctx, ctx))
                return -1;
            ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, RSA_NO_PADDING);

            if (ret <= 0)
                return 0;
            ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, rctx->mgf1md, rctx->tbuf, rctx->saltlen);
            if (ret <= 0)
                return 0;
            return 1;
        }
However, in order to use the above implementation, changes are required in the OpenSSL Crypto Poll Mode Driver (drivers/crypto/openssl/rte_openssl_pmd.c +1945), for example:

       case RTE_CRYPTO_ASYM_OP_VERIFY:
                tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
                if (tmp == NULL) {
                        OPENSSL_LOG(ERR, "Memory allocation failed");
                        cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
                        break;
                }
                ret = RSA_public_decrypt(op->rsa.sign.length,
                                op->rsa.sign.data,
                                tmp,
                                rsa,
                                pad);

                OPENSSL_LOG(DEBUG,
                                "Length of public_decrypt %d "
                                "length of message %zd\n",
                                ret, op->rsa.message.length);
                //FIXME
                if(pad == RSA_NO_PADDING && ret)
                        memcpy(op->rsa.message.data, tmp, op->rsa.sign.length);
                else if ((ret <= 0) || (CRYPTO_memcmp(tmp, op->rsa.message.data,
                                op->rsa.message.length))) {
                        OPENSSL_LOG(ERR, "RSA sign Verification failed");
                        cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
                }
                //FIXME
                rte_free(tmp);
                break;

Complete details are available in section 8.1.2 of https://datatracker.ietf.org/doc/html/rfc8017#section-8.1.2


I have handled the above mentioned issues in DPDK using my own custom implementation. I would love to share details if required for further clarification.

Regards,
Ossama Ahmed Mughal

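The compatibility point in ISSUE1 above, as an added example that is not code from DPDK, OpenSSL or the poster: a pure-Python model of RSA_private_encrypt(RSA_PKCS1_PADDING) next to RSA_sign/RSA_verify for SHA-256, using the DigestInfo prefix quoted in the thread placed in front of H exactly as the thread's own formula shows. The key is a constructed demonstration key built from two Mersenne primes so the script runs offline with no key generator; such a modulus is trivially factorable and exists only so the arithmetic works. The function names are this example's own, chosen to mirror the OpenSSL calls they model.

```python
"""Added example (not DPDK, OpenSSL or the poster's code): RSA_private_encrypt with
PKCS1 padding versus RSA_sign/RSA_verify, modelled in pure Python."""
import hashlib
import hmac

# Constructed demonstration key built from two Mersenne primes so the script needs no
# key generator. Such a modulus is trivially factorable; it is for illustration only.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets (81 for this key)

# DigestInfo prefix for SHA-256, RFC 8017 section 9.2 (the bytes quoted in the thread)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def i2osp(x: int, n: int) -> bytes:
    return x.to_bytes(n, "big")


def os2ip(b: bytes) -> int:
    return int.from_bytes(b, "big")


def emsa_pkcs1_v15(t: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T with PS at least eight 0xff octets."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_private_encrypt_pkcs1(data: bytes) -> bytes:
    """Model of RSA_private_encrypt(..., RSA_PKCS1_PADDING): type-1 padding plus
    RSASP1 over exactly the octets the caller passes, no DigestInfo added."""
    return i2osp(pow(os2ip(emsa_pkcs1_v15(data, K)), D, N), K)


def rsa_sign_sha256(msg: bytes) -> bytes:
    """Model of RSA_sign(NID_sha256, ...): DigestInfo || H goes under the padding."""
    return rsa_private_encrypt_pkcs1(SHA256_DIGESTINFO + hashlib.sha256(msg).digest())


def rsa_verify_sha256(msg: bytes, sig: bytes) -> bool:
    """Model of RSA_verify(NID_sha256, ...): rebuild the expected EM and compare the
    whole block in constant time rather than parsing padding out of the signature."""
    if len(sig) != K or os2ip(sig) >= N:
        return False
    em = i2osp(pow(os2ip(sig), E, N), K)
    expected = emsa_pkcs1_v15(SHA256_DIGESTINFO + hashlib.sha256(msg).digest(), K)
    return hmac.compare_digest(em, expected)


def demo() -> dict:
    msg = b"constructed sample message"          # constructed input
    h = hashlib.sha256(msg).digest()
    bare = rsa_private_encrypt_pkcs1(h)                          # what ISSUE1 describes
    with_aid = rsa_private_encrypt_pkcs1(SHA256_DIGESTINFO + h)  # DigestInfo in front of H
    return {
        "bare_hash_verifies": rsa_verify_sha256(msg, bare),
        "with_digestinfo_verifies": rsa_verify_sha256(msg, with_aid),
        "matches_rsa_sign": with_aid == rsa_sign_sha256(msg),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows that a signature made over the bare SHA-256 hash does not pass an RSA_verify-style check, while the same primitive with DigestInfo || H under the padding produces, byte for byte, the RSA_sign output: PKCS#1 v1.5 signing is deterministic, so once the DigestInfo is supplied the two code paths are interchangeable, which is the compatibility the thread is asking the Cryptodev API or PMD to provide for RTE_CRYPTO_RSA_PADDING_PKCS1_5.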

* RE: OpenSSL Crypto Poll Mode Driver
  2022-04-01 11:17 ` Fw: OpenSSL Crypto Poll Mode Driver ossama ahmed
@ 2022-04-01 13:40   ` Kusztal, ArkadiuszX
  2022-04-01 14:20     ` Ji, Kai
  0 siblings, 1 reply; 4+ messages in thread
From: Kusztal, ArkadiuszX @ 2022-04-01 13:40 UTC (permalink / raw)
  To: ossama ahmed, users; +Cc: Zhang, Roy Fan, Ji, Kai


Hi Ossama,

Please see answers inline with [Arek]

ISSUES:
ISSUE1 (RSA_private_encrypt and RSA_public_decrypt)

POSSIBLE SOLUTION
1. Use RSA_sign, RSA_verify, EVP_DigestSignFinal, EVP_DigestSign etc instead.

[Arek] - RSA_sign and RSA_verify are now deprecated too.

2. Append the algorithm identifier field to the digest before signing. Details can be found in section EMSA-PKCS1-v1_5, available at https://datatracker.ietf.org/doc/html/rfc8017#section-9.2

For example, if RSA is using SHA256 for digest generation, then the DigestInfo value is:
SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H where H is the digest of data
Hence the appropriate AIDs (i.e. algorithm identifiers) must be appended to the digest. Once this is done, then in the case of RSA_PKCS1_PADDING, the APIs RSA_private_encrypt and RSA_public_decrypt are compatible with RSA_sign, RSA_verify, EVP_DigestSignFinal, EVP_DigestSign and verify respectively.


[Arek] - yes, you are perfectly correct, this is a general Cryptodev API problem. Proposals to fix that were sent already:
https://patchwork.dpdk.org/project/dpdk/list/?series=22203.
With PKCS1 we should not worry about the algorithmIdentifier from the user's perspective, although there was an option to do PKCS1 padding without it too (pre-TLS 1.2 PKCS1.5 padding was used with a 36-byte hash concatenation, for example); the discussion was started on the dev mailing list. As for the OpenSSL PMD, we are simultaneously working to fix that.


ISSUE2 (OpenSSL Crypto Poll Mode Driver vs RSA PSS Padding)
The current DPDK OpenSSL Crypto Poll Mode Driver fails to verify signatures generated using RSA PSS padding. Also, with respect to the latest version of DPDK, there is no handling available in the OpenSSL Crypto Poll Mode Driver for RTE_CRYPTO_RSA_PADDING_PSS. The current implementation handles only RTE_CRYPTO_RSA_PADDING_NONE and
RTE_CRYPTO_RSA_PADDING_PKCS1_5 for signing and verification.

[Arek] - yes, PSS should be implemented too. Registration of the OpenSSL random engine should allow us to check known answer tests too, not only PWCT. Could you resend your proposal to the dev list?

1. Use EVP_DigestSignFinal, EVP_DigestSign etc. instead.

2. As coded in OpenSSL (crypto/rsa/rsa_pmeth.c +268):
        else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
            int ret;
            if (!setup_tbuf(rctx, ctx))
                return -1;
            ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, RSA_NO_PADDING);

            if (ret <= 0)
                return 0;
            ret = RSA_verify_PKCS1_PSS_mgf1(rsa, tbs, rctx->md, rctx->mgf1md, rctx->tbuf, rctx->saltlen);
[Arek] - the whole OpenSSL low-level API is deprecated now, these functions as well, so we won't be using it.
            if (ret <= 0)
                return 0;
            return 1;
        }
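
ISSUE2 and the rsa_pmeth.c excerpt above describe PSS verification as two steps: recover EM with a no-padding public-key operation, then run EMSA-PSS-VERIFY on it. What follows is an added example, not code from DPDK or OpenSSL, that implements that flow in pure Python per RFC 8017 sections 8.1.2, 9.1.1 and 9.1.2, with SHA-256 as both the message hash and the MGF1 hash. The key is a constructed demonstration key built from two Mersenne primes (trivially factorable, never a real key); EM_BITS, pss_sign, pss_verify and the other names are this example's own.

```python
"""Added example (not DPDK or OpenSSL code): RSA-PSS verification as RFC 8017
section 8.1.2 specifies it, modelled in pure Python with SHA-256."""
import hashlib
import hmac
import os

# Constructed demonstration key from two Mersenne primes; trivially factorable,
# used only so the modular arithmetic runs offline.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets
EM_BITS = N.bit_length() - 1           # emBits = modBits - 1 (RFC 8017 8.1.1 / 8.1.2)
HLEN = hashlib.sha256().digest_size    # 32


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017 appendix B.2.1)."""
    blocks = (length + HLEN - 1) // HLEN
    out = b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
                   for c in range(blocks))
    return out[:length]


def emsa_pss_encode(mhash: bytes, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) for an already hashed message."""
    em_len = (EM_BITS + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error")
    h = hashlib.sha256(b"\x00" * 8 + mhash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    top_mask = 0xFF >> (8 * em_len - EM_BITS)   # clear the leftmost unused bits
    return bytes([masked[0] & top_mask]) + masked[1:] + h + b"\xbc"


def emsa_pss_verify(mhash: bytes, em: bytes, slen: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); every failed check means 'inconsistent'."""
    em_len = (EM_BITS + 7) // 8
    if len(em) != em_len or em_len < HLEN + slen + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - EM_BITS)
    if masked[0] & ~top_mask & 0xFF:             # unused leftmost bits must be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top_mask]) + db[1:]
    ps_len = em_len - HLEN - slen - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1:]
    h2 = hashlib.sha256(b"\x00" * 8 + mhash + salt).digest()
    return hmac.compare_digest(h, h2)


def pss_sign(msg: bytes, salt: bytes) -> bytes:
    """RSASSA-PSS-SIGN: EMSA-PSS-ENCODE, then RSASP1."""
    em = emsa_pss_encode(hashlib.sha256(msg).digest(), salt)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def pss_verify(msg: bytes, sig: bytes, slen: int = HLEN) -> bool:
    """RSASSA-PSS-VERIFY. Step 1 is the RSA_public_decrypt(..., RSA_NO_PADDING) of the
    quoted OpenSSL code (RSAVP1, recover EM); step 2 is EMSA-PSS-VERIFY on that EM."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:                                   # signature representative out of range
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return emsa_pss_verify(hashlib.sha256(msg).digest(), em, slen)


def demo() -> dict:
    msg = b"constructed sample message"          # constructed input
    sig1 = pss_sign(msg, os.urandom(HLEN))
    sig2 = pss_sign(msg, os.urandom(HLEN))
    tampered = sig1[:-1] + bytes([sig1[-1] ^ 0x01])
    return {
        "verifies": pss_verify(msg, sig1),
        "randomised": sig1 != sig2,              # fresh salt: no fixed value to memcmp against
        "other_message_fails": pss_verify(b"other message", sig1),
        "tampered_fails": pss_verify(msg, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The checks in emsa_pss_verify (trailer octet, cleared leftmost bits, all-zero PS and the 0x01 separator, recomputed H over the recovered salt) are the ones the quoted RSA_verify_PKCS1_PSS_mgf1 call performs after RSA_public_decrypt with RSA_NO_PADDING has produced EM. The demo also shows that two PSS signatures of one message differ because of the random salt, which is why the PMD path that recovers the block and compares it against the message with CRYPTO_memcmp, as the quoted PKCS1 branch does, can never verify PSS; the recovered EM has to be handed to EMSA-PSS-VERIFY instead.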

* RE: OpenSSL Crypto Poll Mode Driver
  2022-04-01 13:40   ` Kusztal, ArkadiuszX
@ 2022-04-01 14:20     ` Ji, Kai
  2022-04-01 15:22       ` ossama ahmed
  0 siblings, 1 reply; 4+ messages in thread
From: Ji, Kai @ 2022-04-01 14:20 UTC (permalink / raw)
  To: Kusztal, ArkadiuszX, ossama ahmed, users; +Cc: Zhang, Roy Fan


FYI: Support for the OpenSSL 3.0 lib in the OpenSSL cryptodev PMD is work in progress; the following API changes are currently being made to the RSA routine in the PMD:

Deprecated RSA_private_encrypt() & RSA_public_decrypt() replaced with EVP_PKEY_encrypt() & EVP_PKEY_decrypt() for RSA enc/dec ops
Deprecated RSA_sign() & RSA_verify() replaced with EVP_PKEY_sign() & EVP_PKEY_verify_recover() for RSA sign/verify ops

The EVP APIs offer flexible configuration where the digest algorithm/padding can be defined, e.g.:

EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING);
EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());

Regards

Kai


* Re: OpenSSL Crypto Poll Mode Driver
  2022-04-01 14:20     ` Ji, Kai
@ 2022-04-01 15:22       ` ossama ahmed
  0 siblings, 0 replies; 4+ messages in thread
From: ossama ahmed @ 2022-04-01 15:22 UTC (permalink / raw)
  To: Ji, Kai, Kusztal, ArkadiuszX, users; +Cc: Zhang, Roy Fan


Thanks for your response. Let me go through these details, and I will ping you in case of any query.

