@@ -1639,7 +1639,7 @@ test_dh_keygenration(void)
}
static int
-test_dsa_sign(void)
+test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op)
{
struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
struct rte_mempool *op_mpool = ts_params->op_mpool;
@@ -1649,9 +1649,6 @@ test_dsa_sign(void)
struct rte_crypto_op *op = NULL, *result_op = NULL;
void *sess = NULL;
int status = TEST_SUCCESS;
- uint8_t r[TEST_DH_MOD_LEN];
- uint8_t s[TEST_DH_MOD_LEN];
- uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
int ret;
ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
@@ -1673,6 +1670,7 @@ test_dsa_sign(void)
goto error_exit;
}
asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
dsa_xform.dsa.p.length);
@@ -1686,13 +1684,6 @@ test_dsa_sign(void)
/* attach asymmetric crypto session to crypto operations */
rte_crypto_op_attach_asym_session(op, sess);
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
- asym_op->dsa.message.data = dgst;
- asym_op->dsa.message.length = sizeof(dgst);
- asym_op->dsa.r.length = sizeof(r);
- asym_op->dsa.r.data = r;
- asym_op->dsa.s.length = sizeof(s);
- asym_op->dsa.s.data = s;
-
RTE_LOG(DEBUG, USER1, "Process ASYM operation");
/* Process crypto operation */
@@ -1716,12 +1707,72 @@ test_dsa_sign(void)
}
asym_op = result_op->asym;
+ dsa_op->r.length = asym_op->dsa.r.length;
+ dsa_op->s.length = asym_op->dsa.s.length;
+
+ debug_hexdump(stdout, "r:",
+ asym_op->dsa.r.data, asym_op->dsa.r.length);
+ debug_hexdump(stdout, "s:",
+ asym_op->dsa.s.data, asym_op->dsa.s.length);
+error_exit:
+ if (sess != NULL)
+ rte_cryptodev_asym_session_free(dev_id, sess);
+ if (op != NULL)
+ rte_crypto_op_free(op);
+ return status;
+}
+
+
+static int
+test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op)
+{
+ struct crypto_testsuite_params_asym *ts_params = &testsuite_params;
+ struct rte_mempool *op_mpool = ts_params->op_mpool;
+ struct rte_mempool *sess_mpool = ts_params->session_mpool;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ struct rte_crypto_asym_op *asym_op = NULL;
+ struct rte_crypto_op *op = NULL, *result_op = NULL;
+ void *sess = NULL;
+ int status = TEST_SUCCESS;
+ int ret;
+
+ ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s", __LINE__,
+ "Session creation failed");
+ status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+ goto error_exit;
+ }
+ /* set up crypto op data structure */
+ op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC);
+ if (!op) {
+ RTE_LOG(ERR, USER1,
+ "line %u FAILED: %s",
+ __LINE__, "Failed to allocate asymmetric crypto "
+ "operation struct");
+ status = TEST_FAILED;
+ goto error_exit;
+ }
+ asym_op = op->asym;
+ asym_op->dsa = *dsa_op;
+
+ debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data,
+ dsa_xform.dsa.p.length);
+ debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data,
+ dsa_xform.dsa.q.length);
+ debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data,
+ dsa_xform.dsa.g.length);
+
+ /* attach asymmetric crypto session to crypto operations */
+ rte_crypto_op_attach_asym_session(op, sess);
debug_hexdump(stdout, "r:",
asym_op->dsa.r.data, asym_op->dsa.r.length);
debug_hexdump(stdout, "s:",
asym_op->dsa.s.data, asym_op->dsa.s.length);
+ RTE_LOG(DEBUG, USER1, "Process ASYM verify operation");
/* Test PMD DSA sign verification using signer public key */
asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
@@ -1767,8 +1818,22 @@ static int
test_dsa(void)
{
int status;
- status = test_dsa_sign();
- TEST_ASSERT_EQUAL(status, 0, "Test failed");
+ uint8_t r[TEST_DH_MOD_LEN];
+ uint8_t s[TEST_DH_MOD_LEN];
+ struct rte_crypto_dsa_op_param dsa_op;
+ uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344";
+
+ dsa_op.message.data = dgst;
+ dsa_op.message.length = sizeof(dgst);
+ dsa_op.r.data = r;
+ dsa_op.s.data = s;
+ dsa_op.r.length = sizeof(r);
+ dsa_op.s.length = sizeof(s);
+
+ status = test_dsa_sign(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed");
+ status = test_dsa_verify(&dsa_op);
+ TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed");
return status;
}
@@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
*priv_key = dsa->priv_key;
}
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+ DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+ DSA_SIG_get0(sign, r, s);
+}
#else
static __rte_always_inline int
@@ -15,4 +15,3 @@ endif
deps += 'bus_vdev'
sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c')
ext_deps += dep
-cflags += ['-DOPENSSL_API_COMPAT=0x10100000L']
@@ -184,6 +184,9 @@ struct openssl_asym_session {
} dh;
struct {
DSA *dsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+#endif
} s;
} u;
} __rte_cache_aligned;
@@ -1761,6 +1761,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1842,6 +2007,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process dh operation */
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -2501,12 +2667,21 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
RTE_CRYPTO_ASYM_OP_VERIFY)
retval =
process_openssl_dsa_verify_op(op, sess);
+#endif
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
break;
@@ -1183,6 +1183,56 @@ static int openssl_set_asym_session_parameters(
}
case RTE_CRYPTO_ASYM_XFORM_DSA:
{
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ BIGNUM *p = NULL, *g = NULL;
+ BIGNUM *q = NULL, *priv_key = NULL;
+ BIGNUM *pub_key = BN_new();
+ BN_zero(pub_key);
+ OSSL_PARAM_BLD *param_bld = NULL;
+
+ p = BN_bin2bn((const unsigned char *)
+ xform->dsa.p.data,
+ xform->dsa.p.length,
+ p);
+
+ g = BN_bin2bn((const unsigned char *)
+ xform->dsa.g.data,
+ xform->dsa.g.length,
+ g);
+
+ q = BN_bin2bn((const unsigned char *)
+ xform->dsa.q.data,
+ xform->dsa.q.length,
+ q);
+ if (!p || !q || !g)
+ goto err_dsa;
+
+ priv_key = BN_bin2bn((const unsigned char *)
+ xform->dsa.x.data,
+ xform->dsa.x.length,
+ priv_key);
+ if (priv_key == NULL)
+ goto err_dsa;
+
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dsa;
+ }
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+ asym_session->u.s.param_bld = param_bld;
+
+ break;
+#else
BIGNUM *p = NULL, *g = NULL;
BIGNUM *q = NULL, *priv_key = NULL;
BIGNUM *pub_key = BN_new();
@@ -1242,7 +1292,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.s.dsa = dsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
break;
-
+#endif
err_dsa:
BN_free(p);
BN_free(q);
@@ -1335,8 +1385,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.s.param_bld = NULL;
+#else
if (sess->u.s.dsa)
DSA_free(sess->u.s.dsa);
+#endif
break;
default:
break;