diff mbox series

[21/40] cryptodev: add public key verify option

Message ID 20220520055445.40063-22-arkadiuszx.kusztal@intel.com (mailing list archive)
State Changes Requested
Delegated to: akhil goyal
Headers show
Series cryptodev: rsa, dh, ecdh changes | expand

Checks

Context Check Description
ci/checkpatch warning coding style issues

Commit Message

Kusztal, ArkadiuszX May 20, 2022, 5:54 a.m. UTC
- Added key exchange public key verify option.
For some elliptic curves public point in DH exchange
needs to be checked, if it lays on the curve.
Modular exponentiation needs certain checks as well, though
mathematically much easier.
This commit adds verify option to asym_op operations.

Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
 lib/cryptodev/rte_crypto_asym.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Akhil Goyal May 24, 2022, 12:12 p.m. UTC | #1
> - Added key exchange public key verify option.
> For some elliptic curves public point in DH exchange
> needs to be checked, if it lays on the curve.
> Modular exponentiation needs certain checks as well, though
> mathematically much easier.
> This commit adds verify option to asym_op operations.
> 
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
>  lib/cryptodev/rte_crypto_asym.h | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 09edf2ac3d..73ff9ff815 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -110,8 +110,10 @@ enum rte_crypto_asym_ke_type {
>  	/**< Private Key generation operation */
>  	RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
>  	/**< Public Key generation operation */
> -	RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> +	RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
>  	/**< Shared Secret compute operation */
> +	RTE_CRYPTO_ASYM_OP_DH_KEY_VERIFY
> +	/**< Public Key Verification */

Shouldn't this be RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_VERIFY ??

>  };
> 
>  /**
> @@ -397,6 +399,10 @@ struct rte_crypto_dh_op_param {
>  	 * For ECDH it is a point on the curve.
>  	 * Output for RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE
>  	 * Input for RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> +	 *
> +	 * VERIFY option can be used only for elliptic curve
> +	 * point validation, for FFDH (DH) it is user's reponsibility
> +	 * to check the public key accordingly.

What is expected from the user? Please be specific.
Add reference to the ke_type for which this comment id valid.

>  	 */
>  	union {
>  		rte_crypto_uint shared_secret;
> --
> 2.13.6
Kusztal, ArkadiuszX May 24, 2022, 2:59 p.m. UTC | #2
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Tuesday, May 24, 2022 2:12 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Anoob Joseph <anoobj@marvell.com>; Zhang, Roy Fan
> <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH 21/40] cryptodev: add public key verify option
> 
> > - Added key exchange public key verify option.
> > For some elliptic curves public point in DH exchange needs to be
> > checked, if it lays on the curve.
> > Modular exponentiation needs certain checks as well, though
> > mathematically much easier.
> > This commit adds verify option to asym_op operations.
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> >  lib/cryptodev/rte_crypto_asym.h | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/cryptodev/rte_crypto_asym.h
> > b/lib/cryptodev/rte_crypto_asym.h index 09edf2ac3d..73ff9ff815 100644
> > --- a/lib/cryptodev/rte_crypto_asym.h
> > +++ b/lib/cryptodev/rte_crypto_asym.h
> > @@ -110,8 +110,10 @@ enum rte_crypto_asym_ke_type {
> >  	/**< Private Key generation operation */
> >  	RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
> >  	/**< Public Key generation operation */
> > -	RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > +	RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
> >  	/**< Shared Secret compute operation */
> > +	RTE_CRYPTO_ASYM_OP_DH_KEY_VERIFY
> > +	/**< Public Key Verification */
> 
> Shouldn't this be RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_VERIFY ??
[Arek] - ah, yes. Sorry for that.
> 
> >  };
> >
> >  /**
> > @@ -397,6 +399,10 @@ struct rte_crypto_dh_op_param {
> >  	 * For ECDH it is a point on the curve.
> >  	 * Output for RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE
> >  	 * Input for RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > +	 *
> > +	 * VERIFY option can be used only for elliptic curve
> > +	 * point validation, for FFDH (DH) it is user's reponsibility
> > +	 * to check the public key accordingly.
> 
> What is expected from the user? Please be specific.
[Arek] - Well, this depends on protocol, usually it is size check for FFDH and zero check for x25519/448. Not sure how much information should be provided here.
> Add reference to the ke_type for which this comment id valid.

> 
> >  	 */
> >  	union {
> >  		rte_crypto_uint shared_secret;
> > --
> > 2.13.6
Akhil Goyal May 25, 2022, 6 a.m. UTC | #3
> > >
> > >  /**
> > > @@ -397,6 +399,10 @@ struct rte_crypto_dh_op_param {
> > >  	 * For ECDH it is a point on the curve.
> > >  	 * Output for RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE
> > >  	 * Input for RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > > +	 *
> > > +	 * VERIFY option can be used only for elliptic curve
> > > +	 * point validation, for FFDH (DH) it is user's reponsibility
> > > +	 * to check the public key accordingly.
> >
> > What is expected from the user? Please be specific.
> [Arek] - Well, this depends on protocol, usually it is size check for FFDH and zero
> check for x25519/448. Not sure how much information should be provided here.
I can understand we cannot specify everything here.
How about adding in documentation a section to give details?

> > Add reference to the ke_type for which this comment id valid.
> 
> >
> > >  	 */
> > >  	union {
> > >  		rte_crypto_uint shared_secret;
> > > --
> > > 2.13.6
Kusztal, ArkadiuszX May 25, 2022, 6:30 a.m. UTC | #4
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Wednesday, May 25, 2022 8:00 AM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; dev@dpdk.org
> Cc: Anoob Joseph <anoobj@marvell.com>; Zhang, Roy Fan
> <roy.fan.zhang@intel.com>
> Subject: RE: [EXT] [PATCH 21/40] cryptodev: add public key verify option
> 
> > > >
> > > >  /**
> > > > @@ -397,6 +399,10 @@ struct rte_crypto_dh_op_param {
> > > >  	 * For ECDH it is a point on the curve.
> > > >  	 * Output for RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE
> > > >  	 * Input for RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
> > > > +	 *
> > > > +	 * VERIFY option can be used only for elliptic curve
> > > > +	 * point validation, for FFDH (DH) it is user's reponsibility
> > > > +	 * to check the public key accordingly.
> > >
> > > What is expected from the user? Please be specific.
> > [Arek] - Well, this depends on protocol, usually it is size check for
> > FFDH and zero check for x25519/448. Not sure how much information should
> be provided here.
> I can understand we cannot specify everything here.
> How about adding in documentation a section to give details?
[Arek] - actually I came with another idea.
I have added ECDH param, VERIFY is valid only for ecdh_op and verify is:
RTE_CRYPTO_ASYM_KE_EC_PUBLIC_KEY_VERIFY, so it is not included in dh_op_param.
I doubt there will be any hw acceleration for anything else than EC point verification + I doubt there will be 4 steps verification (that's why I have not included it in flags). I have spilt DH into DH and ECDH, as it probably will be easier when adding sm2 key exchange (instead of extending union fields)

+ Kai
> 
> > > Add reference to the ke_type for which this comment id valid.
> >
> > >
> > > >  	 */
> > > >  	union {
> > > >  		rte_crypto_uint shared_secret;
> > > > --
> > > > 2.13.6
diff mbox series

Patch

diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 09edf2ac3d..73ff9ff815 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -110,8 +110,10 @@  enum rte_crypto_asym_ke_type {
 	/**< Private Key generation operation */
 	RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE,
 	/**< Public Key generation operation */
-	RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
+	RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE,
 	/**< Shared Secret compute operation */
+	RTE_CRYPTO_ASYM_OP_DH_KEY_VERIFY
+	/**< Public Key Verification */
 };
 
 /**
@@ -397,6 +399,10 @@  struct rte_crypto_dh_op_param {
 	 * For ECDH it is a point on the curve.
 	 * Output for RTE_CRYPTO_ASYM_KE_PUBLIC_KEY_GENERATE
 	 * Input for RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE
+	 *
+	 * VERIFY option can be used only for elliptic curve
+	 * point validation, for FFDH (DH) it is user's reponsibility
+	 * to check the public key accordingly.
 	 */
 	union {
 		rte_crypto_uint shared_secret;