From patchwork Mon May 16 10:10:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 111172 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id AB4BDA04FF; Mon, 16 May 2022 12:10:53 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7E85742823; Mon, 16 May 2022 12:10:49 +0200 (CEST) Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id 3FC9D40A79 for ; Mon, 16 May 2022 12:10:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1652695847; x=1684231847; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=CvnHm7ILlfkYLB2LGEhjzZ+YmiyIhX7f87XPekEewJU=; b=EgyH+W10xHAbb73onmN7t/jA9O5br9Uupw1eqD/sQ7B0/wZnQLgPmw+S Ji34yVyI+UBGAcnyGucyaYUDJm6MSB+qRXix6CC9rKEgqkFF1K6VVn39k X/kAfnRQbYyIY39h0a1qQggoLUpQ+aAHDg3k82j+3oi3q4mbXzJcVm9po ViWVzdrJMU0Q1ycBz/t9gk1spAAnScFLTqcETSK4oZsp8jEookhWM607G 4NQOe0EEis1xZXZMHxUD10bu9+4TpVEfcHh5zRB8WCYnzsz206wa96y4Z LyTfM3YAgQi2yWi/leI68yDMls+5OG1f0i0/sQIsSRJK4srLG58pAn4vs Q==; X-IronPort-AV: E=McAfee;i="6400,9594,10348"; a="252857794" X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="252857794" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 May 2022 03:10:43 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="568254333" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 16 May 2022 03:10:43 -0700 From: Kai Ji To: dev@dpdk.org Cc: Kai Ji Subject: [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Date: Mon, 16 May 2022 18:10:35 +0800 Message-Id: <20220516101039.4537-2-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com> References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Enable openssl_api_compat cflag to suppress deprecated api warning messages in crypto pmd drivers: ccp, openssl and qat. Signed-off-by: Kai Ji --- drivers/common/qat/meson.build | 1 + drivers/crypto/ccp/meson.build | 1 + drivers/crypto/openssl/meson.build | 1 + 3 files changed, 3 insertions(+) diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build index b7027f3164..6c3e7275ef 100644 --- a/drivers/common/qat/meson.build +++ b/drivers/common/qat/meson.build @@ -87,3 +87,4 @@ if qat_crypto ext_deps += libcrypto cflags += ['-DBUILD_QAT_SYM', '-DBUILD_QAT_ASYM'] endif +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] diff --git a/drivers/crypto/ccp/meson.build b/drivers/crypto/ccp/meson.build index a4f3406009..fe89e17b14 100644 --- a/drivers/crypto/ccp/meson.build +++ b/drivers/crypto/ccp/meson.build @@ -23,3 +23,4 @@ sources = files( ) ext_deps += dep +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build index cd962da1d6..9a3dea2c04 100644 --- a/drivers/crypto/openssl/meson.build +++ b/drivers/crypto/openssl/meson.build @@ -15,3 +15,4 @@ endif deps += 'bus_vdev' sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c') ext_deps += dep +cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] From patchwork Mon May 16 10:10:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 111173 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 084ACA04FD; Mon, 16 May 2022 12:11:00 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 5FB6842831; Mon, 16 May 2022 12:10:50 +0200 (CEST) Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id B1E1640A7A for ; Mon, 16 May 2022 12:10:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1652695848; x=1684231848; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=QMNcumA4b4szR13JAm7fAyFFYDcJpfn7on0nm27ueYw=; b=HDmDUO5zRHw78SVHHiRBGyHHO0q/eXm8U2H/+HWMBhVuB2zbYfYArkGe fA1KsXS+rdRuv7gTToex+s5UoCgIC9cUbar14OcprJGprCws7UoYs+PM1 8g7xH7gJJdf+i8UuI7W2gAl6iDBcnjivPWnUQk8sAfuwrdghEVRKum+34 78it8e2kvHN8Mbbzsswc4hVZG1EkrRXw7GYx1A9ZhrTQEsJroR1TXb+Op zkcPjaEiO/3werha5PLq8rY890WLfkmCInjbre5d3rE/yIkj8Z312weDJ O6p7/1JS3w7fB6K3AtJteqihMpfYHT3+F1FHUMQv6NyvhISVogDYu5z3o Q==; X-IronPort-AV: E=McAfee;i="6400,9594,10348"; a="252857797" X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="252857797" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 May 2022 03:10:45 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="568254340" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 16 May 2022 03:10:43 -0700 From: Kai Ji To: dev@dpdk.org Cc: Kai Ji Subject: [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Date: Mon, 16 May 2022 18:10:36 +0800 Message-Id: <20220516101039.4537-3-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com> References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch update the symmetric HMAC routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 2 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index d80e1052e2..db1f788d79 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -39,6 +39,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -580,6 +635,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = get_digest_name(xform); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +687,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +812,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1260,6 +1353,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1312,7 +1458,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1326,7 +1472,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1363,8 +1508,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1372,12 +1515,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1385,15 +1528,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1555,7 +1697,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1571,12 +1718,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2213,6 +2370,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2261,6 +2425,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } From patchwork Mon May 16 10:10:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 111174 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 73B31A04FD; Mon, 16 May 2022 12:11:05 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 46C1A4282E; Mon, 16 May 2022 12:10:51 +0200 (CEST) Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id DCF80410F6 for ; Mon, 16 May 2022 12:10:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1652695849; x=1684231849; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=gGz/I2SOyseC30DENfqUBMlYzVZU3edB8f062j9rasc=; b=K7K0g+RuDp7JZz+cza18VFM/k6Xs3ehRhCZjWPpjGkfGOI1rVMIwNpNj VYw9zRAC0yBCpg7fCSPBHyy1bDdMQs0CiNw0MY52P67ZBiMwSFbXg4vRx AwJJGgy6eNw7VUsu/JelHPEVkgBKqPKYNOuN8Lhubkl7550qDVF5pG8qq 9xoim+29mVKIDQnw0C1TC6Gwa2IGr0rQQbpSz4BKu8GDAqNsdoh2ABa8Q H3anxrsGom2xu1hRZBv4rVM7bR4qWSv4n0JOTP6TCsYL4JaBmsurZrPAr YUGRYdOHT3e82WyqFc24LuQUP3x5NpYOnWJr5Oh41xfwUqfeUWw2lLuSI w==; X-IronPort-AV: E=McAfee;i="6400,9594,10348"; a="252857803" X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="252857803" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 May 2022 03:10:46 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="568254345" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 16 May 2022 03:10:45 -0700 From: Kai Ji To: dev@dpdk.org Cc: Kai Ji Subject: [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Date: Mon, 16 May 2022 18:10:37 +0800 Message-Id: <20220516101039.4537-4-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com> References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric RSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 7 + drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++- 3 files changed, 267 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 86dc169aaf..d603626fdf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -11,6 +11,10 @@ #include #include #include +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#endif #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +161,9 @@ struct openssl_asym_session { union { struct rsa { RSA *rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + EVP_PKEY_CTX * ctx; +#endif } r; struct exp { BIGNUM *exp; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index db1f788d79..e8dd4f4a42 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2047,6 +2047,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop, } /* process rsa operations */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_rsa_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + uint32_t pad = (op->rsa.pad); + uint8_t *tmp; + size_t outlen = 0; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx; + if (!rsa_ctx) + return ret; + + switch (pad) { + case RTE_CRYPTO_RSA_PADDING_PKCS1_5: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_NONE: + pad = RSA_NO_PADDING; + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + OPENSSL_LOG(ERR, + "rsa pad type not supported %d\n", pad); + return ret; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.cipher.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of encrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + op->rsa.message.length = outlen; + + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_SIGN: + if (EVP_PKEY_sign_init(rsa_ctx) <= 0) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.sign.length = outlen; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + op->rsa.sign.data, + op->rsa.sign.length) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + OPENSSL_LOG(DEBUG, + "Length of public_decrypt %zu " + "length of message %zd\n", + outlen, op->rsa.message.length); + if (CRYPTO_memcmp(tmp, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + } + rte_free(tmp); + break; + + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + goto err_rsa; + } + + ret = 0; + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; +err_rsa: + return ret; + +} +#else static int process_openssl_rsa_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -2145,6 +2289,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, return 0; } +#endif static int process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -2156,7 +2301,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_rsa_op_evp(op, sess); +# else retval = process_openssl_rsa_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: retval = process_openssl_modexp_op(op, sess); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 1cb07794bd..52a5119d47 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -10,7 +10,11 @@ #include "openssl_pmd_private.h" #include "compat.h" - +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#include +#endif static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { { /* MD5 HMAC */ @@ -833,6 +837,106 @@ static int openssl_set_asym_session_parameters( if (!n || !e) goto err_rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_E, e)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) { + d = BN_bin2bn( + (const unsigned char *)xform->rsa.d.data, + xform->rsa.d.length, + d); + if (!d) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } else { + p = BN_bin2bn((const unsigned char *) + xform->rsa.qt.p.data, + xform->rsa.qt.p.length, + p); + q = BN_bin2bn((const unsigned char *) + xform->rsa.qt.q.data, + xform->rsa.qt.q.length, + q); + dmp1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dP.data, + xform->rsa.qt.dP.length, + dmp1); + dmq1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dQ.data, + xform->rsa.qt.dQ.length, + dmq1); + iqmp = BN_bin2bn((const unsigned char *) + xform->rsa.qt.qInv.data, + xform->rsa.qt.qInv.length, + iqmp); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR1, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR2, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_D, d)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *rsa_ctx = NULL; + OSSL_PARAM *params = NULL; + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_KEYPAIR, params) <= 0) { + OSSL_PARAM_free(params); + goto err_rsa; + } + + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + asym_session->u.r.ctx = rsa_ctx; + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_free(params); + break; +#else RSA *rsa = RSA_new(); if (rsa == NULL) goto err_rsa; @@ -902,6 +1006,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; break; +#endif err_rsa: BN_clear_free(n); BN_clear_free(e); @@ -1160,8 +1265,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) { switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (sess->u.r.ctx) + EVP_PKEY_CTX_free(sess->u.r.ctx); +#else if (sess->u.r.rsa) RSA_free(sess->u.r.rsa); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: if (sess->u.e.ctx) { From patchwork Mon May 16 10:10:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 111175 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 01072A04FD; Mon, 16 May 2022 12:11:11 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3840942B6B; Mon, 16 May 2022 12:10:52 +0200 (CEST) Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id 5BDCC42686 for ; Mon, 16 May 2022 12:10:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1652695849; x=1684231849; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=0nmOVshq5a2p4bX6MNcf5Jz5FOb5x07ebkM0kmBLUqc=; b=U5oDQv5DKTdiKlwAVx315agNEUi9fSvcs33tSAbyrqiHy172kH+BvOMg HOBG/kzwfORTT/tuItdYqGgg7tGVIH0tGb56wt4+q9hZCcUge4RhXhZGh DwX95TCD7sTowoUJMmNGSba9jNv75SlfGCD1RG952/of2dfLwnWJAXQrf UrQizfM5bCXzXtd+nK70c/h0JimUkUvZtCL/tnxNqza9KeWkNY9M4yD0x 16VqR9XqIrbwBIVOnrlEwkTaAvWXLQFYLaHdEoS6fAtT2SMzUSsd+IeIt mmtDkG47fmMLLarukb2eOC4mCw2IKtzsB9NJqblgEGA8C1qO/d44HEo8Q w==; X-IronPort-AV: E=McAfee;i="6400,9594,10348"; a="252857805" X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="252857805" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 May 2022 03:10:47 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="568254354" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 16 May 2022 03:10:46 -0700 From: Kai Ji To: dev@dpdk.org Cc: Kai Ji Subject: [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine Date: Mon, 16 May 2022 18:10:38 +0800 Message-Id: <20220516101039.4537-5-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com> References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DH routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 186 ++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++- 3 files changed, 235 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index d603626fdf..8fdbc75511 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -177,6 +177,10 @@ struct openssl_asym_session { struct dh { DH *dh_key; uint32_t key_op; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; + OSSL_PARAM_BLD *param_bld_peer; +#endif } dh; struct { DSA *dsa; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index e8dd4f4a42..691b000191 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -40,9 +40,9 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) #endif #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) - #include #include +#include #define MAX_OSSL_ALGO_NAME_SIZE 16 @@ -1844,6 +1844,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, } /* process dh operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dh_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dh_op_param *op = &cop->asym->dh; + OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld; + OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer; + OSSL_PARAM *params = NULL; + EVP_PKEY *dhpkey = NULL; + EVP_PKEY *peerkey = NULL; + BIGNUM *priv_key = NULL; + BIGNUM *pub_key = NULL; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (dh_ctx == NULL || param_bld == NULL) + return ret; + + if (op->op_type == RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE) { + OSSL_PARAM *params_peer = NULL; + + if (!param_bld_peer) + return ret; + + pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length, + pub_key); + if (pub_key == NULL) { + OSSL_PARAM_BLD_free(param_bld_peer); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY, + pub_key)) { + OPENSSL_LOG(ERR, "Failed to set public key\n"); + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer); + if (!params_peer) { + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (EVP_PKEY_keygen_init(peer_ctx) != 1) { + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length, + priv_key); + if (priv_key == NULL) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv_key)) { + OPENSSL_LOG(ERR, "Failed to set private key\n"); + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + BN_free(priv_key); + return ret; + } + + OSSL_PARAM_free(params_peer); + EVP_PKEY_CTX_free(peer_ctx); + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) + goto err_dh; + + if (EVP_PKEY_keygen_init(dh_ctx) != 1) + goto err_dh; + + if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1) + goto err_dh; + + if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1) + goto err_dh; + + if (op->op_type == RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE) { + OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key)) + goto err_dh; + /* output public key */ + op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data); + } + + if (op->op_type == RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) { + + OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key)) + goto err_dh; + + /* provide generated private key back to user */ + op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data); + } + + if (op->op_type == RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE) { + size_t skey_len; + EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL); + if (!sc_ctx) + goto err_dh; + + if (EVP_PKEY_derive_init(sc_ctx) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (!peerkey) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + /* Determine buffer length */ + if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + op->shared_secret.length = skey_len; + EVP_PKEY_CTX_free(sc_ctx); + } + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + + err_dh: + if (pub_key) + BN_free(pub_key); + if (priv_key) + BN_free(priv_key); + if (params) + OSSL_PARAM_free(params); + if (dhpkey) + EVP_PKEY_free(dhpkey); + if (peerkey) + EVP_PKEY_free(peerkey); + + EVP_PKEY_CTX_free(dh_ctx); + + return ret; +} +#else static int process_openssl_dh_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1980,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop, return 0; } +#endif /* process modinv operation */ static int @@ -2314,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, retval = process_openssl_modinv_op(op, sess); break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_dh_op_evp(op, sess); +# else retval = process_openssl_dh_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 52a5119d47..f77e9a9842 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -1093,7 +1093,46 @@ static int openssl_set_asym_session_parameters( if (!p || !g) goto err_dh; - DH *dh = DH_new(); + DH *dh = NULL; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD *param_bld = NULL; + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + + OSSL_PARAM_BLD *param_bld_peer = NULL; + param_bld_peer = OSSL_PARAM_BLD_new(); + if (!param_bld_peer) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_BLD_free(param_bld_peer); + goto err_dh; + } + + asym_session->u.dh.param_bld = param_bld; + asym_session->u.dh.param_bld_peer = param_bld_peer; +#else + dh = DH_new(); if (dh == NULL) { OPENSSL_LOG(ERR, "failed to allocate resources\n"); @@ -1104,6 +1143,7 @@ static int openssl_set_asym_session_parameters( DH_free(dh); goto err_dh; } +#endif /* * setup xfrom for @@ -1286,8 +1326,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) } break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.dh.param_bld = NULL; + sess->u.dh.param_bld_peer = NULL; +#else if (sess->u.dh.dh_key) DH_free(sess->u.dh.dh_key); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (sess->u.s.dsa) From patchwork Mon May 16 10:10:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 111176 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1AD6EA04FD; Mon, 16 May 2022 12:11:16 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 383BC42B6F; Mon, 16 May 2022 12:10:53 +0200 (CEST) Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mails.dpdk.org (Postfix) with ESMTP id 1E6E34282E for ; Mon, 16 May 2022 12:10:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1652695850; x=1684231850; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=Qmt45kPB3gPW54qcmLVlsWmjLegALCLS4xqa2EHuVfQ=; b=f4GfvqDTaTuKm2bY5BQZ3x8EJyFyEs3/8TLkZAMhZuAfaBe4CVGjhrqx wnjY6vip4clfP56BvhdzmDB1fKNBIedjNPWFWbYYx9cMtzGLYhC0YMFcJ ze2RPaawf/X8D0IdCuGzVJ4QB33KsrrluFRmyCQmLu1QkFNRgq08bFM13 VWozNUzDFX9v1PLGQzvbLUS7cpFk3HkR88G27ZiaDgoJdYoLOw0thiyE0 oPadfHLzarLwNgcwpm3kU2CY/5Y1oN2jXBdJQE46aX0M8Hsf5wIUb6Pq/ QDSlPq0lsxmxOjgC/hey1wwJ2vIVZZ1S7MjAs9jrN0P9t1u5STv/Sk6Wa w==; X-IronPort-AV: E=McAfee;i="6400,9594,10348"; a="252857808" X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="252857808" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 16 May 2022 03:10:48 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,229,1647327600"; d="scan'208";a="568254363" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by orsmga007.jf.intel.com with ESMTP; 16 May 2022 03:10:47 -0700 From: Kai Ji To: dev@dpdk.org Cc: Kai Ji Subject: [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Date: Mon, 16 May 2022 18:10:39 +0800 Message-Id: <20220516101039.4537-6-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com> References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign test to two indiviual dsa sign and dsa verfiy tests. Signed-off-by: Kai Ji --- app/test/test_cryptodev_asym.c | 91 ++++++++-- drivers/crypto/openssl/compat.h | 12 ++ drivers/crypto/openssl/meson.build | 1 - drivers/crypto/openssl/openssl_pmd_private.h | 3 + drivers/crypto/openssl/rte_openssl_pmd.c | 175 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 56 +++++- 6 files changed, 323 insertions(+), 15 deletions(-) diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c index 573af2a537..f8597df246 100644 --- a/app/test/test_cryptodev_asym.c +++ b/app/test/test_cryptodev_asym.c @@ -1639,7 +1639,7 @@ test_dh_keygenration(void) } static int -test_dsa_sign(void) +test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op) { struct crypto_testsuite_params_asym *ts_params = &testsuite_params; struct rte_mempool *op_mpool = ts_params->op_mpool; @@ -1649,9 +1649,6 @@ test_dsa_sign(void) struct rte_crypto_op *op = NULL, *result_op = NULL; void *sess = NULL; int status = TEST_SUCCESS; - uint8_t r[TEST_DH_MOD_LEN]; - uint8_t s[TEST_DH_MOD_LEN]; - uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344"; int ret; ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess); @@ -1673,6 +1670,7 @@ test_dsa_sign(void) goto error_exit; } asym_op = op->asym; + asym_op->dsa = *dsa_op; debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data, dsa_xform.dsa.p.length); @@ -1686,13 +1684,6 @@ test_dsa_sign(void) /* attach asymmetric crypto session to crypto operations */ rte_crypto_op_attach_asym_session(op, sess); asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN; - asym_op->dsa.message.data = dgst; - asym_op->dsa.message.length = sizeof(dgst); - asym_op->dsa.r.length = sizeof(r); - asym_op->dsa.r.data = r; - asym_op->dsa.s.length = sizeof(s); - asym_op->dsa.s.data = s; - RTE_LOG(DEBUG, USER1, "Process ASYM operation"); /* Process crypto operation */ @@ -1716,12 +1707,72 @@ test_dsa_sign(void) } asym_op = result_op->asym; + dsa_op->r.length = asym_op->dsa.r.length; + dsa_op->s.length = asym_op->dsa.s.length; + + debug_hexdump(stdout, "r:", + asym_op->dsa.r.data, asym_op->dsa.r.length); + debug_hexdump(stdout, "s:", + asym_op->dsa.s.data, asym_op->dsa.s.length); +error_exit: + if (sess != NULL) + rte_cryptodev_asym_session_free(dev_id, sess); + if (op != NULL) + rte_crypto_op_free(op); + return status; +} + + +static int +test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op) +{ + struct crypto_testsuite_params_asym *ts_params = &testsuite_params; + struct rte_mempool *op_mpool = ts_params->op_mpool; + struct rte_mempool *sess_mpool = ts_params->session_mpool; + uint8_t dev_id = ts_params->valid_devs[0]; + struct rte_crypto_asym_op *asym_op = NULL; + struct rte_crypto_op *op = NULL, *result_op = NULL; + void *sess = NULL; + int status = TEST_SUCCESS; + int ret; + + ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess); + if (ret < 0) { + RTE_LOG(ERR, USER1, + "line %u FAILED: %s", __LINE__, + "Session creation failed"); + status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED; + goto error_exit; + } + /* set up crypto op data structure */ + op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC); + if (!op) { + RTE_LOG(ERR, USER1, + "line %u FAILED: %s", + __LINE__, "Failed to allocate asymmetric crypto " + "operation struct"); + status = TEST_FAILED; + goto error_exit; + } + asym_op = op->asym; + asym_op->dsa = *dsa_op; + + debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data, + dsa_xform.dsa.p.length); + debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data, + dsa_xform.dsa.q.length); + debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data, + dsa_xform.dsa.g.length); + + /* attach asymmetric crypto session to crypto operations */ + rte_crypto_op_attach_asym_session(op, sess); debug_hexdump(stdout, "r:", asym_op->dsa.r.data, asym_op->dsa.r.length); debug_hexdump(stdout, "s:", asym_op->dsa.s.data, asym_op->dsa.s.length); + RTE_LOG(DEBUG, USER1, "Process ASYM verify operation"); /* Test PMD DSA sign verification using signer public key */ asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY; @@ -1767,8 +1818,22 @@ static int test_dsa(void) { int status; - status = test_dsa_sign(); - TEST_ASSERT_EQUAL(status, 0, "Test failed"); + uint8_t r[TEST_DH_MOD_LEN]; + uint8_t s[TEST_DH_MOD_LEN]; + struct rte_crypto_dsa_op_param dsa_op; + uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344"; + + dsa_op.message.data = dgst; + dsa_op.message.length = sizeof(dgst); + dsa_op.r.data = r; + dsa_op.s.data = s; + dsa_op.r.length = sizeof(r); + dsa_op.s.length = sizeof(s); + + status = test_dsa_sign(&dsa_op); + TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed"); + status = test_dsa_verify(&dsa_op); + TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed"); return status; } diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..9f9167c4f1 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key) *priv_key = dsa->priv_key; } +#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static __rte_always_inline void +set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s) +{ + DSA_SIG_set0(sign, r, s); +} + +static __rte_always_inline void +get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s) +{ + DSA_SIG_get0(sign, r, s); +} #else static __rte_always_inline int diff --git a/drivers/crypto/openssl/meson.build b/drivers/crypto/openssl/meson.build index 9a3dea2c04..cd962da1d6 100644 --- a/drivers/crypto/openssl/meson.build +++ b/drivers/crypto/openssl/meson.build @@ -15,4 +15,3 @@ endif deps += 'bus_vdev' sources = files('rte_openssl_pmd.c', 'rte_openssl_pmd_ops.c') ext_deps += dep -cflags += ['-DOPENSSL_API_COMPAT=0x10100000L'] diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 8fdbc75511..b0e5cd109b 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -184,6 +184,9 @@ struct openssl_asym_session { } dh; struct { DSA *dsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; +#endif } s; } u; } __rte_cache_aligned; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 691b000191..45cc6a76b3 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -1761,6 +1761,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, } /* process dsa sign operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + EVP_PKEY_CTX *dsa_ctx; + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + EVP_PKEY *pkey = NULL; + OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld; + OSSL_PARAM *params = NULL; + + size_t outlen; + unsigned char *dsa_sign_data; + const unsigned char *dsa_sign_data_p; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + return -1; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_PUBLIC_KEY, params) <= 0) + goto err_dsa_sign; + + dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!dsa_ctx) + goto err_dsa_sign; + + if (EVP_PKEY_sign_init(dsa_ctx) <= 0) + goto err_dsa_sign; + + if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data, + op->message.length) <= 0) + goto err_dsa_sign; + + if (outlen <= 0) + goto err_dsa_sign; + + dsa_sign_data = OPENSSL_malloc(outlen); + if (!dsa_sign_data) + goto err_dsa_sign; + + if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data, + op->message.length) <= 0) { + free(dsa_sign_data); + goto err_dsa_sign; + } + + dsa_sign_data_p = (const unsigned char *)dsa_sign_data; + DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen); + if (!sign) { + OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__); + free(dsa_sign_data); + goto err_dsa_sign; + } else { + const BIGNUM *r = NULL, *s = NULL; + get_dsa_sign(sign, &r, &s); + + op->r.length = BN_bn2bin(r, op->r.data); + op->s.length = BN_bn2bin(s, op->s.data); + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + } + + DSA_SIG_free(sign); + free(dsa_sign_data); + return 0; + +err_dsa_sign: + if (params) + OSSL_PARAM_free(params); + if (key_ctx) + EVP_PKEY_CTX_free(key_ctx); + if (dsa_ctx) + EVP_PKEY_CTX_free(dsa_ctx); + return -1; +} + +/* process dsa verify operation */ +static int +process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + DSA_SIG *sign = DSA_SIG_new(); + BIGNUM *r = NULL, *s = NULL; + BIGNUM *pub_key = NULL; + OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld; + OSSL_PARAM *params = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *dsa_ctx = NULL; + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + unsigned char *dsa_sig = NULL; + size_t sig_len; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + if (!param_bld) { + OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__); + return -1; + } + + r = BN_bin2bn(op->r.data, op->r.length, r); + s = BN_bin2bn(op->s.data, op->s.length, s); + pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key); + if (!r || !s || !pub_key) { + BN_free(r); + BN_free(s); + BN_free(pub_key); + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + set_dsa_sign(sign, r, s); + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err_dsa_verify; + + dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!dsa_ctx) + goto err_dsa_verify; + + if (!sign) + goto err_dsa_verify; + + sig_len = i2d_DSA_SIG(sign, &dsa_sig); + if (EVP_PKEY_verify_init(dsa_ctx) <= 0) + goto err_dsa_verify; + + ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len, + op->message.data, op->message.length); + if (ret == 1) { + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + } + +err_dsa_verify: + if (sign) + DSA_SIG_free(sign); + if (params) + OSSL_PARAM_free(params); + if (key_ctx) + EVP_PKEY_CTX_free(key_ctx); + if (dsa_ctx) + EVP_PKEY_CTX_free(dsa_ctx); + + return ret; +} +#else static int process_openssl_dsa_sign_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1842,6 +2007,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, return 0; } +#endif /* process dh operation */ #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) @@ -2501,12 +2667,21 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, #endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) + retval = process_openssl_dsa_sign_op_evp(op, sess); + else if (op->asym->dsa.op_type == + RTE_CRYPTO_ASYM_OP_VERIFY) + retval = + process_openssl_dsa_verify_op_evp(op, sess); +#else if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) retval = process_openssl_dsa_sign_op(op, sess); else if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_VERIFY) retval = process_openssl_dsa_verify_op(op, sess); +#endif else op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; break; diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index f77e9a9842..a465574d48 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -1183,6 +1183,56 @@ static int openssl_set_asym_session_parameters( } case RTE_CRYPTO_ASYM_XFORM_DSA: { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + BIGNUM *p = NULL, *g = NULL; + BIGNUM *q = NULL, *priv_key = NULL; + BIGNUM *pub_key = BN_new(); + BN_zero(pub_key); + OSSL_PARAM_BLD *param_bld = NULL; + + p = BN_bin2bn((const unsigned char *) + xform->dsa.p.data, + xform->dsa.p.length, + p); + + g = BN_bin2bn((const unsigned char *) + xform->dsa.g.data, + xform->dsa.g.length, + g); + + q = BN_bin2bn((const unsigned char *) + xform->dsa.q.data, + xform->dsa.q.length, + q); + if (!p || !q || !g) + goto err_dsa; + + priv_key = BN_bin2bn((const unsigned char *) + xform->dsa.x.data, + xform->dsa.x.length, + priv_key); + if (priv_key == NULL) + goto err_dsa; + + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dsa; + } + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; + asym_session->u.s.param_bld = param_bld; + + break; +#else BIGNUM *p = NULL, *g = NULL; BIGNUM *q = NULL, *priv_key = NULL; BIGNUM *pub_key = BN_new(); @@ -1242,7 +1292,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.s.dsa = dsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; break; - +#endif err_dsa: BN_free(p); BN_free(q); @@ -1335,8 +1385,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) #endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.s.param_bld = NULL; +#else if (sess->u.s.dsa) DSA_free(sess->u.s.dsa); +#endif break; default: break;