From patchwork Mon May 16 10:10:36 2022 X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 111173 X-Patchwork-Delegate: gakhil@marvell.com
From: Kai Ji
To: dev@dpdk.org
Cc: Kai Ji
Subject: [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine
Date: Mon, 16 May 2022 18:10:36 +0800
Message-Id: <20220516101039.4537-3-kai.ji@intel.com>
In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com>
References: <20220407163648.38583-1-kai.ji@intel.com> <20220516101039.4537-1-kai.ji@intel.com>

This patch updates the symmetric HMAC routine in crypto openssl pmd to adopt openssl 3.0 EVP APIs.

Signed-off-by: Kai Ji

--- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 2 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index d80e1052e2..db1f788d79 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ 
@@ -580,6 +635,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = get_digest_name(xform); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -598,7 +687,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -723,7 +812,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; 
@@ -1260,6 +1353,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1312,7 +1458,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ 
@@ -1326,7 +1472,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1363,8 +1508,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1372,12 +1515,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1385,15 +1528,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1555,7 +1697,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; 
@@ -1571,12 +1718,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2213,6 +2370,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2261,6 +2425,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); }
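Review bot: In struct openssl_session (openssl_pmd_private.h), the new member EVP_MAC_CTX * ctx; carries no doc comment, because the /**< pointer to EVP context structure */ comment now sits only in the # else branch. Move the comment after the # endif or repeat it for the 3.0 member, and write the declarator as EVP_MAC_CTX *ctx; to match the HMAC_CTX *ctx; line beside it.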
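Review bot: ossl_load_legacy_provider() in rte_openssl_pmd.c returns void, so a failed OSSL_PROVIDER_load() is only logged and the caller has no way to fail device creation. When the default provider fails to load, legacy is unloaded but left non-NULL, so the later OSSL_PROVIDER_unload(legacy) in ossl_unload_legacy_provider() acts on a provider that was already unloaded. Return an int, reset both pointers to NULL after unloading, and declare legacy and deflt static, since they are only used in this file and the names are very generic for external symbols.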
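Review bot: In the new HMAC case of openssl_set_session_auth_parameters(), memcpy(algo_name, algo, (sizeof(algo)+1)) applies sizeof to a const char *, which yields the pointer size and not the length of the digest name. The number of bytes copied is therefore unrelated to the string: it can read past the end of a short name and can leave algo_name without a terminating NUL for a longer one. Copy strlen(algo) + 1 bytes after checking that against MAX_OSSL_ALGO_NAME_SIZE, or use a bounded string copy. The return values of EVP_MAC_fetch() and EVP_MAC_CTX_new() are also used without a NULL check.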
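Review bot: In the 3.0 version of process_openssl_auth_hmac(), EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) passes sizeof of the uint8_t *dst parameter as the output size, which is the size of a pointer rather than the capacity of the digest buffer. Pass the real buffer length (for example a length supplied by the caller) so the bound matches what dst can hold. The function also frees the ctx it was handed on both exit paths, while the pre-3.0 caller frees its own copy with HMAC_CTX_free(ctx_h); keeping ownership with the caller in both builds would be easier to follow. The test m == 0 would read better as m == NULL.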
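Review bot: In process_openssl_combined_op(), the per-operation EVP_CIPHER_CTX_copy() is removed and sess->cipher.ctx is passed straight to the GCM and CCM helpers, which the commit message (an HMAC routine update) does not mention. Every operation on a session now works on the same context object instead of a private copy. Please explain why that is safe when one session is used from more than one queue pair or thread, and consider moving this change into its own patch with that justification.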
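Review bot: In the OPENSSL_AUTH_AS_HMAC case of process_openssl_auth_op(), ctx_h = EVP_MAC_CTX_new(mac); is immediately overwritten by ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);, so the first context is never freed and one context is leaked per operation. EVP_MAC_CTX_dup() alone is sufficient: drop the EVP_MAC_fetch(), EVP_MAC_CTX_new() and EVP_MAC_free() calls and the mac local from the data path, and check the dup result for NULL before calling process_openssl_auth_hmac().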
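Review bot: The comment added in cryptodev_openssl_create() says some algorithms are no longer available in earlier version of openssl, but the block is guarded by OPENSSL_VERSION_NUMBER >= 0x30000000L, so it should refer to 3.0 and later. In addition, ossl_load_legacy_provider() runs on every device create and ossl_unload_legacy_provider() on every remove, while legacy and deflt are single file-scope pointers, so creating a second device overwrites the handles obtained for the first. Load the providers once (or reference count them) and let device creation fail when loading fails.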