[v4,2/4] crypto/openssl: 3.0 EVP update on RSA routine
Checks
Commit Message
This patch updates asymmetric RSA routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
Comments
> -----Original Message-----
> From: Kai Ji <kai.ji@intel.com>
> Sent: Tuesday, June 14, 2022 2:26 PM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Ji, Kai <kai.ji@intel.com>
> Subject: [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
>
> This patch updates asymmetric RSA routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
> This patch updates asymmetric RSA routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
> drivers/crypto/openssl/openssl_pmd_private.h | 7 +
> drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
> 3 files changed, 267 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index 86dc169aaf..d603626fdf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -11,6 +11,10 @@
> #include <openssl/rsa.h>
> #include <openssl/dh.h>
> #include <openssl/dsa.h>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +#endif
>
> #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
> /**< Open SSL Crypto PMD device name */
> @@ -157,6 +161,9 @@ struct openssl_asym_session {
> union {
> struct rsa {
> RSA *rsa;
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + EVP_PKEY_CTX * ctx;
> +#endif
> } r;
> struct exp {
> BIGNUM *exp;
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 5dbe6074eb..cac157aba3 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op
> *cop,
> }
>
> /* process rsa operations */
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +static int
> +process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
> + struct openssl_asym_session *sess)
> +{
> + struct rte_crypto_asym_op *op = cop->asym;
> + uint32_t pad = (op->rsa.padding.type);
> + uint8_t *tmp;
> + size_t outlen = 0;
> + int ret = -1;
> +
> + cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
> + if (!rsa_ctx)
> + return ret;
> +
> + switch (pad) {
> + case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> + pad = RSA_PKCS1_PADDING;
> + break;
> + case RTE_CRYPTO_RSA_PADDING_NONE:
> + pad = RSA_NO_PADDING;
> + break;
> + default:
> + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> + OPENSSL_LOG(ERR,
> + "rsa pad type not supported %d\n", pad);
> + return ret;
> + }
> +
> + switch (op->rsa.op_type) {
> + case RTE_CRYPTO_ASYM_OP_ENCRYPT:
> + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
> + goto err_rsa;
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
> + op->rsa.message.data,
> + op-
> >rsa.message.length) <= 0)
Remove extra indentation here and below also.
Cop->status is not updated in case of failure gotos.
> + goto err_rsa;
> +
> + if (outlen <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
> + op->rsa.message.data,
> + op-
> >rsa.message.length) <= 0)
> + goto err_rsa;
> + op->rsa.cipher.length = outlen;
> +
> + OPENSSL_LOG(DEBUG,
> + "length of encrypted text %zu\n", outlen);
> + break;
> +
> + case RTE_CRYPTO_ASYM_OP_DECRYPT:
> + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
> + goto err_rsa;
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
> + op->rsa.cipher.data,
> + op->rsa.cipher.length)
> <= 0)
> + goto err_rsa;
> +
> + if (outlen <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
> + op->rsa.cipher.data,
> + op->rsa.cipher.length)
> <= 0)
> + goto err_rsa;
> + op->rsa.message.length = outlen;
> +
> + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n",
> outlen);
> + break;
> +
> + case RTE_CRYPTO_ASYM_OP_SIGN:
> + if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> + goto err_rsa;
> +
> + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
> + op->rsa.message.data,
> + op-
> >rsa.message.length) <= 0)
> + goto err_rsa;
> + op->rsa.sign.length = outlen;
> + break;
> +
> + case RTE_CRYPTO_ASYM_OP_VERIFY:
> + tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
> + if (tmp == NULL) {
> + OPENSSL_LOG(ERR, "Memory allocation failed");
> + goto err_rsa;
> + }
> +
> + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
> + rte_free(tmp);
> + goto err_rsa;
> + }
> +
> + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
> + rte_free(tmp);
> + goto err_rsa;
> + }
> +
> + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
> + op->rsa.sign.data,
> + op->rsa.sign.length) <=
> 0) {
> + rte_free(tmp);
> + goto err_rsa;
> + }
> +
> + OPENSSL_LOG(DEBUG,
> + "Length of public_decrypt %zu "
> + "length of message %zd\n",
> + outlen, op->rsa.message.length);
> + if (CRYPTO_memcmp(tmp, op->rsa.message.data,
> + op->rsa.message.length)) {
> + OPENSSL_LOG(ERR, "RSA sign Verification failed");
> + }
> + rte_free(tmp);
> + break;
> +
> + default:
> + /* allow ops with invalid args to be pushed to
> + * completion queue
> + */
> + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> + goto err_rsa;
> + }
> +
> + ret = 0;
> + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
> +err_rsa:
> + return ret;
> +
> +}
> +#else
> static int
> process_openssl_rsa_op(struct rte_crypto_op *cop,
> struct openssl_asym_session *sess)
> @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
>
> return 0;
> }
> +#endif
>
> static int
> process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
> @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct
> rte_crypto_op *op,
>
> switch (sess->xfrm_type) {
> case RTE_CRYPTO_ASYM_XFORM_RSA:
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + retval = process_openssl_rsa_op_evp(op, sess);
> +# else
> retval = process_openssl_rsa_op(op, sess);
> +#endif
> break;
> case RTE_CRYPTO_ASYM_XFORM_MODEX:
> retval = process_openssl_modexp_op(op, sess);
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index 7d0da52a33..6d94da499e 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -12,7 +12,11 @@
>
> #include "openssl_pmd_private.h"
> #include "compat.h"
> -
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +#include <openssl/param_build.h>
> +#endif
>
> static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
> { /* MD5 HMAC */
> @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
> if (!n || !e)
> goto err_rsa;
>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
> + if (!param_bld) {
> + OPENSSL_LOG(ERR, "failed to allocate resources\n");
> + goto err_rsa;
> + }
> +
> + if (!OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_N, n)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> + OSSL_PKEY_PARAM_RSA_E, e)) {
> + OSSL_PARAM_BLD_free(param_bld);
> + OPENSSL_LOG(ERR, "failed to allocate resources\n");
> + goto err_rsa;
> + }
> +
> + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
> + d = BN_bin2bn(
> + (const unsigned char *)xform->rsa.d.data,
> + xform->rsa.d.length,
> + d);
> + if (!d) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> + } else {
> + p = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.p.data,
> + xform->rsa.qt.p.length,
> + p);
> + q = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.q.data,
> + xform->rsa.qt.q.length,
> + q);
> + dmp1 = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.dP.data,
> + xform->rsa.qt.dP.length,
> + dmp1);
> + dmq1 = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.dQ.data,
> + xform->rsa.qt.dQ.length,
> + dmq1);
> + iqmp = BN_bin2bn((const unsigned char *)
> + xform->rsa.qt.qInv.data,
> + xform->rsa.qt.qInv.length,
> + iqmp);
> +
> + if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> +
> + if (!OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_FACTOR1, p)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_FACTOR2, q)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> + }
> +
> + if (!OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_N, n)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_E, e)
> + || !OSSL_PARAM_BLD_push_BN(param_bld,
> + OSSL_PKEY_PARAM_RSA_D,
> d)) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> +
> + EVP_PKEY_CTX *key_ctx =
> EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
> + EVP_PKEY *pkey = NULL;
> + EVP_PKEY_CTX *rsa_ctx = NULL;
> + OSSL_PARAM *params = NULL;
> +
> + params = OSSL_PARAM_BLD_to_param(param_bld);
> + if (!params) {
> + OSSL_PARAM_BLD_free(param_bld);
> + goto err_rsa;
> + }
> +
> + if (key_ctx == NULL
> + || EVP_PKEY_fromdata_init(key_ctx) <= 0
> + || EVP_PKEY_fromdata(key_ctx, &pkey,
> + EVP_PKEY_KEYPAIR, params) <= 0) {
Indentation not correct above.
> + OSSL_PARAM_free(params);
> + goto err_rsa;
> + }
> +
> + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
> + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
> + asym_session->u.r.ctx = rsa_ctx;
> + EVP_PKEY_CTX_free(key_ctx);
> + OSSL_PARAM_free(params);
> + break;
> +#else
> RSA *rsa = RSA_new();
> if (rsa == NULL)
> goto err_rsa;
> @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
> asym_session->u.r.rsa = rsa;
> asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
> break;
> +#endif
> err_rsa:
> BN_clear_free(n);
> BN_clear_free(e);
> @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct
> openssl_asym_session *sess)
> {
> switch (sess->xfrm_type) {
> case RTE_CRYPTO_ASYM_XFORM_RSA:
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + if (sess->u.r.ctx)
> + EVP_PKEY_CTX_free(sess->u.r.ctx);
> +#else
> if (sess->u.r.rsa)
> RSA_free(sess->u.r.rsa);
> +#endif
> break;
> case RTE_CRYPTO_ASYM_XFORM_MODEX:
> if (sess->u.e.ctx) {
> --
> 2.17.1
> -----Original Message-----
> > --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> > +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> > @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct
> rte_crypto_op
> > *cop, }
> >
> > /* process rsa operations */
> > +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) static int
> > +process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
> > + struct openssl_asym_session *sess)
> > +{
> > + struct rte_crypto_asym_op *op = cop->asym;
> > + uint32_t pad = (op->rsa.padding.type);
> > + uint8_t *tmp;
> > + size_t outlen = 0;
> > + int ret = -1;
> > +
> > + cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> > + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
> > + if (!rsa_ctx)
> > + return ret;
> > +
> > + switch (pad) {
> > + case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> > + pad = RSA_PKCS1_PADDING;
> > + break;
> > + case RTE_CRYPTO_RSA_PADDING_NONE:
> > + pad = RSA_NO_PADDING;
> > + break;
> > + default:
> > + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> > + OPENSSL_LOG(ERR,
> > + "rsa pad type not supported %d\n", pad);
> > + return ret;
> > + }
> > +
> > + switch (op->rsa.op_type) {
> > + case RTE_CRYPTO_ASYM_OP_ENCRYPT:
> > + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
> > + op-
> >rsa.message.data,
> > + op-
> > >rsa.message.length) <= 0)
>
> Remove extra indentation here and below also.
>
> Cop->status is not updated in case of failure gotos.
>
Cop->status was assigned RTE_CRYPTO_OP_STATUS_ERROR at the top of this func, and only change to
RTE_CRYPTO_OP_STATUS_SUCCESS before the return when no failure.
>
> > + goto err_rsa;
> > +
> > + if (outlen <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
> > + op-
> >rsa.message.data,
> > + op-
> > >rsa.message.length) <= 0)
> > + goto err_rsa;
> > + op->rsa.cipher.length = outlen;
> > +
> > + OPENSSL_LOG(DEBUG,
> > + "length of encrypted text %zu\n", outlen);
> > + break;
> > +
> > + case RTE_CRYPTO_ASYM_OP_DECRYPT:
> > + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
> > + op->rsa.cipher.data,
> > + op->rsa.cipher.length)
> > <= 0)
> > + goto err_rsa;
> > +
> > + if (outlen <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data,
> &outlen,
> > + op->rsa.cipher.data,
> > + op->rsa.cipher.length)
> > <= 0)
> > + goto err_rsa;
> > + op->rsa.message.length = outlen;
> > +
> > + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n",
> > outlen);
> > + break;
> > +
> > + case RTE_CRYPTO_ASYM_OP_SIGN:
> > + if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> > + goto err_rsa;
> > +
> > + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
> > + op-
> >rsa.message.data,
> > + op-
> > >rsa.message.length) <= 0)
> > + goto err_rsa;
> > + op->rsa.sign.length = outlen;
> > + break;
> > +
> > + case RTE_CRYPTO_ASYM_OP_VERIFY:
> > + tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
> > + if (tmp == NULL) {
> > + OPENSSL_LOG(ERR, "Memory allocation failed");
> > + goto err_rsa;
> > + }
> > +
> > + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
> > + rte_free(tmp);
> > + goto err_rsa;
> > + }
> > +
> > + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
> > + rte_free(tmp);
> > + goto err_rsa;
> > + }
> > +
> > + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
> > + op->rsa.sign.data,
> > + op->rsa.sign.length)
> <=
> > 0) {
> > + rte_free(tmp);
> > + goto err_rsa;
> > + }
> > +
> > + OPENSSL_LOG(DEBUG,
> > + "Length of public_decrypt %zu "
> > + "length of message %zd\n",
> > + outlen, op->rsa.message.length);
> > + if (CRYPTO_memcmp(tmp, op->rsa.message.data,
> > + op->rsa.message.length)) {
> > + OPENSSL_LOG(ERR, "RSA sign Verification failed");
> > + }
> > + rte_free(tmp);
> > + break;
> > +
> > + default:
> > + /* allow ops with invalid args to be pushed to
> > + * completion queue
> > + */
> > + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> > + goto err_rsa;
> > + }
> > +
> > + ret = 0;
> > + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
> > +err_rsa:
> > + return ret;
> > +
> > +}
> > --
> > 2.17.1
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
@@ -12,7 +12,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {