From patchwork Mon Jun 13 16:40:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 112702 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 6BB63A0543; Mon, 13 Jun 2022 18:40:39 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8965C410F6; Mon, 13 Jun 2022 18:40:38 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id 50BE94069C for ; Mon, 13 Jun 2022 18:40:32 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655138436; x=1686674436; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=QNQGvxkRyN7NC/pPzxiybcszN8OsdoLlbLw2PAtZrd0=; b=Tu/w2Q28iihmyppdi7RZuwBLK3c2qR3fBGm0H/gBAnP1kQzSv+BGW8pT iI63LpOUrqvrFm8qHf+ZUmry5D0S46bpR+zeiPu/ClLjZhzokKCm1FQWH 2Myt8AL8tkw/b7cYsb+C3k1HwqtBkjeW8+UmisR7NEf3fx2O02++EhfP8 Ow8GMjrXxkjwk97BjXgDZHcLBwD3SlEJVXnhVGPefCKdRlhrfbm+PF6NR DKd81hqx2cJXqQuVZHHEpuxjbQxVpuTQfBNqDhG/HL3xTSfH/o8BMpgt7 rQg+JO9FspvfseXavuCNx8jDQqly+XZSlSsX/lChwznR7DdkNSJtbKivX A==; X-IronPort-AV: E=McAfee;i="6400,9594,10377"; a="258171775" X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="258171775" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2022 09:40:32 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="686141438" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga002.fm.intel.com with ESMTP; 13 Jun 2022 09:40:31 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Date: Tue, 14 Jun 2022 00:40:20 +0800 Message-Id: <20220613164023.70872-2-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com> References: <20220516101039.4537-1-kai.ji@intel.com> <20220613164023.70872-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch update the symmetric HMAC routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 2 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..86dc169aaf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,8 +134,12 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; /**< pointer to EVP context structure */ +# endif } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 6ac2dfff5a..febfcb5a22 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_load_legacy_provider(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_unload_legacy_provider(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +get_digest_name(const struct rte_crypto_sym_xform *xform) +{ + switch (xform->auth.algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = get_digest_name(xform); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1474,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1510,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1517,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1530,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_load_legacy_provider(); +# endif return 0; init_error: @@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_unload_legacy_provider(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } From patchwork Mon Jun 13 16:40:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 112704 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 55E19A0543; Mon, 13 Jun 2022 18:40:53 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4F6DD4282C; Mon, 13 Jun 2022 18:40:40 +0200 (CEST) Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mails.dpdk.org (Postfix) with ESMTP id BF9A9410F6 for ; Mon, 13 Jun 2022 18:40:36 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655138436; x=1686674436; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=HQdJYuDfNFf0Tawmo8DtkYYWxZ/MKMw09Geo0+qhaVo=; b=LaK6rmmI/8XLNHY1qO9gJYlqX90MSiZe7NL56w++chTiDFo9ArYMQdM2 PVTBloBMUtR9hYIcBSTSrlGr0uXk/aerJfkZDAfb4dfd+6WRLUHAhcrbw mOk+o60jXTCdyiXPKwWwOmdzHdcKBZNbzaZbnNj3KE2lz72LyHOWQ809F IbXvHxE3dJz/KPW9l5dLfL36GgTqS7rPVVlru1sdMspocn8qoKPWFh0pb pz+qrdqxJ3a6sswL/3VmSCuSkNyvjAWdMCwbrZgT9teLrxZjGWPhTuNwv ZxidIcvtFIPJZVt7F2xzw4M555p016xH3JVaB+FJ4z2+iK7RaLDUDgkl6 A==; X-IronPort-AV: E=McAfee;i="6400,9594,10377"; a="258171780" X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="258171780" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2022 09:40:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="686141472" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga002.fm.intel.com with ESMTP; 13 Jun 2022 09:40:32 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Date: Tue, 14 Jun 2022 00:40:21 +0800 Message-Id: <20220613164023.70872-3-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com> References: <20220516101039.4537-1-kai.ji@intel.com> <20220613164023.70872-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric RSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 7 + drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++- 3 files changed, 267 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 86dc169aaf..d603626fdf 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -11,6 +11,10 @@ #include #include #include +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#endif #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +161,9 @@ struct openssl_asym_session { union { struct rsa { RSA *rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + EVP_PKEY_CTX * ctx; +#endif } r; struct exp { BIGNUM *exp; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index febfcb5a22..6c3fef6356 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop, } /* process rsa operations */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_rsa_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + uint32_t pad = (op->rsa.padding.type); + uint8_t *tmp; + size_t outlen = 0; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx; + if (!rsa_ctx) + return ret; + + switch (pad) { + case RTE_CRYPTO_RSA_PADDING_PKCS1_5: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_NONE: + pad = RSA_NO_PADDING; + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + OPENSSL_LOG(ERR, + "rsa pad type not supported %d\n", pad); + return ret; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.cipher.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of encrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + op->rsa.message.length = outlen; + + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_SIGN: + if (EVP_PKEY_sign_init(rsa_ctx) <= 0) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.sign.length = outlen; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + op->rsa.sign.data, + op->rsa.sign.length) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + OPENSSL_LOG(DEBUG, + "Length of public_decrypt %zu " + "length of message %zd\n", + outlen, op->rsa.message.length); + if (CRYPTO_memcmp(tmp, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + } + rte_free(tmp); + break; + + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + goto err_rsa; + } + + ret = 0; + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; +err_rsa: + return ret; + +} +#else static int process_openssl_rsa_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, return 0; } +#endif static int process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_rsa_op_evp(op, sess); +# else retval = process_openssl_rsa_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: retval = process_openssl_modexp_op(op, sess); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 7d0da52a33..6d94da499e 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -12,7 +12,11 @@ #include "openssl_pmd_private.h" #include "compat.h" - +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#include +#endif static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { { /* MD5 HMAC */ @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters( if (!n || !e) goto err_rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_E, e)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) { + d = BN_bin2bn( + (const unsigned char *)xform->rsa.d.data, + xform->rsa.d.length, + d); + if (!d) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } else { + p = BN_bin2bn((const unsigned char *) + xform->rsa.qt.p.data, + xform->rsa.qt.p.length, + p); + q = BN_bin2bn((const unsigned char *) + xform->rsa.qt.q.data, + xform->rsa.qt.q.length, + q); + dmp1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dP.data, + xform->rsa.qt.dP.length, + dmp1); + dmq1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dQ.data, + xform->rsa.qt.dQ.length, + dmq1); + iqmp = BN_bin2bn((const unsigned char *) + xform->rsa.qt.qInv.data, + xform->rsa.qt.qInv.length, + iqmp); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR1, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR2, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_D, d)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *rsa_ctx = NULL; + OSSL_PARAM *params = NULL; + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_KEYPAIR, params) <= 0) { + OSSL_PARAM_free(params); + goto err_rsa; + } + + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + asym_session->u.r.ctx = rsa_ctx; + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_free(params); + break; +#else RSA *rsa = RSA_new(); if (rsa == NULL) goto err_rsa; @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; break; +#endif err_rsa: BN_clear_free(n); BN_clear_free(e); @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) { switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (sess->u.r.ctx) + EVP_PKEY_CTX_free(sess->u.r.ctx); +#else if (sess->u.r.rsa) RSA_free(sess->u.r.rsa); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: if (sess->u.e.ctx) { From patchwork Mon Jun 13 16:40:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 112703 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 90EBBA0543; Mon, 13 Jun 2022 18:40:46 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7254F4281B; Mon, 13 Jun 2022 18:40:39 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mails.dpdk.org (Postfix) with ESMTP id 7DDF5410E5 for ; Mon, 13 Jun 2022 18:40:36 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655138436; x=1686674436; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=u+Wm1IXrvQPjR8/4hQWzrf2uKEY1dMRVxGoewxCMkhQ=; b=oCkgvPYl36D3ZkfNVuNGFpprmvu4oAsLDqHaZLfqMp+YGshYOXLxtGWL sIPHEmEqfVQ6kh3OIBkA/d/R80ULX6ZEpsNYSHVlrTs/+x6sUz94u3kbW AWN+fqvj/70lIBegfy1gYUblRpLFUimdMx7581pyBslSpCWfcJFh9qRfu s5eRFVhhLvS0FRG9RZ6MayxirEU3TZWWmwnM1wTeMgE0TyC4OeaSATJPT kjILC+Q8xb2vqP1ZoiVN4mi3vPZFT07KlwVTNR6kB7/vaJ0ZEsTb1GRlt WP9GsA5lQaM+4O17Pq6EoQJs1Jg9JcX9rsku+atETSW18AZGAF5SN9hFb A==; X-IronPort-AV: E=McAfee;i="6400,9594,10377"; a="364670082" X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="364670082" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2022 09:40:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="686141504" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga002.fm.intel.com with ESMTP; 13 Jun 2022 09:40:33 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Date: Tue, 14 Jun 2022 00:40:22 +0800 Message-Id: <20220613164023.70872-4-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com> References: <20220516101039.4537-1-kai.ji@intel.com> <20220613164023.70872-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DH routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++- 3 files changed, 235 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index d603626fdf..8fdbc75511 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -177,6 +177,10 @@ struct openssl_asym_session { struct dh { DH *dh_key; uint32_t key_op; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; + OSSL_PARAM_BLD *param_bld_peer; +#endif } dh; struct { DSA *dsa; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 6c3fef6356..fdf191b7ea 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) #include #include +#include #define MAX_OSSL_ALGO_NAME_SIZE 16 @@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, } /* process dh operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dh_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dh_op_param *op = &cop->asym->dh; + OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld; + OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer; + OSSL_PARAM *params = NULL; + EVP_PKEY *dhpkey = NULL; + EVP_PKEY *peerkey = NULL; + BIGNUM *priv_key = NULL; + BIGNUM *pub_key = NULL; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (dh_ctx == NULL || param_bld == NULL) + return ret; + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) { + OSSL_PARAM *params_peer = NULL; + + if (!param_bld_peer) + return ret; + + pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length, + pub_key); + if (pub_key == NULL) { + OSSL_PARAM_BLD_free(param_bld_peer); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY, + pub_key)) { + OPENSSL_LOG(ERR, "Failed to set public key\n"); + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer); + if (!params_peer) { + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (EVP_PKEY_keygen_init(peer_ctx) != 1) { + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length, + priv_key); + if (priv_key == NULL) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv_key)) { + OPENSSL_LOG(ERR, "Failed to set private key\n"); + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + BN_free(priv_key); + return ret; + } + + OSSL_PARAM_free(params_peer); + EVP_PKEY_CTX_free(peer_ctx); + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) + goto err_dh; + + if (EVP_PKEY_keygen_init(dh_ctx) != 1) + goto err_dh; + + if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1) + goto err_dh; + + if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1) + goto err_dh; + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) { + OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key)) + goto err_dh; + /* output public key */ + op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data); + } + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) { + + OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key)) + goto err_dh; + + /* provide generated private key back to user */ + op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data); + } + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) { + size_t skey_len; + EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL); + if (!sc_ctx) + goto err_dh; + + if (EVP_PKEY_derive_init(sc_ctx) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (!peerkey) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + /* Determine buffer length */ + if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + op->shared_secret.length = skey_len; + EVP_PKEY_CTX_free(sc_ctx); + } + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + + err_dh: + if (pub_key) + BN_free(pub_key); + if (priv_key) + BN_free(priv_key); + if (params) + OSSL_PARAM_free(params); + if (dhpkey) + EVP_PKEY_free(dhpkey); + if (peerkey) + EVP_PKEY_free(peerkey); + + EVP_PKEY_CTX_free(dh_ctx); + + return ret; +} +#else static int process_openssl_dh_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop, return 0; } +#endif /* process modinv operation */ static int @@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, retval = process_openssl_modinv_op(op, sess); break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_dh_op_evp(op, sess); +# else retval = process_openssl_dh_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 6d94da499e..a1a42ef444 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters( if (!p || !g) goto err_dh; - DH *dh = DH_new(); + DH *dh = NULL; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD *param_bld = NULL; + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + + OSSL_PARAM_BLD *param_bld_peer = NULL; + param_bld_peer = OSSL_PARAM_BLD_new(); + if (!param_bld_peer) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_BLD_free(param_bld_peer); + goto err_dh; + } + + asym_session->u.dh.param_bld = param_bld; + asym_session->u.dh.param_bld_peer = param_bld_peer; +#else + dh = DH_new(); if (dh == NULL) { OPENSSL_LOG(ERR, "failed to allocate resources\n"); @@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters( DH_free(dh); goto err_dh; } +#endif asym_session->u.dh.dh_key = dh; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH; break; @@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) } break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.dh.param_bld = NULL; + sess->u.dh.param_bld_peer = NULL; +#else if (sess->u.dh.dh_key) DH_free(sess->u.dh.dh_key); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (sess->u.s.dsa) From patchwork Mon Jun 13 16:40:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 112705 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id D1E46A0543; Mon, 13 Jun 2022 18:41:02 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 9863042B70; Mon, 13 Jun 2022 18:40:41 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mails.dpdk.org (Postfix) with ESMTP id 5EE944069C for ; Mon, 13 Jun 2022 18:40:37 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655138437; x=1686674437; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=IOPKy+8ucJeXBLrHwmA5tF+93KloUZ8wUd2RTgyW7o0=; b=VY7+pyFBLpb2fioYDXzhCegNQJoJr/OUdsdp3CCNNL+F7pY30bEPu1wx lz5f+4jpVgxpC0Xj/Ltx6Z8F+nR9X2QSL79yj1jxi+7YqqSmg0F8J7P+Y WWasGabIjiEO+MsV4EjXT+9rVrwOAXOc9kNr3x5RHPlDES0VRDaWLlpx0 fBRi5zQb8lgs9leqxTwzinAYVjUykr4Gbcb3HmUXm/d+IlyqqT7uoM+Ur F3P3hBP32vL0TzeEV8v+wF2jt/ARR2cK+hd2LSRlaOX+RmPZ7SVaavcax x/l0/Gdh35WFXww8xo/m6/DtJWRTwXrAJLHd5ga4hGp8v3HBzbl6bwTCA w==; X-IronPort-AV: E=McAfee;i="6400,9594,10377"; a="364670089" X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="364670089" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jun 2022 09:40:36 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.91,297,1647327600"; d="scan'208";a="686141551" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga002.fm.intel.com with ESMTP; 13 Jun 2022 09:40:35 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Date: Tue, 14 Jun 2022 00:40:23 +0800 Message-Id: <20220613164023.70872-5-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220613164023.70872-1-kai.ji@intel.com> References: <20220516101039.4537-1-kai.ji@intel.com> <20220613164023.70872-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign test to two indiviual dsa sign and dsa verfiy tests. Signed-off-by: Kai Ji --- app/test/test_cryptodev_asym.c | 90 ++++++++-- drivers/crypto/openssl/compat.h | 12 ++ drivers/crypto/openssl/openssl_pmd_private.h | 3 + drivers/crypto/openssl/rte_openssl_pmd.c | 177 ++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 72 +++++++- 5 files changed, 330 insertions(+), 24 deletions(-) diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c index 7bd7cde16e..c9c48d1e87 100644 --- a/app/test/test_cryptodev_asym.c +++ b/app/test/test_cryptodev_asym.c @@ -1642,7 +1642,7 @@ test_dh_keygenration(void) } static int -test_dsa_sign(void) +test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op) { struct crypto_testsuite_params_asym *ts_params = &testsuite_params; struct rte_mempool *op_mpool = ts_params->op_mpool; @@ -1652,9 +1652,6 @@ test_dsa_sign(void) struct rte_crypto_op *op = NULL, *result_op = NULL; void *sess = NULL; int status = TEST_SUCCESS; - uint8_t r[TEST_DH_MOD_LEN]; - uint8_t s[TEST_DH_MOD_LEN]; - uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344"; int ret; ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess); @@ -1676,6 +1673,7 @@ test_dsa_sign(void) goto error_exit; } asym_op = op->asym; + asym_op->dsa = *dsa_op; debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data, dsa_xform.dsa.p.length); @@ -1689,13 +1687,6 @@ test_dsa_sign(void) /* attach asymmetric crypto session to crypto operations */ rte_crypto_op_attach_asym_session(op, sess); asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN; - asym_op->dsa.message.data = dgst; - asym_op->dsa.message.length = sizeof(dgst); - asym_op->dsa.r.length = sizeof(r); - asym_op->dsa.r.data = r; - asym_op->dsa.s.length = sizeof(s); - asym_op->dsa.s.data = s; - RTE_LOG(DEBUG, USER1, "Process ASYM operation"); /* Process crypto operation */ @@ -1719,12 +1710,71 @@ test_dsa_sign(void) } asym_op = result_op->asym; + dsa_op->r.length = asym_op->dsa.r.length; + dsa_op->s.length = asym_op->dsa.s.length; debug_hexdump(stdout, "r:", asym_op->dsa.r.data, asym_op->dsa.r.length); debug_hexdump(stdout, "s:", asym_op->dsa.s.data, asym_op->dsa.s.length); +error_exit: + if (sess != NULL) + rte_cryptodev_asym_session_free(dev_id, sess); + if (op != NULL) + rte_crypto_op_free(op); + return status; +} + +static int +test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op) +{ + struct crypto_testsuite_params_asym *ts_params = &testsuite_params; + struct rte_mempool *op_mpool = ts_params->op_mpool; + struct rte_mempool *sess_mpool = ts_params->session_mpool; + uint8_t dev_id = ts_params->valid_devs[0]; + struct rte_crypto_asym_op *asym_op = NULL; + struct rte_crypto_op *op = NULL, *result_op = NULL; + void *sess = NULL; + int status = TEST_SUCCESS; + int ret; + ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess); + if (ret < 0) { + RTE_LOG(ERR, USER1, + "line %u FAILED: %s", __LINE__, + "Session creation failed"); + status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED; + goto error_exit; + } + /* set up crypto op data structure */ + op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC); + if (!op) { + RTE_LOG(ERR, USER1, + "line %u FAILED: %s", + __LINE__, "Failed to allocate asymmetric crypto " + "operation struct"); + status = TEST_FAILED; + goto error_exit; + } + asym_op = op->asym; + asym_op->dsa = *dsa_op; + + debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data, + dsa_xform.dsa.p.length); + debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data, + dsa_xform.dsa.q.length); + debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data, + dsa_xform.dsa.g.length); + + /* attach asymmetric crypto session to crypto operations */ + rte_crypto_op_attach_asym_session(op, sess); + + debug_hexdump(stdout, "r:", + asym_op->dsa.r.data, asym_op->dsa.r.length); + debug_hexdump(stdout, "s:", + asym_op->dsa.s.data, asym_op->dsa.s.length); + + RTE_LOG(DEBUG, USER1, "Process ASYM verify operation"); /* Test PMD DSA sign verification using signer public key */ asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY; @@ -1770,8 +1820,22 @@ static int test_dsa(void) { int status; - status = test_dsa_sign(); - TEST_ASSERT_EQUAL(status, 0, "Test failed"); + uint8_t r[TEST_DH_MOD_LEN]; + uint8_t s[TEST_DH_MOD_LEN]; + struct rte_crypto_dsa_op_param dsa_op; + uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344"; + + dsa_op.message.data = dgst; + dsa_op.message.length = sizeof(dgst); + dsa_op.r.data = r; + dsa_op.s.data = s; + dsa_op.r.length = sizeof(r); + dsa_op.s.length = sizeof(s); + + status = test_dsa_sign(&dsa_op); + TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed"); + status = test_dsa_verify(&dsa_op); + TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed"); return status; } diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..9f9167c4f1 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key) *priv_key = dsa->priv_key; } +#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static __rte_always_inline void +set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s) +{ + DSA_SIG_set0(sign, r, s); +} + +static __rte_always_inline void +get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s) +{ + DSA_SIG_get0(sign, r, s); +} #else static __rte_always_inline int diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 8fdbc75511..b0e5cd109b 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -184,6 +184,9 @@ struct openssl_asym_session { } dh; struct { DSA *dsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; +#endif } s; } u; } __rte_cache_aligned; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index fdf191b7ea..0f8dd4f169 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2,8 +2,6 @@ * Copyright(c) 2016-2017 Intel Corporation */ -#define OPENSSL_API_COMPAT 0x10100000L - #include #include #include @@ -1764,6 +1762,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, } /* process dsa sign operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + EVP_PKEY_CTX *dsa_ctx = NULL; + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + EVP_PKEY *pkey = NULL; + OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld; + OSSL_PARAM *params = NULL; + + size_t outlen; + unsigned char *dsa_sign_data; + const unsigned char *dsa_sign_data_p; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + return -1; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_PUBLIC_KEY, params) <= 0) + goto err_dsa_sign; + + dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!dsa_ctx) + goto err_dsa_sign; + + if (EVP_PKEY_sign_init(dsa_ctx) <= 0) + goto err_dsa_sign; + + if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data, + op->message.length) <= 0) + goto err_dsa_sign; + + if (outlen <= 0) + goto err_dsa_sign; + + dsa_sign_data = OPENSSL_malloc(outlen); + if (!dsa_sign_data) + goto err_dsa_sign; + + if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data, + op->message.length) <= 0) { + free(dsa_sign_data); + goto err_dsa_sign; + } + + dsa_sign_data_p = (const unsigned char *)dsa_sign_data; + DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen); + if (!sign) { + OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__); + free(dsa_sign_data); + goto err_dsa_sign; + } else { + const BIGNUM *r = NULL, *s = NULL; + get_dsa_sign(sign, &r, &s); + + op->r.length = BN_bn2bin(r, op->r.data); + op->s.length = BN_bn2bin(s, op->s.data); + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + } + + DSA_SIG_free(sign); + free(dsa_sign_data); + return 0; + +err_dsa_sign: + if (params) + OSSL_PARAM_free(params); + if (key_ctx) + EVP_PKEY_CTX_free(key_ctx); + if (dsa_ctx) + EVP_PKEY_CTX_free(dsa_ctx); + return -1; +} + +/* process dsa verify operation */ +static int +process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + DSA_SIG *sign = DSA_SIG_new(); + BIGNUM *r = NULL, *s = NULL; + BIGNUM *pub_key = NULL; + OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld; + OSSL_PARAM *params = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *dsa_ctx = NULL; + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + unsigned char *dsa_sig = NULL; + size_t sig_len; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + if (!param_bld) { + OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__); + return -1; + } + + r = BN_bin2bn(op->r.data, op->r.length, r); + s = BN_bin2bn(op->s.data, op->s.length, s); + pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key); + if (!r || !s || !pub_key) { + BN_free(r); + BN_free(s); + BN_free(pub_key); + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + set_dsa_sign(sign, r, s); + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err_dsa_verify; + + dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!dsa_ctx) + goto err_dsa_verify; + + if (!sign) + goto err_dsa_verify; + + sig_len = i2d_DSA_SIG(sign, &dsa_sig); + if (EVP_PKEY_verify_init(dsa_ctx) <= 0) + goto err_dsa_verify; + + ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len, + op->message.data, op->message.length); + if (ret == 1) { + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + } + +err_dsa_verify: + if (sign) + DSA_SIG_free(sign); + if (params) + OSSL_PARAM_free(params); + if (key_ctx) + EVP_PKEY_CTX_free(key_ctx); + if (dsa_ctx) + EVP_PKEY_CTX_free(dsa_ctx); + + return ret; +} +#else static int process_openssl_dsa_sign_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1845,6 +2008,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, return 0; } +#endif /* process dh operation */ #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) @@ -2501,6 +2665,14 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, #endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) + retval = process_openssl_dsa_sign_op_evp(op, sess); + else if (op->asym->dsa.op_type == + RTE_CRYPTO_ASYM_OP_VERIFY) + retval = + process_openssl_dsa_verify_op_evp(op, sess); +#else if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) retval = process_openssl_dsa_sign_op(op, sess); else if (op->asym->dsa.op_type == @@ -2509,6 +2681,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, process_openssl_dsa_verify_op(op, sess); else op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; +#endif break; default: op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index a1a42ef444..59eb80fc72 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -812,13 +812,13 @@ static int openssl_set_asym_session_parameters( struct openssl_asym_session *asym_session, struct rte_crypto_asym_xform *xform) { - int ret = 0; + int ret = -1; if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) && (xform->next != NULL)) { OPENSSL_LOG(ERR, "chained xfrms are not supported on %s", rte_crypto_asym_xform_strings[xform->xform_type]); - return -1; + return ret; } switch (xform->xform_type) { @@ -1003,7 +1003,7 @@ static int openssl_set_asym_session_parameters( if (ret) { OPENSSL_LOG(ERR, "Failed to load rsa keys\n"); RSA_free(rsa); - return -1; + return ret; } asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; @@ -1029,7 +1029,7 @@ static int openssl_set_asym_session_parameters( if (ctx == NULL) { OPENSSL_LOG(ERR, " failed to allocate resources\n"); - return -1; + return ret; } BN_CTX_start(ctx); BIGNUM *mod = BN_CTX_get(ctx); @@ -1037,7 +1037,7 @@ static int openssl_set_asym_session_parameters( if (mod == NULL || exp == NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); - return -1; + return ret; } mod = BN_bin2bn((const unsigned char *) @@ -1060,14 +1060,14 @@ static int openssl_set_asym_session_parameters( if (ctx == NULL) { OPENSSL_LOG(ERR, " failed to allocate resources\n"); - return -1; + return ret; } BN_CTX_start(ctx); BIGNUM *mod = BN_CTX_get(ctx); if (mod == NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); - return -1; + return ret; } mod = BN_bin2bn((const unsigned char *) @@ -1158,6 +1158,56 @@ static int openssl_set_asym_session_parameters( } case RTE_CRYPTO_ASYM_XFORM_DSA: { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + BIGNUM *p = NULL, *g = NULL; + BIGNUM *q = NULL, *priv_key = NULL; + BIGNUM *pub_key = BN_new(); + BN_zero(pub_key); + OSSL_PARAM_BLD *param_bld = NULL; + + p = BN_bin2bn((const unsigned char *) + xform->dsa.p.data, + xform->dsa.p.length, + p); + + g = BN_bin2bn((const unsigned char *) + xform->dsa.g.data, + xform->dsa.g.length, + g); + + q = BN_bin2bn((const unsigned char *) + xform->dsa.q.data, + xform->dsa.q.length, + q); + if (!p || !q || !g) + goto err_dsa; + + priv_key = BN_bin2bn((const unsigned char *) + xform->dsa.x.data, + xform->dsa.x.length, + priv_key); + if (priv_key == NULL) + goto err_dsa; + + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dsa; + } + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; + asym_session->u.s.param_bld = param_bld; + + break; +#else BIGNUM *p = NULL, *g = NULL; BIGNUM *q = NULL, *priv_key = NULL; BIGNUM *pub_key = BN_new(); @@ -1217,7 +1267,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.s.dsa = dsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; break; - +#endif err_dsa: BN_free(p); BN_free(q); @@ -1227,7 +1277,7 @@ static int openssl_set_asym_session_parameters( return -1; } default: - return -1; + return ret; } return 0; @@ -1310,8 +1360,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) #endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.s.param_bld = NULL; +#else if (sess->u.s.dsa) DSA_free(sess->u.s.dsa); +#endif break; default: break;