From mboxrd@z Thu Jan 1 00:00:00 1970 From: Shally Verma Subject: [PATCH v2 5/6] crypto/openssl: add asym crypto support Date: Thu, 5 Apr 2018 16:54:48 +0530 Message-ID: <1522927489-23668-6-git-send-email-shally.verma@caviumnetworks.com> References: <1522927489-23668-1-git-send-email-shally.verma@caviumnetworks.com> Mime-Version: 1.0 Content-Type: text/plain Cc: declan.doherty@intel.com, fiona.trahe@intel.com, pathreya@caviumnetworks.com, ssahu@caviumnetworks.com, agupta@caviumnetworks.com, dev@dpdk.org, Sunila Sahu , Ashish Gupta To: pablo.de.lara.guarch@intel.com Return-path: Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0073.outbound.protection.outlook.com [104.47.36.73]) by dpdk.org (Postfix) with ESMTP id 610991CB4B for ; Thu, 5 Apr 2018 13:26:19 +0200 (CEST) In-Reply-To: <1522927489-23668-1-git-send-email-shally.verma@caviumnetworks.com> List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add asymmetric crypto operation support in openssl PMD. Current list of supported asym xforms: * RSA * DSA * Deffie-hellman * Modular Operations changes from v1: - resolve new line error in dod/guides/cryptodevs/openssl.rst Signed-off-by: Shally Verma Signed-off-by: Sunila Sahu Signed-off-by: Ashish Gupta -- Please apply asymmetric crypto API patches before compilation --- doc/guides/cryptodevs/features/openssl.ini | 11 + doc/guides/cryptodevs/openssl.rst | 1 + drivers/crypto/openssl/rte_openssl_pmd.c | 377 ++++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 400 ++++++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_private.h | 29 ++ 5 files changed, 806 insertions(+), 12 deletions(-) diff --git a/doc/guides/cryptodevs/features/openssl.ini b/doc/guides/cryptodevs/features/openssl.ini index 6915658..bef5c7f 100644 --- a/doc/guides/cryptodevs/features/openssl.ini +++ b/doc/guides/cryptodevs/features/openssl.ini @@ -7,6 +7,7 @@ Symmetric crypto = Y Sym operation chaining = Y Mbuf scatter gather = Y +Asymmetric crypto = Y ; ; Supported crypto algorithms of the 'openssl' crypto driver. @@ -49,3 +50,13 @@ AES GCM (256) = Y AES CCM (128) = Y AES CCM (192) = Y AES CCM (256) = Y + +; +; Supported Asymmetric algorithms of the 'openssl' crypto driver. +; +[Asymmetric] +RSA = Y +DSA = Y +Modular Exponentiation = Y +Modular Inversion = Y +Deffie-hellman = Y diff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst index 427fc80..4f90be8 100644 --- a/doc/guides/cryptodevs/openssl.rst +++ b/doc/guides/cryptodevs/openssl.rst @@ -80,6 +80,7 @@ crypto processing. Test name is cryptodev_openssl_autotest. For performance test cryptodev_openssl_perftest can be used. +For asymmetric crypto operations testing, run cryptodev_openssl_asym_autotest To verify real traffic l2fwd-crypto example can be used with this command: diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index f584d0d..527e427 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -727,19 +727,35 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } /** Provide session for operation */ -static struct openssl_session * +static void * get_session(struct openssl_qp *qp, struct rte_crypto_op *op) { struct openssl_session *sess = NULL; + struct openssl_asym_session *asym_sess = NULL; if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) { - /* get existing session */ - if (likely(op->sym->session != NULL)) - sess = (struct openssl_session *) - get_session_private_data( - op->sym->session, - cryptodev_driver_id); + if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) { + /* get existing session */ + if (likely(op->sym->session != NULL)) + sess = (struct openssl_session *) + get_session_private_data( + op->sym->session, + cryptodev_driver_id); + } else { + if (likely(op->asym->session != NULL)) + asym_sess = (struct openssl_asym_session *) + get_asym_session_private_data( + op->asym->session, + cryptodev_driver_id); + if (asym_sess == NULL) + op->status = + RTE_CRYPTO_OP_STATUS_INVALID_SESSION; + return asym_sess; + } } else { + if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC) + return NULL; /* sessionless asymmetric not supported */ + /* provide internal session */ void *_sess = NULL; void *_sess_private_data = NULL; @@ -1525,6 +1541,341 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) op->status = RTE_CRYPTO_OP_STATUS_ERROR; } +static int process_openssl_modinv_op(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + BIGNUM *base = BN_CTX_get(sess->u.m.ctx); + BIGNUM *res = BN_CTX_get(sess->u.m.ctx); + + if (unlikely(base == NULL || res == NULL)) { + if (base) + BN_free(base); + if (res) + BN_free(res); + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + return -1; + } + + base = BN_bin2bn((const unsigned char *)op->modinv.base.data, + op->modinv.base.length, base); + + if (BN_mod_inverse(res, base, sess->u.m.modulus, sess->u.m.ctx)) { + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + op->modinv.base.length = BN_bn2bin(res, op->modinv.base.data); + } else { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + } + + return 0; +} + +static int process_openssl_modexp_op(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + BIGNUM *base = BN_CTX_get(sess->u.e.ctx); + BIGNUM *res = BN_CTX_get(sess->u.e.ctx); + + if (unlikely(base == NULL || res == NULL)) { + if (base) + BN_free(base); + if (res) + BN_free(res); + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + return -1; + } + + base = BN_bin2bn((const unsigned char *)op->modinv.base.data, + op->modinv.base.length, base); + + if (BN_mod_exp(res, base, sess->u.e.exp, + sess->u.e.mod, sess->u.e.ctx)) { + op->modinv.base.length = BN_bn2bin(res, op->modinv.base.data); + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + } else { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + } + + return 0; +} + +/* process rsa operations */ +static int process_openssl_rsa_op(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + int ret = 0; + struct rte_crypto_asym_op *op = cop->asym; + RSA *rsa = sess->u.r.rsa; + uint32_t pad = (op->rsa.pad); + + switch (pad) { + case RTE_CRYPTO_RSA_PKCS1_V1_5_BT1: + case RTE_CRYPTO_RSA_PKCS1_V1_5_BT2: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_PSS: + pad = RSA_PKCS1_PSS_PADDING; + /* fall through */ + case RTE_CRYPTO_RSA_PADDING_OAEP: + pad = RSA_PKCS1_OAEP_PADDING; + /* fall through */ + default: + pad = RSA_NO_PADDING; + break; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + ret = RSA_public_encrypt(op->rsa.message.length, + op->rsa.message.data, + op->rsa.message.data, + rsa, + pad); + + op->rsa.message.length = ret; + OPENSSL_LOG_DBG("length of encrypted text %d\n", ret); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + ret = RSA_private_decrypt(op->rsa.message.length, + op->rsa.message.data, + op->rsa.message.data, + rsa, + pad); + op->rsa.message.length = ret; + break; + + case RTE_CRYPTO_ASYM_OP_SIGN: + ret = RSA_private_encrypt(op->rsa.message.length, + op->rsa.message.data, + op->rsa.sign.data, + rsa, + pad); + op->rsa.sign.length = ret; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + ret = RSA_public_decrypt(op->rsa.sign.length, + op->rsa.sign.data, + op->rsa.sign.data, + rsa, + pad); + + OPENSSL_LOG_DBG( + "Length of public_decrypt %d length of message %d\n", + ret, op->rsa.message.length); + + if (memcmp(op->rsa.sign.data, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG_ERR("RSA sign Verification failed"); + ret = -1; + } + break; + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + break; + } + + if (ret < 0) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + ret = 0; + } + + ret = 0; + return ret; +} + +static int +process_openssl_dh_op(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dh_op_param *op = &cop->asym->dh; + DH *dh_key = sess->u.dh.dh_key; + + if (sess->u.dh.key_op & + (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) { + BIGNUM *peer_key = NULL; + + /* copy private key and peer key and compute shared secret */ + peer_key = BN_bin2bn(op->pub_key.data, + op->pub_key.length, + peer_key); + if (peer_key == NULL) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + return 0; + } + dh_key->priv_key = BN_bin2bn(op->priv_key.data, + op->priv_key.length, + dh_key->priv_key); + op->shared_secret.length = DH_compute_key( + op->shared_secret.data, + peer_key, dh_key); + if (!(op->shared_secret.length)) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + BN_free(peer_key); + return 0; + } + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + BN_free(peer_key); + return 0; + } + + if ((sess->u.dh.key_op & + (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) && + !(sess->u.dh.key_op & + (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) { + /* generate public key using user-pass private key */ + dh_key->priv_key = BN_bin2bn(op->priv_key.data, + op->priv_key.length, + dh_key->priv_key); + if (dh_key->priv_key == NULL) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + return 0; + } + } + + /* generate public and private key pair */ + if (!DH_generate_key(dh_key)) { + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + return 0; + } + + if (sess->u.dh.key_op & + (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) { + OPENSSL_LOG_DBG("%s:%d updated priv key\n", + __func__, __LINE__); + + op->priv_key.length = BN_bn2bin(dh_key->priv_key, + op->priv_key.data); + } + + if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) { + OPENSSL_LOG_DBG("%s:%d update public key\n", + __func__, __LINE__); + + op->pub_key.length = BN_bn2bin(dh_key->pub_key, + op->pub_key.data); + } + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + + return 0; +} + +static int +process_openssl_dsa_sign_op(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + DSA *dsa = sess->u.s.dsa; + DSA_SIG *sign; + + sign = DSA_do_sign(op->message.data, + op->message.length, + dsa); + + if (sign == NULL) { + OPENSSL_LOG_ERR("%s:%d\n", __func__, __LINE__); + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + } else { + op->r.length = BN_bn2bin(sign->r, op->r.data); + op->s.length = BN_bn2bin(sign->s, op->s.data); + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + } + + DSA_SIG_free(sign); + return 0; +} + +static int +process_openssl_dsa_verify_op(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + DSA *dsa = sess->u.s.dsa; + int ret; + DSA_SIG *sign = DSA_SIG_new(); + + if (sign == NULL) { + OPENSSL_LOG_ERR(" %s:%d\n", __func__, __LINE__); + return -1; + } + + sign->r = BN_bin2bn(op->r.data, + op->r.length, + sign->r); + sign->s = BN_bin2bn(op->s.data, + op->s.length, + sign->s); + + dsa->pub_key = BN_bin2bn(op->y.data, + op->y.length, + dsa->pub_key); + + ret = DSA_do_verify(op->message.data, + op->message.length, + sign, + dsa); + + if (ret != 1) + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + else + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + + DSA_SIG_free(sign); + + return 0; +} + + +static int +process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, + struct openssl_asym_session *sess) +{ + int retval = 0; + + op->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + + switch (sess->xfrm_type) { + case RTE_CRYPTO_ASYM_XFORM_RSA: + retval = process_openssl_rsa_op(op, sess); + break; + case RTE_CRYPTO_ASYM_XFORM_MODEX: + retval = process_openssl_modexp_op(op, sess); + break; + case RTE_CRYPTO_ASYM_XFORM_MODINV: + retval = process_openssl_modinv_op(op, sess); + break; + case RTE_CRYPTO_ASYM_XFORM_DH: + retval = process_openssl_dh_op(op, sess); + break; + case RTE_CRYPTO_ASYM_XFORM_DSA: + if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) + retval = process_openssl_dsa_sign_op(op, sess); + else if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_VERIFY) + retval = process_openssl_dsa_verify_op(op, sess); + else + op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + break; + default: + op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + break; + } + if (!retval) { + /* op processed so push to completion queue as processed */ + retval = rte_ring_enqueue(qp->processed_ops, (void *)op); + if (retval) + /* return error if failed to put in completion queue */ + retval = -1; + } + + return retval; +} + + /** Process crypto operation for mbuf */ static int process_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -1597,7 +1948,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) openssl_pmd_enqueue_burst(void *queue_pair, struct rte_crypto_op **ops, uint16_t nb_ops) { - struct openssl_session *sess; + void *sess; struct openssl_qp *qp = queue_pair; int i, retval; @@ -1606,7 +1957,12 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) if (unlikely(sess == NULL)) goto enqueue_err; - retval = process_op(qp, ops[i], sess); + if (ops[i]->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) + retval = process_op(qp, ops[i], + (struct openssl_session *) sess); + else + retval = process_asym_op(qp, ops[i], + (struct openssl_asym_session *) sess); if (unlikely(retval < 0)) goto enqueue_err; } @@ -1660,7 +2016,8 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO | RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING | RTE_CRYPTODEV_FF_CPU_AESNI | - RTE_CRYPTODEV_FF_MBUF_SCATTER_GATHER; + RTE_CRYPTODEV_FF_MBUF_SCATTER_GATHER | + RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO; /* Set vector instructions mode supported */ internals = dev->data->dev_private; diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 1cb87d5..ae8c44d 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -469,6 +469,110 @@ }, } }, } }, + { /* RSA */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA, + .xfrm_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_RSA, + .op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) | + (1 << RTE_CRYPTO_ASYM_OP_VERIFY) | + (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) | + (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)), + { + .modlen = { + /* min length is based on openssl rsa keygen */ + .min = 30, + /* value 0 symbolizes no limit on max length */ + .max = 0, + .increment = 1 + }, } + } + }, + } + }, + { /* modexp */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX, + .xfrm_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX, + .op_types = 0, + { + .modlen = { + /* min length is based on openssl rsa keygen */ + .min = 0, + /* value 0 symbolizes no limit on max length */ + .max = 0, + .increment = 1 + }, } + } + }, + } + }, + { /* modinv */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV, + .xfrm_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV, + .op_types = 0, + { + .modlen = { + /* min length is based on openssl rsa keygen */ + .min = 0, + /* value 0 symbolizes no limit on max length */ + .max = 0, + .increment = 1 + }, } + } + }, + } + }, + { /* dh */ + .op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC, + {.asym = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_DH, + .xfrm_capa = { + .xform_type = RTE_CRYPTO_ASYM_XFORM_DH, + .op_types = + ((1<data->nb_queue_pairs; } -/** Returns the size of the session structure */ +/** Returns the size of symmetric session structure */ static unsigned openssl_pmd_session_get_size(struct rte_cryptodev *dev __rte_unused) { return sizeof(struct openssl_session); } +/** Returns the size of the session structure */ +static unsigned +openssl_pmd_asym_session_get_size(struct rte_cryptodev *dev __rte_unused) +{ + return sizeof(struct openssl_asym_session); +} + /** Configure the session from a crypto xform chain */ static int openssl_pmd_session_configure(struct rte_cryptodev *dev __rte_unused, @@ -713,6 +824,236 @@ return 0; } +static int openssl_set_asym_session_parameters( + struct openssl_asym_session *asym_session, + struct rte_crypto_asym_xform *xform) +{ + + if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) && + (xform->next != NULL)) { + OPENSSL_LOG_ERR("chained xfrms are not supported on %s", + rte_crypto_asym_xform_strings[xform->xform_type]); + return -1; + } + + switch (xform->xform_type) { + case RTE_CRYPTO_ASYM_XFORM_RSA: + { + struct rte_crypto_rsa_xform *xfrm = &(xform->rsa); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + + RSA *rsa = RSA_new(); + if (rsa == NULL) + return -1; + /* copy xfrm data into rsa struct */ + rsa->n = BN_bin2bn((const unsigned char *)xfrm->n.data, + xfrm->n.length, rsa->n); + rsa->e = BN_bin2bn((const unsigned char *)xfrm->e.data, + xfrm->e.length, rsa->e); + if (xfrm->key_type == RTE_RSA_KEY_TYPE_EXP) { + rsa->d = BN_bin2bn((const unsigned char *)xfrm->d.data, + xfrm->d.length, + rsa->d); + } else { + rsa->p = BN_bin2bn( + (const unsigned char *)xfrm->qt.p.data, + xfrm->qt.p.length, + rsa->p); + rsa->q = BN_bin2bn( + (const unsigned char *)xfrm->qt.q.data, + xfrm->qt.q.length, + rsa->q); + rsa->dmp1 = BN_bin2bn( + (const unsigned char *)xfrm->qt.dP.data, + xfrm->qt.dP.length, + rsa->dmp1); + rsa->dmq1 = BN_bin2bn( + (const unsigned char *)xfrm->qt.dQ.data, + xfrm->qt.dQ.length, + rsa->dmq1); + rsa->iqmp = BN_bin2bn( + (const unsigned char *) + xfrm->qt.qInv.data, + xfrm->qt.qInv.length, + rsa->iqmp); + } + asym_session->u.r.rsa = rsa; + break; + } + case RTE_CRYPTO_ASYM_XFORM_MODEX: + { + struct rte_crypto_modex_xform *xfrm = &(xform->modex); + + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_MODEX; + + BN_CTX *ctx = BN_CTX_new(); + if (ctx == NULL) { + OPENSSL_LOG_ERR(" failed to allocate resources\n"); + return -1; + } + BN_CTX_start(ctx); + BIGNUM *mod = BN_CTX_get(ctx); + BIGNUM *exp = BN_CTX_get(ctx); + if (mod == NULL || exp == NULL) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return -1; + } + mod = BN_bin2bn((const unsigned char *)xfrm->modulus.data, + xfrm->modulus.length, mod); + exp = BN_bin2bn((const unsigned char *)xfrm->exponent.data, + xfrm->exponent.length, exp); + asym_session->u.e.ctx = ctx; + asym_session->u.e.mod = mod; + asym_session->u.e.exp = exp; + break; + } + case RTE_CRYPTO_ASYM_XFORM_MODINV: + { + struct rte_crypto_modinv_xform *xfrm = &(xform->modinv); + + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_MODINV; + + BN_CTX *ctx = BN_CTX_new(); + if (ctx == NULL) { + OPENSSL_LOG_ERR(" failed to allocate resources\n"); + return -1; + } + BN_CTX_start(ctx); + BIGNUM *mod = BN_CTX_get(ctx); + if (mod == NULL) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return -1; + } + + mod = BN_bin2bn((const unsigned char *) + xfrm->modulus.data, + xfrm->modulus.length, + mod); + asym_session->u.m.ctx = ctx; + asym_session->u.m.modulus = mod; + break; + } + case RTE_CRYPTO_ASYM_XFORM_DH: + { + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH; + + asym_session->u.dh.dh_key = DH_new(); + DH *dh = asym_session->u.dh.dh_key; + if (dh == NULL) { + OPENSSL_LOG_ERR(" failed to allocate resources\n"); + return -1; + } + + dh->p = BN_bin2bn((const unsigned char *) + xform->dh.p.data, + xform->dh.p.length, + dh->p); + + dh->g = BN_bin2bn((const unsigned char *) + xform->dh.g.data, + xform->dh.g.length, + dh->g); + + /* setup xfrom for + * public key generate, or + * DH Priv key generate, or both + * public and private key generate + */ + asym_session->u.dh.key_op = (1 << xform->dh.type); + + if (xform->dh.type == RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) { + /* check if next is pubkey */ + if ((xform->next != NULL) && + (xform->next->xform_type == + RTE_CRYPTO_ASYM_XFORM_DH) && + (xform->next->dh.type == + RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) { + /* setup op as pub/priv key pair generation */ + asym_session->u.dh.key_op |= + (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE); + } + } + break; + } + case RTE_CRYPTO_ASYM_XFORM_DSA: + { + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; + + asym_session->u.s.dsa = DSA_new(); + DSA *dsa = asym_session->u.s.dsa; + if (dsa == NULL) { + OPENSSL_LOG_ERR( + " failed to allocate resources\n"); + return -1; + } + + dsa->p = BN_bin2bn((const unsigned char *) + xform->dsa.p.data, + xform->dsa.p.length, + dsa->p); + + dsa->g = BN_bin2bn((const unsigned char *) + xform->dsa.g.data, + xform->dsa.g.length, + dsa->g); + + dsa->q = BN_bin2bn((const unsigned char *) + xform->dsa.q.data, + xform->dsa.q.length, + dsa->q); + + dsa->priv_key = BN_bin2bn((const unsigned char *) + xform->dsa.x.data, + xform->dsa.x.length, + dsa->priv_key); + + break; + } + default: + return -1; + } + + return 0; +} + +/** Configure the session from a crypto xform chain */ +static int +openssl_pmd_asym_session_configure(struct rte_cryptodev *dev __rte_unused, + struct rte_crypto_asym_xform *xform, + struct rte_cryptodev_asym_session *sess, + struct rte_mempool *mempool) +{ + void *asym_sess_private_data; + int ret; + + if (unlikely(sess == NULL)) { + OPENSSL_LOG_ERR("invalid asymmetric session struct"); + return -EINVAL; + } + + if (rte_mempool_get(mempool, &asym_sess_private_data)) { + CDEV_LOG_ERR( + "Couldn't get object from session mempool"); + return -ENOMEM; + } + + ret = openssl_set_asym_session_parameters(asym_sess_private_data, + xform); + if (ret != 0) { + OPENSSL_LOG_ERR("failed configure session parameters"); + + /* Return session to mempool */ + rte_mempool_put(mempool, asym_sess_private_data); + return ret; + } + + set_asym_session_private_data(sess, dev->driver_id, + asym_sess_private_data); + + return 0; +} /** Clear the memory of session so it doesn't leave key material behind */ static void @@ -732,6 +1073,58 @@ } } +static void openssl_reset_asym_session(struct openssl_asym_session *sess) +{ + switch (sess->xfrm_type) { + case RTE_CRYPTO_ASYM_XFORM_RSA: + if (sess->u.r.rsa) + RSA_free(sess->u.r.rsa); + break; + case RTE_CRYPTO_ASYM_XFORM_MODEX: + if (sess->u.e.ctx) { + BN_CTX_end(sess->u.e.ctx); + BN_CTX_free(sess->u.e.ctx); + } + break; + case RTE_CRYPTO_ASYM_XFORM_MODINV: + if (sess->u.m.ctx) { + BN_CTX_end(sess->u.m.ctx); + BN_CTX_free(sess->u.m.ctx); + } + break; + case RTE_CRYPTO_ASYM_XFORM_DH: + if (sess->u.dh.dh_key) + DH_free(sess->u.dh.dh_key); + break; + case RTE_CRYPTO_ASYM_XFORM_DSA: + if (sess->u.s.dsa) + DSA_free(sess->u.s.dsa); + break; + default: + break; + } +} + +/** Clear the memory of asymmetric session + * so it doesn't leave key material behind + */ +static void +openssl_pmd_asym_session_clear(struct rte_cryptodev *dev, + struct rte_cryptodev_asym_session *sess) +{ + uint8_t index = dev->driver_id; + void *sess_priv = get_asym_session_private_data(sess, index); + + /* Zero out the whole structure */ + if (sess_priv) { + openssl_reset_asym_session(sess_priv); + memset(sess_priv, 0, sizeof(struct openssl_asym_session)); + struct rte_mempool *sess_mp = rte_mempool_from_obj(sess_priv); + set_asym_session_private_data(sess, index, NULL); + rte_mempool_put(sess_mp, sess_priv); + } +} + struct rte_cryptodev_ops openssl_pmd_ops = { .dev_configure = openssl_pmd_config, .dev_start = openssl_pmd_start, @@ -750,8 +1143,11 @@ struct rte_cryptodev_ops openssl_pmd_ops = { .queue_pair_count = openssl_pmd_qp_count, .session_get_size = openssl_pmd_session_get_size, + .asym_session_get_size = openssl_pmd_asym_session_get_size, .session_configure = openssl_pmd_session_configure, - .session_clear = openssl_pmd_session_clear + .asym_session_configure = openssl_pmd_asym_session_configure, + .session_clear = openssl_pmd_session_clear, + .asym_session_clear = openssl_pmd_asym_session_clear }; struct rte_cryptodev_ops *rte_openssl_pmd_ops = &openssl_pmd_ops; diff --git a/drivers/crypto/openssl/rte_openssl_pmd_private.h b/drivers/crypto/openssl/rte_openssl_pmd_private.h index bc8dc7c..ebc9dee 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_private.h +++ b/drivers/crypto/openssl/rte_openssl_pmd_private.h @@ -8,6 +8,10 @@ #include #include #include +#include +#include +#include + #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +161,31 @@ struct openssl_session { } __rte_cache_aligned; +/** OPENSSL crypto private asymmetric session structure */ +struct openssl_asym_session { + enum rte_crypto_asym_xform_type xfrm_type; + union { + struct rsa { + RSA *rsa; + } r; + struct exp { + BIGNUM *exp; + BIGNUM *mod; + BN_CTX *ctx; + } e; + struct mod { + BIGNUM *modulus; + BN_CTX *ctx; + } m; + struct dh { + DH *dh_key; + uint32_t key_op; + } dh; + struct { + DSA *dsa; + } s; + } u; +} __rte_cache_aligned; /** Set and validate OPENSSL crypto session parameters */ extern int openssl_set_session_parameters(struct openssl_session *sess, -- 1.9.1