From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v2 4/5] crypto/openssl: 3.0 EVP update on DH routine
Date: Mon, 16 May 2022 18:10:38 +0800 [thread overview]
Message-ID: <20220516101039.4537-5-kai.ji@intel.com> (raw)
In-Reply-To: <20220516101039.4537-1-kai.ji@intel.com>
This patch updates asymmetric DH routine in crypto openssl pmd
to adopt openssl 3.0 EVP apis.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 4 +
drivers/crypto/openssl/rte_openssl_pmd.c | 186 ++++++++++++++++++-
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++-
3 files changed, 235 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index d603626fdf..8fdbc75511 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -177,6 +177,10 @@ struct openssl_asym_session {
struct dh {
DH *dh_key;
uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld;
+ OSSL_PARAM_BLD *param_bld_peer;
+#endif
} dh;
struct {
DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index e8dd4f4a42..691b000191 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -40,9 +40,9 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
@@ -1844,6 +1844,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
}
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->op_type == RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
@@ -1980,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
/* process modinv operation */
static int
@@ -2314,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 52a5119d47..f77e9a9842 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1093,7 +1093,46 @@ static int openssl_set_asym_session_parameters(
if (!p || !g)
goto err_dh;
- DH *dh = DH_new();
+ DH *dh = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD *param_bld = NULL;
+ param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+
+ OSSL_PARAM_BLD *param_bld_peer = NULL;
+ param_bld_peer = OSSL_PARAM_BLD_new();
+ if (!param_bld_peer) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dh;
+ }
+ if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer,
+ "group", "ffdhe2048", 0))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_P, p))
+ || (!OSSL_PARAM_BLD_push_BN(param_bld_peer,
+ OSSL_PKEY_PARAM_FFC_G, g))) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ goto err_dh;
+ }
+
+ asym_session->u.dh.param_bld = param_bld;
+ asym_session->u.dh.param_bld_peer = param_bld_peer;
+#else
+ dh = DH_new();
if (dh == NULL) {
OPENSSL_LOG(ERR,
"failed to allocate resources\n");
@@ -1104,6 +1143,7 @@ static int openssl_set_asym_session_parameters(
DH_free(dh);
goto err_dh;
}
+#endif
/*
* setup xfrom for
@@ -1286,8 +1326,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
}
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ sess->u.dh.param_bld = NULL;
+ sess->u.dh.param_bld_peer = NULL;
+#else
if (sess->u.dh.dh_key)
DH_free(sess->u.dh.dh_key);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
if (sess->u.s.dsa)
--
2.17.1
next prev parent reply other threads:[~2022-05-16 10:11 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-07 16:36 [dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 0/5] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 1/5] drivers/crypto: suppress openssl deprecated api warning messages Kai Ji
2022-05-16 19:21 ` [EXT] " Akhil Goyal
2022-05-16 20:20 ` Stephen Hemminger
2022-05-17 6:52 ` Akhil Goyal
2022-05-16 10:10 ` [dpdk-dev v2 2/5] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-05-16 10:10 ` [dpdk-dev v2 3/5] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-05-16 10:10 ` Kai Ji [this message]
2022-05-16 10:10 ` [dpdk-dev v2 5/5] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-13 16:40 ` [dpdk-dev v3 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-14 13:25 ` [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:22 ` [EXT] " Akhil Goyal
2022-06-14 13:25 ` [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine Kai Ji
2022-06-17 10:04 ` Zhang, Roy Fan
2022-06-21 9:30 ` [EXT] " Akhil Goyal
2022-06-21 13:35 ` Ji, Kai
2022-06-14 13:25 ` [dpdk-dev v4 3/4] crypto/openssl: 3.0 EVP update on DH routine Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-14 13:25 ` [dpdk-dev v4 4/4] crypto/openssl: 3.0 EVP update on DSA routine Kai Ji
2022-06-17 10:05 ` Zhang, Roy Fan
2022-06-21 10:16 ` [EXT] [dpdk-dev v4 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
2022-06-21 13:55 ` [dpdk-dev v5 " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 13:55 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 2/4] crypto/openssl: update on RSA " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 3/4] crypto/openssl: update on DH " Kai Ji
2022-06-21 15:42 ` [dpdk-dev v5 4/4] crypto/openssl: update on DSA " Kai Ji
2022-06-21 17:15 ` [EXT] [dpdk-dev v5 0/4] crypto/openssl: EVP api update for 3.0 lib Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220516101039.4537-5-kai.ji@intel.com \
--to=kai.ji@intel.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.