From: Kai Ji <kai.ji@intel.com>
To: dev@dpdk.org
Cc: gakhil@marvell.com, Kai Ji <kai.ji@intel.com>
Subject: [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
Date: Tue, 14 Jun 2022 21:25:40 +0800 [thread overview]
Message-ID: <20220614132542.76241-3-kai.ji@intel.com> (raw)
In-Reply-To: <20220614132542.76241-1-kai.ji@intel.com>
This patch updates the asymmetric RSA routine in the crypto OpenSSL PMD
to adopt the OpenSSL 3.0 EVP APIs.
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/openssl_pmd_private.h | 7 +
drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
3 files changed, 267 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..d603626fdf 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -11,6 +11,10 @@
#include <openssl/rsa.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
/**< Open SSL Crypto PMD device name */
@@ -157,6 +161,9 @@ struct openssl_asym_session {
union {
struct rsa {
RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_PKEY_CTX * ctx;
+#endif
} r;
struct exp {
BIGNUM *exp;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5dbe6074eb..cac157aba3 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
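Review bot: In the RTE_CRYPTO_ASYM_OP_VERIFY case a `CRYPTO_memcmp` mismatch is only logged; control then falls through to `ret = 0` and `cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS`, so a signature that does not match the message is reported to the caller as verified. The failure branch should release the buffer and leave through the error label, `rte_free(tmp); goto err_rsa;`, which keeps the RTE_CRYPTO_OP_STATUS_ERROR set at the top of the function. The condition should also reject a length mismatch, `if (outlen != op->rsa.message.length || CRYPTO_memcmp(tmp, op->rsa.message.data, op->rsa.message.length))`, because the comparison runs over `op->rsa.message.length` bytes regardless of how many bytes were recovered into `tmp`, which is only `op->rsa.sign.length` bytes long. Separately, the SIGN and VERIFY cases pass `outlen` still set to 0 together with a non-NULL output buffer, while the OpenSSL documentation for `EVP_PKEY_sign` and `EVP_PKEY_verify_recover` expects the buffer size there on entry; set it to the destination size first, or make a NULL-buffer sizing call as the encrypt and decrypt cases do.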
@@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 7d0da52a33..6d94da499e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -12,7 +12,11 @@
#include "openssl_pmd_private.h"
#include "compat.h"
-
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+#endif
static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
{ /* MD5 HMAC */
@@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
if (!n || !e)
goto err_rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_E, e)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ OPENSSL_LOG(ERR, "failed to allocate resources\n");
+ goto err_rsa;
+ }
+
+ if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+ d = BN_bin2bn(
+ (const unsigned char *)xform->rsa.d.data,
+ xform->rsa.d.length,
+ d);
+ if (!d) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ } else {
+ p = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.p.data,
+ xform->rsa.qt.p.length,
+ p);
+ q = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.q.data,
+ xform->rsa.qt.q.length,
+ q);
+ dmp1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dP.data,
+ xform->rsa.qt.dP.length,
+ dmp1);
+ dmq1 = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.dQ.data,
+ xform->rsa.qt.dQ.length,
+ dmq1);
+ iqmp = BN_bin2bn((const unsigned char *)
+ xform->rsa.qt.qInv.data,
+ xform->rsa.qt.qInv.length,
+ iqmp);
+
+ if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+ || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+ || !OSSL_PARAM_BLD_push_BN(param_bld,
+ OSSL_PKEY_PARAM_RSA_D, d)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *rsa_ctx = NULL;
+ OSSL_PARAM *params = NULL;
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_rsa;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_KEYPAIR, params) <= 0) {
+ OSSL_PARAM_free(params);
+ goto err_rsa;
+ }
+
+ rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+ asym_session->u.r.ctx = rsa_ctx;
+ EVP_PKEY_CTX_free(key_ctx);
+ OSSL_PARAM_free(params);
+ break;
+#else
RSA *rsa = RSA_new();
if (rsa == NULL)
goto err_rsa;
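Review bot: The tail of this block (from `OSSL_PARAM_BLD_to_param` to `break`) never releases `param_bld` once `params` has been built, never releases `pkey`, leaves `key_ctx` allocated on the `EVP_PKEY_fromdata` failure path, and stores the result of `EVP_PKEY_CTX_new` without checking it for NULL. Since `OSSL_PARAM_BLD_push_BN` only references the BIGNUMs, `n`, `e`, `d`, `p`, `q` and the CRT values remain owned by this function; the success path leaves through `break` rather than `err_rsa`, so unless code outside the hunk clears them, private-key material stays in unfreed, unscrubbed heap memory. Two smaller points in the same block: `OSSL_PKEY_PARAM_RSA_N` and `OSSL_PKEY_PARAM_RSA_E` are pushed twice, and `OSSL_PKEY_PARAM_RSA_D` is pushed unconditionally although `d` is only converted in the RTE_RSA_KEY_TYPE_EXP branch. The enclosing function openssl_set_asym_session_parameters starts and ends outside the hunk, so the BIGNUM cleanup belongs wherever its success path continues.

```c
	/* … unchanged: param_bld construction and BN conversion … */

	params = OSSL_PARAM_BLD_to_param(param_bld);
	/* params carries its own copy of the values; drop the builder now */
	OSSL_PARAM_BLD_free(param_bld);
	if (!params) {
		EVP_PKEY_CTX_free(key_ctx);
		goto err_rsa;
	}

	/* … unchanged: key_ctx NULL check, EVP_PKEY_fromdata_init/fromdata condition … */
		EVP_PKEY_CTX_free(key_ctx);
		OSSL_PARAM_free(params);
		goto err_rsa;
	}

	rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
	/* rsa_ctx takes its own reference on pkey */
	EVP_PKEY_free(pkey);
	EVP_PKEY_CTX_free(key_ctx);
	OSSL_PARAM_free(params);
	if (rsa_ctx == NULL)
		goto err_rsa;
	asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
	asym_session->u.r.ctx = rsa_ctx;
	break;
```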
@@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
asym_session->u.r.rsa = rsa;
asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
break;
+#endif
err_rsa:
BN_clear_free(n);
BN_clear_free(e);
@@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
{
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (sess->u.r.ctx)
+ EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
if (sess->u.r.rsa)
RSA_free(sess->u.r.rsa);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
if (sess->u.e.ctx) {
--
2.17.1