From: Akhil Goyal <gakhil@marvell.com>
To: Kai Ji <kai.ji@intel.com>, "dev@dpdk.org" <dev@dpdk.org>
Subject: RE: [EXT] [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC routine
Date: Tue, 21 Jun 2022 09:22:13 +0000	[thread overview]
Message-ID: <CO6PR18MB448484C754C803F62FE759B5D8B39@CO6PR18MB4484.namprd18.prod.outlook.com> (raw)
In-Reply-To: <20220614132542.76241-2-kai.ji@intel.com>

> Subject: [EXT] [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC
> routine
Title should be 
Crypto/openssl: update HMAC routine with 3.0 EVP API

> 
> This patch updates the symmetric HMAC routine in the crypto openssl
> PMD to adopt the OpenSSL 3.0 EVP APIs.
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
> ---
>  drivers/crypto/openssl/openssl_pmd_private.h |   4 +
>  drivers/crypto/openssl/rte_openssl_pmd.c     | 187 ++++++++++++++++++-
>  2 files changed, 181 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index b2054b3754..86dc169aaf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -134,8 +134,12 @@ struct openssl_session {
>  				/**< pointer to EVP key */
>  				const EVP_MD *evp_algo;
>  				/**< pointer to EVP algorithm function */
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +				EVP_MAC_CTX * ctx;
> +# else
>  				HMAC_CTX *ctx;
>  				/**< pointer to EVP context structure */
> +# endif

The #endif should be above the comment.
>  			} hmac;
>  		};
> 
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 6ac2dfff5a..5dbe6074eb 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
>  }
>  #endif
> 
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +
> +#define MAX_OSSL_ALGO_NAME_SIZE		16
> +
> +OSSL_PROVIDER *legacy;
> +OSSL_PROVIDER *deflt;
> +
> +static void ossl_load_legacy_provider(void)

`static void` should be on a separate line.
Check the other functions as well.

The verb should be at the end:
ossl_legacy_provider_load/unload

> +{
> +	/* Load Multiple providers into the default (NULL) library context */
> +	legacy = OSSL_PROVIDER_load(NULL, "legacy");
> +	if (legacy == NULL) {
> +		OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
> +		return;
> +	}
> +
> +	deflt = OSSL_PROVIDER_load(NULL, "default");
> +	if (deflt == NULL) {
> +		OPENSSL_LOG(ERR, "Failed to load Default provider\n");
> +		OSSL_PROVIDER_unload(legacy);
> +		return;
> +	}
> +}
> +
> +static void ossl_unload_legacy_provider(void)
> +{
> +	OSSL_PROVIDER_unload(legacy);
> +	OSSL_PROVIDER_unload(deflt);
> +}
> +
> +static __rte_always_inline const char *
> +get_digest_name(const struct rte_crypto_sym_xform *xform)

Should be digest_name_get

> +{
> +	switch (xform->auth.algo) {
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +		return OSSL_DIGEST_NAME_MD5;
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +		return OSSL_DIGEST_NAME_SHA1;
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_224;
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_256;
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_384;
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		return OSSL_DIGEST_NAME_SHA2_512;
> +	default:
> +		return NULL;
> +	}
> +}
> +#endif
> +
>  static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
> 
>  /*----------------------------------------------------------------------------*/
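Review bot: `ossl_load_legacy_provider()` leaves `legacy` pointing at an already-unloaded provider when loading the default provider fails, and `ossl_unload_legacy_provider()` later hands that stale pointer to `OSSL_PROVIDER_unload()` a second time. Setting `legacy = NULL;` after the unload in the error path, and guarding both unload calls with a NULL check, would close that. The loader returns void, so the create path (the `cryptodev_openssl_create` hunk further down) cannot tell that provider loading failed and will report success anyway. `legacy` and `deflt` are also non-static file-scope globals that are overwritten on every device creation, which presumably leaks a provider reference once more than one openssl vdev exists; declaring them `static` and loading them once would be safer.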
> @@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
>  		sess->auth.auth.ctx = EVP_MD_CTX_create();
>  		break;
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	case RTE_CRYPTO_AUTH_MD5_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA1_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA224_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA256_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA384_HMAC:
> +	case RTE_CRYPTO_AUTH_SHA512_HMAC:
> +		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
> +
> +		OSSL_PARAM params[2];
> +		const char *algo;
> +		algo = get_digest_name(xform);

Pass xform->auth.algo directly

> +		if (!algo)
> +			return -EINVAL;
> +		char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
> +		rte_memcpy(algo_name, algo, (sizeof(algo)+1));
> +
> +		EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> +		sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
> +		EVP_MAC_free(mac);
> +		if (get_auth_algo(xform->auth.algo,
> +				&sess->auth.hmac.evp_algo) != 0)
> +			return -EINVAL;
> +
> +		params[0] = OSSL_PARAM_construct_utf8_string("digest",
> +					algo_name, 0);
> +		params[1] = OSSL_PARAM_construct_end();
> +		if (EVP_MAC_init(sess->auth.hmac.ctx,
> +				xform->auth.key.data,
> +				xform->auth.key.length,
> +				params) != 1)
> +			return -EINVAL;
> +		break;
> +# else
>  	case RTE_CRYPTO_AUTH_MD5_HMAC:
>  	case RTE_CRYPTO_AUTH_SHA1_HMAC:
>  	case RTE_CRYPTO_AUTH_SHA224_HMAC:
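Review bot: `rte_memcpy(algo_name, algo, (sizeof(algo)+1))` sizes the copy by the pointer `algo`, not by the digest name, so short names are read past the end of their string literal and, where pointers are 4 bytes, longer names land in `algo_name` without a terminating NUL before `OSSL_PARAM_construct_utf8_string(..., 0)` measures the string. A bounded string copy such as `snprintf(algo_name, sizeof(algo_name), "%s", algo);` fixes both cases. The results of `EVP_MAC_fetch()` and `EVP_MAC_CTX_new()` are also used unchecked, and the `-EINVAL` returns taken after the context exists leave `sess->auth.hmac.ctx` allocated unless the caller resets the session, which is not visible here. The enclosing function starts and ends outside this hunk.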
> @@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
>  				sess->auth.hmac.evp_algo, NULL) != 1)
>  			return -EINVAL;
>  		break;
> -
> +# endif
>  	default:
>  		return -ENOTSUP;
>  	}
> @@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
>  		break;
>  	case OPENSSL_AUTH_AS_HMAC:
>  		EVP_PKEY_free(sess->auth.hmac.pkey);
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +		EVP_MAC_CTX_free(sess->auth.hmac.ctx);
> +# else
>  		HMAC_CTX_free(sess->auth.hmac.ctx);
> +# endif
>  		break;
>  	default:
>  		break;
> @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src,
> uint8_t *dst, int offset,
>  	return -EINVAL;
>  }
> 
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/** Process standard openssl auth algorithms with hmac */
> +static int
> +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> +		int srclen, EVP_MAC_CTX *ctx)
> +{
> +	size_t dstlen;
> +	struct rte_mbuf *m;
> +	int l, n = srclen;
> +	uint8_t *src;
> +
> +	for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
> +			m = m->next)
> +		offset -= rte_pktmbuf_data_len(m);
> +
> +	if (m == 0)
> +		goto process_auth_err;
> +
> +	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
> +
> +	l = rte_pktmbuf_data_len(m) - offset;
> +	if (srclen <= l) {
> +		if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
> +			goto process_auth_err;
> +		goto process_auth_final;
> +	}
> +
> +	if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> +		goto process_auth_err;
> +
> +	n -= l;
> +
> +	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
> +		src = rte_pktmbuf_mtod(m, uint8_t *);
> +		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
> +		if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> +			goto process_auth_err;
> +		n -= l;
> +	}
> +
> +process_auth_final:
> +	if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
> +		goto process_auth_err;
> +
> +	EVP_MAC_CTX_free(ctx);
> +	return 0;
> +
> +process_auth_err:
> +	EVP_MAC_CTX_free(ctx);
> +	OPENSSL_LOG(ERR, "Process openssl auth failed");
> +	return -EINVAL;
> +}
> +# else
>  /** Process standard openssl auth algorithms with hmac */
>  static int
>  process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
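Review bot: `EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst))` passes the size of the pointer `dst` as the output capacity, so the limit is 4 or 8 bytes whatever the MAC length and whatever the real size of the digest buffer. OpenSSL is expected to reject the call when that value is smaller than the MAC, and where it is not, the bound protects nothing. The function has no digest-length parameter, so the real capacity of `dst` should be passed in from the caller, or at minimum `EVP_MAC_CTX_get_mac_size(ctx)` used once the caller's buffer is confirmed to be that large. This version also frees `ctx` itself while the pre-3.0 version leaves that to the caller; a one-line comment such as `/* takes ownership of ctx and frees it on every path */` above the function would keep the two variants from being confused.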
> @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf
> *mbuf_src, uint8_t *dst, int offset,
>  	OPENSSL_LOG(ERR, "Process openssl auth failed");
>  	return -EINVAL;
>  }
> -
> +# endif
>  /*----------------------------------------------------------------------------*/
> 
>  /** Process auth/cipher combined operation */
> @@ -1328,7 +1474,6 @@ process_openssl_combined_op
>  	int srclen, aadlen, status = -1;
>  	uint32_t offset;
>  	uint8_t taglen;
> -	EVP_CIPHER_CTX *ctx_copy;
> 
>  	/*
>  	 * Segmented destination buffer is not supported for
> @@ -1365,8 +1510,6 @@ process_openssl_combined_op
>  	}
> 
>  	taglen = sess->auth.digest_length;
> -	ctx_copy = EVP_CIPHER_CTX_new();
> -	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
> 
>  	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
>  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
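Review bot: Dropping `EVP_CIPHER_CTX_copy()` here, together with the call sites in the next two hunks that now pass `sess->cipher.ctx`, makes every AEAD operation write its IV, AAD and tag state into the session's single shared context. If one session can be processed on more than one queue pair or lcore, which these hunks do not rule out, that is an unsynchronised write to cipher state shared between operations. The change is also unrelated to the HMAC update the commit message describes. I would keep a per-operation or per-queue-pair copy and check its allocation, e.g. `ctx_copy = EVP_CIPHER_CTX_new();` followed by a NULL check, or move the removal into its own patch with a justification. `process_openssl_combined_op` starts and ends outside these hunks.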
> @@ -1374,12 +1517,12 @@ process_openssl_combined_op
>  			status = process_openssl_auth_encryption_gcm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, ctx_copy);
> +					dst, tag, sess->cipher.ctx);
>  		else
>  			status = process_openssl_auth_encryption_ccm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, taglen, ctx_copy);
> +					dst, tag, taglen, sess->cipher.ctx);
> 
>  	} else {
>  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1387,15 +1530,14 @@ process_openssl_combined_op
>  			status = process_openssl_auth_decryption_gcm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, ctx_copy);
> +					dst, tag, sess->cipher.ctx);
>  		else
>  			status = process_openssl_auth_decryption_ccm(
>  					mbuf_src, offset, srclen,
>  					aad, aadlen, iv,
> -					dst, tag, taglen, ctx_copy);
> +					dst, tag, taglen, sess->cipher.ctx);
>  	}
> 
> -	EVP_CIPHER_CTX_free(ctx_copy);
>  	if (status != 0) {
>  		if (status == (-EFAULT) &&
>  				sess->auth.operation ==
> @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
>  	uint8_t *dst;
>  	int srclen, status;
>  	EVP_MD_CTX *ctx_a;
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +	EVP_MAC_CTX *ctx_h;
> +	EVP_MAC *mac;
> +# else
>  	HMAC_CTX *ctx_h;
> +# endif
> 
>  	srclen = op->sym->auth.data.length;
> 
> @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
>  		EVP_MD_CTX_destroy(ctx_a);
>  		break;
>  	case OPENSSL_AUTH_AS_HMAC:
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +		mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> +		ctx_h = EVP_MAC_CTX_new(mac);
> +		ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
> +		EVP_MAC_free(mac);
> +		status = process_openssl_auth_hmac(mbuf_src, dst,
> +				op->sym->auth.data.offset, srclen,
> +				ctx_h);
> +# else
>  		ctx_h = HMAC_CTX_new();
>  		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
>  		status = process_openssl_auth_hmac(mbuf_src, dst,
>  				op->sym->auth.data.offset, srclen,
>  				ctx_h);
>  		HMAC_CTX_free(ctx_h);
> +# endif
>  		break;
>  	default:
>  		status = -1;
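Review bot: `ctx_h = EVP_MAC_CTX_new(mac);` is overwritten on the very next line by `ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);`, so one MAC context is leaked per operation, and the `EVP_MAC_fetch()` in the datapath only feeds that discarded context. The fetch, the `_new` call and `EVP_MAC_free(mac)` can all be removed, leaving `ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);`. The result of the dup is passed on unchecked; a NULL check that fails the operation before calling `process_openssl_auth_hmac()` is needed, since that function goes straight to `EVP_MAC_update()` on it. The enclosing function starts and ends outside this hunk.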
> @@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
> 
>  	rte_cryptodev_pmd_probing_finish(dev);
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	/* Load legacy provider
> +	 * Some algorithms are no longer available in earlier version of openssl,
> +	 * unless the legacy provider explicitly loaded. e.g. DES
> +	 */
> +	ossl_load_legacy_provider();
> +# endif
>  	return 0;
> 
>  init_error:
> @@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device
> *vdev)
>  	if (cryptodev == NULL)
>  		return -ENODEV;
> 
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +	ossl_unload_legacy_provider();
> +# endif
>  	return rte_cryptodev_pmd_destroy(cryptodev);
>  }
> 
> --
> 2.17.1

