[PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[Akhil Goyal]

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 config/defconfig_arm64-dpaa2-linuxapp-gcc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/defconfig_arm64-dpaa2-linuxapp-gcc b/config/defconfig_arm64-dpaa2-linuxapp-gcc
index 8a42944..7de2d4e 100644
--- a/config/defconfig_arm64-dpaa2-linuxapp-gcc
+++ b/config/defconfig_arm64-dpaa2-linuxapp-gcc
@@ -90,3 +90,9 @@ CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS=2048
 #
 CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV=y
 CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV_DEBUG=n
+
+#
+# Compile PMD for Software backed device
+#
+CONFIG_RTE_LIBRTE_PMD_OPENSSL=y
+CONFIG_RTE_LIBRTE_PMD_OPENSSL_DEBUG=n
-- 
2.9.3

[PATCH] crypto/openssl: add openssl path for cross compile

[Akhil Goyal]

OPENSSL_PATH should be defined in case openssl
driver is cross compiled

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 doc/guides/cryptodevs/openssl.rst | 4 ++++
 drivers/crypto/openssl/Makefile   | 1 +
 mk/rte.app.mk                     | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst
index f18a456..08cc9ba 100644
--- a/doc/guides/cryptodevs/openssl.rst
+++ b/doc/guides/cryptodevs/openssl.rst
@@ -88,6 +88,10 @@ sudo apt-get install libc6-dev-i386 (for i686-native-linuxapp-gcc target)
 This code was also verified on Fedora 24.
 This code was NOT yet verified on FreeBSD.
 
+In case openssl is cross compiled, openssl can be installed separately
+and path for openssl install directory can be given as
+export OPENSSL_PATH=<openssl install dir>
+
 Initialization
 --------------
 
diff --git a/drivers/crypto/openssl/Makefile b/drivers/crypto/openssl/Makefile
index e5fdfb5..7297173 100644
--- a/drivers/crypto/openssl/Makefile
+++ b/drivers/crypto/openssl/Makefile
@@ -35,6 +35,7 @@ LIB = librte_pmd_openssl.a
 
 # build flags
 CFLAGS += -O3
+CFLAGS += -I${OPENSSL_PATH}/include/
 CFLAGS += $(WERROR_FLAGS)
 
 # library version
diff --git a/mk/rte.app.mk b/mk/rte.app.mk
index c25fdd9..ed38f3b 100644
--- a/mk/rte.app.mk
+++ b/mk/rte.app.mk
@@ -151,7 +151,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -lrte_pmd_aesni_mb
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -lrte_pmd_aesni_gcm
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
-_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -lcrypto
+_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_NULL_CRYPTO) += -lrte_pmd_null_crypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_QAT)         += -lrte_pmd_qat -lcrypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_SNOW3G)      += -lrte_pmd_snow3g
-- 
2.9.3

[PATCH] crypto/openssl: performance improvements

[Akhil Goyal]

key and algo are added in the openssl ctx during
session initialization instead of adding it for
each packet.

Also in case of HMAC the openssl APIs HMAC_XXX give
better performance for all HMAC cases.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
Tested on arm and xeon machines
autotest passed with no issues,
perftest passed with improved performance numbers,
l2fwd-crypto passed with improved performance 

 drivers/crypto/openssl/rte_openssl_pmd.c         | 95 +++++++++++++++---------
 drivers/crypto/openssl/rte_openssl_pmd_private.h |  3 +-
 2 files changed, 63 insertions(+), 35 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 0bd5f98..b11a7fb 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,7 @@
 #include <rte_malloc.h>
 #include <rte_cpuflags.h>
 
+#include <openssl/hmac.h>
 #include <openssl/evp.h>
 
 #include "rte_openssl_pmd_private.h"
@@ -307,6 +308,22 @@ openssl_set_session_cipher_parameters(struct openssl_session *sess,
 
 		get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
 			sess->cipher.key.data);
+		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+			if (EVP_EncryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		} else if (sess->cipher.direction ==
+				RTE_CRYPTO_CIPHER_OP_DECRYPT) {
+			if (EVP_DecryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		}
 
 		break;
 
@@ -333,6 +350,23 @@ openssl_set_session_cipher_parameters(struct openssl_session *sess,
 
 		get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
 			sess->cipher.key.data);
+		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+			if (EVP_EncryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		} else if (sess->cipher.direction ==
+				RTE_CRYPTO_CIPHER_OP_DECRYPT) {
+			if (EVP_DecryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		}
+
 		break;
 	default:
 		sess->cipher.algo = RTE_CRYPTO_CIPHER_NULL;
@@ -403,12 +437,16 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 	case RTE_CRYPTO_AUTH_SHA512_HMAC:
 		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
-		sess->auth.hmac.ctx = EVP_MD_CTX_create();
+		HMAC_CTX_init(&sess->auth.hmac.ctx);
 		if (get_auth_algo(xform->auth.algo,
 				&sess->auth.hmac.evp_algo) != 0)
 			return -EINVAL;
-		sess->auth.hmac.pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
-				xform->auth.key.data, xform->auth.key.length);
+
+		if (HMAC_Init_ex(&sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				sess->auth.hmac.evp_algo, NULL) != 1)
+			return -EINVAL;
 		break;
 
 	default:
@@ -547,7 +585,7 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
-		EVP_MD_CTX_destroy(sess->auth.hmac.ctx);
+		HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
 		break;
 	default:
 		break;
@@ -693,12 +731,11 @@ process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
 /** Process standard openssl cipher encryption */
 static int
 process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
-		int offset, uint8_t *iv, uint8_t *key, int srclen,
-		EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+		int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
 {
 	int totlen;
 
-	if (EVP_EncryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
+	if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_cipher_encrypt_err;
 
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
@@ -743,12 +780,11 @@ process_openssl_cipher_bpi_encrypt(uint8_t *src, uint8_t *dst,
 /** Process standard openssl cipher decryption */
 static int
 process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
-		int offset, uint8_t *iv, uint8_t *key, int srclen,
-		EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+		int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
 {
 	int totlen;
 
-	if (EVP_DecryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
+	if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_cipher_decrypt_err;
 
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
@@ -971,10 +1007,9 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
-		__rte_unused uint8_t *iv, EVP_PKEY *pkey,
-		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
+		int srclen, HMAC_CTX *ctx)
 {
-	size_t dstlen;
+	unsigned int dstlen;
 	struct rte_mbuf *m;
 	int l, n = srclen;
 	uint8_t *src;
@@ -986,19 +1021,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	if (m == 0)
 		goto process_auth_err;
 
-	if (EVP_DigestSignInit(ctx, NULL, algo, NULL, pkey) <= 0)
-		goto process_auth_err;
-
 	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
 
 	l = rte_pktmbuf_data_len(m) - offset;
 	if (srclen <= l) {
-		if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
+		if (HMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
 			goto process_auth_err;
 		goto process_auth_final;
 	}
 
-	if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+	if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
 		goto process_auth_err;
 
 	n -= l;
@@ -1006,13 +1038,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
 		src = rte_pktmbuf_mtod(m, uint8_t *);
 		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
-		if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+		if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
 			goto process_auth_err;
 		n -= l;
 	}
 
 process_auth_final:
-	if (EVP_DigestSignFinal(ctx, dst, &dstlen) <= 0)
+	if (HMAC_Final(ctx, dst, &dstlen) != 1)
+		goto process_auth_err;
+
+	if (unlikely(HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) != 1))
 		goto process_auth_err;
 
 	return 0;
@@ -1122,15 +1157,11 @@ process_openssl_cipher_op
 		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 		else
 			status = process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 	else
 		status = process_openssl_cipher_des3ctr(mbuf_src, dst,
 				op->sym->cipher.data.offset, iv,
@@ -1174,8 +1205,7 @@ process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
 			/* Encrypt with the block aligned stream with CBC mode */
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx, sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 			if (last_block_len) {
 				/* Point at last block */
 				dst += srclen;
@@ -1225,9 +1255,7 @@ process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
 			/* Decrypt with CBC mode */
 			status |= process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 		}
 	}
 
@@ -1265,9 +1293,8 @@ process_openssl_auth_op
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		status = process_openssl_auth_hmac(mbuf_src, dst,
-				op->sym->auth.data.offset, NULL,
-				sess->auth.hmac.pkey, srclen,
-				sess->auth.hmac.ctx, sess->auth.hmac.evp_algo);
+				op->sym->auth.data.offset, srclen,
+				&sess->auth.hmac.ctx);
 		break;
 	default:
 		status = -1;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_private.h b/drivers/crypto/openssl/rte_openssl_pmd_private.h
index b7f7475..e36741e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_private.h
+++ b/drivers/crypto/openssl/rte_openssl_pmd_private.h
@@ -34,6 +34,7 @@
 #define _OPENSSL_PMD_PRIVATE_H_
 
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
 #include <openssl/des.h>
 
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
@@ -164,7 +165,7 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
-				EVP_MD_CTX *ctx;
+				HMAC_CTX ctx;
 				/**< pointer to EVP context structure */
 			} hmac;
 		};
-- 
2.9.3

Re: [PATCH] crypto/openssl: performance improvements

[De Lara Guarch, Pablo]

Hi Akhil,

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Friday, July 28, 2017 12:08 PM
> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH] crypto/openssl: performance improvements
> 
> key and algo are added in the openssl ctx during session initialization
> instead of adding it for each packet.
> 
> Also in case of HMAC the openssl APIs HMAC_XXX give better performance
> for all HMAC cases.
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>

I assume that this and the other patches are meant to be for 17.11, right?

Thanks,
Pablo

Re: [PATCH] crypto/openssl: performance improvements

[Akhil Goyal]

On 7/28/2017 5:28 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Friday, July 28, 2017 12:08 PM
>> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
>> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH] crypto/openssl: performance improvements
>>
>> key and algo are added in the openssl ctx during session initialization
>> instead of adding it for each packet.
>>
>> Also in case of HMAC the openssl APIs HMAC_XXX give better performance
>> for all HMAC cases.
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> 
> I assume that this and the other patches are meant to be for 17.11, right?
> 
yes, they are for 17.11.
But, I don't mind if these can be considered for 17.08.

-Akhil

Re: [PATCH] crypto/openssl: performance improvements

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Akhil Goyal
> Sent: Friday, July 28, 2017 1:03 PM
> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> Cc: hemant.agrawal@nxp.com
> Subject: Re: [dpdk-dev] [PATCH] crypto/openssl: performance
> improvements
> 
> On 7/28/2017 5:28 PM, De Lara Guarch, Pablo wrote:
> > Hi Akhil,
> >
> >> -----Original Message-----
> >> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> >> Sent: Friday, July 28, 2017 12:08 PM
> >> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> >> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> >> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
> >> Subject: [PATCH] crypto/openssl: performance improvements
> >>
> >> key and algo are added in the openssl ctx during session
> >> initialization instead of adding it for each packet.
> >>
> >> Also in case of HMAC the openssl APIs HMAC_XXX give better
> >> performance for all HMAC cases.
> >>
> >> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> >
> > I assume that this and the other patches are meant to be for 17.11, right?
> >
> yes, they are for 17.11.
> But, I don't mind if these can be considered for 17.08.

Unfortunately, at this stage, it is too late to include these sorts of patches in this release.
Just wanted to double check with you.

Thanks,
Pablo

> 
> -Akhil
> 
> 

Re: [PATCH] crypto/openssl: performance improvements

[De Lara Guarch, Pablo]

Hi Akhil,

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Friday, July 28, 2017 12:08 PM
> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH] crypto/openssl: performance improvements
> 
> key and algo are added in the openssl ctx during session initialization
> instead of adding it for each packet.
> 
> Also in case of HMAC the openssl APIs HMAC_XXX give better performance
> for all HMAC cases.
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>

Thanks for the patch, nice optimization!
Could you split this into two patches, as you are doing two different things here?
One for the first sentence and another one for the second sentence.
Also, as you do that, could you rename the title to be more explicit?
Like: crypto/openssl: initialize cipher key at session init

Finally, I was looking at GCM, and I think it could benefit from this.
I will send a separate patch for it, unless you want to integrate it in this patchset yourself.

Thanks,
Pablo

Re: [PATCH] crypto/openssl: performance improvements

[Akhil Goyal]

On 8/14/2017 7:47 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Friday, July 28, 2017 12:08 PM
>> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
>> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH] crypto/openssl: performance improvements
>>
>> key and algo are added in the openssl ctx during session initialization
>> instead of adding it for each packet.
>>
>> Also in case of HMAC the openssl APIs HMAC_XXX give better performance
>> for all HMAC cases.
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> 
> Thanks for the patch, nice optimization!
> Could you split this into two patches, as you are doing two different things here?
> One for the first sentence and another one for the second sentence.
> Also, as you do that, could you rename the title to be more explicit?
> Like: crypto/openssl: initialize cipher key at session init
> 
> Finally, I was looking at GCM, and I think it could benefit from this.
> I will send a separate patch for it, unless you want to integrate it in this patchset yourself.
> 

Ok I would split the patches.
For GCM I will try to incorporate in this patchset, if I get some 
performance improvement, or I would send a different patch later if some 
issue comes.

Thanks,
Akhil

Re: [PATCH] crypto/openssl: performance improvements

[De Lara Guarch, Pablo]

Hi,

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 15, 2017 7:45 AM
> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> Cc: hemant.agrawal@nxp.com
> Subject: Re: [PATCH] crypto/openssl: performance improvements
> 
> On 8/14/2017 7:47 PM, De Lara Guarch, Pablo wrote:
> > Hi Akhil,
> >
> >> -----Original Message-----
> >> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> >> Sent: Friday, July 28, 2017 12:08 PM
> >> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> >> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> >> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
> >> Subject: [PATCH] crypto/openssl: performance improvements
> >>
> >> key and algo are added in the openssl ctx during session
> >> initialization instead of adding it for each packet.
> >>
> >> Also in case of HMAC the openssl APIs HMAC_XXX give better
> >> performance for all HMAC cases.
> >>
> >> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> >
> > Thanks for the patch, nice optimization!
> > Could you split this into two patches, as you are doing two different
> things here?
> > One for the first sentence and another one for the second sentence.
> > Also, as you do that, could you rename the title to be more explicit?
> > Like: crypto/openssl: initialize cipher key at session init
> >
> > Finally, I was looking at GCM, and I think it could benefit from this.
> > I will send a separate patch for it, unless you want to integrate it in this
> patchset yourself.
> >
> 
> Ok I would split the patches.
> For GCM I will try to incorporate in this patchset, if I get some performance
> improvement, or I would send a different patch later if some issue comes.

Thanks Ahkil. Since I am working on AES-CCM for this PMD, I have the change
already done. I have seen performance improvements, but it is not as straight forward
as the cipher algorithms, because GMAC is also affected, which is in a different code path,
but requires GCM to be set.

> 
> Thanks,
> Akhil
> 

Re: [PATCH] crypto/openssl: performance improvements

[Akhil Goyal]

Hi Pablo,
On 8/15/2017 12:56 PM, De Lara Guarch, Pablo wrote:
> Hi,
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Tuesday, August 15, 2017 7:45 AM
>> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>> dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
>> Cc: hemant.agrawal@nxp.com
>> Subject: Re: [PATCH] crypto/openssl: performance improvements
>>
>> On 8/14/2017 7:47 PM, De Lara Guarch, Pablo wrote:
>>> Hi Akhil,
>>>
>>>> -----Original Message-----
>>>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>>>> Sent: Friday, July 28, 2017 12:08 PM
>>>> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
>>>> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>>>> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
>>>> Subject: [PATCH] crypto/openssl: performance improvements
>>>>
>>>> key and algo are added in the openssl ctx during session
>>>> initialization instead of adding it for each packet.
>>>>
>>>> Also in case of HMAC the openssl APIs HMAC_XXX give better
>>>> performance for all HMAC cases.
>>>>
>>>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>>>
>>> Thanks for the patch, nice optimization!
>>> Could you split this into two patches, as you are doing two different
>> things here?
>>> One for the first sentence and another one for the second sentence.
>>> Also, as you do that, could you rename the title to be more explicit?
>>> Like: crypto/openssl: initialize cipher key at session init
>>>
>>> Finally, I was looking at GCM, and I think it could benefit from this.
>>> I will send a separate patch for it, unless you want to integrate it in this
>> patchset yourself.
>>>
>>
>> Ok I would split the patches.
>> For GCM I will try to incorporate in this patchset, if I get some performance
>> improvement, or I would send a different patch later if some issue comes.
> 
> Thanks Ahkil. Since I am working on AES-CCM for this PMD, I have the change
> already done. I have seen performance improvements, but it is not as straight forward
> as the cipher algorithms, because GMAC is also affected, which is in a different code path,
> but requires GCM to be set.
> 

If you have the change and it is working fine, then you can send your 
patch, no issues in that.

Thanks,
Akhil

[PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs

[Akhil Goyal]

in case of HMAC the openssl APIs HMAC_XXX give
better performance for all HMAC cases as compared with
EVP_XXX

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
changes in v2:
patch split in two patches as per Pablo's recommendations

 drivers/crypto/openssl/rte_openssl_pmd.c         | 37 +++++++++++++-----------
 drivers/crypto/openssl/rte_openssl_pmd_private.h |  3 +-
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 0bd5f98..889d632 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,7 @@
 #include <rte_malloc.h>
 #include <rte_cpuflags.h>
 
+#include <openssl/hmac.h>
 #include <openssl/evp.h>
 
 #include "rte_openssl_pmd_private.h"
@@ -403,12 +404,16 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 	case RTE_CRYPTO_AUTH_SHA512_HMAC:
 		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
-		sess->auth.hmac.ctx = EVP_MD_CTX_create();
+		HMAC_CTX_init(&sess->auth.hmac.ctx);
 		if (get_auth_algo(xform->auth.algo,
 				&sess->auth.hmac.evp_algo) != 0)
 			return -EINVAL;
-		sess->auth.hmac.pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
-				xform->auth.key.data, xform->auth.key.length);
+
+		if (HMAC_Init_ex(&sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				sess->auth.hmac.evp_algo, NULL) != 1)
+			return -EINVAL;
 		break;
 
 	default:
@@ -547,7 +552,7 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
-		EVP_MD_CTX_destroy(sess->auth.hmac.ctx);
+		HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
 		break;
 	default:
 		break;
@@ -971,10 +976,9 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
-		__rte_unused uint8_t *iv, EVP_PKEY *pkey,
-		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
+		int srclen, HMAC_CTX *ctx)
 {
-	size_t dstlen;
+	unsigned int dstlen;
 	struct rte_mbuf *m;
 	int l, n = srclen;
 	uint8_t *src;
@@ -986,19 +990,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	if (m == 0)
 		goto process_auth_err;
 
-	if (EVP_DigestSignInit(ctx, NULL, algo, NULL, pkey) <= 0)
-		goto process_auth_err;
-
 	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
 
 	l = rte_pktmbuf_data_len(m) - offset;
 	if (srclen <= l) {
-		if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
+		if (HMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
 			goto process_auth_err;
 		goto process_auth_final;
 	}
 
-	if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+	if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
 		goto process_auth_err;
 
 	n -= l;
@@ -1006,13 +1007,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
 		src = rte_pktmbuf_mtod(m, uint8_t *);
 		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
-		if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+		if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
 			goto process_auth_err;
 		n -= l;
 	}
 
 process_auth_final:
-	if (EVP_DigestSignFinal(ctx, dst, &dstlen) <= 0)
+	if (HMAC_Final(ctx, dst, &dstlen) != 1)
+		goto process_auth_err;
+
+	if (unlikely(HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) != 1))
 		goto process_auth_err;
 
 	return 0;
@@ -1265,9 +1269,8 @@ process_openssl_auth_op
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		status = process_openssl_auth_hmac(mbuf_src, dst,
-				op->sym->auth.data.offset, NULL,
-				sess->auth.hmac.pkey, srclen,
-				sess->auth.hmac.ctx, sess->auth.hmac.evp_algo);
+				op->sym->auth.data.offset, srclen,
+				&sess->auth.hmac.ctx);
 		break;
 	default:
 		status = -1;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_private.h b/drivers/crypto/openssl/rte_openssl_pmd_private.h
index b7f7475..e36741e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_private.h
+++ b/drivers/crypto/openssl/rte_openssl_pmd_private.h
@@ -34,6 +34,7 @@
 #define _OPENSSL_PMD_PRIVATE_H_
 
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
 #include <openssl/des.h>
 
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
@@ -164,7 +165,7 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
-				EVP_MD_CTX *ctx;
+				HMAC_CTX ctx;
 				/**< pointer to EVP context structure */
 			} hmac;
 		};
-- 
2.9.3

[PATCH v2 2/2] crypto/openssl: performance improvements

[Akhil Goyal]

key and algo are added in the openssl ctx during
session initialization instead of adding it for
each packet.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 58 ++++++++++++++++++++++----------
 1 file changed, 41 insertions(+), 17 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 889d632..b11a7fb 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -308,6 +308,22 @@ openssl_set_session_cipher_parameters(struct openssl_session *sess,
 
 		get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
 			sess->cipher.key.data);
+		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+			if (EVP_EncryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		} else if (sess->cipher.direction ==
+				RTE_CRYPTO_CIPHER_OP_DECRYPT) {
+			if (EVP_DecryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		}
 
 		break;
 
@@ -334,6 +350,23 @@ openssl_set_session_cipher_parameters(struct openssl_session *sess,
 
 		get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
 			sess->cipher.key.data);
+		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+			if (EVP_EncryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		} else if (sess->cipher.direction ==
+				RTE_CRYPTO_CIPHER_OP_DECRYPT) {
+			if (EVP_DecryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		}
+
 		break;
 	default:
 		sess->cipher.algo = RTE_CRYPTO_CIPHER_NULL;
@@ -698,12 +731,11 @@ process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
 /** Process standard openssl cipher encryption */
 static int
 process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
-		int offset, uint8_t *iv, uint8_t *key, int srclen,
-		EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+		int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
 {
 	int totlen;
 
-	if (EVP_EncryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
+	if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_cipher_encrypt_err;
 
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
@@ -748,12 +780,11 @@ process_openssl_cipher_bpi_encrypt(uint8_t *src, uint8_t *dst,
 /** Process standard openssl cipher decryption */
 static int
 process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
-		int offset, uint8_t *iv, uint8_t *key, int srclen,
-		EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+		int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
 {
 	int totlen;
 
-	if (EVP_DecryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
+	if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_cipher_decrypt_err;
 
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
@@ -1126,15 +1157,11 @@ process_openssl_cipher_op
 		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 		else
 			status = process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 	else
 		status = process_openssl_cipher_des3ctr(mbuf_src, dst,
 				op->sym->cipher.data.offset, iv,
@@ -1178,8 +1205,7 @@ process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
 			/* Encrypt with the block aligned stream with CBC mode */
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx, sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 			if (last_block_len) {
 				/* Point at last block */
 				dst += srclen;
@@ -1229,9 +1255,7 @@ process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
 			/* Decrypt with CBC mode */
 			status |= process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 		}
 	}
 
-- 
2.9.3

[PATCH v2] crypto/openssl: add openssl path for cross compile

[Akhil Goyal]

OPENSSL_PATH should be defined in case openssl
driver is cross compiled

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
changes in v2:
made changes to support shared build also.

 doc/guides/cryptodevs/openssl.rst | 4 ++++
 drivers/crypto/openssl/Makefile   | 3 ++-
 mk/rte.app.mk                     | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst
index f18a456..08cc9ba 100644
--- a/doc/guides/cryptodevs/openssl.rst
+++ b/doc/guides/cryptodevs/openssl.rst
@@ -88,6 +88,10 @@ sudo apt-get install libc6-dev-i386 (for i686-native-linuxapp-gcc target)
 This code was also verified on Fedora 24.
 This code was NOT yet verified on FreeBSD.
 
+In case openssl is cross compiled, openssl can be installed separately
+and path for openssl install directory can be given as
+export OPENSSL_PATH=<openssl install dir>
+
 Initialization
 --------------
 
diff --git a/drivers/crypto/openssl/Makefile b/drivers/crypto/openssl/Makefile
index e5fdfb5..2781a76 100644
--- a/drivers/crypto/openssl/Makefile
+++ b/drivers/crypto/openssl/Makefile
@@ -35,6 +35,7 @@ LIB = librte_pmd_openssl.a
 
 # build flags
 CFLAGS += -O3
+CFLAGS += -I${OPENSSL_PATH}/include/
 CFLAGS += $(WERROR_FLAGS)
 
 # library version
@@ -44,7 +45,7 @@ LIBABIVER := 1
 EXPORT_MAP := rte_pmd_openssl_version.map
 
 # external library dependencies
-LDLIBS += -lcrypto
+LDLIBS += -L${OPENSSL_PATH}/lib/ -lcrypto
 
 # library source files
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL) += rte_openssl_pmd.c
diff --git a/mk/rte.app.mk b/mk/rte.app.mk
index c25fdd9..ed38f3b 100644
--- a/mk/rte.app.mk
+++ b/mk/rte.app.mk
@@ -151,7 +151,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -lrte_pmd_aesni_mb
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -lrte_pmd_aesni_gcm
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
-_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -lcrypto
+_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_NULL_CRYPTO) += -lrte_pmd_null_crypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_QAT)         += -lrte_pmd_qat -lcrypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_SNOW3G)      += -lrte_pmd_snow3g
-- 
2.9.3

Re: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Friday, July 28, 2017 12:08 PM
> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
>  config/defconfig_arm64-dpaa2-linuxapp-gcc | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/config/defconfig_arm64-dpaa2-linuxapp-gcc
> b/config/defconfig_arm64-dpaa2-linuxapp-gcc
> index 8a42944..7de2d4e 100644
> --- a/config/defconfig_arm64-dpaa2-linuxapp-gcc
> +++ b/config/defconfig_arm64-dpaa2-linuxapp-gcc
> @@ -90,3 +90,9 @@
> CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS=2048
>  #
>  CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV=y
>  CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV_DEBUG=n
> +
> +#
> +# Compile PMD for Software backed device #
> +CONFIG_RTE_LIBRTE_PMD_OPENSSL=y
> CONFIG_RTE_LIBRTE_PMD_OPENSSL_DEBUG=n
> --
> 2.9.3

Is OpenSSL installed by default in that system, so this can be enabled by default for this target?

Pablo

Re: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 29, 2017 7:59 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
> 
> in case of HMAC the openssl APIs HMAC_XXX give better performance for
> all HMAC cases as compared with EVP_XXX
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>

Reviewed-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Re: [PATCH v2 2/2] crypto/openssl: performance improvements

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 29, 2017 7:59 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v2 2/2] crypto/openssl: performance improvements
> 
> key and algo are added in the openssl ctx during session initialization
> instead of adding it for each packet.
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>

Could you modify the title to specify what you are improving?

Apart from that,

Reviewed-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

[PATCH v3 1/2] crypto/openssl: replace evp APIs with HMAC APIs

[Akhil Goyal]

in case of HMAC the openssl APIs HMAC_XXX give
better performance for all HMAC cases as compared with
EVP_XXX

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c         | 37 +++++++++++++-----------
 drivers/crypto/openssl/rte_openssl_pmd_private.h |  3 +-
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 0bd5f98..889d632 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -39,6 +39,7 @@
 #include <rte_malloc.h>
 #include <rte_cpuflags.h>
 
+#include <openssl/hmac.h>
 #include <openssl/evp.h>
 
 #include "rte_openssl_pmd_private.h"
@@ -403,12 +404,16 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 	case RTE_CRYPTO_AUTH_SHA384_HMAC:
 	case RTE_CRYPTO_AUTH_SHA512_HMAC:
 		sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
-		sess->auth.hmac.ctx = EVP_MD_CTX_create();
+		HMAC_CTX_init(&sess->auth.hmac.ctx);
 		if (get_auth_algo(xform->auth.algo,
 				&sess->auth.hmac.evp_algo) != 0)
 			return -EINVAL;
-		sess->auth.hmac.pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
-				xform->auth.key.data, xform->auth.key.length);
+
+		if (HMAC_Init_ex(&sess->auth.hmac.ctx,
+				xform->auth.key.data,
+				xform->auth.key.length,
+				sess->auth.hmac.evp_algo, NULL) != 1)
+			return -EINVAL;
 		break;
 
 	default:
@@ -547,7 +552,7 @@ openssl_reset_session(struct openssl_session *sess)
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		EVP_PKEY_free(sess->auth.hmac.pkey);
-		EVP_MD_CTX_destroy(sess->auth.hmac.ctx);
+		HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
 		break;
 	default:
 		break;
@@ -971,10 +976,9 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
-		__rte_unused uint8_t *iv, EVP_PKEY *pkey,
-		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
+		int srclen, HMAC_CTX *ctx)
 {
-	size_t dstlen;
+	unsigned int dstlen;
 	struct rte_mbuf *m;
 	int l, n = srclen;
 	uint8_t *src;
@@ -986,19 +990,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	if (m == 0)
 		goto process_auth_err;
 
-	if (EVP_DigestSignInit(ctx, NULL, algo, NULL, pkey) <= 0)
-		goto process_auth_err;
-
 	src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
 
 	l = rte_pktmbuf_data_len(m) - offset;
 	if (srclen <= l) {
-		if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
+		if (HMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
 			goto process_auth_err;
 		goto process_auth_final;
 	}
 
-	if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+	if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
 		goto process_auth_err;
 
 	n -= l;
@@ -1006,13 +1007,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
 		src = rte_pktmbuf_mtod(m, uint8_t *);
 		l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
-		if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+		if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
 			goto process_auth_err;
 		n -= l;
 	}
 
 process_auth_final:
-	if (EVP_DigestSignFinal(ctx, dst, &dstlen) <= 0)
+	if (HMAC_Final(ctx, dst, &dstlen) != 1)
+		goto process_auth_err;
+
+	if (unlikely(HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) != 1))
 		goto process_auth_err;
 
 	return 0;
@@ -1265,9 +1269,8 @@ process_openssl_auth_op
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		status = process_openssl_auth_hmac(mbuf_src, dst,
-				op->sym->auth.data.offset, NULL,
-				sess->auth.hmac.pkey, srclen,
-				sess->auth.hmac.ctx, sess->auth.hmac.evp_algo);
+				op->sym->auth.data.offset, srclen,
+				&sess->auth.hmac.ctx);
 		break;
 	default:
 		status = -1;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_private.h b/drivers/crypto/openssl/rte_openssl_pmd_private.h
index b7f7475..e36741e 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_private.h
+++ b/drivers/crypto/openssl/rte_openssl_pmd_private.h
@@ -34,6 +34,7 @@
 #define _OPENSSL_PMD_PRIVATE_H_
 
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
 #include <openssl/des.h>
 
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
@@ -164,7 +165,7 @@ struct openssl_session {
 				/**< pointer to EVP key */
 				const EVP_MD *evp_algo;
 				/**< pointer to EVP algorithm function */
-				EVP_MD_CTX *ctx;
+				HMAC_CTX ctx;
 				/**< pointer to EVP context structure */
 			} hmac;
 		};
-- 
2.9.3

[PATCH v3 2/2] crypto/openssl: key and algo updated during session init

[Akhil Goyal]

key and algo are added in the openssl ctx during
session initialization instead of adding it for
each packet.
This would give performance improvement.

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
changes in v3:
updated patch title
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 58 ++++++++++++++++++++++----------
 1 file changed, 41 insertions(+), 17 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 889d632..b11a7fb 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -308,6 +308,22 @@ openssl_set_session_cipher_parameters(struct openssl_session *sess,
 
 		get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
 			sess->cipher.key.data);
+		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+			if (EVP_EncryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		} else if (sess->cipher.direction ==
+				RTE_CRYPTO_CIPHER_OP_DECRYPT) {
+			if (EVP_DecryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		}
 
 		break;
 
@@ -334,6 +350,23 @@ openssl_set_session_cipher_parameters(struct openssl_session *sess,
 
 		get_cipher_key(xform->cipher.key.data, sess->cipher.key.length,
 			sess->cipher.key.data);
+		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
+			if (EVP_EncryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		} else if (sess->cipher.direction ==
+				RTE_CRYPTO_CIPHER_OP_DECRYPT) {
+			if (EVP_DecryptInit_ex(sess->cipher.ctx,
+					sess->cipher.evp_algo,
+					NULL, xform->cipher.key.data,
+					NULL) != 1) {
+				return -EINVAL;
+			}
+		}
+
 		break;
 	default:
 		sess->cipher.algo = RTE_CRYPTO_CIPHER_NULL;
@@ -698,12 +731,11 @@ process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
 /** Process standard openssl cipher encryption */
 static int
 process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
-		int offset, uint8_t *iv, uint8_t *key, int srclen,
-		EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+		int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
 {
 	int totlen;
 
-	if (EVP_EncryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
+	if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_cipher_encrypt_err;
 
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
@@ -748,12 +780,11 @@ process_openssl_cipher_bpi_encrypt(uint8_t *src, uint8_t *dst,
 /** Process standard openssl cipher decryption */
 static int
 process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
-		int offset, uint8_t *iv, uint8_t *key, int srclen,
-		EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+		int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
 {
 	int totlen;
 
-	if (EVP_DecryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
+	if (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
 		goto process_cipher_decrypt_err;
 
 	EVP_CIPHER_CTX_set_padding(ctx, 0);
@@ -1126,15 +1157,11 @@ process_openssl_cipher_op
 		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 		else
 			status = process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 	else
 		status = process_openssl_cipher_des3ctr(mbuf_src, dst,
 				op->sym->cipher.data.offset, iv,
@@ -1178,8 +1205,7 @@ process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
 			/* Encrypt with the block aligned stream with CBC mode */
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx, sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 			if (last_block_len) {
 				/* Point at last block */
 				dst += srclen;
@@ -1229,9 +1255,7 @@ process_openssl_docsis_bpi_op(struct rte_crypto_op *op,
 			/* Decrypt with CBC mode */
 			status |= process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					sess->cipher.key.data, srclen,
-					sess->cipher.ctx,
-					sess->cipher.evp_algo);
+					srclen, sess->cipher.ctx);
 		}
 	}
 
-- 
2.9.3

Re: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[Akhil Goyal]

Hi Pablo,
On 9/4/2017 8:18 PM, De Lara Guarch, Pablo wrote:
> 
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Friday, July 28, 2017 12:08 PM
>> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
>> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
>> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
>>   config/defconfig_arm64-dpaa2-linuxapp-gcc | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/config/defconfig_arm64-dpaa2-linuxapp-gcc
>> b/config/defconfig_arm64-dpaa2-linuxapp-gcc
>> index 8a42944..7de2d4e 100644
>> --- a/config/defconfig_arm64-dpaa2-linuxapp-gcc
>> +++ b/config/defconfig_arm64-dpaa2-linuxapp-gcc
>> @@ -90,3 +90,9 @@
>> CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS=2048
>>   #
>>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV=y
>>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV_DEBUG=n
>> +
>> +#
>> +# Compile PMD for Software backed device #
>> +CONFIG_RTE_LIBRTE_PMD_OPENSSL=y
>> CONFIG_RTE_LIBRTE_PMD_OPENSSL_DEBUG=n
>> --
>> 2.9.3
> 
> Is OpenSSL installed by default in that system, so this can be enabled by default for this target?
> 
yes this is installed by default.

-Akhil

Re: [PATCH v2] crypto/openssl: add openssl path for cross compile

[De Lara Guarch, Pablo]

Hi Akhil,

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 29, 2017 8:02 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v2] crypto/openssl: add openssl path for cross compile
> 
> OPENSSL_PATH should be defined in case openssl driver is cross compiled
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---

...

> --- a/mk/rte.app.mk
> +++ b/mk/rte.app.mk
> @@ -151,7 +151,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)
> += -lrte_pmd_aesni_mb
>  _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -
> L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
>  _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -
> lrte_pmd_aesni_gcm
>  _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -
> L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
> -_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -
> lcrypto
> +_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -
> L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto

I am getting the following messages when compiling:

/usr/bin/ld: skipping incompatible /lib/libcrypto.so when searching for -lcrypto
/usr/bin/ld: skipping incompatible /lib/librt.so when searching for -lrt
/usr/bin/ld: skipping incompatible /lib/libm.so when searching for -lm

Since, OPENSSL_PATH is not defined in my system, it is trying to link against libraries in /lib/.
I suggest adding a condition to add the openssl directory only if OPENSSL_PATH is defined:

+ifeq ($(OPENSSL_PATH),)
+_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -lcrypto
+else
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto
+endif

Would this work for you?

Thanks,
Pablo

Re: [PATCH v2] crypto/openssl: add openssl path for cross compile

[Akhil Goyal]

Hi Pablo,
On 9/5/2017 1:52 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Tuesday, August 29, 2017 8:02 AM
>> To: dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>
>> Cc: hemant.agrawal@nxp.com; Doherty, Declan
>> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH v2] crypto/openssl: add openssl path for cross compile
>>
>> OPENSSL_PATH should be defined in case openssl driver is cross compiled
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
> 
> ...
> 
>> --- a/mk/rte.app.mk
>> +++ b/mk/rte.app.mk
>> @@ -151,7 +151,7 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)
>> += -lrte_pmd_aesni_mb
>>   _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -
>> L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
>>   _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -
>> lrte_pmd_aesni_gcm
>>   _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -
>> L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
>> -_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -
>> lcrypto
>> +_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -
>> L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto
> 
> I am getting the following messages when compiling:
> 
> /usr/bin/ld: skipping incompatible /lib/libcrypto.so when searching for -lcrypto
> /usr/bin/ld: skipping incompatible /lib/librt.so when searching for -lrt
> /usr/bin/ld: skipping incompatible /lib/libm.so when searching for -lm
> 
> Since, OPENSSL_PATH is not defined in my system, it is trying to link against libraries in /lib/.
> I suggest adding a condition to add the openssl directory only if OPENSSL_PATH is defined:
> 
> +ifeq ($(OPENSSL_PATH),)
> +_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -lcrypto
> +else
>   _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto
> +endif
> 
> Would this work for you?
> 
Thanks for the suggestion.
yes this would be fine. I will update the patch accordingly.

-Akhil

[PATCH v3] crypto/openssl: add openssl path for cross compile

[Akhil Goyal]

OPENSSL_PATH should be defined in case openssl
driver is cross compiled

Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
changes in v3:
make OPENSSL_PATH usage conditional if it is not set as suggested by Pablo
 doc/guides/cryptodevs/openssl.rst | 4 ++++
 drivers/crypto/openssl/Makefile   | 7 +++++++
 mk/rte.app.mk                     | 4 ++++
 3 files changed, 15 insertions(+)

diff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst
index f18a456..08cc9ba 100644
--- a/doc/guides/cryptodevs/openssl.rst
+++ b/doc/guides/cryptodevs/openssl.rst
@@ -88,6 +88,10 @@ sudo apt-get install libc6-dev-i386 (for i686-native-linuxapp-gcc target)
 This code was also verified on Fedora 24.
 This code was NOT yet verified on FreeBSD.
 
+In case openssl is cross compiled, openssl can be installed separately
+and path for openssl install directory can be given as
+export OPENSSL_PATH=<openssl install dir>
+
 Initialization
 --------------
 
diff --git a/drivers/crypto/openssl/Makefile b/drivers/crypto/openssl/Makefile
index e5fdfb5..a6f13e0 100644
--- a/drivers/crypto/openssl/Makefile
+++ b/drivers/crypto/openssl/Makefile
@@ -35,6 +35,9 @@ LIB = librte_pmd_openssl.a
 
 # build flags
 CFLAGS += -O3
+ifneq ($(OPENSSL_PATH),)
+CFLAGS += -I${OPENSSL_PATH}/include/
+endif
 CFLAGS += $(WERROR_FLAGS)
 
 # library version
@@ -44,7 +47,11 @@ LIBABIVER := 1
 EXPORT_MAP := rte_pmd_openssl_version.map
 
 # external library dependencies
+ifneq ($(OPENSSL_PATH),)
+LDLIBS += -L${OPENSSL_PATH}/lib/ -lcrypto
+else
 LDLIBS += -lcrypto
+endif
 
 # library source files
 SRCS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL) += rte_openssl_pmd.c
diff --git a/mk/rte.app.mk b/mk/rte.app.mk
index c25fdd9..799aa99 100644
--- a/mk/rte.app.mk
+++ b/mk/rte.app.mk
@@ -151,7 +151,11 @@ _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -lrte_pmd_aesni_mb
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_MB)    += -L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -lrte_pmd_aesni_gcm
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_AESNI_GCM)   += -L$(AESNI_MULTI_BUFFER_LIB_PATH) -lIPSec_MB
+ifeq ($(OPENSSL_PATH),)
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -lrte_pmd_openssl -lcrypto
+else
+_LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_OPENSSL)     += -L${OPENSSL_PATH}/lib -lrte_pmd_openssl -lcrypto
+endif # ($(OPENSSL_PATH),)
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_NULL_CRYPTO) += -lrte_pmd_null_crypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_QAT)         += -lrte_pmd_qat -lcrypto
 _LDLIBS-$(CONFIG_RTE_LIBRTE_PMD_SNOW3G)      += -lrte_pmd_snow3g
-- 
2.9.3

Re: [PATCH v3] crypto/openssl: add openssl path for cross compile

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, September 5, 2017 10:03 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v3] crypto/openssl: add openssl path for cross compile
> 
> OPENSSL_PATH should be defined in case openssl driver is cross compiled
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>

Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Re: [PATCH v3] crypto/openssl: add openssl path for cross compile

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: De Lara Guarch, Pablo
> Sent: Wednesday, September 6, 2017 10:27 AM
> To: 'Akhil Goyal' <akhil.goyal@nxp.com>; dev@dpdk.org
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>
> Subject: RE: [PATCH v3] crypto/openssl: add openssl path for cross compile
> 
> 
> 
> > -----Original Message-----
> > From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> > Sent: Tuesday, September 5, 2017 10:03 AM
> > To: dev@dpdk.org; De Lara Guarch, Pablo
> > <pablo.de.lara.guarch@intel.com>
> > Cc: hemant.agrawal@nxp.com; Doherty, Declan
> > <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> > Subject: [PATCH v3] crypto/openssl: add openssl path for cross compile
> >
> > OPENSSL_PATH should be defined in case openssl driver is cross
> > compiled
> >
> > Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> 
> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>

Applied to dpdk-next-crypto.
Thanks,

Pablo

Re: [PATCH v3 2/2] crypto/openssl: key and algo updated during session init

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, September 5, 2017 6:58 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v3 2/2] crypto/openssl: key and algo updated during
> session init
> 
> key and algo are added in the openssl ctx during session initialization
> instead of adding it for each packet.
> This would give performance improvement.
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> Reviewed-by: Pablo de Lara <pablo.de.lara.guarch@intel.com> changes in
> v3:
> updated patch title

Applied to dpdk-next-crypto.
Thanks,

Pablo

Re: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, September 5, 2017 6:59 AM
> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> Cc: hemant.agrawal@nxp.com
> Subject: Re: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc
> 
> Hi Pablo,
> On 9/4/2017 8:18 PM, De Lara Guarch, Pablo wrote:
> >
> >
> >> -----Original Message-----
> >> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> >> Sent: Friday, July 28, 2017 12:08 PM
> >> To: dev@dpdk.org; Doherty, Declan <declan.doherty@intel.com>
> >> Cc: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>;
> >> hemant.agrawal@nxp.com; Akhil Goyal <akhil.goyal@nxp.com>
> >> Subject: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc
> >>
> >> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> >> ---
> >>   config/defconfig_arm64-dpaa2-linuxapp-gcc | 6 ++++++
> >>   1 file changed, 6 insertions(+)
> >>
> >> diff --git a/config/defconfig_arm64-dpaa2-linuxapp-gcc
> >> b/config/defconfig_arm64-dpaa2-linuxapp-gcc
> >> index 8a42944..7de2d4e 100644
> >> --- a/config/defconfig_arm64-dpaa2-linuxapp-gcc
> >> +++ b/config/defconfig_arm64-dpaa2-linuxapp-gcc
> >> @@ -90,3 +90,9 @@
> >> CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS=2048
> >>   #
> >>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV=y
> >>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV_DEBUG=n
> >> +
> >> +#
> >> +# Compile PMD for Software backed device #
> >> +CONFIG_RTE_LIBRTE_PMD_OPENSSL=y
> >> CONFIG_RTE_LIBRTE_PMD_OPENSSL_DEBUG=n
> >> --
> >> 2.9.3
> >
> > Is OpenSSL installed by default in that system, so this can be enabled by
> default for this target?
> >
> yes this is installed by default.

Thanks for the reply.

Applied to dpdk-next-crypto.
Thanks,

Pablo
> 
> -Akhil

Re: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs

[De Lara Guarch, Pablo]

Hi Akhil,

> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 29, 2017 7:59 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
> 
> in case of HMAC the openssl APIs HMAC_XXX give better performance for
> all HMAC cases as compared with EVP_XXX
> 
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
> changes in v2:
> patch split in two patches as per Pablo's recommendations
> 
>  drivers/crypto/openssl/rte_openssl_pmd.c         | 37 +++++++++++++-------

I just come across an issue with this patch on openssl 1.1.0 (below).
Unfortunately, I have already applied the patch in the subtree, but if you could send a patch to fix this,
I can integrate as part of that patch.

Thanks,
Pablo

drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
     HMAC_CTX ctx;
              ^~~
In file included from drivers/crypto/openssl/rte_openssl_pmd_ops.c:39:0:
drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
     HMAC_CTX ctx;
              ^~~
drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_set_session_auth_parameters':
drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: implicit declaration of function 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'? [-Werror=implicit-function-declaration]
   HMAC_CTX_init(&sess->auth.hmac.ctx);
   ^~~~~~~~~~~~~
   HMAC_CTX_new

drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: nested extern declaration of 'HMAC_CTX_init' [-Werror=nested-externs]
make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd_ops.o] Error 1
make[4]: *** Waiting for unfinished jobs....
drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_reset_session':
drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: implicit declaration of function 'HMAC_CTX_cleanup'; did you mean 'HMAC_CTX_get_md'? [-Werror=implicit-function-declaration]
   HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
   ^~~~~~~~~~~~~~~~
   HMAC_CTX_get_md
drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: nested extern declaration of 'HMAC_CTX_cleanup' [-Werror=nested-externs]
cc1: all warnings being treated as errors
make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd.o] Error 1

Re: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs

[Akhil Goyal]

Hi Pablo,
On 9/8/2017 7:33 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Tuesday, August 29, 2017 7:59 AM
>> To: dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>
>> Cc: hemant.agrawal@nxp.com; Doherty, Declan
>> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
>>
>> in case of HMAC the openssl APIs HMAC_XXX give better performance for
>> all HMAC cases as compared with EVP_XXX
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
>> changes in v2:
>> patch split in two patches as per Pablo's recommendations
>>
>>   drivers/crypto/openssl/rte_openssl_pmd.c         | 37 +++++++++++++-------
> 
> I just come across an issue with this patch on openssl 1.1.0 (below).
> Unfortunately, I have already applied the patch in the subtree, but if you could send a patch to fix this,
> I can integrate as part of that patch.
> 
> Thanks,
> Pablo
> 
> drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
>       HMAC_CTX ctx;
>                ^~~
> In file included from drivers/crypto/openssl/rte_openssl_pmd_ops.c:39:0:
> drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
>       HMAC_CTX ctx;
>                ^~~
> drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_set_session_auth_parameters':
> drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: implicit declaration of function 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'? [-Werror=implicit-function-declaration]
>     HMAC_CTX_init(&sess->auth.hmac.ctx);
>     ^~~~~~~~~~~~~
>     HMAC_CTX_new
> 
> drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: nested extern declaration of 'HMAC_CTX_init' [-Werror=nested-externs]
> make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd_ops.o] Error 1
> make[4]: *** Waiting for unfinished jobs....
> drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_reset_session':
> drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: implicit declaration of function 'HMAC_CTX_cleanup'; did you mean 'HMAC_CTX_get_md'? [-Werror=implicit-function-declaration]
>     HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
>     ^~~~~~~~~~~~~~~~
>     HMAC_CTX_get_md
> drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: nested extern declaration of 'HMAC_CTX_cleanup' [-Werror=nested-externs]
> cc1: all warnings being treated as errors
> make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd.o] Error 1
> 

I will look into this and will send the patch ASAP.

Regards,
Akhil

Re: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs

[Akhil Goyal]

Hi Pablo,

On 9/8/2017 7:33 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
> 
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Tuesday, August 29, 2017 7:59 AM
>> To: dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>
>> Cc: hemant.agrawal@nxp.com; Doherty, Declan
>> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
>>
>> in case of HMAC the openssl APIs HMAC_XXX give better performance for
>> all HMAC cases as compared with EVP_XXX
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
>> changes in v2:
>> patch split in two patches as per Pablo's recommendations
>>
>>   drivers/crypto/openssl/rte_openssl_pmd.c         | 37 +++++++++++++-------
> 
> I just come across an issue with this patch on openssl 1.1.0 (below).
> Unfortunately, I have already applied the patch in the subtree, but if you could send a patch to fix this,
> I can integrate as part of that patch.
> 
I have sent a patch to fix this.
http://dpdk.org/dev/patchwork/patch/28995/

Thanks,
Akhil

Re: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[Thomas Monjalon]

06/09/2017 12:25, De Lara Guarch, Pablo:
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> > 
> > Hi Pablo,
> > On 9/4/2017 8:18 PM, De Lara Guarch, Pablo wrote:
> > > From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> > >> --- a/config/defconfig_arm64-dpaa2-linuxapp-gcc
> > >> +++ b/config/defconfig_arm64-dpaa2-linuxapp-gcc
> > >> @@ -90,3 +90,9 @@
> > >> CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS=2048
> > >>   #
> > >>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV=y
> > >>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV_DEBUG=n
> > >> +
> > >> +#
> > >> +# Compile PMD for Software backed device #
> > >> +CONFIG_RTE_LIBRTE_PMD_OPENSSL=y
> > >> CONFIG_RTE_LIBRTE_PMD_OPENSSL_DEBUG=n
> > >> --
> > >> 2.9.3
> > >
> > > Is OpenSSL installed by default in that system, so this can be enabled by
> > default for this target?
> > >
> > yes this is installed by default.
> 
> Thanks for the reply.
> 
> Applied to dpdk-next-crypto.
> Thanks,

Where is it installed by default?
On your machine? In your build system?
It is at least not installed on my machine when I compile this target.

This file is a defconfig, not your preferred config.

This patch should be dropped.

Re: [PATCH v3] crypto/openssl: add openssl path for cross compile

[Thomas Monjalon]

05/09/2017 11:02, Akhil Goyal:
> OPENSSL_PATH should be defined in case openssl
> driver is cross compiled

No: in case OpenSSL cannot be found automatically,
you should use EXTRA_CFLAGS and EXTRA_LDFLAGS.

It is the same for other standard dependencies like
libnuma, libpcap, libzip, etc.

Re: [PATCH v3] crypto/openssl: add openssl path for cross compile

[Hemant Agrawal]

On 10/12/2017 6:36 PM, Thomas Monjalon wrote:
> 05/09/2017 11:02, Akhil Goyal:
>> OPENSSL_PATH should be defined in case openssl
>> driver is cross compiled
>
> No: in case OpenSSL cannot be found automatically,
> you should use EXTRA_CFLAGS and EXTRA_LDFLAGS.
>
> It is the same for other standard dependencies like
> libnuma, libpcap, libzip, etc.
>
Pablo/Thomas,
	We are ok to drop this patch.

Regards,
Hemant

Re: [PATCH] config: add openssl in arm64-dpaa2-linuxapp-gcc

[Hemant Agrawal]

On 10/12/2017 6:31 PM, Thomas Monjalon wrote:
> 06/09/2017 12:25, De Lara Guarch, Pablo:
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>>>
>>> Hi Pablo,
>>> On 9/4/2017 8:18 PM, De Lara Guarch, Pablo wrote:
>>>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>>>>> --- a/config/defconfig_arm64-dpaa2-linuxapp-gcc
>>>>> +++ b/config/defconfig_arm64-dpaa2-linuxapp-gcc
>>>>> @@ -90,3 +90,9 @@
>>>>> CONFIG_RTE_DPAA2_SEC_PMD_MAX_NB_SESSIONS=2048
>>>>>   #
>>>>>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV=y
>>>>>   CONFIG_RTE_LIBRTE_PMD_DPAA2_EVENTDEV_DEBUG=n
>>>>> +
>>>>> +#
>>>>> +# Compile PMD for Software backed device #
>>>>> +CONFIG_RTE_LIBRTE_PMD_OPENSSL=y
>>>>> CONFIG_RTE_LIBRTE_PMD_OPENSSL_DEBUG=n
>>>>> --
>>>>> 2.9.3
>>>>
>>>> Is OpenSSL installed by default in that system, so this can be enabled by
>>> default for this target?
>>>>
>>> yes this is installed by default.
>>
>> Thanks for the reply.
>>
>> Applied to dpdk-next-crypto.
>> Thanks,
>
> Where is it installed by default?
> On your machine? In your build system?
> It is at least not installed on my machine when I compile this target.
>
> This file is a defconfig, not your preferred config.
>
> This patch should be dropped.
>
ok to drop.

Re: [PATCH v3] crypto/openssl: add openssl path for cross compile

[Thomas Monjalon]

12/10/2017 15:31, Hemant Agrawal:
> On 10/12/2017 6:36 PM, Thomas Monjalon wrote:
> > 05/09/2017 11:02, Akhil Goyal:
> >> OPENSSL_PATH should be defined in case openssl
> >> driver is cross compiled
> >
> > No: in case OpenSSL cannot be found automatically,
> > you should use EXTRA_CFLAGS and EXTRA_LDFLAGS.
> >
> > It is the same for other standard dependencies like
> > libnuma, libpcap, libzip, etc.
> >
> Pablo/Thomas,
> 	We are ok to drop this patch.

OK, thanks a lot for confirming. Appreciated