[dpdk-dev] [PATCH v3 5/6] crypto/openssl: add asym crypto support

Shally Verma shally.verma at caviumnetworks.com
Wed May 16 08:05:12 CEST 2018


Add asymmetric crypto operation support in openssl PMD.
Current list of supported asym xforms:
* RSA
* DSA
* Deffie-hellman
* Modular Operations

changes from v2:
- Update the pmd capability as per new capability structure

changes from v1:
- resolve new line error in dod/guides/cryptodevs/openssl.rst

Signed-off-by: Shally Verma <shally.verma at caviumnetworks.com>
Signed-off-by: Sunila Sahu <sunila.sahu at caviumnetworks.com>
Signed-off-by: Ashish Gupta <ashish.gupta at caviumnetworks.com>
---
 doc/guides/cryptodevs/features/openssl.ini       |  11 +
 doc/guides/cryptodevs/openssl.rst                |   1 +
 drivers/crypto/openssl/rte_openssl_pmd.c         | 377 ++++++++++++++++++++-
 drivers/crypto/openssl/rte_openssl_pmd_ops.c     | 395 ++++++++++++++++++++++-
 drivers/crypto/openssl/rte_openssl_pmd_private.h |  29 ++
 5 files changed, 801 insertions(+), 12 deletions(-)

diff --git a/doc/guides/cryptodevs/features/openssl.ini b/doc/guides/cryptodevs/features/openssl.ini
index 691565865..bef5c7f79 100644
--- a/doc/guides/cryptodevs/features/openssl.ini
+++ b/doc/guides/cryptodevs/features/openssl.ini
@@ -7,6 +7,7 @@
 Symmetric crypto       = Y
 Sym operation chaining = Y
 Mbuf scatter gather    = Y
+Asymmetric crypto	   = Y
 
 ;
 ; Supported crypto algorithms of the 'openssl' crypto driver.
@@ -49,3 +50,13 @@ AES GCM (256) = Y
 AES CCM (128) = Y
 AES CCM (192) = Y
 AES CCM (256) = Y
+
+;
+; Supported Asymmetric algorithms of the 'openssl' crypto driver.
+;
+[Asymmetric]
+RSA = Y
+DSA = Y
+Modular Exponentiation = Y
+Modular Inversion = Y
+Deffie-hellman = Y
diff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst
index 427fc807c..4f90be888 100644
--- a/doc/guides/cryptodevs/openssl.rst
+++ b/doc/guides/cryptodevs/openssl.rst
@@ -80,6 +80,7 @@ crypto processing.
 
 Test name is cryptodev_openssl_autotest.
 For performance test cryptodev_openssl_perftest can be used.
+For asymmetric crypto operations testing, run cryptodev_openssl_asym_autotest
 
 To verify real traffic l2fwd-crypto example can be used with this command:
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index f584d0d6f..527e42773 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -727,19 +727,35 @@ openssl_reset_session(struct openssl_session *sess)
 }
 
 /** Provide session for operation */
-static struct openssl_session *
+static void  *
 get_session(struct openssl_qp *qp, struct rte_crypto_op *op)
 {
 	struct openssl_session *sess = NULL;
+	struct openssl_asym_session *asym_sess = NULL;
 
 	if (op->sess_type == RTE_CRYPTO_OP_WITH_SESSION) {
-		/* get existing session */
-		if (likely(op->sym->session != NULL))
-			sess = (struct openssl_session *)
-					get_session_private_data(
-					op->sym->session,
-					cryptodev_driver_id);
+		if (op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC) {
+			/* get existing session */
+			if (likely(op->sym->session != NULL))
+				sess = (struct openssl_session *)
+						get_session_private_data(
+						op->sym->session,
+						cryptodev_driver_id);
+		} else {
+			if (likely(op->asym->session != NULL))
+				asym_sess = (struct openssl_asym_session *)
+						get_asym_session_private_data(
+						op->asym->session,
+						cryptodev_driver_id);
+			if (asym_sess == NULL)
+				op->status =
+					RTE_CRYPTO_OP_STATUS_INVALID_SESSION;
+			return asym_sess;
+		}
 	} else {
+		if (op->type == RTE_CRYPTO_OP_TYPE_ASYMMETRIC)
+			return NULL; /* sessionless asymmetric not supported */
+
 		/* provide internal session */
 		void *_sess = NULL;
 		void *_sess_private_data = NULL;
@@ -1525,6 +1541,341 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		op->status = RTE_CRYPTO_OP_STATUS_ERROR;
 }
 
+static int process_openssl_modinv_op(struct rte_crypto_op *cop,
+				  struct openssl_asym_session *sess)
+{
+	struct rte_crypto_asym_op *op = cop->asym;
+	BIGNUM *base = BN_CTX_get(sess->u.m.ctx);
+	BIGNUM *res = BN_CTX_get(sess->u.m.ctx);
+
+	if (unlikely(base == NULL || res == NULL)) {
+		if (base)
+			BN_free(base);
+		if (res)
+			BN_free(res);
+		cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+		return -1;
+	}
+
+	base = BN_bin2bn((const unsigned char *)op->modinv.base.data,
+					  op->modinv.base.length, base);
+
+	if (BN_mod_inverse(res, base, sess->u.m.modulus, sess->u.m.ctx)) {
+		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+		op->modinv.base.length = BN_bn2bin(res, op->modinv.base.data);
+	} else {
+		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	}
+
+	return 0;
+}
+
+static int process_openssl_modexp_op(struct rte_crypto_op *cop,
+				  struct openssl_asym_session *sess)
+{
+	struct rte_crypto_asym_op *op = cop->asym;
+	BIGNUM *base = BN_CTX_get(sess->u.e.ctx);
+	BIGNUM *res = BN_CTX_get(sess->u.e.ctx);
+
+	if (unlikely(base == NULL || res == NULL)) {
+		if (base)
+			BN_free(base);
+		if (res)
+			BN_free(res);
+		cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+		return -1;
+	}
+
+	base = BN_bin2bn((const unsigned char *)op->modinv.base.data,
+					  op->modinv.base.length, base);
+
+	if (BN_mod_exp(res, base, sess->u.e.exp,
+				sess->u.e.mod, sess->u.e.ctx)) {
+		op->modinv.base.length = BN_bn2bin(res, op->modinv.base.data);
+		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+	} else {
+		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	}
+
+	return 0;
+}
+
+/* process rsa operations */
+static int process_openssl_rsa_op(struct rte_crypto_op *cop,
+				  struct openssl_asym_session *sess)
+{
+	int ret = 0;
+	struct rte_crypto_asym_op *op = cop->asym;
+	RSA *rsa = sess->u.r.rsa;
+	uint32_t pad = (op->rsa.pad);
+
+	switch (pad) {
+	case RTE_CRYPTO_RSA_PKCS1_V1_5_BT1:
+	case RTE_CRYPTO_RSA_PKCS1_V1_5_BT2:
+		pad = RSA_PKCS1_PADDING;
+		break;
+	case RTE_CRYPTO_RSA_PADDING_PSS:
+		pad = RSA_PKCS1_PSS_PADDING;
+		/* fall through */
+	case RTE_CRYPTO_RSA_PADDING_OAEP:
+		pad = RSA_PKCS1_OAEP_PADDING;
+		/* fall through */
+	default:
+		pad = RSA_NO_PADDING;
+		break;
+	}
+
+	switch (op->rsa.op_type) {
+	case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+		ret = RSA_public_encrypt(op->rsa.message.length,
+							op->rsa.message.data,
+							op->rsa.message.data,
+							rsa,
+							pad);
+
+		op->rsa.message.length = ret;
+		OPENSSL_LOG_DBG("length of encrypted text %d\n", ret);
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_DECRYPT:
+		ret = RSA_private_decrypt(op->rsa.message.length,
+							op->rsa.message.data,
+							op->rsa.message.data,
+							rsa,
+							pad);
+		op->rsa.message.length = ret;
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_SIGN:
+		ret = RSA_private_encrypt(op->rsa.message.length,
+							op->rsa.message.data,
+							op->rsa.sign.data,
+							rsa,
+							pad);
+		op->rsa.sign.length = ret;
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_VERIFY:
+		ret = RSA_public_decrypt(op->rsa.sign.length,
+							op->rsa.sign.data,
+							op->rsa.sign.data,
+							rsa,
+							pad);
+
+		OPENSSL_LOG_DBG(
+			"Length of public_decrypt %d length of message %d\n",
+			ret, op->rsa.message.length);
+
+		if (memcmp(op->rsa.sign.data, op->rsa.message.data,
+					op->rsa.message.length)) {
+			OPENSSL_LOG_ERR("RSA sign Verification failed");
+			ret = -1;
+		}
+		break;
+	default:
+			/* allow ops with invalid args to be pushed to
+			 * completion queue
+			 */
+			cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+		break;
+	}
+
+	if (ret < 0) {
+		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+		ret = 0;
+	}
+
+	ret = 0;
+	return ret;
+}
+
+static int
+process_openssl_dh_op(struct rte_crypto_op *cop,
+		      struct openssl_asym_session *sess)
+{
+	struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+	DH *dh_key = sess->u.dh.dh_key;
+
+	if (sess->u.dh.key_op &
+	   (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+		BIGNUM *peer_key = NULL;
+
+		/* copy private key and peer key and compute shared secret */
+		peer_key = BN_bin2bn(op->pub_key.data,
+				     op->pub_key.length,
+				     peer_key);
+		if (peer_key == NULL) {
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+			return 0;
+		}
+		dh_key->priv_key = BN_bin2bn(op->priv_key.data,
+					     op->priv_key.length,
+					     dh_key->priv_key);
+		op->shared_secret.length = DH_compute_key(
+					op->shared_secret.data,
+					peer_key, dh_key);
+		if (!(op->shared_secret.length)) {
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+			BN_free(peer_key);
+			return 0;
+		}
+		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+		BN_free(peer_key);
+		return 0;
+	}
+
+	if ((sess->u.dh.key_op &
+	    (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) &&
+	    !(sess->u.dh.key_op &
+	    (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) {
+		/* generate public key using user-pass private key */
+		dh_key->priv_key = BN_bin2bn(op->priv_key.data,
+					     op->priv_key.length,
+					     dh_key->priv_key);
+		if (dh_key->priv_key == NULL) {
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+			return 0;
+		}
+	}
+
+	/* generate public and private key pair */
+	if (!DH_generate_key(dh_key)) {
+		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+		return 0;
+	}
+
+	if (sess->u.dh.key_op &
+	  (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) {
+		OPENSSL_LOG_DBG("%s:%d updated priv key\n",
+				__func__, __LINE__);
+
+		op->priv_key.length = BN_bn2bin(dh_key->priv_key,
+						op->priv_key.data);
+	}
+
+	if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) {
+		OPENSSL_LOG_DBG("%s:%d update public key\n",
+				__func__, __LINE__);
+
+		op->pub_key.length = BN_bn2bin(dh_key->pub_key,
+					       op->pub_key.data);
+	}
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+	return 0;
+}
+
+static int
+process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
+			     struct openssl_asym_session *sess)
+{
+	struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+	DSA *dsa = sess->u.s.dsa;
+	DSA_SIG *sign;
+
+	sign = DSA_do_sign(op->message.data,
+			   op->message.length,
+			   dsa);
+
+	if (sign == NULL) {
+		OPENSSL_LOG_ERR("%s:%d\n", __func__, __LINE__);
+		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	} else {
+		op->r.length = BN_bn2bin(sign->r, op->r.data);
+		op->s.length = BN_bn2bin(sign->s, op->s.data);
+		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+	}
+
+	DSA_SIG_free(sign);
+	return 0;
+}
+
+static int
+process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
+			       struct openssl_asym_session *sess)
+{
+	struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+	DSA *dsa = sess->u.s.dsa;
+	int ret;
+	DSA_SIG *sign = DSA_SIG_new();
+
+	if (sign == NULL) {
+		OPENSSL_LOG_ERR(" %s:%d\n", __func__, __LINE__);
+		return -1;
+	}
+
+	sign->r = BN_bin2bn(op->r.data,
+			    op->r.length,
+			    sign->r);
+	sign->s = BN_bin2bn(op->s.data,
+			    op->s.length,
+			    sign->s);
+
+	dsa->pub_key = BN_bin2bn(op->y.data,
+			    op->y.length,
+			    dsa->pub_key);
+
+	ret = DSA_do_verify(op->message.data,
+			    op->message.length,
+			    sign,
+			    dsa);
+
+	if (ret != 1)
+		cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	else
+		cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+	DSA_SIG_free(sign);
+
+	return 0;
+}
+
+
+static int
+process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
+		struct openssl_asym_session *sess)
+{
+	int retval = 0;
+
+	op->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+
+	switch (sess->xfrm_type) {
+	case RTE_CRYPTO_ASYM_XFORM_RSA:
+		retval = process_openssl_rsa_op(op, sess);
+	break;
+	case RTE_CRYPTO_ASYM_XFORM_MODEX:
+		retval = process_openssl_modexp_op(op, sess);
+	break;
+	case RTE_CRYPTO_ASYM_XFORM_MODINV:
+		retval = process_openssl_modinv_op(op, sess);
+	break;
+	case RTE_CRYPTO_ASYM_XFORM_DH:
+		retval = process_openssl_dh_op(op, sess);
+	break;
+	case RTE_CRYPTO_ASYM_XFORM_DSA:
+		if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+			retval = process_openssl_dsa_sign_op(op, sess);
+		else if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_VERIFY)
+			retval = process_openssl_dsa_verify_op(op, sess);
+		else
+			op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+	break;
+	default:
+		op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+		break;
+	}
+	if (!retval) {
+		/* op processed so push to completion queue as processed */
+		retval = rte_ring_enqueue(qp->processed_ops, (void *)op);
+		if (retval)
+			/* return error if failed to put in completion queue */
+			retval = -1;
+	}
+
+	return retval;
+}
+
+
 /** Process crypto operation for mbuf */
 static int
 process_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -1597,7 +1948,7 @@ static uint16_t
 openssl_pmd_enqueue_burst(void *queue_pair, struct rte_crypto_op **ops,
 		uint16_t nb_ops)
 {
-	struct openssl_session *sess;
+	void *sess;
 	struct openssl_qp *qp = queue_pair;
 	int i, retval;
 
@@ -1606,7 +1957,12 @@ openssl_pmd_enqueue_burst(void *queue_pair, struct rte_crypto_op **ops,
 		if (unlikely(sess == NULL))
 			goto enqueue_err;
 
-		retval = process_op(qp, ops[i], sess);
+		if (ops[i]->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC)
+			retval = process_op(qp, ops[i],
+					(struct openssl_session *) sess);
+		else
+			retval = process_asym_op(qp, ops[i],
+					(struct openssl_asym_session *) sess);
 		if (unlikely(retval < 0))
 			goto enqueue_err;
 	}
@@ -1660,7 +2016,8 @@ cryptodev_openssl_create(const char *name,
 	dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
 			RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
 			RTE_CRYPTODEV_FF_CPU_AESNI |
-			RTE_CRYPTODEV_FF_MBUF_SCATTER_GATHER;
+			RTE_CRYPTODEV_FF_MBUF_SCATTER_GATHER |
+			RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO;
 
 	/* Set vector instructions mode supported */
 	internals = dev->data->dev_private;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 1cb87d59a..76f7410cb 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -469,6 +469,105 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 			}, }
 		}, }
 	},
+	{	/* RSA */
+		.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+		{.asym = {
+			.xfrm_capa = {
+				.xform_type = RTE_CRYPTO_ASYM_XFORM_RSA,
+				.op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
+					(1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
+					(1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
+					(1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
+				{
+				.modlen = {
+				/* min length is based on openssl rsa keygen */
+				.min = 30,
+				/* value 0 symbolizes no limit on max length */
+				.max = 0,
+				.increment = 1
+				}, }
+			}
+		},
+		}
+	},
+	{	/* modexp */
+		.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+		{.asym = {
+			.xfrm_capa = {
+				.xform_type = RTE_CRYPTO_ASYM_XFORM_MODEX,
+				.op_types = 0,
+				{
+				.modlen = {
+				/* min length is based on openssl rsa keygen */
+				.min = 0,
+				/* value 0 symbolizes no limit on max length */
+				.max = 0,
+				.increment = 1
+				}, }
+			}
+		},
+		}
+	},
+	{	/* modinv */
+		.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+		{.asym = {
+			.xfrm_capa = {
+				.xform_type = RTE_CRYPTO_ASYM_XFORM_MODINV,
+				.op_types = 0,
+				{
+				.modlen = {
+				/* min length is based on openssl rsa keygen */
+				.min = 0,
+				/* value 0 symbolizes no limit on max length */
+				.max = 0,
+				.increment = 1
+				}, }
+			}
+		},
+		}
+	},
+	{	/* dh */
+		.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+		{.asym = {
+			.xfrm_capa = {
+				.xform_type = RTE_CRYPTO_ASYM_XFORM_DH,
+				.op_types =
+				((1<<RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) |
+				(1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE |
+				(1 <<
+				RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE))),
+				{
+				.modlen = {
+				/* min length is based on openssl rsa keygen */
+				.min = 0,
+				/* value 0 symbolizes no limit on max length */
+				.max = 0,
+				.increment = 1
+				}, }
+			}
+		},
+		}
+	},
+	{	/* dsa */
+		.op = RTE_CRYPTO_OP_TYPE_ASYMMETRIC,
+		{.asym = {
+			.xfrm_capa = {
+				.xform_type = RTE_CRYPTO_ASYM_XFORM_DSA,
+				.op_types =
+				((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
+				(1 << RTE_CRYPTO_ASYM_OP_VERIFY)),
+				{
+				.modlen = {
+				/* min length is based on openssl rsa keygen */
+				.min = 0,
+				/* value 0 symbolizes no limit on max length */
+				.max = 0,
+				.increment = 1
+				}, }
+			}
+		},
+		}
+	},
 
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
@@ -670,13 +769,20 @@ openssl_pmd_qp_count(struct rte_cryptodev *dev)
 	return dev->data->nb_queue_pairs;
 }
 
-/** Returns the size of the session structure */
+/** Returns the size of symmetric session structure */
 static unsigned
 openssl_pmd_session_get_size(struct rte_cryptodev *dev __rte_unused)
 {
 	return sizeof(struct openssl_session);
 }
 
+/** Returns the size of the session structure */
+static unsigned
+openssl_pmd_asym_session_get_size(struct rte_cryptodev *dev __rte_unused)
+{
+	return sizeof(struct openssl_asym_session);
+}
+
 /** Configure the session from a crypto xform chain */
 static int
 openssl_pmd_session_configure(struct rte_cryptodev *dev __rte_unused,
@@ -713,6 +819,236 @@ openssl_pmd_session_configure(struct rte_cryptodev *dev __rte_unused,
 	return 0;
 }
 
+static int openssl_set_asym_session_parameters(
+				struct openssl_asym_session *asym_session,
+				struct rte_crypto_asym_xform *xform)
+{
+
+	if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) &&
+		(xform->next != NULL)) {
+		OPENSSL_LOG_ERR("chained xfrms are not supported on %s",
+			rte_crypto_asym_xform_strings[xform->xform_type]);
+		return -1;
+	}
+
+	switch (xform->xform_type) {
+	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	{
+		struct rte_crypto_rsa_xform *xfrm = &(xform->rsa);
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+
+		RSA *rsa = RSA_new();
+		if (rsa == NULL)
+			return -1;
+		/* copy xfrm data into rsa struct */
+		rsa->n = BN_bin2bn((const unsigned char *)xfrm->n.data,
+							xfrm->n.length, rsa->n);
+		rsa->e = BN_bin2bn((const unsigned char *)xfrm->e.data,
+							xfrm->e.length, rsa->e);
+		if (xfrm->key_type == RTE_RSA_KEY_TYPE_EXP) {
+			rsa->d = BN_bin2bn((const unsigned char *)xfrm->d.data,
+							xfrm->d.length,
+							rsa->d);
+		} else {
+			rsa->p = BN_bin2bn(
+					(const unsigned char *)xfrm->qt.p.data,
+							xfrm->qt.p.length,
+							rsa->p);
+			rsa->q = BN_bin2bn(
+					(const unsigned char *)xfrm->qt.q.data,
+							xfrm->qt.q.length,
+							rsa->q);
+			rsa->dmp1 = BN_bin2bn(
+					(const unsigned char *)xfrm->qt.dP.data,
+							xfrm->qt.dP.length,
+							rsa->dmp1);
+			rsa->dmq1 = BN_bin2bn(
+					(const unsigned char *)xfrm->qt.dQ.data,
+							xfrm->qt.dQ.length,
+							rsa->dmq1);
+			rsa->iqmp = BN_bin2bn(
+					(const unsigned char *)
+							xfrm->qt.qInv.data,
+							xfrm->qt.qInv.length,
+							rsa->iqmp);
+		}
+		asym_session->u.r.rsa = rsa;
+		break;
+	}
+	case RTE_CRYPTO_ASYM_XFORM_MODEX:
+	{
+		struct rte_crypto_modex_xform *xfrm = &(xform->modex);
+
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_MODEX;
+
+		BN_CTX *ctx = BN_CTX_new();
+		if (ctx == NULL) {
+			OPENSSL_LOG_ERR(" failed to allocate resources\n");
+			return -1;
+		}
+		BN_CTX_start(ctx);
+		BIGNUM *mod = BN_CTX_get(ctx);
+		BIGNUM *exp = BN_CTX_get(ctx);
+		if (mod == NULL || exp == NULL) {
+			BN_CTX_end(ctx);
+			BN_CTX_free(ctx);
+			return -1;
+		}
+		mod = BN_bin2bn((const unsigned char *)xfrm->modulus.data,
+						 xfrm->modulus.length, mod);
+		exp = BN_bin2bn((const unsigned char *)xfrm->exponent.data,
+						 xfrm->exponent.length, exp);
+		asym_session->u.e.ctx = ctx;
+		asym_session->u.e.mod = mod;
+		asym_session->u.e.exp = exp;
+		break;
+	}
+	case RTE_CRYPTO_ASYM_XFORM_MODINV:
+	{
+		struct rte_crypto_modinv_xform *xfrm = &(xform->modinv);
+
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_MODINV;
+
+		BN_CTX *ctx = BN_CTX_new();
+		if (ctx == NULL) {
+			OPENSSL_LOG_ERR(" failed to allocate resources\n");
+			return -1;
+		}
+		BN_CTX_start(ctx);
+		BIGNUM *mod = BN_CTX_get(ctx);
+		if (mod == NULL) {
+			BN_CTX_end(ctx);
+			BN_CTX_free(ctx);
+			return -1;
+		}
+
+		mod = BN_bin2bn((const unsigned char *)
+						 xfrm->modulus.data,
+						 xfrm->modulus.length,
+						 mod);
+		asym_session->u.m.ctx = ctx;
+		asym_session->u.m.modulus = mod;
+		break;
+	}
+	case RTE_CRYPTO_ASYM_XFORM_DH:
+	{
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH;
+
+		asym_session->u.dh.dh_key = DH_new();
+		DH *dh = asym_session->u.dh.dh_key;
+		if (dh == NULL) {
+			OPENSSL_LOG_ERR(" failed to allocate resources\n");
+			return -1;
+		}
+
+		dh->p = BN_bin2bn((const unsigned char *)
+						 xform->dh.p.data,
+						 xform->dh.p.length,
+						 dh->p);
+
+		dh->g = BN_bin2bn((const unsigned char *)
+						 xform->dh.g.data,
+						 xform->dh.g.length,
+						 dh->g);
+
+		/* setup xfrom for
+		 * public key generate, or
+		 * DH Priv key generate, or both
+		 * public and private key generate
+		 */
+		asym_session->u.dh.key_op = (1 << xform->dh.type);
+
+		if (xform->dh.type == RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE) {
+			/* check if next is pubkey */
+			if ((xform->next != NULL) &&
+			   (xform->next->xform_type ==
+			   RTE_CRYPTO_ASYM_XFORM_DH) &&
+			   (xform->next->dh.type ==
+			   RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) {
+			    /* setup op as pub/priv key pair generation */
+				asym_session->u.dh.key_op |=
+				(1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE);
+			}
+		}
+		break;
+	}
+	case RTE_CRYPTO_ASYM_XFORM_DSA:
+	{
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA;
+
+		asym_session->u.s.dsa = DSA_new();
+		DSA *dsa = asym_session->u.s.dsa;
+		if (dsa == NULL) {
+			OPENSSL_LOG_ERR(
+				" failed to allocate resources\n");
+			return -1;
+		}
+
+		dsa->p = BN_bin2bn((const unsigned char *)
+				    xform->dsa.p.data,
+				    xform->dsa.p.length,
+				    dsa->p);
+
+		dsa->g = BN_bin2bn((const unsigned char *)
+				    xform->dsa.g.data,
+				    xform->dsa.g.length,
+				    dsa->g);
+
+		dsa->q = BN_bin2bn((const unsigned char *)
+				    xform->dsa.q.data,
+				    xform->dsa.q.length,
+				    dsa->q);
+
+		dsa->priv_key = BN_bin2bn((const unsigned char *)
+				    xform->dsa.x.data,
+				    xform->dsa.x.length,
+				    dsa->priv_key);
+
+		break;
+	}
+	default:
+		return -1;
+	}
+
+	return 0;
+}
+
+/** Configure the session from a crypto xform chain */
+static int
+openssl_pmd_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
+		struct rte_crypto_asym_xform *xform,
+		struct rte_cryptodev_asym_session *sess,
+		struct rte_mempool *mempool)
+{
+	void *asym_sess_private_data;
+	int ret;
+
+	if (unlikely(sess == NULL)) {
+		OPENSSL_LOG_ERR("invalid asymmetric session struct");
+		return -EINVAL;
+	}
+
+	if (rte_mempool_get(mempool, &asym_sess_private_data)) {
+		CDEV_LOG_ERR(
+			"Couldn't get object from session mempool");
+		return -ENOMEM;
+	}
+
+	ret = openssl_set_asym_session_parameters(asym_sess_private_data,
+									xform);
+	if (ret != 0) {
+		OPENSSL_LOG_ERR("failed configure session parameters");
+
+		/* Return session to mempool */
+		rte_mempool_put(mempool, asym_sess_private_data);
+		return ret;
+	}
+
+	set_asym_session_private_data(sess, dev->driver_id,
+			asym_sess_private_data);
+
+	return 0;
+}
 
 /** Clear the memory of session so it doesn't leave key material behind */
 static void
@@ -732,6 +1068,58 @@ openssl_pmd_session_clear(struct rte_cryptodev *dev,
 	}
 }
 
+static void openssl_reset_asym_session(struct openssl_asym_session *sess)
+{
+	switch (sess->xfrm_type) {
+	case RTE_CRYPTO_ASYM_XFORM_RSA:
+		if (sess->u.r.rsa)
+			RSA_free(sess->u.r.rsa);
+		break;
+	case RTE_CRYPTO_ASYM_XFORM_MODEX:
+		if (sess->u.e.ctx) {
+			BN_CTX_end(sess->u.e.ctx);
+			BN_CTX_free(sess->u.e.ctx);
+		}
+		break;
+	case RTE_CRYPTO_ASYM_XFORM_MODINV:
+		if (sess->u.m.ctx) {
+			BN_CTX_end(sess->u.m.ctx);
+			BN_CTX_free(sess->u.m.ctx);
+		}
+		break;
+	case RTE_CRYPTO_ASYM_XFORM_DH:
+		if (sess->u.dh.dh_key)
+			DH_free(sess->u.dh.dh_key);
+		break;
+	case RTE_CRYPTO_ASYM_XFORM_DSA:
+		if (sess->u.s.dsa)
+			DSA_free(sess->u.s.dsa);
+		break;
+	default:
+		break;
+	}
+}
+
+/** Clear the memory of asymmetric session
+ * so it doesn't leave key material behind
+ */
+static void
+openssl_pmd_asym_session_clear(struct rte_cryptodev *dev,
+		struct rte_cryptodev_asym_session *sess)
+{
+	uint8_t index = dev->driver_id;
+	void *sess_priv = get_asym_session_private_data(sess, index);
+
+	/* Zero out the whole structure */
+	if (sess_priv) {
+		openssl_reset_asym_session(sess_priv);
+		memset(sess_priv, 0, sizeof(struct openssl_asym_session));
+		struct rte_mempool *sess_mp = rte_mempool_from_obj(sess_priv);
+		set_asym_session_private_data(sess, index, NULL);
+		rte_mempool_put(sess_mp, sess_priv);
+	}
+}
+
 struct rte_cryptodev_ops openssl_pmd_ops = {
 		.dev_configure		= openssl_pmd_config,
 		.dev_start		= openssl_pmd_start,
@@ -750,8 +1138,11 @@ struct rte_cryptodev_ops openssl_pmd_ops = {
 		.queue_pair_count	= openssl_pmd_qp_count,
 
 		.session_get_size	= openssl_pmd_session_get_size,
+		.asym_session_get_size	= openssl_pmd_asym_session_get_size,
 		.session_configure	= openssl_pmd_session_configure,
-		.session_clear		= openssl_pmd_session_clear
+		.asym_session_configure	= openssl_pmd_asym_session_configure,
+		.session_clear		= openssl_pmd_session_clear,
+		.asym_session_clear	= openssl_pmd_asym_session_clear
 };
 
 struct rte_cryptodev_ops *rte_openssl_pmd_ops = &openssl_pmd_ops;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_private.h b/drivers/crypto/openssl/rte_openssl_pmd_private.h
index bc8dc7cdc..ebc9dee53 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_private.h
+++ b/drivers/crypto/openssl/rte_openssl_pmd_private.h
@@ -8,6 +8,10 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/des.h>
+#include <openssl/rsa.h>
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
+
 
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
 /**< Open SSL Crypto PMD device name */
@@ -157,6 +161,31 @@ struct openssl_session {
 
 } __rte_cache_aligned;
 
+/** OPENSSL crypto private asymmetric session structure */
+struct openssl_asym_session {
+	enum rte_crypto_asym_xform_type xfrm_type;
+	union {
+		struct rsa {
+			RSA *rsa;
+		} r;
+		struct exp {
+			BIGNUM *exp;
+			BIGNUM *mod;
+			BN_CTX *ctx;
+		} e;
+		struct mod {
+			BIGNUM *modulus;
+			BN_CTX *ctx;
+		} m;
+		struct dh {
+			DH *dh_key;
+			uint32_t key_op;
+		} dh;
+		struct {
+			DSA *dsa;
+		} s;
+	} u;
+} __rte_cache_aligned;
 /** Set and validate OPENSSL crypto session parameters */
 extern int
 openssl_set_session_parameters(struct openssl_session *sess,
-- 
2.14.3



More information about the dev mailing list