[EXT] [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine

Akhil Goyal gakhil at marvell.com
Tue Jun 21 11:30:07 CEST 2022
Previous message (by thread): [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
Next message (by thread): [EXT] [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> This patch updates asymmetric RSA routine in crypto openssl pmd
> to adopt openssl 3.0 EVP apis.
> 
> Signed-off-by: Kai Ji <kai.ji at intel.com>
> ---
>  drivers/crypto/openssl/openssl_pmd_private.h |   7 +
>  drivers/crypto/openssl/rte_openssl_pmd.c     | 149 +++++++++++++++++++
>  drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++-
>  3 files changed, 267 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index 86dc169aaf..d603626fdf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -11,6 +11,10 @@
>  #include <openssl/rsa.h>
>  #include <openssl/dh.h>
>  #include <openssl/dsa.h>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +#endif
> 
>  #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
>  /**< Open SSL Crypto PMD device name */
> @@ -157,6 +161,9 @@ struct openssl_asym_session {
>  	union {
>  		struct rsa {
>  			RSA *rsa;
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +			EVP_PKEY_CTX * ctx;
> +#endif
>  		} r;
>  		struct exp {
>  			BIGNUM *exp;
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 5dbe6074eb..cac157aba3 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op
> *cop,
>  }
> 
>  /* process rsa operations */
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +static int
> +process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
> +		struct openssl_asym_session *sess)
> +{
> +	struct rte_crypto_asym_op *op = cop->asym;
> +	uint32_t pad = (op->rsa.padding.type);
> +	uint8_t *tmp;
> +	size_t outlen = 0;
> +	int ret = -1;
> +
> +	cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
> +	EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
> +	if (!rsa_ctx)
> +		return ret;
> +
> +	switch (pad) {
> +	case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
> +		pad = RSA_PKCS1_PADDING;
> +		break;
> +	case RTE_CRYPTO_RSA_PADDING_NONE:
> +		pad = RSA_NO_PADDING;
> +		break;
> +	default:
> +		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> +		OPENSSL_LOG(ERR,
> +				"rsa pad type not supported %d\n", pad);
> +		return ret;
> +	}
> +
> +	switch (op->rsa.op_type) {
> +	case RTE_CRYPTO_ASYM_OP_ENCRYPT:
> +		if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
> +							op->rsa.message.data,
> +							op-
> >rsa.message.length) <= 0)

Remove extra indentation here and below also.

Cop->status is not updated in case of failure gotos.


> +			goto err_rsa;
> +
> +		if (outlen <= 0)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
> +							op->rsa.message.data,
> +							op-
> >rsa.message.length) <= 0)
> +			goto err_rsa;
> +		op->rsa.cipher.length = outlen;
> +
> +		OPENSSL_LOG(DEBUG,
> +				"length of encrypted text %zu\n", outlen);
> +		break;
> +
> +	case RTE_CRYPTO_ASYM_OP_DECRYPT:
> +		if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
> +							op->rsa.cipher.data,
> +							op->rsa.cipher.length)
> <= 0)
> +			goto err_rsa;
> +
> +		if (outlen <= 0)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
> +							op->rsa.cipher.data,
> +							op->rsa.cipher.length)
> <= 0)
> +			goto err_rsa;
> +		op->rsa.message.length = outlen;
> +
> +		OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n",
> outlen);
> +		break;
> +
> +	case RTE_CRYPTO_ASYM_OP_SIGN:
> +		if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
> +			goto err_rsa;
> +
> +		if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
> +							op->rsa.message.data,
> +							op-
> >rsa.message.length) <= 0)
> +			goto err_rsa;
> +		op->rsa.sign.length = outlen;
> +		break;
> +
> +	case RTE_CRYPTO_ASYM_OP_VERIFY:
> +		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
> +		if (tmp == NULL) {
> +			OPENSSL_LOG(ERR, "Memory allocation failed");
> +			goto err_rsa;
> +		}
> +
> +		if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
> +			rte_free(tmp);
> +			goto err_rsa;
> +		}
> +
> +		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
> +			rte_free(tmp);
> +			goto err_rsa;
> +		}
> +
> +		if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
> +							op->rsa.sign.data,
> +							op->rsa.sign.length) <=
> 0) {
> +			rte_free(tmp);
> +			goto err_rsa;
> +		}
> +
> +		OPENSSL_LOG(DEBUG,
> +				"Length of public_decrypt %zu "
> +				"length of message %zd\n",
> +				outlen, op->rsa.message.length);
> +		if (CRYPTO_memcmp(tmp, op->rsa.message.data,
> +				op->rsa.message.length)) {
> +			OPENSSL_LOG(ERR, "RSA sign Verification failed");
> +		}
> +		rte_free(tmp);
> +		break;
> +
> +	default:
> +		/* allow ops with invalid args to be pushed to
> +		 * completion queue
> +		 */
> +		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
> +		goto err_rsa;
> +	}
> +
> +	ret = 0;
> +	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
> +err_rsa:
> +	return ret;
> +
> +}
> +#else
>  static int
>  process_openssl_rsa_op(struct rte_crypto_op *cop,
>  		struct openssl_asym_session *sess)
> @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
> 
>  	return 0;
>  }
> +#endif
> 
>  static int
>  process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
> @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct
> rte_crypto_op *op,
> 
>  	switch (sess->xfrm_type) {
>  	case RTE_CRYPTO_ASYM_XFORM_RSA:
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +		retval = process_openssl_rsa_op_evp(op, sess);
> +# else
>  		retval = process_openssl_rsa_op(op, sess);
> +#endif
>  		break;
>  	case RTE_CRYPTO_ASYM_XFORM_MODEX:
>  		retval = process_openssl_modexp_op(op, sess);
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index 7d0da52a33..6d94da499e 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -12,7 +12,11 @@
> 
>  #include "openssl_pmd_private.h"
>  #include "compat.h"
> -
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +#include <openssl/param_build.h>
> +#endif
> 
>  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>  	{	/* MD5 HMAC */
> @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters(
>  		if (!n || !e)
>  			goto err_rsa;
> 
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +		OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new();
> +		if (!param_bld) {
> +			OPENSSL_LOG(ERR, "failed to allocate resources\n");
> +			goto err_rsa;
> +		}
> +
> +		if (!OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_N, n)
> +			|| !OSSL_PARAM_BLD_push_BN(param_bld,
> +					OSSL_PKEY_PARAM_RSA_E, e)) {
> +			OSSL_PARAM_BLD_free(param_bld);
> +			OPENSSL_LOG(ERR, "failed to allocate resources\n");
> +			goto err_rsa;
> +		}
> +
> +		if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
> +			d = BN_bin2bn(
> +			(const unsigned char *)xform->rsa.d.data,
> +			xform->rsa.d.length,
> +			d);
> +			if (!d) {
> +				OSSL_PARAM_BLD_free(param_bld);
> +				goto err_rsa;
> +			}
> +		} else {
> +			p = BN_bin2bn((const unsigned char *)
> +					xform->rsa.qt.p.data,
> +					xform->rsa.qt.p.length,
> +					p);
> +			q = BN_bin2bn((const unsigned char *)
> +					xform->rsa.qt.q.data,
> +					xform->rsa.qt.q.length,
> +					q);
> +			dmp1 = BN_bin2bn((const unsigned char *)
> +					xform->rsa.qt.dP.data,
> +					xform->rsa.qt.dP.length,
> +					dmp1);
> +			dmq1 = BN_bin2bn((const unsigned char *)
> +					xform->rsa.qt.dQ.data,
> +					xform->rsa.qt.dQ.length,
> +					dmq1);
> +			iqmp = BN_bin2bn((const unsigned char *)
> +					xform->rsa.qt.qInv.data,
> +					xform->rsa.qt.qInv.length,
> +					iqmp);
> +
> +			if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
> +				OSSL_PARAM_BLD_free(param_bld);
> +				goto err_rsa;
> +			}
> +
> +			if (!OSSL_PARAM_BLD_push_BN(param_bld,
> +
> 	OSSL_PKEY_PARAM_RSA_FACTOR1, p)
> +				|| !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> 	OSSL_PKEY_PARAM_RSA_FACTOR2, q)
> +				|| !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> 	OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
> +				|| !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> 	OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
> +				|| !OSSL_PARAM_BLD_push_BN(param_bld,
> +
> 	OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
> +				OSSL_PARAM_BLD_free(param_bld);
> +				goto err_rsa;
> +			}
> +		}
> +
> +		if (!OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_N, n)
> +			|| !OSSL_PARAM_BLD_push_BN(param_bld,
> OSSL_PKEY_PARAM_RSA_E, e)
> +			|| !OSSL_PARAM_BLD_push_BN(param_bld,
> +						OSSL_PKEY_PARAM_RSA_D,
> d)) {
> +			OSSL_PARAM_BLD_free(param_bld);
> +			goto err_rsa;
> +		}
> +
> +		EVP_PKEY_CTX *key_ctx =
> EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
> +		EVP_PKEY *pkey = NULL;
> +		EVP_PKEY_CTX *rsa_ctx = NULL;
> +		OSSL_PARAM *params = NULL;
> +
> +		params = OSSL_PARAM_BLD_to_param(param_bld);
> +		if (!params) {
> +			OSSL_PARAM_BLD_free(param_bld);
> +			goto err_rsa;
> +		}
> +
> +		if (key_ctx == NULL
> +			|| EVP_PKEY_fromdata_init(key_ctx) <= 0
> +			|| EVP_PKEY_fromdata(key_ctx, &pkey,
> +					EVP_PKEY_KEYPAIR, params) <= 0) {

Indentation not correct above.


> +			OSSL_PARAM_free(params);
> +			goto err_rsa;
> +		}
> +
> +		rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
> +		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
> +		asym_session->u.r.ctx = rsa_ctx;
> +		EVP_PKEY_CTX_free(key_ctx);
> +		OSSL_PARAM_free(params);
> +		break;
> +#else
>  		RSA *rsa = RSA_new();
>  		if (rsa == NULL)
>  			goto err_rsa;
> @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters(
>  		asym_session->u.r.rsa = rsa;
>  		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
>  		break;
> +#endif
>  err_rsa:
>  		BN_clear_free(n);
>  		BN_clear_free(e);
> @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct
> openssl_asym_session *sess)
>  {
>  	switch (sess->xfrm_type) {
>  	case RTE_CRYPTO_ASYM_XFORM_RSA:
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +		if (sess->u.r.ctx)
> +			EVP_PKEY_CTX_free(sess->u.r.ctx);
> +#else
>  		if (sess->u.r.rsa)
>  			RSA_free(sess->u.r.rsa);
> +#endif
>  		break;
>  	case RTE_CRYPTO_ASYM_XFORM_MODEX:
>  		if (sess->u.e.ctx) {
> --
> 2.17.1
Previous message (by thread): [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
Next message (by thread): [EXT] [dpdk-dev v4 2/4] crypto/openssl: 3.0 EVP update on RSA routine
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the dev mailing list