[v1] crypto/openssl: EVP_PKEY routine update in rsa op
Checks
Commit Message
EVP_PKEY function need to be called twice for rsa sign and verify
operations. This patch also remove the OPENSSL_API_COMPAT as all
the deprecated APIs are avoid if 3.0 lib is present.
Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
Cc: kai.ji@intel.com
Signed-off-by: Kai Ji <kai.ji@intel.com>
---
drivers/crypto/openssl/rte_openssl_pmd.c | 32 ++++++++++++++------
drivers/crypto/openssl/rte_openssl_pmd_ops.c | 2 --
2 files changed, 22 insertions(+), 12 deletions(-)
Comments
> EVP_PKEY function need to be called twice for rsa sign and verify
> operations. This patch also remove the OPENSSL_API_COMPAT as all
> the deprecated APIs are avoid if 3.0 lib is present.
>
> Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
> Cc: kai.ji@intel.com
No need to self cc
>
> Signed-off-by: Kai Ji <kai.ji@intel.com>
Applied to dpdk-next-crypto
Thanks.
30/06/2022 12:38, Kai Ji:
> EVP_PKEY function need to be called twice for rsa sign and verify
> operations. This patch also remove the OPENSSL_API_COMPAT as all
> the deprecated APIs are avoid if 3.0 lib is present.
I prefer not pulling this patch for now because it is not clear.
1/ What is fixed exactly? All RSA sign and verify were broken?
2/ Do you mean OpenSSL 3 is required?
Hi Thomas,
> -----Original Message-----
> From: Thomas Monjalon <thomas@monjalon.net>
> Sent: Monday, July 4, 2022 8:45 PM
> To: Ji, Kai <kai.ji@intel.com>
> Cc: dev@dpdk.org; gakhil@marvell.com
> Subject: Re: [dpdk-dev v1] crypto/openssl: EVP_PKEY routine update in rsa
> op
>
> 30/06/2022 12:38, Kai Ji:
> > EVP_PKEY function need to be called twice for rsa sign and verify
> > operations. This patch also remove the OPENSSL_API_COMPAT as all the
> > deprecated APIs are avoid if 3.0 lib is present.
>
> I prefer not pulling this patch for now because it is not clear.
>
> 1/ What is fixed exactly? All RSA sign and verify were broken?
No, this patch fix the 3.0 EVP API in RSA sign and verify routine, original openssl 1.x rsa sign and verify routines are untouched.
The original patch set for Openssl 3.0 EVP API is here:
http://patchwork.dpdk.org/project/dpdk/patch/20220621154214.78176-3-kai.ji@intel.com/
> 2/ Do you mean OpenSSL 3 is required?
No, this branch code will be only executed when Openssl 3.0 lib is detected on the host.
>
>
05/07/2022 12:43, Ji, Kai:
> From: Thomas Monjalon <thomas@monjalon.net>
> > 30/06/2022 12:38, Kai Ji:
> > > EVP_PKEY function need to be called twice for rsa sign and verify
> > > operations. This patch also remove the OPENSSL_API_COMPAT as all the
> > > deprecated APIs are avoid if 3.0 lib is present.
> >
> > I prefer not pulling this patch for now because it is not clear.
> >
> > 1/ What is fixed exactly? All RSA sign and verify were broken?
> No, this patch fix the 3.0 EVP API in RSA sign and verify routine, original openssl 1.x rsa sign and verify routines are untouched.
> The original patch set for Openssl 3.0 EVP API is here:
> http://patchwork.dpdk.org/project/dpdk/patch/20220621154214.78176-3-kai.ji@intel.com/
>
>
> > 2/ Do you mean OpenSSL 3 is required?
> No, this branch code will be only executed when Openssl 3.0 lib is detected on the host.
OK, please could you reword the commit message
so I can apply it to the commit?
Thanks
@@ -1788,7 +1788,7 @@ process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
if (key_ctx == NULL
|| EVP_PKEY_fromdata_init(key_ctx) <= 0
|| EVP_PKEY_fromdata(key_ctx, &pkey,
- EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ EVP_PKEY_KEYPAIR, params) <= 0)
goto err_dsa_sign;
dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
@@ -2478,6 +2478,14 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
goto err_rsa;
+ if (EVP_PKEY_sign(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
op->rsa.message.data,
op->rsa.message.length) <= 0)
@@ -2486,19 +2494,23 @@ process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
break;
case RTE_CRYPTO_ASYM_OP_VERIFY:
- tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
- if (tmp == NULL) {
- OPENSSL_LOG(ERR, "Memory allocation failed");
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0)
goto err_rsa;
- }
- if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
- rte_free(tmp);
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
goto err_rsa;
- }
- if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
- rte_free(tmp);
+ if (EVP_PKEY_verify_recover(rsa_ctx, NULL, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0)
+ goto err_rsa;
+
+ if ((outlen <= 0) || (outlen != op->rsa.sign.length))
+ goto err_rsa;
+
+ tmp = OPENSSL_malloc(outlen);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
goto err_rsa;
}
@@ -2,8 +2,6 @@
* Copyright(c) 2016-2017 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
#include <string.h>
#include <rte_common.h>