diff mbox series

[v1] crypto/openssl: EVP_PKEY routine update in rsa op

Message ID	20220630103848.36515-1-kai.ji@intel.com (mailing list archive)
State	Superseded, archived
Delegated to:	akhil goyal
Headers	From: Kai Ji <kai.ji@intel.com> To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji <kai.ji@intel.com> Subject: [dpdk-dev v1] crypto/openssl: EVP_PKEY routine update in rsa op Date: Thu, 30 Jun 2022 18:38:48 +0800 Message-Id: <20220630103848.36515-1-kai.ji@intel.com> Precedence: list Errors-To: dev-bounces@dpdk.org
Series	[v1] crypto/openssl: EVP_PKEY routine update in rsa op \| [v1] crypto/openssl: EVP_PKEY routine update in rsa op

Checks

Context	Check	Description
ci/checkpatch	warning	coding style issues
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/iol-intel-Performance	success	Performance Testing PASS
ci/github-robot: build	success	github build: passed
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-aarch64-unit-testing	success	Testing PASS
ci/iol-aarch64-compile-testing	success	Testing PASS
ci/iol-x86_64-compile-testing	success	Testing PASS
ci/iol-x86_64-unit-testing	success	Testing PASS
ci/iol-abi-testing	success	Testing PASS

Commit Message

Ji, Kai June 30, 2022, 10:38 a.m. UTC

  EVP_PKEY function need to be called twice for rsa sign and verify
operations. This patch also remove the OPENSSL_API_COMPAT as all
the deprecated APIs are avoid if 3.0 lib is present.

Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
Cc: kai.ji@intel.com

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c     | 32 ++++++++++++++------
 drivers/crypto/openssl/rte_openssl_pmd_ops.c |  2 --
 2 files changed, 22 insertions(+), 12 deletions(-)

Comments

Akhil Goyal July 1, 2022, 7:14 p.m. UTC | #1

> EVP_PKEY function need to be called twice for rsa sign and verify
> operations. This patch also remove the OPENSSL_API_COMPAT as all
> the deprecated APIs are avoid if 3.0 lib is present.
> 
> Fixes: d7bd42f6db19 ("crypto/openssl: update RSA routine with 3.0 EVP API")
> Cc: kai.ji@intel.com
No need to self cc
> 
> Signed-off-by: Kai Ji <kai.ji@intel.com>
Applied to dpdk-next-crypto

Thanks.

Thomas Monjalon July 4, 2022, 7:45 p.m. UTC | #2

30/06/2022 12:38, Kai Ji:
> EVP_PKEY function need to be called twice for rsa sign and verify
> operations. This patch also remove the OPENSSL_API_COMPAT as all
> the deprecated APIs are avoid if 3.0 lib is present.

I prefer not pulling this patch for now because it is not clear.

1/ What is fixed exactly? All RSA sign and verify were broken?
2/ Do you mean OpenSSL 3 is required?

Ji, Kai July 5, 2022, 10:43 a.m. UTC | #3

Hi Thomas, 

> -----Original Message-----
> From: Thomas Monjalon <thomas@monjalon.net>
> Sent: Monday, July 4, 2022 8:45 PM
> To: Ji, Kai <kai.ji@intel.com>
> Cc: dev@dpdk.org; gakhil@marvell.com
> Subject: Re: [dpdk-dev v1] crypto/openssl: EVP_PKEY routine update in rsa
> op
> 
> 30/06/2022 12:38, Kai Ji:
> > EVP_PKEY function need to be called twice for rsa sign and verify
> > operations. This patch also remove the OPENSSL_API_COMPAT as all the
> > deprecated APIs are avoid if 3.0 lib is present.
> 
> I prefer not pulling this patch for now because it is not clear.
> 
> 1/ What is fixed exactly? All RSA sign and verify were broken?
No, this patch fix the 3.0 EVP API in RSA sign and verify routine,  original openssl 1.x rsa sign and verify routines are untouched. 
The original patch set for Openssl 3.0 EVP API is here: 
http://patchwork.dpdk.org/project/dpdk/patch/20220621154214.78176-3-kai.ji@intel.com/


> 2/ Do you mean OpenSSL 3 is required?
No, this branch code will be only executed when Openssl 3.0 lib is detected on the host.  

> 
>

Thomas Monjalon July 5, 2022, 10:55 a.m. UTC | #4

05/07/2022 12:43, Ji, Kai:
> From: Thomas Monjalon <thomas@monjalon.net>
> > 30/06/2022 12:38, Kai Ji:
> > > EVP_PKEY function need to be called twice for rsa sign and verify
> > > operations. This patch also remove the OPENSSL_API_COMPAT as all the
> > > deprecated APIs are avoid if 3.0 lib is present.
> > 
> > I prefer not pulling this patch for now because it is not clear.
> > 
> > 1/ What is fixed exactly? All RSA sign and verify were broken?
> No, this patch fix the 3.0 EVP API in RSA sign and verify routine,  original openssl 1.x rsa sign and verify routines are untouched. 
> The original patch set for Openssl 3.0 EVP API is here: 
> http://patchwork.dpdk.org/project/dpdk/patch/20220621154214.78176-3-kai.ji@intel.com/
> 
> 
> > 2/ Do you mean OpenSSL 3 is required?
> No, this branch code will be only executed when Openssl 3.0 lib is detected on the host.  

OK, please could you reword the commit message
so I can apply it to the commit?
Thanks

diff mbox series

Patch

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 84bca86894..e01dacc98d 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1788,7 +1788,7 @@  process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
 	if (key_ctx == NULL
 		|| EVP_PKEY_fromdata_init(key_ctx) <= 0
 		|| EVP_PKEY_fromdata(key_ctx, &pkey,
-						EVP_PKEY_PUBLIC_KEY, params) <= 0)
+			EVP_PKEY_KEYPAIR, params) <= 0)
 		goto err_dsa_sign;
 
 	dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
@@ -2478,6 +2478,14 @@  process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
 		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
 			goto err_rsa;
 
+		if (EVP_PKEY_sign(rsa_ctx, NULL, &outlen,
+				op->rsa.message.data,
+				op->rsa.message.length) <= 0)
+			goto err_rsa;
+
+		if (outlen <= 0)
+			goto err_rsa;
+
 		if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
 				op->rsa.message.data,
 				op->rsa.message.length) <= 0)
@@ -2486,19 +2494,23 @@  process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
 		break;
 
 	case RTE_CRYPTO_ASYM_OP_VERIFY:
-		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
-		if (tmp == NULL) {
-			OPENSSL_LOG(ERR, "Memory allocation failed");
+		if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0)
 			goto err_rsa;
-		}
 
-		if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
-			rte_free(tmp);
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
 			goto err_rsa;
-		}
 
-		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
-			rte_free(tmp);
+		if (EVP_PKEY_verify_recover(rsa_ctx, NULL, &outlen,
+				op->rsa.sign.data,
+				op->rsa.sign.length) <= 0)
+			goto err_rsa;
+
+		if ((outlen <= 0) || (outlen != op->rsa.sign.length))
+			goto err_rsa;
+
+		tmp = OPENSSL_malloc(outlen);
+		if (tmp == NULL) {
+			OPENSSL_LOG(ERR, "Memory allocation failed");
 			goto err_rsa;
 		}
 
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 8d1f8e834a..3e24ef94f7 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -2,8 +2,6 @@ 
  * Copyright(c) 2016-2017 Intel Corporation
  */
 
-#define OPENSSL_API_COMPAT 0x10100000L
-
 #include <string.h>
 
 #include <rte_common.h>