From patchwork Tue Jun 21 15:42:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 113189 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 9D973A0545; Tue, 21 Jun 2022 17:42:27 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7F3D14281E; Tue, 21 Jun 2022 17:42:25 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id E744F40151 for ; Tue, 21 Jun 2022 17:42:21 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655826142; x=1687362142; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=6SatTkFSnjAlEBM84WM2ClxlYCJlQis+da+ifB5HxMQ=; b=S/y3IQvMHV0uL4cEuQDu7kbWhqEhcrRa9a3/3suJrpUt0zr2d0Mkw6Dd RJTipAhVk4PJVdhDrWr8ly2lgatLjYOMBTQ6phAncJFfNx576eBvbuGk2 tLMpocAtZfxdUWA3M0BFUrD02P9QMveTy8Ttu65g97vw6zZGhaqEM+Nex eM+GWwTUIHMLWEhaZ1+FDgEcyHMJLG3CQU5F0grob2mMhUowyq6JpU3+W JVXM72hjAwiE+F+XeC64qvjux2LHUNv2FJK3NbnRutW4WSat33zv6EVzf XXm2agAFG2Y0aNGmyHXEl5qJlslOPb6GcdtVqUdkVJ/2qDSBk5vGUznHq A==; X-IronPort-AV: E=McAfee;i="6400,9594,10385"; a="305594203" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="305594203" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 08:42:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="729889022" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga001.fm.intel.com with ESMTP; 21 Jun 2022 08:42:20 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 1/4] crypto/openssl: update on HMAC routine with 3.0 EVP API Date: Tue, 21 Jun 2022 23:42:11 +0800 Message-Id: <20220621154214.78176-2-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com> References: <20220621135536.62679-1-kai.ji@intel.com> <20220621154214.78176-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch update the symmetric HMAC routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++- 2 files changed, 181 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b2054b3754..6bcfb584a4 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -134,7 +134,11 @@ struct openssl_session { /**< pointer to EVP key */ const EVP_MD *evp_algo; /**< pointer to EVP algorithm function */ +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX * ctx; +# else HMAC_CTX *ctx; +# endif /**< pointer to EVP context structure */ } hmac; }; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 6ac2dfff5a..06ede435dd 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) } #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + +#include +#include + +#define MAX_OSSL_ALGO_NAME_SIZE 16 + +OSSL_PROVIDER *legacy; +OSSL_PROVIDER *deflt; + +static void ossl_legacy_provider_load(void) +{ + /* Load Multiple providers into the default (NULL) library context */ + legacy = OSSL_PROVIDER_load(NULL, "legacy"); + if (legacy == NULL) { + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n"); + return; + } + + deflt = OSSL_PROVIDER_load(NULL, "default"); + if (deflt == NULL) { + OPENSSL_LOG(ERR, "Failed to load Default provider\n"); + OSSL_PROVIDER_unload(legacy); + return; + } +} + +static void ossl_legacy_provider_unload(void) +{ + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +} + +static __rte_always_inline const char * +digest_name_get(enum rte_crypto_auth_algorithm algo) +{ + switch (algo) { + case RTE_CRYPTO_AUTH_MD5_HMAC: + return OSSL_DIGEST_NAME_MD5; + case RTE_CRYPTO_AUTH_SHA1_HMAC: + return OSSL_DIGEST_NAME_SHA1; + case RTE_CRYPTO_AUTH_SHA224_HMAC: + return OSSL_DIGEST_NAME_SHA2_224; + case RTE_CRYPTO_AUTH_SHA256_HMAC: + return OSSL_DIGEST_NAME_SHA2_256; + case RTE_CRYPTO_AUTH_SHA384_HMAC: + return OSSL_DIGEST_NAME_SHA2_384; + case RTE_CRYPTO_AUTH_SHA512_HMAC: + return OSSL_DIGEST_NAME_SHA2_512; + default: + return NULL; + } +} +#endif + static int cryptodev_openssl_remove(struct rte_vdev_device *vdev); /*----------------------------------------------------------------------------*/ @@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.auth.ctx = EVP_MD_CTX_create(); break; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + case RTE_CRYPTO_AUTH_MD5_HMAC: + case RTE_CRYPTO_AUTH_SHA1_HMAC: + case RTE_CRYPTO_AUTH_SHA224_HMAC: + case RTE_CRYPTO_AUTH_SHA256_HMAC: + case RTE_CRYPTO_AUTH_SHA384_HMAC: + case RTE_CRYPTO_AUTH_SHA512_HMAC: + sess->auth.mode = OPENSSL_AUTH_AS_HMAC; + + OSSL_PARAM params[2]; + const char *algo; + algo = digest_name_get(xform->auth.algo); + if (!algo) + return -EINVAL; + char algo_name[MAX_OSSL_ALGO_NAME_SIZE]; + rte_memcpy(algo_name, algo, (sizeof(algo)+1)); + + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac); + EVP_MAC_free(mac); + if (get_auth_algo(xform->auth.algo, + &sess->auth.hmac.evp_algo) != 0) + return -EINVAL; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", + algo_name, 0); + params[1] = OSSL_PARAM_construct_end(); + if (EVP_MAC_init(sess->auth.hmac.ctx, + xform->auth.key.data, + xform->auth.key.length, + params) != 1) + return -EINVAL; + break; +# else case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA224_HMAC: @@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, sess->auth.hmac.evp_algo, NULL) != 1) return -EINVAL; break; - +# endif default: return -ENOTSUP; } @@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess) break; case OPENSSL_AUTH_AS_HMAC: EVP_PKEY_free(sess->auth.hmac.pkey); +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX_free(sess->auth.hmac.ctx); +# else HMAC_CTX_free(sess->auth.hmac.ctx); +# endif break; default: break; @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, return -EINVAL; } +# if OPENSSL_VERSION_NUMBER >= 0x30000000L +/** Process standard openssl auth algorithms with hmac */ +static int +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, + int srclen, EVP_MAC_CTX *ctx) +{ + size_t dstlen; + struct rte_mbuf *m; + int l, n = srclen; + uint8_t *src; + + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m); + m = m->next) + offset -= rte_pktmbuf_data_len(m); + + if (m == 0) + goto process_auth_err; + + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset); + + l = rte_pktmbuf_data_len(m) - offset; + if (srclen <= l) { + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1) + goto process_auth_err; + goto process_auth_final; + } + + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + + n -= l; + + for (m = m->next; (m != NULL) && (n > 0); m = m->next) { + src = rte_pktmbuf_mtod(m, uint8_t *); + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n; + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1) + goto process_auth_err; + n -= l; + } + +process_auth_final: + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1) + goto process_auth_err; + + EVP_MAC_CTX_free(ctx); + return 0; + +process_auth_err: + EVP_MAC_CTX_free(ctx); + OPENSSL_LOG(ERR, "Process openssl auth failed"); + return -EINVAL; +} +# else /** Process standard openssl auth algorithms with hmac */ static int process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, OPENSSL_LOG(ERR, "Process openssl auth failed"); return -EINVAL; } - +# endif /*----------------------------------------------------------------------------*/ /** Process auth/cipher combined operation */ @@ -1328,7 +1474,6 @@ process_openssl_combined_op int srclen, aadlen, status = -1; uint32_t offset; uint8_t taglen; - EVP_CIPHER_CTX *ctx_copy; /* * Segmented destination buffer is not supported for @@ -1365,8 +1510,6 @@ process_openssl_combined_op } taglen = sess->auth.digest_length; - ctx_copy = EVP_CIPHER_CTX_new(); - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx); if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1374,12 +1517,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1387,15 +1530,14 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, ctx_copy); + dst, tag, sess->cipher.ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, ctx_copy); + dst, tag, taglen, sess->cipher.ctx); } - EVP_CIPHER_CTX_free(ctx_copy); if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, uint8_t *dst; int srclen, status; EVP_MD_CTX *ctx_a; +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MAC_CTX *ctx_h; + EVP_MAC *mac; +# else HMAC_CTX *ctx_h; +# endif srclen = op->sym->auth.data.length; @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, EVP_MD_CTX_destroy(ctx_a); break; case OPENSSL_AUTH_AS_HMAC: +# if OPENSSL_VERSION_NUMBER >= 0x30000000L + mac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx_h = EVP_MAC_CTX_new(mac); + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx); + EVP_MAC_free(mac); + status = process_openssl_auth_hmac(mbuf_src, dst, + op->sym->auth.data.offset, srclen, + ctx_h); +# else ctx_h = HMAC_CTX_new(); HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx); status = process_openssl_auth_hmac(mbuf_src, dst, op->sym->auth.data.offset, srclen, ctx_h); HMAC_CTX_free(ctx_h); +# endif break; default: status = -1; @@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name, rte_cryptodev_pmd_probing_finish(dev); +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Load legacy provider + * Some algorithms are no longer available in earlier version of openssl, + * unless the legacy provider explicitly loaded. e.g. DES + */ + ossl_legacy_provider_load(); +# endif return 0; init_error: @@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev) if (cryptodev == NULL) return -ENODEV; +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + ossl_legacy_provider_unload(); +# endif return rte_cryptodev_pmd_destroy(cryptodev); } From patchwork Tue Jun 21 15:42:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 113190 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3790CA0545; Tue, 21 Jun 2022 17:42:33 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8ECFD42905; Tue, 21 Jun 2022 17:42:26 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id 7D4134281E for ; Tue, 21 Jun 2022 17:42:23 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655826143; x=1687362143; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=Ti87TBx+eEb88UXrkV1rChXyfZqJbZR+z2I2OTEcu2Q=; b=UHBYj6O7v1PeSWaeneGB3NtW3B6ZFSm/tvdOU7BzlHxszRUd82S0dexB UJR/sFM0qqoQB9lz+uVfbiOwoZ/PjhsA4RmxD30a9idZQaEHDg3Tq+uoM b4cIRT1Oa1klzwdQr5VTETKvTBAzVII+s44BI29L7mcIDizkT0GmL+9s0 /XCOWKxwWshnzizrK+ASSA6ERoRVMiQd9uwILlR4rIFp+ez12L1+TkjRC t6EW2u7yFjrBOvFzGeIwbfd35zoEVzRTmoz/UaV3GPDXIj8M4BemlDBO5 YzGZUdT/p82wpy50S/WSuTvMB8VEIPHcNj/YCo40iP0mvwwYWWe8dTCa6 g==; X-IronPort-AV: E=McAfee;i="6400,9594,10385"; a="305594208" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="305594208" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 08:42:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="729889030" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga001.fm.intel.com with ESMTP; 21 Jun 2022 08:42:21 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 2/4] crypto/openssl: update on RSA routine with 3.0 EVP API Date: Tue, 21 Jun 2022 23:42:12 +0800 Message-Id: <20220621154214.78176-3-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com> References: <20220621135536.62679-1-kai.ji@intel.com> <20220621154214.78176-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric RSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 7 + drivers/crypto/openssl/rte_openssl_pmd.c | 149 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 112 +++++++++++++- 3 files changed, 267 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 6bcfb584a4..9d4ac721a7 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -11,6 +11,10 @@ #include #include #include +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#endif #define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl /**< Open SSL Crypto PMD device name */ @@ -157,6 +161,9 @@ struct openssl_asym_session { union { struct rsa { RSA *rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + EVP_PKEY_CTX * ctx; +#endif } r; struct exp { BIGNUM *exp; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 06ede435dd..caa5d54c0a 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2046,6 +2046,150 @@ process_openssl_modexp_op(struct rte_crypto_op *cop, } /* process rsa operations */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_rsa_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_asym_op *op = cop->asym; + uint32_t pad = (op->rsa.padding.type); + uint8_t *tmp; + size_t outlen = 0; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx; + if (!rsa_ctx) + return ret; + + switch (pad) { + case RTE_CRYPTO_RSA_PADDING_PKCS1_5: + pad = RSA_PKCS1_PADDING; + break; + case RTE_CRYPTO_RSA_PADDING_NONE: + pad = RSA_NO_PADDING; + break; + default: + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + OPENSSL_LOG(ERR, + "rsa pad type not supported %d\n", pad); + return ret; + } + + switch (op->rsa.op_type) { + case RTE_CRYPTO_ASYM_OP_ENCRYPT: + if (EVP_PKEY_encrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.cipher.length = outlen; + + OPENSSL_LOG(DEBUG, + "length of encrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_DECRYPT: + if (EVP_PKEY_decrypt_init(rsa_ctx) != 1) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + + if (outlen <= 0) + goto err_rsa; + + if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen, + op->rsa.cipher.data, + op->rsa.cipher.length) <= 0) + goto err_rsa; + op->rsa.message.length = outlen; + + OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen); + break; + + case RTE_CRYPTO_ASYM_OP_SIGN: + if (EVP_PKEY_sign_init(rsa_ctx) <= 0) + goto err_rsa; + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) + goto err_rsa; + + if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen, + op->rsa.message.data, + op->rsa.message.length) <= 0) + goto err_rsa; + op->rsa.sign.length = outlen; + break; + + case RTE_CRYPTO_ASYM_OP_VERIFY: + tmp = rte_malloc(NULL, op->rsa.sign.length, 0); + if (tmp == NULL) { + OPENSSL_LOG(ERR, "Memory allocation failed"); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen, + op->rsa.sign.data, + op->rsa.sign.length) <= 0) { + rte_free(tmp); + goto err_rsa; + } + + OPENSSL_LOG(DEBUG, + "Length of public_decrypt %zu " + "length of message %zd\n", + outlen, op->rsa.message.length); + if (CRYPTO_memcmp(tmp, op->rsa.message.data, + op->rsa.message.length)) { + OPENSSL_LOG(ERR, "RSA sign Verification failed"); + } + rte_free(tmp); + break; + + default: + /* allow ops with invalid args to be pushed to + * completion queue + */ + cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; + goto err_rsa; + } + + ret = 0; + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; +err_rsa: + return ret; + +} +#else static int process_openssl_rsa_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -2144,6 +2288,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop, return 0; } +#endif static int process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, @@ -2155,7 +2300,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_rsa_op_evp(op, sess); +# else retval = process_openssl_rsa_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: retval = process_openssl_modexp_op(op, sess); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 7d0da52a33..e94e72c12b 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -12,7 +12,11 @@ #include "openssl_pmd_private.h" #include "compat.h" - +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +#include +#include +#include +#endif static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { { /* MD5 HMAC */ @@ -835,6 +839,106 @@ static int openssl_set_asym_session_parameters( if (!n || !e) goto err_rsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_E, e)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_rsa; + } + + if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) { + d = BN_bin2bn( + (const unsigned char *)xform->rsa.d.data, + xform->rsa.d.length, + d); + if (!d) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } else { + p = BN_bin2bn((const unsigned char *) + xform->rsa.qt.p.data, + xform->rsa.qt.p.length, + p); + q = BN_bin2bn((const unsigned char *) + xform->rsa.qt.q.data, + xform->rsa.qt.q.length, + q); + dmp1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dP.data, + xform->rsa.qt.dP.length, + dmp1); + dmq1 = BN_bin2bn((const unsigned char *) + xform->rsa.qt.dQ.data, + xform->rsa.qt.dQ.length, + dmq1); + iqmp = BN_bin2bn((const unsigned char *) + xform->rsa.qt.qInv.data, + xform->rsa.qt.qInv.length, + iqmp); + + if (!p || !q || !dmp1 || !dmq1 || !iqmp) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR1, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_FACTOR2, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) + || !OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_RSA_D, d)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *rsa_ctx = NULL; + OSSL_PARAM *params = NULL; + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_rsa; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_KEYPAIR, params) <= 0) { + OSSL_PARAM_free(params); + goto err_rsa; + } + + rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; + asym_session->u.r.ctx = rsa_ctx; + EVP_PKEY_CTX_free(key_ctx); + OSSL_PARAM_free(params); + break; +#else RSA *rsa = RSA_new(); if (rsa == NULL) goto err_rsa; @@ -904,6 +1008,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; break; +#endif err_rsa: BN_clear_free(n); BN_clear_free(e); @@ -1135,8 +1240,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) { switch (sess->xfrm_type) { case RTE_CRYPTO_ASYM_XFORM_RSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (sess->u.r.ctx) + EVP_PKEY_CTX_free(sess->u.r.ctx); +#else if (sess->u.r.rsa) RSA_free(sess->u.r.rsa); +#endif break; case RTE_CRYPTO_ASYM_XFORM_MODEX: if (sess->u.e.ctx) { From patchwork Tue Jun 21 15:42:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 113191 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1D9A0A0545; Tue, 21 Jun 2022 17:42:39 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 94A7442B6F; Tue, 21 Jun 2022 17:42:29 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id A5E794281E for ; Tue, 21 Jun 2022 17:42:24 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655826144; x=1687362144; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=/+gbnO3cWAgFp0tnhjAs+JCD8HSIgEE4Nj1Wcte+wDw=; b=PAs18Wi0RLcdvQAWl/FdR11tS5dWUoQ6F9w5iuyTmYeuVDWM6kk/HwGy Vys/CoI4jQme1Pi4aj/l92v6sVlY4bwQ+zq22G6pRGTXblk99XOCPQ57c V8IXHozczoE5X7W5vf+QaIUlMnOtEvjpIdq1YxVCTn2tj/oy+6yIjDNX/ GWBn1HGlVObLPKNSMHI6aAGLlzShJu+Oh7hmaOg40ZUupoHtwPn93R9CX RRaX6Lsif9ILJpz0y5evRvMJhqxTEOaLoIzeTJWHvB5bQ1fKVHh6r7MGT ea9l5KijeR8X22bij1PkeeXyyNPUjlFTponO9tXqoiEPFujI/j3o+l9ds w==; X-IronPort-AV: E=McAfee;i="6400,9594,10385"; a="305594216" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="305594216" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 08:42:24 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="729889041" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga001.fm.intel.com with ESMTP; 21 Jun 2022 08:42:23 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 3/4] crypto/openssl: update on DH routine with 3.0 EVP API Date: Tue, 21 Jun 2022 23:42:13 +0800 Message-Id: <20220621154214.78176-4-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com> References: <20220621135536.62679-1-kai.ji@intel.com> <20220621154214.78176-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DH routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Signed-off-by: Kai Ji --- drivers/crypto/openssl/openssl_pmd_private.h | 4 + drivers/crypto/openssl/rte_openssl_pmd.c | 185 +++++++++++++++++++ drivers/crypto/openssl/rte_openssl_pmd_ops.c | 47 ++++- 3 files changed, 235 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index 9d4ac721a7..b952188c9d 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -177,6 +177,10 @@ struct openssl_asym_session { struct dh { DH *dh_key; uint32_t key_op; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; + OSSL_PARAM_BLD *param_bld_peer; +#endif } dh; struct { DSA *dsa; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index caa5d54c0a..375dc9cfdc 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -45,6 +45,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx) #include #include +#include #define MAX_OSSL_ALGO_NAME_SIZE 16 @@ -1846,6 +1847,185 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, } /* process dh operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dh_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dh_op_param *op = &cop->asym->dh; + OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld; + OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer; + OSSL_PARAM *params = NULL; + EVP_PKEY *dhpkey = NULL; + EVP_PKEY *peerkey = NULL; + BIGNUM *priv_key = NULL; + BIGNUM *pub_key = NULL; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED; + EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (dh_ctx == NULL || param_bld == NULL) + return ret; + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) { + OSSL_PARAM *params_peer = NULL; + + if (!param_bld_peer) + return ret; + + pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length, + pub_key); + if (pub_key == NULL) { + OSSL_PARAM_BLD_free(param_bld_peer); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY, + pub_key)) { + OPENSSL_LOG(ERR, "Failed to set public key\n"); + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer); + if (!params_peer) { + OSSL_PARAM_BLD_free(param_bld_peer); + BN_free(pub_key); + return ret; + } + + EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL); + if (EVP_PKEY_keygen_init(peer_ctx) != 1) { + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length, + priv_key); + if (priv_key == NULL) { + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + return ret; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, + priv_key)) { + OPENSSL_LOG(ERR, "Failed to set private key\n"); + EVP_PKEY_CTX_free(peer_ctx); + OSSL_PARAM_free(params_peer); + BN_free(pub_key); + BN_free(priv_key); + return ret; + } + + OSSL_PARAM_free(params_peer); + EVP_PKEY_CTX_free(peer_ctx); + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) + goto err_dh; + + if (EVP_PKEY_keygen_init(dh_ctx) != 1) + goto err_dh; + + if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1) + goto err_dh; + + if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1) + goto err_dh; + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) { + OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key)) + goto err_dh; + /* output public key */ + op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data); + } + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) { + + OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__); + if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key)) + goto err_dh; + + /* provide generated private key back to user */ + op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data); + } + + if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) { + size_t skey_len; + EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL); + if (!sc_ctx) + goto err_dh; + + if (EVP_PKEY_derive_init(sc_ctx) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (!peerkey) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + /* Determine buffer length */ + if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) { + EVP_PKEY_CTX_free(sc_ctx); + goto err_dh; + } + + op->shared_secret.length = skey_len; + EVP_PKEY_CTX_free(sc_ctx); + } + + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + + err_dh: + if (pub_key) + BN_free(pub_key); + if (priv_key) + BN_free(priv_key); + if (params) + OSSL_PARAM_free(params); + if (dhpkey) + EVP_PKEY_free(dhpkey); + if (peerkey) + EVP_PKEY_free(peerkey); + + EVP_PKEY_CTX_free(dh_ctx); + + return ret; +} +#else static int process_openssl_dh_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1979,6 +2159,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop, return 0; } +#endif /* process modinv operation */ static int @@ -2313,7 +2494,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, retval = process_openssl_modinv_op(op, sess); break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + retval = process_openssl_dh_op_evp(op, sess); +# else retval = process_openssl_dh_op(op, sess); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index e94e72c12b..6f5267a63a 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -1095,7 +1095,46 @@ static int openssl_set_asym_session_parameters( if (!p || !g) goto err_dh; - DH *dh = DH_new(); + DH *dh = NULL; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD *param_bld = NULL; + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + + OSSL_PARAM_BLD *param_bld_peer = NULL; + param_bld_peer = OSSL_PARAM_BLD_new(); + if (!param_bld_peer) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + OSSL_PARAM_BLD_free(param_bld); + goto err_dh; + } + if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld_peer, + "group", "ffdhe2048", 0)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_P, p)) + || (!OSSL_PARAM_BLD_push_BN(param_bld_peer, + OSSL_PKEY_PARAM_FFC_G, g))) { + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_BLD_free(param_bld_peer); + goto err_dh; + } + + asym_session->u.dh.param_bld = param_bld; + asym_session->u.dh.param_bld_peer = param_bld_peer; +#else + dh = DH_new(); if (dh == NULL) { OPENSSL_LOG(ERR, "failed to allocate resources\n"); @@ -1106,6 +1145,7 @@ static int openssl_set_asym_session_parameters( DH_free(dh); goto err_dh; } +#endif asym_session->u.dh.dh_key = dh; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DH; break; @@ -1261,8 +1301,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) } break; case RTE_CRYPTO_ASYM_XFORM_DH: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.dh.param_bld = NULL; + sess->u.dh.param_bld_peer = NULL; +#else if (sess->u.dh.dh_key) DH_free(sess->u.dh.dh_key); +#endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: if (sess->u.s.dsa) From patchwork Tue Jun 21 15:42:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Ji, Kai" X-Patchwork-Id: 113192 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 4AA73A0545; Tue, 21 Jun 2022 17:42:45 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id BA6E942B74; Tue, 21 Jun 2022 17:42:30 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id 6E9124282C for ; Tue, 21 Jun 2022 17:42:26 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1655826146; x=1687362146; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=5diy7pnVzh22uvy/PmkYJhYF3C2cFqFDjBRiMMADIHs=; b=eRheOvkMBia7nGZcrVpS0JkYrSSPTkGTlivkztmk6w7y6FOIHNNsfClG MjQ9DJ3hlxEianhKlPEcJu1JyrT+f875y0bCnj3EbnMtWPHhM0FJXcB1W bW/SqtKGb3w7HsSKa2RQGUwmOyHhXbJUT9ggEAu+cbAAe0IXOGOqPoP2r koabuEl2ibLkX54IG6RhFnbEPRqwAPedCwQ2kV4jTERoVofAQcwhBIZyA Dq+vgqNpwKQuth4OxK/fo5pYnUyT13KiHtFf+WDNKsirNOgxPt9VVj05u L0oyLCdDhuHMIJ9DJ6SYKKRx4Cu2O8QnwGdWSQ3uMPLApXTbSOGRtSRN0 w==; X-IronPort-AV: E=McAfee;i="6400,9594,10385"; a="305594222" X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="305594222" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2022 08:42:26 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.92,209,1650956400"; d="scan'208";a="729889051" Received: from silpixa00400465.ir.intel.com ([10.55.128.22]) by fmsmga001.fm.intel.com with ESMTP; 21 Jun 2022 08:42:24 -0700 From: Kai Ji To: dev@dpdk.org Cc: gakhil@marvell.com, Kai Ji Subject: [dpdk-dev v5 4/4] crypto/openssl: update on DSA routine with 3.0 EVP API Date: Tue, 21 Jun 2022 23:42:14 +0800 Message-Id: <20220621154214.78176-5-kai.ji@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220621154214.78176-1-kai.ji@intel.com> References: <20220621135536.62679-1-kai.ji@intel.com> <20220621154214.78176-1-kai.ji@intel.com> X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org This patch updates asymmetric DSA routine in crypto openssl pmd to adopt openssl 3.0 EVP apis. Divide the single combined dsa sign test to two individual dsa sign and dsa verfiy tests. Signed-off-by: Kai Ji --- app/test/test_cryptodev_asym.c | 90 ++++++++-- doc/guides/rel_notes/release_22_07.rst | 4 + drivers/crypto/openssl/compat.h | 12 ++ drivers/crypto/openssl/openssl_pmd_private.h | 3 + drivers/crypto/openssl/rte_openssl_pmd.c | 177 ++++++++++++++++++- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 72 +++++++- 6 files changed, 334 insertions(+), 24 deletions(-) diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c index 7bd7cde16e..c9c48d1e87 100644 --- a/app/test/test_cryptodev_asym.c +++ b/app/test/test_cryptodev_asym.c @@ -1642,7 +1642,7 @@ test_dh_keygenration(void) } static int -test_dsa_sign(void) +test_dsa_sign(struct rte_crypto_dsa_op_param *dsa_op) { struct crypto_testsuite_params_asym *ts_params = &testsuite_params; struct rte_mempool *op_mpool = ts_params->op_mpool; @@ -1652,9 +1652,6 @@ test_dsa_sign(void) struct rte_crypto_op *op = NULL, *result_op = NULL; void *sess = NULL; int status = TEST_SUCCESS; - uint8_t r[TEST_DH_MOD_LEN]; - uint8_t s[TEST_DH_MOD_LEN]; - uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344"; int ret; ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess); @@ -1676,6 +1673,7 @@ test_dsa_sign(void) goto error_exit; } asym_op = op->asym; + asym_op->dsa = *dsa_op; debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data, dsa_xform.dsa.p.length); @@ -1689,13 +1687,6 @@ test_dsa_sign(void) /* attach asymmetric crypto session to crypto operations */ rte_crypto_op_attach_asym_session(op, sess); asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_SIGN; - asym_op->dsa.message.data = dgst; - asym_op->dsa.message.length = sizeof(dgst); - asym_op->dsa.r.length = sizeof(r); - asym_op->dsa.r.data = r; - asym_op->dsa.s.length = sizeof(s); - asym_op->dsa.s.data = s; - RTE_LOG(DEBUG, USER1, "Process ASYM operation"); /* Process crypto operation */ @@ -1719,12 +1710,71 @@ test_dsa_sign(void) } asym_op = result_op->asym; + dsa_op->r.length = asym_op->dsa.r.length; + dsa_op->s.length = asym_op->dsa.s.length; debug_hexdump(stdout, "r:", asym_op->dsa.r.data, asym_op->dsa.r.length); debug_hexdump(stdout, "s:", asym_op->dsa.s.data, asym_op->dsa.s.length); +error_exit: + if (sess != NULL) + rte_cryptodev_asym_session_free(dev_id, sess); + if (op != NULL) + rte_crypto_op_free(op); + return status; +} + +static int +test_dsa_verify(struct rte_crypto_dsa_op_param *dsa_op) +{ + struct crypto_testsuite_params_asym *ts_params = &testsuite_params; + struct rte_mempool *op_mpool = ts_params->op_mpool; + struct rte_mempool *sess_mpool = ts_params->session_mpool; + uint8_t dev_id = ts_params->valid_devs[0]; + struct rte_crypto_asym_op *asym_op = NULL; + struct rte_crypto_op *op = NULL, *result_op = NULL; + void *sess = NULL; + int status = TEST_SUCCESS; + int ret; + ret = rte_cryptodev_asym_session_create(dev_id, &dsa_xform, sess_mpool, &sess); + if (ret < 0) { + RTE_LOG(ERR, USER1, + "line %u FAILED: %s", __LINE__, + "Session creation failed"); + status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED; + goto error_exit; + } + /* set up crypto op data structure */ + op = rte_crypto_op_alloc(op_mpool, RTE_CRYPTO_OP_TYPE_ASYMMETRIC); + if (!op) { + RTE_LOG(ERR, USER1, + "line %u FAILED: %s", + __LINE__, "Failed to allocate asymmetric crypto " + "operation struct"); + status = TEST_FAILED; + goto error_exit; + } + asym_op = op->asym; + asym_op->dsa = *dsa_op; + + debug_hexdump(stdout, "p: ", dsa_xform.dsa.p.data, + dsa_xform.dsa.p.length); + debug_hexdump(stdout, "q: ", dsa_xform.dsa.q.data, + dsa_xform.dsa.q.length); + debug_hexdump(stdout, "g: ", dsa_xform.dsa.g.data, + dsa_xform.dsa.g.length); + + /* attach asymmetric crypto session to crypto operations */ + rte_crypto_op_attach_asym_session(op, sess); + + debug_hexdump(stdout, "r:", + asym_op->dsa.r.data, asym_op->dsa.r.length); + debug_hexdump(stdout, "s:", + asym_op->dsa.s.data, asym_op->dsa.s.length); + + RTE_LOG(DEBUG, USER1, "Process ASYM verify operation"); /* Test PMD DSA sign verification using signer public key */ asym_op->dsa.op_type = RTE_CRYPTO_ASYM_OP_VERIFY; @@ -1770,8 +1820,22 @@ static int test_dsa(void) { int status; - status = test_dsa_sign(); - TEST_ASSERT_EQUAL(status, 0, "Test failed"); + uint8_t r[TEST_DH_MOD_LEN]; + uint8_t s[TEST_DH_MOD_LEN]; + struct rte_crypto_dsa_op_param dsa_op; + uint8_t dgst[] = "35d81554afaad2cf18f3a1770d5fedc4ea5be344"; + + dsa_op.message.data = dgst; + dsa_op.message.length = sizeof(dgst); + dsa_op.r.data = r; + dsa_op.s.data = s; + dsa_op.r.length = sizeof(r); + dsa_op.s.length = sizeof(s); + + status = test_dsa_sign(&dsa_op); + TEST_ASSERT_EQUAL(status, 0, "DSA sign test failed"); + status = test_dsa_verify(&dsa_op); + TEST_ASSERT_EQUAL(status, 0, "DSA verify test failed"); return status; } diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst index 6fc044edaa..92eb88d929 100644 --- a/doc/guides/rel_notes/release_22_07.rst +++ b/doc/guides/rel_notes/release_22_07.rst @@ -215,6 +215,10 @@ New Features Merged l3fwd-acl code into l3fwd as l3fwd-acl contains duplicate and common functions to l3fwd. +* **Update Openssl PMD with 3.0 EVP API.** + + Update Openssl PMD deprecated APIs to EVP APIs where supported in Openssl + 3.0 lib. Removed Items ------------- diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h index eecb7d3698..9f9167c4f1 100644 --- a/drivers/crypto/openssl/compat.h +++ b/drivers/crypto/openssl/compat.h @@ -104,6 +104,18 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key) *priv_key = dsa->priv_key; } +#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static __rte_always_inline void +set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s) +{ + DSA_SIG_set0(sign, r, s); +} + +static __rte_always_inline void +get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s) +{ + DSA_SIG_get0(sign, r, s); +} #else static __rte_always_inline int diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h index b952188c9d..5963a67a08 100644 --- a/drivers/crypto/openssl/openssl_pmd_private.h +++ b/drivers/crypto/openssl/openssl_pmd_private.h @@ -184,6 +184,9 @@ struct openssl_asym_session { } dh; struct { DSA *dsa; +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + OSSL_PARAM_BLD * param_bld; +#endif } s; } u; } __rte_cache_aligned; diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 375dc9cfdc..84bca86894 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -2,8 +2,6 @@ * Copyright(c) 2016-2017 Intel Corporation */ -#define OPENSSL_API_COMPAT 0x10100000L - #include #include #include @@ -1764,6 +1762,171 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, } /* process dsa sign operation */ +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) +static int +process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + EVP_PKEY_CTX *dsa_ctx = NULL; + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + EVP_PKEY *pkey = NULL; + OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld; + OSSL_PARAM *params = NULL; + + size_t outlen; + unsigned char *dsa_sign_data; + const unsigned char *dsa_sign_data_p; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + return -1; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, + EVP_PKEY_PUBLIC_KEY, params) <= 0) + goto err_dsa_sign; + + dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!dsa_ctx) + goto err_dsa_sign; + + if (EVP_PKEY_sign_init(dsa_ctx) <= 0) + goto err_dsa_sign; + + if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data, + op->message.length) <= 0) + goto err_dsa_sign; + + if (outlen <= 0) + goto err_dsa_sign; + + dsa_sign_data = OPENSSL_malloc(outlen); + if (!dsa_sign_data) + goto err_dsa_sign; + + if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data, + op->message.length) <= 0) { + free(dsa_sign_data); + goto err_dsa_sign; + } + + dsa_sign_data_p = (const unsigned char *)dsa_sign_data; + DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen); + if (!sign) { + OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__); + free(dsa_sign_data); + goto err_dsa_sign; + } else { + const BIGNUM *r = NULL, *s = NULL; + get_dsa_sign(sign, &r, &s); + + op->r.length = BN_bn2bin(r, op->r.data); + op->s.length = BN_bn2bin(s, op->s.data); + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + } + + DSA_SIG_free(sign); + free(dsa_sign_data); + return 0; + +err_dsa_sign: + if (params) + OSSL_PARAM_free(params); + if (key_ctx) + EVP_PKEY_CTX_free(key_ctx); + if (dsa_ctx) + EVP_PKEY_CTX_free(dsa_ctx); + return -1; +} + +/* process dsa verify operation */ +static int +process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop, + struct openssl_asym_session *sess) +{ + struct rte_crypto_dsa_op_param *op = &cop->asym->dsa; + DSA_SIG *sign = DSA_SIG_new(); + BIGNUM *r = NULL, *s = NULL; + BIGNUM *pub_key = NULL; + OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld; + OSSL_PARAM *params = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *dsa_ctx = NULL; + EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL); + unsigned char *dsa_sig = NULL; + size_t sig_len; + int ret = -1; + + cop->status = RTE_CRYPTO_OP_STATUS_ERROR; + if (!param_bld) { + OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__); + return -1; + } + + r = BN_bin2bn(op->r.data, op->r.length, r); + s = BN_bin2bn(op->s.data, op->s.length, s); + pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key); + if (!r || !s || !pub_key) { + BN_free(r); + BN_free(s); + BN_free(pub_key); + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + set_dsa_sign(sign, r, s); + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (!params) { + OSSL_PARAM_BLD_free(param_bld); + goto err_dsa_verify; + } + + if (key_ctx == NULL + || EVP_PKEY_fromdata_init(key_ctx) <= 0 + || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err_dsa_verify; + + dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL); + if (!dsa_ctx) + goto err_dsa_verify; + + if (!sign) + goto err_dsa_verify; + + sig_len = i2d_DSA_SIG(sign, &dsa_sig); + if (EVP_PKEY_verify_init(dsa_ctx) <= 0) + goto err_dsa_verify; + + ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len, + op->message.data, op->message.length); + if (ret == 1) { + cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS; + ret = 0; + } + +err_dsa_verify: + if (sign) + DSA_SIG_free(sign); + if (params) + OSSL_PARAM_free(params); + if (key_ctx) + EVP_PKEY_CTX_free(key_ctx); + if (dsa_ctx) + EVP_PKEY_CTX_free(dsa_ctx); + + return ret; +} +#else static int process_openssl_dsa_sign_op(struct rte_crypto_op *cop, struct openssl_asym_session *sess) @@ -1845,6 +2008,7 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop, return 0; } +#endif /* process dh operation */ #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) @@ -2501,6 +2665,14 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, #endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) + retval = process_openssl_dsa_sign_op_evp(op, sess); + else if (op->asym->dsa.op_type == + RTE_CRYPTO_ASYM_OP_VERIFY) + retval = + process_openssl_dsa_verify_op_evp(op, sess); +#else if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN) retval = process_openssl_dsa_sign_op(op, sess); else if (op->asym->dsa.op_type == @@ -2509,6 +2681,7 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op, process_openssl_dsa_verify_op(op, sess); else op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; +#endif break; default: op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 6f5267a63a..8d1f8e834a 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -812,13 +812,13 @@ static int openssl_set_asym_session_parameters( struct openssl_asym_session *asym_session, struct rte_crypto_asym_xform *xform) { - int ret = 0; + int ret = -1; if ((xform->xform_type != RTE_CRYPTO_ASYM_XFORM_DH) && (xform->next != NULL)) { OPENSSL_LOG(ERR, "chained xfrms are not supported on %s", rte_crypto_asym_xform_strings[xform->xform_type]); - return -1; + return ret; } switch (xform->xform_type) { @@ -1003,7 +1003,7 @@ static int openssl_set_asym_session_parameters( if (ret) { OPENSSL_LOG(ERR, "Failed to load rsa keys\n"); RSA_free(rsa); - return -1; + return ret; } asym_session->u.r.rsa = rsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA; @@ -1029,7 +1029,7 @@ static int openssl_set_asym_session_parameters( if (ctx == NULL) { OPENSSL_LOG(ERR, " failed to allocate resources\n"); - return -1; + return ret; } BN_CTX_start(ctx); BIGNUM *mod = BN_CTX_get(ctx); @@ -1037,7 +1037,7 @@ static int openssl_set_asym_session_parameters( if (mod == NULL || exp == NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); - return -1; + return ret; } mod = BN_bin2bn((const unsigned char *) @@ -1060,14 +1060,14 @@ static int openssl_set_asym_session_parameters( if (ctx == NULL) { OPENSSL_LOG(ERR, " failed to allocate resources\n"); - return -1; + return ret; } BN_CTX_start(ctx); BIGNUM *mod = BN_CTX_get(ctx); if (mod == NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); - return -1; + return ret; } mod = BN_bin2bn((const unsigned char *) @@ -1158,6 +1158,56 @@ static int openssl_set_asym_session_parameters( } case RTE_CRYPTO_ASYM_XFORM_DSA: { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + BIGNUM *p = NULL, *g = NULL; + BIGNUM *q = NULL, *priv_key = NULL; + BIGNUM *pub_key = BN_new(); + BN_zero(pub_key); + OSSL_PARAM_BLD *param_bld = NULL; + + p = BN_bin2bn((const unsigned char *) + xform->dsa.p.data, + xform->dsa.p.length, + p); + + g = BN_bin2bn((const unsigned char *) + xform->dsa.g.data, + xform->dsa.g.length, + g); + + q = BN_bin2bn((const unsigned char *) + xform->dsa.q.data, + xform->dsa.q.length, + q); + if (!p || !q || !g) + goto err_dsa; + + priv_key = BN_bin2bn((const unsigned char *) + xform->dsa.x.data, + xform->dsa.x.length, + priv_key); + if (priv_key == NULL) + goto err_dsa; + + param_bld = OSSL_PARAM_BLD_new(); + if (!param_bld) { + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dsa; + } + + if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) + || !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_key)) { + OSSL_PARAM_BLD_free(param_bld); + OPENSSL_LOG(ERR, "failed to allocate resources\n"); + goto err_dsa; + } + asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; + asym_session->u.s.param_bld = param_bld; + + break; +#else BIGNUM *p = NULL, *g = NULL; BIGNUM *q = NULL, *priv_key = NULL; BIGNUM *pub_key = BN_new(); @@ -1217,7 +1267,7 @@ static int openssl_set_asym_session_parameters( asym_session->u.s.dsa = dsa; asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_DSA; break; - +#endif err_dsa: BN_free(p); BN_free(q); @@ -1227,7 +1277,7 @@ static int openssl_set_asym_session_parameters( return -1; } default: - return -1; + return ret; } return 0; @@ -1310,8 +1360,12 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess) #endif break; case RTE_CRYPTO_ASYM_XFORM_DSA: +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + sess->u.s.param_bld = NULL; +#else if (sess->u.s.dsa) DSA_free(sess->u.s.dsa); +#endif break; default: break;