* Copyright(c) 2016-2017 Intel Corporation
*/
-#define OPENSSL_API_COMPAT 0x10100000L
-
#include <rte_common.h>
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
#include <openssl/provider.h>
#include <openssl/core_names.h>
+#include <openssl/param_build.h>
#define MAX_OSSL_ALGO_NAME_SIZE 16
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
return 0;
}
+#endif
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
return 0;
}
+#endif
/* process modinv operation */
static int
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
process_openssl_dsa_verify_op(op, sess);
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+#endif
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;