#include <rte_common.h>
#include <rte_hexdump.h>
#include <rte_cryptodev.h>
-#include <rte_cryptodev_pmd.h>
+#include <cryptodev_pmd.h>
#include <rte_bus_vdev.h>
#include <rte_malloc.h>
#include <rte_cpuflags.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
-#include "rte_openssl_pmd_private.h"
+#include "openssl_pmd_private.h"
#include "compat.h"
#define DES_BLOCK_SIZE 8
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE 16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_legacy_provider_load(void)
+{
+ /* Load Multiple providers into the default (NULL) library context */
+ legacy = OSSL_PROVIDER_load(NULL, "legacy");
+ if (legacy == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+ return;
+ }
+
+ deflt = OSSL_PROVIDER_load(NULL, "default");
+ if (deflt == NULL) {
+ OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+ OSSL_PROVIDER_unload(legacy);
+ return;
+ }
+}
+
+static void ossl_legacy_provider_unload(void)
+{
+ OSSL_PROVIDER_unload(legacy);
+ OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+digest_name_get(enum rte_crypto_auth_algorithm algo)
+{
+ switch (algo) {
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ return OSSL_DIGEST_NAME_MD5;
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ return OSSL_DIGEST_NAME_SHA1;
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_224;
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_256;
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_384;
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ return OSSL_DIGEST_NAME_SHA2_512;
+ default:
+ return NULL;
+ }
+}
+#endif
+
static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
/*----------------------------------------------------------------------------*/
/** Get session cipher key from input cipher key */
static void
-get_cipher_key(uint8_t *input_key, int keylen, uint8_t *session_key)
+get_cipher_key(const uint8_t *input_key, int keylen, uint8_t *session_key)
{
memcpy(session_key, input_key, keylen);
}
/** Get key ede 24 bytes standard from input key */
static int
-get_cipher_key_ede(uint8_t *key, int keylen, uint8_t *key_ede)
+get_cipher_key_ede(const uint8_t *key, int keylen, uint8_t *key_ede)
{
int res = 0;
static int
openssl_set_sess_aead_enc_param(struct openssl_session *sess,
enum rte_crypto_aead_algorithm algo,
- uint8_t tag_len, uint8_t *key)
+ uint8_t tag_len, const uint8_t *key)
{
int iv_type = 0;
unsigned int do_ccm;
static int
openssl_set_sess_aead_dec_param(struct openssl_session *sess,
enum rte_crypto_aead_algorithm algo,
- uint8_t tag_len, uint8_t *key)
+ uint8_t tag_len, const uint8_t *key)
{
int iv_type = 0;
unsigned int do_ccm = 0;
sess->auth.auth.ctx = EVP_MD_CTX_create();
break;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ case RTE_CRYPTO_AUTH_MD5_HMAC:
+ case RTE_CRYPTO_AUTH_SHA1_HMAC:
+ case RTE_CRYPTO_AUTH_SHA224_HMAC:
+ case RTE_CRYPTO_AUTH_SHA256_HMAC:
+ case RTE_CRYPTO_AUTH_SHA384_HMAC:
+ case RTE_CRYPTO_AUTH_SHA512_HMAC:
+ sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+ OSSL_PARAM params[2];
+ const char *algo;
+ algo = digest_name_get(xform->auth.algo);
+ if (!algo)
+ return -EINVAL;
+ char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+ rte_memcpy(algo_name, algo, (sizeof(algo)+1));
+
+ EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+ EVP_MAC_free(mac);
+ if (get_auth_algo(xform->auth.algo,
+ &sess->auth.hmac.evp_algo) != 0)
+ return -EINVAL;
+
+ params[0] = OSSL_PARAM_construct_utf8_string("digest",
+ algo_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+ if (EVP_MAC_init(sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ params) != 1)
+ return -EINVAL;
+ break;
+# else
case RTE_CRYPTO_AUTH_MD5_HMAC:
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA224_HMAC:
sess->auth.hmac.evp_algo, NULL) != 1)
return -EINVAL;
break;
-
+# endif
default:
return -ENOTSUP;
}
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
break;
default:
break;
} else {
if (likely(op->asym->session != NULL))
asym_sess = (struct openssl_asym_session *)
- get_asym_session_private_data(
- op->asym->session,
- cryptodev_driver_id);
+ op->asym->session->sess_private_data;
if (asym_sess == NULL)
op->status =
RTE_CRYPTO_OP_STATUS_INVALID_SESSION;
return NULL;
/* provide internal session */
- void *_sess = NULL;
+ void *_sess = rte_cryptodev_sym_session_create(qp->sess_mp);
void *_sess_private_data = NULL;
- if (rte_mempool_get(qp->sess_mp, (void **)&_sess))
+ if (_sess == NULL)
return NULL;
if (rte_mempool_get(qp->sess_mp_priv,
*/
static inline int
process_openssl_encryption_update(struct rte_mbuf *mbuf_src, int offset,
- uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx)
+ uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx, uint8_t inplace)
{
struct rte_mbuf *m;
int dstlen;
int l, n = srclen;
- uint8_t *src;
+ uint8_t *src, temp[EVP_CIPHER_CTX_block_size(ctx)];
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
return -1;
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+ if (inplace)
+ *dst = src;
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
n -= l;
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ uint8_t diff = l - dstlen, rem;
+
src = rte_pktmbuf_mtod(m, uint8_t *);
- l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ l = RTE_MIN(rte_pktmbuf_data_len(m), n);
+ if (diff && inplace) {
+ rem = RTE_MIN(l,
+ (EVP_CIPHER_CTX_block_size(ctx) - diff));
+ if (EVP_EncryptUpdate(ctx, temp,
+ &dstlen, src, rem) <= 0)
+ return -1;
+ n -= rem;
+ rte_memcpy(*dst, temp, diff);
+ rte_memcpy(src, temp + diff, rem);
+ src += rem;
+ l -= rem;
+ }
+ if (inplace)
+ *dst = src;
if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
return -1;
*dst += dstlen;
static inline int
process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
- uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx)
+ uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx, uint8_t inplace)
{
struct rte_mbuf *m;
int dstlen;
int l, n = srclen;
- uint8_t *src;
+ uint8_t *src, temp[EVP_CIPHER_CTX_block_size(ctx)];
for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
m = m->next)
return -1;
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+ if (inplace)
+ *dst = src;
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
n -= l;
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ uint8_t diff = l - dstlen, rem;
+
src = rte_pktmbuf_mtod(m, uint8_t *);
- l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ l = RTE_MIN(rte_pktmbuf_data_len(m), n);
+ if (diff && inplace) {
+ rem = RTE_MIN(l,
+ (EVP_CIPHER_CTX_block_size(ctx) - diff));
+ if (EVP_DecryptUpdate(ctx, temp,
+ &dstlen, src, rem) <= 0)
+ return -1;
+ n -= rem;
+ rte_memcpy(*dst, temp, diff);
+ rte_memcpy(src, temp + diff, rem);
+ src += rem;
+ l -= rem;
+ }
+ if (inplace)
+ *dst = src;
if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
return -1;
*dst += dstlen;
/** Process standard openssl cipher encryption */
static int
process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
- int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
+ int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx,
+ uint8_t inplace)
{
int totlen;
EVP_CIPHER_CTX_set_padding(ctx, 0);
if (process_openssl_encryption_update(mbuf_src, offset, &dst,
- srclen, ctx))
+ srclen, ctx, inplace))
goto process_cipher_encrypt_err;
if (EVP_EncryptFinal_ex(ctx, dst, &totlen) <= 0)
/** Process standard openssl cipher decryption */
static int
process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
- int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx)
+ int offset, uint8_t *iv, int srclen, EVP_CIPHER_CTX *ctx,
+ uint8_t inplace)
{
int totlen;
EVP_CIPHER_CTX_set_padding(ctx, 0);
if (process_openssl_decryption_update(mbuf_src, offset, &dst,
- srclen, ctx))
+ srclen, ctx, inplace))
goto process_cipher_decrypt_err;
if (EVP_DecryptFinal_ex(ctx, dst, &totlen) <= 0)
if (srclen > 0)
if (process_openssl_encryption_update(mbuf_src, offset, &dst,
- srclen, ctx))
+ srclen, ctx, 0))
goto process_auth_encryption_gcm_err;
/* Workaround open ssl bug in version less then 1.0.1f */
if (EVP_EncryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0)
goto process_auth_encryption_ccm_err;
- if (srclen > 0)
+ if (srclen >= 0)
if (process_openssl_encryption_update(mbuf_src, offset, &dst,
- srclen, ctx))
+ srclen, ctx, 0))
goto process_auth_encryption_ccm_err;
if (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)
if (srclen > 0)
if (process_openssl_decryption_update(mbuf_src, offset, &dst,
- srclen, ctx))
+ srclen, ctx, 0))
goto process_auth_decryption_gcm_err;
/* Workaround open ssl bug in version less then 1.0.1f */
if (EVP_DecryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0)
goto process_auth_decryption_ccm_err;
- if (srclen > 0)
+ if (srclen >= 0)
if (process_openssl_decryption_update(mbuf_src, offset, &dst,
- srclen, ctx))
+ srclen, ctx, 0))
return -EFAULT;
return 0;
return -EINVAL;
}
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+ int srclen, EVP_MAC_CTX *ctx)
+{
+ size_t dstlen;
+ struct rte_mbuf *m;
+ int l, n = srclen;
+ uint8_t *src;
+
+ for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+ m = m->next)
+ offset -= rte_pktmbuf_data_len(m);
+
+ if (m == 0)
+ goto process_auth_err;
+
+ src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+ l = rte_pktmbuf_data_len(m) - offset;
+ if (srclen <= l) {
+ if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+ goto process_auth_err;
+ goto process_auth_final;
+ }
+
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+
+ n -= l;
+
+ for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+ src = rte_pktmbuf_mtod(m, uint8_t *);
+ l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+ if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+ goto process_auth_err;
+ n -= l;
+ }
+
+process_auth_final:
+ if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+ goto process_auth_err;
+
+ EVP_MAC_CTX_free(ctx);
+ return 0;
+
+process_auth_err:
+ EVP_MAC_CTX_free(ctx);
+ OPENSSL_LOG(ERR, "Process openssl auth failed");
+ return -EINVAL;
+}
+# else
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
OPENSSL_LOG(ERR, "Process openssl auth failed");
return -EINVAL;
}
-
+# endif
/*----------------------------------------------------------------------------*/
/** Process auth/cipher combined operation */
{
uint8_t *dst, *iv;
int srclen, status;
+ uint8_t inplace = (mbuf_src == mbuf_dst) ? 1 : 0;
+ EVP_CIPHER_CTX *ctx_copy;
/*
- * Segmented destination buffer is not supported for
- * encryption/decryption
+ * Segmented OOP destination buffer is not supported for encryption/
+ * decryption. In case of des3ctr, even inplace segmented buffers are
+ * not supported.
*/
- if (!rte_pktmbuf_is_contiguous(mbuf_dst)) {
+ if (!rte_pktmbuf_is_contiguous(mbuf_dst) &&
+ (!inplace || sess->cipher.mode != OPENSSL_CIPHER_LIB)) {
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
return;
}
iv = rte_crypto_op_ctod_offset(op, uint8_t *,
sess->iv.offset);
+ ctx_copy = EVP_CIPHER_CTX_new();
+ EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
status = process_openssl_cipher_encrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
- srclen, sess->cipher.ctx);
+ srclen, ctx_copy, inplace);
else
status = process_openssl_cipher_decrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
- srclen, sess->cipher.ctx);
+ srclen, ctx_copy, inplace);
else
status = process_openssl_cipher_des3ctr(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
sess->cipher.key.data, srclen,
- sess->cipher.ctx);
+ ctx_copy);
+ EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0)
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
}
/* Encrypt with the block aligned stream with CBC mode */
status = process_openssl_cipher_encrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
- srclen, sess->cipher.ctx);
+ srclen, sess->cipher.ctx, 0);
if (last_block_len) {
/* Point at last block */
dst += srclen;
/* Decrypt with CBC mode */
status |= process_openssl_cipher_decrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
- srclen, sess->cipher.ctx);
+ srclen, sess->cipher.ctx, 0);
}
}
{
uint8_t *dst;
int srclen, status;
+ EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MAC_CTX *ctx_h;
+ EVP_MAC *mac;
+# else
+ HMAC_CTX *ctx_h;
+# endif
srclen = op->sym->auth.data.length;
switch (sess->auth.mode) {
case OPENSSL_AUTH_AS_AUTH:
+ ctx_a = EVP_MD_CTX_create();
+ EVP_MD_CTX_copy_ex(ctx_a, sess->auth.auth.ctx);
status = process_openssl_auth(mbuf_src, dst,
op->sym->auth.data.offset, NULL, NULL, srclen,
- sess->auth.auth.ctx, sess->auth.auth.evp_algo);
+ ctx_a, sess->auth.auth.evp_algo);
+ EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ ctx_h = EVP_MAC_CTX_new(mac);
+ ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+ EVP_MAC_free(mac);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
- sess->auth.hmac.ctx);
+ ctx_h);
+# else
+ ctx_h = HMAC_CTX_new();
+ HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
+ status = process_openssl_auth_hmac(mbuf_src, dst,
+ op->sym->auth.data.offset, srclen,
+ ctx_h);
+ HMAC_CTX_free(ctx_h);
+# endif
break;
default:
status = -1;
}
if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) {
- if (memcmp(dst, op->sym->auth.digest.data,
+ if (CRYPTO_memcmp(dst, op->sym->auth.digest.data,
sess->auth.digest_length) != 0) {
op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
}
}
/* process dsa sign operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dsa_sign_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ EVP_PKEY *pkey = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+
+ size_t outlen;
+ unsigned char *dsa_sign_data;
+ const unsigned char *dsa_sign_data_p;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ return -1;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey,
+ EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ goto err_dsa_sign;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign_init(dsa_ctx) <= 0)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, NULL, &outlen, op->message.data,
+ op->message.length) <= 0)
+ goto err_dsa_sign;
+
+ if (outlen <= 0)
+ goto err_dsa_sign;
+
+ dsa_sign_data = OPENSSL_malloc(outlen);
+ if (!dsa_sign_data)
+ goto err_dsa_sign;
+
+ if (EVP_PKEY_sign(dsa_ctx, dsa_sign_data, &outlen, op->message.data,
+ op->message.length) <= 0) {
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ }
+
+ dsa_sign_data_p = (const unsigned char *)dsa_sign_data;
+ DSA_SIG *sign = d2i_DSA_SIG(NULL, &dsa_sign_data_p, outlen);
+ if (!sign) {
+ OPENSSL_LOG(ERR, "%s:%d\n", __func__, __LINE__);
+ free(dsa_sign_data);
+ goto err_dsa_sign;
+ } else {
+ const BIGNUM *r = NULL, *s = NULL;
+ get_dsa_sign(sign, &r, &s);
+
+ op->r.length = BN_bn2bin(r, op->r.data);
+ op->s.length = BN_bn2bin(s, op->s.data);
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ }
+
+ DSA_SIG_free(sign);
+ free(dsa_sign_data);
+ return 0;
+
+err_dsa_sign:
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+ return -1;
+}
+
+/* process dsa verify operation */
+static int
+process_openssl_dsa_verify_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dsa_op_param *op = &cop->asym->dsa;
+ DSA_SIG *sign = DSA_SIG_new();
+ BIGNUM *r = NULL, *s = NULL;
+ BIGNUM *pub_key = NULL;
+ OSSL_PARAM_BLD *param_bld = sess->u.s.param_bld;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *dsa_ctx = NULL;
+ EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
+ unsigned char *dsa_sig = NULL;
+ size_t sig_len;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ if (!param_bld) {
+ OPENSSL_LOG(ERR, " %s:%d\n", __func__, __LINE__);
+ return -1;
+ }
+
+ r = BN_bin2bn(op->r.data, op->r.length, r);
+ s = BN_bin2bn(op->s.data, op->s.length, s);
+ pub_key = BN_bin2bn(op->y.data, op->y.length, pub_key);
+ if (!r || !s || !pub_key) {
+ BN_free(r);
+ BN_free(s);
+ BN_free(pub_key);
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ set_dsa_sign(sign, r, s);
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY, pub_key)) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params) {
+ OSSL_PARAM_BLD_free(param_bld);
+ goto err_dsa_verify;
+ }
+
+ if (key_ctx == NULL
+ || EVP_PKEY_fromdata_init(key_ctx) <= 0
+ || EVP_PKEY_fromdata(key_ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+ goto err_dsa_verify;
+
+ dsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (!dsa_ctx)
+ goto err_dsa_verify;
+
+ if (!sign)
+ goto err_dsa_verify;
+
+ sig_len = i2d_DSA_SIG(sign, &dsa_sig);
+ if (EVP_PKEY_verify_init(dsa_ctx) <= 0)
+ goto err_dsa_verify;
+
+ ret = EVP_PKEY_verify(dsa_ctx, dsa_sig, sig_len,
+ op->message.data, op->message.length);
+ if (ret == 1) {
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+ }
+
+err_dsa_verify:
+ if (sign)
+ DSA_SIG_free(sign);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (key_ctx)
+ EVP_PKEY_CTX_free(key_ctx);
+ if (dsa_ctx)
+ EVP_PKEY_CTX_free(dsa_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dsa_sign_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
return 0;
}
+#endif
/* process dh operation */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+ OSSL_PARAM_BLD *param_bld_peer = sess->u.dh.param_bld_peer;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ EVP_PKEY *peerkey = NULL;
+ BIGNUM *priv_key = NULL;
+ BIGNUM *pub_key = NULL;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+ EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (dh_ctx == NULL || param_bld == NULL)
+ return ret;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ OSSL_PARAM *params_peer = NULL;
+
+ if (!param_bld_peer)
+ return ret;
+
+ pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+ pub_key);
+ if (pub_key == NULL) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld_peer, OSSL_PKEY_PARAM_PUB_KEY,
+ pub_key)) {
+ OPENSSL_LOG(ERR, "Failed to set public key\n");
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ params_peer = OSSL_PARAM_BLD_to_param(param_bld_peer);
+ if (!params_peer) {
+ OSSL_PARAM_BLD_free(param_bld_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ EVP_PKEY_CTX *peer_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+ if (EVP_PKEY_keygen_init(peer_ctx) != 1) {
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_CTX_set_params(peer_ctx, params_peer) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (EVP_PKEY_keygen(peer_ctx, &peerkey) != 1) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+ priv_key);
+ if (priv_key == NULL) {
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ return ret;
+ }
+
+ if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+ priv_key)) {
+ OPENSSL_LOG(ERR, "Failed to set private key\n");
+ EVP_PKEY_CTX_free(peer_ctx);
+ OSSL_PARAM_free(params_peer);
+ BN_free(pub_key);
+ BN_free(priv_key);
+ return ret;
+ }
+
+ OSSL_PARAM_free(params_peer);
+ EVP_PKEY_CTX_free(peer_ctx);
+ }
+
+ params = OSSL_PARAM_BLD_to_param(param_bld);
+ if (!params)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+ goto err_dh;
+
+ if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+ goto err_dh;
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
+ OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+ goto err_dh;
+ /* output public key */
+ op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
+
+ OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+ if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+ goto err_dh;
+
+ /* provide generated private key back to user */
+ op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+ }
+
+ if (op->ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
+ size_t skey_len;
+ EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new(dhpkey, NULL);
+ if (!sc_ctx)
+ goto err_dh;
+
+ if (EVP_PKEY_derive_init(sc_ctx) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (!peerkey) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ /* Determine buffer length */
+ if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+ EVP_PKEY_CTX_free(sc_ctx);
+ goto err_dh;
+ }
+
+ op->shared_secret.length = skey_len;
+ EVP_PKEY_CTX_free(sc_ctx);
+ }
+
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+ ret = 0;
+
+ err_dh:
+ if (pub_key)
+ BN_free(pub_key);
+ if (priv_key)
+ BN_free(priv_key);
+ if (params)
+ OSSL_PARAM_free(params);
+ if (dhpkey)
+ EVP_PKEY_free(dhpkey);
+ if (peerkey)
+ EVP_PKEY_free(peerkey);
+
+ EVP_PKEY_CTX_free(dh_ctx);
+
+ return ret;
+}
+#else
static int
process_openssl_dh_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
{
struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+ struct rte_crypto_asym_op *asym_op = cop->asym;
DH *dh_key = sess->u.dh.dh_key;
BIGNUM *priv_key = NULL;
int ret = 0;
- if (sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+ if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_SHARED_SECRET_COMPUTE) {
/* compute shared secret using peer public key
* and current private key
* shared secret = peer_key ^ priv_key mod p
* if user provides private key,
* then first set DH with user provided private key
*/
- if ((sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) &&
- !(sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) {
+ if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE &&
+ op->priv_key.length) {
/* generate public key using user-provided private key
* pub_key = g ^ priv_key mod p
*/
return 0;
}
- if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) {
+ if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PUB_KEY_GENERATE) {
const BIGNUM *pub_key = NULL;
OPENSSL_LOG(DEBUG, "%s:%d update public key\n",
op->pub_key.data);
}
- if (sess->u.dh.key_op &
- (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) {
+ if (asym_op->dh.ke_type == RTE_CRYPTO_ASYM_KE_PRIV_KEY_GENERATE) {
const BIGNUM *priv_key = NULL;
OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n",
return 0;
}
+#endif
/* process modinv operation */
static int
}
/* process rsa operations */
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+ struct openssl_asym_session *sess)
+{
+ struct rte_crypto_asym_op *op = cop->asym;
+ uint32_t pad = (op->rsa.padding.type);
+ uint8_t *tmp;
+ size_t outlen = 0;
+ int ret = -1;
+
+ cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+ EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+ if (!rsa_ctx)
+ return ret;
+
+ switch (pad) {
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+ pad = RSA_PKCS1_PADDING;
+ break;
+ case RTE_CRYPTO_RSA_PADDING_NONE:
+ pad = RSA_NO_PADDING;
+ break;
+ default:
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ OPENSSL_LOG(ERR,
+ "rsa pad type not supported %d\n", pad);
+ return ret;
+ }
+
+ switch (op->rsa.op_type) {
+ case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+ if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.cipher.length = outlen;
+
+ OPENSSL_LOG(DEBUG,
+ "length of encrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_DECRYPT:
+ if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+
+ if (outlen <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+ op->rsa.cipher.data,
+ op->rsa.cipher.length) <= 0)
+ goto err_rsa;
+ op->rsa.message.length = outlen;
+
+ OPENSSL_LOG(DEBUG, "length of decrypted text %zu\n", outlen);
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_SIGN:
+ if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+ goto err_rsa;
+
+ if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+ op->rsa.message.data,
+ op->rsa.message.length) <= 0)
+ goto err_rsa;
+ op->rsa.sign.length = outlen;
+ break;
+
+ case RTE_CRYPTO_ASYM_OP_VERIFY:
+ tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+ if (tmp == NULL) {
+ OPENSSL_LOG(ERR, "Memory allocation failed");
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+ op->rsa.sign.data,
+ op->rsa.sign.length) <= 0) {
+ rte_free(tmp);
+ goto err_rsa;
+ }
+
+ OPENSSL_LOG(DEBUG,
+ "Length of public_decrypt %zu "
+ "length of message %zd\n",
+ outlen, op->rsa.message.length);
+ if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+ op->rsa.message.length)) {
+ OPENSSL_LOG(ERR, "RSA sign Verification failed");
+ }
+ rte_free(tmp);
+ break;
+
+ default:
+ /* allow ops with invalid args to be pushed to
+ * completion queue
+ */
+ cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ goto err_rsa;
+ }
+
+ ret = 0;
+ cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+err_rsa:
+ return ret;
+
+}
+#else
static int
process_openssl_rsa_op(struct rte_crypto_op *cop,
struct openssl_asym_session *sess)
int ret = 0;
struct rte_crypto_asym_op *op = cop->asym;
RSA *rsa = sess->u.r.rsa;
- uint32_t pad = (op->rsa.pad);
+ uint32_t pad = (op->rsa.padding.type);
uint8_t *tmp;
cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
switch (pad) {
- case RTE_CRYPTO_RSA_PKCS1_V1_5_BT0:
- case RTE_CRYPTO_RSA_PKCS1_V1_5_BT1:
- case RTE_CRYPTO_RSA_PKCS1_V1_5_BT2:
+ case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
pad = RSA_PKCS1_PADDING;
break;
case RTE_CRYPTO_RSA_PADDING_NONE:
case RTE_CRYPTO_ASYM_OP_ENCRYPT:
ret = RSA_public_encrypt(op->rsa.message.length,
op->rsa.message.data,
- op->rsa.message.data,
+ op->rsa.cipher.data,
rsa,
pad);
if (ret > 0)
- op->rsa.message.length = ret;
+ op->rsa.cipher.length = ret;
OPENSSL_LOG(DEBUG,
"length of encrypted text %d\n", ret);
break;
case RTE_CRYPTO_ASYM_OP_DECRYPT:
- ret = RSA_private_decrypt(op->rsa.message.length,
- op->rsa.message.data,
+ ret = RSA_private_decrypt(op->rsa.cipher.length,
+ op->rsa.cipher.data,
op->rsa.message.data,
rsa,
pad);
"Length of public_decrypt %d "
"length of message %zd\n",
ret, op->rsa.message.length);
- if ((ret <= 0) || (memcmp(tmp, op->rsa.message.data,
+ if ((ret <= 0) || (CRYPTO_memcmp(tmp, op->rsa.message.data,
op->rsa.message.length))) {
OPENSSL_LOG(ERR, "RSA sign Verification failed");
cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
return 0;
}
+#endif
static int
process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
switch (sess->xfrm_type) {
case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_rsa_op_evp(op, sess);
+# else
retval = process_openssl_rsa_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_MODEX:
retval = process_openssl_modexp_op(op, sess);
retval = process_openssl_modinv_op(op, sess);
break;
case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ retval = process_openssl_dh_op_evp(op, sess);
+# else
retval = process_openssl_dh_op(op, sess);
+#endif
break;
case RTE_CRYPTO_ASYM_XFORM_DSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
+ retval = process_openssl_dsa_sign_op_evp(op, sess);
+ else if (op->asym->dsa.op_type ==
+ RTE_CRYPTO_ASYM_OP_VERIFY)
+ retval =
+ process_openssl_dsa_verify_op_evp(op, sess);
+#else
if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
retval = process_openssl_dsa_sign_op(op, sess);
else if (op->asym->dsa.op_type ==
process_openssl_dsa_verify_op(op, sess);
else
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+#endif
break;
default:
op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
return retval;
}
+static void
+copy_plaintext(struct rte_mbuf *m_src, struct rte_mbuf *m_dst,
+ struct rte_crypto_op *op)
+{
+ uint8_t *p_src, *p_dst;
+
+ p_src = rte_pktmbuf_mtod(m_src, uint8_t *);
+ p_dst = rte_pktmbuf_mtod(m_dst, uint8_t *);
+
+ /**
+ * Copy the content between cipher offset and auth offset
+ * for generating correct digest.
+ */
+ if (op->sym->cipher.data.offset > op->sym->auth.data.offset)
+ memcpy(p_dst + op->sym->auth.data.offset,
+ p_src + op->sym->auth.data.offset,
+ op->sym->cipher.data.offset -
+ op->sym->auth.data.offset);
+}
+
/** Process crypto operation for mbuf */
static int
process_op(struct openssl_qp *qp, struct rte_crypto_op *op,
break;
case OPENSSL_CHAIN_CIPHER_AUTH:
process_openssl_cipher_op(op, sess, msrc, mdst);
+ /* OOP */
+ if (msrc != mdst)
+ copy_plaintext(msrc, mdst, op);
process_openssl_auth_op(qp, op, sess, mdst, mdst);
break;
case OPENSSL_CHAIN_AUTH_CIPHER:
dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
RTE_CRYPTODEV_FF_CPU_AESNI |
+ RTE_CRYPTODEV_FF_IN_PLACE_SGL |
RTE_CRYPTODEV_FF_OOP_SGL_IN_LB_OUT |
RTE_CRYPTODEV_FF_OOP_LB_IN_LB_OUT |
- RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO;
+ RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO |
+ RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_EXP |
+ RTE_CRYPTODEV_FF_RSA_PRIV_OP_KEY_QT |
+ RTE_CRYPTODEV_FF_SYM_SESSIONLESS;
- /* Set vector instructions mode supported */
internals = dev->data->dev_private;
internals->max_nb_qpairs = init_params->max_nb_queue_pairs;
+ rte_cryptodev_pmd_probing_finish(dev);
+
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ /* Load legacy provider
+ * Some algorithms are no longer available in earlier version of openssl,
+ * unless the legacy provider explicitly loaded. e.g. DES
+ */
+ ossl_legacy_provider_load();
+# endif
return 0;
init_error:
if (cryptodev == NULL)
return -ENODEV;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ ossl_legacy_provider_unload();
+# endif
return rte_cryptodev_pmd_destroy(cryptodev);
}
"socket_id=<int>");
RTE_PMD_REGISTER_CRYPTO_DRIVER(openssl_crypto_drv,
cryptodev_openssl_pmd_drv.driver, cryptodev_driver_id);
-
-RTE_INIT(openssl_init_log)
-{
- openssl_logtype_driver = rte_log_register("pmd.crypto.openssl");
-}
+RTE_LOG_REGISTER_DEFAULT(openssl_logtype_driver, INFO);
git.droids-corp.org / dpdk.git / blobdiff