crypto/openssl: update HMAC routine with 3.0 EVP API

This patch update the symmetric HMAC routine in crypto openssl
pmd to adopt openssl 3.0 EVP apis.

Signed-off-by: Kai Ji <kai.ji@intel.com>
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index b2054b37540b6e696a73720589dc0aef56f8ac74..6bcfb584a46f686156b5242f0fd22365fad29d73 100644 (file)
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -134,7 +134,11 @@ struct openssl_session {
                                /**< pointer to EVP key */
                                const EVP_MD *evp_algo;
                                /**< pointer to EVP algorithm function */
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                               EVP_MAC_CTX * ctx;
+# else
                                HMAC_CTX *ctx;
+# endif
                                /**< pointer to EVP context structure */
                        } hmac;
                };

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6ac2dfff5a5f701e3a41080efcc003be0eda043d..06ede435dd1a4a0024b3e36bfda8e35c47cea956 100644 (file)
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 }
 #endif
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+
+#define MAX_OSSL_ALGO_NAME_SIZE                16
+
+OSSL_PROVIDER *legacy;
+OSSL_PROVIDER *deflt;
+
+static void ossl_legacy_provider_load(void)
+{
+       /* Load Multiple providers into the default (NULL) library context */
+       legacy = OSSL_PROVIDER_load(NULL, "legacy");
+       if (legacy == NULL) {
+               OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
+               return;
+       }
+
+       deflt = OSSL_PROVIDER_load(NULL, "default");
+       if (deflt == NULL) {
+               OPENSSL_LOG(ERR, "Failed to load Default provider\n");
+               OSSL_PROVIDER_unload(legacy);
+               return;
+       }
+}
+
+static void ossl_legacy_provider_unload(void)
+{
+       OSSL_PROVIDER_unload(legacy);
+       OSSL_PROVIDER_unload(deflt);
+}
+
+static __rte_always_inline const char *
+digest_name_get(enum rte_crypto_auth_algorithm algo)
+{
+       switch (algo) {
+       case RTE_CRYPTO_AUTH_MD5_HMAC:
+               return OSSL_DIGEST_NAME_MD5;
+       case RTE_CRYPTO_AUTH_SHA1_HMAC:
+               return OSSL_DIGEST_NAME_SHA1;
+       case RTE_CRYPTO_AUTH_SHA224_HMAC:
+               return OSSL_DIGEST_NAME_SHA2_224;
+       case RTE_CRYPTO_AUTH_SHA256_HMAC:
+               return OSSL_DIGEST_NAME_SHA2_256;
+       case RTE_CRYPTO_AUTH_SHA384_HMAC:
+               return OSSL_DIGEST_NAME_SHA2_384;
+       case RTE_CRYPTO_AUTH_SHA512_HMAC:
+               return OSSL_DIGEST_NAME_SHA2_512;
+       default:
+               return NULL;
+       }
+}
+#endif
+
 static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
 
 /*----------------------------------------------------------------------------*/
@@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
                sess->auth.auth.ctx = EVP_MD_CTX_create();
                break;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+       case RTE_CRYPTO_AUTH_MD5_HMAC:
+       case RTE_CRYPTO_AUTH_SHA1_HMAC:
+       case RTE_CRYPTO_AUTH_SHA224_HMAC:
+       case RTE_CRYPTO_AUTH_SHA256_HMAC:
+       case RTE_CRYPTO_AUTH_SHA384_HMAC:
+       case RTE_CRYPTO_AUTH_SHA512_HMAC:
+               sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
+
+               OSSL_PARAM params[2];
+               const char *algo;
+               algo = digest_name_get(xform->auth.algo);
+               if (!algo)
+                       return -EINVAL;
+               char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
+               rte_memcpy(algo_name, algo, (sizeof(algo)+1));
+
+               EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+               sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
+               EVP_MAC_free(mac);
+               if (get_auth_algo(xform->auth.algo,
+                               &sess->auth.hmac.evp_algo) != 0)
+                       return -EINVAL;
+
+               params[0] = OSSL_PARAM_construct_utf8_string("digest",
+                                       algo_name, 0);
+               params[1] = OSSL_PARAM_construct_end();
+               if (EVP_MAC_init(sess->auth.hmac.ctx,
+                               xform->auth.key.data,
+                               xform->auth.key.length,
+                               params) != 1)
+                       return -EINVAL;
+               break;
+# else
        case RTE_CRYPTO_AUTH_MD5_HMAC:
        case RTE_CRYPTO_AUTH_SHA1_HMAC:
        case RTE_CRYPTO_AUTH_SHA224_HMAC:
@@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
                                sess->auth.hmac.evp_algo, NULL) != 1)
                        return -EINVAL;
                break;
-
+# endif
        default:
                return -ENOTSUP;
        }
@@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
                break;
        case OPENSSL_AUTH_AS_HMAC:
                EVP_PKEY_free(sess->auth.hmac.pkey);
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               EVP_MAC_CTX_free(sess->auth.hmac.ctx);
+# else
                HMAC_CTX_free(sess->auth.hmac.ctx);
+# endif
                break;
        default:
                break;
@@ -1262,6 +1355,59 @@ process_auth_err:
        return -EINVAL;
 }
 
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/** Process standard openssl auth algorithms with hmac */
+static int
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
+               int srclen, EVP_MAC_CTX *ctx)
+{
+       size_t dstlen;
+       struct rte_mbuf *m;
+       int l, n = srclen;
+       uint8_t *src;
+
+       for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+                       m = m->next)
+               offset -= rte_pktmbuf_data_len(m);
+
+       if (m == 0)
+               goto process_auth_err;
+
+       src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+       l = rte_pktmbuf_data_len(m) - offset;
+       if (srclen <= l) {
+               if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
+                       goto process_auth_err;
+               goto process_auth_final;
+       }
+
+       if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+               goto process_auth_err;
+
+       n -= l;
+
+       for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+               src = rte_pktmbuf_mtod(m, uint8_t *);
+               l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+               if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
+                       goto process_auth_err;
+               n -= l;
+       }
+
+process_auth_final:
+       if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
+               goto process_auth_err;
+
+       EVP_MAC_CTX_free(ctx);
+       return 0;
+
+process_auth_err:
+       EVP_MAC_CTX_free(ctx);
+       OPENSSL_LOG(ERR, "Process openssl auth failed");
+       return -EINVAL;
+}
+# else
 /** Process standard openssl auth algorithms with hmac */
 static int
 process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
@@ -1314,7 +1460,7 @@ process_auth_err:
        OPENSSL_LOG(ERR, "Process openssl auth failed");
        return -EINVAL;
 }
-
+# endif
 /*----------------------------------------------------------------------------*/
 
 /** Process auth/cipher combined operation */
@@ -1328,7 +1474,6 @@ process_openssl_combined_op
        int srclen, aadlen, status = -1;
        uint32_t offset;
        uint8_t taglen;
-       EVP_CIPHER_CTX *ctx_copy;
 
        /*
         * Segmented destination buffer is not supported for
@@ -1365,8 +1510,6 @@ process_openssl_combined_op
        }
 
        taglen = sess->auth.digest_length;
-       ctx_copy = EVP_CIPHER_CTX_new();
-       EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
        if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
                if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1374,12 +1517,12 @@ process_openssl_combined_op
                        status = process_openssl_auth_encryption_gcm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, ctx_copy);
+                                       dst, tag, sess->cipher.ctx);
                else
                        status = process_openssl_auth_encryption_ccm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, taglen, ctx_copy);
+                                       dst, tag, taglen, sess->cipher.ctx);
 
        } else {
                if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1387,15 +1530,14 @@ process_openssl_combined_op
                        status = process_openssl_auth_decryption_gcm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, ctx_copy);
+                                       dst, tag, sess->cipher.ctx);
                else
                        status = process_openssl_auth_decryption_ccm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, taglen, ctx_copy);
+                                       dst, tag, taglen, sess->cipher.ctx);
        }
 
-       EVP_CIPHER_CTX_free(ctx_copy);
        if (status != 0) {
                if (status == (-EFAULT) &&
                                sess->auth.operation ==
@@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
        uint8_t *dst;
        int srclen, status;
        EVP_MD_CTX *ctx_a;
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       EVP_MAC_CTX *ctx_h;
+       EVP_MAC *mac;
+# else
        HMAC_CTX *ctx_h;
+# endif
 
        srclen = op->sym->auth.data.length;
 
@@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
                EVP_MD_CTX_destroy(ctx_a);
                break;
        case OPENSSL_AUTH_AS_HMAC:
+# if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+               ctx_h = EVP_MAC_CTX_new(mac);
+               ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
+               EVP_MAC_free(mac);
+               status = process_openssl_auth_hmac(mbuf_src, dst,
+                               op->sym->auth.data.offset, srclen,
+                               ctx_h);
+# else
                ctx_h = HMAC_CTX_new();
                HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
                status = process_openssl_auth_hmac(mbuf_src, dst,
                                op->sym->auth.data.offset, srclen,
                                ctx_h);
                HMAC_CTX_free(ctx_h);
+# endif
                break;
        default:
                status = -1;
@@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
 
        rte_cryptodev_pmd_probing_finish(dev);
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+       /* Load legacy provider
+        * Some algorithms are no longer available in earlier version of openssl,
+        * unless the legacy provider explicitly loaded. e.g. DES
+        */
+       ossl_legacy_provider_load();
+# endif
        return 0;
 
 init_error:
@@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device *vdev)
        if (cryptodev == NULL)
                return -ENODEV;
 
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+       ossl_legacy_provider_unload();
+# endif
        return rte_cryptodev_pmd_destroy(cryptodev);
 }