> Subject: [EXT] [dpdk-dev v4 1/4] crypto/openssl: 3.0 EVP update on HMAC
> routine
Title should be
Crypto/openssl: update HMAC routine with 3.0 EVP API
>
> This patch update the symmetric HMAC routine in crypto openssl
> pmd to adopt openssl 3.0 EVP apis.
>
> Signed-off-by: Kai Ji <kai...@intel.com>
> ---
> drivers/crypto/openssl/openssl_pmd_private.h | 4 +
> drivers/crypto/openssl/rte_openssl_pmd.c | 187 ++++++++++++++++++-
> 2 files changed, 181 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h
> b/drivers/crypto/openssl/openssl_pmd_private.h
> index b2054b3754..86dc169aaf 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -134,8 +134,12 @@ struct openssl_session {
> /**< pointer to EVP key */
> const EVP_MD *evp_algo;
> /**< pointer to EVP algorithm function */
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + EVP_MAC_CTX * ctx;
> +# else
> HMAC_CTX *ctx;
> /**< pointer to EVP context structure */
> +# endif
Endif should be above comment.
> } hmac;
> };
>
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
> b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 6ac2dfff5a..5dbe6074eb 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -41,6 +41,61 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
> }
> #endif
>
> +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> +
> +#include <openssl/provider.h>
> +#include <openssl/core_names.h>
> +
> +#define MAX_OSSL_ALGO_NAME_SIZE 16
> +
> +OSSL_PROVIDER *legacy;
> +OSSL_PROVIDER *deflt;
> +
> +static void ossl_load_legacy_provider(void)
Static void should be separate line.
Check for other functions as well.
verb should be in the end
Ossl_legacy_provider_load/unload
> +{
> + /* Load Multiple providers into the default (NULL) library context */
> + legacy = OSSL_PROVIDER_load(NULL, "legacy");
> + if (legacy == NULL) {
> + OPENSSL_LOG(ERR, "Failed to load Legacy provider\n");
> + return;
> + }
> +
> + deflt = OSSL_PROVIDER_load(NULL, "default");
> + if (deflt == NULL) {
> + OPENSSL_LOG(ERR, "Failed to load Default provider\n");
> + OSSL_PROVIDER_unload(legacy);
> + return;
> + }
> +}
> +
> +static void ossl_unload_legacy_provider(void)
> +{
> + OSSL_PROVIDER_unload(legacy);
> + OSSL_PROVIDER_unload(deflt);
> +}
> +
> +static __rte_always_inline const char *
> +get_digest_name(const struct rte_crypto_sym_xform *xform)
Digest_name_get
> +{
> + switch (xform->auth.algo) {
> + case RTE_CRYPTO_AUTH_MD5_HMAC:
> + return OSSL_DIGEST_NAME_MD5;
> + case RTE_CRYPTO_AUTH_SHA1_HMAC:
> + return OSSL_DIGEST_NAME_SHA1;
> + case RTE_CRYPTO_AUTH_SHA224_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_224;
> + case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_256;
> + case RTE_CRYPTO_AUTH_SHA384_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_384;
> + case RTE_CRYPTO_AUTH_SHA512_HMAC:
> + return OSSL_DIGEST_NAME_SHA2_512;
> + default:
> + return NULL;
> + }
> +}
> +#endif
> +
> static int cryptodev_openssl_remove(struct rte_vdev_device *vdev);
>
>
> /*----------------------------------------------------------------------------*/
> @@ -582,6 +637,40 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
> sess->auth.auth.ctx = EVP_MD_CTX_create();
> break;
>
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + case RTE_CRYPTO_AUTH_MD5_HMAC:
> + case RTE_CRYPTO_AUTH_SHA1_HMAC:
> + case RTE_CRYPTO_AUTH_SHA224_HMAC:
> + case RTE_CRYPTO_AUTH_SHA256_HMAC:
> + case RTE_CRYPTO_AUTH_SHA384_HMAC:
> + case RTE_CRYPTO_AUTH_SHA512_HMAC:
> + sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
> +
> + OSSL_PARAM params[2];
> + const char *algo;
> + algo = get_digest_name(xform);
Pass xform->auth.algo directly
> + if (!algo)
> + return -EINVAL;
> + char algo_name[MAX_OSSL_ALGO_NAME_SIZE];
> + rte_memcpy(algo_name, algo, (sizeof(algo)+1));
> +
> + EVP_MAC *mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> + sess->auth.hmac.ctx = EVP_MAC_CTX_new(mac);
> + EVP_MAC_free(mac);
> + if (get_auth_algo(xform->auth.algo,
> + &sess->auth.hmac.evp_algo) != 0)
> + return -EINVAL;
> +
> + params[0] = OSSL_PARAM_construct_utf8_string("digest",
> + algo_name, 0);
> + params[1] = OSSL_PARAM_construct_end();
> + if (EVP_MAC_init(sess->auth.hmac.ctx,
> + xform->auth.key.data,
> + xform->auth.key.length,
> + params) != 1)
> + return -EINVAL;
> + break;
> +# else
> case RTE_CRYPTO_AUTH_MD5_HMAC:
> case RTE_CRYPTO_AUTH_SHA1_HMAC:
> case RTE_CRYPTO_AUTH_SHA224_HMAC:
> @@ -600,7 +689,7 @@ openssl_set_session_auth_parameters(struct
> openssl_session *sess,
> sess->auth.hmac.evp_algo, NULL) != 1)
> return -EINVAL;
> break;
> -
> +# endif
> default:
> return -ENOTSUP;
> }
> @@ -725,7 +814,11 @@ openssl_reset_session(struct openssl_session *sess)
> break;
> case OPENSSL_AUTH_AS_HMAC:
> EVP_PKEY_free(sess->auth.hmac.pkey);
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + EVP_MAC_CTX_free(sess->auth.hmac.ctx);
> +# else
> HMAC_CTX_free(sess->auth.hmac.ctx);
> +# endif
> break;
> default:
> break;
> @@ -1262,6 +1355,59 @@ process_openssl_auth(struct rte_mbuf *mbuf_src,
> uint8_t *dst, int offset,
> return -EINVAL;
> }
>
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +/** Process standard openssl auth algorithms with hmac */
> +static int
> +process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> + int srclen, EVP_MAC_CTX *ctx)
> +{
> + size_t dstlen;
> + struct rte_mbuf *m;
> + int l, n = srclen;
> + uint8_t *src;
> +
> + for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
> + m = m->next)
> + offset -= rte_pktmbuf_data_len(m);
> +
> + if (m == 0)
> + goto process_auth_err;
> +
> + src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
> +
> + l = rte_pktmbuf_data_len(m) - offset;
> + if (srclen <= l) {
> + if (EVP_MAC_update(ctx, (unsigned char *)src, srclen) != 1)
> + goto process_auth_err;
> + goto process_auth_final;
> + }
> +
> + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> + goto process_auth_err;
> +
> + n -= l;
> +
> + for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
> + src = rte_pktmbuf_mtod(m, uint8_t *);
> + l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
> + if (EVP_MAC_update(ctx, (unsigned char *)src, l) != 1)
> + goto process_auth_err;
> + n -= l;
> + }
> +
> +process_auth_final:
> + if (EVP_MAC_final(ctx, dst, &dstlen, sizeof(dst)) != 1)
> + goto process_auth_err;
> +
> + EVP_MAC_CTX_free(ctx);
> + return 0;
> +
> +process_auth_err:
> + EVP_MAC_CTX_free(ctx);
> + OPENSSL_LOG(ERR, "Process openssl auth failed");
> + return -EINVAL;
> +}
> +# else
> /** Process standard openssl auth algorithms with hmac */
> static int
> process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int
> offset,
> @@ -1314,7 +1460,7 @@ process_openssl_auth_hmac(struct rte_mbuf
> *mbuf_src, uint8_t *dst, int offset,
> OPENSSL_LOG(ERR, "Process openssl auth failed");
> return -EINVAL;
> }
> -
> +# endif
>
> /*----------------------------------------------------------------------------*/
>
> /** Process auth/cipher combined operation */
> @@ -1328,7 +1474,6 @@ process_openssl_combined_op
> int srclen, aadlen, status = -1;
> uint32_t offset;
> uint8_t taglen;
> - EVP_CIPHER_CTX *ctx_copy;
>
> /*
> * Segmented destination buffer is not supported for
> @@ -1365,8 +1510,6 @@ process_openssl_combined_op
> }
>
> taglen = sess->auth.digest_length;
> - ctx_copy = EVP_CIPHER_CTX_new();
> - EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
>
> if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
> if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1374,12 +1517,12 @@ process_openssl_combined_op
> status = process_openssl_auth_encryption_gcm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, ctx_copy);
> + dst, tag, sess->cipher.ctx);
> else
> status = process_openssl_auth_encryption_ccm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, taglen, ctx_copy);
> + dst, tag, taglen, sess->cipher.ctx);
>
> } else {
> if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
> @@ -1387,15 +1530,14 @@ process_openssl_combined_op
> status = process_openssl_auth_decryption_gcm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, ctx_copy);
> + dst, tag, sess->cipher.ctx);
> else
> status = process_openssl_auth_decryption_ccm(
> mbuf_src, offset, srclen,
> aad, aadlen, iv,
> - dst, tag, taglen, ctx_copy);
> + dst, tag, taglen, sess->cipher.ctx);
> }
>
> - EVP_CIPHER_CTX_free(ctx_copy);
> if (status != 0) {
> if (status == (-EFAULT) &&
> sess->auth.operation ==
> @@ -1557,7 +1699,12 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
> uint8_t *dst;
> int srclen, status;
> EVP_MD_CTX *ctx_a;
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + EVP_MAC_CTX *ctx_h;
> + EVP_MAC *mac;
> +# else
> HMAC_CTX *ctx_h;
> +# endif
>
> srclen = op->sym->auth.data.length;
>
> @@ -1573,12 +1720,22 @@ process_openssl_auth_op(struct openssl_qp *qp,
> struct rte_crypto_op *op,
> EVP_MD_CTX_destroy(ctx_a);
> break;
> case OPENSSL_AUTH_AS_HMAC:
> +# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> + mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
> + ctx_h = EVP_MAC_CTX_new(mac);
> + ctx_h = EVP_MAC_CTX_dup(sess->auth.hmac.ctx);
> + EVP_MAC_free(mac);
> + status = process_openssl_auth_hmac(mbuf_src, dst,
> + op->sym->auth.data.offset, srclen,
> + ctx_h);
> +# else
> ctx_h = HMAC_CTX_new();
> HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
> status = process_openssl_auth_hmac(mbuf_src, dst,
> op->sym->auth.data.offset, srclen,
> ctx_h);
> HMAC_CTX_free(ctx_h);
> +# endif
> break;
> default:
> status = -1;
> @@ -2212,6 +2369,13 @@ cryptodev_openssl_create(const char *name,
>
> rte_cryptodev_pmd_probing_finish(dev);
>
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + /* Load legacy provider
> + * Some algorithms are no longer available in earlier version of
> openssl,
> + * unless the legacy provider explicitly loaded. e.g. DES
> + */
> + ossl_load_legacy_provider();
> +# endif
> return 0;
>
> init_error:
> @@ -2260,6 +2424,9 @@ cryptodev_openssl_remove(struct rte_vdev_device
> *vdev)
> if (cryptodev == NULL)
> return -ENODEV;
>
> +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> + ossl_unload_legacy_provider();
> +# endif
> return rte_cryptodev_pmd_destroy(cryptodev);
> }
>
> --
> 2.17.1
