[dpdk-dev,v2,1/2] crypto/openssl: replace evp APIs with HMAC APIs
Checks
Commit Message
in case of HMAC the openssl APIs HMAC_XXX give
better performance for all HMAC cases as compared with
EVP_XXX
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
---
changes in v2:
patch split in two patches as per Pablo's recommendations
drivers/crypto/openssl/rte_openssl_pmd.c | 37 +++++++++++++-----------
drivers/crypto/openssl/rte_openssl_pmd_private.h | 3 +-
2 files changed, 22 insertions(+), 18 deletions(-)
Comments
> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 29, 2017 7:59 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
>
> in case of HMAC the openssl APIs HMAC_XXX give better performance for
> all HMAC cases as compared with EVP_XXX
>
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Reviewed-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Hi Akhil,
> -----Original Message-----
> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
> Sent: Tuesday, August 29, 2017 7:59 AM
> To: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Cc: hemant.agrawal@nxp.com; Doherty, Declan
> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
>
> in case of HMAC the openssl APIs HMAC_XXX give better performance for
> all HMAC cases as compared with EVP_XXX
>
> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
> ---
> changes in v2:
> patch split in two patches as per Pablo's recommendations
>
> drivers/crypto/openssl/rte_openssl_pmd.c | 37 +++++++++++++-------
I just come across an issue with this patch on openssl 1.1.0 (below).
Unfortunately, I have already applied the patch in the subtree, but if you could send a patch to fix this,
I can integrate as part of that patch.
Thanks,
Pablo
drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
HMAC_CTX ctx;
^~~
In file included from drivers/crypto/openssl/rte_openssl_pmd_ops.c:39:0:
drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
HMAC_CTX ctx;
^~~
drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_set_session_auth_parameters':
drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: implicit declaration of function 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'? [-Werror=implicit-function-declaration]
HMAC_CTX_init(&sess->auth.hmac.ctx);
^~~~~~~~~~~~~
HMAC_CTX_new
drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: nested extern declaration of 'HMAC_CTX_init' [-Werror=nested-externs]
make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd_ops.o] Error 1
make[4]: *** Waiting for unfinished jobs....
drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_reset_session':
drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: implicit declaration of function 'HMAC_CTX_cleanup'; did you mean 'HMAC_CTX_get_md'? [-Werror=implicit-function-declaration]
HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
^~~~~~~~~~~~~~~~
HMAC_CTX_get_md
drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: nested extern declaration of 'HMAC_CTX_cleanup' [-Werror=nested-externs]
cc1: all warnings being treated as errors
make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd.o] Error 1
Hi Pablo,
On 9/8/2017 7:33 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
>
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Tuesday, August 29, 2017 7:59 AM
>> To: dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>
>> Cc: hemant.agrawal@nxp.com; Doherty, Declan
>> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
>>
>> in case of HMAC the openssl APIs HMAC_XXX give better performance for
>> all HMAC cases as compared with EVP_XXX
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
>> changes in v2:
>> patch split in two patches as per Pablo's recommendations
>>
>> drivers/crypto/openssl/rte_openssl_pmd.c | 37 +++++++++++++-------
>
> I just come across an issue with this patch on openssl 1.1.0 (below).
> Unfortunately, I have already applied the patch in the subtree, but if you could send a patch to fix this,
> I can integrate as part of that patch.
>
> Thanks,
> Pablo
>
> drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
> HMAC_CTX ctx;
> ^~~
> In file included from drivers/crypto/openssl/rte_openssl_pmd_ops.c:39:0:
> drivers/crypto/openssl/rte_openssl_pmd_private.h:168:14: error: field 'ctx' has incomplete type
> HMAC_CTX ctx;
> ^~~
> drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_set_session_auth_parameters':
> drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: implicit declaration of function 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'? [-Werror=implicit-function-declaration]
> HMAC_CTX_init(&sess->auth.hmac.ctx);
> ^~~~~~~~~~~~~
> HMAC_CTX_new
>
> drivers/crypto/openssl/rte_openssl_pmd.c:440:3: error: nested extern declaration of 'HMAC_CTX_init' [-Werror=nested-externs]
> make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd_ops.o] Error 1
> make[4]: *** Waiting for unfinished jobs....
> drivers/crypto/openssl/rte_openssl_pmd.c: In function 'openssl_reset_session':
> drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: implicit declaration of function 'HMAC_CTX_cleanup'; did you mean 'HMAC_CTX_get_md'? [-Werror=implicit-function-declaration]
> HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
> ^~~~~~~~~~~~~~~~
> HMAC_CTX_get_md
> drivers/crypto/openssl/rte_openssl_pmd.c:588:3: error: nested extern declaration of 'HMAC_CTX_cleanup' [-Werror=nested-externs]
> cc1: all warnings being treated as errors
> make[4]: *** [mk/internal/rte.compile-pre.mk:140: rte_openssl_pmd.o] Error 1
>
I will look into this and will send the patch ASAP.
Regards,
Akhil
Hi Pablo,
On 9/8/2017 7:33 PM, De Lara Guarch, Pablo wrote:
> Hi Akhil,
>
>> -----Original Message-----
>> From: Akhil Goyal [mailto:akhil.goyal@nxp.com]
>> Sent: Tuesday, August 29, 2017 7:59 AM
>> To: dev@dpdk.org; De Lara Guarch, Pablo
>> <pablo.de.lara.guarch@intel.com>
>> Cc: hemant.agrawal@nxp.com; Doherty, Declan
>> <declan.doherty@intel.com>; Akhil Goyal <akhil.goyal@nxp.com>
>> Subject: [PATCH v2 1/2] crypto/openssl: replace evp APIs with HMAC APIs
>>
>> in case of HMAC the openssl APIs HMAC_XXX give better performance for
>> all HMAC cases as compared with EVP_XXX
>>
>> Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
>> ---
>> changes in v2:
>> patch split in two patches as per Pablo's recommendations
>>
>> drivers/crypto/openssl/rte_openssl_pmd.c | 37 +++++++++++++-------
>
> I just come across an issue with this patch on openssl 1.1.0 (below).
> Unfortunately, I have already applied the patch in the subtree, but if you could send a patch to fix this,
> I can integrate as part of that patch.
>
I have sent a patch to fix this.
http://dpdk.org/dev/patchwork/patch/28995/
Thanks,
Akhil
@@ -39,6 +39,7 @@
#include <rte_malloc.h>
#include <rte_cpuflags.h>
+#include <openssl/hmac.h>
#include <openssl/evp.h>
#include "rte_openssl_pmd_private.h"
@@ -403,12 +404,16 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
case RTE_CRYPTO_AUTH_SHA384_HMAC:
case RTE_CRYPTO_AUTH_SHA512_HMAC:
sess->auth.mode = OPENSSL_AUTH_AS_HMAC;
- sess->auth.hmac.ctx = EVP_MD_CTX_create();
+ HMAC_CTX_init(&sess->auth.hmac.ctx);
if (get_auth_algo(xform->auth.algo,
&sess->auth.hmac.evp_algo) != 0)
return -EINVAL;
- sess->auth.hmac.pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
- xform->auth.key.data, xform->auth.key.length);
+
+ if (HMAC_Init_ex(&sess->auth.hmac.ctx,
+ xform->auth.key.data,
+ xform->auth.key.length,
+ sess->auth.hmac.evp_algo, NULL) != 1)
+ return -EINVAL;
break;
default:
@@ -547,7 +552,7 @@ openssl_reset_session(struct openssl_session *sess)
break;
case OPENSSL_AUTH_AS_HMAC:
EVP_PKEY_free(sess->auth.hmac.pkey);
- EVP_MD_CTX_destroy(sess->auth.hmac.ctx);
+ HMAC_CTX_cleanup(&sess->auth.hmac.ctx);
break;
default:
break;
@@ -971,10 +976,9 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
/** Process standard openssl auth algorithms with hmac */
static int
process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
- __rte_unused uint8_t *iv, EVP_PKEY *pkey,
- int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
+ int srclen, HMAC_CTX *ctx)
{
- size_t dstlen;
+ unsigned int dstlen;
struct rte_mbuf *m;
int l, n = srclen;
uint8_t *src;
@@ -986,19 +990,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
if (m == 0)
goto process_auth_err;
- if (EVP_DigestSignInit(ctx, NULL, algo, NULL, pkey) <= 0)
- goto process_auth_err;
-
src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
l = rte_pktmbuf_data_len(m) - offset;
if (srclen <= l) {
- if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
+ if (HMAC_Update(ctx, (unsigned char *)src, srclen) != 1)
goto process_auth_err;
goto process_auth_final;
}
- if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+ if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
goto process_auth_err;
n -= l;
@@ -1006,13 +1007,16 @@ process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
src = rte_pktmbuf_mtod(m, uint8_t *);
l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
- if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+ if (HMAC_Update(ctx, (unsigned char *)src, l) != 1)
goto process_auth_err;
n -= l;
}
process_auth_final:
- if (EVP_DigestSignFinal(ctx, dst, &dstlen) <= 0)
+ if (HMAC_Final(ctx, dst, &dstlen) != 1)
+ goto process_auth_err;
+
+ if (unlikely(HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) != 1))
goto process_auth_err;
return 0;
@@ -1265,9 +1269,8 @@ process_openssl_auth_op
break;
case OPENSSL_AUTH_AS_HMAC:
status = process_openssl_auth_hmac(mbuf_src, dst,
- op->sym->auth.data.offset, NULL,
- sess->auth.hmac.pkey, srclen,
- sess->auth.hmac.ctx, sess->auth.hmac.evp_algo);
+ op->sym->auth.data.offset, srclen,
+ &sess->auth.hmac.ctx);
break;
default:
status = -1;
@@ -34,6 +34,7 @@
#define _OPENSSL_PMD_PRIVATE_H_
#include <openssl/evp.h>
+#include <openssl/hmac.h>
#include <openssl/des.h>
#define CRYPTODEV_NAME_OPENSSL_PMD crypto_openssl
@@ -164,7 +165,7 @@ struct openssl_session {
/**< pointer to EVP key */
const EVP_MD *evp_algo;
/**< pointer to EVP algorithm function */
- EVP_MD_CTX *ctx;
+ HMAC_CTX ctx;
/**< pointer to EVP context structure */
} hmac;
};