[v2] crypto/openssl: support truncated HMAC operations

Message ID 20180916031823.17560-1-dmitry.ereminsolenikov@linaro.org (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal
Series [v2] crypto/openssl: support truncated HMAC operations |

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK

Commit Message

Dmitry Eremin-Solenikov Sept. 16, 2018, 3:18 a.m. UTC
  IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
PMD to support truncated HMAC operations necessary for IPsec.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>
---
Changes since V1:
 - support all digest sizes from half of corresponding digest size up to
   full length.

---
 drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
 2 files changed, 22 insertions(+), 21 deletions(-)
  

Comments

Akhil Goyal Sept. 25, 2018, 2:46 p.m. UTC | #1
On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:
> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
> PMD to support truncated HMAC operations necessary for IPsec.
>
> Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>
> ---
> Changes since V1:
>   - support all digest sizes from half of corresponding digest size up to
>     full length.
Why can't we extend this to digest size starting from 1 to full length?
Why is there a limitation for half of corresponding digest size?
>
> ---
>   drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
>   drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
>   2 files changed, 22 insertions(+), 21 deletions(-)
>
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
> index 7d263aba3bbd..c635f1e2493c 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
>   
>   	srclen = op->sym->auth.data.length;
>   
> -	if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
> -		dst = qp->temp_digest;
> -	else {
> -		dst = op->sym->auth.digest.data;
> -		if (dst == NULL)
> -			dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
> -					op->sym->auth.data.offset +
> -					op->sym->auth.data.length);
> -	}
> +	dst = qp->temp_digest;
>   
>   	switch (sess->auth.mode) {
>   	case OPENSSL_AUTH_AS_AUTH:
> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
>   				sess->auth.digest_length) != 0) {
>   			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
>   		}
> +	} else {
> +		uint8_t *auth_dst;
> +
> +		auth_dst = op->sym->auth.digest.data;
> +		if (auth_dst == NULL)
> +			auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
> +					op->sym->auth.data.offset +
> +					op->sym->auth.data.length);
> +		memcpy(auth_dst, dst, sess->auth.digest_length);
>   	}
>   
>   	if (status != 0)
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index de2284390b12..6d3e21de404d 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>   					.increment = 1
>   				},
>   				.digest_size = {
> -					.min = 16,
> +					.min = 8,
>   					.max = 16,
> -					.increment = 0
> +					.increment = 1
>   				},
>   				.iv_size = { 0 }
>   			}, }
> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>   					.increment = 1
>   				},
>   				.digest_size = {
> -					.min = 20,
> +					.min = 10,
>   					.max = 20,
> -					.increment = 0
> +					.increment = 1
>   				},
>   				.iv_size = { 0 }
>   			}, }
> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>   					.increment = 1
>   				},
>   				.digest_size = {
> -					.min = 28,
> +					.min = 14,
>   					.max = 28,
> -					.increment = 0
> +					.increment = 1
>   				},
>   				.iv_size = { 0 }
>   			}, }
> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>   					.increment = 1
>   				},
>   				.digest_size = {
> -					.min = 32,
> +					.min = 16,
>   					.max = 32,
> -					.increment = 0
> +					.increment = 1
>   				},
>   				.iv_size = { 0 }
>   			}, }
> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>   					.increment = 1
>   				},
>   				.digest_size = {
> -					.min = 48,
> +					.min = 24,
>   					.max = 48,
> -					.increment = 0
> +					.increment = 1
>   				},
>   				.iv_size = { 0 }
>   			}, }
> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
>   					.increment = 1
>   				},
>   				.digest_size = {
> -					.min = 64,
> +					.min = 32,
>   					.max = 64,
> -					.increment = 0
> +					.increment = 1
>   				},
>   				.iv_size = { 0 }
>   			}, }
  
Dmitry Eremin-Solenikov Sept. 27, 2018, 9:32 p.m. UTC | #2
On 25/09/18 17:46, Akhil Goyal wrote:
> 
> 
> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:
>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
>> PMD to support truncated HMAC operations necessary for IPsec.
>>
>> Signed-off-by: Dmitry Eremin-Solenikov
>> <dmitry.ereminsolenikov@linaro.org>
>> ---
>> Changes since V1:
>>   - support all digest sizes from half of corresponding digest size up to
>>     full length.
> Why can't we extend this to digest size starting from 1 to full length?
> Why is there a limitation for half of corresponding digest size?

Mainly because there is little point in supporting such truncated
digests. It won't be cryptographically safe.

>>
>> ---
>>   drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
>>   drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
>>   2 files changed, 22 insertions(+), 21 deletions(-)
>>
>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
>> b/drivers/crypto/openssl/rte_openssl_pmd.c
>> index 7d263aba3bbd..c635f1e2493c 100644
>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,
>> struct rte_crypto_op *op,
>>         srclen = op->sym->auth.data.length;
>>   -    if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
>> -        dst = qp->temp_digest;
>> -    else {
>> -        dst = op->sym->auth.digest.data;
>> -        if (dst == NULL)
>> -            dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>> -                    op->sym->auth.data.offset +
>> -                    op->sym->auth.data.length);
>> -    }
>> +    dst = qp->temp_digest;
>>         switch (sess->auth.mode) {
>>       case OPENSSL_AUTH_AS_AUTH:
>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,
>> struct rte_crypto_op *op,
>>                   sess->auth.digest_length) != 0) {
>>               op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
>>           }
>> +    } else {
>> +        uint8_t *auth_dst;
>> +
>> +        auth_dst = op->sym->auth.digest.data;
>> +        if (auth_dst == NULL)
>> +            auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>> +                    op->sym->auth.data.offset +
>> +                    op->sym->auth.data.length);
>> +        memcpy(auth_dst, dst, sess->auth.digest_length);
>>       }
>>         if (status != 0)
>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> index de2284390b12..6d3e21de404d 100644
>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>>                       .increment = 1
>>                   },
>>                   .digest_size = {
>> -                    .min = 16,
>> +                    .min = 8,
>>                       .max = 16,
>> -                    .increment = 0
>> +                    .increment = 1
>>                   },
>>                   .iv_size = { 0 }
>>               }, }
>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>>                       .increment = 1
>>                   },
>>                   .digest_size = {
>> -                    .min = 20,
>> +                    .min = 10,
>>                       .max = 20,
>> -                    .increment = 0
>> +                    .increment = 1
>>                   },
>>                   .iv_size = { 0 }
>>               }, }
>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>>                       .increment = 1
>>                   },
>>                   .digest_size = {
>> -                    .min = 28,
>> +                    .min = 14,
>>                       .max = 28,
>> -                    .increment = 0
>> +                    .increment = 1
>>                   },
>>                   .iv_size = { 0 }
>>               }, }
>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>>                       .increment = 1
>>                   },
>>                   .digest_size = {
>> -                    .min = 32,
>> +                    .min = 16,
>>                       .max = 32,
>> -                    .increment = 0
>> +                    .increment = 1
>>                   },
>>                   .iv_size = { 0 }
>>               }, }
>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>>                       .increment = 1
>>                   },
>>                   .digest_size = {
>> -                    .min = 48,
>> +                    .min = 24,
>>                       .max = 48,
>> -                    .increment = 0
>> +                    .increment = 1
>>                   },
>>                   .iv_size = { 0 }
>>               }, }
>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>>                       .increment = 1
>>                   },
>>                   .digest_size = {
>> -                    .min = 64,
>> +                    .min = 32,
>>                       .max = 64,
>> -                    .increment = 0
>> +                    .increment = 1
>>                   },
>>                   .iv_size = { 0 }
>>               }, }
>
  
Akhil Goyal Sept. 28, 2018, 10:28 a.m. UTC | #3
On 9/28/2018 3:02 AM, Dmitry Eremin-Solenikov wrote:
> On 25/09/18 17:46, Akhil Goyal wrote:
>>
>> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:
>>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
>>> PMD to support truncated HMAC operations necessary for IPsec.
>>>
>>> Signed-off-by: Dmitry Eremin-Solenikov
>>> <dmitry.ereminsolenikov@linaro.org>
>>> ---
>>> Changes since V1:
>>>    - support all digest sizes from half of corresponding digest size up to
>>>      full length.
>> Why can't we extend this to digest size starting from 1 to full length?
>> Why is there a limitation for half of corresponding digest size?
> Mainly because there is little point in supporting such truncated
> digests. It won't be cryptographically safe.
I believe we should let the application decide the digest size and not 
make this a limitation of the PMD.
>
>>> ---
>>>    drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
>>>    drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
>>>    2 files changed, 22 insertions(+), 21 deletions(-)
>>>
>>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
>>> b/drivers/crypto/openssl/rte_openssl_pmd.c
>>> index 7d263aba3bbd..c635f1e2493c 100644
>>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
>>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
>>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,
>>> struct rte_crypto_op *op,
>>>          srclen = op->sym->auth.data.length;
>>>    -    if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
>>> -        dst = qp->temp_digest;
>>> -    else {
>>> -        dst = op->sym->auth.digest.data;
>>> -        if (dst == NULL)
>>> -            dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>>> -                    op->sym->auth.data.offset +
>>> -                    op->sym->auth.data.length);
>>> -    }
>>> +    dst = qp->temp_digest;
>>>          switch (sess->auth.mode) {
>>>        case OPENSSL_AUTH_AS_AUTH:
>>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,
>>> struct rte_crypto_op *op,
>>>                    sess->auth.digest_length) != 0) {
>>>                op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
>>>            }
>>> +    } else {
>>> +        uint8_t *auth_dst;
>>> +
>>> +        auth_dst = op->sym->auth.digest.data;
>>> +        if (auth_dst == NULL)
>>> +            auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>>> +                    op->sym->auth.data.offset +
>>> +                    op->sym->auth.data.length);
>>> +        memcpy(auth_dst, dst, sess->auth.digest_length);
>>>        }
>>>          if (status != 0)
>>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> index de2284390b12..6d3e21de404d 100644
>>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 16,
>>> +                    .min = 8,
>>>                        .max = 16,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 20,
>>> +                    .min = 10,
>>>                        .max = 20,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 28,
>>> +                    .min = 14,
>>>                        .max = 28,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 32,
>>> +                    .min = 16,
>>>                        .max = 32,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 48,
>>> +                    .min = 24,
>>>                        .max = 48,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 64,
>>> +                    .min = 32,
>>>                        .max = 64,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>
  

Patch

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 7d263aba3bbd..c635f1e2493c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1509,15 +1509,7 @@  process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	srclen = op->sym->auth.data.length;
 
-	if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
-		dst = qp->temp_digest;
-	else {
-		dst = op->sym->auth.digest.data;
-		if (dst == NULL)
-			dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
-					op->sym->auth.data.offset +
-					op->sym->auth.data.length);
-	}
+	dst = qp->temp_digest;
 
 	switch (sess->auth.mode) {
 	case OPENSSL_AUTH_AS_AUTH:
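Review bot: With `dst = qp->temp_digest;` now unconditional, generate operations also depend on the per-queue-pair scratch buffer being large enough for the full-length digest the backend writes, and its size is not visible in this hunk. It should be confirmed to be at least the largest `.max` advertised in rte_openssl_pmd_ops.c (64 bytes). A short comment would record the intent, e.g. `/* Compute the full digest into scratch; only digest_length bytes are compared or copied out below. */`. process_openssl_auth_op starts before and continues after this hunk.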
@@ -1540,6 +1532,15 @@  process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 				sess->auth.digest_length) != 0) {
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		}
+	} else {
+		uint8_t *auth_dst;
+
+		auth_dst = op->sym->auth.digest.data;
+		if (auth_dst == NULL)
+			auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
+					op->sym->auth.data.offset +
+					op->sym->auth.data.length);
+		memcpy(auth_dst, dst, sess->auth.digest_length);
 	}
 
 	if (status != 0)
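Review bot: The new `memcpy(auth_dst, dst, sess->auth.digest_length);` runs before the `if (status != 0)` check that follows, so if the digest computation fails without writing dst (presumably possible, the switch body is not shown), the output receives whatever qp->temp_digest held, possibly the tag of an earlier operation on the same queue pair. Before this change a generate op wrote straight into the destination, so stale scratch contents could not reach it. Guarding the copy, `if (status == 0) memcpy(auth_dst, dst, sess->auth.digest_length);`, keeps stale bytes out of the packet. The NULL-digest fallback also assumes the first mbuf segment has digest_length bytes available after data.offset + data.length; that is inherited from the removed code but is worth a bounds check. The enclosing if/else begins above the hunk.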
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index de2284390b12..6d3e21de404d 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -26,9 +26,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 16,
+					.min = 8,
 					.max = 16,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
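Review bot: The widened `.digest_size` range is only advertised here; nothing in this patch makes the driver reject a session whose digest_length falls outside it, while the new memcpy and the verify comparison in rte_openssl_pmd.c use `sess->auth.digest_length` as their length. A range check in the session-configuration path (not shown in this diff) would keep an oversized or very short length from reaching them. Separately, `.min = 8` for this 16-byte entry allows 64-bit tags, below the 80-bit floor that RFC 2104 recommends in addition to the half-length rule; `.min = 10` would satisfy both. The same half-of-max pattern repeats in the hunks at -68, -110, -152, -194 and -236, where the minimum is already 80 bits or more.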
@@ -68,9 +68,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 20,
+					.min = 10,
 					.max = 20,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -110,9 +110,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 28,
+					.min = 14,
 					.max = 28,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -152,9 +152,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 32,
+					.min = 16,
 					.max = 32,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -194,9 +194,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 48,
+					.min = 24,
 					.max = 48,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -236,9 +236,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 64,
+					.min = 32,
 					.max = 64,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }