Message ID | 20180916031823.17560-1-dmitry.ereminsolenikov@linaro.org |
---|---|
State | Superseded |
Series | [v2] crypto/openssl: support truncated HMAC operations | expand |
On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote: > IPsec requires truncated HMAC operations support. Extend OpenSSL crypto > PMD to support truncated HMAC operations necessary for IPsec. > > Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> > --- > Changes since V1: > - support all digest sizes from half of corresponding digest size up to > full length. Why can't we extend this to digest size starting from 1 to full length? Why is there a limitation for half of corresponding digest size? > > --- > drivers/crypto/openssl/rte_openssl_pmd.c | 19 ++++++++-------- > drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++---------- > 2 files changed, 22 insertions(+), 21 deletions(-) > > diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c > index 7d263aba3bbd..c635f1e2493c 100644 > --- a/drivers/crypto/openssl/rte_openssl_pmd.c > +++ b/drivers/crypto/openssl/rte_openssl_pmd.c > @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, > > srclen = op->sym->auth.data.length; > > - if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) > - dst = qp->temp_digest; > - else { > - dst = op->sym->auth.digest.data; > - if (dst == NULL) > - dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *, > - op->sym->auth.data.offset + > - op->sym->auth.data.length); > - } > + dst = qp->temp_digest; > > switch (sess->auth.mode) { > case OPENSSL_AUTH_AS_AUTH: > @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, > sess->auth.digest_length) != 0) { > op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; > } > + } else { > + uint8_t *auth_dst; > + > + auth_dst = op->sym->auth.digest.data; > + if (auth_dst == NULL) > + auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *, > + op->sym->auth.data.offset + > + op->sym->auth.data.length); > + memcpy(auth_dst, dst, sess->auth.digest_length); > } > > if (status != 0) 
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c > index de2284390b12..6d3e21de404d 100644 > --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c > +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c > @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { > .increment = 1 > }, > .digest_size = { > - .min = 16, > + .min = 8, > .max = 16, > - .increment = 0 > + .increment = 1 > }, > .iv_size = { 0 } > }, } > @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { > .increment = 1 > }, > .digest_size = { > - .min = 20, > + .min = 10, > .max = 20, > - .increment = 0 > + .increment = 1 > }, > .iv_size = { 0 } > }, } > @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { > .increment = 1 > }, > .digest_size = { > - .min = 28, > + .min = 14, > .max = 28, > - .increment = 0 > + .increment = 1 > }, > .iv_size = { 0 } > }, } > @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { > .increment = 1 > }, > .digest_size = { > - .min = 32, > + .min = 16, > .max = 32, > - .increment = 0 > + .increment = 1 > }, > .iv_size = { 0 } > }, } > @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { > .increment = 1 > }, > .digest_size = { > - .min = 48, > + .min = 24, > .max = 48, > - .increment = 0 > + .increment = 1 > }, > .iv_size = { 0 } > }, } > @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { > .increment = 1 > }, > .digest_size = { > - .min = 64, > + .min = 32, > .max = 64, > - .increment = 0 > + .increment = 1 > }, > .iv_size = { 0 } > }, }
On 25/09/18 17:46, Akhil Goyal wrote: > > > On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote: >> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto >> PMD to support truncated HMAC operations necessary for IPsec. >> >> Signed-off-by: Dmitry Eremin-Solenikov >> <dmitry.ereminsolenikov@linaro.org> >> --- >> Changes since V1: >> - support all digest sizes from half of corresponding digest size up to >> full length. > Why can't we extend this to digest size starting from 1 to full length? > Why is there a limitation for half of corresponding digest size? Mainly because there is little point in supporting such truncated digests. It won't be cryptographically safe. >> >> --- >> drivers/crypto/openssl/rte_openssl_pmd.c | 19 ++++++++-------- >> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++---------- >> 2 files changed, 22 insertions(+), 21 deletions(-) >> >> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c >> b/drivers/crypto/openssl/rte_openssl_pmd.c >> index 7d263aba3bbd..c635f1e2493c 100644 >> --- a/drivers/crypto/openssl/rte_openssl_pmd.c >> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c >> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp, >> struct rte_crypto_op *op, >> srclen = op->sym->auth.data.length; >> - if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) >> - dst = qp->temp_digest; >> - else { >> - dst = op->sym->auth.digest.data; >> - if (dst == NULL) >> - dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *, >> - op->sym->auth.data.offset + >> - op->sym->auth.data.length); >> - } >> + dst = qp->temp_digest; >> switch (sess->auth.mode) { >> case OPENSSL_AUTH_AS_AUTH: 
>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp, >> struct rte_crypto_op *op, >> sess->auth.digest_length) != 0) { >> op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; >> } >> + } else { >> + uint8_t *auth_dst; >> + >> + auth_dst = op->sym->auth.digest.data; >> + if (auth_dst == NULL) >> + auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *, >> + op->sym->auth.data.offset + >> + op->sym->auth.data.length); >> + memcpy(auth_dst, dst, sess->auth.digest_length); >> } >> if (status != 0) >> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c >> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c >> index de2284390b12..6d3e21de404d 100644 >> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c >> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c >> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities >> openssl_pmd_capabilities[] = { >> .increment = 1 >> }, >> .digest_size = { >> - .min = 16, >> + .min = 8, >> .max = 16, >> - .increment = 0 >> + .increment = 1 >> }, >> .iv_size = { 0 } >> }, } >> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities >> openssl_pmd_capabilities[] = { >> .increment = 1 >> }, >> .digest_size = { >> - .min = 20, >> + .min = 10, >> .max = 20, >> - .increment = 0 >> + .increment = 1 >> }, >> .iv_size = { 0 } >> }, } >> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities >> openssl_pmd_capabilities[] = { >> .increment = 1 >> }, >> .digest_size = { >> - .min = 28, >> + .min = 14, >> .max = 28, >> - .increment = 0 >> + .increment = 1 >> }, >> .iv_size = { 0 } >> }, } >> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities >> openssl_pmd_capabilities[] = { >> .increment = 1 >> }, >> .digest_size = { >> - .min = 32, >> + .min = 16, >> .max = 32, >> - .increment = 0 >> + .increment = 1 >> }, >> .iv_size = { 0 } >> }, } 
>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities >> openssl_pmd_capabilities[] = { >> .increment = 1 >> }, >> .digest_size = { >> - .min = 48, >> + .min = 24, >> .max = 48, >> - .increment = 0 >> + .increment = 1 >> }, >> .iv_size = { 0 } >> }, } >> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities >> openssl_pmd_capabilities[] = { >> .increment = 1 >> }, >> .digest_size = { >> - .min = 64, >> + .min = 32, >> .max = 64, >> - .increment = 0 >> + .increment = 1 >> }, >> .iv_size = { 0 } >> }, } > -- With best wishes Dmitry
On 9/28/2018 3:02 AM, Dmitry Eremin-Solenikov wrote: > On 25/09/18 17:46, Akhil Goyal wrote: >> >> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote: >>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto >>> PMD to support truncated HMAC operations necessary for IPsec. >>> >>> Signed-off-by: Dmitry Eremin-Solenikov >>> <dmitry.ereminsolenikov@linaro.org> >>> --- >>> Changes since V1: >>> - support all digest sizes from half of corresponding digest size up to >>> full length. >> Why can't we extend this to digest size starting from 1 to full length? >> Why is there a limitation for half of corresponding digest size? > Mainly because there is little point in supporting such truncated > digests. It won't be cryptographically safe. I believe we shall let the application decide the digest size and not make this a limitation of PMD. > >>> --- >>> drivers/crypto/openssl/rte_openssl_pmd.c | 19 ++++++++-------- >>> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++---------- >>> 2 files changed, 22 insertions(+), 21 deletions(-) >>> >>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c >>> b/drivers/crypto/openssl/rte_openssl_pmd.c >>> index 7d263aba3bbd..c635f1e2493c 100644 >>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c >>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c >>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp, >>> struct rte_crypto_op *op, >>> srclen = op->sym->auth.data.length; >>> - if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY) >>> - dst = qp->temp_digest; >>> - else { >>> - dst = op->sym->auth.digest.data; >>> - if (dst == NULL) >>> - dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *, >>> - op->sym->auth.data.offset + >>> - op->sym->auth.data.length); >>> - } >>> + dst = qp->temp_digest; >>> switch (sess->auth.mode) { >>> case OPENSSL_AUTH_AS_AUTH: 
>>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp, >>> struct rte_crypto_op *op, >>> sess->auth.digest_length) != 0) { >>> op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED; >>> } >>> + } else { >>> + uint8_t *auth_dst; >>> + >>> + auth_dst = op->sym->auth.digest.data; >>> + if (auth_dst == NULL) >>> + auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *, >>> + op->sym->auth.data.offset + >>> + op->sym->auth.data.length); >>> + memcpy(auth_dst, dst, sess->auth.digest_length); >>> } >>> if (status != 0) >>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c >>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c >>> index de2284390b12..6d3e21de404d 100644 >>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c >>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c >>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities >>> openssl_pmd_capabilities[] = { >>> .increment = 1 >>> }, >>> .digest_size = { >>> - .min = 16, >>> + .min = 8, >>> .max = 16, >>> - .increment = 0 >>> + .increment = 1 >>> }, >>> .iv_size = { 0 } >>> }, } >>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities >>> openssl_pmd_capabilities[] = { >>> .increment = 1 >>> }, >>> .digest_size = { >>> - .min = 20, >>> + .min = 10, >>> .max = 20, >>> - .increment = 0 >>> + .increment = 1 >>> }, >>> .iv_size = { 0 } >>> }, } >>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities >>> openssl_pmd_capabilities[] = { >>> .increment = 1 >>> }, >>> .digest_size = { >>> - .min = 28, >>> + .min = 14, >>> .max = 28, >>> - .increment = 0 >>> + .increment = 1 >>> }, >>> .iv_size = { 0 } >>> }, } >>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities >>> openssl_pmd_capabilities[] = { >>> .increment = 1 >>> }, >>> .digest_size = { >>> - .min = 32, >>> + .min = 16, >>> .max = 32, >>> - .increment = 0 >>> + .increment = 1 >>> }, >>> .iv_size = { 0 } >>> }, } 
>>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities >>> openssl_pmd_capabilities[] = { >>> .increment = 1 >>> }, >>> .digest_size = { >>> - .min = 48, >>> + .min = 24, >>> .max = 48, >>> - .increment = 0 >>> + .increment = 1 >>> }, >>> .iv_size = { 0 } >>> }, } >>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities >>> openssl_pmd_capabilities[] = { >>> .increment = 1 >>> }, >>> .digest_size = { >>> - .min = 64, >>> + .min = 32, >>> .max = 64, >>> - .increment = 0 >>> + .increment = 1 >>> }, >>> .iv_size = { 0 } >>> }, } >
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 7d263aba3bbd..c635f1e2493c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 srclen = op->sym->auth.data.length;
- if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
- dst = qp->temp_digest;
- else {
- dst = op->sym->auth.digest.data;
- if (dst == NULL)
- dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
- op->sym->auth.data.offset +
- op->sym->auth.data.length);
- }
+ dst = qp->temp_digest;
 switch (sess->auth.mode) {
 case OPENSSL_AUTH_AS_AUTH:
@@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 sess->auth.digest_length) != 0) {
 op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 }
+ } else {
+ uint8_t *auth_dst;
+
+ auth_dst = op->sym->auth.digest.data;
+ if (auth_dst == NULL)
+ auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
+ op->sym->auth.data.offset +
+ op->sym->auth.data.length);
+ memcpy(auth_dst, dst, sess->auth.digest_length);
 }
 if (status != 0)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index de2284390b12..6d3e21de404d 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 .increment = 1
 },
 .digest_size = {
- .min = 16,
+ .min = 8,
 .max = 16,
- .increment = 0
+ .increment = 1
 },
 .iv_size = { 0 }
 }, }
@@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 .increment = 1
 },
 .digest_size = {
- .min = 20,
+ .min = 10,
 .max = 20,
- .increment = 0
+ .increment = 1
 },
 .iv_size = { 0 }
 }, }
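Review bot: The now-unconditional `dst = qp->temp_digest;` carries no comment explaining why the digest is no longer written straight into the caller's buffer, and the reason cannot be read from this hunk alone. I would add above it `/* Compute the full-length digest into per-qp scratch; only sess->auth.digest_length bytes are compared or copied out afterwards. */`. Since every operation now lands in temp_digest, its declaration should also state that it must be at least as large as the largest digest any supported algorithm produces; its size is not visible here. The body of process_openssl_auth_op starts and ends outside the hunk.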
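Review bot: The new `memcpy(auth_dst, dst, sess->auth.digest_length);` in the `else` branch runs before the `if (status != 0)` check that follows it, so when the digest computation fails the caller's digest buffer appears to receive whatever the per-qp scratch buffer last held, possibly the MAC of an earlier operation. Making the branch conditional on success, `} else if (status == 0) {`, keeps stale bytes out of the packet. The copy length also depends on session setup having rejected a digest_length larger than the algorithm's output or than temp_digest; that validation lies outside this hunk and is worth confirming now that the advertised length is a range rather than a single value. The function continues outside the hunk.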
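Review bot: The new `.min = 8` in the first hunk (the `.max = 16` entry, presumably HMAC-MD5) advertises 64-bit tags, which meets the half-length rule but falls under the 80-bit floor that RFC 2104 recommends alongside it. `.min = 10`, or `.min = 12` to match the 96-bit truncation IPsec uses for the MD5 and SHA-1 HMACs, would keep the advertised range within that guidance; the other five hunks (minimums 10, 14, 16, 24 and 32) already satisfy both bounds. A short comment on each `digest_size`, such as `/* truncation allowed down to half the digest, per RFC 2104 */`, would record why the lower bound is not 1.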
@@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 .increment = 1
 },
 .digest_size = {
- .min = 28,
+ .min = 14,
 .max = 28,
- .increment = 0
+ .increment = 1
 },
 .iv_size = { 0 }
 }, }
@@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 .increment = 1
 },
 .digest_size = {
- .min = 32,
+ .min = 16,
 .max = 32,
- .increment = 0
+ .increment = 1
 },
 .iv_size = { 0 }
 }, }
@@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 .increment = 1
 },
 .digest_size = {
- .min = 48,
+ .min = 24,
 .max = 48,
- .increment = 0
+ .increment = 1
 },
 .iv_size = { 0 }
 }, }
@@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 .increment = 1
 },
 .digest_size = {
- .min = 64,
+ .min = 32,
 .max = 64,
- .increment = 0
+ .increment = 1
 },
 .iv_size = { 0 }
 }, }
IPsec requires truncated HMAC operations support. Extend OpenSSL crypto PMD to support truncated HMAC operations necessary for IPsec. Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org> --- Changes since V1: - support all digest sizes from half of corresponding digest size up to full length. --- drivers/crypto/openssl/rte_openssl_pmd.c | 19 ++++++++-------- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++---------- 2 files changed, 22 insertions(+), 21 deletions(-) -- 2.18.0