[v2] crypto/openssl: support truncated HMAC operations

Message ID 20180916031823.17560-1-dmitry.ereminsolenikov@linaro.org
State Superseded
Series
  • [v2] crypto/openssl: support truncated HMAC operations

Commit Message

Dmitry Eremin-Solenikov Sept. 16, 2018, 3:18 a.m.
IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
PMD to support truncated HMAC operations necessary for IPsec.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
Changes since V1:
 - support all digest sizes from half of corresponding digest size up to
   full length.

---
 drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
 2 files changed, 22 insertions(+), 21 deletions(-)

-- 
2.18.0

Comments

Akhil Goyal Sept. 25, 2018, 2:46 p.m. | #1
On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:
> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto

> PMD to support truncated HMAC operations necessary for IPsec.

>

> Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

> ---

> Changes since V1:

>   - support all digest sizes from half of corresponding digest size up to

>     full length.

Why can't we extend this to digest size starting from 1 to full length?
Why is there a limitation for half of corresponding digest size?
>

> ---

>   drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------

>   drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------

>   2 files changed, 22 insertions(+), 21 deletions(-)

>

> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c

> index 7d263aba3bbd..c635f1e2493c 100644

> --- a/drivers/crypto/openssl/rte_openssl_pmd.c

> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c

> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,

>   

>   	srclen = op->sym->auth.data.length;

>   

> -	if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)

> -		dst = qp->temp_digest;

> -	else {

> -		dst = op->sym->auth.digest.data;

> -		if (dst == NULL)

> -			dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,

> -					op->sym->auth.data.offset +

> -					op->sym->auth.data.length);

> -	}

> +	dst = qp->temp_digest;

>   

>   	switch (sess->auth.mode) {

>   	case OPENSSL_AUTH_AS_AUTH:

> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,

>   				sess->auth.digest_length) != 0) {

>   			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;

>   		}

> +	} else {

> +		uint8_t *auth_dst;

> +

> +		auth_dst = op->sym->auth.digest.data;

> +		if (auth_dst == NULL)

> +			auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,

> +					op->sym->auth.data.offset +

> +					op->sym->auth.data.length);

> +		memcpy(auth_dst, dst, sess->auth.digest_length);

>   	}

>   

>   	if (status != 0)

> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c

> index de2284390b12..6d3e21de404d 100644

> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c

> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c

> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {

>   					.increment = 1

>   				},

>   				.digest_size = {

> -					.min = 16,

> +					.min = 8,

>   					.max = 16,

> -					.increment = 0

> +					.increment = 1

>   				},

>   				.iv_size = { 0 }

>   			}, }

> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {

>   					.increment = 1

>   				},

>   				.digest_size = {

> -					.min = 20,

> +					.min = 10,

>   					.max = 20,

> -					.increment = 0

> +					.increment = 1

>   				},

>   				.iv_size = { 0 }

>   			}, }

> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {

>   					.increment = 1

>   				},

>   				.digest_size = {

> -					.min = 28,

> +					.min = 14,

>   					.max = 28,

> -					.increment = 0

> +					.increment = 1

>   				},

>   				.iv_size = { 0 }

>   			}, }

> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {

>   					.increment = 1

>   				},

>   				.digest_size = {

> -					.min = 32,

> +					.min = 16,

>   					.max = 32,

> -					.increment = 0

> +					.increment = 1

>   				},

>   				.iv_size = { 0 }

>   			}, }

> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {

>   					.increment = 1

>   				},

>   				.digest_size = {

> -					.min = 48,

> +					.min = 24,

>   					.max = 48,

> -					.increment = 0

> +					.increment = 1

>   				},

>   				.iv_size = { 0 }

>   			}, }

> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {

>   					.increment = 1

>   				},

>   				.digest_size = {

> -					.min = 64,

> +					.min = 32,

>   					.max = 64,

> -					.increment = 0

> +					.increment = 1

>   				},

>   				.iv_size = { 0 }

>   			}, }
Dmitry Eremin-Solenikov Sept. 27, 2018, 9:32 p.m. | #2
On 25/09/18 17:46, Akhil Goyal wrote:
> 

> 

> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:

>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto

>> PMD to support truncated HMAC operations necessary for IPsec.

>>

>> Signed-off-by: Dmitry Eremin-Solenikov

>> <dmitry.ereminsolenikov@linaro.org>

>> ---

>> Changes since V1:

>>   - support all digest sizes from half of corresponding digest size up to

>>     full length.

> Why can't we extend this to digest size starting from 1 to full length?

> Why is there a limitation for half of corresponding digest size?


Mainly because there is little point in supporting such truncated
digests. It won't be cryptographically safe.

>>

>> ---

>>   drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------

>>   drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------

>>   2 files changed, 22 insertions(+), 21 deletions(-)

>>

>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c

>> b/drivers/crypto/openssl/rte_openssl_pmd.c

>> index 7d263aba3bbd..c635f1e2493c 100644

>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c

>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c

>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,

>> struct rte_crypto_op *op,

>>         srclen = op->sym->auth.data.length;

>>   -    if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)

>> -        dst = qp->temp_digest;

>> -    else {

>> -        dst = op->sym->auth.digest.data;

>> -        if (dst == NULL)

>> -            dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,

>> -                    op->sym->auth.data.offset +

>> -                    op->sym->auth.data.length);

>> -    }

>> +    dst = qp->temp_digest;

>>         switch (sess->auth.mode) {

>>       case OPENSSL_AUTH_AS_AUTH:

>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,

>> struct rte_crypto_op *op,

>>                   sess->auth.digest_length) != 0) {

>>               op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;

>>           }

>> +    } else {

>> +        uint8_t *auth_dst;

>> +

>> +        auth_dst = op->sym->auth.digest.data;

>> +        if (auth_dst == NULL)

>> +            auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,

>> +                    op->sym->auth.data.offset +

>> +                    op->sym->auth.data.length);

>> +        memcpy(auth_dst, dst, sess->auth.digest_length);

>>       }

>>         if (status != 0)

>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>> index de2284390b12..6d3e21de404d 100644

>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities

>> openssl_pmd_capabilities[] = {

>>                       .increment = 1

>>                   },

>>                   .digest_size = {

>> -                    .min = 16,

>> +                    .min = 8,

>>                       .max = 16,

>> -                    .increment = 0

>> +                    .increment = 1

>>                   },

>>                   .iv_size = { 0 }

>>               }, }

>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities

>> openssl_pmd_capabilities[] = {

>>                       .increment = 1

>>                   },

>>                   .digest_size = {

>> -                    .min = 20,

>> +                    .min = 10,

>>                       .max = 20,

>> -                    .increment = 0

>> +                    .increment = 1

>>                   },

>>                   .iv_size = { 0 }

>>               }, }

>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities

>> openssl_pmd_capabilities[] = {

>>                       .increment = 1

>>                   },

>>                   .digest_size = {

>> -                    .min = 28,

>> +                    .min = 14,

>>                       .max = 28,

>> -                    .increment = 0

>> +                    .increment = 1

>>                   },

>>                   .iv_size = { 0 }

>>               }, }

>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities

>> openssl_pmd_capabilities[] = {

>>                       .increment = 1

>>                   },

>>                   .digest_size = {

>> -                    .min = 32,

>> +                    .min = 16,

>>                       .max = 32,

>> -                    .increment = 0

>> +                    .increment = 1

>>                   },

>>                   .iv_size = { 0 }

>>               }, }

>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities

>> openssl_pmd_capabilities[] = {

>>                       .increment = 1

>>                   },

>>                   .digest_size = {

>> -                    .min = 48,

>> +                    .min = 24,

>>                       .max = 48,

>> -                    .increment = 0

>> +                    .increment = 1

>>                   },

>>                   .iv_size = { 0 }

>>               }, }

>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities

>> openssl_pmd_capabilities[] = {

>>                       .increment = 1

>>                   },

>>                   .digest_size = {

>> -                    .min = 64,

>> +                    .min = 32,

>>                       .max = 64,

>> -                    .increment = 0

>> +                    .increment = 1

>>                   },

>>                   .iv_size = { 0 }

>>               }, }

> 



-- 
With best wishes
Dmitry
Akhil Goyal Sept. 28, 2018, 10:28 a.m. | #3
On 9/28/2018 3:02 AM, Dmitry Eremin-Solenikov wrote:
> On 25/09/18 17:46, Akhil Goyal wrote:

>>

>> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:

>>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto

>>> PMD to support truncated HMAC operations necessary for IPsec.

>>>

>>> Signed-off-by: Dmitry Eremin-Solenikov

>>> <dmitry.ereminsolenikov@linaro.org>

>>> ---

>>> Changes since V1:

>>>    - support all digest sizes from half of corresponding digest size up to

>>>      full length.

>> Why can't we extend this to digest size starting from 1 to full length?

>> Why is there a limitation for half of corresponding digest size?

> Mainly because there is little point in supporting such truncated

> digests. It won't be cryptographically safe.

I believe we shall let the application decide the digest size and not 
make this a limitation of PMD.
>

>>> ---

>>>    drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------

>>>    drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------

>>>    2 files changed, 22 insertions(+), 21 deletions(-)

>>>

>>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c

>>> b/drivers/crypto/openssl/rte_openssl_pmd.c

>>> index 7d263aba3bbd..c635f1e2493c 100644

>>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c

>>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c

>>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,

>>> struct rte_crypto_op *op,

>>>          srclen = op->sym->auth.data.length;

>>>    -    if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)

>>> -        dst = qp->temp_digest;

>>> -    else {

>>> -        dst = op->sym->auth.digest.data;

>>> -        if (dst == NULL)

>>> -            dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,

>>> -                    op->sym->auth.data.offset +

>>> -                    op->sym->auth.data.length);

>>> -    }

>>> +    dst = qp->temp_digest;

>>>          switch (sess->auth.mode) {

>>>        case OPENSSL_AUTH_AS_AUTH:

>>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,

>>> struct rte_crypto_op *op,

>>>                    sess->auth.digest_length) != 0) {

>>>                op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;

>>>            }

>>> +    } else {

>>> +        uint8_t *auth_dst;

>>> +

>>> +        auth_dst = op->sym->auth.digest.data;

>>> +        if (auth_dst == NULL)

>>> +            auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,

>>> +                    op->sym->auth.data.offset +

>>> +                    op->sym->auth.data.length);

>>> +        memcpy(auth_dst, dst, sess->auth.digest_length);

>>>        }

>>>          if (status != 0)

>>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>>> index de2284390b12..6d3e21de404d 100644

>>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c

>>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities

>>> openssl_pmd_capabilities[] = {

>>>                        .increment = 1

>>>                    },

>>>                    .digest_size = {

>>> -                    .min = 16,

>>> +                    .min = 8,

>>>                        .max = 16,

>>> -                    .increment = 0

>>> +                    .increment = 1

>>>                    },

>>>                    .iv_size = { 0 }

>>>                }, }

>>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities

>>> openssl_pmd_capabilities[] = {

>>>                        .increment = 1

>>>                    },

>>>                    .digest_size = {

>>> -                    .min = 20,

>>> +                    .min = 10,

>>>                        .max = 20,

>>> -                    .increment = 0

>>> +                    .increment = 1

>>>                    },

>>>                    .iv_size = { 0 }

>>>                }, }

>>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities

>>> openssl_pmd_capabilities[] = {

>>>                        .increment = 1

>>>                    },

>>>                    .digest_size = {

>>> -                    .min = 28,

>>> +                    .min = 14,

>>>                        .max = 28,

>>> -                    .increment = 0

>>> +                    .increment = 1

>>>                    },

>>>                    .iv_size = { 0 }

>>>                }, }

>>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities

>>> openssl_pmd_capabilities[] = {

>>>                        .increment = 1

>>>                    },

>>>                    .digest_size = {

>>> -                    .min = 32,

>>> +                    .min = 16,

>>>                        .max = 32,

>>> -                    .increment = 0

>>> +                    .increment = 1

>>>                    },

>>>                    .iv_size = { 0 }

>>>                }, }

>>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities

>>> openssl_pmd_capabilities[] = {

>>>                        .increment = 1

>>>                    },

>>>                    .digest_size = {

>>> -                    .min = 48,

>>> +                    .min = 24,

>>>                        .max = 48,

>>> -                    .increment = 0

>>> +                    .increment = 1

>>>                    },

>>>                    .iv_size = { 0 }

>>>                }, }

>>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities

>>> openssl_pmd_capabilities[] = {

>>>                        .increment = 1

>>>                    },

>>>                    .digest_size = {

>>> -                    .min = 64,

>>> +                    .min = 32,

>>>                        .max = 64,

>>> -                    .increment = 0

>>> +                    .increment = 1

>>>                    },

>>>                    .iv_size = { 0 }

>>>                }, }

>

Patch

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 7d263aba3bbd..c635f1e2493c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1509,15 +1509,7 @@  process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	srclen = op->sym->auth.data.length;
 
-	if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
-		dst = qp->temp_digest;
-	else {
-		dst = op->sym->auth.digest.data;
-		if (dst == NULL)
-			dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
-					op->sym->auth.data.offset +
-					op->sym->auth.data.length);
-	}
+	dst = qp->temp_digest;
 
 	switch (sess->auth.mode) {
 	case OPENSSL_AUTH_AS_AUTH:
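Review bot: The now-unconditional `dst = qp->temp_digest;` carries no comment explaining why the generate path no longer hashes straight into the caller's digest buffer, and that reason is the point of the change. I would add above it `/* Hash into scratch: the full-length digest may be longer than the (truncated) digest_length the caller's buffer holds. */`. This is inferred from the commit message, since the hash calls themselves are outside the hunk. The body of process_openssl_auth_op starts and ends outside this hunk.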
@@ -1540,6 +1532,15 @@  process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 				sess->auth.digest_length) != 0) {
 			op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
 		}
+	} else {
+		uint8_t *auth_dst;
+
+		auth_dst = op->sym->auth.digest.data;
+		if (auth_dst == NULL)
+			auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
+					op->sym->auth.data.offset +
+					op->sym->auth.data.length);
+		memcpy(auth_dst, dst, sess->auth.digest_length);
 	}
 
 	if (status != 0)
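Review bot: The added `memcpy(auth_dst, dst, sess->auth.digest_length);` trusts the session's digest_length, and nothing visible in this hunk bounds it. A value larger than the digest actually produced would copy stale bytes out of `qp->temp_digest` (possibly a previous operation's tag) into the packet, and one larger than the scratch buffer would read past it. The ranges changed in rte_openssl_pmd_ops.c are only advertised capabilities, so unless session setup (not shown here) already rejects out-of-range lengths, it should validate digest_length against the algorithm's output size before accepting the session. The verify branch whose tail is visible at the top of the hunk compares over the same length; if that compare is a plain `memcmp`, a constant-time compare such as OpenSSL's `CRYPTO_memcmp` is the safer choice for authentication tags. The function continues outside the hunk.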
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index de2284390b12..6d3e21de404d 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -26,9 +26,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 16,
+					.min = 8,
 					.max = 16,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
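Review bot: The new floor `.min = 8` on the entry with `.max = 16` permits a 64-bit tag, which is below the 80-bit lower bound RFC 2104 recommends alongside the half-of-hash-output rule the changelog cites; `.min = 10` would satisfy both for that entry. The other five `.digest_size` hunks in this file (max 20, 28, 32, 48, 64) are at or above 80 bits with their half-length floors. A short comment on each range, e.g. `/* truncation floor: half of the full digest */`, would record why the minimum is not 1. Only the tail of each capability entry is visible, so I am assuming these are the HMAC entries and that the plain-hash entries are untouched.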
@@ -68,9 +68,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 20,
+					.min = 10,
 					.max = 20,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -110,9 +110,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 28,
+					.min = 14,
 					.max = 28,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -152,9 +152,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 32,
+					.min = 16,
 					.max = 32,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -194,9 +194,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 48,
+					.min = 24,
 					.max = 48,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }
@@ -236,9 +236,9 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 					.increment = 1
 				},
 				.digest_size = {
-					.min = 64,
+					.min = 32,
 					.max = 64,
-					.increment = 0
+					.increment = 1
 				},
 				.iv_size = { 0 }
 			}, }