<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Comic Sans MS";
panose-1:3 15 7 2 3 3 2 2 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Can I know the status of this patch, and the possible impact on any existing applications because the partial hash is switched from OpenSSL to intel-ipsec-mb which is not under FIPS certification?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Changchun <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Changchun Zhang <changchun.zhang@oracle.com><br>
<b>Date: </b>Thursday, April 14, 2022 at 2:46 PM<br>
<b>To: </b>Fan Zhang <roy.fan.zhang@intel.com>, dev@dpdk.org <dev@dpdk.org><br>
<b>Cc: </b>kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com <gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com><br>
<b>Subject: </b>Re: [External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Fan,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Does it mean the intel-ipsec-mb would be prerequisite of applying QAT offloading for security application? It this is the case, as I know, the intel-ipsec-mb has no FIPS certification yet. Thus I am thinking
this would impact existing QAT based security application, right?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Comic Sans MS";color:black">Best Regards,</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Comic Sans MS";color:black">Changchun Zhang
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Fan Zhang <roy.fan.zhang@intel.com><br>
<b>Date: </b>Thursday, April 7, 2022 at 11:29 AM<br>
<b>To: </b>dev@dpdk.org <dev@dpdk.org><br>
<b>Cc: </b>kai.ji@intel.com <kai.ji@intel.com>, gakhil@marvell.com <gakhil@marvell.com>, pablo.de.lara.guarch@intel.com <pablo.de.lara.guarch@intel.com>, Fan Zhang <roy.fan.zhang@intel.com><br>
<b>Subject: </b>[External] : [PATCH] crypto/qat: use intel-ipsec-mb for partial hash</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt">Since openssl 3.0 now deprecates the low level API QAT required to<br>
perform partial hash operation when creating the session. This<br>
patch is to transfer such dependency from openssl to intel-ipsec-mb.<br>
<br>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com><br>
---<br>
drivers/common/qat/meson.build | 10 +++<br>
drivers/crypto/qat/qat_sym_session.c | 101 +++++----------------------<br>
2 files changed, 28 insertions(+), 83 deletions(-)<br>
<br>
diff --git a/drivers/common/qat/meson.build b/drivers/common/qat/meson.build<br>
index b7027f3164..d35fc69d96 100644<br>
--- a/drivers/common/qat/meson.build<br>
+++ b/drivers/common/qat/meson.build<br>
@@ -35,6 +35,16 @@ if qat_crypto and not libcrypto.found()<br>
'missing dependency, libcrypto')<br>
endif<br>
<br>
+<br>
+IMB_required_ver = '1.0.0'<br>
+libipsecmb = cc.find_library('IPSec_MB', required: false)<br>
+if not lib.found()<br>
+ build = false<br>
+ reason = 'missing dependency, "libIPSec_MB"'<br>
+else<br>
+ ext_deps += libipsecmb<br>
+endif<br>
+<br>
# The driver should not build if both compression and crypto are disabled<br>
#FIXME common code depends on compression files so check only compress!<br>
if not qat_compress # and not qat_crypto<br>
diff --git a/drivers/crypto/qat/qat_sym_session.c b/drivers/crypto/qat/qat_sym_session.c<br>
index 9d6a19c0be..05a11db750 100644<br>
--- a/drivers/crypto/qat/qat_sym_session.c<br>
+++ b/drivers/crypto/qat/qat_sym_session.c<br>
@@ -6,6 +6,7 @@<br>
#include <openssl/aes.h> /* Needed to calculate pre-compute values */<br>
#include <openssl/md5.h> /* Needed to calculate pre-compute values */<br>
#include <openssl/evp.h> /* Needed for bpi runt block processing */<br>
+#include <intel-ipsec-mb.h><br>
<br>
#include <rte_memcpy.h><br>
#include <rte_common.h><br>
@@ -1057,139 +1058,73 @@ static int qat_hash_get_block_size(enum icp_qat_hw_auth_algo qat_hash_alg)<br>
return -EFAULT;<br>
}<br>
<br>
-static int partial_hash_sha1(uint8_t *data_in, uint8_t *data_out)<br>
-{<br>
- SHA_CTX ctx;<br>
-<br>
- if (!SHA1_Init(&ctx))<br>
- return -EFAULT;<br>
- SHA1_Transform(&ctx, data_in);<br>
- rte_memcpy(data_out, &ctx, SHA_DIGEST_LENGTH);<br>
- return 0;<br>
-}<br>
-<br>
-static int partial_hash_sha224(uint8_t *data_in, uint8_t *data_out)<br>
-{<br>
- SHA256_CTX ctx;<br>
-<br>
- if (!SHA224_Init(&ctx))<br>
- return -EFAULT;<br>
- SHA256_Transform(&ctx, data_in);<br>
- rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);<br>
- return 0;<br>
-}<br>
-<br>
-static int partial_hash_sha256(uint8_t *data_in, uint8_t *data_out)<br>
-{<br>
- SHA256_CTX ctx;<br>
-<br>
- if (!SHA256_Init(&ctx))<br>
- return -EFAULT;<br>
- SHA256_Transform(&ctx, data_in);<br>
- rte_memcpy(data_out, &ctx, SHA256_DIGEST_LENGTH);<br>
- return 0;<br>
-}<br>
-<br>
-static int partial_hash_sha384(uint8_t *data_in, uint8_t *data_out)<br>
-{<br>
- SHA512_CTX ctx;<br>
-<br>
- if (!SHA384_Init(&ctx))<br>
- return -EFAULT;<br>
- SHA512_Transform(&ctx, data_in);<br>
- rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);<br>
- return 0;<br>
-}<br>
-<br>
-static int partial_hash_sha512(uint8_t *data_in, uint8_t *data_out)<br>
-{<br>
- SHA512_CTX ctx;<br>
-<br>
- if (!SHA512_Init(&ctx))<br>
- return -EFAULT;<br>
- SHA512_Transform(&ctx, data_in);<br>
- rte_memcpy(data_out, &ctx, SHA512_DIGEST_LENGTH);<br>
- return 0;<br>
-}<br>
-<br>
-static int partial_hash_md5(uint8_t *data_in, uint8_t *data_out)<br>
-{<br>
- MD5_CTX ctx;<br>
-<br>
- if (!MD5_Init(&ctx))<br>
- return -EFAULT;<br>
- MD5_Transform(&ctx, data_in);<br>
- rte_memcpy(data_out, &ctx, MD5_DIGEST_LENGTH);<br>
-<br>
- return 0;<br>
-}<br>
-<br>
static int<br>
partial_hash_compute(enum icp_qat_hw_auth_algo hash_alg,<br>
uint8_t *data_in, uint8_t *data_out)<br>
{<br>
+ IMB_MGR *m;<br>
+ uint32_t *hash_state_out_be32;<br>
+ uint64_t *hash_state_out_be64;<br>
int digest_size;<br>
uint8_t digest[qat_hash_get_digest_size(<br>
ICP_QAT_HW_AUTH_ALGO_DELIMITER)];<br>
- uint32_t *hash_state_out_be32;<br>
- uint64_t *hash_state_out_be64;<br>
int i;<br>
<br>
+ hash_state_out_be32 = (uint32_t *)data_out;<br>
+ hash_state_out_be64 = (uint64_t *)data_out;<br>
+<br>
/* Initialize to avoid gcc warning */<br>
memset(digest, 0, sizeof(digest));<br>
<br>
digest_size = qat_hash_get_digest_size(hash_alg);<br>
if (digest_size <= 0)<br>
return -EFAULT;<br>
+ m = alloc_mb_mgr(0);<br>
+ if (m == NULL)<br>
+ return -ENOMEM;<br>
<br>
- hash_state_out_be32 = (uint32_t *)data_out;<br>
- hash_state_out_be64 = (uint64_t *)data_out;<br>
+ init_mb_mgr_auto(m, NULL);<br>
<br>
switch (hash_alg) {<br>
case ICP_QAT_HW_AUTH_ALGO_SHA1:<br>
- if (partial_hash_sha1(data_in, digest))<br>
- return -EFAULT;<br>
+ IMB_SHA1_ONE_BLOCK(m, data_in, digest);<br>
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)<br>
*hash_state_out_be32 =<br>
rte_bswap32(*(((uint32_t *)digest)+i));<br>
break;<br>
case ICP_QAT_HW_AUTH_ALGO_SHA224:<br>
- if (partial_hash_sha224(data_in, digest))<br>
- return -EFAULT;<br>
+ IMB_SHA224_ONE_BLOCK(m, data_in, digest);<br>
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)<br>
*hash_state_out_be32 =<br>
rte_bswap32(*(((uint32_t *)digest)+i));<br>
break;<br>
case ICP_QAT_HW_AUTH_ALGO_SHA256:<br>
- if (partial_hash_sha256(data_in, digest))<br>
- return -EFAULT;<br>
+ IMB_SHA256_ONE_BLOCK(m, data_in, digest);<br>
for (i = 0; i < digest_size >> 2; i++, hash_state_out_be32++)<br>
*hash_state_out_be32 =<br>
rte_bswap32(*(((uint32_t *)digest)+i));<br>
break;<br>
case ICP_QAT_HW_AUTH_ALGO_SHA384:<br>
- if (partial_hash_sha384(data_in, digest))<br>
- return -EFAULT;<br>
+ IMB_SHA384_ONE_BLOCK(m, data_in, digest);<br>
for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)<br>
*hash_state_out_be64 =<br>
rte_bswap64(*(((uint64_t *)digest)+i));<br>
break;<br>
case ICP_QAT_HW_AUTH_ALGO_SHA512:<br>
- if (partial_hash_sha512(data_in, digest))<br>
- return -EFAULT;<br>
+ IMB_SHA512_ONE_BLOCK(m, data_in, digest);<br>
for (i = 0; i < digest_size >> 3; i++, hash_state_out_be64++)<br>
*hash_state_out_be64 =<br>
rte_bswap64(*(((uint64_t *)digest)+i));<br>
break;<br>
case ICP_QAT_HW_AUTH_ALGO_MD5:<br>
- if (partial_hash_md5(data_in, data_out))<br>
- return -EFAULT;<br>
+ IMB_MD5_ONE_BLOCK(m, data_in, data_out);<br>
break;<br>
default:<br>
QAT_LOG(ERR, "invalid hash alg %u", hash_alg);<br>
return -EFAULT;<br>
}<br>
<br>
+ free_mb_mgr(m);<br>
return 0;<br>
}<br>
#define HMAC_IPAD_VALUE 0x36<br>
-- <br>
2.32.0</span><o:p></o:p></p>
</div>
</div>
</body>
</html>