[dpdk-dev] [PATCH v2] crypto/openssl: support truncated HMAC operations

Akhil Goyal akhil.goyal at nxp.com
Fri Sep 28 12:28:06 CEST 2018 


On 9/28/2018 3:02 AM, Dmitry Eremin-Solenikov wrote:
> On 25/09/18 17:46, Akhil Goyal wrote:
>>
>> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:
>>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
>>> PMD to support truncated HMAC operations necessary for IPsec.
>>>
>>> Signed-off-by: Dmitry Eremin-Solenikov
>>> <dmitry.ereminsolenikov at linaro.org>
>>> ---
>>> Changes since V1:
>>>    - support all digest sizes from half of corresponding digest size up to
>>>      full length.
>> Why can't we extend this to digest size starting from 1 to full length?
>> Why is there a limitation for half of corresponding digest size?
> Mainly because there is little point in supporting such truncated
> digests. It won't be cryptographically safe.
I believe we shall let the application decide the digest size and not 
make this a limitation of PMD.
>
>>> ---
>>>    drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
>>>    drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
>>>    2 files changed, 22 insertions(+), 21 deletions(-)
>>>
>>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
>>> b/drivers/crypto/openssl/rte_openssl_pmd.c
>>> index 7d263aba3bbd..c635f1e2493c 100644
>>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
>>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
>>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,
>>> struct rte_crypto_op *op,
>>>          srclen = op->sym->auth.data.length;
>>>    -    if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
>>> -        dst = qp->temp_digest;
>>> -    else {
>>> -        dst = op->sym->auth.digest.data;
>>> -        if (dst == NULL)
>>> -            dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>>> -                    op->sym->auth.data.offset +
>>> -                    op->sym->auth.data.length);
>>> -    }
>>> +    dst = qp->temp_digest;
>>>          switch (sess->auth.mode) {
>>>        case OPENSSL_AUTH_AS_AUTH:
>>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,
>>> struct rte_crypto_op *op,
>>>                    sess->auth.digest_length) != 0) {
>>>                op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
>>>            }
>>> +    } else {
>>> +        uint8_t *auth_dst;
>>> +
>>> +        auth_dst = op->sym->auth.digest.data;
>>> +        if (auth_dst == NULL)
>>> +            auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>>> +                    op->sym->auth.data.offset +
>>> +                    op->sym->auth.data.length);
>>> +        memcpy(auth_dst, dst, sess->auth.digest_length);
>>>        }
>>>          if (status != 0)
>>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> index de2284390b12..6d3e21de404d 100644
>>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 16,
>>> +                    .min = 8,
>>>                        .max = 16,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 20,
>>> +                    .min = 10,
>>>                        .max = 20,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 28,
>>> +                    .min = 14,
>>>                        .max = 28,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 32,
>>> +                    .min = 16,
>>>                        .max = 32,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 48,
>>> +                    .min = 24,
>>>                        .max = 48,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities
>>> openssl_pmd_capabilities[] = {
>>>                        .increment = 1
>>>                    },
>>>                    .digest_size = {
>>> -                    .min = 64,
>>> +                    .min = 32,
>>>                        .max = 64,
>>> -                    .increment = 0
>>> +                    .increment = 1
>>>                    },
>>>                    .iv_size = { 0 }
>>>                }, }
>

More information about the dev mailing list