Re: [dpdk-dev] [PATCH v2] crypto/openssl: support truncated HMAC operations

Fri, 28 Sep 2018 03:28:56 -0700 



On 9/28/2018 3:02 AM, Dmitry Eremin-Solenikov wrote:

On 25/09/18 17:46, Akhil Goyal wrote:


On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:

IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
PMD to support truncated HMAC operations necessary for IPsec.

Signed-off-by: Dmitry Eremin-Solenikov
<dmitry.ereminsoleni...@linaro.org>
---
Changes since V1:
   - support all digest sizes from half of corresponding digest size up to
     full length.

Why can't we extend this to digest size starting from 1 to full length?
Why is there a limitation for half of corresponding digest size?

Mainly because there is little point in supporting such truncated
digests. It won't be cryptographically safe.

I believe we shall let the application decide the digest size and not 
make this a limitation of PMD.



---
   drivers/crypto/openssl/rte_openssl_pmd.c     | 19 ++++++++--------
   drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
   2 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
b/drivers/crypto/openssl/rte_openssl_pmd.c
index 7d263aba3bbd..c635f1e2493c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,
struct rte_crypto_op *op,
         srclen = op->sym->auth.data.length;
   -    if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
-        dst = qp->temp_digest;
-    else {
-        dst = op->sym->auth.digest.data;
-        if (dst == NULL)
-            dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
-                    op->sym->auth.data.offset +
-                    op->sym->auth.data.length);
-    }
+    dst = qp->temp_digest;
         switch (sess->auth.mode) {
       case OPENSSL_AUTH_AS_AUTH:
@@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,
struct rte_crypto_op *op,
                   sess->auth.digest_length) != 0) {
               op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
           }
+    } else {
+        uint8_t *auth_dst;
+
+        auth_dst = op->sym->auth.digest.data;
+        if (auth_dst == NULL)
+            auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
+                    op->sym->auth.data.offset +
+                    op->sym->auth.data.length);
+        memcpy(auth_dst, dst, sess->auth.digest_length);
       }
         if (status != 0)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index de2284390b12..6d3e21de404d 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities
openssl_pmd_capabilities[] = {
                       .increment = 1
                   },
                   .digest_size = {
-                    .min = 16,
+                    .min = 8,
                       .max = 16,
-                    .increment = 0
+                    .increment = 1
                   },
                   .iv_size = { 0 }
               }, }
@@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities
openssl_pmd_capabilities[] = {
                       .increment = 1
                   },
                   .digest_size = {
-                    .min = 20,
+                    .min = 10,
                       .max = 20,
-                    .increment = 0
+                    .increment = 1
                   },
                   .iv_size = { 0 }
               }, }
@@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities
openssl_pmd_capabilities[] = {
                       .increment = 1
                   },
                   .digest_size = {
-                    .min = 28,
+                    .min = 14,
                       .max = 28,
-                    .increment = 0
+                    .increment = 1
                   },
                   .iv_size = { 0 }
               }, }
@@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities
openssl_pmd_capabilities[] = {
                       .increment = 1
                   },
                   .digest_size = {
-                    .min = 32,
+                    .min = 16,
                       .max = 32,
-                    .increment = 0
+                    .increment = 1
                   },
                   .iv_size = { 0 }
               }, }
@@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities
openssl_pmd_capabilities[] = {
                       .increment = 1
                   },
                   .digest_size = {
-                    .min = 48,
+                    .min = 24,
                       .max = 48,
-                    .increment = 0
+                    .increment = 1
                   },
                   .iv_size = { 0 }
               }, }
@@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities
openssl_pmd_capabilities[] = {
                       .increment = 1
                   },
                   .digest_size = {
-                    .min = 64,
+                    .min = 32,
                       .max = 64,
-                    .increment = 0
+                    .increment = 1
                   },
                   .iv_size = { 0 }
               }, }


























					Reply via email to