From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>
To: Akhil Goyal <akhil.goyal@nxp.com>, dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH v2] crypto/openssl: support truncated HMAC operations
Date: Fri, 28 Sep 2018 00:32:03 +0300 [thread overview]
Message-ID: <2c10f1e1-d3b6-ee04-4df3-ca847febc416@linaro.org> (raw)
In-Reply-To: <37565196-8048-fd4b-3e88-7fe3d09236f8@nxp.com>
On 25/09/18 17:46, Akhil Goyal wrote:
>
>
> On 9/16/2018 8:48 AM, Dmitry Eremin-Solenikov wrote:
>> IPsec requires truncated HMAC operations support. Extend OpenSSL crypto
>> PMD to support truncated HMAC operations necessary for IPsec.
>>
>> Signed-off-by: Dmitry Eremin-Solenikov
>> <dmitry.ereminsolenikov@linaro.org>
>> ---
>> Changes since V1:
>> - support all digest sizes from half of corresponding digest size up to
>> full length.
> Why can't we extend this to digest size starting from 1 to full length?
> Why is there a limitation for half of corresponding digest size?
Mainly because there is little point in supporting such truncated
digests. It won't be cryptographically safe.
>>
>> ---
>> drivers/crypto/openssl/rte_openssl_pmd.c | 19 ++++++++--------
>> drivers/crypto/openssl/rte_openssl_pmd_ops.c | 24 ++++++++++----------
>> 2 files changed, 22 insertions(+), 21 deletions(-)
>>
>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c
>> b/drivers/crypto/openssl/rte_openssl_pmd.c
>> index 7d263aba3bbd..c635f1e2493c 100644
>> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
>> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
>> @@ -1509,15 +1509,7 @@ process_openssl_auth_op(struct openssl_qp *qp,
>> struct rte_crypto_op *op,
>> srclen = op->sym->auth.data.length;
>> - if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
>> - dst = qp->temp_digest;
>> - else {
>> - dst = op->sym->auth.digest.data;
>> - if (dst == NULL)
>> - dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>> - op->sym->auth.data.offset +
>> - op->sym->auth.data.length);
>> - }
>> + dst = qp->temp_digest;
>> switch (sess->auth.mode) {
>> case OPENSSL_AUTH_AS_AUTH:
>> @@ -1540,6 +1532,15 @@ process_openssl_auth_op(struct openssl_qp *qp,
>> struct rte_crypto_op *op,
>> sess->auth.digest_length) != 0) {
>> op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
>> }
>> + } else {
>> + uint8_t *auth_dst;
>> +
>> + auth_dst = op->sym->auth.digest.data;
>> + if (auth_dst == NULL)
>> + auth_dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
>> + op->sym->auth.data.offset +
>> + op->sym->auth.data.length);
>> + memcpy(auth_dst, dst, sess->auth.digest_length);
>> }
>> if (status != 0)
>> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> index de2284390b12..6d3e21de404d 100644
>> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
>> @@ -26,9 +26,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>> .increment = 1
>> },
>> .digest_size = {
>> - .min = 16,
>> + .min = 8,
>> .max = 16,
>> - .increment = 0
>> + .increment = 1
>> },
>> .iv_size = { 0 }
>> }, }
>> @@ -68,9 +68,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>> .increment = 1
>> },
>> .digest_size = {
>> - .min = 20,
>> + .min = 10,
>> .max = 20,
>> - .increment = 0
>> + .increment = 1
>> },
>> .iv_size = { 0 }
>> }, }
>> @@ -110,9 +110,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>> .increment = 1
>> },
>> .digest_size = {
>> - .min = 28,
>> + .min = 14,
>> .max = 28,
>> - .increment = 0
>> + .increment = 1
>> },
>> .iv_size = { 0 }
>> }, }
>> @@ -152,9 +152,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>> .increment = 1
>> },
>> .digest_size = {
>> - .min = 32,
>> + .min = 16,
>> .max = 32,
>> - .increment = 0
>> + .increment = 1
>> },
>> .iv_size = { 0 }
>> }, }
>> @@ -194,9 +194,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>> .increment = 1
>> },
>> .digest_size = {
>> - .min = 48,
>> + .min = 24,
>> .max = 48,
>> - .increment = 0
>> + .increment = 1
>> },
>> .iv_size = { 0 }
>> }, }
>> @@ -236,9 +236,9 @@ static const struct rte_cryptodev_capabilities
>> openssl_pmd_capabilities[] = {
>> .increment = 1
>> },
>> .digest_size = {
>> - .min = 64,
>> + .min = 32,
>> .max = 64,
>> - .increment = 0
>> + .increment = 1
>> },
>> .iv_size = { 0 }
>> }, }
>
--
With best wishes
Dmitry
next prev parent reply other threads:[~2018-09-27 21:32 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-16 3:18 Dmitry Eremin-Solenikov
2018-09-25 14:46 ` Akhil Goyal
2018-09-27 21:32 ` Dmitry Eremin-Solenikov [this message]
2018-09-28 10:28 ` Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2c10f1e1-d3b6-ee04-4df3-ca847febc416@linaro.org \
--to=dmitry.ereminsolenikov@linaro.org \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).