Bug fix, README & v0.6.18 Version update.

- Fix Chachapoly TLS1.2 Keep alive issue. Signed-off-by: Yogaraj Alamenda <yogarajx.alamenda@intel.com>
intel · Dec 14, 2022 · c3e319b · c3e319b
1 parent ea2f554
commit c3e319b
Show file tree

Hide file tree

Showing 9 changed files with 75 additions and 52 deletions.
diff --git a/README.md b/README.md
@@ -30,8 +30,8 @@ section.
 ## Features
 Features of the QAT_Engine are described [here](docs/features.md).
 
-## Limitations
-Limitations for the QAT_Engine are described [here](docs/limitations.md).
+## Limitations and Known Issues
+Limitations and known issues for the QAT_Engine are described [here](docs/limitations.md).
 
 ## Requirements
 - [Hardware Requirements](docs/hardware_requirements.md)

diff --git a/configure.ac b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.68])
-AC_INIT([qatengine], [0.6.17], [])
+AC_INIT([qatengine], [0.6.18], [])
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_AUX_DIR([.])

diff --git a/docs/limitations.md b/docs/limitations.md
@@ -1,60 +1,77 @@
 ## Limitations
 
-* When forking within an application it is not valid for a cryptographic
+* When **forking** within an application it is not valid for a cryptographic
   operation to be started in the parent process, and completed in the child
   process.
-* Only one level of forking is permitted, if a child process forks again then
+* Only **one level of forking is permitted**, if a child process forks again then
   the Intel&reg; QAT OpenSSL\* Engine will not be available in that forked
   process.
-* Event driven mode of polling operation is not supported in the FreeBSD
+* **Event driven mode** of polling operation is not supported in the FreeBSD
   Operating system or in the qatlib RPM.
-* qat_contig_mem memory driver is not supported when running under FreeBSD
+* **qat_contig_mem** memory driver is not supported when running under FreeBSD
   Operating system or in the qatlib RPM. The default is to use the USDM memory
   driver supplied as part of the Intel&reg; QAT Driver.
+* **SM2, SM3 & SM4** application testing is done using BabaSSL only since OpenSSL
+  doesn't support SMx cipher suites.
+* QAT Engine doesn't support **ENCRYPT_THEN_MAC**(default) mode of operation meaning
+  when Encrypt then MAC is negotiated for symmetric ciphers say AES-CBC, the requests will not
+  get offloaded via QAT_HW, instead uses OpenSSL SW. Disable ENCRYPT_THEN_MAC with the flag
+  `SSL_OP_NO_ENCRYPT_THEN_MAC` programmatically using SSL_CTX_set_options() to offload
+  symmetric chained ciphers via QAT_HW. Please note disabling ENCRYPT_THEN_MAC has security
+  implications.
 * Support for cipher AES-128-CBC-HMAC-SHA1 and its related ciphers was broken
   in release OpenSSL\* 1.1.1d. This was later fixed in OpenSSL\* 1.1.1e release.
-* X25519/X448 support is available only from version 4.9 of the Intel&reg; QAT
+* OpenSSL 1.1.1n introduced misleading error message(undefined symbol: **EVP_PKEY_get_base_id**)
+  during engine load which can be ignored as it is not a real failure. This is later fixed in
+  OpenSSL\* 1.1.1o release.
+* X25519/X448 support is available only from **version 4.9** of the Intel&reg; QAT
   driver for Linux. Use `--disable-qat_hw_ecx` in the Intel&reg; QAT OpenSSL\* Engine
   configure when building against earlier versions of the Linux driver.
-* Support for qaeMemFreeNonZeroNUMA() USDM API is available only from version 4.10
+* Support for qaeMemFreeNonZeroNUMA() USDM API is available only from **version 4.10**
   of the Intel&reg; QAT driver for Linux. Use `--with-cc-opt="-DQAT_HW_DISABLE_NONZERO_MEMFREE"`
   in the Intel&reg; QAT OpenSSL\* Engine configuration when building against earlier
   versions of the Linux driver.
-* Support for QAT HW ECX, QAT SW ECX, QAT SW SM2 ECDSA, QAT HW PRF and QAT HW HKDF is disabled
+* From **version 4.19** of Intel&reg; QAT driver for Linux, legacy or insecure algorithms such as DES,
+  3DES, MD5, SHA1, RC4 are disabled by default so there will be failures observed in the relevant
+  ciphers. Driver needs to be built with flag "--enable-legacy-algorithms" to enable those algorithms
+  support.
+* QAT Engine built for OpenSSL3.0 is only compatible with dependant libraries also linked with OpenSSL3.0
+  libraries due to [OpenSSL#17112][1]. Same applies for OpenSSL 1.1.1.
+
+## Known Issues
+
+### Functional
+* Known issue with OpenSSL 3.0 s_server using qatengine with cipher **"DHE-RSA-CHACHA20-POLY1305"** which
+  works fine with Nginx. The issue is due to failure at EVP_PKEY_copy_parameter() in OpenSSL.
+* AES-CBC-HMAC-SHA chained ciphers does not support **pipeline feature** when built with
+  OpenSSL 3.0 as the corresponding support is not available in OpenSSL 3.0 - [OpenSSL#18298][2]
+* Support for **QAT HW ECX, QAT SW ECX, QAT SW SM2 ECDSA, QAT HW PRF and QAT HW HKDF** is disabled
   when built against OpenSSL 3.0 engine interface since OpenSSL doesn't have default implementation
   methods accessible from OpenSSL3.0 engine interface, instead it uses non-accelerated
-  implementation from OpenSSL default provider.
-* There is known performance scaling issue (performance drop with threads >32)
-  with ECDSA Ciphers in the QAT Software acceleration using multithread mode
-  in the Haproxy application. This issue is not observed when using RSA ciphers
-  or in multi-process mode.
-* There is an issue in sshd daemon application when using the QAT for default openssl.
+  implementation from OpenSSL default provider - [OpenSSL#19047][3]
+* There is an issue in **sshd** daemon application when using the QAT for default openssl.
   sshd looks to be closing the file descriptors associated with QAT engine and driver after
   initialising openssl. Similar issue was present which prevents the ability to ssh out of
   the system using the QAT engine in versions of the ssh application before OpenSSH 8.7.
-  The issue has been fixed with this commit [c9f7bba][1] . This update can be applied to
+  The issue has been fixed with this commit [c9f7bba][4] . This update can be applied to
   sshd to work-around the issue.
-* SM2 ECDH and ECDSA application testing is done using BabaSSL only since OpenSSL
-  doesn't support SMx cipher suites.
-* SM3 is disabled by default due to performance drop observed in mulithread scenario
-  for all ciphers suites due to the locks at engine_table_select in OpenSSL.
-* OpenSSL 1.1.1n introduced misleading error message(undefined symbol: EVP_PKEY_get_base_id)
-  during engine load which can be ignored as it is not a real failure. This is later fixed in
-  OpenSSL\* 1.1.1o release.
-* AES-CBC-HMAC-SHA chained ciphers does not support pipeline feature when built with
-  OpenSSL 3.0 as the corresponding support is not available in OpenSSL 3.0.
-* QAT Engine doesn't support ENCRYPT_THEN_MAC(default) mode of operation meaning
-  when Encrypt then MAC is negotiated for symmetric ciphers say AES-CBC, the requests will not
-  get offloaded via QAT_HW, instead uses OpenSSL SW. Disable ENCRYPT_THEN_MAC with the flag
-  `SSL_OP_NO_ENCRYPT_THEN_MAC` programmatically using SSL_CTX_set_options() to offload
-  symmetric chained ciphers via QAT_HW. Please note disabling ENCRYPT_THEN_MAC has security
-  implications.
-* Known issue with OpenSSL 3.0 s_server using qatengine with cipher "DHE-RSA-CHACHA20-POLY1305" which
-  works fine with Nginx. The issue is due to failure at EVP_PKEY_copy_parameter() in OpenSSL which is
-  yet to be root caused.
-* From version 4.19 of Intel&reg; QAT driver for Linux, legacy or insecure algorithms such as DES,
-  3DES, MD5, SHA1, RC4 are disabled by default so there will be failures observed in the relevant
-  ciphers. Driver needs to be built with flag "--enable-legacy-algorithms" to enable those algorithms
-  support.
+* Failures with QAT_HW SHA3 for 0 bytes file, Big file with multiple SHA3 update and
+  HMAC with SHA3.
+* Known issue with QAT_SW SM2 in ntls mode since QAT_SW SM2 doesn't have plain sign and
+  verify operation support in engine. Disable QAT_SW SM2 to workaround the issue with ntls.
+  No issues with TLS mode since it uses digestsign and digestverify which is supported.
+
+### Performance
+* There is known performance scaling issue (performance drop with threads >32)
+  with ECDSA Ciphers in the QAT Software acceleration using multithread mode
+  in the Haproxy application. This issue is not observed when using RSA ciphers
+  or in multi-process mode.
+* SM3 is disabled by default due to performance drop observed in **mulithread scenario**
+  for all ciphers suites due to the additional locks at engine_table_select introduced by
+  engine digest registration in OpenSSL - [OpenSSL#18509][5]
 
-[1]:https://github.com/openssh/openssh-portable/commit/c9f7bba2e6f70b7ac1f5ea190d890cb5162ce127
+[1]:https://github.com/openssl/openssl/pull/17112
+[2]:https://github.com/openssl/openssl/issues/18298
+[3]:https://github.com/openssl/openssl/issues/19047
+[4]:https://github.com/openssh/openssh-portable/commit/c9f7bba2e6f70b7ac1f5ea190d890cb5162ce127
+[5]:https://github.com/openssl/openssl/issues/18509
diff --git a/docs/software_requirements.md b/docs/software_requirements.md
@@ -9,7 +9,7 @@ Driver for FreeBSD. This release was validated on the following:
 * Operating system: CentOS* 8.4, Ubuntu\* 20.04.2 LTS & FreeBSD\* 12.3
 * Intel&reg; Communications Chipset C62X Series Software for Linux\*, version **4.19**
 * Intel&reg; Communications Chipset C62X Series Software for FreeBSD\*, version **3.12**
-* OpenSSL\* 1.1.1q & 3.0.5
+* OpenSSL\* 1.1.1s & 3.0.7
 * BoringSSL\* commit - [15596efa5f][1]
 * BabaSSL - 8.3.1
 
@@ -30,8 +30,8 @@ This release was validated on the following:
 * Operating system: Ubuntu\* 20.04.2 LTS
 * Intel&reg; Crypto Multi-buffer library from the [ipp-crypto][2] release
   version **IPP Crypto 2021.6**
-* Intel&reg; Multi-Buffer crypto for IPsec Library release version **v1.2**
-* OpenSSL\* 1.1.1q & 3.0.5
+* Intel&reg; Multi-Buffer crypto for IPsec Library release version **v1.3**
+* OpenSSL\* 1.1.1s & 3.0.7
 * BoringSSL\* commit - [15596efa5f][1]
 * BabaSSL - 8.3.1
 

diff --git a/e_qat.c b/e_qat.c
@@ -148,13 +148,13 @@
 const char *engine_qat_id = STR(QAT_ENGINE_ID);
 #if defined(QAT_HW) && defined(QAT_SW)
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v0.6.17";
+    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v0.6.18";
 #elif QAT_HW
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_hw) v0.6.17";
+    "Reference implementation of QAT crypto engine(qat_hw) v0.6.18";
 #else
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_sw) v0.6.17";
+    "Reference implementation of QAT crypto engine(qat_sw) v0.6.18";
 #endif
 unsigned int engine_inited = 0;
 

diff --git a/qat_hw_chachapoly.c b/qat_hw_chachapoly.c
@@ -1681,8 +1681,8 @@ static int qat_chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
         cp_ctx->mac_key_set = 0;
 
 # if !defined(ENABLE_QAT_HW_SMALL_PKT_OFFLOAD) && !defined(QAT_OPENSSL_PROVIDER)
-        if (cp_ctx->packet_size <= qat_pkt_threshold_table_get_threshold(
-            EVP_CIPHER_CTX_nid(ctx))) {
+        if (len <= qat_pkt_threshold_table_get_threshold(
+                   EVP_CIPHER_CTX_nid(ctx))) {
             goto sw_ctrl;
         }
 # endif

diff --git a/qat_provider.h b/qat_provider.h
@@ -51,8 +51,8 @@
 # include <openssl/bio.h>
 # include <openssl/core_dispatch.h>
 
-# define QAT_PROVIDER_VERSION_STR "v0.6.17"
-# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v0.6.17"
+# define QAT_PROVIDER_VERSION_STR "v0.6.18"
+# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v0.6.18"
 
 # if defined(QAT_HW) && defined(QAT_SW)
 #  define QAT_PROVIDER_NAME_STR "QAT Provider for QAT_HW and QAT_SW"

diff --git a/qatengine-sw.spec b/qatengine-sw.spec
@@ -4,7 +4,7 @@
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
 
 Name:           qatengine-sw
-Version:        0.6.17
+Version:        0.6.18
 Release:        1%{?dist}
 Summary:        Intel QuickAssist Technology (QAT) OpenSSL Engine
 # Most of the source code is BSD, with the following exceptions:
@@ -49,6 +49,9 @@ autoreconf -ivf
 %exclude %{enginesdir}/qatengine.la
 
 %changelog
+* Thu Dec 08 2022 Yogaraj Alamenda <yogarajx.alamenda@intel.com> - 0.6.18-1
+- Update to qatengine v0.6.18
+
 * Wed Nov 02 2022 Yogaraj Alamenda <yogarajx.alamenda@intel.com> - 0.6.17-1
 - Update to qatengine v0.6.17
 

diff --git a/qatengine.spec b/qatengine.spec
@@ -4,7 +4,7 @@
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
 
 Name:           qatengine
-Version:        0.6.17
+Version:        0.6.18
 Release:        1%{?dist}
 Summary:        Intel QuickAssist Technology (QAT) OpenSSL Engine
 # Most of the source code is BSD, with the following exceptions:
@@ -46,6 +46,9 @@ autoreconf -ivf
 %exclude %{enginesdir}/qatengine.la
 
 %changelog
+* Thu Dec 08 2022 Yogaraj Alamenda <yogarajx.alamenda@intel.com> - 0.6.18-1
+- Update to qatengine v0.6.18
+
 * Wed Nov 02 2022 Yogaraj Alamenda <yogarajx.alamenda@intel.com> - 0.6.17-1
 - Update to qatengine v0.6.17