Add new feature to do cipher operation for small packets using CPU in…

…stead of QAT according to threshold

Add null check to small packet ctrl msg for invalid cipher names
Change-Id: Ide274b49c6ae5723d2a0c279103b3ad87c60542a

Signed-off-by: Steve Linsell <stevenx.linsell@intel.com>

.tools/Makefile.am

@@ -51,6 +51,7 @@ CFLAGS = $(cflags) $(cflags_cc_opt) $(cflags_enable_upstream_driver) \
 		$(cflags_enable_usdm) $(cflags_mux) $(disable_qat_rsa) \
 		$(disable_qat_ciphers) $(disable_qat_ecdh) $(disable_qat_ecdsa) \
 		$(disable_qat_dsa) $(disable_qat_dh) $(disable_qat_prf) \
+		$(enable_qat_small_pkt_offload) \
 		$(enable_qat_debug) $(enable_qat_warnings) \
 		$(enable_qat_mem_debug) $(enable_qat_mem_warnings)
 

.tools/Makefile.in

@@ -137,6 +137,7 @@ CFLAGS = $(cflags) $(cflags_cc_opt) $(cflags_enable_upstream_driver) \
 		$(cflags_enable_usdm) $(cflags_mux) $(disable_qat_rsa) \
 		$(disable_qat_ciphers) $(disable_qat_ecdh) $(disable_qat_ecdsa) \
 		$(disable_qat_dsa) $(disable_qat_dh) $(disable_qat_prf) \
+		$(enable_qat_small_pkt_offload) \
 		$(enable_qat_debug) $(enable_qat_warnings) \
 		$(enable_qat_mem_debug) $(enable_qat_mem_warnings)
 
@@ -242,6 +243,7 @@ enable_qat_debug = @enable_qat_debug@
 enable_qat_mem_debug = @enable_qat_mem_debug@
 enable_qat_mem_warnings = @enable_qat_mem_warnings@
 enable_qat_mux = @enable_qat_mux@
+enable_qat_small_pkt_offload = @enable_qat_small_pkt_offload@
 enable_qat_warnings = @enable_qat_warnings@
 enable_upstream_driver = @enable_upstream_driver@
 enable_usdm = @enable_usdm@

.tools/configure

@@ -661,6 +661,7 @@ enable_qat_mem_warnings
 enable_qat_mem_debug
 enable_qat_warnings
 enable_qat_debug
+enable_qat_small_pkt_offload
 disable_qat_prf
 disable_qat_dh
 disable_qat_dsa
@@ -793,6 +794,7 @@ enable_qat_ecdsa
 enable_qat_dsa
 enable_qat_dh
 enable_qat_prf
+enable_qat_small_pkt_offload
 enable_qat_debug
 enable_qat_warnings
 enable_qat_mem_debug
@@ -1476,6 +1478,8 @@ Optional Features:
   --disable-qat_dsa       Disable accelerated DSA offload
   --disable-qat_dh        Disable accelerated DH offload
   --disable-qat_prf       Disable accelerated PRF offload
+  --enable-qat_small_pkt_offload
+                          Enable accelerated small packet CIPHER offload
   --enable-qat_debug      Enable Engine Debug Messages
   --enable-qat_warnings   Enable Engine Warning Messages
   --enable-qat_mem_debug  Enable Memory Driver Debug Messages
@@ -11458,6 +11462,14 @@ fi
 
 
 
+# Check whether --enable-qat_small_pkt_offload was given.
+if test "${enable_qat_small_pkt_offload+set}" = set; then :
+  enableval=$enable_qat_small_pkt_offload;
+else
+  enable_qat_small_pkt_offload=unset
+fi
+
+
 
 # Parameter parsing for enabling debug/warnings
 
@@ -11721,6 +11733,17 @@ else
 $as_echo "$as_me: Not Offloading PRF to Hardware" >&6;}
 fi
 
+if test "x$enable_qat_small_pkt_offload" != "xunset"
+then
+  enable_qat_small_pkt_offload="-DOPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: Offloading small packet CIPHERS to Hardware" >&5
+$as_echo "$as_me: Offloading small packet CIPHERS to Hardware" >&6;}
+else
+  enable_qat_small_pkt_offload=""
+  { $as_echo "$as_me:${as_lineno-$LINENO}: Not Offloading small packet CIPHERS to Hardware" >&5
+$as_echo "$as_me: Not Offloading small packet CIPHERS to Hardware" >&6;}
+fi
+
 if test "x$enable_qat_debug" != "xunset"
 then
   enable_qat_debug="-DQAT_DEBUG"

.tools/configure.ac

@@ -64,6 +64,11 @@ AC_ARG_ENABLE(qat_prf,
               , disable_qat_prf=unset)
 AC_SUBST(disable_qat_prf)
 
+AC_ARG_ENABLE(qat_small_pkt_offload,
+              AS_HELP_STRING([--enable-qat_small_pkt_offload],
+                             [Enable accelerated small packet CIPHER offload]),
+              , enable_qat_small_pkt_offload=unset)
+AC_SUBST(enable_qat_small_pkt_offload)
 
 # Parameter parsing for enabling debug/warnings
 
@@ -261,6 +266,15 @@ else
   AC_MSG_NOTICE([Not Offloading PRF to Hardware])
 fi
 
+if test "x$enable_qat_small_pkt_offload" != "xunset"
+then
+  enable_qat_small_pkt_offload="-DOPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS"
+  AC_MSG_NOTICE([Offloading small packet CIPHERS to Hardware])
+else
+  enable_qat_small_pkt_offload=""
+  AC_MSG_NOTICE([Not Offloading small packet CIPHERS to Hardware])
+fi
+
 if test "x$enable_qat_debug" != "xunset"
 then
   enable_qat_debug="-DQAT_DEBUG"

README.md

@@ -595,6 +595,30 @@ Description:
     should be passed in as Param 3. Setting the value to -1 results in infinite
     retries. The default is 5 and the max value is 100,000. This message can be
     sent at any time after the engine is created.
+
+Message String: SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD
+Param 3:        0
+Param 4:        string of cipher algorithm name and threshold value
+Description:
+    This message is used to set the threshold that determines the size
+    crypto packets need to be before they are offloaded to the acceleration
+    device. Very small crypto packets are not efficient to offload to the
+    accelerator as it will take longer to transfer the data to and from the
+    accelerator than it will to encrypt/decrypt using the main CPU.
+    Each EVP_CIPHER supported in Intel® Quickassist Technology
+    OpenSSL\* engine can set the threshold value
+    independently according to the algorithm name as below:
+        AES-128-CBC-HMAC-SHA1
+        AES-256-CBC-HMAC-SHA1
+        AES-128-CBC-HMAC-SHA256
+        AES-256-CBC-HMAC-SHA256
+    The input format should be a string like this in one line:
+        AES-128-CBC-HMAC-SHA1:4096,AES-256-CBC-HMAC-SHA1:8192
+    Using a separator ":" between cipher name and threshold value.
+    Using a separator "," between different cipher configuration
+    The default threshold value is 2048 bytes, the minimum is 0 bytes and the
+    maximum is 16,384.
+
 ```
 
 ## Intel® Quickassist Technology OpenSSL\* Engine Build Options
@@ -701,6 +725,10 @@ Optional
     Disable/Enable Intel® Quickassist Technology
     PRF offload (enabled by default)
 
+--disable-qat_small_pkt_offload/--enable-qat_small_pkt_offload
+    Enable Intel® Quickassist Technology to offload small
+    packet cipher operations (disabled by default)
+
 --disable-qat_debug/--enable-qat_debug
     Disable/Enable debug output to aid debugging. Warning: This
     option should never be enabled in a production environment as

configure

@@ -661,6 +661,7 @@ enable_qat_mem_warnings
 enable_qat_mem_debug
 enable_qat_warnings
 enable_qat_debug
+enable_qat_small_pkt_offload
 disable_qat_prf
 disable_qat_dh
 disable_qat_dsa
@@ -793,6 +794,7 @@ enable_qat_ecdsa
 enable_qat_dsa
 enable_qat_dh
 enable_qat_prf
+enable_qat_small_pkt_offload
 enable_qat_debug
 enable_qat_warnings
 enable_qat_mem_debug
@@ -1476,6 +1478,8 @@ Optional Features:
   --disable-qat_dsa       Disable accelerated DSA offload
   --disable-qat_dh        Disable accelerated DH offload
   --disable-qat_prf       Disable accelerated PRF offload
+  --enable-qat_small_pkt_offload
+                          Enable accelerated small packet CIPHER offload
   --enable-qat_debug      Enable Engine Debug Messages
   --enable-qat_warnings   Enable Engine Warning Messages
   --enable-qat_mem_debug  Enable Memory Driver Debug Messages
@@ -11458,6 +11462,14 @@ fi
 
 
 
+# Check whether --enable-qat_small_pkt_offload was given.
+if test "${enable_qat_small_pkt_offload+set}" = set; then :
+  enableval=$enable_qat_small_pkt_offload;
+else
+  enable_qat_small_pkt_offload=unset
+fi
+
+
 
 # Parameter parsing for enabling debug/warnings
 
@@ -11721,6 +11733,17 @@ else
 $as_echo "$as_me: Not Offloading PRF to Hardware" >&6;}
 fi
 
+if test "x$enable_qat_small_pkt_offload" != "xunset"
+then
+  enable_qat_small_pkt_offload="-DOPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: Offloading small packet CIPHERS to Hardware" >&5
+$as_echo "$as_me: Offloading small packet CIPHERS to Hardware" >&6;}
+else
+  enable_qat_small_pkt_offload=""
+  { $as_echo "$as_me:${as_lineno-$LINENO}: Not Offloading small packet CIPHERS to Hardware" >&5
+$as_echo "$as_me: Not Offloading small packet CIPHERS to Hardware" >&6;}
+fi
+
 if test "x$enable_qat_debug" != "xunset"
 then
   enable_qat_debug="-DQAT_DEBUG"

e_qat.c

@@ -116,6 +116,8 @@
 /* OpenSSL Includes */
 #include <openssl/err.h>
 #include <openssl/async.h>
+#include <openssl/objects.h>
+#include <openssl/crypto.h>
 
 /* QAT includes */
 #ifdef USE_QAT_CONTIG_MEM
@@ -197,6 +199,18 @@ int qat_is_event_driven()
     return enable_event_driven_polling;
 }
 
+#ifndef OPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS
+int setQatSmallPacketThreshold(unsigned char *cipher_name, int threshold)
+{
+    if(threshold < 0)
+        threshold = 0;
+    else if (threshold > 16384)
+        threshold = 16384;
+    return qat_pkt_threshold_table_set_threshold(OBJ_sn2nid(cipher_name),threshold);
+}
+
+#endif
+
 /******************************************************************************
 * function:
 *         incr_curr_inst(void)
@@ -910,6 +924,7 @@ static int qat_engine_init(ENGINE *e)
 #define QAT_CMD_GET_NUM_CRYPTO_INSTANCES (ENGINE_CMD_BASE + 8)
 #define QAT_CMD_DISABLE_EVENT_DRIVEN_POLLING_MODE (ENGINE_CMD_BASE + 9)
 #define QAT_CMD_SET_EPOLL_TIMEOUT (ENGINE_CMD_BASE + 10)
+#define QAT_CMD_SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD (ENGINE_CMD_BASE + 11)
 
 static const ENGINE_CMD_DEFN qat_cmd_defns[] = {
     {
@@ -967,6 +982,11 @@ static const ENGINE_CMD_DEFN qat_cmd_defns[] = {
      "SET_EPOLL_TIMEOUT",
      "Set epoll_wait timeout",
      ENGINE_CMD_FLAG_NUMERIC},
+    {
+     QAT_CMD_SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD,
+     "SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD",
+     "Set QAT small packet threshold",
+     ENGINE_CMD_FLAG_STRING},
     {0, NULL, NULL, 0}
 };
 
@@ -1122,6 +1142,30 @@ qat_engine_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
         *(int *)p = numInstances;
         break;
 
+    case QAT_CMD_SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD:
+#ifndef OPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS
+        if(p) {
+            char *token;
+            while((token = strsep((char **)&p, ","))) {
+                char *name_token = strsep(&token,":");
+                char *value_token = strsep(&token,":");
+                if(name_token && value_token) {
+                    retVal = setQatSmallPacketThreshold(name_token, atoi(value_token));
+                } else {
+                    WARN("Invalid parameter!\n");
+                    retVal = 0;
+                }
+            }
+        } else {
+            WARN("Invalid parameter!\n");
+            retVal = 0;
+        }
+#else
+        WARN("QAT_CMD_SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD is not supported\n");
+        retVal = 0;
+#endif
+        break;
+
     default:
         WARN("CTRL command not implemented\n");
         retVal = 0;
@@ -1163,7 +1207,7 @@ static int qat_engine_finish(ENGINE *e)
                 }
 
                 if (0 == enable_external_polling && !qat_is_event_driven()) {
-                    if (icp_polling_threads[i] != NULL) {
+                    if ((pthread_t *) icp_polling_threads[i] != 0) {
                         pthread_join(icp_polling_threads[i], NULL);
                     }
                 }
@@ -1173,7 +1217,7 @@ static int qat_engine_finish(ENGINE *e)
     }
 
     if (0 == enable_external_polling && qat_is_event_driven()) {
-        if (icp_polling_threads[0] != NULL) {
+        if ((pthread_t *) icp_polling_threads[0] != 0) {
             pthread_join(icp_polling_threads[0], NULL);
         }
     }
@@ -1246,6 +1290,9 @@ static int qat_engine_destroy(ENGINE *e)
     qat_free_DH_methods();
     qat_free_DSA_methods();
     qat_free_RSA_methods();
+#ifndef OPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS
+    CRYPTO_THREAD_cleanup_local(&qat_pkt_threshold_table_key);
+#endif
     ERR_unload_QAT_strings();
     return 1;
 }
@@ -1292,7 +1339,9 @@ static int bind_qat(ENGINE *e, const char *id)
      * as this function will be called by a single thread.
      */
     qat_create_ciphers();
-
+#ifndef OPENSSL_ENABLE_QAT_SMALL_PACKET_CIPHER_OFFLOADS
+    CRYPTO_THREAD_run_once(&qat_pkt_threshold_table_once,qat_pkt_threshold_table_make_key);
+#endif
     DEBUG("%s: About to set mem functions\n", __func__);
 
     if (!ENGINE_set_RSA(e, qat_get_RSA_methods())) {

e_qat.h

@@ -96,13 +96,8 @@ typedef struct qat_chained_ctx_t {
      * need to be the elements present in EVP_AES_HMAC_SHA1 defined in
      * crypto/evp/e_aes_cbc_hmac_sha1.c
      */
-    AES_KEY ks;
-    SHA_CTX head, tail, md;
+
     size_t payload_length;      /* AAD length in decrypt case */
-    union {
-        unsigned int tls_ver;
-        unsigned char tls_aad[16]; /* 13 used */
-    } aux;
 
     /* QAT Session Params */
     CpaInstanceHandle instanceHandle;
@@ -145,6 +140,32 @@ typedef struct qat_chained_ctx_t {
 
 } qat_chained_ctx;
 
+typedef struct qat_chained_sha1_ctx_t {
+    /*struct EVP_AES_HMAC_SHA1 IA_key */
+    AES_KEY ks;
+    SHA_CTX head, tail, md;
+    size_t payload_length;      /* AAD length in decrypt case */
+    union {
+        unsigned int tls_ver;
+        unsigned char tls_aad[16]; /* 13 used */
+    } aux;
+
+    qat_chained_ctx    qat_ctx;
+}qat_chained_sha1_ctx;
+
+typedef struct qat_chained_sha256_ctx_t {
+    /*EVP_AES_HMAC_SHA256 IA_key*/
+    AES_KEY ks;
+    SHA256_CTX head, tail, md;
+    size_t payload_length;      /* AAD length in decrypt case */
+    union {
+        unsigned int tls_ver;
+        unsigned char tls_aad[16]; /* 13 used */
+    } aux;
+
+    qat_chained_ctx    qat_ctx;
+}qat_chained_sha256_ctx;
+
 /* qat_buffer structure for partial hash */
 typedef struct qat_buffer_t {
     struct qat_buffer_t *next;  /* next buffer in the list */