OpenSSL 3.0 Provider Support.

OpenSSL 3.0 Provider support for RSA, ECDH, ECDSA, ECX and AES-GCM using QAT_HW and QAT_SW. Co-authored-by: Jaya Naga Venkata Sudhakar <[email protected]> Co-authored-by: ravalib <[email protected]> Signed-off-by: Yogaraj Alamenda <[email protected]>
intel · Apr 1, 2022 · 38086fa · 38086fa
1 parent 5ee799a
commit 38086fa
Show file tree

Hide file tree

Showing 49 changed files with 9,352 additions and 260 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -1,6 +1,6 @@
 ACLOCAL_AMFLAGS = -I m4
 
-lib_LTLIBRARIES = qatengine.la
+lib_LTLIBRARIES = @LIBQATNAME@.la
 
 if QAT_HW
 if QAT_HW_CONTIG_MEM
@@ -24,6 +24,22 @@ QAT_COMMON_SRC = e_qat.c      \
                  qat_utils.c  \
                  qat_evp.c
 
+if QAT_PROVIDER
+ QAT_PROV_SRC = qat_prov_init.c      \
+                qat_prov_kmgmt_rsa.c \
+                qat_prov_sign_rsa.c  \
+                qat_prov_rsa.c       \
+                qat_prov_kmgmt_ecx.c \
+                qat_prov_exch_ecx.c  \
+                qat_prov_hw_ecx.c    \
+                qat_prov_sw_ecx.c    \
+                qat_prov_ciphers.c   \
+                qat_prov_kmgmt_ec.c  \
+                qat_prov_ecdsa.c     \
+                qat_prov_ecdh.c
+
+endif
+
 if QAT_OPENSSL_3
 QAT_ERR_SRC = qat_prov_err.c
 else
@@ -66,12 +82,13 @@ if QAT_SW_IPSEC
                      qat_sw_ipsec_inf.c
 endif
 
-qatengine_la_SOURCES = ${QAT_COMMON_SRC}   \
-                       ${QAT_ERR_SRC}      \
-                       ${QAT_HW_SRC}       \
-                       ${QAT_HW_MEM_SRC}   \
-                       ${QAT_SW_SRC}       \
-                       ${QAT_SW_IPSEC_SRC}
+@LIBQATNAME@_la_SOURCES = ${QAT_COMMON_SRC}   \
+                          ${QAT_PROV_SRC}     \
+                          ${QAT_ERR_SRC}      \
+                          ${QAT_HW_SRC}       \
+                          ${QAT_HW_MEM_SRC}   \
+                          ${QAT_SW_SRC}       \
+                          ${QAT_SW_IPSEC_SRC}
 
 AM_CPPFLAGS = $(includes_openssl) $(includes_qat_hw_usdm)  \
               $(includes_qat_hw) $(includes_qat_sw)
@@ -96,10 +113,10 @@ AM_CFLAGS = $(cflags) $(cflags_cc_opt) $(cflags_qat_debug_file)      \
             $(enable_qat_cycle_counts) $(enable_qat_hw_set_inst_thread)
 
 
-qatengine_la_LDFLAGS = -module -no-undefined -avoid-version       \
-                       -shared $(QAT_LD_LIB) $(QAT_HW_DRIVER_LIB) \
-                       $(QAT_HW_MEM_LIB) $(QAT_SW_CRYPTO_MB_LIB)  \
-                       $(QAT_SW_IPSEC_MB_LIB)
+@LIBQATNAME@_la_LDFLAGS = -module -no-undefined -avoid-version       \
+                          -shared $(QAT_LD_LIB) $(QAT_HW_DRIVER_LIB) \
+                          $(QAT_HW_MEM_LIB) $(QAT_SW_CRYPTO_MB_LIB)  \
+                          $(QAT_SW_IPSEC_MB_LIB)
 
 mostlyclean-generic:
 	-rm -f *.obj lib tags core .pure .nfs* \

diff --git a/configure.ac b/configure.ac
@@ -128,6 +128,11 @@ AC_ARG_ENABLE(qat_sw,
                              [Enable qat_sw acceleration using Intel(R) Crypto Multi-buffer library]))
 AC_SUBST(enable_qat_sw)
 
+AC_ARG_ENABLE(qat_provider,
+              AS_HELP_STRING([--enable-qat_provider],
+                             [Enable Provider Support for Openssl 3.0]))
+AC_SUBST(enable_qat_provider)
+
 # Parameter parsing for self tuning of the timeout in the qat_sw polling thread
 AC_ARG_ENABLE(qat_sw_heuristic_timeout,
               AS_HELP_STRING([--enable-qat_sw_heuristic_timeout],
@@ -244,6 +249,9 @@ AC_ARG_ENABLE(qat_auto_engine_init_on_fork,
                              [Disable auto initialization of the engine following a fork]))
 AC_SUBST(enable_qat_auto_engine_init_on_fork)
 
+#Default library name is qatengine
+AC_SUBST([LIBQATNAME], "qatengine")
+
 AC_CHECK_FILE(${qat_hw_dir_prefix}/include/qat/icp_sal_versions.h,
 	      [with_icp_sal_versions_h=yes],
 	      [with_icp_sal_versions_h=no])
@@ -266,21 +274,27 @@ then
   fi
 fi
 
+#OpenSSL 3.0 uses lib location based on ARCH
+AS_IF([test "$host_cpu" = "x86_64"], [AC_SUBST([openssl3_lib], "lib64")], [AC_SUBST([openssl3_lib], "lib")])
+
 # OpenSSL install dir or set system openssl install dir if not provided
 if test "x$with_openssl_install_dir" != "x"
 then
   ac_default_prefix=$with_openssl_install_dir
   if test "`grep "define OPENSSL_VERSION_MAJOR" $with_openssl_install_dir/include/openssl/opensslv.h | awk '{print $4}'`" = "3"
   then
-    AC_MSG_NOTICE([Build QAT engine against OpenSSL 3.0])
-    AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED"])
-    if test "$host_cpu" = "x86_64"
+    if test "x$enable_qat_provider" = "xyes"
     then
-      libdir="\$(with_openssl_install_dir)/lib64/engines-3"
-      AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/lib64 -L\$(with_openssl_install_dir)/lib64 -lcrypto"])
+      AC_MSG_NOTICE([Build QAT Provider against OpenSSL 3.0])
+      libdir="\$(with_openssl_install_dir)/\$(openssl3_lib)/ossl-modules"
+      AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED -DQAT_OPENSSL_PROVIDER"])
+      AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/\$(openssl3_lib) -L\$(with_openssl_install_dir)/\$(openssl3_lib) -lcrypto"])
+      AC_SUBST([LIBQATNAME], "qatprovider")
     else
-      libdir="\$(with_openssl_install_dir)/lib/engines-3"
-      AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/lib -L\$(with_openssl_install_dir)/lib -lcrypto"])
+      AC_MSG_NOTICE([Build QAT Engine against OpenSSL 3.0])
+      libdir="\$(with_openssl_install_dir)/\$(openssl3_lib)/engines-3"
+      AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED"])
+      AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/\$(openssl3_lib) -L\$(with_openssl_install_dir)/\$(openssl3_lib) -lcrypto"])
     fi
   else
     AC_MSG_NOTICE([Build QAT engine against OpenSSL 1.1.1])
@@ -295,15 +309,25 @@ else
   includes_openssl="`pkg-config --variable=includedir libcrypto`"
   if test "`grep "define OPENSSL_VERSION_MAJOR" $includes_openssl/openssl/opensslv.h | awk '{print $4}'`" = "3"
   then
-    AC_MSG_NOTICE([Build QAT engine against OpenSSL 3.0])
-    AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED"])
+    if test "x$enable_qat_provider" = "xyes"
+    then
+      AC_MSG_NOTICE([Build QAT Provider against OpenSSL 3.0])
+      AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED -DQAT_OPENSSL_PROVIDER"])
+      openssl3_lib="`pkg-config --variable=libdir libcrypto`"
+      libdir="\$(openssl3_lib)/ossl-modules"
+    else
+      AC_MSG_NOTICE([Build QAT Engine against OpenSSL 3.0])
+      AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED"])
+      libdir="`pkg-config --variable=enginesdir libcrypto`"
+    fi
   fi
-  AC_MSG_NOTICE([Install engine in the system OpenSSL enginesdir Path])
+  AC_MSG_NOTICE([Install engine/provider in the system OpenSSL Path])
   AC_SUBST([includes_openssl], ["-I`pkg-config --variable=includedir libcrypto`"])
   AC_SUBST([OPENSSL_LIB], ["-lcrypto"])
   AC_SUBST([libdir])
 fi
 AM_CONDITIONAL([QAT_OPENSSL_3], [test "x$cflags_openssl_3" != "x"])
+AM_CONDITIONAL([QAT_PROVIDER], [test "x$enable_qat_provider" = "xyes"])
 
 # If both QAT HW and QAT SW configured, then check the libraries from standard location and use accordingly.
 if test "x$cflags_qat_hw_intree" = "x"
@@ -409,7 +433,7 @@ fi
 fi
 fi
 
-if test "x$cflags_qat_hw" != "x" -a "x$cflags_qat_sw" != "x" -a "x$cflags_openssl_3" = "x"
+if test "x$cflags_qat_hw" != "x" -a "x$cflags_qat_sw" != "x"
 then
   if test "x$enable_qat_hw_ecx" = "xyes"
   then
@@ -426,11 +450,11 @@ then
   fi
   fi
   fi
-else if test "x$enable_qat_sw_ecx" != "xno" -a "x$cflags_qat_sw" != "x" -a "x$cflags_openssl_3" = "x"
+else if test "x$enable_qat_sw_ecx" != "xno" -a "x$cflags_qat_sw" != "x"
 then
   AC_SUBST([cflags_qat_ecx], ["-DENABLE_QAT_SW_ECX"])
   AC_MSG_NOTICE([Accelerating X25519 to Software (Multi-buffer)])
-else if test "x$enable_qat_hw_ecx" != "xno" -a "x$cflags_qat_hw" != "x" -a "x$cflags_openssl_3" = "x"
+else if test "x$enable_qat_hw_ecx" != "xno" -a "x$cflags_qat_hw" != "x"
 then
   AC_SUBST([cflags_qat_ecx], ["-DENABLE_QAT_HW_ECX"])
   AC_MSG_NOTICE([Accelerating X25519/X448 to Hardware])

diff --git a/docs/config_options.md b/docs/config_options.md
@@ -106,6 +106,12 @@ The following is a list of the options that can be used with the
     specify this parameter if using the USDM component, and if the path to it
     is different from the default.
 
+--enable-qat_provider
+    Enables Provider support instead of engine for OpenSSL. Valid only
+    when built against OpenSSL 3.0, default if not specified will use engine
+    interface. Currently RSA, ECDSA, ECDH, ECX and AES-GCM algorithms are
+    only supported (disabled by default).
+
 --disable-qat_hw_rsa/--enable-qat_hw_rsa
     Disable/Enable Intel(R) QAT Hardware RSA acceleration (enabled by default).
 
@@ -229,7 +235,7 @@ The following is a list of the options that can be used with the
     production environment as private key information and plaintext data will
     be logged to the file (logging to file is disabled by default).
 
---with-engine_id="<engine_id>"
+--with-qat_engine_id="<engine_id>"
    This option needs to be specified if you want to use an engine id other than
    the default which is now "qatengine" (previously it was "qat"). This option
    can be used to set engine id as "qat" for application that still uses older

diff --git a/docs/features.md b/docs/features.md
@@ -37,7 +37,8 @@
     * SM3 Hash Support using 16 Multibuffer requests (Experimental).
     * AES128-GCM, AES192-GCM and AES256-GCM
 
-[QAT_HW & QAT_SW Co-existence Feature](qat_hw.md#qat-hw-and-qat-sw-co-existence-feature)
+##### [QAT_HW & QAT_SW Co-existence Feature](qat_common.md#qat-hw-and-qat-sw-co-existence-feature)
+##### [OpenSSL 3.0 Provider Support](qat_common.md#openssl-3.0-provider-support)
 
 Note: RSA Padding schemes are handled by OpenSSL\* rather than accelerated, so the
 engine supports the same padding schemes as OpenSSL does natively.
diff --git a/docs/qat_common.md b/docs/qat_common.md
@@ -0,0 +1,34 @@
+# QAT_HW and QAT_SW Co-existence Feature
+
+Intel&reg; QAT OpenSSL\* Engine supports QAT_HW and QAT_SW Co-existence build
+with both QAT_HW and QAT_SW dependant libraries(QAT Driver, cryptom_mb and
+ipsec_mb) linked in the qatengine.so library. This support can be enabled at
+build time when both QAT_HW flag `--with-qat_hw_dir=/path/to/QAT_Driver`
+and QAT_SW flag `--enable-qat_sw` configured together in the build configure
+option.
+
+If the platform has support for both QAT_HW and QAT_SW, the default
+behaviour is to accelerate asymmetric algorithms and Symmetric chained ciphers
+using QAT Hardware and Symmetric GCM Ciphers using QAT Software. If the platform
+doesn't have QAT Hardware support then it will use QAT_SW Acceleration for
+QAT_SW asymmetric algorithms that are supported in the qatengine.
+
+The default behaviour can be changed using corresponding algorithm's enable
+flags (eg:--enable-qat_sw_rsa) in which case the individual algorithms enabled
+(either qat_hw or qat_sw) in the build configure will get accelerated.
+
+# OpenSSL 3.0 Provider Support
+
+Intel&reg; QAT OpenSSL\* Engine supports Provider interface for OpenSSL3.0.
+The qatprovider support can be enabled using configure flag `--enable-qat_provider`
+and the default if not specified will use engine interface. Currently RSA, ECDSA,
+ECDH, ECX and AES-GCM algorithms are only supported for both QAT_HW
+and QAT_SW. This support is added as an experimental feature and tested with
+OpenSSL Speed and testapp only and not tested with any application.
+
+Example OpenSSL Speed command to test using qatprovider:
+
+* QAT_HW
+     ./openssl speed -provider qatprovider -elapsed -async_jobs 72 rsa2048
+* QAT_SW
+     ./openssl speed -provider qatprovider -elapsed -async_jobs 72 rsa2048
diff --git a/docs/qat_hw.md b/docs/qat_hw.md
@@ -77,21 +77,3 @@ This document can be found on the 01.org website at the following hyperlink:
 
 [2]:https://01.org/sites/default/files/downloads/336210qatswpg-013.pdf
 
-### QAT_HW and QAT_SW Co-existence Feature
-
-Intel&reg; QAT OpenSSL\* Engine supports QAT_HW and QAT_SW Co-existence build
-with both QAT_HW and QAT_SW dependant libraries(QAT Driver, cryptom_mb and
-ipsec_mb) linked in the qatengine.so library. This support can be enabled at
-build time when both QAT_HW flag `--with-qat_hw_dir=/path/to/QAT_Driver`
-and QAT_SW flag `--enable-qat_sw` configured together in the build configure
-option.
-
-If the platform has support for both QAT_HW and QAT_SW, the default
-behaviour is to accelerate asymmetric algorithms and Symmetric chained ciphers
-using QAT Hardware and Symmetric GCM Ciphers using QAT Software. If the platform
-doesn't have QAT Hardware support then it will use QAT_SW Acceleration for
-QAT_SW asymmetric algorithms that are supported in the qatengine.
-
-The default behaviour can be changed using corresponding algorithm's enable
-flags (eg:--enable-qat_sw_rsa) in which case the individual algorithms enabled
-(either qat_hw or qat_sw) in the build configure will get accelerated.
diff --git a/e_qat.c b/e_qat.c
@@ -54,16 +54,6 @@
 
 /* Defines */
 #ifdef QAT_HW
-# define QAT_DEV "/dev/qat_dev_processes"
-# if defined(USE_QAT_CONTIG_MEM) && !defined(USE_USDM_MEM)
-#  define QAT_MEM_DEV "/dev/qat_contig_mem"
-# elif defined(USE_USDM_MEM) && !defined(USE_QAT_CONTIG_MEM)
-#  define QAT_MEM_DEV "/dev/usdm_drv"
-# elif defined(USE_USDM_MEM) && defined(USE_QAT_CONFIG_MEM)
-#  error "USE_QAT_CONTIG_MEM and USE_USDM_MEM both defined"
-# else
-#  error "No memory driver type defined"
-# endif
 # ifdef QAT_HW_INTREE
 #  define ENABLE_QAT_HW_SHA3
 #  define ENABLE_QAT_HW_CHACHAPOLY
@@ -401,7 +391,7 @@ static int qat_engine_destroy(ENGINE *e)
 }
 
 #ifdef QAT_SW_IPSEC
-static int hw_support(void) {
+int hw_support(void) {
 
     unsigned int  info[4] = {0, 0, 0, 0};
     unsigned int *ebx, *ecx, *edx;

diff --git a/e_qat.h b/e_qat.h
@@ -134,6 +134,17 @@ typedef struct {
 # define QAT_INFINITE_MAX_NUM_RETRIES -1
 # define QAT_INVALID_INSTANCE -1
 
+# define QAT_DEV "/dev/qat_dev_processes"
+# if defined(USE_QAT_CONTIG_MEM) && !defined(USE_USDM_MEM)
+#  define QAT_MEM_DEV "/dev/qat_contig_mem"
+# elif defined(USE_USDM_MEM) && !defined(USE_QAT_CONTIG_MEM)
+#  define QAT_MEM_DEV "/dev/usdm_drv"
+# elif defined(USE_USDM_MEM) && defined(USE_QAT_CONFIG_MEM)
+#  error "USE_QAT_CONTIG_MEM and USE_USDM_MEM both defined"
+# else
+#  error "No memory driver type defined"
+# endif
+
 # define QAT_INC_IN_FLIGHT_REQS(qat_int, tlv) \
             do {                              \
                 if (qat_use_signals()) {      \
@@ -269,7 +280,9 @@ typedef struct {
  * Used to size the freelist and queue as it represents how many
  * requests can be inflight at once.
  */
-# define MULTIBUFF_MAX_INFLIGHTS 128
+# ifndef MULTIBUFF_MAX_INFLIGHTS
+#  define MULTIBUFF_MAX_INFLIGHTS 128
+# endif
 
 /*
  * The maximum amount of iterations we will continue to submit
@@ -675,7 +688,6 @@ int multibuff_init(ENGINE *e);
  ******************************************************************************/
 int multibuff_finish_int(ENGINE *e, int reset_globals);
 
-
 /******************************************************************************
  * function:
  *         mb_check_thread_local(ENGINE *e, int reset_globals)
@@ -688,4 +700,9 @@ int multibuff_finish_int(ENGINE *e, int reset_globals);
 mb_thread_data *mb_check_thread_local(void);
 
 # endif
+
+# ifdef QAT_SW_IPSEC
+int hw_support(void);
+# endif
+
 #endif   /* E_QAT_H */
diff --git a/qat_evp.c b/qat_evp.c
@@ -529,8 +529,10 @@ const EVP_CIPHER *qat_create_gcm_cipher_meth(int nid, int keylen)
 
         res &= EVP_CIPHER_meth_set_iv_length(c, GCM_IV_DATA_LEN);
         res &= EVP_CIPHER_meth_set_flags(c, VAESGCM_FLAG);
+#ifndef QAT_OPENSSL_PROVIDER
         res &= EVP_CIPHER_meth_set_init(c, vaesgcm_ciphers_init);
         res &= EVP_CIPHER_meth_set_do_cipher(c, vaesgcm_ciphers_do_cipher);
+#endif
         res &= EVP_CIPHER_meth_set_cleanup(c, vaesgcm_ciphers_cleanup);
         res &= EVP_CIPHER_meth_set_impl_ctx_size(c, sizeof(vaesgcm_ctx));
         res &= EVP_CIPHER_meth_set_set_asn1_params(c, NULL);
@@ -553,8 +555,10 @@ const EVP_CIPHER *qat_create_gcm_cipher_meth(int nid, int keylen)
 
         res &= EVP_CIPHER_meth_set_iv_length(c, AES_GCM_IV_LEN);
         res &= EVP_CIPHER_meth_set_flags(c, QAT_GCM_FLAGS);
+#ifndef QAT_OPENSSL_PROVIDER
         res &= EVP_CIPHER_meth_set_init(c, qat_aes_gcm_init);
         res &= EVP_CIPHER_meth_set_do_cipher(c, qat_aes_gcm_cipher);
+#endif
         res &= EVP_CIPHER_meth_set_cleanup(c, qat_aes_gcm_cleanup);
         res &= EVP_CIPHER_meth_set_impl_ctx_size(c, sizeof(qat_gcm_ctx));
         res &= EVP_CIPHER_meth_set_set_asn1_params(c, EVP_CIPH_FLAG_DEFAULT_ASN1 ?