Bug Fixes and improvements.

- Fix ECDH & ECDSA Co-existence limitation & issues.
- Disable Chacha-poly, DH8K and SHA-3 by default.
- Fix Engines install dir for OpenSSL 3.0
- Update README and specfile.

Signed-off-by: Yogaraj Alamenda <yogarajx.alamenda@intel.com>

Author: Yogaraj-Alamenda

configure.ac

@@ -69,13 +69,13 @@ AC_ARG_ENABLE(qat_hw_gcm,
 AC_SUBST(enable_qat_hw_gcm)
 
 AC_ARG_ENABLE(qat_hw_sha3,
-              AS_HELP_STRING([--disable-qat_hw_sha3],
-                             [Disable qat_hw SHA3 offload]))
+              AS_HELP_STRING([--enable-qat_hw_sha3],
+                             [Enable qat_hw SHA3 offload]))
 AC_SUBST(enable_qat_hw_sha3)
 
 AC_ARG_ENABLE(qat_hw_chachapoly,
-              AS_HELP_STRING([--disable-qat_hw_chachapoly],
-                             [Disable qat_hw CHACHA-POLY acceleration]))
+              AS_HELP_STRING([--enable-qat_hw_chachapoly],
+                             [Enable qat_hw CHACHA-POLY acceleration]))
 AC_SUBST(enable_qat_hw_chachapoly)
 
 AC_ARG_ENABLE(qat_sw_gcm,
@@ -259,11 +259,18 @@ then
   then
     AC_MSG_NOTICE([Build QAT engine against OpenSSL 3.0])
     AC_SUBST([cflags_openssl_3], ["-DQAT_OPENSSL_3 -DOPENSSL_SUPPRESS_DEPRECATED"])
-    libdir="\$(with_openssl_install_dir)/lib/engines-3"
-    AC_SUBST([openssl_version], ["3"])
+    if test "$host_cpu" = "x86_64"
+    then
+      libdir="\$(with_openssl_install_dir)/lib64/engines-3"
+      AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/lib64 -L\$(with_openssl_install_dir)/lib64 -lcrypto"])
+    else
+      libdir="\$(with_openssl_install_dir)/lib/engines-3"
+      AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/lib -L\$(with_openssl_install_dir)/lib -lcrypto"])
+    fi
   else
     AC_MSG_NOTICE([Build QAT engine against OpenSSL 1.1.x])
     libdir="\$(with_openssl_install_dir)/lib/engines-1.1"
+    AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/lib -L\$(with_openssl_install_dir)/lib -lcrypto"])
     if test "`grep "define OPENSSL_VERSION_NUMBER  0x101000" $with_openssl_install_dir/include/openssl/opensslv.h | wc -l`" = "1"
     then
       if test "x$with_openssl_dir" = "x"
@@ -274,7 +281,6 @@ then
     fi
   fi
   AC_SUBST([includes_openssl], ["-I\$(with_openssl_install_dir)/include"])
-  AC_SUBST([OPENSSL_LIB], ["-Wl,-rpath,\$(with_openssl_install_dir)/lib -L\$(with_openssl_install_dir)/lib -lcrypto"])
 else
   AC_PATH_TOOL(PKGCONFIG, pkg-config)
   AS_IF([test "x$PKGCONFIG" = "x"], [AC_MSG_ERROR(pkg-config not found.)], )
@@ -575,7 +581,7 @@ fi
 fi
 fi
 
-if test "x$enable_qat_hw_sha3" != "xno" -a "x$cflags_qat_hw" != "x"
+if test "x$enable_qat_hw_sha3" = "xyes" -a "x$cflags_qat_hw" != "x"
 then
   enable_qat_hw_sha3="-DENABLE_QAT_HW_SHA3"
   AC_MSG_NOTICE([Accelerating SHA3 to Hardware])
@@ -584,7 +590,7 @@ else
   AC_MSG_NOTICE([Not Accelerating SHA3 to Hardware])
 fi
 
-if test "x$enable_qat_hw_chachapoly" != "xno" -a "x$cflags_qat_hw" != "x"
+if test "x$enable_qat_hw_chachapoly" = "xyes" -a "x$cflags_qat_hw" != "x"
 then
   enable_qat_hw_chachapoly="-DENABLE_QAT_HW_CHACHAPOLY"
   AC_MSG_NOTICE([Accelerating CHACHA-POLY to Hardware])

docs/config_options.md

@@ -139,6 +139,16 @@ The following is a list of the options that can be used with the
 --disable-qat_hw_ecx/--enable-qat_hw_ecx
     Disable/Enable Intel(R) QAT Hardware X25519/X448 acceleration (enabled by default).
 
+--disable-qat_hw_sha3/--enable-qat_hw_sha3
+    Disable/Enable Intel(R) QAT Hardware SHA-3 acceleration (disabled by default).
+    This flag is valid only on 4xxx(QAT gen 4 devices) as the support is not available
+    for earlier generations of QAT devices (e.g. c62x, dh895xxcc, etc.)
+
+--disable-qat_hw_chachapoly/--enable-qat_hw_chachapoly
+    Disable/Enable Intel(R) QAT Hardware CHACHA20-POLY1305 acceleration (disabled by default).
+    This flag is valid only on 4xxx(QAT gen 4 devices) as the support is not available
+    for earlier generations of QAT devices (e.g. c62x, dh895xxcc, etc.)
+
 --disable-qat_sw_gcm/--enable-qat_sw_gcm
     Disable/Enable Intel(R) QAT Software vectorized AES-GCM acceleration.
     This flag is valid only when QAT SW acceleration is enabled using the flag

docs/features.md

@@ -22,6 +22,7 @@
 * [HMAC Key Derivation Function (HKDF) Acceleration.](qat_hw.md#intel-qat-openssl-engine-hkdf-support)
 * [Pipelined Operations](qat_hw.md#using-the-openssl-pipelining-capability)
 * [Intel® QAT OpenSSL\* Engine Software Fallback](qat_hw.md#intel-qat-openssl-engine-software-fallback-feature)
+* RSA8K, SHA3-224/256/384/512 and ChaCha20-Poly1305 using 4xxx (QAT gen4 devices) only.
 
 ## qat_sw Features
 * [Intel® QAT Software Acceleration for Asymmetric PKE and AES-GCM](qat_sw.md)

docs/limitations.md

@@ -34,5 +34,9 @@
   with ECDSA Ciphers in the QAT Software acceleration using multithread mode
   in the Haproxy application. This issue is not observed when using RSA ciphers
   or in multi-process mode.
+* There is an issue in sshd daemon application when using the QAT for default openssl.
+  sshd looks to be closing the file descriptors associated with QAT engine and driver
+  after initialising openssl. Work around in sshd which comments out the closefrom()
+  calls is needed to unblock the issue.
 
 [1]:https://github.com/openssl/openssl/pull/2581

docs/qat_hw.md

@@ -94,8 +94,4 @@ QAT_SW asymmetric algorithms that are supported in the qatengine.
 
 The default behaviour can be changed using corresponding algorithm's enable
 flags (eg:--enable-qat_sw_rsa) in which case the individual algorithms enabled
-(eiher qat_hw or qat_sw) in the build configure will get accelerated.
-
-Note: ECDH & ECDSA can be accelerated together via QAT_HW or QAT_SW and
-cannot be seperated to use different acceleration due to limitation in
-the qatengine registration.
+(either qat_hw or qat_sw) in the build configure will get accelerated.

docs/software_requirements.md

@@ -10,7 +10,7 @@ Driver for FreeBSD. This release was validated on the following:
 * Kernel: GNU\*/Linux\* 3.10.0-693
 * Intel® Communications Chipset C62X Series Software for Linux\*, version **4.14**
 * Intel® Communications Chipset C62X Series Software for FreeBSD\*, version **3.10**
-* OpenSSL\* 1.1.1k
+* OpenSSL\* 1.1.1l
 
 ## qat_sw Requirements
 Successful operation of the Intel® QAT Software acceleration requires a
@@ -31,7 +31,7 @@ This release was validated on the following:
 * Intel® Crypto Multi-buffer library from the [ipp-crypto][1] release
   version **IPP Crypto 2021.3**
 * Intel® Multi-Buffer crypto for IPsec Library release version **v1.0**
-* OpenSSL\* 1.1.1k
+* OpenSSL\* 1.1.1l
 
 [1]:https://github.com/intel/ipp-crypto
 [2]:https://github.com/intel/ipp-crypto/tree/develop/sources/ippcp/crypto_mb

e_qat.c

@@ -64,6 +64,10 @@
 # else
 #  error "No memory driver type defined"
 # endif
+# ifdef QAT_HW_INTREE
+#  define ENABLE_QAT_HW_SHA3
+#  define ENABLE_QAT_HW_CHACHAPOLY
+# endif
 #endif
 
 /* Standard Includes */
@@ -95,7 +99,6 @@
 # include "qat_hw_rsa.h"
 # include "qat_hw_dsa.h"
 # include "qat_hw_dh.h"
-# include "qat_hw_ec.h"
 # include "qat_hw_gcm.h"
 
 /* QAT includes */
@@ -149,7 +152,10 @@
 
 /* Qat engine id declaration */
 const char *engine_qat_id = STR(QAT_ENGINE_ID);
-#ifdef QAT_HW
+#if defined(QAT_HW) && defined(QAT_SW)
+const char *engine_qat_name =
+    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v0.6.8";
+#elif QAT_HW
 const char *engine_qat_name =
     "Reference implementation of QAT crypto engine(qat_hw) v0.6.8";
 #else
@@ -162,7 +168,8 @@ int qat_hw_offload = 0;
 int qat_sw_offload = 0;
 int qat_hw_rsa_offload = 0;
 int qat_hw_ecx_offload = 0;
-int qat_hw_ec_offload = 0;
+int qat_hw_ecdh_offload = 0;
+int qat_hw_ecdsa_offload = 0;
 int qat_keep_polling = 1;
 int multibuff_keep_polling = 1;
 int enable_external_polling = 0;
@@ -344,15 +351,17 @@ static int qat_engine_destroy(ENGINE *e)
 {
     DEBUG("---- Destroying Engine...\n\n");
 #ifdef QAT_HW
-    qat_free_EC_methods();
     qat_free_DH_methods();
     qat_free_DSA_methods();
     qat_free_RSA_methods();
 #endif
 
 #ifdef QAT_SW
     multibuff_free_RSA_methods();
-    mb_free_EC_methods();
+#endif
+
+#if defined(QAT_SW) || defined(QAT_HW)
+    qat_free_EC_methods();
 #endif
 
 #if defined(QAT_SW_IPSEC) || defined(QAT_HW)
@@ -365,8 +374,6 @@ static int qat_engine_destroy(ENGINE *e)
 # endif
 #endif
 
-    qat_hw_offload = 0;
-    qat_sw_offload = 0;
     QAT_DEBUG_LOG_CLOSE();
     ERR_unload_QAT_strings();
     return 1;
@@ -495,6 +502,12 @@ int qat_engine_finish_int(ENGINE *e, int reset_globals)
     if (reset_globals == QAT_RESET_GLOBALS) {
         enable_external_polling = 0;
         enable_heuristic_polling = 0;
+        qat_hw_offload = 0;
+        qat_sw_offload = 0;
+        qat_hw_rsa_offload = 0;
+        qat_hw_ecx_offload = 0;
+        qat_hw_ecdh_offload = 0;
+        qat_hw_ecdsa_offload = 0;
     }
     qat_pthread_mutex_unlock();
     CRYPTO_CLOSE_QAT_LOG();
@@ -556,9 +569,10 @@ int qat_engine_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
             BREAK_IF(!enable_external_polling, "POLL failed as external polling is not enabled\n");
             BREAK_IF(p == NULL, "POLL failed as the input parameter was NULL\n");
 #ifdef QAT_HW
-            BREAK_IF(qat_instance_handles == NULL, "POLL failed as no instances are available\n");
-
-            *(int *)p = (int)poll_instances();
+            if (qat_hw_offload) {
+                BREAK_IF(qat_instance_handles == NULL, "POLL failed as no instances are available\n");
+                *(int *)p = (int)poll_instances();
+            }
 #endif
 
 #ifdef QAT_SW
@@ -833,12 +847,16 @@ static int bind_qat(ENGINE *e, const char *id)
     WARN("%s - %s \n", id, engine_qat_name);
 
 #ifdef QAT_HW
-#ifdef QAT_HW_INTREE
+# ifdef QAT_HW_INTREE
     if (icp_sal_userIsQatAvailable() == CPA_TRUE) {
         qat_hw_offload = 1;
     } else {
         WARN("Qat Intree device not available\n");
-#else
+#  ifndef QAT_SW
+        goto end;
+#  endif
+    }
+# else
     if (access(QAT_DEV, F_OK) == 0) {
         qat_hw_offload = 1;
         if (access(QAT_MEM_DEV, F_OK) != 0) {
@@ -847,8 +865,11 @@ static int bind_qat(ENGINE *e, const char *id)
         }
     } else {
         WARN("Qat device not available\n");
+#  ifndef QAT_SW
+        goto end;
+#  endif
     }
-#endif
+# endif
 #endif
 
     if (id && (strcmp(id, engine_qat_id) != 0)) {
@@ -898,13 +919,6 @@ static int bind_qat(ENGINE *e, const char *id)
         }
 # endif
 
-# if defined(ENABLE_QAT_HW_ECDH) || defined(ENABLE_QAT_HW_ECDSA)
-        if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
-            WARN("ENGINE_set_EC QAT HW failed\n");
-            goto end;
-        }
-# endif
-
 # ifdef ENABLE_QAT_HW_SHA3
         if (!ENGINE_set_digests(e, qat_digest_methods)) {
             WARN("ENGINE_set_digests failed\n");
@@ -931,20 +945,6 @@ static int bind_qat(ENGINE *e, const char *id)
         }
 # endif
 
-# if defined(ENABLE_QAT_SW_ECDH) || defined(ENABLE_QAT_SW_ECDSA)
-        if (!qat_hw_ec_offload &&
-            mbx_get_algo_info(MBX_ALGO_ECDHE_NIST_P256) &&
-            mbx_get_algo_info(MBX_ALGO_ECDHE_NIST_P384) &&
-            mbx_get_algo_info(MBX_ALGO_ECDSA_NIST_P256) &&
-            mbx_get_algo_info(MBX_ALGO_ECDSA_NIST_P384)) {
-            DEBUG("QAT SW ECDSA p256/p384 & ECDH p256/p384 Supported\n");
-            qat_sw_offload = 1;
-            if (!ENGINE_set_EC(e, mb_get_EC_methods())) {
-                WARN("ENGINE_set_EC QAT SW failed\n");
-                goto end;
-            }
-        }
-# endif
 #endif
 
 #ifdef QAT_SW_IPSEC
@@ -959,6 +959,20 @@ static int bind_qat(ENGINE *e, const char *id)
 #endif
 
 #if defined(QAT_HW) || defined(QAT_SW)
+     if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
+          WARN("ENGINE_set_EC failed\n");
+          goto end;
+     }
+# if defined(ENABLE_QAT_SW_ECDH) || defined(ENABLE_QAT_SW_ECDSA)
+     if (mbx_get_algo_info(MBX_ALGO_ECDHE_NIST_P256) &&
+         mbx_get_algo_info(MBX_ALGO_ECDHE_NIST_P384) &&
+         mbx_get_algo_info(MBX_ALGO_ECDSA_NIST_P256) &&
+         mbx_get_algo_info(MBX_ALGO_ECDSA_NIST_P384)) {
+         DEBUG("QAT SW ECDSA p256/p384 & ECDH p256/p384 Supported\n");
+         qat_sw_offload = 1;
+     }
+# endif
+
 # ifndef QAT_OPENSSL_3
      if (!ENGINE_set_pkey_meths(e, qat_pkey_methods)) {
           WARN("ENGINE_set_pkey_meths failed\n");

e_qat.h

@@ -307,7 +307,8 @@ extern int qat_hw_offload;
 extern int qat_sw_offload;
 extern int qat_hw_rsa_offload;
 extern int qat_hw_ecx_offload;
-extern int qat_hw_ec_offload;
+extern int qat_hw_ecdh_offload;
+extern int qat_hw_ecdsa_offload;
 extern int qat_keep_polling;
 extern int multibuff_keep_polling;
 extern int enable_external_polling;