Bug Fixes, README update and Version bump to v1.8.0

Signed-off-by: Jaya Naga Venkata Sudhakar <[email protected]>

Author: bjayanax

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.68])
-AC_INIT([qatengine], [1.7.0], [])
+AC_INIT([qatengine], [1.8.0], [])
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_AUX_DIR([.])
@@ -292,7 +292,7 @@ AC_SUBST(enable_qat_ntls)
 
 AC_ARG_ENABLE(qat_insecure_algorithms,
               AS_HELP_STRING([--enable-qat_insecure_algorithms],
-                             [Enable insecure algorithms (DSA, DH, SHA1, SHA3-224, EC <256 & RSA<2048]))
+                             [Enable insecure algorithms (DSA, DH, SHA1, SHA3-224, EC <256 & RSA<2048, AES-128-GCM, AES-128-CCM, AES-192-GCM & AES-128-CBC-HMAC-SHA256]))
 AC_SUBST(enable_qat_insecure_algorithms)
 
 AC_ARG_ENABLE(qat_hw_kpt,

cryptography-primitives

@@ -81,6 +81,8 @@
   not accelerated in OpenSSL 3.0 engine due to the issue [OpenSSL#21622](https://github.com/openssl/openssl/issues/21622)
 * Known issue in Co-existence mode with QAT provider on OpenSSL 3.2 and above during QAT_SW offload
   when QAT_HW modules are not present.
+* Known build issue with the latest commit of BoringSSL; hence, IPP Crypto 2021.10 should be used
+  for the QAT engine with BoringSSL (use the BoringSSL commit mentioned in the Software requirements section).
 ### Performance
 * There is known performance scaling issue (performance drop with threads >32)
   with ECDSA Ciphers in the QAT Software acceleration using multithread mode

docs/limitations.md

@@ -40,7 +40,7 @@ The FIPS 140-3 certification is under process.
 # Binary RPM Package
 
 QAT_Engine supports Binary Package via RPM which can be found in the Release page (Assests section)
-The Current Binary RPM Package is created for the distros RHEL 9.1, Ubuntu 22.04 and SUSE SLES15 SP3 with
+The Current Binary RPM Package is created for the distros RHEL 9.2, Ubuntu 22.04 and SUSE SLES15 SP3 with
 with default Kernel and other dependent packages from the system default.
 The RPM is generated using QAT2.0 OOT driver with QAT_SW Co-existence which means
 it will accelerate via QAT_HW for asymmetic PKE and QAT_SW for AES-GCM and supported only on

docs/qat_common.md

@@ -2,7 +2,7 @@
 
 This Intel® QAT OpenSSL\* Engine supports Multi-buffer based software
 acceleration for asymmetric PKE algorithms RSA, ECDH X25519, ECDH P-256/P-384
-and ECDSA(sign) P-256/P-384, SM2, SM3, SM4-CBC, SM4-GCM, SM4-CCM using the
+and ECDSA P-256/P-384, SM2, SM3, SM4-CBC, SM4-GCM, SM4-CCM using the
 Intel® Crypto Multi-buffer library based on Intel® AVX-512 Integer
 Fused Multiply Add (IFMA) operations.
 
@@ -18,7 +18,7 @@ utilize multibuffer operation.
 Software based acceleration for AES-GCM is supported via the Intel®
 Multi-Buffer Crypto for IPsec Library. The implementation at engine for AES-GCM
 follows synchronous mechanism to submit requests to the IPSec_MB library which
-processes requests in multiple blocks using vectorized AES and AVX512
+processes requests in multiple blocks using vectorized AES,AVX2 and AVX512
 instructions from the processor.
 
 Software acceleration features are only supported in the system that supports
@@ -29,4 +29,5 @@ AVX512F
 AVX512_IFMA
 VAES
 VPCLMULQDQ
+AVX2
 `

docs/qat_sw.md

@@ -13,13 +13,13 @@ and also from the latest versions from the links below.
 ## QAT_HW Drivers:
 * [Intel® QuickAssist Technology Driver for Linux\* HW Version 2.0][4] - **QAT20.L.1.1.50-00003**
 * [Intel® QuickAssist Technology Driver for Linux\* HW Version 1.x][5] - **QAT.L.4.26.0-00008**
-* [Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.x and 2.0] - **QAT.B.3.14.31-00003** (FreeBSD 13.2)
+* Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.x and 2.0 - **QAT.B.3.14.31-00003** (FreeBSD 13.2)
 * [Intel® QATlib for Linux with intree driver][7] - **QATlib 24.09.0** & **QATlib 24.02.0** (for Dockerfile only)
 * [Intel®  QATlib for FreeBSD with intree driver(FreeBSD 14)][8] - **FreeBSD QATlib 23.09.0** (FreeBSD 14)
 
 ## QAT_SW Libraries:
-* [Intel® Crypto Multi-buffer library][2] - **IPP Crypto 2021.12.1** & **IPP Crypto 2021.10** (for BoringSSL only)
-* [Intel® Multi-Buffer crypto for IPsec Library release version][3] **v1.5**
+* [Intel® Crypto Multi-buffer library][2] - **IPP Crypto v1.0.0** & **IPP Crypto 2021.10** (for BoringSSL only)
+* [Intel® Multi-Buffer crypto for IPsec Library release version][3] **v2.0**
 
 ## Crypto Libraries:
 * [OpenSSL\*][9] 1.1.1w (for FreeBSD only) & 3.0.15

docs/software_requirements.md

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #QAT_HW OOT driver Location
-QAT17_DRIVER=https://downloadmirror.intel.com/828487/QAT.L.4.26.0-00008.tar.gz
+QAT17_DRIVER=https://downloadmirror.intel.com/838409/QAT.L.4.27.0-00006.tar.gz
 QAT20_DRIVER=https://downloadmirror.intel.com/822703/QAT20.L.1.1.50-00003.tar.gz
 
 #Supported Devices

driver_install.sh

@@ -169,13 +169,13 @@ int qat_fips_kat_test;
 const char *engine_qat_id = STR(QAT_ENGINE_ID);
 #if defined(QAT_HW) && defined(QAT_SW)
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.7.0";
+    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.8.0";
 #elif QAT_HW
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_hw) v1.7.0";
+    "Reference implementation of QAT crypto engine(qat_hw) v1.8.0";
 #else
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_sw) v1.7.0";
+    "Reference implementation of QAT crypto engine(qat_sw) v1.8.0";
 #endif
 unsigned int engine_inited = 0;
 int fallback_to_openssl = 0;

e_qat.c

@@ -154,10 +154,8 @@ static chained_info info[] = {
     {NID_sm4_ccm, NULL, SM4_KEY_SIZE},
 #endif
 #ifdef ENABLE_QAT_HW_CCM
-# ifdef QAT_INSECURE_ALGO
     {NID_aes_128_ccm, NULL, AES_KEY_SIZE_128},
     {NID_aes_192_ccm, NULL, AES_KEY_SIZE_192},
-# endif
     {NID_aes_256_ccm, NULL, AES_KEY_SIZE_256},
 #endif
 };
@@ -192,10 +190,8 @@ int qat_cipher_nids[] = {
     NID_sm4_ccm,
 #endif
 #ifdef ENABLE_QAT_HW_CCM
-# ifdef QAT_INSECURE_ALGO
     NID_aes_128_ccm,
     NID_aes_192_ccm,
-# endif
     NID_aes_256_ccm,
 #endif
 };
@@ -293,10 +289,8 @@ static PKT_THRESHOLD qat_pkt_threshold_table[] = {
     {NID_sm3, CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD_HW_SM3},
 # endif
 # ifdef ENABLE_QAT_HW_CCM
-#  ifdef QAT_INSECURE_ALGO
     {NID_aes_128_ccm, CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD_DEFAULT},
     {NID_aes_192_ccm, CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD_DEFAULT},
-#  endif
     {NID_aes_256_ccm, CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD_DEFAULT},
 # endif
 };
@@ -854,6 +848,13 @@ const EVP_CIPHER *qat_create_gcm_cipher_meth(int nid, int keylen)
 
 #ifdef ENABLE_QAT_SW_GCM
     if (qat_sw_offload && (qat_sw_algo_enable_mask & ALGO_ENABLE_MASK_AES_GCM)) {
+#ifndef QAT_INSECURE_ALGO
+        if (nid == NID_aes_128_gcm) {
+            EVP_CIPHER_meth_free(c);
+            DEBUG("OpenSSL SW AES_GCM_%d registration succeeded\n", keylen*8);
+            return qat_gcm_cipher_sw_impl(nid);
+        }
+#endif
         res &= EVP_CIPHER_meth_set_iv_length(c, IMB_GCM_IV_DATA_LEN);
         res &= EVP_CIPHER_meth_set_flags(c, VAESGCM_FLAG);
 #ifndef QAT_OPENSSL_PROVIDER
@@ -884,8 +885,12 @@ const EVP_CIPHER *qat_create_gcm_cipher_meth(int nid, int keylen)
 #ifdef ENABLE_QAT_HW_GCM
     if (!qat_sw_gcm_offload && qat_hw_offload &&
         (qat_hw_algo_enable_mask & ALGO_ENABLE_MASK_AES_GCM)) {
+# ifdef QAT_INSECURE_ALGO
         if (nid == NID_aes_192_gcm) {
-            EVP_CIPHER_meth_free(c);
+# else
+        if (nid == NID_aes_192_gcm || nid == NID_aes_128_gcm) {
+# endif
+	    EVP_CIPHER_meth_free(c);
             DEBUG("OpenSSL SW AES_GCM_%d registration succeeded\n", keylen*8);
             return qat_gcm_cipher_sw_impl(nid);
         }
@@ -953,10 +958,21 @@ const EVP_CIPHER *qat_create_ccm_cipher_meth(int nid, int keylen)
 
     if (qat_hw_offload &&
         (qat_hw_algo_enable_mask & ALGO_ENABLE_MASK_AES_CCM)) {
+#ifndef QAT_INSECURE_ALGO
+        if (nid == NID_aes_128_ccm || nid == NID_aes_192_ccm) {
+            EVP_CIPHER_meth_free(c);
+            DEBUG("OpenSSL SW AES_CCM_%d registration succeeded\n", keylen*8);
+            return qat_ccm_cipher_sw_impl(nid);
+        }
+#endif
 #if !defined(QAT20_OOT) && !defined(QAT_HW_INTREE) \
     && !defined(QAT_HW_FBSD_OOT) && !defined(QAT_HW_FBSD_INTREE)
+# ifdef QAT_INSECURE_ALGO
         if (nid == NID_aes_192_ccm || nid == NID_aes_256_ccm) {
-            EVP_CIPHER_meth_free(c);
+# else
+        if (nid == NID_aes_256_ccm) {
+# endif
+	    EVP_CIPHER_meth_free(c);
             DEBUG("OpenSSL SW AES_CCM_%d registration succeeded\n", keylen*8);
             return qat_ccm_cipher_sw_impl(nid);
         }
@@ -1424,10 +1440,8 @@ void qat_create_ciphers(void)
                 break;
 # endif
 # ifdef ENABLE_QAT_HW_CCM
-#  ifdef QAT_INSECURE_ALGO
             case NID_aes_128_ccm:
             case NID_aes_192_ccm:
-#  endif
             case NID_aes_256_ccm:
                 info[i].cipher = (EVP_CIPHER *)
                     qat_create_ccm_cipher_meth(info[i].nid, info[i].keylen);
@@ -1498,14 +1512,10 @@ void qat_free_ciphers(void)
                 break;
 #endif
 #ifdef ENABLE_QAT_HW_CCM
-# ifdef QAT_INSECURE_ALGO
             case NID_aes_128_ccm:
-# endif
 #if defined(QAT20_OOT) || defined(QAT_HW_INTREE) \
     || defined(QAT_HW_FBSD_OOT) || defined(QAT_HW_FBSD_INTREE)
-# ifdef QAT_INSECURE_ALGO
             case NID_aes_192_ccm:
-# endif
             case NID_aes_256_ccm:
 #endif
                 if (qat_hw_aes_ccm_offload)

intel-ipsec-mb

@@ -291,7 +291,7 @@ int qat_aes_gcm_init(EVP_CIPHER_CTX *ctx,
     qctx->iv = (Cpa8U *)qctx->iv;
     qctx->next_iv = (Cpa8U *)qctx->next_iv;
     qctx->enc = enc;
-    nid = QAT_AES_GCM_CTX_get_nid((QAT_AES_GCM_CTX *)ctx);
+    nid = qat_aes_gcm_ctx_get_nid((QAT_AES_GCM_CTX *)ctx);
 #else
     qctx = QAT_GCM_GET_CTX(ctx);
 #endif
@@ -1253,7 +1253,7 @@ int qat_aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef QAT_OPENSSL_PROVIDER
     qctx = (QAT_GCM_CTX *)ctx;
     qctx->iv = (Cpa8U *)qctx->iv;
-    nid = QAT_AES_GCM_CTX_get_nid((QAT_AES_GCM_CTX *)ctx);
+    nid = qat_aes_gcm_ctx_get_nid((QAT_AES_GCM_CTX *)ctx);
 #else
     qctx = QAT_GCM_GET_CTX(ctx);
 #endif
@@ -1635,7 +1635,7 @@ int qat_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef QAT_OPENSSL_PROVIDER
     qctx = (QAT_GCM_CTX *)ctx;
     qctx->iv = (Cpa8U *)qctx->iv;
-    nid = QAT_AES_GCM_CTX_get_nid((QAT_AES_GCM_CTX *)ctx);
+    nid = qat_aes_gcm_ctx_get_nid((QAT_AES_GCM_CTX *)ctx);
 #else
     qctx = QAT_GCM_GET_CTX(ctx);
 #endif