Bug Fixes in testapp and with disable flags.

- Fix RSA testapp issue when no operation provided. - Fix issue with disable flags and gcm testapp issue. - Add AES-CBC ENCRYPT_THEN_MAC limitation in README. Signed-off-by: Yogaraj Alamenda <yogarajx.alamenda@intel.com>

Author: ajitku4x

docs/limitations.md

@@ -42,3 +42,9 @@
 * AES-CBC-HMAC-SHA chained ciphers does not support pipeline feature when built with
  OpenSSL 3.0 as the corresponding support is not available in OpenSSL 3.0.
 * There is a known issue with OpenSSL s_server application using qatprovider on OpenSSL 3.0.
+* QAT Engine doesn't support ENCRYPT_THEN_MAC(default) mode of operation meaning
+ when Encrypt then MAC is negotiated for symmetric ciphers say AES-CBC, the requests will not
+ get offloaded via QAT_HW, instead uses OpenSSL SW. Disable ENCRYPT_THEN_MAC with the flag
+ `SSL_OP_NO_ENCRYPT_THEN_MAC` programmatically using SSL_CTX_set_options() to offload
+ symmetric chained ciphers via QAT_HW. Please note disabling ENCRYPT_THEN_MAC has security
+ implications.

qat_evp.c

@@ -175,7 +175,8 @@ int qat_digest_nids[] = {
 };
 const int num_digest_nids = sizeof(qat_digest_nids) / sizeof(qat_digest_nids[0]);
 
-#ifndef ENABLE_QAT_HW_SMALL_PKT_OFFLOAD
+#ifdef QAT_HW
+# ifndef ENABLE_QAT_HW_SMALL_PKT_OFFLOAD
 typedef struct cipher_threshold_table_s {
  int nid;
  int threshold;
@@ -203,6 +204,7 @@ static PKT_THRESHOLD qat_pkt_threshold_table[] = {
 
 static int pkt_threshold_table_size =
  (sizeof(qat_pkt_threshold_table) / sizeof(qat_pkt_threshold_table[0]));
+# endif
 #endif
 
 static EC_KEY_METHOD *qat_ec_method = NULL;
@@ -840,7 +842,8 @@ void qat_free_EC_methods(void)
  }
 }
 
-#ifndef ENABLE_QAT_HW_SMALL_PKT_OFFLOAD
+#ifdef QAT_HW
+# ifndef ENABLE_QAT_HW_SMALL_PKT_OFFLOAD
 /******************************************************************************
 * function:
 * qat_pkt_threshold_table_set_threshold(const char *cn, int threshold)
@@ -898,4 +901,5 @@ int qat_pkt_threshold_table_get_threshold(int nid)
  WARN("nid %d not found in threshold table", nid);
  return 0;
 }
+# endif
 #endif

test/tests.h

@@ -85,6 +85,7 @@ struct test_params_t {
  int verify_only;
  int encrypt_only;
  int decrypt_only;
+ int rsa_all;
  int async_jobs;
  ASYNC_JOB **jobs;
  ASYNC_WAIT_CTX **awcs;
@@ -101,6 +102,7 @@ struct async_additional_args_rsa {
  int verify_only;
  int encrypt_only;
  int decrypt_only;
+ int rsa_all;
  int padding;
 };
 

test/tests_aes128_gcm.c

@@ -121,6 +121,14 @@ static int run_aesgcm128_update(void *args)
 
  EVP_CIPHER_CTX *ctx = NULL;
  EVP_CIPHER_CTX *dec_ctx = NULL;
+#ifndef QAT_OPENSSL_PROVIDER
+ const EVP_CIPHER *c = ENGINE_get_cipher(e, NID_aes_128_gcm);
+
+ if (!c) {
+ INFO("AES-128-GCM cipher disabled in QAT_Engine\n");
+ e = NULL;
+ }
+#endif
 
  if (plaintext == NULL || ciphertext == NULL || dec_cipher == NULL) {
  INFO("# FAIL: [%s] --- Initial parameters malloc failed ! \n",
@@ -419,6 +427,12 @@ static int run_aesgcm128_tls(void *args)
 
  EVP_CIPHER_CTX *ctx = NULL;
  EVP_CIPHER_CTX *dec_ctx = NULL;
+ const EVP_CIPHER *c = ENGINE_get_cipher(e, NID_aes_128_gcm);
+
+ if (!c) {
+ INFO("AES-128-GCM disabled in QAT_Engine\n");
+ e = NULL;
+ }
 
  if (input == NULL) {
  INFO("# FAIL: [%s] --- Initial parameters malloc failed ! \n",

test/tests_aes256_gcm.c

@@ -126,6 +126,14 @@ static int run_aesgcm256_update(void *args)
 
  EVP_CIPHER_CTX *ctx = NULL;
  EVP_CIPHER_CTX *dec_ctx = NULL;
+#ifndef QAT_OPENSSL_PROVIDER
+ const EVP_CIPHER *c = ENGINE_get_cipher(e, NID_aes_256_gcm);
+
+ if (!c) {
+ INFO("AES-256-GCM disabled in QAT_Engine\n");
+ e = NULL;
+ }
+#endif
 
  if (plaintext == NULL || ciphertext == NULL || dec_cipher == NULL) {
  INFO("# FAIL: [%s] --- Initial parameters malloc failed ! \n",
@@ -432,6 +440,14 @@ static int run_aesgcm256_tls(void *args)
 
  EVP_CIPHER_CTX *ctx = NULL;
  EVP_CIPHER_CTX *dec_ctx = NULL;
+#ifndef QAT_OPENSSL_PROVIDER
+ const EVP_CIPHER *c = ENGINE_get_cipher(e, NID_aes_256_gcm);
+
+ if (!c) {
+ INFO("AES-256-GCM disabled in QAT_Engine\n");
+ e = NULL;
+ }
+#endif
 
  if (input == NULL) {
  INFO("# FAIL: [%s] --- Initial parameters malloc failed ! \n",

test/tests_aes_cbc_hmac_sha.c

@@ -164,7 +164,7 @@ static inline int set_pkt_threshold(ENGINE *e, const char* cipher, int thr)
  ret = ENGINE_ctrl_cmd(e, "SET_CRYPTO_SMALL_PACKET_OFFLOAD_THRESHOLD",
  0, (void *)thr_str, NULL, 0);
  if (ret != 1)
- FAIL_MSG("Failed to set threshold %d for cipher %s\n", thr, cipher);
+ WARN("Not able to set threshold %d for cipher %s\n", thr, cipher);
 
  return ret;
 }
@@ -1143,6 +1143,11 @@ static int run_aes_cbc_hmac_sha(void *pointer)
  */
  if (ti.e != NULL) {
  ret = set_pkt_threshold(ti.e, ti.c->name, 0);
+ /* Set engine to NULL as threshhold will fail if NID not supported*/
+ if (ret != 1) {
+ ti.e = NULL;
+ ret = 1;
+ }
  if (ret != 1)
  return 0;
  }

test/tests_rsa.c

@@ -2164,6 +2164,9 @@ static int run_rsa(void *args)
  int verify_only = extra_args->verify_only;
  int encrypt_only = extra_args->encrypt_only;
  int decrypt_only = extra_args->decrypt_only;
+#ifndef QAT_OPENSSL_PROVIDER
+ int rsa_all = extra_args->rsa_all;
+#endif
  int pad = extra_args->padding;
 
 #ifdef QAT_OPENSSL_PROVIDER
@@ -2570,7 +2573,7 @@ static int run_rsa(void *args)
  }
  } /* count for-loop */
 
- if (encrypt_only || decrypt_only) {
+ if (encrypt_only || decrypt_only || rsa_all) {
  /* Compare and verify the encrypted and decrypted message */
  if (verify) {
  if (memcmp(ptext, expectedPtext, plen))
@@ -2591,7 +2594,7 @@ static int run_rsa(void *args)
  }
  }
 
- if (sign_only || verify_only || status) {
+ if (sign_only || verify_only || status || rsa_all) {
  /* Compare and verify the signed and verified message */
  if (verify) {
  if (memcmp(verMsg, HashData, verLen)) {
@@ -2802,12 +2805,15 @@ static void rsa_tests_triage(TEST_PARAMS *args, int sign_only,
  extra_args.encrypt_only = encrypt_only;
  extra_args.decrypt_only = decrypt_only;
 
+ if (!sign_only && !verify_only && !encrypt_only && !decrypt_only) {
+ extra_args.rsa_all = 1;
+ }
  for (i = 0; i < sizeof(padding) / sizeof(padding[0]); i++) {
  extra_args.padding = padding[i];
  if (((padding[i] == RSA_PKCS1_OAEP_PADDING) &&
- (sign_only || verify_only)) ||
+ (sign_only || verify_only || extra_args.rsa_all)) ||
  ((padding[i] == RSA_X931_PADDING) &&
- (encrypt_only || decrypt_only)))
+ (encrypt_only || decrypt_only || extra_args.rsa_all)))
  continue;
  if (!args->enable_async)
  run_rsa(args);