Re: [lng-odp] [PATCH CATERPILLAR v3] linux-dpdk: crypto support for cipher & auth only feature

[Github ODP bot]

Dmitry Eremin-Solenikov(lumag) replied on github web page:

platform/linux-dpdk/odp_crypto.c
line 19
@@ -122,29 +130,24 @@ static int auth_alg_odp_to_rte(odp_auth_alg_t auth_alg,
        case ODP_AUTH_ALG_MD5_96:
 #endif
                auth_xform->auth.algo = RTE_CRYPTO_AUTH_MD5_HMAC;
-               auth_xform->auth.digest_length = 12;


Comment:
OK. You always use `param->auth_digest_len` if it is set. This logic is 
incorrect. It should be used for all cases except MD5_96, SHA256_128, 
AES128_GCM (where an override should be used).

> GBalakrishna wrote
> yes it works.


>> GBalakrishna wrote
>> it is set in get_crypto_dev()


>>> GBalakrishna wrote
>>> it is set in get_crypto_dev()


>>>> GBalakrishna wrote
>>>> it is set in get_crypto_dev(): auth_xform->auth.digest_length = 
>>>> cap->sym.auth.digest_size.min


>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>> All test updates should go in separate commit.


>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>> Name of the test suggests, that test is using truncated hmac, but then 
>>>>>> you specify full auth_digest_len.


>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>> and this


>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>> Will it work w/o crypto_null driver?


>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>> `res` does not quite follow `crypto_chain_order`, does it? Please 
>>>>>>>>> rename to 'order' or smth. like that.


>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>> Push this logic to `set_chain_order`


>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>> Make it return `crypto_chain_order`.


>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>> No need to keep this under `if (iv_length)` 


>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>> Liked this typo. It shows that the code never worked as expected.


>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>> same issue here.


>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>> Same issue here.


>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>> `auth.digest_length` should be set for MD5_96 here, but not 
>>>>>>>>>>>>>>>> for MD5_HMAC.


>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>> It's really not a problem at this moment, this can be fixed 
>>>>>>>>>>>>>>>>> later.


>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>> oke I see. I will make the update in the next version.


>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>> both = Encrypt-then-MAC and MAC-cleartext


>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>> Could you please add tests cases rather than modify 
>>>>>>>>>>>>>>>>>>>> existing ones?


>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>> Implementation should not set digest len for cases other 
>>>>>>>>>>>>>>>>>>>>> than several deprecated auth algos.


>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>  setting digest_length is moved to get_crypto_dev(), 
>>>>>>>>>>>>>>>>>>>>>> where it reads from PMD and set the min digest length if 
>>>>>>>>>>>>>>>>>>>>>> application doesn't set it. Reagrding the QAT, I need to 
>>>>>>>>>>>>>>>>>>>>>> look at it and understand. may be as a separate PR.


>>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>> I have updated the tests so that it works with both the 
>>>>>>>>>>>>>>>>>>>>>>> platforms linux-generci & linux-dpdk.


>>>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>>> what do you mean by testing both combinations ?. We 
>>>>>>>>>>>>>>>>>>>>>>>> are testing both the combinations ENCODE & DECODE. 
>>>>>>>>>>>>>>>>>>>>>>>> It's the default value we are changing it.


>>>>>>>>>>>>>>>>>>>>>>>>> Bill Fischofer(Bill-Fischofer-Linaro) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Checkpatch flags this line:
>>>>>>>>>>>>>>>>>>>>>>>>> ```
>>>>>>>>>>>>>>>>>>>>>>>>> WARNING: line over 80 characters
>>>>>>>>>>>>>>>>>>>>>>>>> #363: FILE: 
>>>>>>>>>>>>>>>>>>>>>>>>> platform/linux-dpdk/test/wrapper-script.sh:3:
>>>>>>>>>>>>>>>>>>>>>>>>> +export ODP_PLATFORM_PARAMS=${ODP_PLATFORM_PARAMS:--n 
>>>>>>>>>>>>>>>>>>>>>>>>> 4 --vdev "crypto_openssl" --vdev "crypto_null"}
>>>>>>>>>>>>>>>>>>>>>>>>> total: 0 errors, 1 warnings, 0 checks, 530 lines 
>>>>>>>>>>>>>>>>>>>>>>>>> checked
>>>>>>>>>>>>>>>>>>>>>>>>> NOTE: Ignored message types: AVOID_EXTERNS BIT_MACRO 
>>>>>>>>>>>>>>>>>>>>>>>>> COMPARISON_TO_NULL DEPRECATED_VARIABLE NEW_TYPEDEFS 
>>>>>>>>>>>>>>>>>>>>>>>>> PREFER_PRINTF PREFER_SCANF SPLIT_STRING 
>>>>>>>>>>>>>>>>>>>>>>>>> SSCANF_TO_KSTRTO VOLATILE
>>>>>>>>>>>>>>>>>>>>>>>>> 0001-linux-dpdk-crypto-support-for-cipher-auth-only-featu.patch
>>>>>>>>>>>>>>>>>>>>>>>>>  has style problems, please review.
>>>>>>>>>>>>>>>>>>>>>>>>> ```


>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> I suggest to factor out cipher and auth checks as 
>>>>>>>>>>>>>>>>>>>>>>>>>> separate functions and apply them only if 
>>>>>>>>>>>>>>>>>>>>>>>>>> corresponding algorithm is not NULL. Code would be 
>>>>>>>>>>>>>>>>>>>>>>>>>> simpler.


>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> For deprecated MD5_96 (and SHA256_128/AES128_GCM) 
>>>>>>>>>>>>>>>>>>>>>>>>>>> application won't set `auth.digest_len`, so you 
>>>>>>>>>>>>>>>>>>>>>>>>>>> have to enforce 12 and 16 bytes digest len. For 
>>>>>>>>>>>>>>>>>>>>>>>>>>> MD5_HMAC/SHA256_HMAC (and others) application will 
>>>>>>>>>>>>>>>>>>>>>>>>>>> set `auth.digest_len`.
>>>>>>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>>>>>>> IIRC QAT driver should support truncated digests 
>>>>>>>>>>>>>>>>>>>>>>>>>>> out-of-box. Also you can try expanding pmd_openssl 
>>>>>>>>>>>>>>>>>>>>>>>>>>> to support truncated lengths, it should not be very 
>>>>>>>>>>>>>>>>>>>>>>>>>>> complicated. Also note, that full-length HMAC won't 
>>>>>>>>>>>>>>>>>>>>>>>>>>> be useful for IPsec.


>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> "Do not change tests". See my previous comment.


>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Theoretically we'd better be testing both 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> combinations. The problem with test changes in 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your commit is that you change tests rather than 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> expand them. Can you import tests from #379?


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> not sure what do u mean here.


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Not sure if I have fallowed. I introduced Chain 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> order because dpdk PMD's doesn't have support 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for combination of NULL + Valid algo. So 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> linux-dpdk implementation converts the NULL 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> also to chain order as if it cipher only & auth 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> only.


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> my understanding of auth_cipher_text = true 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> means do encode then authenticate. and when it 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> is applied together with if 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> (ODP_CRYPTO_OP_ENCODE == param->op) sets the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> "entry->do_cipher_first"  to true by default 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and if the param->op == DECODE it sets the 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> !auth_cipher_text. I felt this is more easier 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for understanding. 


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> GBalakrishna wrote
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> openssl PMD in 17.02 supports the digest 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> length to be min 16 bytes. But I have now 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> removed the setting digest_lengths from here 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> as it sets it from the application.


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> why?


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> `non tangere testos meos`


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'd suggest to use ALG_NULL checks 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> directly, rather than introduce chain 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> order.


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Dmitry Eremin-Solenikov(lumag) wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> This is wrong. MD5_96 should use 12-byte 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> digest length. MD5_HMAC should use digest 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> length specified by application.


https://github.com/Linaro/odp/pull/385#discussion_r161795465
updated_at 2018-01-16 15:40:24