
How to Use the Engine with ssl_read and ssl_write

jintaoc3 opened this issue 5 years ago • 11 comments

Hi, I currently want to use openssl with QAT in my project, which uses openssl for server-to-server connections with ssl. I set up the machines as in the documentation, with the openssl.conf. So is the only thing to add in the code "OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);"? I did that, but I don't think my ssl_write and ssl_reads are using the engine. I am using the cipher ECDHE-RSA-AES128-SHA256.

I am not sure if there are additional steps involved or what functions I can use to set it up, as they are not mentioned in the documentation. Let me know. Thanks.

jintaoc3, May 12 '20 16:05

Hi jintaoc3, could you give more information/detail on your query, please, in order for us to fully understand your request? For example, versions of OpenSSL and QAT engine (and QAT driver) and the configure commands used, in particular for the QAT engine. When you say you are 'using the cipher', how are you using it? What traffic are you running? Please give me details of this 'documentation with the openssl.conf' and how to access it. Thanks in advance.

paulturx, May 13 '20 13:05

Hi Paul,

I am using QAT engine 1.7 with c62x and OPENSSL 1.1.1g. Basically I have configured it using the commands listed in the documentation of this git repository to set up QAT and openssl. The configure command I used for the QAT engine is "./configure --with-qat_dir=/QAT --with-openssl_install_dir=/path". The openssl.conf file is set up according to the description in section "Using the OpenSSL* Configuration File to Load/Initialize Engines".

The way I am using it is: I have a client and a server, each of which has a read process and a write process, connected through ssl_connect. Before connecting, they load the config file through "OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);" and are also configured by SSL_CTX_set_cipher_list to ECDHE-RSA-AES128-SHA256 (I also set the protocol version to TLS1.2), so I want to make sure it's using something the engine supports. Then the read process performs ssl_read and the write process performs ssl_write through BIO sockets.

So I have tested the engine using the openssl executable and it works, and I also see the engine being used during the initial phase of my program, either by loading the openssl.conf or by ssl_connect, but it is not used for the actual work done by ssl_read and ssl_write. So I am thinking maybe there is additional setup that I didn't know about. I also thought of using icp_sal_userStart, but that would need to link the qat library. Thanks.

jintaoc3, May 13 '20 15:05

I tried calling ENGINE_load_builtin_engines(); ENGINE_by_id("qat") right after OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);, but that gives me NULL. So I am not sure if the engine is loaded after all.

jintaoc3, May 14 '20 18:05

Hi, just to rule this out as a possible cause, can I refer you to GitHub QAT Engine issue #123? The later comments are probably more pertinent. Regards, paulturx

paulturx, May 21 '20 17:05

Yes. The thing about ENCRYPT_THEN_MAC is indeed the problem. Thank you.

jintaoc3, May 27 '20 19:05

On a related note, I noticed the tasks are offloaded to the engine only when openssl is statically linked to my program, but it fails to work when I dynamically load the ssl libraries. Any idea what could be different there and how to make it work for dynamically linked ssl libraries?

jintaoc3, Jun 04 '20 00:06

The ssl functions (e.g. ssl_write, ssl_read) that I use are always loaded dynamically, but in order for the engine to work, I had to also put in -L/path -lssl -lcrypto at compile time.

jintaoc3, Jun 04 '20 00:06

I have a follow-up to this issue (using the same HW as @jintaoc3). I have isolated this down to a simple test program that negotiates with TLS_server_method() in OpenSSL 1.1.1 L. It gets: Connected with TLS_AES_256_GCM_SHA384 encryption. What would be the block cipher that SSL_write would use in this case?

But the QAT HW we have says:

pmilosla@REMOTE@coloperf3:~> sudo /usr/local/ssl/bin/openssl engine -t -c -v qatengine
(qatengine) Reference implementation of QAT crypto engine(qat_hw) v0.6.7
 [RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF, HKDF, X25519, X448]
     [ available ]

I assume this QAT HW does not support the default OpenSSL TLS 1.3 negotiation. Is there any way to make TLS 1.3 use something this HW supports? TLS 1.2?

My test is QAT "fw_counters" wiggling when SSL_write is called with packet size > 2kb.

pmiloslavsky, Sep 23 '21 13:09

@paulturx

pmiloslavsky, Sep 23 '21 13:09

FYI the test program is here: https://github.com/pmiloslavsky/demo/tree/master/ssl_example_qat. It has to be changed to do TLSv1_2_server_method (and client) instead of TLS_server_method(). Also I don't know if we need to restrict the cipher suites with SSL_CTX_set_cipher_list to the one that almost matches QAT (without the HMAC part anyway).

pmiloslavsky, Sep 24 '21 13:09

I did get fw_counters to wiggle but only with TLS 1.2 and SSL_CTX_set_cipher_list(ctx, "AES256-SHA256"); [Can you explain that choice?]

[it's 4x slower than default per SSL_write]

pmiloslavsky, Sep 24 '21 18:09
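Added example, not code from the thread or from the QAT_Engine project. It ties together the three findings above: the ENCRYPT_THEN_MAC problem from issue #123, the TLS 1.3 (AES-GCM) suite that is absent from the engine's capability listing, and the TLS 1.2 AES256-SHA256 configuration that finally moved fw_counters. The script parses the `openssl engine -t -c -v qatengine` listing quoted above (pasted in as constructed sample text), maps each cipher suite an SSL_CTX allows to the combined cipher+HMAC primitive the engine would have to provide, and reports whether that primitive is listed and whether encrypt-then-MAC has been disabled. Assumptions: the SSL_OP_NO_ENCRYPT_THEN_MAC value is the one from OpenSSL's ssl.h (Python's ssl module has no named constant for it); the mapping from a suite's symmetric cipher and MAC to the engine's name (aes-128-cbc + sha256 -> AES-128-CBC-HMAC-SHA256) is inferred from the names in that listing; the suite dictionaries follow the shape of Python's SSLContext.get_ciphers(), and the SAMPLE_SUITES list is constructed for offline use.

```python
"""Diagnostic: which of an SSL_CTX's cipher suites can the QAT engine, as it
advertises itself in `openssl engine -t -c -v qatengine`, actually offload?"""
import re
import ssl

# SSL_OP_NO_ENCRYPT_THEN_MAC from OpenSSL's ssl.h (bit 19). Python's ssl
# module has no named constant for it, so the raw value is used (assumption).
SSL_OP_NO_ENCRYPT_THEN_MAC = 0x00080000

# Constructed sample: the capability listing quoted in the thread above.
ENGINE_LISTING = """\
(qatengine) Reference implementation of QAT crypto engine(qat_hw) v0.6.7
 [RSA, DSA, DH, AES-128-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, AES-256-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA256, TLS1-PRF, HKDF, X25519, X448]
     [ available ]
"""

# Constructed sample in the shape SSLContext.get_ciphers() returns (only the
# keys used here), covering the suites mentioned in the thread.
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "aead": True, "symmetric": "aes-256-gcm", "digest": None},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "aead": True, "symmetric": "aes-128-gcm", "digest": None},
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2",
     "aead": False, "symmetric": "aes-128-cbc", "digest": "sha256"},
    {"name": "AES256-SHA256", "protocol": "TLSv1.2",
     "aead": False, "symmetric": "aes-256-cbc", "digest": "sha256"},
]


def parse_engine_listing(text):
    """Return (engine_id, set of algorithm names) from `openssl engine -c` output."""
    m = re.search(r"^\((\S+)\)", text, re.M)
    engine_id = m.group(1) if m else None
    algs = set()
    for block in re.findall(r"\[([^\]]*)\]", text):
        for item in block.split(","):
            item = item.strip()
            # "[ available ]" / "[ unavailable ]" is the -t status, not an algorithm.
            if item and item not in ("available", "unavailable"):
                algs.add(item)
    return engine_id, algs


def combined_cipher_name(suite):
    """Name of the engine-side cipher+HMAC primitive a CBC suite needs, e.g.
    aes-128-cbc + sha256 -> "AES-128-CBC-HMAC-SHA256" (naming assumed from the
    listing above). AEAD suites (AES-GCM, ChaCha20) return None: the listing
    carries no AEAD entry, so this engine cannot take their record work."""
    if suite.get("aead") or not suite.get("digest"):
        return None
    return f"{suite['symmetric'].upper()}-HMAC-{suite['digest'].upper()}"


def offload_report(suites, engine_algs, ctx_options):
    """One (suite_name, needed_primitive, offloadable, reason) tuple per suite."""
    etm_disabled = bool(int(ctx_options) & SSL_OP_NO_ENCRYPT_THEN_MAC)
    report = []
    for s in suites:
        needed = combined_cipher_name(s)
        if needed is None:
            verdict = (False, "AEAD suite; engine lists no AEAD cipher")
        elif needed not in engine_algs:
            verdict = (False, f"engine does not list {needed}")
        elif not etm_disabled:
            # OpenSSL only selects the stitched CBC-HMAC cipher when
            # encrypt-then-MAC is not in use; with ETM negotiated it stays
            # on its own software path (the issue #123 finding above).
            verdict = (False, "encrypt-then-MAC enabled; set SSL_OP_NO_ENCRYPT_THEN_MAC")
        else:
            verdict = (True, "ok")
        report.append((s["name"], needed) + verdict)
    return report


def qat_ready_context(cipher_list="ECDHE-RSA-AES128-SHA256"):
    """Server context in the shape the thread converged on: TLS 1.2 only, a
    CBC-HMAC cipher list, encrypt-then-MAC disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)
    ctx.options = int(ctx.options) | SSL_OP_NO_ENCRYPT_THEN_MAC
    return ctx


if __name__ == "__main__":
    engine_id, algs = parse_engine_listing(ENGINE_LISTING)
    print(f"engine id: {engine_id}")  # the id this build answers to in ENGINE_by_id()
    ctx = qat_ready_context()
    for name, needed, ok, why in offload_report(ctx.get_ciphers(), algs, ctx.options):
        print(f"{'OK' if ok else 'NO'} {name:32} {needed or '-':26} {why}")
```

Run against the sample data, the report says NO for both GCM suites regardless of options, NO for the CBC suites while encrypt-then-MAC is still enabled, and OK for ECDHE-RSA-AES128-SHA256 and AES256-SHA256 once the option is set, which is the combination that produced fw_counters activity above. The same parse works on a live listing captured from `openssl engine -t -c -v qatengine` on the target box, and the engine id it returns is the string to hand to ENGINE_by_id() when checking from C that the config file actually loaded the engine.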