Missing "#if OPENSSL_VERSION_NUMBER < 0x30200000" and patch

intel / QAT_Engine

Intel QuickAssist Technology( QAT) OpenSSL Engine (an OpenSSL Plug-In Engine) which provides cryptographic acceleration for both hardware and optimized software using Intel QuickAssist Technology enabled Intel platforms. https://developer.intel.com/quickassist

BSD 3-Clause "New" or "Revised" License

410 stars 128 forks source link

Missing "#if OPENSSL_VERSION_NUMBER < 0x30200000" and patch #305

Open psheer-spirent opened 8 months ago

psheer-spirent commented 8 months ago

Sir,

Yourselves are missing many "#if OPENSSL_VERSION_NUMBER < 0x30200000" necessary for OpenSSL-3,2 compatibility.

Attached is a patch.

Thank you

Paul

patch-for-3.2.diff.gz.uu.txt

psheer-spirent commented 8 months ago

I may have confused 3.2.0 and 3.2.1

bjayanax commented 7 months ago

Hi Paul, When we checked with OpenSSL3.2 & Qatengine v1.5.0 we faced some issues and added required changes to support OpenSSL3.2 in Qatengine v1.6.0 and working as expected.

Did you observe any issues with the current changes added in Qatengine V1.6.0 to support OpenSSL3.2.1. Could you please share test details? It will help us to understand further.

psheer-spirent commented 7 months ago

Yes. But my changes should be clear from the patch. Are you able to open the patch and see my changes?

bjayanax commented 7 months ago

Yes, able to see your changes in the patch. On top of our changes, we saw some additional code "export_types_ex and import_types_ex" for OpenSSL3.2 alone. Without these changes, OpenSSL 3.2 works fine for us. Could you please explain why we require this code?

psheer-spirent commented 7 months ago

I have manually compared each struct used by QAT_Engine that does "shadow" a struct in the OpenSSL source. In the first place, it is an unfortunate engineering choice to copy struct definitions in this way such that there are two definitions that need to be maintained. In any case, since they are copied, it is prudent to compare them manually to each struct in the OpenSSL source and do so for every new commit of OpenSSL. For example QAT_Engine has a struct QAT_RSA_KEYMGMT which is a copy of the definition of struct evp_keymgmt_st / EVP_KEYMGMT. To make them identical, I have added fields as shown. I am unsure if it is true that absolutely every field is required, however without my patch there is misalignment in some tests and the implementation segfaults and dumps core.

If you say OpenSSL 3.2 works fine for you, then I would say that you have not tested every signature and KEM supported, since QAT_Engine will certainly segfault.

bjayanax commented 7 months ago

Hi Paul, Would you kindly share the test commands that you have run on your end? which will be very beneficial to us. We have a plan to avoid duplication of structures further, thanks for the inputs and suggestion.

psheer-spirent commented 7 months ago

Hi Paul, Would you kindly share the test commands

Our software suite is a very large infrastructure of many software components. We do not have a small code-sample that works standalone.