intel
diff --git a/‎Makefile.am‎
Lines changed: 14 additions & 0 deletions b/‎Makefile.am‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎configure.ac‎
Lines changed: 17 additions & 0 deletions b/‎configure.ac‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎docs/config_options.md‎
Lines changed: 5 additions & 0 deletions b/‎docs/config_options.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/features.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/features.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/qat_common.md‎
Lines changed: 16 additions & 0 deletions b/‎docs/qat_common.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎e_qat.c‎
Lines changed: 78 additions & 21 deletions b/‎e_qat.c‎
Lines changed: 78 additions & 21 deletions
@@ -53,6 +53,14 @@ if QAT_PROVIDER
                 qat_prov_capabilities.c   \
                 qat_prov_chachapoly.c     \
                 qat_prov_sign_sm2.c
+if QAT_FIPS
+ QAT_FIPS_SRC = qat_fips.c                \
+                qat_self_test_kats.c      \
+                qat_self_test_tls_prf.c   \
+                qat_prov_cmvp.c           \
+                qat_prov_sha2.c           \
+                qat_sw_sha2.c
+endif
 endif
 
 if QAT_OPENSSL_3
@@ -136,6 +144,7 @@ endif
 
 @LIBQATNAME@_la_SOURCES = ${QAT_COMMON_SRC}   \
                           ${QAT_PROV_SRC}     \
+                          ${QAT_FIPS_SRC}     \
                           ${QAT_ERR_SRC}      \
                           ${QAT_HW_SRC}       \
                           ${QAT_HW_MEM_SRC}   \
@@ -204,4 +213,9 @@ else
          -rebuild -reindex `ls *.c | sed "s/qat_bssl_err.c//"`
 endif
 
+if QAT_FIPS
+intkat:
+	$(shell ./intkat.sh)
+endif
 include test.am
+
@@ -94,6 +94,12 @@ AC_ARG_ENABLE(qat_sw_gcm,
                              [Disable qat_sw AES-GCM acceleration]))
 AC_SUBST(enable_qat_sw_gcm)
 
+AC_ARG_ENABLE(qat_sw_sha2,
+              AS_HELP_STRING([--disable-qat_sw_sha2],
+                             [Disable qat_sw SHA2 acceleration]))
+
+AC_SUBST(enable_qat_sw_sha2)
+
 AC_ARG_ENABLE(qat_sw_rsa,
               AS_HELP_STRING([--disable-qat_sw_rsa],
                              [Disable qat_sw RSA acceleration]))
@@ -284,6 +290,10 @@ AC_ARG_ENABLE(qat_plock,
               AS_HELP_STRING([--enable-qat_plock],
                              [Enable plock, an optimized read-write lock which replaces pthread read/write lock]))
 AC_SUBST(enable_qat_plock)
+AC_ARG_ENABLE(qat_fips,
+              AS_HELP_STRING([--enable-qat_fips],
+                             [Enables FIPS support]))
+AC_SUBST(enable_qat_fips)
 
 AC_ARG_ENABLE(qat_ntls,
               AS_HELP_STRING([--enable-qat_ntls],
@@ -501,6 +511,7 @@ then
     AC_SUBST([enable_qat_sw_sm2], ["no"])
     AC_SUBST([enable_qat_sw_sm4_cbc], ["no"])
     AC_SUBST([enable_qat_sw_heuristic_timeout], ["no"])
+    AC_SUBST([enable_qat_sw_sha2], ["no"])
   fi
 fi
 
@@ -579,6 +590,8 @@ if test "x$cflags_qat_sw_ipsec" != "x"
 then
   AS_IF([test "x$enable_qat_sw_gcm" != "xno"],
         [cflags_qat_sw_ipsec+=" -DENABLE_QAT_SW_GCM"; AC_MSG_NOTICE([Accelerating GCM to Software (IPSec_mb)])])
+  AS_IF([test "x$enable_qat_sw_sha2" != "xno"],
+        [cflags_qat_sw_ipsec+=" -DENABLE_QAT_SW_SHA2"; AC_MSG_NOTICE([Accelerating SHA2 to Software (IPSec_mb)])])
 fi    
 
 if test "x$cflags_qat_hw" != "x" -a  "x$cflags_qat_sw" != "x"
@@ -617,6 +630,10 @@ AS_IF([test "x$enable_qat_plock" = "xyes"],
       [cflags_common="${cflags_common} -DQAT_PLOCK"; AC_MSG_NOTICE([plock enabled])])
 AM_CONDITIONAL([QAT_PLOCK], [test "x$enable_qat_plock" != "x"])
 
+AS_IF([test "x$enable_qat_fips" = "xyes"],
+      [cflags_common="${cflags_common} -DENABLE_QAT_FIPS"; AC_MSG_NOTICE([FIPS Support enabled])])
+AM_CONDITIONAL([QAT_FIPS], [test "x$enable_qat_fips" != "x"])
+
 AS_IF([test "x$enable_qat_sw_heuristic_timeout" = "xyes" -a "x$cflags_qat_sw" != "x"],
       [cflags_common="${cflags_common} -DQAT_SW_HEURISTIC_TIMEOUT"; AC_MSG_NOTICE([QAT_SW Heuristic Timeout enabled])])
 
 
@@ -118,6 +118,11 @@ The following is a list of the options that can be used with the
     interface. Currently RSA, ECDSA, ECDH, ECX and AES-GCM algorithms are
     only supported (disabled by default).
 
+--enable-qat_fips
+    Enables FIPS support when provider is enabled. Valid only
+    when built against OpenSSL 3.0 along with the flag `--enable-qat_provider`,
+    (disabled by default).
+
 --disable-qat_hw_rsa/--enable-qat_hw_rsa
     Disable/Enable Intel(R) QAT Hardware RSA acceleration (enabled by default).
 
 
@@ -53,6 +53,7 @@ Please refer [here](qat_hw_algo.md) for supported platforms list and default beh
 ## Common Features to qat_hw & qat_sw
 * [QAT_HW & QAT_SW Co-existence with runtime configuration](qat_common.md#qat-hw-and-qat-sw-co-existence)
 * [OpenSSL 3.0 Provider Support](qat_common.md#openssl-30-provider-support)
+* [FIPS Support](qat_common.md#fips-support)
 
 Note: RSA Padding schemes are handled by OpenSSL\* or BoringSSL\* rather than accelerated, so the
 engine supports the same padding schemes as OpenSSL\* or BoringSSL\* does natively.
@@ -136,3 +136,19 @@ Example OpenSSL Speed command to test using qatprovider:
      ./openssl speed -provider qatprovider -elapsed -async_jobs 72 rsa2048
 * QAT_SW
      ./openssl speed -provider qatprovider -elapsed -async_jobs 8 rsa2048
+
+# FIPS 140-3 Certification requirements Support
+
+Intel&reg; QAT OpenSSL\* Engine contains changes to fulfill FIPS 140-3 Level 1 Certification requirements
+using QAT Provider against OpenSSL 3.0
+The FIPS support can be enabled using the configure flag `--enable-qat_fips`
+only with OpenSSL 3.0 using provider interface which needs to be enabled using `--enable-qat_provider`.
+
+When FIPS flag is enabled along with provider for OpenSSL3.0, it will run self tests, integrity tests
+and will satisfy other FIPS 140-3 CMVP & CAVP requirements.
+The FIPS is build as RPM using the spec file fips/qatengine_fips.spec with QAT_HW & QAT_SW Coexistence
+enabled along with other flags enabled.
+
+## Support Algorithms in FIPS mode
+QAT_HW target: RSA, ECDSA, ECDH, ECDHX25519, ECDHX448, AES_GCM, DSA, DH, PRF, HKDF & SHA3 algorithms.
+QAT_SW target: RSA, ECDSA, ECDH, ECDHX25519, AES_GCM & SHA2 algorithms.
@@ -124,6 +124,12 @@
 #endif /* QAT_BORINGSSL */
 #endif
 
+#ifdef QAT_SW_IPSEC
+# if defined(ENABLE_QAT_FIPS) && defined(ENABLE_QAT_SW_SHA2)
+#  include "qat_sw_sha2.h"
+# endif
+#endif
+
 /* OpenSSL Includes */
 #include <openssl/err.h>
 #include <openssl/objects.h>
@@ -137,7 +143,6 @@
 # define Genu 0x756e6547
 # define ineI 0x49656e69
 # define ntel 0x6c65746e
-
 # define VAES_BIT 9
 # define VPCLMULQDQ_BIT 10
 # define AVX512F_BIT 16
@@ -149,6 +154,11 @@
 # define QAT_ENGINE_ID qatengine
 #endif
 
+#ifdef ENABLE_QAT_FIPS
+int qat_fips_key_zeroize;
+int qat_fips_kat_test;
+#endif
+
 /* Qat engine id declaration */
 const char *engine_qat_id = STR(QAT_ENGINE_ID);
 #if defined(QAT_HW) && defined(QAT_SW)
@@ -184,6 +194,14 @@ int qat_hw_sm4_cbc_offload = 0;
 int qat_sw_sm2_offload = 0;
 int qat_hw_sha_offload = 0;
 int qat_hw_sm3_offload = 0;
+# ifdef ENABLE_QAT_FIPS
+int qat_sw_sha_offload = 0;
+# endif
+# ifdef QAT_OPENSSL_PROVIDER
+int qat_hw_dsa_offload = 0;
+int qat_hw_dh_offload = 0;
+int qat_hw_ecx_448_offload = 0;
+# endif
 int qat_sw_sm3_offload = 0;
 int qat_sw_sm4_cbc_offload = 0;
 int qat_sw_sm4_gcm_offload = 0;
@@ -216,11 +234,13 @@ pthread_cond_t qat_poll_condition = PTHREAD_COND_INITIALIZER;
 # define QAT_CONFIG_SECTION_NAME_SIZE 64
 char qat_config_section_name[QAT_CONFIG_SECTION_NAME_SIZE] = "SHIM";
 char *ICPConfigSectionName_libcrypto = qat_config_section_name;
-
 int enable_inline_polling = 0;
 int enable_event_driven_polling = 0;
 int enable_instance_for_thread = 0;
 int disable_qat_offload = 0;
+/* By default Software fallback disabled in QAT FIPs mode.
+ * Always enable_sw_fallback is zero in QAT FIPs mode.
+ */
 int enable_sw_fallback = 0;
 CpaInstanceHandle *qat_instance_handles = NULL;
 Cpa16U qat_num_instances = 0;
@@ -565,13 +585,18 @@ int qat_engine_init(ENGINE *e)
 #ifdef QAT_HW
     if (qat_hw_offload) {
         if (!qat_hw_init(e)) {
-# ifdef QAT_SW /* Co-Existence mode: Don't return failure when QAT HW initialization Failed. */
+# ifdef ENABLE_QAT_FIPS
+            fprintf(stderr, "QAT_HW initialization Failed\n");
+            return 0;
+# else
+#  ifdef QAT_SW /* Co-Existence mode: Don't return failure when QAT HW initialization Failed. */
             fallback_to_qat_sw = 1;
             WARN("QAT HW initialization Failed, switching to QAT SW.\n");
-# else
+#  else
             fprintf(stderr, "QAT HW initialization Failed.\n");
             qat_pthread_mutex_unlock();
             return 0;
+#  endif
 # endif
         }
     }
@@ -580,8 +605,13 @@ int qat_engine_init(ENGINE *e)
 #ifdef QAT_SW
     if (qat_sw_offload) {
         if (!qat_sw_init(e)) {
+# ifdef ENABLE_QAT_FIPS
+            fprintf(stderr, "QAT_SW initialization Failed\n");
+            return 0;
+# else
             WARN("QAT SW initialization Failed, switching to OpenSSL.\n");
             fallback_to_openssl = 1;
+# endif
         }
     }
 #endif
@@ -625,7 +655,6 @@ int qat_engine_finish_int(ENGINE *e, int reset_globals)
     if (qat_sw_offload)
        ret = qat_sw_finish_int(e, reset_globals);
 #endif
-
     engine_inited = 0;
 
     if (reset_globals == QAT_RESET_GLOBALS) {
@@ -1092,10 +1121,10 @@ int bind_qat(ENGINE *e, const char *id)
         return ret;
     }
 
-     if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
-          WARN("ENGINE_set_EC failed\n");
-          return ret;
-     }
+    if (!ENGINE_set_EC(e, qat_get_EC_methods())) {
+        WARN("ENGINE_set_EC failed\n");
+        return ret;
+    }
 
      if (!ENGINE_set_pkey_meths(e, qat_pkey_methods)) {
           WARN("ENGINE_set_pkey_meths failed\n");
@@ -1137,31 +1166,43 @@ int bind_qat(ENGINE *e, const char *id)
     if (qat_hw_offload) {
 # ifdef ENABLE_QAT_HW_RSA
         qat_hw_rsa_offload = 1;
-        DEBUG("QAT_HW RSA for Provider Enabled\n");
+        INFO("QAT_HW RSA for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_ECDSA
         qat_hw_ecdsa_offload = 1;
-        DEBUG("QAT_HW ECDSA for Provider Enabled\n");
+        INFO("QAT_HW ECDSA for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_ECDH
         qat_hw_ecdh_offload = 1;
-        DEBUG("QAT_HW ECDH for Provider Enabled\n");
+        INFO("QAT_HW ECDH for Provider Enabled\n");
+# endif
+# ifdef ENABLE_QAT_HW_DSA
+        qat_hw_dsa_offload = 1;
+        INFO("QAT_HW DSA for Provider Enabled\n");
+# endif
+# ifdef ENABLE_QAT_HW_DH
+        qat_hw_dh_offload = 1;
+        INFO("QAT_HW DH for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_ECX
         qat_hw_ecx_offload = 1;
-        DEBUG("QAT_HW ECX for Provider Enabled\n");
+        INFO("QAT_HW ECX25519 for Provider Enabled\n");
+# endif
+# ifdef ENABLE_QAT_HW_ECX
+        qat_hw_ecx_448_offload = 1;
+        INFO("QAT_HW ECX448 for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_PRF
         qat_hw_prf_offload = 1;
-        DEBUG("QAT_HW PRF for Provider Enabled\n");
+        INFO("QAT_HW PRF for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_HKDF
         qat_hw_hkdf_offload = 1;
-        DEBUG("QAT_HW HKDF for Provider Enabled\n");
+        INFO("QAT_HW HKDF for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_SHA3
         qat_hw_sha_offload = 1;
-        DEBUG("QAT_HW SHA3 for Provider Enabled\n");
+        INFO("QAT_HW SHA3 for Provider Enabled\n");
 # endif
 # ifdef ENABLE_QAT_HW_GCM
         if (!qat_sw_gcm_offload) {
@@ -1178,7 +1219,7 @@ int bind_qat(ENGINE *e, const char *id)
             mbx_get_algo_info(MBX_ALGO_RSA_3K) &&
             mbx_get_algo_info(MBX_ALGO_RSA_4K)) {
             qat_sw_rsa_offload = 1;
-            DEBUG("QAT_SW RSA for Provider Enabled\n");
+            INFO("QAT_SW RSA for Provider Enabled\n");
         }
 # endif
 
@@ -1187,7 +1228,7 @@ int bind_qat(ENGINE *e, const char *id)
             mbx_get_algo_info(MBX_ALGO_ECDSA_NIST_P256) &&
             mbx_get_algo_info(MBX_ALGO_ECDSA_NIST_P384)) {
             qat_sw_ecdsa_offload = 1;
-            DEBUG("QAT_SW ECDSA for Provider Enabled\n");
+            INFO("QAT_SW ECDSA for Provider Enabled\n");
         }
 # endif
 
@@ -1196,26 +1237,42 @@ int bind_qat(ENGINE *e, const char *id)
             mbx_get_algo_info(MBX_ALGO_ECDHE_NIST_P256) &&
             mbx_get_algo_info(MBX_ALGO_ECDHE_NIST_P384)) {
             qat_sw_ecdh_offload = 1;
-            DEBUG("QAT_SW ECDH for Provider Enabled\n");
+            INFO("QAT_SW ECDH for Provider Enabled\n");
         }
 # endif
 
 # ifdef ENABLE_QAT_SW_ECX
         if (!qat_hw_ecx_offload &&
             mbx_get_algo_info(MBX_ALGO_X25519)) {
             qat_sw_ecx_offload = 1;
-            DEBUG("QAT_SW X25519 for Provider Enabled\n");
+            INFO("QAT_SW X25519 for Provider Enabled\n");
         }
 # endif
 
 # ifdef ENABLE_QAT_SW_GCM
         qat_sw_gcm_offload = 1;
         DEBUG("QAT_SW GCM for Provider Enabled\n");
+# endif
+# if defined(ENABLE_QAT_FIPS) && defined (ENABLE_QAT_SW_SHA2)
+        qat_sw_sha_offload = 1;
+        INFO("QAT_SW SHA2 for Provider Enabled\n");
+
+        if(!sha_init_ipsec_mb_mgr()) {
+            WARN("SHA IPSec_Mb Manager Initialization failed\n");
+            return 0;
+        }
 # endif
     }
     /* Create static structures for ciphers now
      * as this function will be called by a single thread. */
     qat_create_ciphers();
+# ifndef QAT_DEBUG
+    if (qat_sw_gcm_offload && !qat_hw_gcm_offload)
+        INFO("QAT_SW GCM for Provider Enabled\n");
+
+    if (qat_hw_gcm_offload && !qat_sw_gcm_offload)
+        INFO("QAT_HW GCM for Provider Enabled\n");
+# endif
 #endif
 
 #ifndef QAT_BORINGSSL
@@ -1255,7 +1312,7 @@ int bind_qat(ENGINE *e, const char *id)
 
 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
 IMPLEMENT_DYNAMIC_BIND_FN(bind_qat)
-    IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_CHECK_FN()
 #endif                          /* ndef OPENSSL_NO_DYNAMIC_ENGINE */
 /* initialize Qat Engine if OPENSSL_NO_DYNAMIC_ENGINE*/
 #ifdef OPENSSL_NO_DYNAMIC_ENGINE