Is picotls compatible with intel QAT and OpenSSL's Engine module and its ASYNC_JOB? #278

Open
suddas opened this issue Nov 4, 2019 · 5 comments


suddas commented Nov 4, 2019

I am curious to know if it is possible to run "picotls" over an Intel QAT card, offloading the crypto operations to the QAT hardware through OpenSSL's "QATEngine". Does the "picotls" state machine support OpenSSL's ASYNC_JOB mechanism?

Member

kazuho commented Nov 4, 2019

Correct me if I'm wrong, but Intel QAT card does not support the public key algorithms required by TLS 1.3.

Author

suddas commented Nov 4, 2019

The following public key algorithms are supported in QAT. My understanding is that RSA is no longer used for key exchange in TLS 1.3 but is used as a signature algorithm. The x25519 curve is not supported in QAT because Intel cores are much faster for this curve. But the rest of them are supported.

Asymmetric PKE Offload

- RSA Support for Key Sizes 1024/2048/4096.
- DH Support for Key Sizes 768/1024/1536/2048/3072/4096.
- DSA Support for Key Sizes 160/1024, 224/2048, 256/2048, 256/3072.
- ECDH Support for the following curves:
  - NIST Prime Curves: P-192/P-224/P-256/P-384/P-521.
  - NIST Binary Curves: B-163/B-233/B-283/B-409/B-571.
  - NIST Koblitz Curves: K-163/K-233/K-283/K-409/K-571.
- ECDSA Support for the following curves:
  - NIST Prime Curves: P-192/P-224/P-256/P-384/P-521.
  - NIST Binary Curves: B-163/B-233/B-283/B-409/B-571.
  - NIST Koblitz Curves: K-163/K-233/K-283/K-409/K-571.

https://github.com/intel/QAT_Engine

Member

kazuho commented Mar 15, 2020

To be closed by #291.

@pingyucn

We definitely can use QAT to offload asymmetric operations, and #291 is a start toward offloading sign_certificate. I'd like to implement it based on #291 using QAT_engine and cryptodev, which is introduced in DPDK.

@brgavino

@kazuho and @pingyucn, I'm following this work to understand the current state of picotls async operations given various PRs, such as #291 and #408. What's the current status regarding async operations and QAT, and which branch is best suited to integrate with QAT? Thanks!
