Session contexts are used for temporary storage when processing a
packet.
If packets for the same session are to be processed simultaneously on
multiple cores, separate contexts must be used.
Note: with openssl 1.1.1 EVP_CIPHER_CTX can no longer be defined as a
variable on the stack: it must be allocated. This in turn reduces the
performance.
Fixes:
d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")
Cc: stable@dpdk.org
Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
int srclen, aadlen, status = -1;
uint32_t offset;
uint8_t taglen;
+ EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
/*
* Segmented destination buffer is not supported for
}
taglen = sess->auth.digest_length;
}
taglen = sess->auth.digest_length;
+ ctx_copy = EVP_CIPHER_CTX_new();
+ EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
status = process_openssl_auth_encryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
else
status = process_openssl_auth_encryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, sess->cipher.ctx);
+ dst, tag, taglen, ctx_copy);
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
} else {
if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
status = process_openssl_auth_decryption_gcm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, sess->cipher.ctx);
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
else
status = process_openssl_auth_decryption_ccm(
mbuf_src, offset, srclen,
aad, aadlen, iv,
- dst, tag, taglen, sess->cipher.ctx);
+ dst, tag, taglen, ctx_copy);
+ EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
if (status != 0) {
if (status == (-EFAULT) &&
sess->auth.operation ==
{
uint8_t *dst, *iv;
int srclen, status;
{
uint8_t *dst, *iv;
int srclen, status;
+ EVP_CIPHER_CTX *ctx_copy;
/*
* Segmented destination buffer is not supported for
/*
* Segmented destination buffer is not supported for
iv = rte_crypto_op_ctod_offset(op, uint8_t *,
sess->iv.offset);
iv = rte_crypto_op_ctod_offset(op, uint8_t *,
sess->iv.offset);
+ ctx_copy = EVP_CIPHER_CTX_new();
+ EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
status = process_openssl_cipher_encrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
status = process_openssl_cipher_encrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
- srclen, sess->cipher.ctx);
else
status = process_openssl_cipher_decrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
else
status = process_openssl_cipher_decrypt(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
- srclen, sess->cipher.ctx);
else
status = process_openssl_cipher_des3ctr(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
sess->cipher.key.data, srclen,
else
status = process_openssl_cipher_des3ctr(mbuf_src, dst,
op->sym->cipher.data.offset, iv,
sess->cipher.key.data, srclen,
+ EVP_CIPHER_CTX_free(ctx_copy);
if (status != 0)
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
}
if (status != 0)
op->status = RTE_CRYPTO_OP_STATUS_ERROR;
}
{
uint8_t *dst;
int srclen, status;
{
uint8_t *dst;
int srclen, status;
+ EVP_MD_CTX *ctx_a;
+ HMAC_CTX *ctx_h;
srclen = op->sym->auth.data.length;
srclen = op->sym->auth.data.length;
switch (sess->auth.mode) {
case OPENSSL_AUTH_AS_AUTH:
switch (sess->auth.mode) {
case OPENSSL_AUTH_AS_AUTH:
+ ctx_a = EVP_MD_CTX_create();
+ EVP_MD_CTX_copy_ex(ctx_a, sess->auth.auth.ctx);
status = process_openssl_auth(mbuf_src, dst,
op->sym->auth.data.offset, NULL, NULL, srclen,
status = process_openssl_auth(mbuf_src, dst,
op->sym->auth.data.offset, NULL, NULL, srclen,
- sess->auth.auth.ctx, sess->auth.auth.evp_algo);
+ ctx_a, sess->auth.auth.evp_algo);
+ EVP_MD_CTX_destroy(ctx_a);
break;
case OPENSSL_AUTH_AS_HMAC:
break;
case OPENSSL_AUTH_AS_HMAC:
+ ctx_h = HMAC_CTX_new();
+ HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
status = process_openssl_auth_hmac(mbuf_src, dst,
op->sym->auth.data.offset, srclen,
+ ctx_h);
+ HMAC_CTX_free(ctx_h);
break;
default:
status = -1;
break;
default:
status = -1;