crypto/openssl: use local copy for session contexts

Session contexts are used for temporary storage when processing a
packet.
If packets for the same session are to be processed simultaneously on
multiple cores, separate contexts must be used.

Note: with openssl 1.1.1 EVP_CIPHER_CTX can no longer be defined as a
variable on the stack: it must be allocated. This in turn reduces the
performance.

Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")
Cc: stable@dpdk.org
Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 6a75223..d68713e 100644 (file)
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1290,6 +1290,7 @@ process_openssl_combined_op
        int srclen, aadlen, status = -1;
        uint32_t offset;
        uint8_t taglen;
+       EVP_CIPHER_CTX *ctx_copy;
 
        /*
         * Segmented destination buffer is not supported for
@@ -1326,6 +1327,8 @@ process_openssl_combined_op
        }
 
        taglen = sess->auth.digest_length;
+       ctx_copy = EVP_CIPHER_CTX_new();
+       EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
        if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
                if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1333,12 +1336,12 @@ process_openssl_combined_op
                        status = process_openssl_auth_encryption_gcm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, sess->cipher.ctx);
+                                       dst, tag, ctx_copy);
                else
                        status = process_openssl_auth_encryption_ccm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, taglen, sess->cipher.ctx);
+                                       dst, tag, taglen, ctx_copy);
 
        } else {
                if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1346,14 +1349,15 @@ process_openssl_combined_op
                        status = process_openssl_auth_decryption_gcm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, sess->cipher.ctx);
+                                       dst, tag, ctx_copy);
                else
                        status = process_openssl_auth_decryption_ccm(
                                        mbuf_src, offset, srclen,
                                        aad, aadlen, iv,
-                                       dst, tag, taglen, sess->cipher.ctx);
+                                       dst, tag, taglen, ctx_copy);
        }
 
+       EVP_CIPHER_CTX_free(ctx_copy);
        if (status != 0) {
                if (status == (-EFAULT) &&
                                sess->auth.operation ==
@@ -1372,6 +1376,7 @@ process_openssl_cipher_op
 {
        uint8_t *dst, *iv;
        int srclen, status;
+       EVP_CIPHER_CTX *ctx_copy;
 
        /*
         * Segmented destination buffer is not supported for
@@ -1388,22 +1393,25 @@ process_openssl_cipher_op
 
        iv = rte_crypto_op_ctod_offset(op, uint8_t *,
                        sess->iv.offset);
+       ctx_copy = EVP_CIPHER_CTX_new();
+       EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
        if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
                if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
                        status = process_openssl_cipher_encrypt(mbuf_src, dst,
                                        op->sym->cipher.data.offset, iv,
-                                       srclen, sess->cipher.ctx);
+                                       srclen, ctx_copy);
                else
                        status = process_openssl_cipher_decrypt(mbuf_src, dst,
                                        op->sym->cipher.data.offset, iv,
-                                       srclen, sess->cipher.ctx);
+                                       srclen, ctx_copy);
        else
                status = process_openssl_cipher_des3ctr(mbuf_src, dst,
                                op->sym->cipher.data.offset, iv,
                                sess->cipher.key.data, srclen,
-                               sess->cipher.ctx);
+                               ctx_copy);
 
+       EVP_CIPHER_CTX_free(ctx_copy);
        if (status != 0)
                op->status = RTE_CRYPTO_OP_STATUS_ERROR;
 }
@@ -1507,6 +1515,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 {
        uint8_t *dst;
        int srclen, status;
+       EVP_MD_CTX *ctx_a;
+       HMAC_CTX *ctx_h;
 
        srclen = op->sym->auth.data.length;
 
@@ -1514,14 +1524,20 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
        switch (sess->auth.mode) {
        case OPENSSL_AUTH_AS_AUTH:
+               ctx_a = EVP_MD_CTX_create();
+               EVP_MD_CTX_copy_ex(ctx_a, sess->auth.auth.ctx);
                status = process_openssl_auth(mbuf_src, dst,
                                op->sym->auth.data.offset, NULL, NULL, srclen,
-                               sess->auth.auth.ctx, sess->auth.auth.evp_algo);
+                               ctx_a, sess->auth.auth.evp_algo);
+               EVP_MD_CTX_destroy(ctx_a);
                break;
        case OPENSSL_AUTH_AS_HMAC:
+               ctx_h = HMAC_CTX_new();
+               HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
                status = process_openssl_auth_hmac(mbuf_src, dst,
                                op->sym->auth.data.offset, srclen,
-                               sess->auth.hmac.ctx);
+                               ctx_h);
+               HMAC_CTX_free(ctx_h);
                break;
        default:
                status = -1;