From 1fa538faeb962ec7f54a1cdf8cba5271de15e17d Mon Sep 17 00:00:00 2001
From: Pablo de Lara
Date: Tue, 14 Apr 2020 18:25:55 +0100
Subject: [PATCH] crypto/openssl: fix out-of-place encryption

When authenticating after encrypting, if the operation is out-of-place, the destination buffer is the one that will get authenticated. If the cipher offset is higher than the authentication offset, it means that part of the text to authenticate will be plaintext, so this needs to get copied to the destination buffer, or the result will be incorrect.

Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")
Cc: stable@dpdk.org
Signed-off-by: Pablo de Lara
Acked-by: Akhil Goyal
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index b820f6171d..c294f60b7d 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -2038,6 +2038,26 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 return retval;
 }
 
+static void
+copy_plaintext(struct rte_mbuf *m_src, struct rte_mbuf *m_dst,
+ struct rte_crypto_op *op)
+{
+ uint8_t *p_src, *p_dst;
+
+ p_src = rte_pktmbuf_mtod(m_src, uint8_t *);
+ p_dst = rte_pktmbuf_mtod(m_dst, uint8_t *);
+
+ /**
+ * Copy the content between cipher offset and auth offset
+ * for generating correct digest.
+ */
+ if (op->sym->cipher.data.offset > op->sym->auth.data.offset)
+ memcpy(p_dst + op->sym->auth.data.offset,
+ p_src + op->sym->auth.data.offset,
+ op->sym->cipher.data.offset -
+ op->sym->auth.data.offset);
+}
+
 /** Process crypto operation for mbuf */
 static int
 process_op(struct openssl_qp *qp, struct rte_crypto_op *op,
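Review bot: copy_plaintext() copies `cipher.data.offset - auth.data.offset` bytes through the first-segment pointers returned by rte_pktmbuf_mtod(), and never compares that range with the first-segment length of either mbuf, so a chained source or a short destination would let the memcpy run past the segment. Both offsets are taken from the crypto op, and nothing in this hunk shows them being validated earlier; if such a check exists elsewhere, a one-line comment naming it would make the assumption explicit. Otherwise a guard before the copy would help, for example `if (op->sym->cipher.data.offset > rte_pktmbuf_data_len(m_src) || op->sym->cipher.data.offset > rte_pktmbuf_data_len(m_dst)) { op->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS; return; }`. The `/** ... */` block inside the function body is also Doxygen-style; a plain `/* ... */` fits an inline comment better.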
@@ -2060,6 +2080,9 @@ process_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 break;
 case OPENSSL_CHAIN_CIPHER_AUTH:
 process_openssl_cipher_op(op, sess, msrc, mdst);
+ /* OOP */
+ if (msrc != mdst)
+ copy_plaintext(msrc, mdst, op);
 process_openssl_auth_op(qp, op, sess, mdst, mdst);
 break;
 case OPENSSL_CHAIN_AUTH_CIPHER:
--
2.20.1
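Review bot: The out-of-place fix-up in the OPENSSL_CHAIN_CIPHER_AUTH case only fills the bytes that precede the cipher region. If the auth range also runs past the end of the cipher range (`auth.data.offset + auth.data.length` greater than `cipher.data.offset + cipher.data.length`), that tail would likewise be missing from mdst when process_openssl_auth_op() hashes it, unless process_openssl_cipher_op() writes it, which is not visible here. It is worth confirming that case and, if needed, extending copy_plaintext() to copy the trailing bytes too. The `/* OOP */` comment could state the reason, e.g. `/* Out-of-place: auth reads mdst, so copy the plaintext the cipher did not write */`. process_op's body starts and ends outside this hunk.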