crypto/openssl: support scatter-gather
authorTomasz Kulasek <tomaszx.kulasek@intel.com>
Fri, 13 Jan 2017 15:23:16 +0000 (16:23 +0100)
committerPablo de Lara <pablo.de.lara.guarch@intel.com>
Wed, 18 Jan 2017 20:48:56 +0000 (21:48 +0100)
Signed-off-by: Tomasz Kulasek <tomaszx.kulasek@intel.com>
Acked-by: Declan Doherty <declan.doherty@intel.com>
doc/guides/cryptodevs/openssl.rst
drivers/crypto/openssl/rte_openssl_pmd.c

index f1c39ba..f6ed6ea 100644 (file)
@@ -112,6 +112,7 @@ Limitations
 -----------
 
 * Maximum number of sessions is 2048.
-* Chained mbufs are not supported.
+* Chained mbufs are supported only for source mbuf (destination must be
+  contiguous).
 * Hash only is not supported for GCM and GMAC.
 * Cipher only is not supported for GCM and GMAC.
index 312154a..426e407 100644 (file)
@@ -484,24 +484,112 @@ get_session(struct openssl_qp *qp, struct rte_crypto_op *op)
  * Process Operations
  *------------------------------------------------------------------------------
  */
+static inline int
+process_openssl_encryption_update(struct rte_mbuf *mbuf_src, int offset,
+               uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx)
+{
+       struct rte_mbuf *m;
+       int dstlen;
+       int l, n = srclen;
+       uint8_t *src;
+
+       for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+                       m = m->next)
+               offset -= rte_pktmbuf_data_len(m);
+
+       if (m == 0)
+               return -1;
+
+       src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+       l = rte_pktmbuf_data_len(m) - offset;
+       if (srclen <= l) {
+               if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, srclen) <= 0)
+                       return -1;
+               *dst += l;
+               return 0;
+       }
+
+       if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
+               return -1;
+
+       *dst += dstlen;
+       n -= l;
+
+       for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+               src = rte_pktmbuf_mtod(m, uint8_t *);
+               l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+               if (EVP_EncryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
+                       return -1;
+               *dst += dstlen;
+               n -= l;
+       }
+
+       return 0;
+}
+
+static inline int
+process_openssl_decryption_update(struct rte_mbuf *mbuf_src, int offset,
+               uint8_t **dst, int srclen, EVP_CIPHER_CTX *ctx)
+{
+       struct rte_mbuf *m;
+       int dstlen;
+       int l, n = srclen;
+       uint8_t *src;
+
+       for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+                       m = m->next)
+               offset -= rte_pktmbuf_data_len(m);
+
+       if (m == 0)
+               return -1;
+
+       src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+       l = rte_pktmbuf_data_len(m) - offset;
+       if (srclen <= l) {
+               if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, srclen) <= 0)
+                       return -1;
+               *dst += l;
+               return 0;
+       }
+
+       if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
+               return -1;
+
+       *dst += dstlen;
+       n -= l;
+
+       for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+               src = rte_pktmbuf_mtod(m, uint8_t *);
+               l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+               if (EVP_DecryptUpdate(ctx, *dst, &dstlen, src, l) <= 0)
+                       return -1;
+               *dst += dstlen;
+               n -= l;
+       }
+
+       return 0;
+}
 
 /** Process standard openssl cipher encryption */
 static int
-process_openssl_cipher_encrypt(uint8_t *src, uint8_t *dst,
-               uint8_t *iv, uint8_t *key, int srclen,
+process_openssl_cipher_encrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
+               int offset, uint8_t *iv, uint8_t *key, int srclen,
                EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
 {
-       int dstlen, totlen;
+       int totlen;
 
        if (EVP_EncryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
                goto process_cipher_encrypt_err;
 
        EVP_CIPHER_CTX_set_padding(ctx, 0);
 
-       if (EVP_EncryptUpdate(ctx, dst, &dstlen, src, srclen) <= 0)
+       if (process_openssl_encryption_update(mbuf_src, offset, &dst,
+                       srclen, ctx))
                goto process_cipher_encrypt_err;
 
-       if (EVP_EncryptFinal_ex(ctx, dst + dstlen, &totlen) <= 0)
+       if (EVP_EncryptFinal_ex(ctx, dst, &totlen) <= 0)
                goto process_cipher_encrypt_err;
 
        return 0;
@@ -513,23 +601,23 @@ process_cipher_encrypt_err:
 
 /** Process standard openssl cipher decryption */
 static int
-process_openssl_cipher_decrypt(uint8_t *src, uint8_t *dst,
-               uint8_t *iv, uint8_t *key, int srclen,
+process_openssl_cipher_decrypt(struct rte_mbuf *mbuf_src, uint8_t *dst,
+               int offset, uint8_t *iv, uint8_t *key, int srclen,
                EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
 {
-       int dstlen, totlen;
+       int totlen;
 
        if (EVP_DecryptInit_ex(ctx, algo, NULL, key, iv) <= 0)
                goto process_cipher_decrypt_err;
 
        EVP_CIPHER_CTX_set_padding(ctx, 0);
 
-       if (EVP_DecryptUpdate(ctx, dst, &dstlen, src, srclen) <= 0)
+       if (process_openssl_decryption_update(mbuf_src, offset, &dst,
+                       srclen, ctx))
                goto process_cipher_decrypt_err;
 
-       if (EVP_DecryptFinal_ex(ctx, dst + dstlen, &totlen) <= 0)
+       if (EVP_DecryptFinal_ex(ctx, dst, &totlen) <= 0)
                goto process_cipher_decrypt_err;
-
        return 0;
 
 process_cipher_decrypt_err:
@@ -539,11 +627,25 @@ process_cipher_decrypt_err:
 
 /** Process cipher des 3 ctr encryption, decryption algorithm */
 static int
-process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
-               uint8_t *iv, uint8_t *key, int srclen, EVP_CIPHER_CTX *ctx)
+process_openssl_cipher_des3ctr(struct rte_mbuf *mbuf_src, uint8_t *dst,
+               int offset, uint8_t *iv, uint8_t *key, int srclen,
+               EVP_CIPHER_CTX *ctx)
 {
        uint8_t ebuf[8], ctr[8];
        int unused, n;
+       struct rte_mbuf *m;
+       uint8_t *src;
+       int l;
+
+       for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+                       m = m->next)
+               offset -= rte_pktmbuf_data_len(m);
+
+       if (m == 0)
+               goto process_cipher_des3ctr_err;
+
+       src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+       l = rte_pktmbuf_data_len(m) - offset;
 
        /* We use 3DES encryption also for decryption.
         * IV is not important for 3DES ecb
@@ -552,9 +654,8 @@ process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
                goto process_cipher_des3ctr_err;
 
        memcpy(ctr, iv, 8);
-       n = 0;
 
-       while (n < srclen) {
+       for (n = 0; n < srclen; n++) {
                if (n % 8 == 0) {
                        if (EVP_EncryptUpdate(ctx,
                                        (unsigned char *)&ebuf, &unused,
@@ -562,8 +663,16 @@ process_openssl_cipher_des3ctr(uint8_t *src, uint8_t *dst,
                                goto process_cipher_des3ctr_err;
                        ctr_inc(ctr);
                }
-               dst[n] = src[n] ^ ebuf[n % 8];
-               n++;
+               dst[n] = *(src++) ^ ebuf[n % 8];
+
+               l--;
+               if (!l) {
+                       m = m->next;
+                       if (m) {
+                               src = rte_pktmbuf_mtod(m, uint8_t *);
+                               l = rte_pktmbuf_data_len(m);
+                       }
+               }
        }
 
        return 0;
@@ -575,9 +684,9 @@ process_cipher_des3ctr_err:
 
 /** Process auth/encription aes-gcm algorithm */
 static int
-process_openssl_auth_encryption_gcm(uint8_t *src, int srclen,
-               uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
-               uint8_t *key, uint8_t *dst,     uint8_t *tag,
+process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,
+               int srclen, uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
+               uint8_t *key, uint8_t *dst, uint8_t *tag,
                EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
 {
        int len = 0, unused = 0;
@@ -592,20 +701,20 @@ process_openssl_auth_encryption_gcm(uint8_t *src, int srclen,
        if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) <= 0)
                goto process_auth_encryption_gcm_err;
 
-       if (aadlen > 0) {
+       if (aadlen > 0)
                if (EVP_EncryptUpdate(ctx, NULL, &len, aad, aadlen) <= 0)
                        goto process_auth_encryption_gcm_err;
 
-               /* Workaround open ssl bug in version less then 1.0.1f */
-               if (EVP_EncryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
-                       goto process_auth_encryption_gcm_err;
-       }
-
        if (srclen > 0)
-               if (EVP_EncryptUpdate(ctx, dst, &len, src, srclen) <= 0)
+               if (process_openssl_encryption_update(mbuf_src, offset, &dst,
+                               srclen, ctx))
                        goto process_auth_encryption_gcm_err;
 
-       if (EVP_EncryptFinal_ex(ctx, dst + len, &len) <= 0)
+       /* Workaround open ssl bug in version less then 1.0.1f */
+       if (EVP_EncryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
+               goto process_auth_encryption_gcm_err;
+
+       if (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)
                goto process_auth_encryption_gcm_err;
 
        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag) <= 0)
@@ -619,10 +728,10 @@ process_auth_encryption_gcm_err:
 }
 
 static int
-process_openssl_auth_decryption_gcm(uint8_t *src, int srclen,
-               uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
-               uint8_t *key, uint8_t *dst, uint8_t *tag,
-               EVP_CIPHER_CTX *ctx, const EVP_CIPHER *algo)
+process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,
+               int srclen, uint8_t *aad, int aadlen, uint8_t *iv, int ivlen,
+               uint8_t *key, uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx,
+               const EVP_CIPHER *algo)
 {
        int len = 0, unused = 0;
        uint8_t empty[] = {};
@@ -639,20 +748,20 @@ process_openssl_auth_decryption_gcm(uint8_t *src, int srclen,
        if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) <= 0)
                goto process_auth_decryption_gcm_err;
 
-       if (aadlen > 0) {
+       if (aadlen > 0)
                if (EVP_DecryptUpdate(ctx, NULL, &len, aad, aadlen) <= 0)
                        goto process_auth_decryption_gcm_err;
 
-               /* Workaround open ssl bug in version less then 1.0.1f */
-               if (EVP_DecryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
-                       goto process_auth_decryption_gcm_err;
-       }
-
        if (srclen > 0)
-               if (EVP_DecryptUpdate(ctx, dst, &len, src, srclen) <= 0)
+               if (process_openssl_decryption_update(mbuf_src, offset, &dst,
+                               srclen, ctx))
                        goto process_auth_decryption_gcm_err;
 
-       if (EVP_DecryptFinal_ex(ctx, dst + len, &len) <= 0)
+       /* Workaround open ssl bug in version less then 1.0.1f */
+       if (EVP_DecryptUpdate(ctx, empty, &unused, empty, 0) <= 0)
+               goto process_auth_decryption_gcm_err;
+
+       if (EVP_DecryptFinal_ex(ctx, dst, &len) <= 0)
                goto process_auth_decryption_gcm_final_err;
 
        return 0;
@@ -667,21 +776,50 @@ process_auth_decryption_gcm_final_err:
 
 /** Process standard openssl auth algorithms */
 static int
-process_openssl_auth(uint8_t *src, uint8_t *dst,
+process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
                __rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey,
                int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
 {
        size_t dstlen;
+       struct rte_mbuf *m;
+       int l, n = srclen;
+       uint8_t *src;
+
+       for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+                       m = m->next)
+               offset -= rte_pktmbuf_data_len(m);
+
+       if (m == 0)
+               goto process_auth_err;
 
        if (EVP_DigestInit_ex(ctx, algo, NULL) <= 0)
                goto process_auth_err;
 
-       if (EVP_DigestUpdate(ctx, (char *)src, srclen) <= 0)
+       src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+       l = rte_pktmbuf_data_len(m) - offset;
+       if (srclen <= l) {
+               if (EVP_DigestUpdate(ctx, (char *)src, srclen) <= 0)
+                       goto process_auth_err;
+               goto process_auth_final;
+       }
+
+       if (EVP_DigestUpdate(ctx, (char *)src, l) <= 0)
                goto process_auth_err;
 
+       n -= l;
+
+       for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+               src = rte_pktmbuf_mtod(m, uint8_t *);
+               l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+               if (EVP_DigestUpdate(ctx, (char *)src, l) <= 0)
+                       goto process_auth_err;
+               n -= l;
+       }
+
+process_auth_final:
        if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
                goto process_auth_err;
-
        return 0;
 
 process_auth_err:
@@ -691,18 +829,48 @@ process_auth_err:
 
 /** Process standard openssl auth algorithms with hmac */
 static int
-process_openssl_auth_hmac(uint8_t *src, uint8_t *dst,
+process_openssl_auth_hmac(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
                __rte_unused uint8_t *iv, EVP_PKEY *pkey,
-               int srclen,     EVP_MD_CTX *ctx, const EVP_MD *algo)
+               int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
 {
        size_t dstlen;
+       struct rte_mbuf *m;
+       int l, n = srclen;
+       uint8_t *src;
+
+       for (m = mbuf_src; m != NULL && offset > rte_pktmbuf_data_len(m);
+                       m = m->next)
+               offset -= rte_pktmbuf_data_len(m);
+
+       if (m == 0)
+               goto process_auth_err;
 
        if (EVP_DigestSignInit(ctx, NULL, algo, NULL, pkey) <= 0)
                goto process_auth_err;
 
-       if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
+       src = rte_pktmbuf_mtod_offset(m, uint8_t *, offset);
+
+       l = rte_pktmbuf_data_len(m) - offset;
+       if (srclen <= l) {
+               if (EVP_DigestSignUpdate(ctx, (char *)src, srclen) <= 0)
+                       goto process_auth_err;
+               goto process_auth_final;
+       }
+
+       if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
                goto process_auth_err;
 
+       n -= l;
+
+       for (m = m->next; (m != NULL) && (n > 0); m = m->next) {
+               src = rte_pktmbuf_mtod(m, uint8_t *);
+               l = rte_pktmbuf_data_len(m) < n ? rte_pktmbuf_data_len(m) : n;
+               if (EVP_DigestSignUpdate(ctx, (char *)src, l) <= 0)
+                       goto process_auth_err;
+               n -= l;
+       }
+
+process_auth_final:
        if (EVP_DigestSignFinal(ctx, dst, &dstlen) <= 0)
                goto process_auth_err;
 
@@ -722,9 +890,18 @@ process_openssl_combined_op
                struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
 {
        /* cipher */
-       uint8_t *src = NULL, *dst = NULL, *iv, *tag, *aad;
+       uint8_t *dst = NULL, *iv, *tag, *aad;
        int srclen, ivlen, aadlen, status = -1;
 
+       /*
+        * Segmented destination buffer is not supported for
+        * encryption/decryption
+        */
+       if (!rte_pktmbuf_is_contiguous(mbuf_dst)) {
+               op->status = RTE_CRYPTO_OP_STATUS_ERROR;
+               return;
+       }
+
        iv = op->sym->cipher.iv.data;
        ivlen = op->sym->cipher.iv.length;
        aad = op->sym->auth.aad.data;
@@ -740,22 +917,22 @@ process_openssl_combined_op
                srclen = 0;
        else {
                srclen = op->sym->cipher.data.length;
-               src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
-                               op->sym->cipher.data.offset);
                dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
                                op->sym->cipher.data.offset);
        }
 
        if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
                status = process_openssl_auth_encryption_gcm(
-                               src, srclen, aad, aadlen, iv, ivlen,
-                               sess->cipher.key.data, dst, tag,
-                               sess->cipher.ctx, sess->cipher.evp_algo);
+                               mbuf_src, op->sym->cipher.data.offset, srclen,
+                               aad, aadlen, iv, ivlen, sess->cipher.key.data,
+                               dst, tag, sess->cipher.ctx,
+                               sess->cipher.evp_algo);
        else
                status = process_openssl_auth_decryption_gcm(
-                               src, srclen, aad, aadlen, iv, ivlen,
-                               sess->cipher.key.data, dst, tag,
-                               sess->cipher.ctx, sess->cipher.evp_algo);
+                               mbuf_src, op->sym->cipher.data.offset, srclen,
+                               aad, aadlen, iv, ivlen, sess->cipher.key.data,
+                               dst, tag, sess->cipher.ctx,
+                               sess->cipher.evp_algo);
 
        if (status != 0) {
                if (status == (-EFAULT) &&
@@ -773,12 +950,19 @@ process_openssl_cipher_op
                (struct rte_crypto_op *op, struct openssl_session *sess,
                struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
 {
-       uint8_t *src, *dst, *iv;
+       uint8_t *dst, *iv;
        int srclen, status;
 
+       /*
+        * Segmented destination buffer is not supported for
+        * encryption/decryption
+        */
+       if (!rte_pktmbuf_is_contiguous(mbuf_dst)) {
+               op->status = RTE_CRYPTO_OP_STATUS_ERROR;
+               return;
+       }
+
        srclen = op->sym->cipher.data.length;
-       src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
-                       op->sym->cipher.data.offset);
        dst = rte_pktmbuf_mtod_offset(mbuf_dst, uint8_t *,
                        op->sym->cipher.data.offset);
 
@@ -786,17 +970,20 @@ process_openssl_cipher_op
 
        if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
                if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
-                       status = process_openssl_cipher_encrypt(src, dst, iv,
+                       status = process_openssl_cipher_encrypt(mbuf_src, dst,
+                                       op->sym->cipher.data.offset, iv,
                                        sess->cipher.key.data, srclen,
                                        sess->cipher.ctx,
                                        sess->cipher.evp_algo);
                else
-                       status = process_openssl_cipher_decrypt(src, dst, iv,
+                       status = process_openssl_cipher_decrypt(mbuf_src, dst,
+                                       op->sym->cipher.data.offset, iv,
                                        sess->cipher.key.data, srclen,
                                        sess->cipher.ctx,
                                        sess->cipher.evp_algo);
        else
-               status = process_openssl_cipher_des3ctr(src, dst, iv,
+               status = process_openssl_cipher_des3ctr(mbuf_src, dst,
+                               op->sym->cipher.data.offset, iv,
                                sess->cipher.key.data, srclen,
                                sess->cipher.ctx);
 
@@ -810,12 +997,10 @@ process_openssl_auth_op
                (struct rte_crypto_op *op, struct openssl_session *sess,
                struct rte_mbuf *mbuf_src, struct rte_mbuf *mbuf_dst)
 {
-       uint8_t *src, *dst;
+       uint8_t *dst;
        int srclen, status;
 
        srclen = op->sym->auth.data.length;
-       src = rte_pktmbuf_mtod_offset(mbuf_src, uint8_t *,
-                       op->sym->auth.data.offset);
 
        if (sess->auth.operation == RTE_CRYPTO_AUTH_OP_VERIFY)
                dst = (uint8_t *)rte_pktmbuf_append(mbuf_src,
@@ -830,13 +1015,14 @@ process_openssl_auth_op
 
        switch (sess->auth.mode) {
        case OPENSSL_AUTH_AS_AUTH:
-               status = process_openssl_auth(src, dst,
-                               NULL, NULL,     srclen,
+               status = process_openssl_auth(mbuf_src, dst,
+                               op->sym->auth.data.offset, NULL, NULL, srclen,
                                sess->auth.auth.ctx, sess->auth.auth.evp_algo);
                break;
        case OPENSSL_AUTH_AS_HMAC:
-               status = process_openssl_auth_hmac(src, dst,
-                               NULL, sess->auth.hmac.pkey, srclen,
+               status = process_openssl_auth_hmac(mbuf_src, dst,
+                               op->sym->auth.data.offset, NULL,
+                               sess->auth.hmac.pkey, srclen,
                                sess->auth.hmac.ctx, sess->auth.hmac.evp_algo);
                break;
        default:
@@ -850,8 +1036,7 @@ process_openssl_auth_op
                        op->status = RTE_CRYPTO_OP_STATUS_AUTH_FAILED;
                }
                /* Trim area used for digest from mbuf. */
-               rte_pktmbuf_trim(mbuf_src,
-                               op->sym->auth.digest.length);
+               rte_pktmbuf_trim(mbuf_src, op->sym->auth.digest.length);
        }
 
        if (status != 0)
@@ -902,7 +1087,6 @@ process_op(const struct openssl_qp *qp, struct rte_crypto_op *op,
                op->sym->session = NULL;
        }
 
-
        if (op->status == RTE_CRYPTO_OP_STATUS_NOT_PROCESSED)
                op->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
 
@@ -996,7 +1180,8 @@ cryptodev_openssl_create(const char *name,
 
        dev->feature_flags = RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
                        RTE_CRYPTODEV_FF_SYM_OPERATION_CHAINING |
-                       RTE_CRYPTODEV_FF_CPU_AESNI;
+                       RTE_CRYPTODEV_FF_CPU_AESNI |
+                       RTE_CRYPTODEV_FF_MBUF_SCATTER_GATHER;
 
        /* Set vector instructions mode supported */
        internals = dev->data->dev_private;