[dpdk-stable] patch 'crypto/openssl: use local copy for session contexts' has been queued to LTS release 17.11.10

luca.boccassi at gmail.com luca.boccassi at gmail.com
Thu Dec 19 15:34:13 CET 2019


Hi,

FYI, your patch has been queued to LTS release 17.11.10

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/21/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 0a6364cb0886cfdc7c6dc349ce56d4c45f51fb34 Mon Sep 17 00:00:00 2001
From: Thierry Herbelot <thierry.herbelot at 6wind.com>
Date: Wed, 11 Sep 2019 18:06:01 +0200
Subject: [PATCH] crypto/openssl: use local copy for session contexts

[ upstream commit 67ab783b5d70aed77d9ee3f3ae4688a70c42a49a ]

Session contexts are used for temporary storage when processing a
packet.
If packets for the same session are to be processed simultaneously on
multiple cores, separate contexts must be used.

Note: with openssl 1.1.1 EVP_CIPHER_CTX can no longer be defined as a
variable on the stack: it must be allocated. This in turn reduces the
performance.

Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")

Signed-off-by: Thierry Herbelot <thierry.herbelot at 6wind.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 34 +++++++++++++++++-------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 7b18bd42e7..24304d539c 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1296,6 +1296,7 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
+	EVP_CIPHER_CTX *ctx_copy;
 
 	/*
 	 * Segmented destination buffer is not supported for
@@ -1332,6 +1333,8 @@ process_openssl_combined_op
 	}
 
 	taglen = sess->auth.digest_length;
+	ctx_copy = EVP_CIPHER_CTX_new();
+	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
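Review bot: The result of `EVP_CIPHER_CTX_new()` and the return value of `EVP_CIPHER_CTX_copy()` are both ignored here, so an allocation or copy failure on this per-packet path hands a NULL or unkeyed context to the GCM/CCM helpers instead of failing the operation cleanly. A guard such as `if (ctx_copy == NULL || EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx) != 1)` that frees `ctx_copy`, skips the helper calls and leaves `status` at its initial -1 would route the failure through the existing `status != 0` handling. The same unchecked pattern is repeated in process_openssl_cipher_op (`EVP_CIPHER_CTX_new`/`EVP_CIPHER_CTX_copy`) and in process_openssl_auth_op (`EVP_MD_CTX_create`/`EVP_MD_CTX_copy_ex`, `HMAC_CTX_new`/`HMAC_CTX_copy`). process_openssl_combined_op starts and ends outside this hunk, so the exact shape of the error exit needs checking against the full function.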
@@ -1339,12 +1342,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, sess->cipher.ctx);
+					dst, tag, ctx_copy);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, sess->cipher.ctx);
+					dst, tag, taglen, ctx_copy);
 
 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1352,14 +1355,15 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, sess->cipher.ctx);
+					dst, tag, ctx_copy);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, sess->cipher.ctx);
+					dst, tag, taglen, ctx_copy);
 	}
 
+	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1378,6 +1382,7 @@ process_openssl_cipher_op
 {
 	uint8_t *dst, *iv;
 	int srclen, status;
+	EVP_CIPHER_CTX *ctx_copy;
 
 	/*
 	 * Segmented destination buffer is not supported for
@@ -1394,22 +1399,25 @@ process_openssl_cipher_op
 
 	iv = rte_crypto_op_ctod_offset(op, uint8_t *,
 			sess->iv.offset);
+	ctx_copy = EVP_CIPHER_CTX_new();
+	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
 	if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
 		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					srclen, sess->cipher.ctx);
+					srclen, ctx_copy);
 		else
 			status = process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					srclen, sess->cipher.ctx);
+					srclen, ctx_copy);
 	else
 		status = process_openssl_cipher_des3ctr(mbuf_src, dst,
 				op->sym->cipher.data.offset, iv,
 				sess->cipher.key.data, srclen,
-				sess->cipher.ctx);
+				ctx_copy);
 
+	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0)
 		op->status = RTE_CRYPTO_OP_STATUS_ERROR;
 }
@@ -1513,6 +1521,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 {
 	uint8_t *dst;
 	int srclen, status;
+	EVP_MD_CTX *ctx_a;
+	HMAC_CTX *ctx_h;
 
 	srclen = op->sym->auth.data.length;
 
@@ -1528,14 +1538,20 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	switch (sess->auth.mode) {
 	case OPENSSL_AUTH_AS_AUTH:
+		ctx_a = EVP_MD_CTX_create();
+		EVP_MD_CTX_copy_ex(ctx_a, sess->auth.auth.ctx);
 		status = process_openssl_auth(mbuf_src, dst,
 				op->sym->auth.data.offset, NULL, NULL, srclen,
-				sess->auth.auth.ctx, sess->auth.auth.evp_algo);
+				ctx_a, sess->auth.auth.evp_algo);
+		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+		ctx_h = HMAC_CTX_new();
+		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
-				sess->auth.hmac.ctx);
+				ctx_h);
+		HMAC_CTX_free(ctx_h);
 		break;
 	default:
 		status = -1;
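Review bot: Neither case says why the session context is duplicated before use, and a later cleanup could easily turn `ctx_a`/`ctx_h` back into direct uses of `sess->auth.auth.ctx` and `sess->auth.hmac.ctx` to save the per-packet allocation. A short comment above the switch, e.g. `/* Use a private copy: the session contexts are shared by every core processing this session */`, would record the reason given in the commit message. The switch and process_openssl_auth_op continue past the end of this hunk.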
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-12-19 14:32:30.537009914 +0000
+++ 0106-crypto-openssl-use-local-copy-for-session-contexts.patch	2019-12-19 14:32:26.245300601 +0000
@@ -1,8 +1,10 @@
-From 67ab783b5d70aed77d9ee3f3ae4688a70c42a49a Mon Sep 17 00:00:00 2001
+From 0a6364cb0886cfdc7c6dc349ce56d4c45f51fb34 Mon Sep 17 00:00:00 2001
 From: Thierry Herbelot <thierry.herbelot at 6wind.com>
 Date: Wed, 11 Sep 2019 18:06:01 +0200
 Subject: [PATCH] crypto/openssl: use local copy for session contexts
 
+[ upstream commit 67ab783b5d70aed77d9ee3f3ae4688a70c42a49a ]
+
 Session contexts are used for temporary storage when processing a
 packet.
 If packets for the same session are to be processed simultaneously on
@@ -13,7 +15,6 @@
 performance.
 
 Fixes: d61f70b4c918 ("crypto/libcrypto: add driver for OpenSSL library")
-Cc: stable at dpdk.org
 
 Signed-off-by: Thierry Herbelot <thierry.herbelot at 6wind.com>
 ---
@@ -21,10 +22,10 @@
  1 file changed, 25 insertions(+), 9 deletions(-)
 
 diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
-index 6a75223fff..d68713e7e5 100644
+index 7b18bd42e7..24304d539c 100644
 --- a/drivers/crypto/openssl/rte_openssl_pmd.c
 +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
-@@ -1290,6 +1290,7 @@ process_openssl_combined_op
+@@ -1296,6 +1296,7 @@ process_openssl_combined_op
  	int srclen, aadlen, status = -1;
  	uint32_t offset;
  	uint8_t taglen;
@@ -32,7 +33,7 @@
  
  	/*
  	 * Segmented destination buffer is not supported for
-@@ -1326,6 +1327,8 @@ process_openssl_combined_op
+@@ -1332,6 +1333,8 @@ process_openssl_combined_op
  	}
  
  	taglen = sess->auth.digest_length;
@@ -41,7 +42,7 @@
  
  	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
-@@ -1333,12 +1336,12 @@ process_openssl_combined_op
+@@ -1339,12 +1342,12 @@ process_openssl_combined_op
  			status = process_openssl_auth_encryption_gcm(
  					mbuf_src, offset, srclen,
  					aad, aadlen, iv,
@@ -56,7 +57,7 @@
  
  	} else {
  		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
-@@ -1346,14 +1349,15 @@ process_openssl_combined_op
+@@ -1352,14 +1355,15 @@ process_openssl_combined_op
  			status = process_openssl_auth_decryption_gcm(
  					mbuf_src, offset, srclen,
  					aad, aadlen, iv,
@@ -74,7 +75,7 @@
  	if (status != 0) {
  		if (status == (-EFAULT) &&
  				sess->auth.operation ==
-@@ -1372,6 +1376,7 @@ process_openssl_cipher_op
+@@ -1378,6 +1382,7 @@ process_openssl_cipher_op
  {
  	uint8_t *dst, *iv;
  	int srclen, status;
@@ -82,7 +83,7 @@
  
  	/*
  	 * Segmented destination buffer is not supported for
-@@ -1388,22 +1393,25 @@ process_openssl_cipher_op
+@@ -1394,22 +1399,25 @@ process_openssl_cipher_op
  
  	iv = rte_crypto_op_ctod_offset(op, uint8_t *,
  			sess->iv.offset);
@@ -111,7 +112,7 @@
  	if (status != 0)
  		op->status = RTE_CRYPTO_OP_STATUS_ERROR;
  }
-@@ -1507,6 +1515,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
+@@ -1513,6 +1521,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
  {
  	uint8_t *dst;
  	int srclen, status;
@@ -120,7 +121,7 @@
  
  	srclen = op->sym->auth.data.length;
  
-@@ -1514,14 +1524,20 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
+@@ -1528,14 +1538,20 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
  
  	switch (sess->auth.mode) {
  	case OPENSSL_AUTH_AS_AUTH:

