patches for DPDK stable branches
 help / color / Atom feed
* [dpdk-stable] [PATCH] drivers/crypto/openssl: use a local copy for the session contexts
@ 2019-09-11 16:06 Thierry Herbelot
  2019-11-07 10:08 ` [dpdk-stable] [dpdk-dev] " Akhil Goyal
  0 siblings, 1 reply; 2+ messages in thread
From: Thierry Herbelot @ 2019-09-11 16:06 UTC (permalink / raw)
  To: dev; +Cc: Thomas Monjalon, stable, declan.doherty

Session contexts are used for temporary storage when processing a
packet.
If packets for the same session are to be processed simultaneously on
multiple cores, separate contexts must be used.

Note: with openssl 1.1.1 EVP_CIPHER_CTX can no longer be defined as a
variable on the stack: it must be allocated. This in turn reduces the
performance.

Fixes: d61f70b4c918 ('crypto/libcrypto: add driver for OpenSSL library')
Cc: stable@dpdk.org
Cc: declan.doherty@intel.com

Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
---
 drivers/crypto/openssl/rte_openssl_pmd.c | 34 +++++++++++++++++-------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 2f5552840741..ce2d12347737 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -1290,6 +1290,7 @@ process_openssl_combined_op
 	int srclen, aadlen, status = -1;
 	uint32_t offset;
 	uint8_t taglen;
+	EVP_CIPHER_CTX *ctx_copy;
 
 	/*
 	 * Segmented destination buffer is not supported for
@@ -1326,6 +1327,8 @@ process_openssl_combined_op
 	}
 
 	taglen = sess->auth.digest_length;
+	ctx_copy = EVP_CIPHER_CTX_new();
+	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
 	if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1333,12 +1336,12 @@ process_openssl_combined_op
 			status = process_openssl_auth_encryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, sess->cipher.ctx);
+					dst, tag, ctx_copy);
 		else
 			status = process_openssl_auth_encryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, sess->cipher.ctx);
+					dst, tag, taglen, ctx_copy);
 
 	} else {
 		if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||
@@ -1346,14 +1349,15 @@ process_openssl_combined_op
 			status = process_openssl_auth_decryption_gcm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, sess->cipher.ctx);
+					dst, tag, ctx_copy);
 		else
 			status = process_openssl_auth_decryption_ccm(
 					mbuf_src, offset, srclen,
 					aad, aadlen, iv,
-					dst, tag, taglen, sess->cipher.ctx);
+					dst, tag, taglen, ctx_copy);
 	}
 
+	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0) {
 		if (status == (-EFAULT) &&
 				sess->auth.operation ==
@@ -1372,6 +1376,7 @@ process_openssl_cipher_op
 {
 	uint8_t *dst, *iv;
 	int srclen, status;
+	EVP_CIPHER_CTX *ctx_copy;
 
 	/*
 	 * Segmented destination buffer is not supported for
@@ -1388,22 +1393,25 @@ process_openssl_cipher_op
 
 	iv = rte_crypto_op_ctod_offset(op, uint8_t *,
 			sess->iv.offset);
+	ctx_copy = EVP_CIPHER_CTX_new();
+	EVP_CIPHER_CTX_copy(ctx_copy, sess->cipher.ctx);
 
 	if (sess->cipher.mode == OPENSSL_CIPHER_LIB)
 		if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
 			status = process_openssl_cipher_encrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					srclen, sess->cipher.ctx);
+					srclen, ctx_copy);
 		else
 			status = process_openssl_cipher_decrypt(mbuf_src, dst,
 					op->sym->cipher.data.offset, iv,
-					srclen, sess->cipher.ctx);
+					srclen, ctx_copy);
 	else
 		status = process_openssl_cipher_des3ctr(mbuf_src, dst,
 				op->sym->cipher.data.offset, iv,
 				sess->cipher.key.data, srclen,
-				sess->cipher.ctx);
+				ctx_copy);
 
+	EVP_CIPHER_CTX_free(ctx_copy);
 	if (status != 0)
 		op->status = RTE_CRYPTO_OP_STATUS_ERROR;
 }
@@ -1507,6 +1515,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 {
 	uint8_t *dst;
 	int srclen, status;
+	EVP_MD_CTX *ctx_a;
+	HMAC_CTX *ctx_h;
 
 	srclen = op->sym->auth.data.length;
 
@@ -1514,14 +1524,20 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	switch (sess->auth.mode) {
 	case OPENSSL_AUTH_AS_AUTH:
+		ctx_a = EVP_MD_CTX_create();
+		EVP_MD_CTX_copy_ex(ctx_a, sess->auth.auth.ctx);
 		status = process_openssl_auth(mbuf_src, dst,
 				op->sym->auth.data.offset, NULL, NULL, srclen,
-				sess->auth.auth.ctx, sess->auth.auth.evp_algo);
+				ctx_a, sess->auth.auth.evp_algo);
+		EVP_MD_CTX_destroy(ctx_a);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
+		ctx_h = HMAC_CTX_new();
+		HMAC_CTX_copy(ctx_h, sess->auth.hmac.ctx);
 		status = process_openssl_auth_hmac(mbuf_src, dst,
 				op->sym->auth.data.offset, srclen,
-				sess->auth.hmac.ctx);
+				ctx_h);
+		HMAC_CTX_free(ctx_h);
 		break;
 	default:
 		status = -1;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [dpdk-stable] [dpdk-dev] [PATCH] drivers/crypto/openssl: use a local copy for the session contexts
  2019-09-11 16:06 [dpdk-stable] [PATCH] drivers/crypto/openssl: use a local copy for the session contexts Thierry Herbelot
@ 2019-11-07 10:08 ` " Akhil Goyal
  0 siblings, 0 replies; 2+ messages in thread
From: Akhil Goyal @ 2019-11-07 10:08 UTC (permalink / raw)
  To: Thierry Herbelot, dev; +Cc: Thomas Monjalon, stable, declan.doherty


> Session contexts are used for temporary storage when processing a
> packet.
> If packets for the same session are to be processed simultaneously on
> multiple cores, separate contexts must be used.
> 
> Note: with openssl 1.1.1 EVP_CIPHER_CTX can no longer be defined as a
> variable on the stack: it must be allocated. This in turn reduces the
> performance.
> 
> Fixes: d61f70b4c918 ('crypto/libcrypto: add driver for OpenSSL library')
> Cc: stable@dpdk.org
> Cc: declan.doherty@intel.com
> 
> Signed-off-by: Thierry Herbelot <thierry.herbelot@6wind.com>
> ---

Applied to dpdk-next-crypto

Thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-11 16:06 [dpdk-stable] [PATCH] drivers/crypto/openssl: use a local copy for the session contexts Thierry Herbelot
2019-11-07 10:08 ` [dpdk-stable] [dpdk-dev] " Akhil Goyal

patches for DPDK stable branches

Archives are clonable:
	git clone --mirror http://inbox.dpdk.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ http://inbox.dpdk.org/stable \
		stable@dpdk.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox