From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 54B32457A1 for ; Mon, 12 Aug 2024 14:53:42 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 52C2A402C3; Mon, 12 Aug 2024 14:53:41 +0200 (CEST) Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2082.outbound.protection.outlook.com [40.107.237.82]) by mails.dpdk.org (Postfix) with ESMTP id E03A34029C for ; Mon, 12 Aug 2024 14:53:39 +0200 (CEST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=QkFItlZXhw6SSjPJ0cgz+j8WxAShFKNjBTv4NagZiNUQRUhWCpy90QDt5c3J2kAd63/PrIGuxIEW5w7YhUFAmFusHDN/fouo1oGY8DQlar6jjXIEU/K8VdM+FLBSoHu9B4S8xuEq1EAiw0kTKngqc4/Fph2RjncLyxxfMUe4M21zd6s0ko8XZBzEXLJ8cdcEcukmOpYr7KCNjkHDFmwJUdwIzZAQGzEDuywvYq1cwIXS5TpZ6aOEbkwGJp6utaJVfxrms8qeSA9hCTu7f3CFIlc9Rr2t+K6VQGUUhz1zOg+AvQ2K7YLIrUEzXPepPbEYIUEYDxmIIrBEkDUJkl8w4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IO4w1JKO7cccuGq7o3i399bGYQEnCWLe1YaWCw0td9k=; b=KpVaiJhERHG4wAWAodhE1I8zYURPDjERURxU2JfCEg6X/TKD3w9AXnc4i8KhgJDMevcZuDkDa5VvEbNMbmZxQKUROzwKOGyxgEjD8GmAU9wgAeHqBtuJVVp31lzKfk6I4UTHicpXJgafKO1eUvEAkn94XVko/SydJqAbqfrGA5KrycwN1TWUENIMjyNB+zi9oEZFvcwHYDi/GLudOA027np6rbnyQOwlG+kKZtrdqQhdIk46fVfJAZXSALyUo/8V20WHch2Y67ImdjWJJMSap0g+8L5qixgTqGB8XeQMXzUPvq9kLSGYCZAwSDrVz0xOh+EntOPD3yaWZTfv15mNBg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=foss.arm.com smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IO4w1JKO7cccuGq7o3i399bGYQEnCWLe1YaWCw0td9k=; b=QRdnNBX71tzBd4GiOstmNsMzGAZ/1no02EKPLGcLslOdprkmAr2R7Ahi6jp+YrhrhPmI5Fvh9oEvY7OfNOa3V3ytK/08UCi+qrko4IYhNrN8LrFmCbwoXnO3kdG0Tq6btJX9SRLkwB36dVYIf3dd45lpe5BHxqrPYdSR0EIhK/7jJ1a5Mv+rgk4IuHz7vVVqlYPx3Hdt6XFB0Yto3AUjYs9MlSqd3dyqcef1hlao4PJSERnNGz382KoFlQrMzz2JE+Jz1UM3hR8P1cWNreNmWBm5Fg7L+bxA3f+bXieZrgKhMAdI588m9Y3xTBMj3z5sfD/sOGrGR4xBqqylTkeuFw== Received: from DS7PR03CA0327.namprd03.prod.outlook.com (2603:10b6:8:2b::35) by MW4PR12MB7029.namprd12.prod.outlook.com (2603:10b6:303:1eb::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7849.19; Mon, 12 Aug 2024 12:53:35 +0000 Received: from DS1PEPF00017090.namprd03.prod.outlook.com (2603:10b6:8:2b:cafe::9b) by DS7PR03CA0327.outlook.office365.com (2603:10b6:8:2b::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.33 via Frontend Transport; Mon, 12 Aug 2024 12:53:35 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by DS1PEPF00017090.mail.protection.outlook.com (10.167.17.132) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.19 via Frontend Transport; Mon, 12 Aug 2024 12:53:34 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Mon, 12 Aug 2024 05:53:21 -0700 Received: from nvidia.com (10.126.230.35) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Mon, 12 Aug 2024 05:53:19 -0700 From: Xueming Li To: Jack Bond-Preston CC: , Kai Ji , Wathsala Vithanage , dpdk stable Subject: patch 'crypto/openssl: fix GCM and CCM thread unsafe contexts' has been queued to stable release 23.11.2 Date: Mon, 12 Aug 2024 20:48:22 +0800 Message-ID: <20240812125035.389667-26-xuemingl@nvidia.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240812125035.389667-1-xuemingl@nvidia.com> References: <20240712110153.309690-23-xuemingl@nvidia.com> <20240812125035.389667-1-xuemingl@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.126.230.35] X-ClientProxiedBy: rnnvmail201.nvidia.com (10.129.68.8) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS1PEPF00017090:EE_|MW4PR12MB7029:EE_ X-MS-Office365-Filtering-Correlation-Id: 12d29909-2253-43f4-4430-08dcbacdc6de X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; ARA:13230040|36860700013|376014|82310400026|1800799024; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?lOmxTtzShNJL9LQW2z+j1sNHUU6pq2doxTHI6Tl3XHzjp+uSPJV8icQs4TYH?= =?us-ascii?Q?24YoYKoeLWL+KnOKkUwvN7hYaywuoiN6oI0bWQuLjGUEG56jMA6Ed/QBtz4N?= =?us-ascii?Q?uKhM0H4OsIE5l7k7Arm0a8l9fcj5ZAboQQB4gWvL/EOnzekZtdEk902mogYQ?= =?us-ascii?Q?Dtn4o2vq8CkWKOJXb9S4MlErKPR9S8FCbqKYrMh7BQJm7ynL7Tgb877iCLnP?= =?us-ascii?Q?BTLA/qDY5z/+JKzB0adjxqatZ+J3FD7Sn5VczgER2nqJKfamENg/2wj4Bzmu?= =?us-ascii?Q?Sy8W6KRWwfFxDrc88sBwCr63imLNMisKwPD2+qX/IbECevCcHuyoHTbSOSZX?= =?us-ascii?Q?3nxj2JQuHMelZrEK8DQLMXbmp/h+gJY0CUQYJDdu583HWrVzNS03fFoKkfA0?= =?us-ascii?Q?QouFIYzi/IXc+8K1E3tMXxN2SDpUblvx97mIh9Mhm08foPobGuhyFKcBTMdB?= =?us-ascii?Q?h+5JY0wEqssrDOUlrnIv2kH2vystIu8rXG0NAM2mCxAbr7xkKXt+nB5E2xN2?= =?us-ascii?Q?ZZF0c8wfU19csXjS4np8xyiKjN6UKx4854CUffioVWsafhTwjFw9+TPnshtU?= =?us-ascii?Q?SQuvtbks8lO3MEis3ECCJDiFkmqMT1Fh6Of6VnUnFH5k4zQc3Hj7/cj8xUJF?= =?us-ascii?Q?j9uEMBs1+wKV1jwwIA3Zs6HVvYGLigRvxHPhpg9bLqm4gd4+gKRCHFu8jmnE?= =?us-ascii?Q?gm0s+YHrYGwvo4WFN3F0E18S3pwPj7uS83YdSmGPtQsVNs2nfJYQaG9twKnG?= =?us-ascii?Q?GOsCo3u3N0vdAYayoE7XaCpBAM5JhMKS1JVQ/8JapFUMsNGHboIyFctCFCqG?= =?us-ascii?Q?8ZCEsFt0l5uARm65VtEldVb/AIcciZIQd1+8Xp+59xYNc1IRii0OxRDus8jS?= =?us-ascii?Q?EH0Dc6zkpSF5MQnJjR5sfm17FYynMpIG94OynL7HIDaez0kogjeI+SxTtq0B?= =?us-ascii?Q?nvBz35606ACeLFKkpGteZLUmwAlpJ0nC6+CJHsUia0+XLO64cX1mESDuGI7x?= =?us-ascii?Q?hQvHB6cQD+iUnhcpzqWgXQAEOj/O0w2s4R+RBSdx9RMu0VdCQOzbclP7ppBG?= =?us-ascii?Q?wAQyOIPme9JO4sYguQQ41D3KPQ4rHJmD3/lEnkt/hcOTettJ2fFkqx6v4N2A?= =?us-ascii?Q?viW4EruxUMggNVrRSLB+xATI9t11TSdQDnJXjruaP2jbkZf5G2JZACg4q70x?= =?us-ascii?Q?QGh9drelHaHpB5xj32QQLUApNSQsiD32G2POKfk6xs3dOzUH/0fDwS2OP5Mu?= =?us-ascii?Q?b/7Tf93VWXkOnxfNt9ntb2gVpxxg0/dirZYuauRiPJEvkg/ciTDMOk8nX8eO?= =?us-ascii?Q?CB/Zo04stsEt7+cjV5RSHRbEIcLPy2zVscqGGH3V3WgVGSSlUFEUgDaUJl3Q?= =?us-ascii?Q?rOAqiinof8WI3jAOAlG6KHmnjKC/6jwSi/F+WnMK2QV5R9FiB6LcMJtSahny?= =?us-ascii?Q?aTw3Kp+t+6Jkmr43bk2kD/217p2Ib9z0?= X-Forefront-Antispam-Report: CIP:216.228.117.160; CTRY:US; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:mail.nvidia.com; PTR:dc6edge1.nvidia.com; CAT:NONE; SFS:(13230040)(36860700013)(376014)(82310400026)(1800799024); DIR:OUT; SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Aug 2024 12:53:34.5878 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 12d29909-2253-43f4-4430-08dcbacdc6de X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a; Ip=[216.228.117.160]; Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: DS1PEPF00017090.namprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR12MB7029 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Hi, FYI, your patch has been queued to stable release 23.11.2 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 08/14/24. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging This queued commit can be viewed at: https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=eb6a1a85e6fedeaac5c3aca29db91173e5ebaa92 Thanks. Xueming Li --- >From eb6a1a85e6fedeaac5c3aca29db91173e5ebaa92 Mon Sep 17 00:00:00 2001 From: Jack Bond-Preston Date: Wed, 3 Jul 2024 13:45:47 +0000 Subject: [PATCH] crypto/openssl: fix GCM and CCM thread unsafe contexts Cc: Xueming Li [ upstream commit 78d7765f0acbb23168b7b25e25d775bea22c48ab ] Commit 67ab783b5d70 ("crypto/openssl: use local copy for session contexts") introduced a fix for concurrency bugs which could occur when using one OpenSSL PMD session across multiple cores simultaneously. The solution was to clone the EVP contexts per-buffer to avoid them being used concurrently. However, part of commit 75adf1eae44f ("crypto/openssl: update HMAC routine with 3.0 EVP API") reverted this fix, only for combined ops (AES-GCM and AES-CCM). Fix the concurrency issue by cloning EVP contexts per-buffer. An extra workaround is required for OpenSSL versions which are >= 3.0.0, and <= 3.2.0. This is because, prior to OpenSSL 3.2.0, EVP_CIPHER_CTX_copy() is not implemented for AES-GCM or AES-CCM. When using these OpenSSL versions, create and initialise the context from scratch, per-buffer. Throughput performance uplift measurements for AES-GCM-128 encrypt on Ampere Altra Max platform: 1 worker lcore | buffer sz (B) | prev (Gbps) | optimised (Gbps) | uplift | |-----------------+---------------+--------------------+----------| | 64 | 2.60 | 1.31 | -49.5% | | 256 | 7.69 | 4.45 | -42.1% | | 1024 | 15.33 | 11.30 | -26.3% | | 2048 | 18.74 | 15.37 | -18.0% | | 4096 | 21.11 | 18.80 | -10.9% | 8 worker lcores | buffer sz (B) | prev (Gbps) | optimised (Gbps) | uplift | |-----------------+---------------+--------------------+----------| | 64 | 19.94 | 2.83 | -85.8% | | 256 | 58.84 | 11.00 | -81.3% | | 1024 | 119.71 | 42.46 | -64.5% | | 2048 | 147.69 | 80.91 | -45.2% | | 4096 | 167.39 | 121.25 | -27.6% | Fixes: 75adf1eae44f ("crypto/openssl: update HMAC routine with 3.0 EVP API") Signed-off-by: Jack Bond-Preston Acked-by: Kai Ji Reviewed-by: Wathsala Vithanage --- drivers/crypto/openssl/rte_openssl_pmd.c | 84 ++++++++++++++++++------ 1 file changed, 64 insertions(+), 20 deletions(-) diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index e8cb09defc..3e547c2039 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -350,7 +350,8 @@ get_aead_algo(enum rte_crypto_aead_algorithm sess_algo, size_t keylen, static int openssl_set_sess_aead_enc_param(struct openssl_session *sess, enum rte_crypto_aead_algorithm algo, - uint8_t tag_len, const uint8_t *key) + uint8_t tag_len, const uint8_t *key, + EVP_CIPHER_CTX **ctx) { int iv_type = 0; unsigned int do_ccm; @@ -378,7 +379,7 @@ openssl_set_sess_aead_enc_param(struct openssl_session *sess, } sess->cipher.mode = OPENSSL_CIPHER_LIB; - sess->cipher.ctx = EVP_CIPHER_CTX_new(); + *ctx = EVP_CIPHER_CTX_new(); if (get_aead_algo(algo, sess->cipher.key.length, &sess->cipher.evp_algo) != 0) @@ -388,19 +389,19 @@ openssl_set_sess_aead_enc_param(struct openssl_session *sess, sess->chain_order = OPENSSL_CHAIN_COMBINED; - if (EVP_EncryptInit_ex(sess->cipher.ctx, sess->cipher.evp_algo, + if (EVP_EncryptInit_ex(*ctx, sess->cipher.evp_algo, NULL, NULL, NULL) <= 0) return -EINVAL; - if (EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, iv_type, sess->iv.length, + if (EVP_CIPHER_CTX_ctrl(*ctx, iv_type, sess->iv.length, NULL) <= 0) return -EINVAL; if (do_ccm) - EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, EVP_CTRL_CCM_SET_TAG, + EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_CCM_SET_TAG, tag_len, NULL); - if (EVP_EncryptInit_ex(sess->cipher.ctx, NULL, NULL, key, NULL) <= 0) + if (EVP_EncryptInit_ex(*ctx, NULL, NULL, key, NULL) <= 0) return -EINVAL; return 0; @@ -410,7 +411,8 @@ openssl_set_sess_aead_enc_param(struct openssl_session *sess, static int openssl_set_sess_aead_dec_param(struct openssl_session *sess, enum rte_crypto_aead_algorithm algo, - uint8_t tag_len, const uint8_t *key) + uint8_t tag_len, const uint8_t *key, + EVP_CIPHER_CTX **ctx) { int iv_type = 0; unsigned int do_ccm = 0; @@ -437,7 +439,7 @@ openssl_set_sess_aead_dec_param(struct openssl_session *sess, } sess->cipher.mode = OPENSSL_CIPHER_LIB; - sess->cipher.ctx = EVP_CIPHER_CTX_new(); + *ctx = EVP_CIPHER_CTX_new(); if (get_aead_algo(algo, sess->cipher.key.length, &sess->cipher.evp_algo) != 0) @@ -447,24 +449,54 @@ openssl_set_sess_aead_dec_param(struct openssl_session *sess, sess->chain_order = OPENSSL_CHAIN_COMBINED; - if (EVP_DecryptInit_ex(sess->cipher.ctx, sess->cipher.evp_algo, + if (EVP_DecryptInit_ex(*ctx, sess->cipher.evp_algo, NULL, NULL, NULL) <= 0) return -EINVAL; - if (EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, iv_type, + if (EVP_CIPHER_CTX_ctrl(*ctx, iv_type, sess->iv.length, NULL) <= 0) return -EINVAL; if (do_ccm) - EVP_CIPHER_CTX_ctrl(sess->cipher.ctx, EVP_CTRL_CCM_SET_TAG, + EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_CCM_SET_TAG, tag_len, NULL); - if (EVP_DecryptInit_ex(sess->cipher.ctx, NULL, NULL, key, NULL) <= 0) + if (EVP_DecryptInit_ex(*ctx, NULL, NULL, key, NULL) <= 0) return -EINVAL; return 0; } +static int openssl_aesni_ctx_clone(EVP_CIPHER_CTX **dest, + struct openssl_session *sess) +{ +#if (OPENSSL_VERSION_NUMBER >= 0x30200000L) + *dest = EVP_CIPHER_CTX_dup(sess->ctx); + return 0; +#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* OpenSSL versions 3.0.0 <= V < 3.2.0 have no dupctx() implementation + * for AES-GCM and AES-CCM. In this case, we have to create new empty + * contexts and initialise, as we did the original context. + */ + if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) + sess->aead_algo = RTE_CRYPTO_AEAD_AES_GCM; + + if (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) + return openssl_set_sess_aead_enc_param(sess, sess->aead_algo, + sess->auth.digest_length, sess->cipher.key.data, + dest); + else + return openssl_set_sess_aead_dec_param(sess, sess->aead_algo, + sess->auth.digest_length, sess->cipher.key.data, + dest); +#else + *dest = EVP_CIPHER_CTX_new(); + if (EVP_CIPHER_CTX_copy(*dest, sess->cipher.ctx) != 1) + return -EINVAL; + return 0; +#endif +} + /** Set session cipher parameters */ static int openssl_set_session_cipher_parameters(struct openssl_session *sess, @@ -623,12 +655,14 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, return openssl_set_sess_aead_enc_param(sess, RTE_CRYPTO_AEAD_AES_GCM, xform->auth.digest_length, - xform->auth.key.data); + xform->auth.key.data, + &sess->cipher.ctx); else return openssl_set_sess_aead_dec_param(sess, RTE_CRYPTO_AEAD_AES_GCM, xform->auth.digest_length, - xform->auth.key.data); + xform->auth.key.data, + &sess->cipher.ctx); break; case RTE_CRYPTO_AUTH_MD5: @@ -770,10 +804,12 @@ openssl_set_session_aead_parameters(struct openssl_session *sess, /* Select cipher direction */ if (xform->aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT) return openssl_set_sess_aead_enc_param(sess, xform->aead.algo, - xform->aead.digest_length, xform->aead.key.data); + xform->aead.digest_length, xform->aead.key.data, + &sess->cipher.ctx); else return openssl_set_sess_aead_dec_param(sess, xform->aead.algo, - xform->aead.digest_length, xform->aead.key.data); + xform->aead.digest_length, xform->aead.key.data, + &sess->cipher.ctx); } /** Parse crypto xform chain and set private session parameters */ @@ -1590,6 +1626,12 @@ process_openssl_combined_op return; } + EVP_CIPHER_CTX *ctx; + if (openssl_aesni_ctx_clone(&ctx, sess) != 0) { + op->status = RTE_CRYPTO_OP_STATUS_ERROR; + return; + } + iv = rte_crypto_op_ctod_offset(op, uint8_t *, sess->iv.offset); if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { @@ -1623,12 +1665,12 @@ process_openssl_combined_op status = process_openssl_auth_encryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, sess->cipher.ctx); + dst, tag, ctx); else status = process_openssl_auth_encryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, sess->cipher.ctx); + dst, tag, taglen, ctx); } else { if (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC || @@ -1636,14 +1678,16 @@ process_openssl_combined_op status = process_openssl_auth_decryption_gcm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, sess->cipher.ctx); + dst, tag, ctx); else status = process_openssl_auth_decryption_ccm( mbuf_src, offset, srclen, aad, aadlen, iv, - dst, tag, taglen, sess->cipher.ctx); + dst, tag, taglen, ctx); } + EVP_CIPHER_CTX_free(ctx); + if (status != 0) { if (status == (-EFAULT) && sess->auth.operation == -- 2.34.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2024-08-12 20:44:03.392082430 +0800 +++ 0025-crypto-openssl-fix-GCM-and-CCM-thread-unsafe-context.patch 2024-08-12 20:44:01.955069267 +0800 @@ -1 +1 @@ -From 78d7765f0acbb23168b7b25e25d775bea22c48ab Mon Sep 17 00:00:00 2001 +From eb6a1a85e6fedeaac5c3aca29db91173e5ebaa92 Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Xueming Li + +[ upstream commit 78d7765f0acbb23168b7b25e25d775bea22c48ab ] @@ -43 +45,0 @@ -Cc: stable@dpdk.org