diff options
author | Damjan Marion <damarion@cisco.com> | 2019-04-24 15:20:35 +0200 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-04-25 01:36:12 +0000 |
commit | d1bed687231bb64cf7761da37431ba61bc32b6d8 (patch) | |
tree | 891af80a873db9dda53c18e95f5eeb9366a1cb07 | |
parent | 20bc56ab58189ad9fa24feaaca3e76ea8e636140 (diff) |
crypto: improve key handling
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad
Signed-off-by: Damjan Marion <damarion@cisco.com>
-rw-r--r-- | src/plugins/crypto_ia32/aes_cbc.c | 25 | ||||
-rw-r--r-- | src/plugins/crypto_ia32/aesni.h | 7 | ||||
-rw-r--r-- | src/plugins/crypto_ia32/crypto_ia32.h | 1 | ||||
-rw-r--r-- | src/plugins/crypto_ia32/main.c | 75 | ||||
-rw-r--r-- | src/plugins/crypto_ipsecmb/ipsecmb.c | 11 | ||||
-rw-r--r-- | src/plugins/crypto_openssl/main.c | 15 | ||||
-rw-r--r-- | src/plugins/unittest/crypto/crypto.h | 1 | ||||
-rw-r--r-- | src/plugins/unittest/crypto_test.c | 48 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.c | 78 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.h | 51 | ||||
-rw-r--r-- | src/vnet/ipsec/esp.h | 3 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 5 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 5 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.c | 13 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.h | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if.c | 13 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 18 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 10 | ||||
-rw-r--r-- | src/vnet/lisp-cp/control.c | 36 |
19 files changed, 351 insertions, 66 deletions
diff --git a/src/plugins/crypto_ia32/aes_cbc.c b/src/plugins/crypto_ia32/aes_cbc.c index 091f7b6a539..7befdd2b4e6 100644 --- a/src/plugins/crypto_ia32/aes_cbc.c +++ b/src/plugins/crypto_ia32/aes_cbc.c @@ -97,7 +97,7 @@ aesni_ops_enc_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[], u8 dummy[8192]; u8 *src[4] = { }; u8 *dst[4] = { }; - u8 *key[4] = { }; + vnet_crypto_key_index_t key_index[4] = { ~0, ~0, ~0, ~0 }; u32x4 dummy_mask, len = { }; u32 i, j, count, n_left = n_ops; __m128i r[4] = { }, k[4][rounds + 1]; @@ -127,10 +127,13 @@ more: dst[i] = ops[0]->dst; len[i] = ops[0]->len; dummy_mask[i] = ~0; - if (key[i] != ops[0]->key) + if (key_index[i] != ops[0]->key_index) { - aes_key_expand (k[i], ops[0]->key, ks); - key[i] = ops[0]->key; + aesni_key_data_t *kd; + key_index[i] = ops[0]->key_index; + kd = (aesni_key_data_t *) cm->key_data[key_index[i]]; + clib_memcpy_fast (k[i], kd->encrypt_key, + (rounds + 1) * sizeof (__m128i)); } ops[0]->status = VNET_CRYPTO_OP_STATUS_COMPLETED; n_left--; @@ -188,28 +191,22 @@ static_always_inline u32 aesni_ops_dec_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, aesni_key_size_t ks) { + crypto_ia32_main_t *cm = &crypto_ia32_main; int rounds = AESNI_KEY_ROUNDS (ks); vnet_crypto_op_t *op = ops[0]; + aesni_key_data_t *kd = (aesni_key_data_t *) cm->key_data[op->key_index]; u32 n_left = n_ops; - u8 *last_key; - __m128i k[rounds + 1]; ASSERT (n_ops >= 1); -key_expand: - last_key = op->key; - aes_key_expand (k, op->key, ks); - aes_key_enc_to_dec (k, ks); - decrypt: - aes_cbc_dec (k, op->src, op->dst, op->iv, op->len, rounds); + aes_cbc_dec (kd->decrypt_key, op->src, op->dst, op->iv, op->len, rounds); op->status = VNET_CRYPTO_OP_STATUS_COMPLETED; if (--n_left) { op += 1; - if (last_key != op->key) - goto key_expand; + kd = (aesni_key_data_t *) cm->key_data[op->key_index]; goto decrypt; } diff --git a/src/plugins/crypto_ia32/aesni.h b/src/plugins/crypto_ia32/aesni.h index 28e09fc5c51..80e30e51b33 100644 --- a/src/plugins/crypto_ia32/aesni.h +++ b/src/plugins/crypto_ia32/aesni.h @@ -18,6 +18,13 @@ #ifndef __aesni_h__ #define __aesni_h__ + +typedef struct +{ + __m128i encrypt_key[15]; + __m128i decrypt_key[15]; +} aesni_key_data_t; + typedef enum { AESNI_KEY_128 = 0, diff --git a/src/plugins/crypto_ia32/crypto_ia32.h b/src/plugins/crypto_ia32/crypto_ia32.h index ccb26ab1a4d..f5f09dfd499 100644 --- a/src/plugins/crypto_ia32/crypto_ia32.h +++ b/src/plugins/crypto_ia32/crypto_ia32.h @@ -27,6 +27,7 @@ typedef struct { u32 crypto_engine_index; crypto_ia32_per_thread_data_t *per_thread_data; + void **key_data; } crypto_ia32_main_t; extern crypto_ia32_main_t crypto_ia32_main; diff --git a/src/plugins/crypto_ia32/main.c b/src/plugins/crypto_ia32/main.c index 9b83f8913db..8dd596b0dd6 100644 --- a/src/plugins/crypto_ia32/main.c +++ b/src/plugins/crypto_ia32/main.c @@ -19,9 +19,80 @@ #include <vnet/plugin/plugin.h> #include <vnet/crypto/crypto.h> #include <crypto_ia32/crypto_ia32.h> +#include <crypto_ia32/aesni.h> crypto_ia32_main_t crypto_ia32_main; +static void +crypto_ia32_key_handler (vlib_main_t * vm, vnet_crypto_key_op_t kop, + vnet_crypto_key_index_t idx) +{ + vnet_crypto_key_t *key = vnet_crypto_get_key (idx); + crypto_ia32_main_t *cm = &crypto_ia32_main; + aesni_key_data_t *kd; + + switch (key->alg) + { + case VNET_CRYPTO_ALG_AES_128_CBC: + case VNET_CRYPTO_ALG_AES_192_CBC: + case VNET_CRYPTO_ALG_AES_256_CBC: + break; + default: + return; + break; + } + + if (kop == VNET_CRYPTO_KEY_OP_DEL) + { + if (idx >= vec_len (cm->key_data)) + return; + + if (cm->key_data[idx] == 0) + return; + + clib_memset_u8 (cm->key_data[idx], 0, + clib_mem_size (cm->key_data[idx])); + clib_mem_free (cm->key_data[idx]); + cm->key_data[idx] = 0; + return; + } + + vec_validate_aligned (cm->key_data, idx, CLIB_CACHE_LINE_BYTES); + + if (kop == VNET_CRYPTO_KEY_OP_MODIFY && cm->key_data[idx]) + { + clib_memset_u8 (cm->key_data[idx], 0, + clib_mem_size (cm->key_data[idx])); + clib_mem_free (cm->key_data[idx]); + } + + kd = cm->key_data[idx] = clib_mem_alloc_aligned (sizeof (aesni_key_data_t), + CLIB_CACHE_LINE_BYTES); + + /* ADD or MODIFY */ + switch (key->alg) + { + case VNET_CRYPTO_ALG_AES_128_CBC: + aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_128); + aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_128); + aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_128); + break; + case VNET_CRYPTO_ALG_AES_192_CBC: + aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_192); + aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_192); + aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_192); + break; + case VNET_CRYPTO_ALG_AES_256_CBC: + aes_key_expand (kd->encrypt_key, key->data, AESNI_KEY_256); + aes_key_expand (kd->decrypt_key, key->data, AESNI_KEY_256); + aes_key_enc_to_dec (kd->decrypt_key, AESNI_KEY_256); + break; + default: + return; + break; + } +} + clib_error_t * crypto_ia32_init (vlib_main_t * vm) { @@ -43,6 +114,10 @@ crypto_ia32_init (vlib_main_t * vm) (error = crypto_ia32_aesni_cbc_init (vm))) goto error; + vnet_crypto_register_key_handler (vm, cm->crypto_engine_index, + crypto_ia32_key_handler); + + error: if (error) vec_free (cm->per_thread_data); diff --git a/src/plugins/crypto_ipsecmb/ipsecmb.c b/src/plugins/crypto_ipsecmb/ipsecmb.c index 6d4d9136784..10cc32f8e6d 100644 --- a/src/plugins/crypto_ipsecmb/ipsecmb.c +++ b/src/plugins/crypto_ipsecmb/ipsecmb.c @@ -154,9 +154,10 @@ ipsecmb_ops_hmac_inline (vlib_main_t * vm, for (i = 0; i < n_ops; i++) { vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); u8 ipad[256], opad[256]; - hash_expand_keys (ptd->mgr, op->key, op->key_len, + hash_expand_keys (ptd->mgr, key->data, vec_len (key->data), block_size, ipad, opad, fn); job = IMB_GET_NEXT_JOB (ptd->mgr); @@ -172,7 +173,7 @@ ipsecmb_ops_hmac_inline (vlib_main_t * vm, job->cipher_direction = DECRYPT; job->chain_order = HASH_CIPHER; - job->aes_key_len_in_bytes = op->key_len; + job->aes_key_len_in_bytes = vec_len (key->data); job->u.HMAC._hashed_auth_key_xor_ipad = ipad; job->u.HMAC._hashed_auth_key_xor_opad = opad; @@ -250,9 +251,10 @@ ipsecmb_ops_cbc_cipher_inline (vlib_main_t * vm, u8 aes_enc_key_expanded[EXPANDED_KEY_N_BYTES]; u8 aes_dec_key_expanded[EXPANDED_KEY_N_BYTES]; vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); __m128i iv; - fn (op->key, aes_enc_key_expanded, aes_dec_key_expanded); + fn (key->data, aes_enc_key_expanded, aes_dec_key_expanded); job = IMB_GET_NEXT_JOB (ptd->mgr); @@ -380,10 +382,11 @@ ipsecmb_ops_gcm_cipher_inline (vlib_main_t * vm, { struct gcm_key_data key_data; vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); u32 nonce[3]; __m128i iv; - fn (op->key, &key_data); + fn (key->data, &key_data); job = IMB_GET_NEXT_JOB (ptd->mgr); diff --git a/src/plugins/crypto_openssl/main.c b/src/plugins/crypto_openssl/main.c index ac586c2af77..fb9754f85a2 100644 --- a/src/plugins/crypto_openssl/main.c +++ b/src/plugins/crypto_openssl/main.c @@ -68,12 +68,13 @@ openssl_ops_enc_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, for (i = 0; i < n_ops; i++) { vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); int out_len; if (op->flags & VNET_CRYPTO_OP_FLAG_INIT_IV) RAND_bytes (op->iv, 16); - EVP_EncryptInit_ex (ctx, cipher, NULL, op->key, op->iv); + EVP_EncryptInit_ex (ctx, cipher, NULL, key->data, op->iv); EVP_EncryptUpdate (ctx, op->dst, &out_len, op->src, op->len); if (out_len < op->len) EVP_EncryptFinal_ex (ctx, op->dst + out_len, &out_len); @@ -93,9 +94,10 @@ openssl_ops_dec_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, for (i = 0; i < n_ops; i++) { vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); int out_len; - EVP_DecryptInit_ex (ctx, cipher, NULL, op->key, op->iv); + EVP_DecryptInit_ex (ctx, cipher, NULL, key->data, op->iv); EVP_DecryptUpdate (ctx, op->dst, &out_len, op->src, op->len); if (out_len < op->len) EVP_DecryptFinal_ex (ctx, op->dst + out_len, &out_len); @@ -115,6 +117,7 @@ openssl_ops_enc_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, for (i = 0; i < n_ops; i++) { vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); u32 nonce[3]; int len; @@ -126,7 +129,7 @@ openssl_ops_enc_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, EVP_EncryptInit_ex (ctx, cipher, 0, 0, 0); EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL); - EVP_EncryptInit_ex (ctx, 0, 0, op->key, (u8 *) nonce); + EVP_EncryptInit_ex (ctx, 0, 0, key->data, (u8 *) nonce); if (op->aad_len) EVP_EncryptUpdate (ctx, NULL, &len, op->aad, op->aad_len); EVP_EncryptUpdate (ctx, op->dst, &len, op->src, op->len); @@ -148,11 +151,12 @@ openssl_ops_dec_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, for (i = 0; i < n_ops; i++) { vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); int len; EVP_DecryptInit_ex (ctx, cipher, 0, 0, 0); EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, op->iv_len, 0); - EVP_DecryptInit_ex (ctx, 0, 0, op->key, op->iv); + EVP_DecryptInit_ex (ctx, 0, 0, key->data, op->iv); if (op->aad_len) EVP_DecryptUpdate (ctx, 0, &len, op->aad, op->aad_len); EVP_DecryptUpdate (ctx, op->dst, &len, op->src, op->len); @@ -181,10 +185,11 @@ openssl_ops_hmac (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, for (i = 0; i < n_ops; i++) { vnet_crypto_op_t *op = ops[i]; + vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index); unsigned int out_len; size_t sz = op->digest_len ? op->digest_len : EVP_MD_size (md); - HMAC_Init_ex (ctx, op->key, op->key_len, md, NULL); + HMAC_Init_ex (ctx, key->data, vec_len (key->data), md, NULL); HMAC_Update (ctx, op->src, op->len); HMAC_Final (ctx, buffer, &out_len); diff --git a/src/plugins/unittest/crypto/crypto.h b/src/plugins/unittest/crypto/crypto.h index ab9f706c081..f15e34b02f0 100644 --- a/src/plugins/unittest/crypto/crypto.h +++ b/src/plugins/unittest/crypto/crypto.h @@ -45,7 +45,6 @@ typedef struct u32 rounds; u32 buffer_size; u32 n_buffers; - u8 one_key; unittest_crypto_test_registration_t *test_registrations; } crypto_test_main_t; diff --git a/src/plugins/unittest/crypto_test.c b/src/plugins/unittest/crypto_test.c index 37cdc688f5e..b4f48741573 100644 --- a/src/plugins/unittest/crypto_test.c +++ b/src/plugins/unittest/crypto_test.c @@ -38,6 +38,7 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm) unittest_crypto_test_registration_t **rv = 0; vnet_crypto_alg_data_t *ad; vnet_crypto_op_t *ops = 0, *op; + vnet_crypto_key_index_t *key_indices = 0; u8 *computed_data = 0, *s = 0, *err = 0; u32 computed_data_total_len = 0, n_ops = 0; u32 i; @@ -114,8 +115,10 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm) case VNET_CRYPTO_OP_TYPE_DECRYPT: op->iv = r->iv.data; op->iv_len = r->iv.length; - op->key = r->key.data; - op->key_len = r->key.length; + op->key_index = vnet_crypto_key_add (vm, r->alg, + r->key.data, + r->key.length); + vec_add1 (key_indices, op->key_index); op->len = r->plaintext.length; op->src = t == VNET_CRYPTO_OP_TYPE_ENCRYPT ? r->plaintext.data : r->ciphertext.data; @@ -126,8 +129,10 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm) case VNET_CRYPTO_OP_TYPE_AEAD_DECRYPT: op->iv = r->iv.data; op->iv_len = r->iv.length; - op->key = r->key.data; - op->key_len = r->key.length; + op->key_index = vnet_crypto_key_add (vm, r->alg, + r->key.data, + r->key.length); + vec_add1 (key_indices, op->key_index); op->aad = r->aad.data; op->aad_len = r->aad.length; op->len = r->plaintext.length; @@ -147,8 +152,10 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm) op->tag_len = r->tag.length; break; case VNET_CRYPTO_OP_TYPE_HMAC: - op->key = r->key.data; - op->key_len = r->key.length; + op->key_index = vnet_crypto_key_add (vm, r->alg, + r->key.data, + r->key.length); + vec_add1 (key_indices, op->key_index); op->src = r->plaintext.data; op->len = r->plaintext.length; op->digest_len = r->digest.length; @@ -250,6 +257,9 @@ test_crypto (vlib_main_t * vm, crypto_test_main_t * tm) op->digest_len); } } + + vec_foreach_index (i, key_indices) + vnet_crypto_key_del (vm, key_indices[i]); /* *INDENT-ON* */ vec_free (computed_data); @@ -269,11 +279,12 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) u32 *buffer_indices = 0; vnet_crypto_op_t *ops1 = 0, *ops2 = 0, *op1, *op2; vnet_crypto_alg_data_t *ad = vec_elt_at_index (cm->algs, tm->alg); + vnet_crypto_key_index_t key_index = ~0; + u8 key[32]; int buffer_size = vlib_buffer_get_default_data_size (vm); u64 seed = clib_cpu_time_now (); u64 t0[5], t1[5], t2[5], n_bytes = 0; int i, j; - u8 *key; if (tm->buffer_size > buffer_size) return clib_error_return (0, "buffer size must be <= %u", buffer_size); @@ -300,14 +311,19 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) } vlib_cli_output (vm, "%U: n_buffers %u buffer-size %u rounds %u " - "warmup-rounds %u one-key %s", + "warmup-rounds %u", format_vnet_crypto_alg, tm->alg, n_buffers, buffer_size, - rounds, warmup_rounds, tm->one_key ? "yes" : "no"); + rounds, warmup_rounds); vlib_cli_output (vm, " cpu-freq %.2f GHz", (f64) vm->clib_time.clocks_per_second * 1e-9); vnet_crypto_op_type_t ot = 0; + for (i = 0; i < sizeof (key); i++) + key[i] = i; + + key_index = vnet_crypto_key_add (vm, tm->alg, key, sizeof (key)); + for (i = 0; i < VNET_CRYPTO_OP_N_TYPES; i++) { vnet_crypto_op_id_t id = ad->op_by_type[i]; @@ -322,8 +338,6 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) vlib_buffer_t *b = vlib_get_buffer (vm, buffer_indices[i]); op1 = ops1 + i; op2 = ops2 + i; - if (i == 0) - key = b->data - 32; switch (ot) { @@ -335,7 +349,7 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) ad->op_by_type[VNET_CRYPTO_OP_TYPE_DECRYPT]); op1->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; op1->src = op2->src = op1->dst = op2->dst = b->data; - op1->key = op2->key = tm->one_key ? key : b->data - 32; + op1->key_index = op2->key_index = key_index; op1->iv = op2->iv = b->data - 64; n_bytes += op1->len = op2->len = buffer_size; break; @@ -349,7 +363,7 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) [VNET_CRYPTO_OP_TYPE_AEAD_DECRYPT]); op1->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; op1->src = op2->src = op1->dst = op2->dst = b->data; - op1->key = op2->key = tm->one_key ? key : b->data - 32; + op1->key_index = op2->key_index = key_index; op1->iv = op2->iv = b->data - 64; op1->aad = op2->aad = b->data - VLIB_BUFFER_PRE_DATA_SIZE; op1->aad_len = op2->aad_len = 0; @@ -358,7 +372,7 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) case VNET_CRYPTO_OP_TYPE_HMAC: vnet_crypto_op_init (op1, ad->op_by_type[VNET_CRYPTO_OP_TYPE_HMAC]); op1->src = b->data; - op1->key = tm->one_key ? key : b->data - 32; + op1->key_index = key_index; op1->iv = 0; op1->digest = b->data - VLIB_BUFFER_PRE_DATA_SIZE; op1->digest_len = 0; @@ -418,6 +432,10 @@ test_crypto_perf (vlib_main_t * vm, crypto_test_main_t * tm) done: if (n_alloc) vlib_buffer_free (vm, buffer_indices, n_alloc); + + if (key_index != ~0) + vnet_crypto_key_del (vm, key_index); + vec_free (buffer_indices); vec_free (ops1); vec_free (ops2); @@ -454,8 +472,6 @@ test_crypto_command_fn (vlib_main_t * vm, ; else if (unformat (input, "buffer-size %u", &tm->buffer_size)) ; - else if (unformat (input, "one-key")) - tm->one_key = 1; else return clib_error_return (0, "unknown input '%U'", format_unformat_error, input); diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c index dbdb58b16f6..b748e47fd3d 100644 --- a/src/vnet/crypto/crypto.c +++ b/src/vnet/crypto/crypto.c @@ -129,7 +129,7 @@ vnet_crypto_set_handler (char *alg_name, char *engine) return 0; } -vlib_error_t * +void vnet_crypto_register_ops_handler (vlib_main_t * vm, u32 engine_index, vnet_crypto_op_id_t opt, vnet_crypto_ops_handler_t * fn) @@ -145,7 +145,7 @@ vnet_crypto_register_ops_handler (vlib_main_t * vm, u32 engine_index, { otd->active_engine_index = engine_index; cm->ops_handlers[opt] = fn; - return 0; + return; } ae = vec_elt_at_index (cm->engines, otd->active_engine_index); if (ae->priority < e->priority) @@ -154,7 +154,79 @@ vnet_crypto_register_ops_handler (vlib_main_t * vm, u32 engine_index, cm->ops_handlers[opt] = fn; } - return 0; + return; +} + +void +vnet_crypto_register_key_handler (vlib_main_t * vm, u32 engine_index, + vnet_crypto_key_handler_t * key_handler) +{ + vnet_crypto_main_t *cm = &crypto_main; + vnet_crypto_engine_t *e = vec_elt_at_index (cm->engines, engine_index); + e->key_op_handler = key_handler; + return; +} + +u32 +vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, u8 * data, + u16 length) +{ + u32 index; + vnet_crypto_main_t *cm = &crypto_main; + vnet_crypto_engine_t *engine; + vnet_crypto_key_t *key; + pool_get_zero (cm->keys, key); + index = key - cm->keys; + key->alg = alg; + vec_validate_aligned (key->data, length - 1, CLIB_CACHE_LINE_BYTES); + clib_memcpy (key->data, data, length); + + /* *INDENT-OFF* */ + vec_foreach (engine, cm->engines) + if (engine->key_op_handler) + engine->key_op_handler (vm, VNET_CRYPTO_KEY_OP_ADD, index); + /* *INDENT-ON* */ + return index; +} + +void +vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index) +{ + vnet_crypto_main_t *cm = &crypto_main; + vnet_crypto_engine_t *engine; + vnet_crypto_key_t *key = pool_elt_at_index (cm->keys, index); + + /* *INDENT-OFF* */ + vec_foreach (engine, cm->engines) + if (engine->key_op_handler) + engine->key_op_handler (vm, VNET_CRYPTO_KEY_OP_DEL, index); + /* *INDENT-ON* */ + + clib_memset (key->data, 0, vec_len (key->data)); + vec_free (key->data); + pool_put (cm->keys, key); +} + +void +vnet_crypto_key_modify (vlib_main_t * vm, vnet_crypto_key_index_t index, + vnet_crypto_alg_t alg, u8 * data, u16 length) +{ + vnet_crypto_main_t *cm = &crypto_main; + vnet_crypto_engine_t *engine; + vnet_crypto_key_t *key = pool_elt_at_index (cm->keys, index); + + if (vec_len (key->data)) + clib_memset (key->data, 0, vec_len (key->data)); + vec_free (key->data); + vec_validate_aligned (key->data, length - 1, CLIB_CACHE_LINE_BYTES); + clib_memcpy (key->data, data, length); + key->alg = alg; + + /* *INDENT-OFF* */ + vec_foreach (engine, cm->engines) + if (engine->key_op_handler) + engine->key_op_handler (vm, VNET_CRYPTO_KEY_OP_MODIFY, index); + /* *INDENT-ON* */ } static void diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h index 901c363342b..6ab32ec22bf 100644 --- a/src/vnet/crypto/crypto.h +++ b/src/vnet/crypto/crypto.h @@ -68,6 +68,13 @@ typedef enum typedef enum { + VNET_CRYPTO_KEY_OP_ADD, + VNET_CRYPTO_KEY_OP_DEL, + VNET_CRYPTO_KEY_OP_MODIFY, +} vnet_crypto_key_op_t; + +typedef enum +{ #define _(n, s) VNET_CRYPTO_OP_STATUS_##n, foreach_crypto_op_status #undef _ @@ -77,6 +84,7 @@ typedef enum /* *INDENT-OFF* */ typedef enum { + VNET_CRYPTO_ALG_NONE = 0, #define _(n, s) VNET_CRYPTO_ALG_##n, foreach_crypto_cipher_alg foreach_crypto_aead_alg @@ -87,6 +95,12 @@ typedef enum VNET_CRYPTO_N_ALGS, } vnet_crypto_alg_t; +typedef struct +{ + u8 *data; + vnet_crypto_alg_t alg:8; +} vnet_crypto_key_t; + typedef enum { VNET_CRYPTO_OP_NONE = 0, @@ -115,10 +129,10 @@ typedef struct u8 flags; #define VNET_CRYPTO_OP_FLAG_INIT_IV (1 << 0) #define VNET_CRYPTO_OP_FLAG_HMAC_CHECK (1 << 1) + u32 key_index; u32 len, salt; u16 aad_len; - u8 key_len, iv_len, digest_len, tag_len; - u8 *key; + u8 iv_len, digest_len, tag_len; u8 *iv; u8 *src; u8 *dst; @@ -141,23 +155,30 @@ typedef struct clib_bitmap_t *act_queues; } vnet_crypto_thread_t; +typedef u32 vnet_crypto_key_index_t; + typedef u32 (vnet_crypto_ops_handler_t) (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops); +typedef void (vnet_crypto_key_handler_t) (vlib_main_t * vm, + vnet_crypto_key_op_t kop, + vnet_crypto_key_index_t idx); + u32 vnet_crypto_register_engine (vlib_main_t * vm, char *name, int prio, char *desc); -vlib_error_t *vnet_crypto_register_ops_handler (vlib_main_t * vm, - u32 provider_index, - vnet_crypto_op_id_t opt, - vnet_crypto_ops_handler_t * - f); +void vnet_crypto_register_ops_handler (vlib_main_t * vm, u32 engine_index, + vnet_crypto_op_id_t opt, + vnet_crypto_ops_handler_t * oph); +void vnet_crypto_register_key_handler (vlib_main_t * vm, u32 engine_index, + vnet_crypto_key_handler_t * keyh); typedef struct { char *name; char *desc; int priority; + vnet_crypto_key_handler_t *key_op_handler; vnet_crypto_ops_handler_t *ops_handlers[VNET_CRYPTO_N_OP_IDS]; } vnet_crypto_engine_t; @@ -168,6 +189,7 @@ typedef struct vnet_crypto_ops_handler_t **ops_handlers; vnet_crypto_op_data_t opt_data[VNET_CRYPTO_N_OP_IDS]; vnet_crypto_engine_t *engines; + vnet_crypto_key_t *keys; uword *engine_index_by_name; uword *alg_index_by_name; } vnet_crypto_main_t; @@ -180,9 +202,14 @@ u32 vnet_crypto_submit_ops (vlib_main_t * vm, vnet_crypto_op_t ** jobs, u32 vnet_crypto_process_ops (vlib_main_t * vm, vnet_crypto_op_t ops[], u32 n_ops); - int vnet_crypto_set_handler (char *ops_handler_name, char *engine); +u32 vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, + u8 * data, u16 length); +void vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index); +void vnet_crypto_key_modify (vlib_main_t * vm, vnet_crypto_key_index_t index, + vnet_crypto_alg_t alg, u8 * data, u16 len); + format_function_t format_vnet_crypto_alg; format_function_t format_vnet_crypto_engine; format_function_t format_vnet_crypto_op; @@ -197,6 +224,7 @@ vnet_crypto_op_init (vnet_crypto_op_t * op, vnet_crypto_op_id_t type) clib_memset (op, 0xfe, sizeof (*op)); op->op = type; op->flags = 0; + op->key_index = ~0; } static_always_inline vnet_crypto_op_type_t @@ -207,6 +235,13 @@ vnet_crypto_get_op_type (vnet_crypto_op_id_t id) return od->type; } +static_always_inline vnet_crypto_key_t * +vnet_crypto_get_key (vnet_crypto_key_index_t index) +{ + vnet_crypto_main_t *cm = &crypto_main; + return vec_elt_at_index (cm->keys, index); +} + #endif /* included_vnet_crypto_crypto_h */ /* diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index 052bbfc1d88..070726faa34 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -112,8 +112,7 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len, return 0; vnet_crypto_op_init (op, sa->integ_op_id); - op->key = sa->integ_key.data; - op->key_len = sa->integ_key.len; + op->key_index = sa->integ_key_index; op->src = data; op->len = data_len; op->digest = signature; diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index e74c1bb908a..5d1f20604d5 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -203,8 +203,7 @@ esp_decrypt_inline (vlib_main_t * vm, vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES); vnet_crypto_op_init (op, sa0->integ_op_id); - op->key = sa0->integ_key.data; - op->key_len = sa0->integ_key.len; + op->key_index = sa0->integ_key_index; op->src = payload; op->flags = VNET_CRYPTO_OP_FLAG_HMAC_CHECK; op->user_data = b - bufs; @@ -231,7 +230,7 @@ esp_decrypt_inline (vlib_main_t * vm, vnet_crypto_op_t *op; vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES); vnet_crypto_op_init (op, sa0->crypto_dec_op_id); - op->key = sa0->crypto_key.data; + op->key_index = sa0->crypto_key_index; op->iv = payload; if (ipsec_sa_is_set_IS_AEAD (sa0)) diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 5db10b520e3..af56302bafb 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -441,7 +441,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_init (op, sa0->crypto_enc_op_id); op->iv = payload - iv_sz; op->src = op->dst = payload; - op->key = sa0->crypto_key.data; + op->key_index = sa0->crypto_key_index; op->len = payload_len - icv_sz; op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; op->user_data = b - bufs; @@ -469,8 +469,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_init (op, sa0->integ_op_id); op->src = payload - iv_sz - sizeof (esp_header_t); op->digest = payload + payload_len - icv_sz; - op->key = sa0->integ_key.data; - op->key_len = sa0->integ_key.len; + op->key_index = sa0->integ_key_index; op->digest_len = icv_sz; op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t); op->user_data = b - bufs; diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 73c5cf4d7ab..c530a44e870 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -264,43 +264,51 @@ ipsec_init (vlib_main_t * vm) a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC; a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC; a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC; + a->alg = VNET_CRYPTO_ALG_DES_CBC; a->iv_size = a->block_size = 8; a = im->crypto_algs + IPSEC_CRYPTO_ALG_3DES_CBC; a->enc_op_id = VNET_CRYPTO_OP_3DES_CBC_ENC; a->dec_op_id = VNET_CRYPTO_OP_3DES_CBC_DEC; + a->alg = VNET_CRYPTO_ALG_3DES_CBC; a->iv_size = a->block_size = 8; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_128; a->enc_op_id = VNET_CRYPTO_OP_AES_128_CBC_ENC; a->dec_op_id = VNET_CRYPTO_OP_AES_128_CBC_DEC; + a->alg = VNET_CRYPTO_ALG_AES_128_CBC; a->iv_size = a->block_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_192; a->enc_op_id = VNET_CRYPTO_OP_AES_192_CBC_ENC; a->dec_op_id = VNET_CRYPTO_OP_AES_192_CBC_DEC; + a->alg = VNET_CRYPTO_ALG_AES_192_CBC; a->iv_size = a->block_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_256; a->enc_op_id = VNET_CRYPTO_OP_AES_256_CBC_ENC; a->dec_op_id = VNET_CRYPTO_OP_AES_256_CBC_DEC; + a->alg = VNET_CRYPTO_ALG_AES_256_CBC; a->iv_size = a->block_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_128; a->enc_op_id = VNET_CRYPTO_OP_AES_128_GCM_ENC; a->dec_op_id = VNET_CRYPTO_OP_AES_128_GCM_DEC; + a->alg = VNET_CRYPTO_ALG_AES_128_GCM; a->iv_size = a->block_size = 8; a->icv_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_192; a->enc_op_id = VNET_CRYPTO_OP_AES_192_GCM_ENC; a->dec_op_id = VNET_CRYPTO_OP_AES_192_GCM_DEC; + a->alg = VNET_CRYPTO_ALG_AES_192_GCM; a->iv_size = a->block_size = 8; a->icv_size = 16; a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_256; a->enc_op_id = VNET_CRYPTO_OP_AES_256_GCM_ENC; a->dec_op_id = VNET_CRYPTO_OP_AES_256_GCM_DEC; + a->alg = VNET_CRYPTO_ALG_AES_256_GCM; a->iv_size = a->block_size = 8; a->icv_size = 16; @@ -309,22 +317,27 @@ ipsec_init (vlib_main_t * vm) i = &im->integ_algs[IPSEC_INTEG_ALG_SHA1_96]; i->op_id = VNET_CRYPTO_OP_SHA1_HMAC; + i->alg = VNET_CRYPTO_ALG_HMAC_SHA1; i->icv_size = 12; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_96]; i->op_id = VNET_CRYPTO_OP_SHA1_HMAC; + i->alg = VNET_CRYPTO_ALG_HMAC_SHA256; i->icv_size = 12; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_128]; i->op_id = VNET_CRYPTO_OP_SHA256_HMAC; + i->alg = VNET_CRYPTO_ALG_HMAC_SHA256; i->icv_size = 16; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_384_192]; i->op_id = VNET_CRYPTO_OP_SHA384_HMAC; + i->alg = VNET_CRYPTO_ALG_HMAC_SHA512; i->icv_size = 24; i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_512_256]; i->op_id = VNET_CRYPTO_OP_SHA512_HMAC; + i->alg = VNET_CRYPTO_ALG_HMAC_SHA512; i->icv_size = 32; vec_validate_aligned (im->ptd, vlib_num_workers (), CLIB_CACHE_LINE_BYTES); diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index 110bbcb3e5a..232390c0690 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -68,6 +68,7 @@ typedef struct { vnet_crypto_op_id_t enc_op_id; vnet_crypto_op_id_t dec_op_id; + vnet_crypto_alg_t alg; u8 iv_size; u8 block_size; u8 icv_size; @@ -76,6 +77,7 @@ typedef struct typedef struct { vnet_crypto_op_id_t op_id; + vnet_crypto_alg_t alg; u8 icv_size; } ipsec_main_integ_alg_t; diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 8d0eef21ae0..9f64634c51e 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -510,6 +510,7 @@ int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 * key) { + vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; vnet_hw_interface_t *hi; ipsec_tunnel_if_t *t; @@ -526,24 +527,36 @@ ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index, sa = pool_elt_at_index (im->sad, t->output_sa_index); ipsec_sa_set_crypto_alg (sa, alg); ipsec_mk_key (&sa->crypto_key, key, vec_len (key)); + sa->crypto_calg = im->crypto_algs[alg].alg; + vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg, + key, vec_len (key)); } else if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG) { sa = pool_elt_at_index (im->sad, t->output_sa_index); ipsec_sa_set_integ_alg (sa, alg); ipsec_mk_key (&sa->integ_key, key, vec_len (key)); + sa->integ_calg = im->integ_algs[alg].alg; + vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg, + key, vec_len (key)); } else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO) { sa = pool_elt_at_index (im->sad, t->input_sa_index); ipsec_sa_set_crypto_alg (sa, alg); ipsec_mk_key (&sa->crypto_key, key, vec_len (key)); + sa->crypto_calg = im->crypto_algs[alg].alg; + vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg, + key, vec_len (key)); } else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG) { sa = pool_elt_at_index (im->sad, t->input_sa_index); ipsec_sa_set_integ_alg (sa, alg); ipsec_mk_key (&sa->integ_key, key, vec_len (key)); + sa->integ_calg = im->integ_algs[alg].alg; + vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg, + key, vec_len (key)); } else return VNET_API_ERROR_INVALID_VALUE; diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 8f41c95159b..2d2e90a1d27 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -100,6 +100,7 @@ ipsec_sa_set_crypto_alg (ipsec_sa_t * sa, ipsec_crypto_alg_t crypto_alg) sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size; sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id; sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id; + sa->crypto_calg = im->crypto_algs[crypto_alg].alg; ASSERT (sa->crypto_iv_size <= ESP_MAX_IV_SIZE); ASSERT (sa->crypto_block_size <= ESP_MAX_BLOCK_SIZE); if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg)) @@ -116,6 +117,7 @@ ipsec_sa_set_integ_alg (ipsec_sa_t * sa, ipsec_integ_alg_t integ_alg) sa->integ_alg = integ_alg; sa->integ_icv_size = im->integ_algs[integ_alg].icv_size; sa->integ_op_id = im->integ_algs[integ_alg].op_id; + sa->integ_calg = im->integ_algs[integ_alg].alg; ASSERT (sa->integ_icv_size <= ESP_MAX_ICV_SIZE); } @@ -133,6 +135,7 @@ ipsec_sa_add (u32 id, const ip46_address_t * tun_src, const ip46_address_t * tun_dst, u32 * sa_out_index) { + vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; clib_error_t *err; ipsec_sa_t *sa; @@ -164,6 +167,13 @@ ipsec_sa_add (u32 id, ip46_address_copy (&sa->tunnel_src_addr, tun_src); ip46_address_copy (&sa->tunnel_dst_addr, tun_dst); + sa->crypto_key_index = vnet_crypto_key_add (vm, + im->crypto_algs[crypto_alg].alg, + (u8 *) ck->data, ck->len); + sa->integ_key_index = vnet_crypto_key_add (vm, + im->integ_algs[integ_alg].alg, + (u8 *) ik->data, ik->len); + err = ipsec_check_support_cb (im, sa); if (err) { @@ -253,6 +263,7 @@ ipsec_sa_add (u32 id, u32 ipsec_sa_del (u32 id) { + vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; ipsec_sa_t *sa = 0; uword *p; @@ -286,6 +297,8 @@ ipsec_sa_del (u32 id) dpo_reset (&sa->dpo[IPSEC_PROTOCOL_AH]); dpo_reset (&sa->dpo[IPSEC_PROTOCOL_ESP]); } + vnet_crypto_key_del (vm, sa->crypto_key_index); + vnet_crypto_key_del (vm, sa->integ_key_index); pool_put (im->sad, sa); return 0; } @@ -320,6 +333,7 @@ ipsec_is_sa_used (u32 sa_index) int ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik) { + vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; uword *p; u32 sa_index; @@ -337,12 +351,16 @@ ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik) if (ck) { clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key)); + vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg, + (u8 *) ck->data, ck->len); } /* new integ key */ if (ik) { clib_memcpy (&sa->integ_key, 0, sizeof (sa->integ_key)); + vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg, + (u8 *) ik->data, ik->len); } if (ck || ik) diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index d1b44c3165f..40850766ce1 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -125,9 +125,11 @@ typedef struct u32 last_seq_hi; u64 replay_window; - vnet_crypto_op_id_t crypto_enc_op_id; - vnet_crypto_op_id_t crypto_dec_op_id; - vnet_crypto_op_id_t integ_op_id; + vnet_crypto_key_index_t crypto_key_index; + vnet_crypto_key_index_t integ_key_index; + vnet_crypto_op_id_t crypto_enc_op_id:16; + vnet_crypto_op_id_t crypto_dec_op_id:16; + vnet_crypto_op_id_t integ_op_id:16; dpo_id_t dpo[IPSEC_N_PROTOCOLS]; @@ -149,9 +151,11 @@ typedef struct ipsec_crypto_alg_t crypto_alg; ipsec_key_t crypto_key; + vnet_crypto_alg_t crypto_calg; ipsec_integ_alg_t integ_alg; ipsec_key_t integ_key; + vnet_crypto_alg_t integ_calg; ip46_address_t tunnel_src_addr; ip46_address_t tunnel_dst_addr; diff --git a/src/vnet/lisp-cp/control.c b/src/vnet/lisp-cp/control.c index 340217c661e..f8e9c1d5b44 100644 --- a/src/vnet/lisp-cp/control.c +++ b/src/vnet/lisp-cp/control.c @@ -2725,6 +2725,22 @@ build_map_register_record_list (lisp_cp_main_t * lcm) return recs; } +static vnet_crypto_alg_t +lisp_key_type_to_crypto_alg (lisp_key_type_t key_id) +{ + switch (key_id) + { + case HMAC_SHA_1_96: + return VNET_CRYPTO_ALG_HMAC_SHA1; + case HMAC_SHA_256_128: + return VNET_CRYPTO_ALG_HMAC_SHA256; + default: + clib_warning ("unsupported encryption key type: %d!", key_id); + break; + } + return VNET_CRYPTO_ALG_NONE; +} + static vnet_crypto_op_id_t lisp_key_type_to_crypto_op (lisp_key_type_t key_id) { @@ -2750,17 +2766,23 @@ update_map_register_auth_data (map_register_hdr_t * map_reg_hdr, MREG_KEY_ID (map_reg_hdr) = clib_host_to_net_u16 (key_id); MREG_AUTH_DATA_LEN (map_reg_hdr) = clib_host_to_net_u16 (auth_data_len); vnet_crypto_op_t _op, *op = &_op; + vnet_crypto_key_index_t ki; vnet_crypto_op_init (op, lisp_key_type_to_crypto_op (key_id)); - op->key = key; - op->key_len = vec_len (key); op->len = msg_len; op->digest = MREG_DATA (map_reg_hdr); op->src = (u8 *) map_reg_hdr; op->digest_len = 0; op->iv = 0; + ki = vnet_crypto_key_add (lcm->vlib_main, + lisp_key_type_to_crypto_alg (key_id), key, + vec_len (key)); + + op->key_index = ki; + vnet_crypto_process_ops (lcm->vlib_main, op, 1); + vnet_crypto_key_del (lcm->vlib_main, ki); return 0; } @@ -3926,6 +3948,7 @@ is_auth_data_valid (map_notify_hdr_t * h, u32 msg_len, u16 auth_data_len; int result; vnet_crypto_op_t _op, *op = &_op; + vnet_crypto_key_index_t ki; u8 out[EVP_MAX_MD_SIZE] = { 0, }; auth_data_len = auth_data_len_by_key_id (key_id); @@ -3943,15 +3966,20 @@ is_auth_data_valid (map_notify_hdr_t * h, u32 msg_len, clib_memset (MNOTIFY_DATA (h), 0, auth_data_len); vnet_crypto_op_init (op, lisp_key_type_to_crypto_op (key_id)); - op->key = key; - op->key_len = vec_len (key); op->len = msg_len; op->digest = out; op->src = (u8 *) h; op->digest_len = 0; op->iv = 0; + ki = vnet_crypto_key_add (lcm->vlib_main, + lisp_key_type_to_crypto_alg (key_id), key, + vec_len (key)); + + op->key_index = ki; + vnet_crypto_process_ops (lcm->vlib_main, op, 1); + vnet_crypto_key_del (lcm->vlib_main, ki); result = memcmp (out, auth_data, auth_data_len); |