path: root/src/plugins/wireguard/wireguard_noise.c
authorGabriel Oginski <gabrielx.oginski@intel.com>2021-11-10 07:59:56 +0000
committerMatthew Smith <mgsmith@netgate.com>2022-01-21 14:26:53 +0000
commit492d7790ff26c569bee81617c662363652891140 (patch)
tree5d2bed7eceb1f073fb47d917627e605929f6c46a /src/plugins/wireguard/wireguard_noise.c
parent3b9c7ca0ba08c94fd65c7cac88ad617741c81361 (diff)
wireguard: add async mode for encryption packets
Originally wireguard did not support async mode for encrypting packets. This patch adds async mode for encryption in wireguard and also adds support for the chacha20-poly1305 algorithm in cryptodev for the async handler. In addition it contains a new command line to activate async mode for wireguard: set wireguard async mode on|off and also adds a new command to check the active mode for wireguard: show wireguard mode Type: improvement Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I141d48b42ee8dbff0112b8542ab5205268089da6
Diffstat (limited to 'src/plugins/wireguard/wireguard_noise.c')
-rw-r--r--src/plugins/wireguard/wireguard_noise.c60
1 files changed, 0 insertions, 60 deletions
diff --git a/src/plugins/wireguard/wireguard_noise.c b/src/plugins/wireguard/wireguard_noise.c
index c8605f117cd..6efec28fef8 100644
--- a/src/plugins/wireguard/wireguard_noise.c
+++ b/src/plugins/wireguard/wireguard_noise.c
@@ -630,58 +630,6 @@ error:
}
enum noise_state_crypt
-noise_sync_remote_encrypt (vlib_main_t *vm, vnet_crypto_op_t **crypto_ops,
- noise_remote_t *r, uint32_t *r_idx, uint64_t *nonce,
- uint8_t *src, size_t srclen, uint8_t *dst, u32 bi,
- u8 *iv, f64 time)
-{
- noise_keypair_t *kp;
- enum noise_state_crypt ret = SC_FAILED;
-
- if ((kp = r->r_current) == NULL)
- goto error;
-
- /* We confirm that our values are within our tolerances. We want:
- * - a valid keypair
- * - our keypair to be less than REJECT_AFTER_TIME seconds old
- * - our receive counter to be less than REJECT_AFTER_MESSAGES
- * - our send counter to be less than REJECT_AFTER_MESSAGES
- */
- if (!kp->kp_valid ||
- wg_birthdate_has_expired_opt (kp->kp_birthdate, REJECT_AFTER_TIME,
- time) ||
- kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES ||
- ((*nonce = noise_counter_send (&kp->kp_ctr)) > REJECT_AFTER_MESSAGES))
- goto error;
-
- /* We encrypt into the same buffer, so the caller must ensure that buf
- * has NOISE_AUTHTAG_LEN bytes to store the MAC. The nonce and index
- * are passed back out to the caller through the provided data pointer. */
- *r_idx = kp->kp_remote_index;
-
- wg_prepare_sync_op (vm, crypto_ops, src, srclen, dst, NULL, 0, *nonce,
- VNET_CRYPTO_OP_CHACHA20_POLY1305_ENC, kp->kp_send_index,
- bi, iv);
-
- /* If our values are still within tolerances, but we are approaching
- * the tolerances, we notify the caller with ESTALE that they should
- * establish a new keypair. The current keypair can continue to be used
- * until the tolerances are hit. We notify if:
- * - our send counter is valid and not less than REKEY_AFTER_MESSAGES
- * - we're the initiator and our keypair is older than
- * REKEY_AFTER_TIME seconds */
- ret = SC_KEEP_KEY_FRESH;
- if ((kp->kp_valid && *nonce >= REKEY_AFTER_MESSAGES) ||
- (kp->kp_is_initiator && wg_birthdate_has_expired_opt (
- kp->kp_birthdate, REKEY_AFTER_TIME, time)))
- goto error;
-
- ret = SC_OK;
-error:
- return ret;
-}
-
-enum noise_state_crypt
noise_sync_remote_decrypt (vlib_main_t *vm, vnet_crypto_op_t **crypto_ops,
noise_remote_t *r, uint32_t r_idx, uint64_t nonce,
uint8_t *src, size_t srclen, uint8_t *dst, u32 bi,
@@ -791,14 +739,6 @@ noise_remote_handshake_index_drop (noise_remote_t * r)
u->u_index_drop (hs->hs_local_index);
}
-static uint64_t
-noise_counter_send (noise_counter_t * ctr)
-{
- uint64_t ret;
- ret = ctr->c_send++;
- return ret;
-}
-
static void
noise_kdf (uint8_t * a, uint8_t * b, uint8_t * c, const uint8_t * x,
size_t a_len, size_t b_len, size_t c_len, size_t x_len,