author | Gabriel Oginski <gabrielx.oginski@intel.com> | 2021-11-10 07:59:56 +0000 |
committer | Matthew Smith <mgsmith@netgate.com> | 2022-01-21 14:26:53 +0000 |
commit | 492d7790ff26c569bee81617c662363652891140 (patch) | |
tree | 5d2bed7eceb1f073fb47d917627e605929f6c46a /src/plugins/wireguard/wireguard_noise.c | |
parent | 3b9c7ca0ba08c94fd65c7cac88ad617741c81361 (diff) |
wireguard: add async mode for encryption packets
Originally, wireguard does not support async mode for encrypting packets.
This patch adds async mode for encryption in wireguard and also adds
support for the chacha20-poly1305 algorithm in cryptodev for the async handler.
In addition it contains new command line to activate async mode for wireguard:
set wireguard async mode on|off
and also add new command to check active mode for wireguard:
show wireguard mode
Type: improvement
Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
Change-Id: I141d48b42ee8dbff0112b8542ab5205268089da6
Diffstat (limited to 'src/plugins/wireguard/wireguard_noise.c')
-rw-r--r-- | src/plugins/wireguard/wireguard_noise.c | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/src/plugins/wireguard/wireguard_noise.c b/src/plugins/wireguard/wireguard_noise.c
index c8605f117cd..6efec28fef8 100644
--- a/src/plugins/wireguard/wireguard_noise.c
+++ b/src/plugins/wireguard/wireguard_noise.c
@@ -630,58 +630,6 @@ error:
}

enum noise_state_crypt
-noise_sync_remote_encrypt (vlib_main_t *vm, vnet_crypto_op_t **crypto_ops,
- noise_remote_t *r, uint32_t *r_idx, uint64_t *nonce,
- uint8_t *src, size_t srclen, uint8_t *dst, u32 bi,
- u8 *iv, f64 time)
-{
- noise_keypair_t *kp;
- enum noise_state_crypt ret = SC_FAILED;
-
- if ((kp = r->r_current) == NULL)
- goto error;
-
- /* We confirm that our values are within our tolerances. We want:
- * - a valid keypair
- * - our keypair to be less than REJECT_AFTER_TIME seconds old
- * - our receive counter to be less than REJECT_AFTER_MESSAGES
- * - our send counter to be less than REJECT_AFTER_MESSAGES
- */
- if (!kp->kp_valid ||
- wg_birthdate_has_expired_opt (kp->kp_birthdate, REJECT_AFTER_TIME,
- time) ||
- kp->kp_ctr.c_recv >= REJECT_AFTER_MESSAGES ||
- ((*nonce = noise_counter_send (&kp->kp_ctr)) > REJECT_AFTER_MESSAGES))
- goto error;
-
- /* We encrypt into the same buffer, so the caller must ensure that buf
- * has NOISE_AUTHTAG_LEN bytes to store the MAC. The nonce and index
- * are passed back out to the caller through the provided data pointer. */
- *r_idx = kp->kp_remote_index;
-
- wg_prepare_sync_op (vm, crypto_ops, src, srclen, dst, NULL, 0, *nonce,
- VNET_CRYPTO_OP_CHACHA20_POLY1305_ENC, kp->kp_send_index,
- bi, iv);
-
- /* If our values are still within tolerances, but we are approaching
- * the tolerances, we notify the caller with ESTALE that they should
- * establish a new keypair. The current keypair can continue to be used
- * until the tolerances are hit. We notify if:
- * - our send counter is valid and not less than REKEY_AFTER_MESSAGES
- * - we're the initiator and our keypair is older than
- * REKEY_AFTER_TIME seconds */
- ret = SC_KEEP_KEY_FRESH;
- if ((kp->kp_valid && *nonce >= REKEY_AFTER_MESSAGES) ||
- (kp->kp_is_initiator && wg_birthdate_has_expired_opt (
- kp->kp_birthdate, REKEY_AFTER_TIME, time)))
- goto error;
-
- ret = SC_OK;
-error:
- return ret;
-}
-
-enum noise_state_crypt
noise_sync_remote_decrypt (vlib_main_t *vm, vnet_crypto_op_t **crypto_ops,
noise_remote_t *r, uint32_t r_idx, uint64_t nonce,
uint8_t *src, size_t srclen, uint8_t *dst, u32 bi,
@@ -791,14 +739,6 @@ noise_remote_handshake_index_drop (noise_remote_t * r)
u->u_index_drop (hs->hs_local_index);
}

-static uint64_t
-noise_counter_send (noise_counter_t * ctr)
-{
- uint64_t ret;
- ret = ctr->c_send++;
- return ret;
-}
-
static void
noise_kdf (uint8_t * a, uint8_t * b, uint8_t * c, const uint8_t * x,
size_t a_len, size_t b_len, size_t c_len, size_t x_len,
|