Diffstat (limited to 'src')
-rw-r--r-- | src/crypto_engines/ipsecmb/ipsecmb.c | 8 | ||||
-rw-r--r-- | src/crypto_engines/native/main.c | 2 | ||||
-rw-r--r-- | src/crypto_engines/native/sha2.c | 2 | ||||
-rw-r--r-- | src/crypto_engines/openssl/main.c | 6 | ||||
-rw-r--r-- | src/plugins/crypto_sw_scheduler/main.c | 2 | ||||
-rw-r--r-- | src/plugins/dev_octeon/crypto.c | 2 | ||||
-rw-r--r-- | src/plugins/dpdk/cryptodev/cryptodev.c | 8 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.c | 69 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.h | 12 |
9 files changed, 62 insertions, 49 deletions
diff --git a/src/crypto_engines/ipsecmb/ipsecmb.c b/src/crypto_engines/ipsecmb/ipsecmb.c index 256856bed8c..0aeefaecebd 100644 --- a/src/crypto_engines/ipsecmb/ipsecmb.c +++ b/src/crypto_engines/ipsecmb/ipsecmb.c @@ -754,7 +754,7 @@ crypto_ipsecmb_key_handler (vnet_crypto_key_op_t kop, void *kd; /** TODO: add linked alg support **/ - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) return; if (kop == VNET_CRYPTO_KEY_OP_DEL) @@ -805,10 +805,10 @@ crypto_ipsecmb_key_handler (vnet_crypto_key_op_t kop, u64 pad[block_qw], key_hash[block_qw]; clib_memset_u8 (key_hash, 0, HMAC_MAX_BLOCK_SIZE); - if (vec_len (key->data) <= ad->block_size) - clib_memcpy_fast (key_hash, key->data, vec_len (key->data)); + if (key->length <= ad->block_size) + clib_memcpy_fast (key_hash, key->data, key->length); else - ad->hash_fn (key->data, vec_len (key->data), key_hash); + ad->hash_fn (key->data, key->length, key_hash); for (i = 0; i < block_qw; i++) pad[i] = key_hash[i] ^ 0x3636363636363636; diff --git a/src/crypto_engines/native/main.c b/src/crypto_engines/native/main.c index e9e71b6fb6d..193b7a51c10 100644 --- a/src/crypto_engines/native/main.c +++ b/src/crypto_engines/native/main.c @@ -19,7 +19,7 @@ crypto_native_key_handler (vnet_crypto_key_op_t kop, crypto_native_main_t *cm = &crypto_native_main; /** TODO: add linked alg support **/ - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) return; if (cm->key_fn[key->alg] == 0) diff --git a/src/crypto_engines/native/sha2.c b/src/crypto_engines/native/sha2.c index b61a5f08060..46a71b5b327 100644 --- a/src/crypto_engines/native/sha2.c +++ b/src/crypto_engines/native/sha2.c @@ -110,7 +110,7 @@ sha2_key_add (vnet_crypto_key_t *key, clib_sha2_type_t type) clib_sha2_hmac_key_data_t *kd; kd = clib_mem_alloc_aligned (sizeof (*kd), CLIB_CACHE_LINE_BYTES); - clib_sha2_hmac_key_data (type, key->data, vec_len (key->data), kd); + clib_sha2_hmac_key_data (type, key->data, key->length, kd); return kd; } 
diff --git a/src/crypto_engines/openssl/main.c b/src/crypto_engines/openssl/main.c index c5636add266..cfb2a5e0568 100644 --- a/src/crypto_engines/openssl/main.c +++ b/src/crypto_engines/openssl/main.c @@ -494,7 +494,7 @@ openssl_ctx_hmac (vnet_crypto_key_t *key, vnet_crypto_key_op_t kop, vec_validate_aligned (ptd->hmac_ctx, idx, CLIB_CACHE_LINE_BYTES); #if OPENSSL_VERSION_NUMBER >= 0x10100000L ctx = HMAC_CTX_new (); - HMAC_Init_ex (ctx, key->data, vec_len (key->data), md, NULL); + HMAC_Init_ex (ctx, key->data, key->length, md, NULL); ptd->hmac_ctx[idx] = ctx; #else HMAC_CTX_init (&(ptd->_hmac_ctx)); @@ -507,7 +507,7 @@ openssl_ctx_hmac (vnet_crypto_key_t *key, vnet_crypto_key_op_t kop, for (ptd = per_thread_data; ptd - per_thread_data < num_threads; ptd++) { ctx = ptd->hmac_ctx[idx]; - HMAC_Init_ex (ctx, key->data, vec_len (key->data), md, NULL); + HMAC_Init_ex (ctx, key->data, key->length, md, NULL); } } else if (VNET_CRYPTO_KEY_OP_DEL == kop) @@ -530,7 +530,7 @@ crypto_openssl_key_handler (vnet_crypto_key_op_t kop, crypto_openssl_main_t *cm = &crypto_openssl_main; /** TODO: add linked alg support **/ - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) return; if (cm->ctx_fn[key->alg] == 0) diff --git a/src/plugins/crypto_sw_scheduler/main.c b/src/plugins/crypto_sw_scheduler/main.c index a594f30f823..81f13912b6b 100644 --- a/src/plugins/crypto_sw_scheduler/main.c +++ b/src/plugins/crypto_sw_scheduler/main.c @@ -59,7 +59,7 @@ crypto_sw_scheduler_key_handler (vnet_crypto_key_op_t kop, vec_validate (cm->keys, idx); - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) { if (kop == VNET_CRYPTO_KEY_OP_DEL) { diff --git a/src/plugins/dev_octeon/crypto.c b/src/plugins/dev_octeon/crypto.c index 9c710aed7fd..652ed3c75e9 100644 --- a/src/plugins/dev_octeon/crypto.c +++ b/src/plugins/dev_octeon/crypto.c 
@@ -1336,7 +1336,7 @@ oct_crypto_aead_session_update (vlib_main_t *vm, oct_crypto_sess_t *sess, } rv = roc_se_ciph_key_set (&sess->cpt_ctx, enc_type, key->data, - vec_len (key->data)); + key->length)); if (rv) { clib_warning ("Cryptodev: Error in setting cipher key for enc type %u", diff --git a/src/plugins/dpdk/cryptodev/cryptodev.c b/src/plugins/dpdk/cryptodev/cryptodev.c index 0250da7cda3..4f533406fca 100644 --- a/src/plugins/dpdk/cryptodev/cryptodev.c +++ b/src/plugins/dpdk/cryptodev/cryptodev.c @@ -71,7 +71,7 @@ prepare_aead_xform (struct rte_crypto_sym_xform *xform, aead_xform->iv.offset = CRYPTODEV_IV_OFFSET; aead_xform->iv.length = 12; aead_xform->key.data = key->data; - aead_xform->key.length = vec_len (key->data); + aead_xform->key.length = key->length; return 0; } @@ -249,7 +249,7 @@ cryptodev_check_supported_vnet_alg (vnet_crypto_key_t *key) { u32 matched = 0; - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) { switch (key->async_alg) { @@ -453,7 +453,7 @@ cryptodev_session_create (vlib_main_t *vm, vnet_crypto_key_index_t idx, rte_cryptodev_sym_session_create (sess_pool); #endif - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) ret = prepare_linked_xform (xforms_enc, CRYPTODEV_OP_TYPE_ENCRYPT, key); else ret = @@ -464,7 +464,7 @@ cryptodev_session_create (vlib_main_t *vm, vnet_crypto_key_index_t idx, goto clear_key; } - if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) + if (key->is_link) prepare_linked_xform (xforms_dec, CRYPTODEV_OP_TYPE_DECRYPT, key); else prepare_aead_xform (xforms_dec, CRYPTODEV_OP_TYPE_DECRYPT, key, aad_len); diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c index f46e307af89..ff6b42a4382 100644 --- a/src/vnet/crypto/crypto.c +++ b/src/vnet/crypto/crypto.c 
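Review bot: The new argument line in oct_crypto_aead_session_update, `key->length));`, keeps both closing parentheses of the old `vec_len (key->data));` even though the inner call is gone. The roc_se_ciph_key_set () call is therefore unbalanced, and src/plugins/dev_octeon/crypto.c should fail to compile wherever this plugin is built. The line should read `key->length);`. The function body starts and ends outside the hunk.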
@@ -442,7 +442,8 @@ vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, u8 * data, u32 index; vnet_crypto_main_t *cm = &crypto_main; vnet_crypto_engine_t *engine; - vnet_crypto_key_t *key; + vnet_crypto_key_t *key, **kp; + u32 alloc_sz = sizeof (vnet_crypto_key_t) + round_pow2 (length, 16); u8 need_barrier_sync = 0; @@ -454,15 +455,19 @@ vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, u8 * data, if (need_barrier_sync) vlib_worker_thread_barrier_sync (vm); - pool_get_zero (cm->keys, key); + pool_get (cm->keys, kp); if (need_barrier_sync) vlib_worker_thread_barrier_release (vm); - index = key - cm->keys; - key->type = VNET_CRYPTO_KEY_TYPE_DATA; - key->alg = alg; - vec_validate_aligned (key->data, length - 1, CLIB_CACHE_LINE_BYTES); + key = clib_mem_alloc_aligned (alloc_sz, _Alignof (vnet_crypto_key_t)); + kp[0] = key; + index = kp - cm->keys; + *key = (vnet_crypto_key_t){ + .index = index, + .alg = alg, + .length = length, + }; clib_memcpy (key->data, data, length); vec_foreach (engine, cm->engines) if (engine->key_op_handler) @@ -475,23 +480,16 @@ vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index) { vnet_crypto_main_t *cm = &crypto_main; vnet_crypto_engine_t *engine; - vnet_crypto_key_t *key = pool_elt_at_index (cm->keys, index); + vnet_crypto_key_t *key = cm->keys[index]; + u32 sz = sizeof (vnet_crypto_key_t) + round_pow2 (key->length, 16); vec_foreach (engine, cm->engines) if (engine->key_op_handler) engine->key_op_handler (VNET_CRYPTO_KEY_OP_DEL, index); - if (key->type == VNET_CRYPTO_KEY_TYPE_DATA) - { - clib_memset (key->data, 0xfe, vec_len (key->data)); - vec_free (key->data); - } - else if (key->type == VNET_CRYPTO_KEY_TYPE_LINK) - { - key->index_crypto = key->index_integ = ~0; - } - - pool_put (cm->keys, key); + clib_memset (key, 0xfe, sz); + clib_mem_free (key); + pool_put_index (cm->keys, index); } void 
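Review bot: vnet_crypto_key_add allocates `sizeof (vnet_crypto_key_t) + round_pow2 (length, 16)` bytes but writes only the header (through the compound literal) and `length` bytes of `data`, so up to 15 trailing bytes keep whatever the heap held before, assuming clib_mem_alloc_aligned does not zero memory. If the rounding is there so engines can load the key in 16-byte blocks, those loads would pick up stale heap content. Clearing the tail after the copy avoids that, e.g. `clib_memset_u8 (key->data + length, 0, round_pow2 (length, 16) - length);`. A one-line comment on `alloc_sz` saying why the size is rounded would also help, since nothing visible in this diff reads past `key->length`. The function's signature and its tail are outside these hunks.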
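Review bot: vnet_crypto_key_del now loads `cm->keys[index]` directly where `pool_elt_at_index` supplied a debug-build check, and after `clib_mem_free (key)` the pool slot still holds the freed pointer. A repeated delete or a stale index would then hand freed memory to `clib_memset` and `clib_mem_free` a second time. I would keep a check such as `ASSERT (!pool_is_free_index (cm->keys, index));` before the load and add `cm->keys[index] = 0;` before `pool_put_index`. The same unchecked indexing is introduced in vnet_crypto_key_add_linked (`cm->keys[index_crypto]`, `cm->keys[index_integ]`) and in vnet_crypto_get_key in crypto.h, where `vec_elt_at_index` was dropped.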
@@ -523,25 +521,40 @@ vnet_crypto_key_add_linked (vlib_main_t * vm, vnet_crypto_key_index_t index_crypto, vnet_crypto_key_index_t index_integ) { - u32 index; + u32 index, need_barrier_sync; vnet_crypto_main_t *cm = &crypto_main; vnet_crypto_engine_t *engine; - vnet_crypto_key_t *key_crypto, *key_integ, *key; + vnet_crypto_key_t *key_crypto, *key_integ, *key, **kp; vnet_crypto_async_alg_t linked_alg; - key_crypto = pool_elt_at_index (cm->keys, index_crypto); - key_integ = pool_elt_at_index (cm->keys, index_integ); + key_crypto = cm->keys[index_crypto]; + key_integ = cm->keys[index_integ]; linked_alg = vnet_crypto_link_algs (key_crypto->alg, key_integ->alg); if (linked_alg == ~0) return ~0; - pool_get_zero (cm->keys, key); - index = key - cm->keys; - key->type = VNET_CRYPTO_KEY_TYPE_LINK; - key->index_crypto = index_crypto; - key->index_integ = index_integ; - key->async_alg = linked_alg; + need_barrier_sync = pool_get_will_expand (cm->keys); + /* If the cm->keys will expand, stop the parade. */ + if (need_barrier_sync) + vlib_worker_thread_barrier_sync (vm); + + pool_get (cm->keys, kp); + + if (need_barrier_sync) + vlib_worker_thread_barrier_release (vm); + + key = clib_mem_alloc_aligned (sizeof (vnet_crypto_key_t), + _Alignof (vnet_crypto_key_t)); + kp[0] = key; + index = kp - cm->keys; + *key = (vnet_crypto_key_t){ + .index = index, + .is_link = 1, + .index_crypto = index_crypto, + .index_integ = index_integ, + .async_alg = linked_alg, + }; vec_foreach (engine, cm->engines) if (engine->key_op_handler) diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h index 13d08756109..a0e7c261149 100644 --- a/src/vnet/crypto/crypto.h +++ b/src/vnet/crypto/crypto.h @@ -206,11 +206,13 @@ typedef enum typedef struct { + u32 index; + u16 length; + u8 is_link : 1; union { struct { - u8 *data; vnet_crypto_alg_t alg:8; }; struct 
@@ -220,9 +222,7 @@ typedef struct vnet_crypto_async_alg_t async_alg:8; }; }; -#define VNET_CRYPTO_KEY_TYPE_DATA 0 -#define VNET_CRYPTO_KEY_TYPE_LINK 1 - u8 type; + u8 data[]; } vnet_crypto_key_t; typedef enum @@ -468,7 +468,7 @@ typedef struct vnet_crypto_op_data_t opt_data[VNET_CRYPTO_N_OP_IDS]; vnet_crypto_async_op_data_t async_opt_data[VNET_CRYPTO_ASYNC_OP_N_IDS]; vnet_crypto_engine_t *engines; - vnet_crypto_key_t *keys; + vnet_crypto_key_t **keys; uword *engine_index_by_name; uword *alg_index_by_name; uword *async_alg_index_by_name; @@ -545,7 +545,7 @@ static_always_inline vnet_crypto_key_t * vnet_crypto_get_key (vnet_crypto_key_index_t index) { vnet_crypto_main_t *cm = &crypto_main; - return vec_elt_at_index (cm->keys, index); + return cm->keys[index]; } static_always_inline int |
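Review bot: The new flexible member `u8 data[];` in vnet_crypto_key_t has no comment, and two properties visible elsewhere in this diff are easy to miss. Link keys are allocated with exactly `sizeof (vnet_crypto_key_t)`, so `data` has no storage when `is_link` is set. The key bytes also used to come from `vec_validate_aligned (..., CLIB_CACHE_LINE_BYTES)` and now sit directly behind the header in a block aligned only to `_Alignof (vnet_crypto_key_t)`. If any engine relied on cache-line-aligned key bytes, which cannot be told from these hunks, that assumption no longer holds. I would document both on the member, e.g. `u8 data[]; /* length bytes of key material; no storage for link keys; struct alignment only */`. The typedef opens in the previous hunk.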