aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/crypto_ipsecmb/ipsecmb.c
AgeCommit message (Collapse)AuthorFilesLines
2023-03-06crypto: remove VNET_CRYPTO_OP_FLAG_INIT_IV flagBenoît Ganne1-66/+0
IV requirements vary wildly with the selected mode of operation. For example, for AES-CBC the IV must be unpredictable whereas for AES counter mode (CTR or GCM), it can be predictable but reusing an IV with the same key material is catastrophic. Because of that, it is hard to generate IV in a generic way, and it is better left to the crypto user (eg. IPsec). Type: improvement Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-11-14crypto-ipsecmb: fix plugin crash in VirtualBoxMaros Ondrejicka1-1/+1
Plugin checks just for AVX2 instruction set, while the v1.3 of IPsec Multi-Buffer library checks for both AVX2 and BMI2 sets during init. VirtualBox VM doesn't provide BMI2 by default to guest operating system. Result is that VPP plugin decides to use AVX2 initialization and library then doesn't do it. Since flush_job remains empty, the self-check fails and with that the whole VPP crashes on start-up. Type: fix Signed-off-by: Maros Ondrejicka <maros.ondrejicka@pantheon.tech> Change-Id: I6b661f2b9bbe6dd03b499c55c38a9b814e6d718a
2022-10-19crypto-ipsecmb: support previous ipsecmb versionsMarcel Cornu1-11/+125
Backward compatibility was broken when updating ipsecmb version to 1.3. Type: improvement Signed-off-by: marcel.d.cornu@intel.com Change-Id: I87a76859ec5e2ef6be0bc2af0960fa2494ce4297
2022-10-17crypto-ipsecmb: bump ipsecmb library to v1.3Marcel Cornu1-64/+79
- Use the latest IPsec Multi-Buffer library release v1.3 - Use ipsec-mb burst API for HMAC-SHAx algorithms - Use ipsec-mb burst API for AES-CBC and AES-CTR algorithms The new burst API available in ipsecmb v1.3 brings significant performance improvements for certain algorithms compared to the job API. Type: feature Signed-off-by: marcel.d.cornu@intel.com Change-Id: I3490b35a616a2ea77607f103426df62438c22b2b
2021-10-04build: Allow ipsec-mb plugin to build with libipsec_mb 0.55Nick Brown1-0/+4
The 0.55 version of libipsec_mb does not support the chacha functions used in the plugin. The missing symobls are: ipsecmb_ops_chacha_poly ipsecmb_ops_chacha_poly_chained IMB_CIPHER_DIRECTION Check for ipsecmb_ops_chacha_poly() and conditionalise the chacha code in the plugin on this. ipsec_mb 0.55 is the version currently found in Debian Stable (bullseye) Type: make Signed-off-by: Nick Brown <nickbroon@gmail.com> Change-Id: I88c962ac4f99a58b5cd61fb9b75f692e27d4ec30
2021-05-12crypto: add chacha20-poly1305 support to ipsecmbFan Zhang1-0/+252
Type: feature This patch adds chacha20-poly1305 single and chained algorithm support to ipsecmb crypto engine. Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: If04ee0c8f985b07fd31dad1ce29000ec6f1733c5
2021-02-04crypto-ipsecmb: add support for AES CTRBenoît Ganne1-36/+40
Type: feature Change-Id: Ide2901f5d2111a518b2c8212aa84468cef1d72ca Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-01-25crypto-ipsecmb: more explicit errors reportingBenoît Ganne1-4/+24
Use error counters related to ipsec-mb return codes instead of 'bad-hmac' only. Type: improvement Change-Id: I9329da300a70d76b4d4ab30fa45f0a2a85d6519b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-21crypto: bails out early for unsupported key typeBenoît Ganne1-4/+4
Do not access data structures based on uninitialized key->alg. Type: fix Fixes: f539578bac8b64886b57c460c9d74273e6613f8b Change-Id: I6bfb7e7a51af2c131b8bdf3bca6a38fcf1094760 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-04-30crypto: introduce async crypto infraFan Zhang1-0/+4
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-03-06crypto: align per thread data to cache lineFilip Tehlar1-1/+3
Type: improvement Change-Id: I6bad46403c07b211dfda7229aed1b5e19342865f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-18crypto: add chained buffer support in ipsecmb (AES-GCM)Filip Tehlar1-0/+83
Type: feature Change-Id: Ia65caf38988c7e860e6d028f93659916825ef16b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-11-22crypto-ipsecmb: use single GCM APIFan Zhang1-6/+4
Type: refactor Use ipsecmb single GCM enc/dec API to furthuer improve single buffer performance for small packets. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I2d34ff50d34b09f194fc0c88b6e9a3928a86fc33
2019-11-07crypto-ipsecmb: improve gcm performance using dedicated API.Fan Zhang1-88/+54
This patch improves the GCM encrypt and decrypt performance using the dedicated API provided by intel-ipsec-mb library. This helps remove the overhead caused by the JOB API. Type: feature Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I00c9ab3ed9f2660093fb2584feb8bca4979acee8
2019-10-22vppinfra: add clib_mem_free_sBenoît Ganne1-6/+2
IPsec zero-es all allocated key memory including memory sur-allocated by the allocator. Move it to its own function in clib mem infra to make it easier to instrument. Type: refactor Change-Id: Icd1c44d18b741e723864abce75ac93e2eff74b61 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-05-16init / exit function orderingDave Barach1-4/+6
The vlib init function subsystem now supports a mix of procedural and formally-specified ordering constraints. We should eliminate procedural knowledge wherever possible. The following schemes are *roughly* equivalent: static clib_error_t *init_runs_first (vlib_main_t *vm) { clib_error_t *error; ... do some stuff... if ((error = vlib_call_init_function (init_runs_next))) return error; ... } VLIB_INIT_FUNCTION (init_runs_first); and static clib_error_t *init_runs_first (vlib_main_t *vm) { ... do some stuff... } VLIB_INIT_FUNCTION (init_runs_first) = { .runs_before = VLIB_INITS("init_runs_next"), }; The first form will [most likely] call "init_runs_next" on the spot. The second form means that "init_runs_first" runs before "init_runs_next," possibly much earlier in the sequence. Please DO NOT construct sets of init functions where A before B actually means A *right before* B. It's not necessary - simply combine A and B - and it leads to hugely annoying debugging exercises when trying to switch from ad-hoc procedural ordering constraints to formal ordering constraints. Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c Signed-off-by: Dave Barach <dave@barachs.net>
2019-05-07ipsec-mb: fix the "make test" on non-AESNI platformsAndrew Yourtchenko1-0/+3
"make test" fails with invalid instruction on non-AESNI platform, so do not register the ipsec-mb crypto backend in this case. Change-Id: I61887e40ce3d39880e7da534b9dee00fd677d8fd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-05-03plugins: clean up plugin descriptionsDave Wallace1-1/+1
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki. Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-04-26crypto, ipsec: change GCM IV handlingDamjan Marion1-49/+16
- nonce construction out of salt and iv is ipsec specific so it should be handled in ipsec code - fixes GCM unit tests - GCM IV is constructed out of simple counter, per RFC4106 section 3.1 Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto_ipsecmb: CBC IV size is always equal to block sizeDamjan Marion1-27/+13
Change-Id: If8b2c8942db17a853883360885def47ce50e7ddd Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto_ipsecmb: use pre-expanded keysDamjan Marion1-218/+207
Change-Id: Ie1d34b7e71554516595e0cd228e2cd54a3b8d629 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto: improve key handlingDamjan Marion1-4/+7
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-23Bump to intel-ipsec-mb version 0.52Damjan Marion1-2/+4
Change-Id: Ifeaf93c98e4af92da9409fa5a2114b577e8c0937 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-17crypto-ipsecmb: enable GCMNeale Ranns1-24/+220
Change-Id: I670d7899bcc63a419daf481167dc445a6386cce8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-15crypto: fix coverity warningsFilip Tehlar1-0/+2
Change-Id: Id9dfd912517c44cf812953bd05ac04c9e172a2b7 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-04-11IPSEC-MB: Use random & non-repeating IV (VPP-1642)Neale Ranns1-14/+51
hard code IV and key lengths based on cipher. Init IV from random data, use AES instruction to rotate. Change-Id: I13a6507d12267b823c528660a903787baeba47a0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10crypto: Intel IPSEC-MB engineNeale Ranns1-0/+381
A plugin to use Intel IPSec MB library as a VPP crypto engine This changes uses concepts from: https://gerrit.fd.io/r/#/c/17301/ hence that author's work is acknowledge below Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92 Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Klement Sekera <ksekera@cisco.com>