aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/crypto_ipsecmb
AgeCommit message (Collapse)AuthorFilesLines
2021-10-04build: Allow ipsec-mb plugin to build with libipsec_mb 0.55Nick Brown2-0/+14
The 0.55 version of libipsec_mb does not support the chacha functions used in the plugin. The missing symobls are: ipsecmb_ops_chacha_poly ipsecmb_ops_chacha_poly_chained IMB_CIPHER_DIRECTION Check for ipsecmb_ops_chacha_poly() and conditionalise the chacha code in the plugin on this. ipsec_mb 0.55 is the version currently found in Debian Stable (bullseye) Type: make Signed-off-by: Nick Brown <nickbroon@gmail.com> Change-Id: I88c962ac4f99a58b5cd61fb9b75f692e27d4ec30
2021-05-12crypto: add chacha20-poly1305 support to ipsecmbFan Zhang1-0/+252
Type: feature This patch adds chacha20-poly1305 single and chained algorithm support to ipsecmb crypto engine. Signed-off-by: DariuszX Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: If04ee0c8f985b07fd31dad1ce29000ec6f1733c5
2021-04-30build: declare some CMake variables as advancedDamjan Marion1-2/+2
Type: make Change-Id: I780c1c81a50cb92bc89c05856efd8ef88479c0ab Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-02-04crypto-ipsecmb: add support for AES CTRBenoît Ganne1-36/+40
Type: feature Change-Id: Ide2901f5d2111a518b2c8212aa84468cef1d72ca Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-01-25crypto-ipsecmb: more explicit errors reportingBenoît Ganne1-4/+24
Use error counters related to ipsec-mb return codes instead of 'bad-hmac' only. Type: improvement Change-Id: I9329da300a70d76b4d4ab30fa45f0a2a85d6519b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-07-21crypto: bails out early for unsupported key typeBenoît Ganne1-4/+4
Do not access data structures based on uninitialized key->alg. Type: fix Fixes: f539578bac8b64886b57c460c9d74273e6613f8b Change-Id: I6bfb7e7a51af2c131b8bdf3bca6a38fcf1094760 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-04-30crypto: introduce async crypto infraFan Zhang1-0/+4
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-03-06crypto: align per thread data to cache lineFilip Tehlar1-1/+3
Type: improvement Change-Id: I6bad46403c07b211dfda7229aed1b5e19342865f Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-18crypto: add chained buffer support in ipsecmb (AES-GCM)Filip Tehlar1-0/+83
Type: feature Change-Id: Ia65caf38988c7e860e6d028f93659916825ef16b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-01-10docs: Edit FEATURE.yaml files so they can be publishedJohn DeNisco1-1/+1
Type: docs Signed-off-by: John DeNisco <jdenisco@cisco.com> Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
2020-01-02crypto-ipsecmb: Add FEATURE.yaml for all crypto engine pluginsNeale Ranns1-0/+11
Type: docs Change-Id: Ia00e3167e954271c9eb7618792fd86df288d5c19 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-22crypto-ipsecmb: use single GCM APIFan Zhang1-6/+4
Type: refactor Use ipsecmb single GCM enc/dec API to furthuer improve single buffer performance for small packets. Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I2d34ff50d34b09f194fc0c88b6e9a3928a86fc33
2019-11-07crypto-ipsecmb: improve gcm performance using dedicated API.Fan Zhang1-88/+54
This patch improves the GCM encrypt and decrypt performance using the dedicated API provided by intel-ipsec-mb library. This helps remove the overhead caused by the JOB API. Type: feature Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Change-Id: I00c9ab3ed9f2660093fb2584feb8bca4979acee8
2019-10-22vppinfra: add clib_mem_free_sBenoît Ganne1-6/+2
IPsec zero-es all allocated key memory including memory sur-allocated by the allocator. Move it to its own function in clib mem infra to make it easier to instrument. Type: refactor Change-Id: Icd1c44d18b741e723864abce75ac93e2eff74b61 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-08-09crypto: add '-maes' compile switchBenoît Ganne1-1/+1
AES intrinsics use builtins available only with the -maes and GCC 9 just started to enforce it. Type: fix Change-Id: Ia6825ea3eae7191a4bfee47f9fa93fad16ccf76c Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-05-16init / exit function orderingDave Barach1-4/+6
The vlib init function subsystem now supports a mix of procedural and formally-specified ordering constraints. We should eliminate procedural knowledge wherever possible. The following schemes are *roughly* equivalent: static clib_error_t *init_runs_first (vlib_main_t *vm) { clib_error_t *error; ... do some stuff... if ((error = vlib_call_init_function (init_runs_next))) return error; ... } VLIB_INIT_FUNCTION (init_runs_first); and static clib_error_t *init_runs_first (vlib_main_t *vm) { ... do some stuff... } VLIB_INIT_FUNCTION (init_runs_first) = { .runs_before = VLIB_INITS("init_runs_next"), }; The first form will [most likely] call "init_runs_next" on the spot. The second form means that "init_runs_first" runs before "init_runs_next," possibly much earlier in the sequence. Please DO NOT construct sets of init functions where A before B actually means A *right before* B. It's not necessary - simply combine A and B - and it leads to hugely annoying debugging exercises when trying to switch from ad-hoc procedural ordering constraints to formal ordering constraints. Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c Signed-off-by: Dave Barach <dave@barachs.net>
2019-05-07ipsec-mb: fix the "make test" on non-AESNI platformsAndrew Yourtchenko1-0/+3
"make test" fails with invalid instruction on non-AESNI platform, so do not register the ipsec-mb crypto backend in this case. Change-Id: I61887e40ce3d39880e7da534b9dee00fd677d8fd Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2019-05-06Remove target option when IPSecMB disabledNathan Skrzypczak1-2/+1
Change-Id: I2313932bdc41a4702585aa338f22df3f6e4e23d7 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2019-05-03plugins: clean up plugin descriptionsDave Wallace1-1/+1
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki. Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-04-26crypto, ipsec: change GCM IV handlingDamjan Marion1-49/+16
- nonce construction out of salt and iv is ipsec specific so it should be handled in ipsec code - fixes GCM unit tests - GCM IV is constructed out of simple counter, per RFC4106 section 3.1 Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto_ipsecmb: CBC IV size is always equal to block sizeDamjan Marion1-27/+13
Change-Id: If8b2c8942db17a853883360885def47ce50e7ddd Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto_ipsecmb: use pre-expanded keysDamjan Marion1-218/+207
Change-Id: Ie1d34b7e71554516595e0cd228e2cd54a3b8d629 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto: improve key handlingDamjan Marion1-4/+7
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-23Bump to intel-ipsec-mb version 0.52Damjan Marion1-2/+4
Change-Id: Ifeaf93c98e4af92da9409fa5a2114b577e8c0937 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-17crypto-ipsecmb: enable GCMNeale Ranns1-24/+220
Change-Id: I670d7899bcc63a419daf481167dc445a6386cce8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-15crypto: fix coverity warningsFilip Tehlar1-0/+2
Change-Id: Id9dfd912517c44cf812953bd05ac04c9e172a2b7 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-04-11IPSEC-MB: Use random & non-repeating IV (VPP-1642)Neale Ranns2-14/+57
hard code IV and key lengths based on cipher. Init IV from random data, use AES instruction to rotate. Change-Id: I13a6507d12267b823c528660a903787baeba47a0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10crypto: Intel IPSEC-MB engineNeale Ranns2-0/+416
A plugin to use Intel IPSec MB library as a VPP crypto engine This changes uses concepts from: https://gerrit.fd.io/r/#/c/17301/ hence that author's work is acknowledge below Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92 Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Klement Sekera <ksekera@cisco.com>