Age | Commit message (Collapse) | Author | Files | Lines |
|
Adding prefetching to openssl plugin improves both sync and async mode
ipsec performance by more than 5% on N1 ampere.
Sync mode (1420b)
core count old (MPPS) new (MPPS) %diff
1c 0.972 1.01 3.90
2c 1.91 2.02 5.87
3c 2.86 3.04 6.03
Async mode (1420b)
core count old (MPPS) new (MPPS) %diff
1c 1.296 1.37 5.70
2c 2.58 2.753 6.70
3c 3.74 3.9 4.27
6c 7.52 7.832 4.14
Type: improvement
Change-Id: Ieef22c37e1330ac9f8b7e09a25c24162516b6c26
Signed-off-by: Niyaz Murshed <niyaz.murshed@arm.com>
|
|
Type: refactor
Change-Id: I5235bf3e9aff58af6ba2c14e8c6529c4fc9ec86c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
For the openssl crypto engine based cipher encrypt/decrypt and HMAC IPSec
use cases, the openssl API calls of doing ctx init and key expansion are
moved to initialization stage.
In current implementation , the ctx is initialized with "key" and "iv" in
EVP_EncryptInit_ex (ctx, 0, 0, key->data, op->iv)
in data plane, while the ctx can be initialized with 'key' and 'iv' separately,
which means there could be two API calls:
1. EVP_EncryptInit_ex (ctx, 0, 0, key->data, 0)
2. EVP_EncryptInit_ex (ctx, 0, 0, 0, op->iv)
As the 'key' for certain IPSec SA is fixed and known, so call #1 can
be placed in IPSec SA initialization stage.
While call #2 should be kept in data plane for each packet, as the "iv"
is random for each packet.
Type: feature
Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com>
Change-Id: Ided4462c1d4a38addc3078b03d618209e040a07a
|
|
Type: improvement
Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
IV requirements vary wildly with the selected mode of operation. For
example, for AES-CBC the IV must be unpredictable whereas for AES
counter mode (CTR or GCM), it can be predictable but reusing an IV with
the same key material is catastrophic.
Because of that, it is hard to generate IV in a generic way, and it is
better left to the crypto user (eg. IPsec).
Type: improvement
Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
In most cases we only need OpenSSL libcrypto (crypto primitives) but
not libssl (tls).
Type: improvement
Change-Id: I9dce27d23d65bf46aea2d0f8aaf417240701efcc
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Internaly, vpp uses it's own padding, so all the data
is padded using blocksize in /src/vnet/ipsec/ipsec.c
Openssl should add it's own padding, but the data
is already padded. So on decrypt stage when padding
should be removed, it can't be done. And it produces
error `bad decrypt`
Previous versions of openSSL decrypted data almost
at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex
and produced the same error, but data was already decrypted.
Now it's not, so some algorithms could have some problems
with it
PS. openSSL 3.x.x
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If715a80228548b4e588cee222968d9da9024c438
|
|
The sys/random.h header, which provides the getrandom syscall wrapper,
was only added in glibc2.25. To make it compatible with older version,
we can directly call the syscall.
Type: improvement
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
Change-Id: I93c5f8a49c0323511a4e34273f0b3c0e24663bfd
|
|
Type: improvement
Change-Id: I84d594d8baaf18056580455f3b2790d0f31b7b0f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Fixes: 91f17dc
Change-Id: I860b6d5d5e9cf47d84fde0a2c92be43125038694
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
So far by suppressing depreciation messages, as there was no transition
period.
Type: make
Change-Id: I9887613fd71a22bf11bf22a04c129aca4a16867f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: feature
Change-Id: I36041fe5c5f0ff129aee42516189807e96f62123
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I79258a95cfb75587685dffae671255063f57cbef
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Fix build errors related to chachapoly when the
system openssl version is < 0x10100000.
Type: fix
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I62283fcc44c952ddd4d6a9f621c18e8be1af8af1
|
|
Type: feature
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: Iec28fb11b6edff1bee23117f56aa3a3e5729541a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: Rajesh Goel <rajegoel@cisco.com>
Change-Id: I8d128598b4c872f19b64c779c19b5908ba2f2c08
|
|
Type: fix
Change-Id: Ia42ff39a0a33f89901b8333a9e6ca82ca9805cc6
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: feature
Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: docs
Signed-off-by: John DeNisco <jdenisco@cisco.com>
Change-Id: I7280e5c5ad10a66c0787a5282291a2ef000bff5f
|
|
Type: docs
Change-Id: Ia00e3167e954271c9eb7618792fd86df288d5c19
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Since 3DES has 8 bytes of initialization vector and
code contains hardcode for 16 bytes, check added to
determine if crypto algorythm is 3DES_CBC and set
corresponding iv_len param
Change-Id: Iac50c8a8241e321e3b4d576c88f2496852bd905c
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
|
|
The vlib init function subsystem now supports a mix of procedural and
formally-specified ordering constraints. We should eliminate procedural
knowledge wherever possible.
The following schemes are *roughly* equivalent:
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
clib_error_t *error;
... do some stuff...
if ((error = vlib_call_init_function (init_runs_next)))
return error;
...
}
VLIB_INIT_FUNCTION (init_runs_first);
and
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
... do some stuff...
}
VLIB_INIT_FUNCTION (init_runs_first) =
{
.runs_before = VLIB_INITS("init_runs_next"),
};
The first form will [most likely] call "init_runs_next" on the
spot. The second form means that "init_runs_first" runs before
"init_runs_next," possibly much earlier in the sequence.
Please DO NOT construct sets of init functions where A before B
actually means A *right before* B. It's not necessary - simply combine
A and B - and it leads to hugely annoying debugging exercises when
trying to switch from ad-hoc procedural ordering constraints to formal
ordering constraints.
Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
- nonce construction out of salt and iv is ipsec specific so it should be
handled in ipsec code
- fixes GCM unit tests
- GCM IV is constructed out of simple counter, per RFC4106 section 3.1
Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
... at least for use cases we are interested in
Change-Id: I1156ff354635e8f990ce2664ebc8dcd3786ddca5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ib80e9bfb19a79e1adc79aef90371a15954daa993
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I749c5a9d58128fd6d0fb8284e56b8f89cf91c609
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I7d84bab7768421ed37813702c0413e52167f41ab
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Ibb3e2f3ba5f31482fc2f0dce53d68f8476608f4b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ie8dcd9fa0d0487b146eaa62113a5ee06bd3e7d3b
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: I438ef1f50d83560ecc608f898cfc61d7f51e1724
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Icf83c876d0880d1872b84e0a3d34be654b76149f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
This reverts commit 785368e559dbdf50676f74f43f13423c817abb52.
Change-Id: I782ac2be4e161790c73ccd4b08492e2188a6d79d
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I4dc6749a67c0726bae20b8204a5171676308b909
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I18b30d5ee8aa60c34d52b7716b5feb7225cb0d59
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Change-Id: Ibf320b3e7b054b686f3af9a55afd5d5bda9b1048
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|