crypto: Intel IPSEC-MB engine

A plugin to use Intel IPSec MB library as a VPP crypto engine

This changes uses concepts from:
  https://gerrit.fd.io/r/#/c/17301/
hence that author's work is acknowledge below

Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Klement Sekera <ksekera@cisco.com>

src/plugins/crypto_ipsecmb/CMakeLists.txt

@@ -0,0 +1,35 @@
+
+# Copyright (c) 2019 Cisco Systems
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+find_path(IPSECMB_INCLUDE_DIR NAMES intel-ipsec-mb.h HINTS ${IPSECMB_INCLUDE_DIR_HINT})
+find_library(IPSECMB_LIB NAMES libIPSec_MB.a HINTS ${IPSECMB_LIB_DIR_HINT})
+
+if(IPSECMB_INCLUDE_DIR AND IPSECMB_LIB)
+
+	get_filename_component(IPSECMB_LIB_DIR ${IPSECMB_LIB} DIRECTORY)
+	set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -L${IPSECMB_LIB_DIR} -Wl,--whole-archive ${IPSECMB_LIB} -Wl,--no-whole-archive")
+	set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -Wl,--exclude-libs,libIPSec_MB.a,-l:libIPSec_MB.a")
+	include_directories(${IPSECMB_INCLUDE_DIR})
+	add_vpp_plugin(crypto_ipsecmb
+		SOURCES
+		ipsecmb.c
+
+		LINK_FLAGS
+		${IPSECMB_LINK_FLAGS}
+		)
+
+	message(STATUS "Intel IPSecMB found: ${IPSECMB_INCLUDE_DIR}")
+else()
+	message(STATUS "Intel IPSecMB not found")
+endif()

src/vnet/ipsec/esp_decrypt.c

@@ -232,7 +232,9 @@ esp_decrypt_inline (vlib_main_t * vm,
 	  vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
 	  vnet_crypto_op_init (op, sa0->crypto_dec_op_id);
 	  op->key = sa0->crypto_key.data;
+	  op->key_len = sa0->crypto_key.len;
 	  op->iv = payload;
+	  op->iv_len = cpd.iv_sz;
 	  op->src = op->dst = payload += cpd.iv_sz;
 	  op->len = len;
 	  op->user_data = b - bufs;
@@ -280,8 +282,15 @@ esp_decrypt_inline (vlib_main_t * vm,
 	  ASSERT (op - ptd->crypto_ops < vec_len (ptd->crypto_ops));
 	  if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
 	    {
-	      u32 bi = op->user_data;
-	      u32 err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
+	      u32 err, bi;
+
+	      bi = op->user_data;
+
+	      if (op->status == VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC)
+		err = ESP_DECRYPT_ERROR_INTEG_ERROR;
+	      else
+		err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
+
 	      bufs[bi]->error = node->errors[err];
 	      nexts[bi] = ESP_DECRYPT_NEXT_DROP;
 	      n--;

src/vnet/ipsec/esp_encrypt.c

@@ -431,8 +431,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	  vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
 	  vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
 	  op->iv = payload - iv_sz;
+	  op->iv_len = iv_sz;
 	  op->src = op->dst = payload;
 	  op->key = sa0->crypto_key.data;
+	  op->key_len = sa0->crypto_key.len;
 	  op->len = payload_len - icv_sz;
 	  op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
 	  op->user_data = b - bufs;

test/test_ipsec_ah.py

@@ -313,7 +313,10 @@ class TestIpsecAhAll(ConfigIpsecAH,
         super(TestIpsecAhAll, self).tearDown()
 
     def test_integ_algs(self):
-        """SHA1_96, SHA256, SHA394, SHA512 w/ & w/o ESN"""
+        """All Engines SHA[1_96, 256, 394, 512] w/ & w/o ESN"""
+        # foreach VPP crypto engine
+        engines = ["ia32", "ipsecmb", "openssl"]
+
         algos = [{'vpp': VppEnum.vl_api_ipsec_integ_alg_t.
                   IPSEC_API_INTEG_ALG_SHA1_96,
                   'scapy': "HMAC-SHA1-96"},
@@ -331,45 +334,50 @@ class TestIpsecAhAll(ConfigIpsecAH,
                      IPSEC_API_SAD_FLAG_USE_ESN)]
 
         #
-        # loop through each of the algorithms
+        # loop through the VPP engines
         #
-        for algo in algos:
-            # with self.subTest(algo=algo['scapy']):
-            for flag in flags:
-                #
-                # setup up the config paramters
-                #
-                self.ipv4_params = IPsecIPv4Params()
-                self.ipv6_params = IPsecIPv6Params()
+        for engine in engines:
+            self.vapi.cli("set crypto engine all %s" % engine)
+            #
+            # loop through each of the algorithms
+            #
+            for algo in algos:
+                # with self.subTest(algo=algo['scapy']):
+                for flag in flags:
+                    #
+                    # setup up the config paramters
+                    #
+                    self.ipv4_params = IPsecIPv4Params()
+                    self.ipv6_params = IPsecIPv6Params()
 
-                self.params = {self.ipv4_params.addr_type:
-                               self.ipv4_params,
-                               self.ipv6_params.addr_type:
-                               self.ipv6_params}
+                    self.params = {self.ipv4_params.addr_type:
+                                   self.ipv4_params,
+                                   self.ipv6_params.addr_type:
+                                   self.ipv6_params}
 
-                for _, p in self.params.items():
-                    p.auth_algo_vpp_id = algo['vpp']
-                    p.auth_algo = algo['scapy']
-                    p.flags = p.flags | flag
+                    for _, p in self.params.items():
+                        p.auth_algo_vpp_id = algo['vpp']
+                        p.auth_algo = algo['scapy']
+                        p.flags = p.flags | flag
 
-                #
-                # configure the SPDs. SAs, etc
-                #
-                self.config_network(self.params.values())
+                    #
+                    # configure the SPDs. SAs, etc
+                    #
+                    self.config_network(self.params.values())
 
-                #
-                # run some traffic.
-                #  An exhautsive 4o6, 6o4 is not necessary for each algo
-                #
-                self.verify_tra_basic6(count=17)
-                self.verify_tra_basic4(count=17)
-                self.verify_tun_66(self.params[socket.AF_INET6], count=17)
-                self.verify_tun_44(self.params[socket.AF_INET], count=17)
+                    #
+                    # run some traffic.
+                    #  An exhautsive 4o6, 6o4 is not necessary for each algo
+                    #
+                    self.verify_tra_basic6(count=17)
+                    self.verify_tra_basic4(count=17)
+                    self.verify_tun_66(self.params[socket.AF_INET6], count=17)
+                    self.verify_tun_44(self.params[socket.AF_INET], count=17)
 
-                #
-                # remove the SPDs, SAs, etc
-                #
-                self.unconfig_network()
+                    #
+                    # remove the SPDs, SAs, etc
+                    #
+                    self.unconfig_network()
 
 
 if __name__ == '__main__':

test/test_ipsec_esp.py

@@ -322,7 +322,7 @@ class TemplateIpsecEspUdp(ConfigIpsecESP):
                               self.tun_if).add_vpp_config()
 
         self.config_esp_tun(p)
-        self.logger.info(self.vapi.ppcli("show ipsec"))
+        self.logger.info(self.vapi.ppcli("show ipsec all"))
 
         d = DpoProto.DPO_PROTO_IP4
         VppIpRoute(self,  p.remote_tun_if_host, p.addr_len,
@@ -356,7 +356,7 @@ class TestIpsecEspAll(ConfigIpsecESP,
         """All engines AES-CBC-[128, 192, 256] w/o ESN"""
 
         # foreach VPP crypto engine
-        engines = ["ia32", "openssl"]
+        engines = ["ia32", "ipsecmb", "openssl"]
 
         # foreach crypto algorithm
         algos = [{'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.