wireguard: notify key changes to crypto engine

This is a prerequisite patch for the following openssl API optimization patch, which tries to offload openssl ctx init and key expansion work to the initialization stage. Wireguard adds crypto keys via vnet_crypto_key_add (), and whenever it modifies the keys, the underneath openssl crypto engine shoud be informed of the changes to update the openssl ctx. Type: feature Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com> Change-Id: I3e8f033f3f77eebcecfbd06e8e3bbbfdc95a50e2
FDio · Feb 19, 2024 · 6f8252e · 6f8252e
1 parent ff71939
commit 6f8252e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/src/plugins/wireguard/wireguard_noise.c b/src/plugins/wireguard/wireguard_noise.c
@@ -144,6 +144,7 @@ noise_create_initiation (vlib_main_t * vm, noise_remote_t * r,
   /* es */
   if (!noise_mix_dh (hs->hs_ck, key, hs->hs_e, r->r_public))
     goto error;
+  vnet_crypto_key_update (vm, key_idx);
 
   /* s */
   noise_msg_encrypt (vm, es, l->l_public, NOISE_PUBLIC_KEY_LEN, key_idx,
@@ -152,6 +153,7 @@ noise_create_initiation (vlib_main_t * vm, noise_remote_t * r,
   /* ss */
   if (!noise_mix_ss (hs->hs_ck, key, r->r_ss))
     goto error;
+  vnet_crypto_key_update (vm, key_idx);
 
   /* {t} */
   noise_tai64n_now (ets);
@@ -198,6 +200,7 @@ noise_consume_initiation (vlib_main_t * vm, noise_local_t * l,
   /* es */
   if (!noise_mix_dh (hs.hs_ck, key, l->l_private, ue))
     goto error;
+  vnet_crypto_key_update (vm, key_idx);
 
   /* s */
 
@@ -213,6 +216,7 @@ noise_consume_initiation (vlib_main_t * vm, noise_local_t * l,
   /* ss */
   if (!noise_mix_ss (hs.hs_ck, key, r->r_ss))
     goto error;
+  vnet_crypto_key_update (vm, key_idx);
 
   /* {t} */
   if (!noise_msg_decrypt (vm, timestamp, ets,
@@ -287,6 +291,7 @@ noise_create_response (vlib_main_t * vm, noise_remote_t * r, uint32_t * s_idx,
 
   /* psk */
   noise_mix_psk (hs->hs_ck, hs->hs_hash, key, r->r_psk);
+  vnet_crypto_key_update (vm, key_idx);
 
   /* {} */
   noise_msg_encrypt (vm, en, NULL, 0, key_idx, hs->hs_hash);
@@ -341,6 +346,7 @@ noise_consume_response (vlib_main_t * vm, noise_remote_t * r, uint32_t s_idx,
 
   /* psk */
   noise_mix_psk (hs.hs_ck, hs.hs_hash, key, preshared_key);
+  vnet_crypto_key_update (vm, key_idx);
 
   /* {} */
 

diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c
@@ -483,6 +483,17 @@ vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index)
   pool_put (cm->keys, key);
 }
 
+void
+vnet_crypto_key_update (vlib_main_t *vm, vnet_crypto_key_index_t index)
+{
+  vnet_crypto_main_t *cm = &crypto_main;
+  vnet_crypto_engine_t *engine;
+
+  vec_foreach (engine, cm->engines)
+    if (engine->key_op_handler)
+      engine->key_op_handler (vm, VNET_CRYPTO_KEY_OP_MODIFY, index);
+}
+
 vnet_crypto_async_alg_t
 vnet_crypto_link_algs (vnet_crypto_alg_t crypto_alg,
 		       vnet_crypto_alg_t integ_alg)

diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h
@@ -496,6 +496,7 @@ int vnet_crypto_is_set_handler (vnet_crypto_alg_t alg);
 u32 vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg,
 			 u8 * data, u16 length);
 void vnet_crypto_key_del (vlib_main_t * vm, vnet_crypto_key_index_t index);
+void vnet_crypto_key_update (vlib_main_t *vm, vnet_crypto_key_index_t index);
 
 /**
  * Use 2 created keys to generate new key for linked algs (cipher + integ)