8. Crypto Libraries

CNDP does not implement or wrap any crypto API. The developer is free to choose a crypto implementation which satisfies their application’s requirements. OpenSSL* is an implementation that has support for both Intel(R) Multi-Buffer Crypto for OpenSSL* and Intel(R) QuickAssist Technology Engine for OpenSSL* (Intel(R) QAT Engine for OpenSSL*). The Multi-Buffer API is preferred when a Intel(R) QuickAssist Accelerator is not available, or in cases where offloading to an accelerator would yield less throughput, such as those processing predominantly small packets. The OpenSSL toolkit offers the developer the flexibility to choose at runtime which Engine to use, while still programming to the same high-level API.

8.1. OpenSSL*

There are many resources available to describe how to develop applications using OpenSSL. Learn more at the OpenSSL website and the QAT_Engine repo on GitHub*.

8.2. Intel(R) Multi-Buffer Crypto for IPsec Library

For developers who need fast software crypto acceleration, the intel-ipsec-mb library is efficient and easy to use. To develop an application on Ubuntu*, the libipsec-mb-dev package can be installed.

sudo apt-get install -y libipsec-mb-dev

To build an executable, add a dependency to the meson build file.

libipsecmb = cc.find_library('IPSec_MB')
executable(..., dependencies: [libipsecmb])

To use the library for, e.g. IPsec ESP Tunnel mode encryption with AES128-GCM, submit a job.

#include <intel-ipsec-mb.h>


const uint8_t secret[] = { 0, 1, 2, ...};
struct gcm_key_data key;
JOB_AES_HMAC *job;
MB_MGR mb_mgr;

init_mb_mgr_avx(&mb_mgr);

IMB_AES128_GCM_PRE(&mb_mgr, secret, &key);

job                        = IMB_GET_NEXT_JOB(&mb_mgr);
job->cipher_mode           = GCM;
job->hash_alg              = AES_GMAC;
job->chain_order           = CIPHER_HASH;
job->aes_enc_key_expanded  = &key;
job->iv                    = /* Salt + IV */
job->u.GCM.aad             = /* SPI + [E]SN */
job->auth_tag_output       = /* ICV */
job->cipher_direction      = ENCRYPT;
...

job = IMB_SUBMIT_JOB(&mb_mgr);
while (job) {
   if (job->status != STS_COMPLETED)
         ... job failed ...
   job = IMB_GET_COMPLETED_JOB(&mb_mgr);
}

while ((job = IMB_FLUSH_JOB(&mb_mgr)))
   if (job->status != STS_COMPLETED)
      ... job failed ...

The CNDP pktmbuf can be manipulated to insert the outer IPv4 header, ESP header, IV, and append the ESP trailer and ICV.

neweth = (struct ether_header *)pktmbuf_prepend(m, 20 + 8 + 8 /* IP hdr, ESP hdr, IV */);

pad = pktmbuf_append(m, pad_len + 2 + 16 /* padding, pad length, next header, ICV */);
... populate padding, pad length, next header ...

... encrypt/authenticate payload ...

/* populate outer ip header */
oip                  = (struct cne_ipv4_hdr *)(neweth + 1);
oip->version_ihl     = CNE_IPV4_VHL_DEF;
oip->type_of_service = 0;
/* length is the length of the old packet, plus new header, plus ESP trailer and ICV */
oip->total_length    = htobe16(sizeof(*oip) + pay_len + pad_len + 2 + 16);
oip->next_proto_id   = 50; /* ESP */
... remaining ip header fields
oip->hdr_checksum    = cne_ipv4_chksum(oip);

... populate esp header and IV ...

The Security Association Database (SAD) and Security Policy Database (SPD) can be implemented using the CNDP hash or ACL libraries. Finally, routing decisions can be made using the CNDP RIB/FIB libraries.