High-performance Rust bindings for Intel's Multi-Buffer Crypto for IPsec Library, providing optimized cryptographic operations for packet processing applications.
This project provides safe Rust bindings to Intel's optimized cryptographic library, which is designed for high-performance packet processing applications such as:
- IPsec - Internet Protocol Security
- TLS - Transport Layer Security
- Wireless (RAN) - Radio Access Network
- Cable - Cable modem applications
- MPEG DRM - Digital Rights Management
- π High Performance: Leverages Intel's latest instruction extensions (AVX2, AVX-512, etc.)
- π Safe Rust API: Memory-safe wrappers around the C library
- β‘ Multi-Buffer Processing: Advanced cryptographic pipelining
- π Operation Chaining: Combine encryption and authentication operations
- π― Job Management: Built-in scheduling and dispatching functions
- ποΈ Cross-Platform: Supports x86, x86_64, and aarch64 architectures
The project consists of two main crates:
Low-level unsafe FFI bindings to the Intel IPSec MB C library. This crate:
- Generates Rust bindings using
bindgen - Builds the Intel IPSec MB library from source using CMake
- Provides raw access to all C library functions
High-level safe Rust API that wraps the sys crate. This crate:
- Provides memory-safe abstractions
- Implements proper error handling
- Offers convenient APIs for common operations
- SHA-1: Secure Hash Algorithm 1
- SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
- MD5: Message Digest 5
- AES: Advanced Encryption Standard
- 3DES: Triple Data Encryption Standard
- ChaCha20: Stream cipher
- HMAC: Hash-based Message Authentication Code
- Poly1305: Authenticator
- Rust: 1.70+ (2024 edition)
- CMake: 3.18+
- NASM: 2.14+ (for assembly compilation)
- Git: For submodule initialization
-
Clone the repository:
git clone <repository-url> cd intel-ipsec-mb
-
Initialize submodules:
git submodule update --init --recursive
-
Build the project:
cargo build --release
use intel_ipsec_mb::mgr::MbMgr;
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Create a new manager
let mgr = MbMgr::new()?;
// Prepare input data
let input = b"Hello, World!";
let mut output = vec![0u8; 20]; // SHA-1 output size
// Compute SHA-1 hash
mgr.sha1(input, &mut output)?;
println!("SHA-1 hash: {:02x?}", output);
Ok(())
}use intel_ipsec_mb::mgr::MbMgr;
fn main() -> Result<(), Box<dyn std::error::Error>> {
let mgr = MbMgr::new()?;
unsafe {
// Get a job from the manager
let mut job = mgr.get_next_job()?;
let mut output = vec![0u8; 20];
// Fill the job with data
mgr.fill_job_sha1(&mut job, b"Hello, World!", &mut output)?;
// Submit the job for processing
mgr.submit_job()?;
println!("Hash: {:02x?}", output);
}
Ok(())
}The library supports various configuration options:
use intel_ipsec_mb::config::MbMgrConfig;
let config = MbMgrConfig::default()
.with_architecture_detection(true)
.with_forced_architecture(None);
let mgr = MbMgr::new_with_config(config)?;allow-forced: Enables runtime architecture selection (increases binary size)
PROFILE: Controls build optimization (debug/release)CARGO_CFG_TARGET_ARCH: Target architecture (x86, x86_64, aarch64)
The build system automatically configures CMake with:
BUILD_SHARED_LIBS=OFF: Static library buildBUILD_LIBRARY_ONLY=ON: Library-only buildSAFE_OPTIONS: Debug/release specific safety options
| Architecture | OS | Status |
|---|---|---|
| x86_64 | Linux | β Supported |
| x86_64 | Windows | π§ In Progress |
| x86_64 | macOS | π§ In Progress |
| x86 | Linux | β Supported |
The Intel IPSec MB library provides significant performance improvements over standard cryptographic implementations:
- Multi-buffer processing: Process multiple operations in parallel
- Instruction-level optimization: Uses latest CPU instruction sets
- Pipelining: Advanced job scheduling and dispatching
- Memory efficiency: Optimized memory access patterns
The library provides comprehensive error handling:
use intel_ipsec_mb::error::MbError;
match mgr.sha1(input, &mut output) {
Ok(_) => println!("Operation successful"),
Err(MbError::InvalidInput) => println!("Invalid input data"),
Err(MbError::InsufficientBuffer) => println!("Output buffer too small"),
Err(e) => println!("Other error: {}", e),
}- Some function pointers are wrapped as
Option<T>and need proper handling - Architecture-specific optimizations are not fully implemented
- Windows and macOS support is incomplete
- Error handling needs improvement in some areas
Contributions are welcome! Please see the TODO.md file for areas that need work.
-
Install development dependencies:
cargo install cargo-watch cargo-expand
-
Run tests:
cargo test -
Run examples:
cargo run --example basic_usage
This project is licensed under the BSD-3-Clause License - see the LICENSE file for details.
- Intel Corporation for the original IPSec Multi-Buffer Crypto Library
- The Rust community for excellent tooling and ecosystem
- Contributors to this project
- Intel IPSec MB - Original C library
- DPDK - Data Plane Development Kit
- Intel QAT Engine - QuickAssist Technology
- FD.io - Fast Data Project
For issues and questions:
- Open an issue on GitHub
- Check the TODO.md for known issues
- Review the original Intel IPSec MB documentation
Note: This is a work in progress. The API may change as development continues.