summaryrefslogtreecommitdiffstats
path: root/src/plugins/tlsopenssl/tls_openssl.c
AgeCommit message (Collapse)AuthorFilesLines
2021-08-30tls: use default OpenSSL built-in DH parametersOfer Heifetz1-0/+8
Type: improvement Motivation for this addition is to add support for cipher suites that use Diffie-Hellman Ephemeral (DHE) for key exchange. Using ephemeral DH key exchange yields forward secrecy as the connection can only be decrypted when the DH key is known. Configure OpenSSL to use the default built-in DH parameters for the SSL_CTX object. Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-12tls: add start_listen openssl API return value checkOfer Heifetz1-4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-05-28tls: fix handling of failed acceptsFlorin Coras1-3/+12
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I34b53dcaf4f049157b538ea40a39033d43e525a5
2021-05-22tls: prealloc chunks for dtls dgram enqFlorin Coras1-2/+4
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ib25598f72f6539c07de1acee1e6049ecd28f35cc
2021-05-20tls svm: prealloc tcp fifo chunks before ssl writeFlorin Coras1-0/+7
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I7c47b55ec6f0c83f2d13e0e737d0559a32f7c837
2021-05-19tls: fix signed unsigned comparisonFlorin Coras1-2/+2
On error, the signed value is cast to unsigned. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0f94422f47e40d7c358118b2df8ab96cf4116dd0
2021-05-02tls: cleanup dtls migrated contextFlorin Coras1-4/+9
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I433cc1b7a29f785a431618641317bbfbbe2cf2f4
2021-03-24tls: fix cleanup on app close with dataFlorin Coras1-0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I35b5ae5a58ab38cc4328f9f438938fab4fbd7942
2021-03-22tls: fix tlsopenssl for remaining bufferSivaprasad Tummala1-3/+4
Type: fix 1. added additional checks for pending data in openssl_ctx_read_tls(). 2. fixed read/write typo issues. Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: Id018c62bb9e02bf0d5f9abf929b6030b965a5d61
2021-03-11session tls: deq notifications for custom txFlorin Coras1-0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6ed2104e9d79c367ca36460047586f9b632c3315
2021-02-09tls: dtls initial implementationFlorin Coras1-19/+225
Type: feature Basic dtls transport protocol implementation that relies on openssl wire protocol implementation. Retries/timeouts not yet supported. To test using vcl test apps, first ensure all arp entries are properly resolved and subsequently: server: vcl_server -p dtls 1234 client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
2020-12-20tls: use fifo segments instead of chunksFlorin Coras1-33/+26
Type: refactor Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id67cf8a3e1c5c9b4160689fde5de9ce7ed8a2ee3
2020-12-18tls: add custom openssl bioFlorin Coras1-183/+26
The bio interacts directly with the session so it avoids using an intermediary mem bio and, implicitly, higher memory consumption and an extra memcpy. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f
2020-04-04session tls: support tls deschedulingFlorin Coras1-22/+36
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea
2020-04-04session tls: improve app transports tx schedulingFlorin Coras1-10/+7
Type: improvement - allow apps to request rescheduling of tx events via SESSION_F_CUSTOM_TX flag - limit max burst per session custom tx dispatch In tls - use the new infra to reschedule tx events - use max burst bytes as upper limit to number of bytes to be encrypted Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c
2020-04-03session: improve error reportingFlorin Coras1-3/+3
Type: improvement Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817 Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-02-29tls: reduce bio bufferingFlorin Coras1-2/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0895eb54a8c31bfa545d30287bb0783876483d21
2020-02-26tls: fix bulk bio read/writeFlorin Coras1-47/+29
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I1f981e909c45f1731ce4bdfa959b41d349e22ef1
2020-02-26tls session: fix unlistenFlorin Coras1-4/+0
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie3bc31fc3df662e087f7931de6c274eb3608a2d8
2020-02-25svm: refactor fifoFlorin Coras1-107/+169
Type: refactor Switch from a wrapped byte space to a "continuous" one wherein fifo chunks are appended to the fifo as more data is enqueued and chunks are removed as data is dequeued. The fifo is still subject to a maximum size, i.e., maximum number of bytes that can be enqueued, so the max number of chunks associated to the fifo is also constrained. When enqueueing data, which must fit within the available free space, if not enough "supporting" chunk memory is available, the fifo asks the fifo segment for enough chunk memory to ensure that the write can succeed. To avoid allocating large amounts of small chunks due to small writes, if possible, the size of the chunks requested is lower capped by min_alloc. When dequeuing data, all the chunks that have been completely drained, i.e., head moved beyond the chunks’ end bytes, are unlinked from the fifo and returned to the fifo segment. The one exception to this is the last chunk which is never unlinked. Change-Id: I98c1dbd9135fb79650365c7e40c29238b96cd4ee Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-02-19tls: handle disconect and reset in async modeYu Ping1-5/+21
Type: fix When async is enabled and request is inflight, delay close oepration Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-02-03tls: refactor for tls async event handlingYu Ping1-61/+50
Type: refactor Make sure one tls ctx has one event availble Thus ctx has the same life time with event, which can simplify the management. Change-Id: I1f4240e7316025d81bb97644946ffa399c00cd76 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-01-13tls: enable TLS OpenSSL plugin works in 3.0.0Yu Ping1-0/+5
Type: fix Change-Id: Id1602981fcc6efed1b0efe79a1fc8177457acdb5 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-01-07tls: Make tls CPS test run for a quite long timeYu Ping1-3/+7
Type: fix Change-Id: I8cfb48bd7f92689b296861dd368186408918061b Signed-off-by: Yu Ping <ping.yu@intel.com>
2019-12-05tls: change SSL_has_pending to avoid BIO check errorYu Ping1-2/+2
Type: fix Change-Id: I454aff1b187b75a1328c90e30b9b487377ae5f68 Signed-off-by: Yu Ping <ping.yu@intel.com>
2019-10-09hsa: use crypto_engine_type_t for TLSNathan Skrzypczak1-2/+2
Type: refactor This patch does the following conversions TLS_ENGINE_X -> CRYPTO_ENGINE_X tls_engine_type_t -> crypto_engine_t It does not change numbering of engines Change-Id: I872dfaec3a6713bf4229c84d1ffd98b8b2419995 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2019-10-09session: Add certificate storeNathan Skrzypczak1-8/+6
Type: feature This changes the behavior of both API calls APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD certificates and keys aren't bound to an app, they are passed to it via connect / listen using the message queue. This should be followed by a per protocol (QUIC/TLS) crypto_context store to save devrived structs Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2019-08-20tls: Add C API for TLS openssl to set enginePing Yu1-5/+8
Type: feature Parameters of the engine can be set by C API. After this patch, it is easier to integrate TLS into CSIT test. Change-Id: I063cabf613aabbfad831727551579328705afb41 Signed-off-by: Ping Yu <ping.yu@intel.com>
2019-08-09tls: mark as no lookup transportFlorin Coras1-14/+24
Type:fix Also fix transport close while handshake is ongoing. Change-Id: I004c56d2297d0847c2cb77202f8fba3edaacad29 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-08-08tls: fix close with dataFlorin Coras1-12/+43
Type:fix Also changes the way the ctx is freed. TLS now waits for tcp delete notification before freeing the ctx. Change-Id: I2f606a9ce7b3755ae9d11d6fe714fe11b65dcb98 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-06-29svm: rename fifo tx notifications to reflect useFlorin Coras1-1/+1
Type: refactor Change-Id: I651db44acdcb666a9c63e1037352cf88c68795b5 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-05-16init / exit function orderingDave Barach1-7/+6
The vlib init function subsystem now supports a mix of procedural and formally-specified ordering constraints. We should eliminate procedural knowledge wherever possible. The following schemes are *roughly* equivalent: static clib_error_t *init_runs_first (vlib_main_t *vm) { clib_error_t *error; ... do some stuff... if ((error = vlib_call_init_function (init_runs_next))) return error; ... } VLIB_INIT_FUNCTION (init_runs_first); and static clib_error_t *init_runs_first (vlib_main_t *vm) { ... do some stuff... } VLIB_INIT_FUNCTION (init_runs_first) = { .runs_before = VLIB_INITS("init_runs_next"), }; The first form will [most likely] call "init_runs_next" on the spot. The second form means that "init_runs_first" runs before "init_runs_next," possibly much earlier in the sequence. Please DO NOT construct sets of init functions where A before B actually means A *right before* B. It's not necessary - simply combine A and B - and it leads to hugely annoying debugging exercises when trying to switch from ad-hoc procedural ordering constraints to formal ordering constraints. Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c Signed-off-by: Dave Barach <dave@barachs.net>
2019-05-08session: send tx events when data is dequeuedFlorin Coras1-0/+3
Change-Id: Ib8cb19361c42e38e3f68d7147358378fff161eb1 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-05-03plugins: clean up plugin descriptionsDave Wallace1-1/+1
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki. Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-04-18tls: allow engines to customize closeFlorin Coras1-0/+24
Change-Id: I11ac3e4f59206902e5dfc326f815c877c5dd6643 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-04-16svm_fifo rework to avoid contention on cursizeSirshak Das1-7/+7
Problems Addressed: - Contention of cursize by producer and consumer. - Reduce the no of modulo operations. Changes: - Synchronization between producer and consumer changed from cursize to head and tail indexes Implications: reduces the usable size of fifo by 1. - Using weaker memory ordering C++11 atomics to access head and tail based on producer and consumer role. - Head and tail indexes are unsigned 32 bit integers. Additions and subtraction on them are implicit 32 bit Modulo operation. - Adding weaker memory ordering variants of max_enq, max_deq, is_empty and is_full Using them appropriately in all places. Perfomance improvement (iperf3 via Hoststack): iperf3 Server: Marvell ThunderX2(AArch64) - iperf3 Client: Skylake(x86) ~6%(256 rxd/txd) - ~11%(2048 rxd/txd) Change-Id: I1d484e000e437430fdd5a819657d1c6b62443018 Signed-off-by: Sirshak Das <sirshak.das@arm.com> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
2019-02-18tls: fix openssl/mbedtls use of app_wrk indexFlorin Coras1-2/+7
Change-Id: I7ccc948357d815a1bd4279a7079cf4db2949183c Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-02-04session: cleanup part 1Florin Coras1-19/+17
Rename core data structures. This will break compatibility for out of tree builtin apps. - stream_session_t to session_t - server_rx/tx_fifo to rx/tx_fifo - stream_session.h to session_types.h - update copyright Change-Id: I414097c6e28bcbea866fbf13b8773c7db3f49325 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-01-28update openssl TLS async to align with openssl master branchPing Yu1-4/+2
Need to align with 3.0.0 version Change-Id: I4e8aec1f1226ce09963a9bbb3a9170d1863059ec Signed-off-by: Ping Yu <ping.yu@intel.com>
2019-01-07Change vpp code to align with openssl interface changePing Yu1-11/+15
PR in openssl community is almost done, and need to change some code in VPP to align with the openssl interface. Change-Id: Ic7da53e507b67b53958760d07738dd774b1c526d Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-10-23c11 safe string handling supportDave Barach1-2/+2
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-02tls: fix disconnects for sessions with pending dataFlorin Coras1-12/+12
TLS can enqueue events to itself when app session queue cannot be entirely drained. If a pending disconnect is handled before any such event, session layer may try to dequeue data on deallocated sessions. Change-Id: I5bfc4d53ce95bc16b6a01e1b0e644aafa1ca311b Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-09-15tls: fix openssl engine write complete conditionFlorin Coras1-1/+1
Change-Id: Ic1526f6916970ce2b0c4fc0d148d4396fa629b5f Signed-off-by: Florin Coras <fcoras@cisco.com>
2018-09-04add option to allow user to set ciphersPing Yu1-6/+32
Orignal code hard code TLS ciphers, and this patch allows user to set ciphers via CLI, so that user can perform the TLS testing without re-building the code. Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683 Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-08-17optimize init_server to reduce session overheadPing Yu1-32/+98
move un-necessary session based operation to listener split orignal openssl ctx to be session based ctx and listen ctx Change-Id: Id6c54f47b0e2171fd8924a45efcd5266ce5402d5 Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-07-23tls: avoid possible async handler duplicationPing Yu1-1/+1
One handler is good enough when engine sends out a retry status Thus this patch will just go one branch Change-Id: Id81cb3fa67d2b322b0fe1b2f62cd866cf3491eb4 Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-07-19Add a new communication channel between VPP and openssl enginePing Yu1-4/+23
Thus when engine buffer is full during a burst in performance tesing, this code will help VPP handle retry machansim. Change-Id: I0f9fc05d3dba8a54d34dca4c6137700d6c80f714 Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-07-16Enable openssl TLS async support in client for HW acclerationPing Yu1-0/+15
Change-Id: I003e41786c549c6451a1e9e178f5871d32c20e6e Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-06-15TLS async supportPing Yu1-22/+144
Change-Id: I26194e00dfb85e5cd1c65ff4e6ffd665be2d719b Signed-off-by: Ping Yu <ping.yu@intel.com>
2018-05-31Fix TLS issue to load certification and keyPing Yu1-0/+2
Change-Id: If1ef2d4bc6f90a4d4b6a345c63723117834c6504 Signed-off-by: Ping Yu <ping.yu@intel.com>