With this feature, session enable is now modified to have 3 modes of operation
session enable -- only enable session
session enable rt-backend sdl -- enable session with sdl
session enable rt-backend rule-table -- enable session with rule-table
session rule tables are now created on demand, upon adding first rule
to the rule table.
Refactor session table to remove dependency from session rules table. Now
session rules table APIs take srtg_handle and transport
proto instead of srt pointer.
Type: feature
Change-Id: Idde6a9b2f46b29bb931f9039636562575572aa14
Signed-off-by: Steven Luong <sluong@cisco.com>
|
|
Change-Id: Ic8308046610aa5d49d9595bcd450f9651b9915e4
Signed-off-by: Brian Morris <bmorris2@cisco.com>
The string is allowed to contain lowercase characters, for example "TLSv1.2".
Type: fix
|
|
Don't force tx rescheduling of tls session if no forward progress is
made. The session will still be rescheduled by the session infra if
there's pending tx data.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic57b6ee79969055cec782938668c054bcc39f206
|
|
Since async rx event infra decouples notification event generation from
delivery we no longer run the risk of having tls realloc session pools
while session layer still holds a pointer to the accepted/connected tcp
session.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1bb429a058707aba1d4f32ea33615a2367e66969
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I549d0c8715e5c06bfc22be26ca1dc78ec3c29a61
|
|
Type: refactor
Change-Id: I5235bf3e9aff58af6ba2c14e8c6529c4fc9ec86c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: Ie042605e50656229874b7a93638f0f04c894410f
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Set the flag in tls framework as opposed to tls engines. This is similar
to passive close.
Type: improvement
Change-Id: I0c2a774b1ef9d7ec6ba74daf1678ea449815184f
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: refactor
Change-Id: I527bbc1cf2e7b6d06fd0c88b7563fb59ed28bc40
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: fix
Change-Id: I35b3920288269073cdd35f79c938396128d169c9
Signed-off-by: Brian Morris <bmorris2@cisco.com>
|
|
Session input node handles rx notifications even if the session is not fully
accepted/connected.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6560c45db8f8e0b7f0dc3bdd0939f13ca2f43f15
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic7a8fd37d79fc9c09c8b1539d630f3b8983b8bb3
|
|
If openssl tls server handshake fails, track the fact that the context
does not have an app session.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5f493059a3610067b59caffbbe441ce9e0868252
|
|
When the application performs SSL_read from the app rx-fifo, it can
pre-allocate multiple segments, but there is an issue if OpenSSL
manages to partially fill in the first segment. In this case, since
data is assumed to be copied over by OpenSSL to the pre-allocated
segment(s), vpp uses the svm_fifo_enqueue_nocopy API, which performs
zero copy by passing the pre-allocated segment to SSL_read.
If the decrypted data size is smaller than the pre-allocated fifo
segment buffer size, the application will fetch buffers including zeros
in the area not filled in by SSL_read.
Type: fix
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia2c771cbf826526d2d06b6da022509ab02917350
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I805131b4e3d0cb2fab1d3bf76db659c67522c2e8
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I68ada775810bb4a4f280962a979605b211562a52
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7287e40ad95dfe061fd8a7b0e99921d5540e030d
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5d4e68730a75337a2e532e72f366b62d6973235e
|
|
Type: improvement
Signed-off-by: satna <satbeervarma9596@gmail.com>
Change-Id: I1b1db60fa1a0e47fce273bc07b01887813fd3c48
|
|
Type: improvement
Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com>
Change-Id: I90e90678ae6586019cc842f9d504d53991cfabe4
|
|
Type: improvement
Signed-off-by: sarmurug <sarmurug@cisco.com>
Change-Id: Ibbfe827b9c4c603a6fe7cc49970a46bd683194ce
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If5eed7dac4951f0510a4b4b092f66f44d0d3cacd
|
|
Type: fix
Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com>
Change-Id: I5f7f4b925b3d250c5b8616d1fb35edbde50a7a23
|
|
In addition to returning the number of bytes also update the number of
segments to reflect the number used.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia87dc2aa62cea38b18dfa83df94dc2abe29d5121
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia77b26db61b6f58b4ff659f09192b4ea93ed50b4
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie0fde16fb4e41637169474628808fddf343884f3
|
|
Type: improvement
Motivation for this addition is to add support for cipher suites
that use Diffie-Hellman Ephemeral (DHE) for key exchange.
Using ephemeral DH key exchange yields forward secrecy as the
connection can only be decrypted when the DH key is known.
Configure OpenSSL to use the default built-in DH parameters for the
SSL_CTX object.
Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: improvement
Check SSL_CTX_use_* API return value and exit on error.
Check BIO_new return code.
Release allocated BIO on error cases.
Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I34b53dcaf4f049157b538ea40a39033d43e525a5
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib25598f72f6539c07de1acee1e6049ecd28f35cc
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7c47b55ec6f0c83f2d13e0e737d0559a32f7c837
|
|
On error, the signed value is cast to unsigned.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0f94422f47e40d7c358118b2df8ab96cf4116dd0
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I433cc1b7a29f785a431618641317bbfbbe2cf2f4
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I35b5ae5a58ab38cc4328f9f438938fab4fbd7942
|
|
Type: fix
1. added additional checks for pending data in
openssl_ctx_read_tls().
2. fixed read/write typo issues.
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: Id018c62bb9e02bf0d5f9abf929b6030b965a5d61
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6ed2104e9d79c367ca36460047586f9b632c3315
|
|
Type: feature
Basic dtls transport protocol implementation that relies on openssl
wire protocol implementation. Retries/timeouts not yet supported.
To test using vcl test apps, first ensure all arp entries are properly
resolved and subsequently:
server: vcl_server -p dtls 1234
client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
|
|
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id67cf8a3e1c5c9b4160689fde5de9ce7ed8a2ee3
|
|
The bio interacts directly with the session so it avoids using an
intermediary mem bio and, implicitly, higher memory consumption and an
extra memcpy.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea
|
|
Type: improvement
- allow apps to request rescheduling of tx events via
SESSION_F_CUSTOM_TX flag
- limit max burst per session custom tx dispatch
In tls
- use the new infra to reschedule tx events
- use max burst bytes as upper limit to number of bytes to be encrypted
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c
|
|
Type: improvement
Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0895eb54a8c31bfa545d30287bb0783876483d21
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1f981e909c45f1731ce4bdfa959b41d349e22ef1
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie3bc31fc3df662e087f7931de6c274eb3608a2d8
|
|
Type: refactor
Switch from a wrapped byte space to a "continuous" one wherein fifo
chunks are appended to the fifo as more data is enqueued and chunks are
removed as data is dequeued.
The fifo is still subject to a maximum size, i.e., maximum number of
bytes that can be enqueued, so the max number of chunks associated with
the fifo is also constrained.
When enqueueing data, which must fit within the available free space, if
not enough "supporting" chunk memory is available, the fifo asks the
fifo segment for enough chunk memory to ensure that the write can
succeed. To avoid allocating large amounts of small chunks due to small
writes, if possible, the size of the chunks requested is lower capped by
min_alloc.
When dequeuing data, all the chunks that have been completely drained,
i.e., head moved beyond the chunks’ end bytes, are unlinked from the
fifo and returned to the fifo segment. The one exception to this is the
last chunk which is never unlinked.
Change-Id: I98c1dbd9135fb79650365c7e40c29238b96cd4ee
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: fix
When async is enabled and a request is in flight, delay the close operation.
Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: refactor
Make sure one tls ctx has one event available.
Thus the ctx has the same lifetime as the event, which can simplify the
management.
Change-Id: I1f4240e7316025d81bb97644946ffa399c00cd76
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: fix
Change-Id: Id1602981fcc6efed1b0efe79a1fc8177457acdb5
Signed-off-by: Yu Ping <ping.yu@intel.com>
|