path: root/src/plugins/tlsopenssl
Age | Commit message | Author | Files | Lines
2021-02-09 | tls: dtls initial implementation | Florin Coras | 5 | -19/+462
  Type: feature
  Basic dtls transport protocol implementation that relies on openssl wire protocol implementation. Retries/timeouts not yet supported.
  To test using vcl test apps, first ensure all arp entries are properly resolved and subsequently:
  server: vcl_server -p dtls 1234
  client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed

2020-12-20 | tls: use fifo segments instead of chunks | Florin Coras | 1 | -33/+26
  Type: refactor
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: Id67cf8a3e1c5c9b4160689fde5de9ce7ed8a2ee3

2020-12-18 | tls: add custom openssl bio | Florin Coras | 5 | -184/+244
  The bio interacts directly with the session so it avoids using an intermediary mem bio and, implicitly, higher memory consumption and an extra memcpy.
  Type: improvement
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f

2020-12-03 | tls: fix passed argument in openssl plugin | Vladimir Medvedkin | 1 | -2/+2
  Thread index used in qat_init_thread() is passed via a pointer to a variable located on a stack that does not exist when qat_init_thread is actually executed.
  Type: fix
  Fixes: f4a92f6a1c
  Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
  Change-Id: I65dd4e604b78fcb1cf0452d707f47f9785e6371d

2020-04-04 | session tls: support tls descheduling | Florin Coras | 1 | -22/+36
  Type: improvement
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea

2020-04-04 | session tls: improve app transports tx scheduling | Florin Coras | 1 | -10/+7
  Type: improvement
  - allow apps to request rescheduling of tx events via SESSION_F_CUSTOM_TX flag
  - limit max burst per session custom tx dispatch
  In tls
  - use the new infra to reschedule tx events
  - use max burst bytes as upper limit to number of bytes to be encrypted
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c

2020-04-03 | session: improve error reporting | Florin Coras | 1 | -3/+3
  Type: improvement
  Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2020-02-29 | tls: reduce bio buffering | Florin Coras | 1 | -2/+2
  Type: improvement
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: I0895eb54a8c31bfa545d30287bb0783876483d21

2020-02-26 | tls: fix bulk bio read/write | Florin Coras | 1 | -47/+29
  Type: fix
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: I1f981e909c45f1731ce4bdfa959b41d349e22ef1

2020-02-26 | tls session: fix unlisten | Florin Coras | 1 | -4/+0
  Type: fix
  Signed-off-by: Florin Coras <fcoras@cisco.com>
  Change-Id: Ie3bc31fc3df662e087f7931de6c274eb3608a2d8

2020-02-25 | svm: refactor fifo | Florin Coras | 1 | -107/+169
  Type: refactor
  Switch from a wrapped byte space to a "continuous" one wherein fifo chunks are appended to the fifo as more data is enqueued and chunks are removed as data is dequeued.
  The fifo is still subject to a maximum size, i.e., maximum number of bytes that can be enqueued, so the max number of chunks associated to the fifo is also constrained.
  When enqueueing data, which must fit within the available free space, if not enough "supporting" chunk memory is available, the fifo asks the fifo segment for enough chunk memory to ensure that the write can succeed. To avoid allocating large amounts of small chunks due to small writes, if possible, the size of the chunks requested is lower capped by min_alloc.
  When dequeuing data, all the chunks that have been completely drained, i.e., head moved beyond the chunks' end bytes, are unlinked from the fifo and returned to the fifo segment. The one exception to this is the last chunk which is never unlinked.
  Change-Id: I98c1dbd9135fb79650365c7e40c29238b96cd4ee
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2020-02-20 | tls: need to use thread id to fetch the event | Yu Ping | 1 | -2/+1
  Type: fix
  Change-Id: I429351f04a2865be4a289a3021277f9b2ced902b
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2020-02-19 | tls: handle disconnect and reset in async mode | Yu Ping | 3 | -11/+38
  Type: fix
  When async is enabled and request is inflight, delay close operation
  Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2020-02-18 | tls: Add Feature yaml | Yu Ping | 1 | -0/+11
  Type: docs
  Change-Id: Id1972fd1d0769f26ee73db326c22c6a57eb6ceab
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2020-02-03 | tls: refactor for tls async event handling | Yu Ping | 4 | -196/+162
  Type: refactor
  Make sure one tls ctx has one event available. Thus ctx has the same life time with event, which can simplify the management.
  Change-Id: I1f4240e7316025d81bb97644946ffa399c00cd76
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2020-01-15 | tls: enable async node on demand | Yu Ping | 1 | -3/+1
  Type: fix
  Change-Id: Iab7c65614c94497e8ec5a96624be72c1a139e486
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2020-01-13 | tls: enable TLS OpenSSL plugin works in 3.0.0 | Yu Ping | 1 | -0/+5
  Type: fix
  Change-Id: Id1602981fcc6efed1b0efe79a1fc8177457acdb5
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2020-01-07 | tls: Make tls CPS test run for a quite long time | Yu Ping | 1 | -3/+7
  Type: fix
  Change-Id: I8cfb48bd7f92689b296861dd368186408918061b
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2019-12-05 | tls: change SSL_has_pending to avoid BIO check error | Yu Ping | 1 | -2/+2
  Type: fix
  Change-Id: I454aff1b187b75a1328c90e30b9b487377ae5f68
  Signed-off-by: Yu Ping <ping.yu@intel.com>

2019-10-09 | hsa: use crypto_engine_type_t for TLS | Nathan Skrzypczak | 1 | -2/+2
  Type: refactor
  This patch does the following conversions
  TLS_ENGINE_X -> CRYPTO_ENGINE_X
  tls_engine_type_t -> crypto_engine_t
  It does not change numbering of engines
  Change-Id: I872dfaec3a6713bf4229c84d1ffd98b8b2419995
  Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

2019-10-09 | session: Add certificate store | Nathan Skrzypczak | 1 | -8/+6
  Type: feature
  This changes the behavior of both API calls APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD
  certificates and keys aren't bound to an app, they are passed to it via connect / listen using the message queue.
  This should be followed by a per protocol (QUIC/TLS) crypto_context store to save derived structs
  Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
  Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

2019-09-30 | tls: remove api boilerplate | Ole Troan | 6 | -205/+9
  Type: refactor
  Signed-off-by: Ole Troan <ot@cisco.com>
  Change-Id: I92c010e64aa6cc6fb2b3845b37cc24dd112fc5f9

2019-09-02 | tls: some rework based on TLS openssl C API | Ping Yu | 3 | -26/+33
  Type: fix
  Change-Id: I5d0ac1fe6a6770ab8b3a9c366d10387718391199
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2019-08-20 | tls: Add C API for TLS openssl to set engine | Ping Yu | 9 | -10/+436
  Type: feature
  Parameters of the engine can be set by C API. After this patch, it is easier to integrate TLS into CSIT test.
  Change-Id: I063cabf613aabbfad831727551579328705afb41
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2019-08-09 | tls: mark as no lookup transport | Florin Coras | 1 | -14/+24
  Type: fix
  Also fix transport close while handshake is ongoing.
  Change-Id: I004c56d2297d0847c2cb77202f8fba3edaacad29
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-08-08 | tls: fix close with data | Florin Coras | 1 | -12/+43
  Type: fix
  Also changes the way the ctx is freed. TLS now waits for tcp delete notification before freeing the ctx.
  Change-Id: I2f606a9ce7b3755ae9d11d6fe714fe11b65dcb98
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-06-29 | svm: rename fifo tx notifications to reflect use | Florin Coras | 1 | -1/+1
  Type: refactor
  Change-Id: I651db44acdcb666a9c63e1037352cf88c68795b5
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-05-16 | init / exit function ordering | Dave Barach | 1 | -7/+6
  The vlib init function subsystem now supports a mix of procedural and formally-specified ordering constraints. We should eliminate procedural knowledge wherever possible.
  The following schemes are *roughly* equivalent:

  static clib_error_t *init_runs_first (vlib_main_t *vm)
  {
    clib_error_t *error;
    ... do some stuff...
    if ((error = vlib_call_init_function (init_runs_next)))
      return error;
    ...
  }
  VLIB_INIT_FUNCTION (init_runs_first);

  and

  static clib_error_t *init_runs_first (vlib_main_t *vm)
  {
    ... do some stuff...
  }
  VLIB_INIT_FUNCTION (init_runs_first) =
  {
    .runs_before = VLIB_INITS("init_runs_next"),
  };

  The first form will [most likely] call "init_runs_next" on the spot. The second form means that "init_runs_first" runs before "init_runs_next," possibly much earlier in the sequence.
  Please DO NOT construct sets of init functions where A before B actually means A *right before* B. It's not necessary - simply combine A and B - and it leads to hugely annoying debugging exercises when trying to switch from ad-hoc procedural ordering constraints to formal ordering constraints.
  Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
  Signed-off-by: Dave Barach <dave@barachs.net>

2019-05-08 | session: send tx events when data is dequeued | Florin Coras | 1 | -0/+3
  Change-Id: Ib8cb19361c42e38e3f68d7147358378fff161eb1
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-05-03 | plugins: clean up plugin descriptions | Dave Wallace | 1 | -1/+1
  - Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki.
  Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
  Signed-off-by: Dave Wallace <dwallacelf@gmail.com>

2019-04-18 | tls: allow engines to customize close | Florin Coras | 1 | -0/+24
  Change-Id: I11ac3e4f59206902e5dfc326f815c877c5dd6643
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-04-16 | svm_fifo rework to avoid contention on cursize | Sirshak Das | 1 | -7/+7
  Problems Addressed:
  - Contention of cursize by producer and consumer.
  - Reduce the no of modulo operations.
  Changes:
  - Synchronization between producer and consumer changed from cursize to head and tail indexes
    Implications: reduces the usable size of fifo by 1.
  - Using weaker memory ordering C++11 atomics to access head and tail based on producer and consumer role.
  - Head and tail indexes are unsigned 32 bit integers. Additions and subtraction on them are implicit 32 bit Modulo operation.
  - Adding weaker memory ordering variants of max_enq, max_deq, is_empty and is_full
    Using them appropriately in all places.
  Performance improvement (iperf3 via Hoststack):
  iperf3 Server: Marvell ThunderX2(AArch64) - iperf3 Client: Skylake(x86)
  ~6%(256 rxd/txd) - ~11%(2048 rxd/txd)
  Change-Id: I1d484e000e437430fdd5a819657d1c6b62443018
  Signed-off-by: Sirshak Das <sirshak.das@arm.com>
  Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>

2019-02-18 | tls: fix openssl/mbedtls use of app_wrk index | Florin Coras | 1 | -2/+7
  Change-Id: I7ccc948357d815a1bd4279a7079cf4db2949183c
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-02-04 | session: cleanup part 1 | Florin Coras | 3 | -22/+19
  Rename core data structures. This will break compatibility for out of tree builtin apps.
  - stream_session_t to session_t
  - server_rx/tx_fifo to rx/tx_fifo
  - stream_session.h to session_types.h
  - update copyright
  Change-Id: I414097c6e28bcbea866fbf13b8773c7db3f49325
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2019-01-28 | update openssl TLS async to align with openssl master branch | Ping Yu | 1 | -4/+2
  Need to align with 3.0.0 version
  Change-Id: I4e8aec1f1226ce09963a9bbb3a9170d1863059ec
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2019-01-07 | Change vpp code to align with openssl interface change | Ping Yu | 3 | -36/+27
  PR in openssl community is almost done, and need to change some code in VPP to align with the openssl interface.
  Change-Id: Ic7da53e507b67b53958760d07738dd774b1c526d
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-11-08 | tlsopenssl: remove unused #include | Klement Sekera | 1 | -1/+0
  Change-Id: I294e4f93e925c58765d4692337208fcee7d12886
  Signed-off-by: Klement Sekera <ksekera@cisco.com>

2018-10-23 | c11 safe string handling support | Dave Barach | 2 | -3/+3
  Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
  Signed-off-by: Dave Barach <dave@barachs.net>

2018-10-02 | tls: fix disconnects for sessions with pending data | Florin Coras | 1 | -12/+12
  TLS can enqueue events to itself when app session queue cannot be entirely drained. If a pending disconnect is handled before any such event, session layer may try to dequeue data on deallocated sessions.
  Change-Id: I5bfc4d53ce95bc16b6a01e1b0e644aafa1ca311b
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2018-09-27 | add cmake build option to build openssl async | Ping Yu | 1 | -0/+11
  This code is originally in automake, but it is missing in cmake. Thus add it to make openssl async work in cmake build system
  Change-Id: Ie69ee9c2099273e51ce13ccab27bdd2619db4814
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-09-15 | tls: fix openssl engine write complete condition | Florin Coras | 1 | -1/+1
  Change-Id: Ic1526f6916970ce2b0c4fc0d148d4396fa629b5f
  Signed-off-by: Florin Coras <fcoras@cisco.com>

2018-09-13 | Add a polling configure to make thread bind with hardware engine | Ping Yu | 1 | -4/+9
  Change-Id: Ib4130098dd9bf45370bdee9a04e4804074df58b1
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-09-04 | add option to allow user to set ciphers | Ping Yu | 2 | -6/+33
  Original code hard codes TLS ciphers, and this patch allows user to set ciphers via CLI, so that user can perform the TLS testing without re-building the code.
  Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-08-26 | cmake: move functions to src/cmake | Damjan Marion | 1 | -0/+1
  Change-Id: Ibcb7105fa7e3c09efdce01bccd4de235fe33ea99
  Signed-off-by: Damjan Marion <damarion@cisco.com>

2018-08-25 | cmake: improve add_vpp_plugin macro | Damjan Marion | 1 | -2/+8
  Change-Id: Iffd5c45ab242a919592a1f686f7f880936b68a1a
  Signed-off-by: Damjan Marion <damarion@cisco.com>

2018-08-17 | CMake as an alternative to autotools (experimental) | Damjan Marion | 1 | -0/+18
  Change-Id: Ibc59323e849810531dd0963e85493efad3b86857
  Signed-off-by: Damjan Marion <damarion@cisco.com>

2018-08-17 | optimize init_server to reduce session overhead | Ping Yu | 2 | -33/+107
  move unnecessary session based operation to listener
  split original openssl ctx to be session based ctx and listen ctx
  Change-Id: Id6c54f47b0e2171fd8924a45efcd5266ce5402d5
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-08-14 | reduce polling and resume overhead by checking if inflight request exists | Ping Yu | 1 | -3/+6
  Change-Id: I0777a00f0cc082bab3348be8ec0be39faa50ffed
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-07-23 | tls: avoid possible async handler duplication | Ping Yu | 1 | -1/+1
  One handler is good enough when engine sends out a retry status. Thus this patch will just go one branch
  Change-Id: Id81cb3fa67d2b322b0fe1b2f62cd866cf3491eb4
  Signed-off-by: Ping Yu <ping.yu@intel.com>

2018-07-19 | Add a new communication channel between VPP and openssl engine | Ping Yu | 3 | -19/+59
  Thus when engine buffer is full during a burst in performance testing, this code will help VPP handle retry mechanism.
  Change-Id: I0f9fc05d3dba8a54d34dca4c6137700d6c80f714
  Signed-off-by: Ping Yu <ping.yu@intel.com>