| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Type: improvement
Motivation for this addition is to add support for cipher suites
that use Diffie-Hellman Ephemeral (DHE) for key exchange.
Using ephemeral DH key exchange yields forward secrecy as the
connection can only be decrypted when the DH key is known.
Configure OpenSSL to use the default built-in DH parameters for the
SSL_CTX object.
Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: improvement
Check SSL_CTX_use_* API return value and exit on error.
Check BIO_new return code.
Release allocated BIO on error cases.
Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I34b53dcaf4f049157b538ea40a39033d43e525a5
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ib25598f72f6539c07de1acee1e6049ecd28f35cc
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I7c47b55ec6f0c83f2d13e0e737d0559a32f7c837
|
|
On error, the signed value is cast to unsigned.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0f94422f47e40d7c358118b2df8ab96cf4116dd0
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I433cc1b7a29f785a431618641317bbfbbe2cf2f4
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic24516a7242ef4193c5d751a2d5424918c390759
|
|
Type: fix
Avoid complaint that we're potentially incrementing ii which could be
null.
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8511c07b1c2f260cc0e526d9aefeb4a051d98edf
|
|
Type: improvement
Change-Id: I1152e58d7bfcb3c4347147f87a834d45ad51cdfe
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I35b5ae5a58ab38cc4328f9f438938fab4fbd7942
|
|
Type: fix
1. added additional checks for pending data in
openssl_ctx_read_tls().
2. fixed read/write typo issues.
Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com>
Change-Id: Id018c62bb9e02bf0d5f9abf929b6030b965a5d61
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I6ed2104e9d79c367ca36460047586f9b632c3315
|
|
Type: feature
Basic dtls transport protocol implementation that relies on openssl
wire protocol implementation. Retries/timeouts not yet supported.
To test using vcl test apps, first ensure all arp entries are properly
resolved and subsequently:
server: vcl_server -p dtls 1234
client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
|
|
Type: refactor
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id67cf8a3e1c5c9b4160689fde5de9ce7ed8a2ee3
|
|
The bio interacts directly with the session so it avoids using an
intermediary mem bio and, implicitly, higher memory consumption and an
extra memcpy.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f
|
|
Thread index used in qat_init_thread() is passed via a pointer
to a variable located on a stack that does not exist
when qat_init_thread is actually executed.
Type: fix
Fixes: f4a92f6a1c
Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Change-Id: I65dd4e604b78fcb1cf0452d707f47f9785e6371d
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea
|
|
Type: improvement
- allow apps to request rescheduling of tx events via
SESSION_F_CUSTOM_TX flag
- limit max burst per session custom tx dispatch
In tls
- use the new infra to reschedule tx events
- use max burst bytes as upper limit to number of bytes to be encrypted
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c
|
|
Type: improvement
Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0895eb54a8c31bfa545d30287bb0783876483d21
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1f981e909c45f1731ce4bdfa959b41d349e22ef1
|
|
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie3bc31fc3df662e087f7931de6c274eb3608a2d8
|
|
Type: refactor
Switch from a wrapped byte space to a "continuous" one wherein fifo
chunks are appended to the fifo as more data is enqueued and chunks are
removed as data is dequeued.
The fifo is still subject to a maximum size, i.e., maximum number of
bytes that can be enqueued, so the max number of chunks associated to
the fifo is also constrained.
When enqueueing data, which must fit within the available free space, if
not enough "supporting" chunk memory is available, the fifo asks the
fifo segment for enough chunk memory to ensure that the write can
succeed. To avoid allocating large amounts of small chunks due to small
writes, if possible, the size of the chunks requested is lower capped by
min_alloc.
When dequeuing data, all the chunks that have been completely drained,
i.e., head moved beyond the chunks’ end bytes, are unlinked from the
fifo and returned to the fifo segment. The one exception to this is the
last chunk which is never unlinked.
Change-Id: I98c1dbd9135fb79650365c7e40c29238b96cd4ee
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: fix
Change-Id: I429351f04a2865be4a289a3021277f9b2ced902b
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: fix
When async is enabled and request is inflight, delay close oepration
Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: docs
Change-Id: Id1972fd1d0769f26ee73db326c22c6a57eb6ceab
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: refactor
Make sure one tls ctx has one event availble
Thus ctx has the same life time with event, which can simplify the
management.
Change-Id: I1f4240e7316025d81bb97644946ffa399c00cd76
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: fix
Change-Id: Iab7c65614c94497e8ec5a96624be72c1a139e486
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: fix
Change-Id: Id1602981fcc6efed1b0efe79a1fc8177457acdb5
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: fix
Change-Id: I8cfb48bd7f92689b296861dd368186408918061b
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: fix
Change-Id: I454aff1b187b75a1328c90e30b9b487377ae5f68
Signed-off-by: Yu Ping <ping.yu@intel.com>
|
|
Type: refactor
This patch does the following conversions
TLS_ENGINE_X -> CRYPTO_ENGINE_X
tls_engine_type_t -> crypto_engine_t
It does not change numbering of engines
Change-Id: I872dfaec3a6713bf4229c84d1ffd98b8b2419995
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: feature
This changes the behavior of both API calls
APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD
certificates and keys aren't bound to an app, they are
passed to it via connect / listen using the message
queue.
This should be followed by a per protocol (QUIC/TLS)
crypto_context store to save devrived structs
Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: refactor
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92c010e64aa6cc6fb2b3845b37cc24dd112fc5f9
|
|
Type: fix
Change-Id: I5d0ac1fe6a6770ab8b3a9c366d10387718391199
Signed-off-by: Ping Yu <ping.yu@intel.com>
|
|
Type: feature
Parameters of the engine can be set by C API.
After this patch, it is easier to integrate TLS into CSIT test.
Change-Id: I063cabf613aabbfad831727551579328705afb41
Signed-off-by: Ping Yu <ping.yu@intel.com>
|
|
Type:fix
Also fix transport close while handshake is ongoing.
Change-Id: I004c56d2297d0847c2cb77202f8fba3edaacad29
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type:fix
Also changes the way the ctx is freed. TLS now waits for tcp delete
notification before freeing the ctx.
Change-Id: I2f606a9ce7b3755ae9d11d6fe714fe11b65dcb98
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Type: refactor
Change-Id: I651db44acdcb666a9c63e1037352cf88c68795b5
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
The vlib init function subsystem now supports a mix of procedural and
formally-specified ordering constraints. We should eliminate procedural
knowledge wherever possible.
The following schemes are *roughly* equivalent:
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
clib_error_t *error;
... do some stuff...
if ((error = vlib_call_init_function (init_runs_next)))
return error;
...
}
VLIB_INIT_FUNCTION (init_runs_first);
and
static clib_error_t *init_runs_first (vlib_main_t *vm)
{
... do some stuff...
}
VLIB_INIT_FUNCTION (init_runs_first) =
{
.runs_before = VLIB_INITS("init_runs_next"),
};
The first form will [most likely] call "init_runs_next" on the
spot. The second form means that "init_runs_first" runs before
"init_runs_next," possibly much earlier in the sequence.
Please DO NOT construct sets of init functions where A before B
actually means A *right before* B. It's not necessary - simply combine
A and B - and it leads to hugely annoying debugging exercises when
trying to switch from ad-hoc procedural ordering constraints to formal
ordering constraints.
Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: Ib8cb19361c42e38e3f68d7147358378fff161eb1
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Change-Id: I11ac3e4f59206902e5dfc326f815c877c5dd6643
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Problems Addressed:
- Contention of cursize by producer and consumer.
- Reduce the no of modulo operations.
Changes:
- Synchronization between producer and consumer changed from cursize
to head and tail indexes
Implications: reduces the usable size of fifo by 1.
- Using weaker memory ordering C++11 atomics to access head and tail
based on producer and consumer role.
- Head and tail indexes are unsigned 32 bit integers. Additions and
subtraction on them are implicit 32 bit Modulo operation.
- Adding weaker memory ordering variants of max_enq, max_deq, is_empty
and is_full Using them appropriately in all places.
Perfomance improvement (iperf3 via Hoststack):
iperf3 Server: Marvell ThunderX2(AArch64) - iperf3 Client: Skylake(x86)
~6%(256 rxd/txd) - ~11%(2048 rxd/txd)
Change-Id: I1d484e000e437430fdd5a819657d1c6b62443018
Signed-off-by: Sirshak Das <sirshak.das@arm.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
|
|
Change-Id: I7ccc948357d815a1bd4279a7079cf4db2949183c
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Rename core data structures. This will break compatibility for out of
tree builtin apps.
- stream_session_t to session_t
- server_rx/tx_fifo to rx/tx_fifo
- stream_session.h to session_types.h
- update copyright
Change-Id: I414097c6e28bcbea866fbf13b8773c7db3f49325
Signed-off-by: Florin Coras <fcoras@cisco.com>
|
|
Need to align with 3.0.0 version
Change-Id: I4e8aec1f1226ce09963a9bbb3a9170d1863059ec
Signed-off-by: Ping Yu <ping.yu@intel.com>
|
|
PR in openssl community is almost done, and need to change some code in VPP
to align with the openssl interface.
Change-Id: Ic7da53e507b67b53958760d07738dd774b1c526d
Signed-off-by: Ping Yu <ping.yu@intel.com>
|
|
Change-Id: I294e4f93e925c58765d4692337208fcee7d12886
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
Ofer Heifetz
Florin Coras
Damjan Marion
Sivaprasad Tummala
Vladimir Medvedkin
Yu Ping
Nathan Skrzypczak
Ole Troan
Dave Barach
Dave Wallace
Sirshak Das
Klement Sekera