summaryrefslogtreecommitdiffstats
path: root/src/plugins/tlsopenssl
AgeCommit message (Collapse)AuthorFilesLines
2023-02-02tls: openssl: fix SSL_read partial read scenarioOfer Heifetz1-8/+10
When application performs SSL_read from the app rx-fifo, it can pre-allocate multiple segments, but there is an issue if the OpenSSL manages to partially fill in the first segment, in this case, since data is assumed to be copied over by OpenSSL to the pre-allocated segments(s), vpp uses svm_fifo_enqueue_nocopy API which performs zero copy by passing the pre-allocated segment to SSL_read. If the decrypted data size is smaller than the pre-allocated fifo segment buffer size, application will fetch buffers including zero in the area not filled in by SSL_read. Type: fix Signed-off-by: Ofer Heifetz <oferh@marvell.com> Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38
2022-10-31tls: use safe pool reallocsFlorin Coras1-2/+3
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia2c771cbf826526d2d06b6da022509ab02917350
2022-09-26api: replace print functions wth formatDamjan Marion1-1/+0
Type: improvement Change-Id: I7f7050c19453a69a7fb6c5e62f8f57db847d9144 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-04-11tls: fix connected notifications with no app wrkFlorin Coras1-1/+5
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I805131b4e3d0cb2fab1d3bf76db659c67522c2e8
2022-04-07tls: fix session pool realloc on acceptFlorin Coras1-0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I68ada775810bb4a4f280962a979605b211562a52
2022-04-04tls: set client ckpair only for non-test ckpFlorin Coras1-13/+15
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I7287e40ad95dfe061fd8a7b0e99921d5540e030d
2022-04-04tls: null terminate openssl chiphersFlorin Coras1-2/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I5d4e68730a75337a2e532e72f366b62d6973235e
2022-04-01tls: enable host verification by hostnamesatna1-3/+40
Type: improvement Signed-off-by: satna <satbeervarma9596@gmail.com> Change-Id: I1b1db60fa1a0e47fce273bc07b01887813fd3c48
2022-03-30tls: support to reinitialise ca_chain wo restartSaravanan Murugesan1-25/+40
Type: improvement Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com> Change-Id: I90e90678ae6586019cc842f9d504d53991cfabe4
2022-03-29tls: Support for client certificate-key pairsarmurug1-0/+50
Type: improvement Signed-off-by: sarmurug <sarmurug@cisco.com> Change-Id: Ibbfe827b9c4c603a6fe7cc49970a46bd683194ce
2022-02-28tls: handle read write ssl errorsFlorin Coras1-3/+31
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: If5eed7dac4951f0510a4b4b092f66f44d0d3cacd
2022-02-28tls: Handle transport disconnect during client HS failuresSaravanan Murugesan1-1/+2
Type: fix Signed-off-by: Saravanan Murugesan <sarmurug@cisco.com> Change-Id: I5f7f4b925b3d250c5b8616d1fb35edbde50a7a23
2022-01-27build: fix compilation on OpenSSL 3.0Damjan Marion1-0/+1
So far by suppressing depreciation messages, as there was no transition period. Type: make Change-Id: I9887613fd71a22bf11bf22a04c129aca4a16867f Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-01-19svm: update number of segments in svm_fifo_segmentsFlorin Coras1-2/+2
In addition to returning the number of bytes also update the number of segments to reflect the number used. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia87dc2aa62cea38b18dfa83df94dc2abe29d5121
2022-01-11tls: ssl close only after all data drainedFlorin Coras1-2/+2
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia77b26db61b6f58b4ff659f09192b4ea93ed50b4
2021-10-08tls: shutdown openssl context on app closeFlorin Coras1-0/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie0fde16fb4e41637169474628808fddf343884f3
2021-08-30tls: use default OpenSSL built-in DH parametersOfer Heifetz1-0/+8
Type: improvement Motivation for this addition is to add support for cipher suites that use Diffie-Hellman Ephemeral (DHE) for key exchange. Using ephemeral DH key exchange yields forward secrecy as the connection can only be decrypted when the DH key is known. Configure OpenSSL to use the default built-in DH parameters for the SSL_CTX object. Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-08-12tls: add start_listen openssl API return value checkOfer Heifetz1-4/+30
Type: improvement Check SSL_CTX_use_* API return value and exit on error. Check BIO_new return code. Release allocated BIO on error cases. Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978 Signed-off-by: Ofer Heifetz <oferh@marvell.com>
2021-05-28tls: fix handling of failed acceptsFlorin Coras1-3/+12
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I34b53dcaf4f049157b538ea40a39033d43e525a5
2021-05-22tls: prealloc chunks for dtls dgram enqFlorin Coras2-3/+5
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ib25598f72f6539c07de1acee1e6049ecd28f35cc
2021-05-20tls svm: prealloc tcp fifo chunks before ssl writeFlorin Coras1-0/+7
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I7c47b55ec6f0c83f2d13e0e737d0559a32f7c837
2021-05-19tls: fix signed unsigned comparisonFlorin Coras1-2/+2
On error, the signed value is cast to unsigned. Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0f94422f47e40d7c358118b2df8ab96cf4116dd0
2021-05-02tls: cleanup dtls migrated contextFlorin Coras1-4/+9
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I433cc1b7a29f785a431618641317bbfbbe2cf2f4
2021-04-20tls: honor tcp deq notification requestFlorin Coras1-0/+6
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ic24516a7242ef4193c5d751a2d5424918c390759
2021-04-14tls: fix coverity warningFlorin Coras1-1/+1
Type: fix Avoid complaint that we're potentially incrementing ii which could be null. Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I8511c07b1c2f260cc0e526d9aefeb4a051d98edf
2021-03-26vlib: convert foreach_vlib_main macro to be more gdb and clang-format friendlyDamjan Marion1-9/+8
Type: improvement Change-Id: I1152e58d7bfcb3c4347147f87a834d45ad51cdfe Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-03-24tls: fix cleanup on app close with dataFlorin Coras1-0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I35b5ae5a58ab38cc4328f9f438938fab4fbd7942
2021-03-22tls: fix tlsopenssl for remaining bufferSivaprasad Tummala1-3/+4
Type: fix 1. added additional checks for pending data in openssl_ctx_read_tls(). 2. fixed read/write typo issues. Signed-off-by: Sivaprasad Tummala <Sivaprasad.Tummala@intel.com> Change-Id: Id018c62bb9e02bf0d5f9abf929b6030b965a5d61
2021-03-11session tls: deq notifications for custom txFlorin Coras1-0/+3
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I6ed2104e9d79c367ca36460047586f9b632c3315
2021-02-09tls: dtls initial implementationFlorin Coras5-19/+462
Type: feature Basic dtls transport protocol implementation that relies on openssl wire protocol implementation. Retries/timeouts not yet supported. To test using vcl test apps, first ensure all arp entries are properly resolved and subsequently: server: vcl_server -p dtls 1234 client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
2020-12-20tls: use fifo segments instead of chunksFlorin Coras1-33/+26
Type: refactor Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id67cf8a3e1c5c9b4160689fde5de9ce7ed8a2ee3
2020-12-18tls: add custom openssl bioFlorin Coras5-184/+244
The bio interacts directly with the session so it avoids using an intermediary mem bio and, implicitly, higher memory consumption and an extra memcpy. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f
2020-12-03tls: fix passed argument in openssl pluginVladimir Medvedkin1-2/+2
Thread index used in qat_init_thread() is passed via a pointer to a variable located on a stack that does not exist when qat_init_thread is actually executed. Type: fix Fixes: f4a92f6a1c Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com> Change-Id: I65dd4e604b78fcb1cf0452d707f47f9785e6371d
2020-04-04session tls: support tls deschedulingFlorin Coras1-22/+36
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea
2020-04-04session tls: improve app transports tx schedulingFlorin Coras1-10/+7
Type: improvement - allow apps to request rescheduling of tx events via SESSION_F_CUSTOM_TX flag - limit max burst per session custom tx dispatch In tls - use the new infra to reschedule tx events - use max burst bytes as upper limit to number of bytes to be encrypted Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c
2020-04-03session: improve error reportingFlorin Coras1-3/+3
Type: improvement Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817 Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-02-29tls: reduce bio bufferingFlorin Coras1-2/+2
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I0895eb54a8c31bfa545d30287bb0783876483d21
2020-02-26tls: fix bulk bio read/writeFlorin Coras1-47/+29
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I1f981e909c45f1731ce4bdfa959b41d349e22ef1
2020-02-26tls session: fix unlistenFlorin Coras1-4/+0
Type: fix Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ie3bc31fc3df662e087f7931de6c274eb3608a2d8
2020-02-25svm: refactor fifoFlorin Coras1-107/+169
Type: refactor Switch from a wrapped byte space to a "continuous" one wherein fifo chunks are appended to the fifo as more data is enqueued and chunks are removed as data is dequeued. The fifo is still subject to a maximum size, i.e., maximum number of bytes that can be enqueued, so the max number of chunks associated to the fifo is also constrained. When enqueueing data, which must fit within the available free space, if not enough "supporting" chunk memory is available, the fifo asks the fifo segment for enough chunk memory to ensure that the write can succeed. To avoid allocating large amounts of small chunks due to small writes, if possible, the size of the chunks requested is lower capped by min_alloc. When dequeuing data, all the chunks that have been completely drained, i.e., head moved beyond the chunks’ end bytes, are unlinked from the fifo and returned to the fifo segment. The one exception to this is the last chunk which is never unlinked. Change-Id: I98c1dbd9135fb79650365c7e40c29238b96cd4ee Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-02-20tls: need to use thread id to fetch the eventYu Ping1-2/+1
Type: fix Change-Id: I429351f04a2865be4a289a3021277f9b2ced902b Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-02-19tls: handle disconect and reset in async modeYu Ping3-11/+38
Type: fix When async is enabled and request is inflight, delay close oepration Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-02-18tls: Add Feature yamlYu Ping1-0/+11
Type: docs Change-Id: Id1972fd1d0769f26ee73db326c22c6a57eb6ceab Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-02-03tls: refactor for tls async event handlingYu Ping4-196/+162
Type: refactor Make sure one tls ctx has one event availble Thus ctx has the same life time with event, which can simplify the management. Change-Id: I1f4240e7316025d81bb97644946ffa399c00cd76 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-01-15tls: enable async node on demandYu Ping1-3/+1
Type: fix Change-Id: Iab7c65614c94497e8ec5a96624be72c1a139e486 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-01-13tls: enable TLS OpenSSL plugin works in 3.0.0Yu Ping1-0/+5
Type: fix Change-Id: Id1602981fcc6efed1b0efe79a1fc8177457acdb5 Signed-off-by: Yu Ping <ping.yu@intel.com>
2020-01-07tls: Make tls CPS test run for a quite long timeYu Ping1-3/+7
Type: fix Change-Id: I8cfb48bd7f92689b296861dd368186408918061b Signed-off-by: Yu Ping <ping.yu@intel.com>
2019-12-05tls: change SSL_has_pending to avoid BIO check errorYu Ping1-2/+2
Type: fix Change-Id: I454aff1b187b75a1328c90e30b9b487377ae5f68 Signed-off-by: Yu Ping <ping.yu@intel.com>
2019-10-09hsa: use crypto_engine_type_t for TLSNathan Skrzypczak1-2/+2
Type: refactor This patch does the following conversions TLS_ENGINE_X -> CRYPTO_ENGINE_X tls_engine_type_t -> crypto_engine_t It does not change numbering of engines Change-Id: I872dfaec3a6713bf4229c84d1ffd98b8b2419995 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2019-10-09session: Add certificate storeNathan Skrzypczak1-8/+6
Type: feature This changes the behavior of both API calls APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD certificates and keys aren't bound to an app, they are passed to it via connect / listen using the message queue. This should be followed by a per protocol (QUIC/TLS) crypto_context store to save devrived structs Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>