Adds support for tls async processing using OpenSSL.
Adds new CLI command to configure OpenSSL TLS configurations used by
OpenSSL context and session. New CLI format is:
tls openssl set-tls [record-size <size>]
[record-split-size <size>]
[max-pipelines <size>]
Sets default values to below TLS configuration parameters:
- first_seg_size: 32MB
- add_seg_size: 256MB
Type: feature
Signed-off-by: Varun Rapelly <vrapelly@marvell.com>
Change-Id: I990be31fced9e258fdb036f5751cd67594b0bce7
Handshake completion is now tracked via a ctx flag so we no longer need
ctx_handshake_is_over.
Also, as we no longer prealloc application sessions, improve ctx state
formatting.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If48588ecde13e56fb99d1a46238bda53ed4eae1b
With this feature, session enable is now modified to have 3 modes of operation
session enable -- only enable session
session enable rt-backend sdl -- enable session with sdl
session enable rt-backend rule-table -- enable session with rule-table
session rule tables are now created on demand, upon adding first rule
to the rule table.
refactor session table to remove depenency from sesssion rules table. Now
session rules table APIs take srtg_handle and transport
proto instead of srt pointer.
Type: feature
Change-Id: Idde6a9b2f46b29bb931f9039636562575572aa14
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: Ic8308046610aa5d49d9595bcd450f9651b9915e4
Signed-off-by: Brian Morris <bmorris2@cisco.com>
The string is allowed to contain lower case characters, for example "TLSv1.2"
Type: fix
Don't force tx rescheduling of tls session if no forward progress is
made. The session will still be rescheduled by the session infra if
there's pending tx data.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ic57b6ee79969055cec782938668c054bcc39f206
Since async rx event infra decouples notification event generation from
delivery we no longer run the risk of having tls realloc session pools
while session layer still holds a pointer to the accepted/connected tcp
session.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1bb429a058707aba1d4f32ea33615a2367e66969
Set the flag in tls framework as opposed to tls engines. This is similar
to passive close.
Type: improvement
Change-Id: I0c2a774b1ef9d7ec6ba74daf1678ea449815184f
Signed-off-by: Florin Coras <fcoras@cisco.com>
If openssl tls server handshake fails, track the fact that the context
does not have an app session.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I5f493059a3610067b59caffbbe441ce9e0868252
When application performs SSL_read from the app rx-fifo, it can
pre-allocate multiple segments, but there is an issue if the OpenSSL
manages to partially fill in the first segment, in this case, since
data is assumed to be copied over by OpenSSL to the pre-allocated
segments(s), vpp uses svm_fifo_enqueue_nocopy API which performs
zero copy by passing the pre-allocated segment to SSL_read.
If the decrypted data size is smaller than the pre-allocated fifo
segment buffer size, application will fetch buffers including zero
in the area not filled in by SSL_read.
Type: fix
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Change-Id: I941a89b17d567d86e5bd2c35785f1df043c33f38
So far by suppressing depreciation messages, as there was no transition
period.
Type: make
Change-Id: I9887613fd71a22bf11bf22a04c129aca4a16867f
Signed-off-by: Damjan Marion <damarion@cisco.com>
In addition to returning the number of bytes also update the number of
segments to reflect the number used.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia87dc2aa62cea38b18dfa83df94dc2abe29d5121
Type: improvement
Motivation for this addition is to add support for cipher suites
that use Diffie-Hellman Ephemeral (DHE) for key exchange.
Using ephemeral DH key exchange yields forward secrecy as the
connection can only be decrypted when the DH key is known.
Configure OpenSSL to use the default built-in DH parameters for the
SSL_CTX object.
Change-Id: I31aadad047a6394ddf8bfa08471c239e0d1cd63c
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
Type: improvement
Check SSL_CTX_use_* API return value and exit on error.
Check BIO_new return code.
Release allocated BIO on error cases.
Change-Id: I9c48e91727e0eeba5d7d74d06fc37634e3c20978
Signed-off-by: Ofer Heifetz <oferh@marvell.com>
On error, the signed value is cast to unsigned.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0f94422f47e40d7c358118b2df8ab96cf4116dd0
Type: fix
Avoid complaint that we're potentially incrementing ii which could be
null.
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I8511c07b1c2f260cc0e526d9aefeb4a051d98edf
Type: feature
Basic dtls transport protocol implementation that relies on openssl
wire protocol implementation. Retries/timeouts not yet supported.
To test using vcl test apps, first ensure all arp entries are properly
resolved and subsequently:
server: vcl_server -p dtls 1234
client: vcl_client -p dtls <server-ip> 1234 -U -N 2000000 -T 1460 -X
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I04b4516a8fe9ce85ba230bcdd891f33a900046ed
The bio interacts directly with the session so it avoids using an
intermediary mem bio and, implicitly, higher memory consumption and an
extra memcpy.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f
Thread index used in qat_init_thread() is passed via a pointer
to a variable located on a stack that does not exist
when qat_init_thread is actually executed.
Type: fix
Fixes: f4a92f6a1c
Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Change-Id: I65dd4e604b78fcb1cf0452d707f47f9785e6371d
Type: improvement
- allow apps to request rescheduling of tx events via
SESSION_F_CUSTOM_TX flag
- limit max burst per session custom tx dispatch
In tls
- use the new infra to reschedule tx events
- use max burst bytes as upper limit to number of bytes to be encrypted
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c
