History log of /vpp/src/plugins/tlsopenssl/
Revision Date Author Comments
(<<< Hide modified files)
(Show modified files >>>)
9f86d225 23-Mar-2020 Florin Coras <fcoras@cisco.com>

session tls: support tls descheduling

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ieb8bb9c6deb92479fdd3e045778fe5ae4782d1ea

ed8db525 27-Feb-2020 Florin Coras <fcoras@cisco.com>

session tls: improve app transports tx scheduling

Type: improvement

- allow apps to request rescheduling of tx events via
- limit max burst per session custom tx dispatch

In tls
- use the new infra to reschedule tx events
- use max burst bytes as upper limit to number of bytes to be encrypted

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I544a5a3337af7ebdff3406b776adf30cf96ebf3c

00e01d3e 21-Oct-2019 Florin Coras <fcoras@cisco.com>

session: improve error reporting

Type: improvement

Change-Id: I9dd850a1ce85b0adb5136233f176117e0ee38817
Signed-off-by: Florin Coras <fcoras@cisco.com>

05aceacc 26-Feb-2020 Florin Coras <fcoras@cisco.com>

tls: reduce bio buffering

Type: improvement

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I0895eb54a8c31bfa545d30287bb0783876483d21

3017af9a 26-Feb-2020 Florin Coras <fcoras@cisco.com>

tls: fix bulk bio read/write

Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1f981e909c45f1731ce4bdfa959b41d349e22ef1

aab0604c 26-Feb-2020 Florin Coras <fcoras@cisco.com>

tls session: fix unlisten

Type: fix

Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ie3bc31fc3df662e087f7931de6c274eb3608a2d8

f22f4e56 20-Dec-2019 Florin Coras <fcoras@cisco.com>

svm: refactor fifo

Type: refactor

Switch from a wrapped byte space to a "continuous" one wherein fifo
chunks are appended to the fifo as more data is enqueued and chunks are
removed as data is dequeued.

The fifo is still subject to a maximum size, i.e., maximum number of
bytes that can be enqueued, so the max number of chunks associated to
the fifo is also constrained.

When enqueueing data, which must fit within the available free space, if
not enough "supporting" chunk memory is available, the fifo asks the
fifo segment for enough chunk memory to ensure that the write can
succeed. To avoid allocating large amounts of small chunks due to small
writes, if possible, the size of the chunks requested is lower capped by

When dequeuing data, all the chunks that have been completely drained,
i.e., head moved beyond the chunks’ end bytes, are unlinked from the
fifo and returned to the fifo segment. The one exception to this is the
last chunk which is never unlinked.

Change-Id: I98c1dbd9135fb79650365c7e40c29238b96cd4ee
Signed-off-by: Florin Coras <fcoras@cisco.com>

ac267dd4 19-Feb-2020 Yu Ping <ping.yu@intel.com>

tls: need to use thread id to fetch the event

Type: fix

Change-Id: I429351f04a2865be4a289a3021277f9b2ced902b
Signed-off-by: Yu Ping <ping.yu@intel.com>

83782616 18-Feb-2020 Yu Ping <ping.yu@intel.com>

tls: handle disconect and reset in async mode

Type: fix

When async is enabled and request is inflight, delay close oepration

Change-Id: I713078fe9832c1599e8860fc0a6bb98588f20943
Signed-off-by: Yu Ping <ping.yu@intel.com>

04f7830f 18-Feb-2020 Yu Ping <ping.yu@intel.com>

tls: Add Feature yaml

Type: docs

Change-Id: Id1972fd1d0769f26ee73db326c22c6a57eb6ceab
Signed-off-by: Yu Ping <ping.yu@intel.com>

f4a92f6a 20-Jan-2020 Yu Ping <ping.yu@intel.com>

tls: refactor for tls async event handling

Type: refactor

Make sure one tls ctx has one event availble
Thus ctx has the same life time with event, which can simplify the

Change-Id: I1f4240e7316025d81bb97644946ffa399c00cd76
Signed-off-by: Yu Ping <ping.yu@intel.com>

d63b356b 14-Jan-2020 Yu Ping <ping.yu@intel.com>

tls: enable async node on demand

Type: fix

Change-Id: Iab7c65614c94497e8ec5a96624be72c1a139e486
Signed-off-by: Yu Ping <ping.yu@intel.com>

1c6486f7 09-Jan-2020 Yu Ping <ping.yu@intel.com>

tls: enable TLS OpenSSL plugin works in 3.0.0

Type: fix

Change-Id: Id1602981fcc6efed1b0efe79a1fc8177457acdb5
Signed-off-by: Yu Ping <ping.yu@intel.com>

a9ed9347 06-Jan-2020 Yu Ping <ping.yu@intel.com>

tls: Make tls CPS test run for a quite long time

Type: fix

Change-Id: I8cfb48bd7f92689b296861dd368186408918061b
Signed-off-by: Yu Ping <ping.yu@intel.com>

ce9bdfe5 28-Nov-2019 Yu Ping <ping.yu@intel.com>

tls: change SSL_has_pending to avoid BIO check error

Type: fix

Change-Id: I454aff1b187b75a1328c90e30b9b487377ae5f68
Signed-off-by: Yu Ping <ping.yu@intel.com>

82fc5fd4 13-Sep-2019 Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

hsa: use crypto_engine_type_t for TLS

Type: refactor

This patch does the following conversions
tls_engine_type_t -> crypto_engine_t
It does not change numbering of engines

Change-Id: I872dfaec3a6713bf4229c84d1ffd98b8b2419995
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

79f89537 13-Sep-2019 Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

session: Add certificate store

Type: feature

This changes the behavior of both API calls
certificates and keys aren't bound to an app, they are
passed to it via connect / listen using the message

This should be followed by a per protocol (QUIC/TLS)
crypto_context store to save devrived structs

Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>

1e582206 30-Sep-2019 Ole Troan <ot@cisco.com>

tls: remove api boilerplate

Type: refactor
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92c010e64aa6cc6fb2b3845b37cc24dd112fc5f9

dd0cc9ec 22-Aug-2019 Ping Yu <ping.yu@intel.com>

tls: some rework based on TLS openssl C API

Type: fix

Change-Id: I5d0ac1fe6a6770ab8b3a9c366d10387718391199
Signed-off-by: Ping Yu <ping.yu@intel.com>

be4d1aa2 19-Aug-2019 Ping Yu <ping.yu@intel.com>

tls: Add C API for TLS openssl to set engine

Type: feature

Parameters of the engine can be set by C API.
After this patch, it is easier to integrate TLS into CSIT test.

Change-Id: I063cabf613aabbfad831727551579328705afb41
Signed-off-by: Ping Yu <ping.yu@intel.com>

d09236d1 09-Aug-2019 Florin Coras <fcoras@cisco.com>

tls: mark as no lookup transport


Also fix transport close while handshake is ongoing.

Change-Id: I004c56d2297d0847c2cb77202f8fba3edaacad29
Signed-off-by: Florin Coras <fcoras@cisco.com>

ef2b3357 07-Aug-2019 Florin Coras <fcoras@cisco.com>

tls: fix close with data


Also changes the way the ctx is freed. TLS now waits for tcp delete
notification before freeing the ctx.

Change-Id: I2f606a9ce7b3755ae9d11d6fe714fe11b65dcb98
Signed-off-by: Florin Coras <fcoras@cisco.com>

2d379d8c 28-Jun-2019 Florin Coras <fcoras@cisco.com>

svm: rename fifo tx notifications to reflect use

Type: refactor

Change-Id: I651db44acdcb666a9c63e1037352cf88c68795b5
Signed-off-by: Florin Coras <fcoras@cisco.com>

f8d50682 14-May-2019 Dave Barach <dave@barachs.net>

init / exit function ordering

The vlib init function subsystem now supports a mix of procedural and
formally-specified ordering constraints. We should eliminate procedural
knowledge wherever possible.

The following schemes are *roughly* equivalent:

static clib_error_t *init_runs_first (vlib_main_t *vm)
clib_error_t *error;

... do some stuff...

if ((error = vlib_call_init_function (init_runs_next)))
return error;
VLIB_INIT_FUNCTION (init_runs_first);


static clib_error_t *init_runs_first (vlib_main_t *vm)
... do some stuff...
VLIB_INIT_FUNCTION (init_runs_first) =
.runs_before = VLIB_INITS("init_runs_next"),

The first form will [most likely] call "init_runs_next" on the
spot. The second form means that "init_runs_first" runs before
"init_runs_next," possibly much earlier in the sequence.

Please DO NOT construct sets of init functions where A before B
actually means A *right before* B. It's not necessary - simply combine
A and B - and it leads to hugely annoying debugging exercises when
trying to switch from ad-hoc procedural ordering constraints to formal
ordering constraints.

Change-Id: I5e4353503bf43b4acb11a45fb33c79a5ade8426c
Signed-off-by: Dave Barach <dave@barachs.net>

0e573f56 07-May-2019 Florin Coras <fcoras@cisco.com>

session: send tx events when data is dequeued

Change-Id: Ib8cb19361c42e38e3f68d7147358378fff161eb1
Signed-off-by: Florin Coras <fcoras@cisco.com>

1d1985de 23-Apr-2019 Dave Wallace <dwallacelf@gmail.com>

plugins: clean up plugin descriptions

- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.

Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>

06a6a30f 17-Apr-2019 Florin Coras <fcoras@cisco.com>

tls: allow engines to customize close

Change-Id: I11ac3e4f59206902e5dfc326f815c877c5dd6643
Signed-off-by: Florin Coras <fcoras@cisco.com>

28aa539f 05-Feb-2019 Sirshak Das <sirshak.das@arm.com>

svm_fifo rework to avoid contention on cursize

Problems Addressed:
- Contention of cursize by producer and consumer.
- Reduce the no of modulo operations.

- Synchronization between producer and consumer changed from cursize
to head and tail indexes
Implications: reduces the usable size of fifo by 1.
- Using weaker memory ordering C++11 atomics to access head and tail
based on producer and consumer role.
- Head and tail indexes are unsigned 32 bit integers. Additions and
subtraction on them are implicit 32 bit Modulo operation.
- Adding weaker memory ordering variants of max_enq, max_deq, is_empty
and is_full Using them appropriately in all places.

Perfomance improvement (iperf3 via Hoststack):

iperf3 Server: Marvell ThunderX2(AArch64) - iperf3 Client: Skylake(x86)
~6%(256 rxd/txd) - ~11%(2048 rxd/txd)

Change-Id: I1d484e000e437430fdd5a819657d1c6b62443018
Signed-off-by: Sirshak Das <sirshak.das@arm.com>
Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>

df57ea0a 19-Feb-2019 Florin Coras <fcoras@cisco.com>

tls: fix openssl/mbedtls use of app_wrk index

Change-Id: I7ccc948357d815a1bd4279a7079cf4db2949183c
Signed-off-by: Florin Coras <fcoras@cisco.com>

288eaab5 03-Feb-2019 Florin Coras <fcoras@cisco.com>

session: cleanup part 1

Rename core data structures. This will break compatibility for out of
tree builtin apps.

- stream_session_t to session_t
- server_rx/tx_fifo to rx/tx_fifo
- stream_session.h to session_types.h
- update copyright

Change-Id: I414097c6e28bcbea866fbf13b8773c7db3f49325
Signed-off-by: Florin Coras <fcoras@cisco.com>

7da100bd 28-Jan-2019 Ping Yu <ping.yu@intel.com>

update openssl TLS async to align with openssl master branch

Need to align with 3.0.0 version

Change-Id: I4e8aec1f1226ce09963a9bbb3a9170d1863059ec
Signed-off-by: Ping Yu <ping.yu@intel.com>

ceebc1e7 07-Jan-2019 Ping Yu <ping.yu@intel.com>

Change vpp code to align with openssl interface change

PR in openssl community is almost done, and need to change some code in VPP
to align with the openssl interface.

Change-Id: Ic7da53e507b67b53958760d07738dd774b1c526d
Signed-off-by: Ping Yu <ping.yu@intel.com>

7040075e 08-Nov-2018 Klement Sekera <ksekera@cisco.com>

tlsopenssl: remove unused #include

Change-Id: I294e4f93e925c58765d4692337208fcee7d12886
Signed-off-by: Klement Sekera <ksekera@cisco.com>

b7b92993 17-Oct-2018 Dave Barach <dave@barachs.net>

c11 safe string handling support

Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>

ef91534e 29-Sep-2018 Florin Coras <fcoras@cisco.com>

tls: fix disconnects for sessions with pending data

TLS can enqueue events to itself when app session queue cannot be
entirely drained. If a pending disconnect is handled before any such
event, session layer may try to dequeue data on deallocated sessions.

Change-Id: I5bfc4d53ce95bc16b6a01e1b0e644aafa1ca311b
Signed-off-by: Florin Coras <fcoras@cisco.com>

7d7b8c6d 27-Sep-2018 Ping Yu <ping.yu@intel.com>

add cmake build option to build openssl async

This code is orignally in automake, but it is missing in cmake.
Thus add it to make openssl async work in cmake build system

Change-Id: Ie69ee9c2099273e51ce13ccab27bdd2619db4814
Signed-off-by: Ping Yu <ping.yu@intel.com>

35e22cea 15-Sep-2018 Florin Coras <fcoras@cisco.com>

tls: fix openssl engine write complete condition

Change-Id: Ic1526f6916970ce2b0c4fc0d148d4396fa629b5f
Signed-off-by: Florin Coras <fcoras@cisco.com>

12a30202 13-Sep-2018 Ping Yu <ping.yu@intel.com>

Add a polling configure to make thread bind with hardware engine

Change-Id: Ib4130098dd9bf45370bdee9a04e4804074df58b1
Signed-off-by: Ping Yu <ping.yu@intel.com>

7eedb5fb 27-Aug-2018 Ping Yu <ping.yu@intel.com>

add option to allow user to set ciphers

Orignal code hard code TLS ciphers, and this patch allows user to
set ciphers via CLI, so that user can perform the TLS testing
without re-building the code.

Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683
Signed-off-by: Ping Yu <ping.yu@intel.com>

d16004d5 26-Aug-2018 Damjan Marion <damarion@cisco.com>

cmake: move functions to src/cmake

Change-Id: Ibcb7105fa7e3c09efdce01bccd4de235fe33ea99
Signed-off-by: Damjan Marion <damarion@cisco.com>

74449b8b 25-Aug-2018 Damjan Marion <damarion@cisco.com>

cmake: improve add_vpp_plugin macro

Change-Id: Iffd5c45ab242a919592a1f686f7f880936b68a1a
Signed-off-by: Damjan Marion <damarion@cisco.com>

612dd6a9 29-Jul-2018 Damjan Marion <damarion@cisco.com>

CMake as an alternative to autotools (experimental)

Change-Id: Ibc59323e849810531dd0963e85493efad3b86857
Signed-off-by: Damjan Marion <damarion@cisco.com>

decda5b4 13-Aug-2018 Ping Yu <ping.yu@intel.com>

optimize init_server to reduce session overhead

move un-necessary session based operation to listener
split orignal openssl ctx to be session based ctx and listen ctx

Change-Id: Id6c54f47b0e2171fd8924a45efcd5266ce5402d5
Signed-off-by: Ping Yu <ping.yu@intel.com>

998dfd3c 13-Aug-2018 Ping Yu <ping.yu@intel.com>

reduce polling and resume overhead by checking if inflight request exists

Change-Id: I0777a00f0cc082bab3348be8ec0be39faa50ffed
Signed-off-by: Ping Yu <ping.yu@intel.com>

006e6f8a 23-Jul-2018 Ping Yu <ping.yu@intel.com>

tls: avoid possible async handler duplication

One handler is good enough when engine sends out a retry status
Thus this patch will just go one branch

Change-Id: Id81cb3fa67d2b322b0fe1b2f62cd866cf3491eb4
Signed-off-by: Ping Yu <ping.yu@intel.com>

970a0b87 19-Jul-2018 Ping Yu <ping.yu@intel.com>

Add a new communication channel between VPP and openssl engine
Thus when engine buffer is full during a burst in performance
tesing, this code will help VPP handle retry machansim.

Change-Id: I0f9fc05d3dba8a54d34dca4c6137700d6c80f714
Signed-off-by: Ping Yu <ping.yu@intel.com>

cd2fc207 16-Jul-2018 Ping Yu <ping.yu@intel.com>

Enable openssl TLS async support in client for HW accleration

Change-Id: I003e41786c549c6451a1e9e178f5871d32c20e6e
Signed-off-by: Ping Yu <ping.yu@intel.com>

e43832c7 30-May-2018 Ping Yu <ping.yu@intel.com>

TLS async support

Change-Id: I26194e00dfb85e5cd1c65ff4e6ffd665be2d719b
Signed-off-by: Ping Yu <ping.yu@intel.com>

cb91e603 31-May-2018 Ping Yu <ping.yu@intel.com>

Fix TLS issue to load certification and key

Change-Id: If1ef2d4bc6f90a4d4b6a345c63723117834c6504
Signed-off-by: Ping Yu <ping.yu@intel.com>

58d36f02 09-Mar-2018 Florin Coras <fcoras@cisco.com>

tls: add openssl engine

Change-Id: I6c215858d2c9c620787632b570950b15274c0df2
Signed-off-by: Florin Coras <fcoras@cisco.com>