TLS #3

Merged
merged 11 commits into from
Jan 1, 2019

krizhanovsky

Call Tempesta TLS encryption from tcp_write_xmit().

SIMD crypto algorithms won't be called through cryptd.
* Reserve room for TLS header in skb headroom.
* Reset TCP connection if we cannot encrypt data on it instead of retransmitting
  it in plaintext. This leads to a warning similar to #984 - leave as TODO for now.
* queue and it's processed (first time) in tcp_write_xmit(). This time the @skb
* isn't scheduled yet, so we can use skb->dev for our needs to avoid extending
* sk_buff. We use the least significant bit to be sure that this isn't a
* pointer to not to break anything. TLS message type << 1 is alwasy smaller
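Review bot: the comment explaining the reuse of skb->dev does not say where the tagged value is cleared before the skb is scheduled and skb->dev is read as a pointer again; naming that place here would make the low-bit trick easier to audit. The phrase "to not to break anything" would also read better as "so as not to break anything".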

alwasy -> always

#ifdef CONFIG_SECURITY_TEMPESTA
/*
* This isn't the only place where tcp_transmit_skb() is called,
* but this is the only place were we are from Tempesta FW

were -> where

* encryption here and get the best TLS record size.
*
* TODO Sometimes HTTP servers send headers and response body in
* different TCP segments, so coalese skbs for transmission to
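Review bot: the TODO on coalescing skbs in this comment carries no issue reference; pointing it at a tracking issue would keep the follow-up from getting lost once this merges.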

coalese -> coalesce

@krizhanovsky krizhanovsky merged commit c06a838 into master Jan 1, 2019
@krizhanovsky krizhanovsky deleted the ak-tls branch January 1, 2019 15:28