BF-5.9.6 #5
Closed
BF-5.9.6 #5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* ECDH_compute_key() was not used, as per the comment near compute_shared_key() definition, because it only gives the x-coordinate of the result. However, the default setting, as per the errata mentioned, is to use x-coordinate only. Use ECDH_compute_key() for this as it allows h/w offload of the computation using dynamic engine feature in OpenSSL. EC_POINT_mul() doesn't allow h/w offload. * Install dh_speed and pubkey_speed. These binaries are helpful for testing openssl plugin and PKA offload. Besides, these can be used for performance measurements.
Signed-off-by: Mahantesh Salimath <mahantesh@nvidia.com>
Signed-off-by: Mahantesh Salimath <mahantesh@nvidia.com>
Signed-off-by: Mahantesh Salimath <mahantesh@nvidia.com>
* Even though systemd was not enabled prior to this commit, strongswan service files were installed and enabled in bluefield Ubuntu distributions. Hence systemd is enabled now to remove any confusion/assumption. * OpenSSL reads config from openssl.cnf If ipsec is started with PKA engine config (openssl.cnf.mlnx) loaded in openssl.cnf then it is causing corruption in PKA rings at startup. ipsec is started by systemd service strongswan-starter.service. Hence, perform copy of original openssl.cnf before ipsec is started (ExecStartPre). Now in order to load the PKA engine config, copy (openssl.cnf.mlnx) to openssl.cnf (ExecStartPost) * When using openssl.cnf.mlnx, ipsec PK operations will be offloaded to bluefield PKA HW via the openssl plugin. Signed-off-by: Mahantesh Salimath <mahantesh@nvidia.com>
* Platform is crypto enabled if 'aes', 'sha1' and 'sha2' flags are present in the output of `lscpu`. * openssl.cnf is the config file used by OpenSSL. * openssl.cnf.mlnx links to PKA engine and this can only be used if platform is crypto enabled. Signed-off-by: Mahantesh Salimath <mahantesh@nvidia.com>
The swan configuration needs the "esn" flag setting so the esn offload feature could be activated in the NIC. Without it connection drop in IPSec strongswan after about half an hour of tcp testing
ferasbi
pushed a commit
that referenced
this pull request
Dec 14, 2022
With GCC 11.3 AddressSanitizer causes the following crash when a thread
is cancelled (e.g. in the test_condvar_cancel test):
==84365==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_thread.cpp:367 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0)
#0 0x7ff0801b2988 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cpp:74
#1 0x7ff0801d330e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:78
#2 0x7ff0801b810c in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) ../../../../src/libsanitizer/asan/asan_thread.cpp:367
#3 0x7ff080122e9b in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:203
#4 0x7ff0801242d8 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:455
#5 0x7ff0801242d8 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cpp:439
#6 0x7ff080126a84 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cpp:389
#7 0x7ff0801b1fa5 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cpp:476
strongswan#8 0x7ff080148fe8 in __interceptor_sigaltstack ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:9986
strongswan#9 0x7ff0801af473 in __asan::PlatformUnpoisonStacks() ../../../../src/libsanitizer/asan/asan_posix.cpp:44
strongswan#10 0x7ff0801b500c in __asan_handle_no_return ../../../../src/libsanitizer/asan/asan_rtl.cpp:612
strongswan#11 0x7ff07fe04d50 in thread_main /media/sf_scratch/src/libstrongswan/threading/thread.c:321
strongswan#12 0x7ff07d7d4b42 in start_thread nptl/pthread_create.c:442
strongswan#13 0x7ff07d8669ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
Signed-off-by: Vladimir Sokolovsky <vlad@nvidia.com>
Signed-off-by: Vladimir Sokolovsky <vlad@nvidia.com>
Seems this was forgotten in the referenced commit and actually could lead to a buffer overflow. Since charon-tkm is untrusted this isn't that much of an issue but could at least be easily exploited for a DoS attack as DH public values are set when handling IKE_SA_INIT requests. Fixes: 0356089 ("diffie-hellman: Verify public DH values in backends") Fixes: CVE-2023-41913
…ad flag Previously, when configuring hw_offload = auto, it didn't configure full HW offload. Now when configuring hw_offload = auto, we try full HW offload and if it fails then crypto HW offload and if that fails then no offload. Also removed HW_OFFLOAD_YES and replaces with HW_OFFLOAD_CRYPTO since we now have HW_OFFLOAD_FULL and HW_OFFLOAD_YES doesn't make sense. Also added the flag crypto (hw_offload = crypto) to the swanctl.conf files and kept the yes flag as legacy. Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Not to load PKA engine globally.
PKA engine will not be globally configure for every application uses OpenSSL. It will have to be explicitly loaded by "server" applications, like Strongswan, Apache, Nginx, etc...
For OpenEuler 20.03.
Add DOCA plugin to libcharon that uses DOCA IPsec Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Fix copying openssl.mlnx for openEuler Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Signed-off-by: Muhammad Abu Saleh <musaleh@nvidia.com>
add GPL license to doca_plugin code Signed-off-by: Feras Bisharat <fbisharat@nvidia.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added full HW offload support to strongSwan 5.9.6 (like BF-5.9.0).