16 #include <mbedtls/ssl.h> 17 #include <mbedtls/certs.h> 18 #include <mbedtls/entropy.h> 19 #include <mbedtls/ctr_drbg.h> 20 #include <mbedtls/timing.h> 21 #include <mbedtls/debug.h> 23 #include <vpp/app/version.h> 26 #define TLS_USE_OUR_MEM_FUNCS 0 32 mbedtls_ssl_context
ssl;
50 #if TLS_USE_OUR_MEM_FUNCS 51 #include <mbedtls/platform.h> 54 mbedtls_calloc_fn (
size_t n,
size_t size)
58 memset (ptr, 0,
sizeof (*ptr));
63 mbedtls_free_fn (
void *ptr)
82 (*ctx)->ctx.c_thread_index = thread_index;
84 (*ctx)->mbedtls_ctx_index = ctx - tm->
ctx_pool[thread_index];
85 return ((*ctx)->mbedtls_ctx_index);
94 mbedtls_ssl_close_notify (&mc->
ssl);
95 if (mc->
ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
97 mbedtls_x509_crt_free (&mc->
srvcert);
98 mbedtls_pk_free (&mc->
pkey);
100 mbedtls_ssl_free (&mc->
ssl);
101 mbedtls_ssl_config_free (&mc->
conf);
131 pers =
format (0,
"vpp thread %u", thread_index);
134 mbedtls_ctr_drbg_init (&mbedtls_main.
ctr_drbgs[thread_index]);
135 if ((rv = mbedtls_ctr_drbg_seed (&tm->
ctr_drbgs[thread_index],
136 mbedtls_entropy_func,
138 (
const unsigned char *) pers,
142 TLS_DBG (1,
" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", rv);
149 mbedtls_ctr_drbg_context *
155 return &mbedtls_main.
ctr_drbgs[thread_index];
171 return MBEDTLS_ERR_SSL_WANT_WRITE;
188 return (rv < 0) ? 0 : rv;
196 fprintf ((FILE *) ctx,
"%s:%04d: %s", file, line, str);
197 fflush ((FILE *) ctx);
211 mbedtls_ssl_init (&mc->
ssl);
212 mbedtls_ssl_config_init (&mc->
conf);
213 if ((rv = mbedtls_ssl_config_defaults (&mc->
conf, MBEDTLS_SSL_IS_CLIENT,
214 MBEDTLS_SSL_TRANSPORT_STREAM,
215 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
217 TLS_DBG (1,
"failed\n ! mbedtls_ssl_config_defaults returned %d\n\n",
222 mbedtls_ssl_conf_authmode (&mc->
conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
224 mbedtls_ssl_conf_rng (&mc->
conf, mbedtls_ctr_drbg_random,
228 if ((rv = mbedtls_ssl_setup (&mc->
ssl, &mc->
conf)) != 0)
230 TLS_DBG (1,
"failed\n ! mbedtls_ssl_setup returned %d\n", rv);
234 if ((rv = mbedtls_ssl_set_hostname (&mc->
ssl,
237 TLS_DBG (1,
"failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv);
248 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
250 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
252 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
256 TLS_DBG (2,
"tls state for [%u]%u is %u", ctx->c_thread_index,
270 mbedtls_ssl_init (&mc->
ssl);
271 mbedtls_ssl_config_init (&mc->
conf);
272 mbedtls_x509_crt_init (&mc->
srvcert);
273 mbedtls_pk_init (&mc->
pkey);
279 if (!app->tls_cert || !app->tls_key)
281 TLS_DBG (1,
" failed\n ! tls cert and/or key not configured %d",
282 ctx->parent_app_index);
286 rv = mbedtls_x509_crt_parse (&mc->
srvcert,
287 (
const unsigned char *) app->tls_cert,
291 TLS_DBG (1,
" failed\n ! mbedtls_x509_crt_parse returned %d", rv);
295 rv = mbedtls_pk_parse_key (&mc->
pkey,
296 (
const unsigned char *) app->tls_key,
300 TLS_DBG (1,
" failed\n ! mbedtls_pk_parse_key returned %d", rv);
307 if ((rv = mbedtls_ssl_config_defaults (&mc->
conf, MBEDTLS_SSL_IS_SERVER,
308 MBEDTLS_SSL_TRANSPORT_STREAM,
309 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
311 TLS_DBG (1,
" failed\n ! mbedtls_ssl_config_defaults returned %d", rv);
315 mbedtls_ssl_conf_rng (&mc->
conf, mbedtls_ctr_drbg_random,
326 if ((rv = mbedtls_ssl_conf_own_cert (&mc->
conf, &mc->
srvcert, &mc->
pkey))
329 TLS_DBG (1,
" failed\n ! mbedtls_ssl_conf_own_cert returned %d", rv);
333 if ((rv = mbedtls_ssl_setup (&mc->
ssl, &mc->
conf)) != 0)
335 TLS_DBG (1,
" failed\n ! mbedtls_ssl_setup returned %d", rv);
339 mbedtls_ssl_session_reset (&mc->
ssl);
347 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
349 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
351 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
356 TLS_DBG (2,
"tls state for [%u]%u is %u", ctx->c_thread_index,
370 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
372 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
378 if (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
384 if (mc->
ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
389 if ((flags = mbedtls_ssl_get_verify_result (&mc->
ssl)) != 0)
393 mbedtls_x509_crt_verify_info (buf,
sizeof (buf),
" ! ", flags);
412 TLS_DBG (1,
"Handshake for %u complete. TLS cipher is %x",
421 u8 thread_index = ctx->c_thread_index;
423 u32 enq_max, deq_max, deq_now;
427 ASSERT (mc->
ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
447 wrote = mbedtls_ssl_write (&mc->
ssl, mm->
tx_bufs[thread_index], deq_now);
458 if (deq_now < deq_max)
469 u8 thread_index = ctx->c_thread_index;
470 u32 deq_max, enq_max, enq_now;
495 read = mbedtls_ssl_read (&mc->
ssl, mm->
rx_bufs[thread_index], enq_now);
520 return (mc->
ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
538 #if TLS_USE_OUR_MEM_FUNCS 539 mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn);
552 for (i = 0; i < num_threads; i++)
567 clib_warning (
"Could not initialize TLS CA certificates");
571 mbedtls_x509_crt_init (&mm->
cacert);
575 clib_warning (
"Couldn't parse system CA certificates: -0x%x", -rv);
579 rv = mbedtls_x509_crt_parse (&mm->
cacert,
584 clib_warning (
"Couldn't parse test certificate: -0x%x", -rv);
588 return (rv < 0 ? -1 : 0);
616 clib_warning (
"failed to initialize entropy and random generators");
632 .version = VPP_BUILD_VER,
633 .description =
"mbedtls based TLS Engine",
mbedtls_ctr_drbg_context * tls_get_ctr_drbg()
tls_main_t * vnet_tls_get_main(void)
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
mbedtls_ctx_t *** ctx_pool
static int mbedtls_ctx_write(tls_ctx_t *ctx, stream_session_t *app_session)
const u32 test_srv_crt_rsa_len
#define TLS_DEBUG_LEVEL_CLIENT
static int tls_init_ctr_drbgs_and_entropy(u32 num_threads)
static mbedtls_main_t mbedtls_main
void tls_notify_app_enqueue(tls_ctx_t *ctx, stream_session_t *app_session)
static u32 svm_fifo_max_enqueue(svm_fifo_t *f)
static void mbedtls_ctx_free(tls_ctx_t *ctx)
static stream_session_t * session_get_from_handle(session_handle_t handle)
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
static int tls_init_ctr_seed_drbgs(void)
#define vec_reset_length(v)
Reset vector length to zero (NULL-pointer tolerant).
static u32 mbedtls_ctx_alloc(void)
#define VLIB_INIT_FUNCTION(x)
static u32 svm_fifo_max_dequeue(svm_fifo_t *f)
static tls_ctx_t * mbedtls_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
int svm_fifo_enqueue_nowait(svm_fifo_t *f, u32 max_bytes, const u8 *copy_from_here)
struct _stream_session_t stream_session_t
#define vlib_call_init_function(vm, x)
static uword pointer_to_uword(const void *p)
struct tls_ctx_mbedtls_ mbedtls_ctx_t
static int mbedtls_ctx_handshake_rx(tls_ctx_t *ctx)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
int tls_init_ca_chain(void)
int tls_notify_app_connected(tls_ctx_t *ctx, u8 is_failed)
static u8 mbedtls_handshake_is_over(tls_ctx_t *ctx)
const char test_srv_crt_rsa[]
static int mbedtls_ctx_read(tls_ctx_t *ctx, stream_session_t *tls_session)
#define uword_to_pointer(u, type)
static_always_inline uword vlib_get_thread_index(void)
static int mbedtls_ctx_init_client(tls_ctx_t *ctx)
#define vec_free(V)
Free vector's memory (no header).
#define clib_warning(format, args...)
static int tls_net_send(void *ctx_indexp, const unsigned char *buf, size_t len)
struct _application application_t
#define TLS_DBG(_fmt, _args...)
void tls_register_engine(const tls_engine_vft_t *vft, tls_engine_type_t type)
mbedtls_entropy_context * entropy_pools
#define TLS_DEBUG_LEVEL_SERVER
#define pool_put_index(p, i)
Free pool element with given index.
struct mbedtls_main_ mbedtls_main_t
static void clib_mem_free(void *p)
static void * clib_mem_alloc(uword size)
static int tls_net_recv(void *ctx_indexp, unsigned char *buf, size_t len)
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 max_bytes)
static void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
application_t * application_get(u32 index)
static clib_error_t * tls_mbedtls_init(vlib_main_t *vm)
int tls_add_vpp_q_evt(svm_fifo_t *f, u8 evt_type)
int tls_notify_app_accept(tls_ctx_t *ctx)
static int mbedtls_ctx_init_server(tls_ctx_t *ctx)
static vlib_thread_main_t * vlib_get_thread_main()
mbedtls_ctr_drbg_context * ctr_drbgs
static tls_ctx_t * mbedtls_ctx_get(u32 ctx_index)
int svm_fifo_peek(svm_fifo_t *f, u32 relative_offset, u32 max_bytes, u8 *copy_here)
static clib_error_t * tls_init(vlib_main_t *vm)
int svm_fifo_dequeue_nowait(svm_fifo_t *f, u32 max_bytes, u8 *copy_here)