16 #include <openssl/ssl.h> 17 #include <openssl/conf.h> 18 #include <openssl/err.h> 19 #ifdef HAVE_OPENSSL_ASYNC 20 #include <openssl/async.h> 24 #include <vpp/app/version.h> 29 #define MAX_CRYPTO_LEN 16 44 (*ctx)->ctx.c_thread_index = thread_index;
47 (*ctx)->openssl_ctx_index = ctx - tm->
ctx_pool[thread_index];
48 return ((*ctx)->openssl_ctx_index);
57 SSL_shutdown (oc->
ssl);
111 u32 deq_max, deq_now;
115 f = tls_session->server_rx_fifo;
143 u32 enq_max, deq_now;
147 if (BIO_ctrl_pending (oc->
rbio) <= 0)
150 f = tls_session->server_tx_fifo;
177 #ifdef HAVE_OPENSSL_ASYNC 179 vpp_ssl_async_process_event (
tls_ctx_t * ctx,
188 SSL_set_async_callback (oc->
ssl, (
void *) engine_cb->
callback,
189 (
void *) engine_cb->
arg);
204 SSL_set_async_estatus (oc->
ssl, 0);
217 #ifdef HAVE_OPENSSL_ASYNC 222 while (SSL_in_init (oc->
ssl))
233 rv = SSL_do_handshake (oc->
ssl);
234 err = SSL_get_error (oc->
ssl, rv);
236 #ifdef HAVE_OPENSSL_ASYNC 238 if (SSL_get_async_estatus (oc->
ssl, &estatus)
239 && (estatus == ENGINE_STATUS_RETRY))
241 vpp_ssl_async_retry_func (ctx, myself);
243 else if (err == SSL_ERROR_WANT_ASYNC)
245 vpp_ssl_async_process_event (ctx, myself);
249 if (err != SSL_ERROR_WANT_WRITE)
251 if (err == SSL_ERROR_SSL)
254 ERR_error_string (ERR_get_error (), buf);
261 SSL_state_string_long (oc->
ssl));
263 if (SSL_in_init (oc->
ssl))
269 if (!SSL_is_server (oc->
ssl))
274 if ((rv = SSL_get_verify_result (oc->
ssl)) != X509_V_OK)
276 TLS_DBG (1,
" failed verify: %s\n",
277 X509_verify_cert_error_string (rv));
295 TLS_DBG (1,
"Handshake for %u complete. TLS cipher is %s",
304 int wrote = 0, rv, read, max_buf = 100 *
TLS_CHUNK_SIZE, max_space;
305 u32 enq_max, deq_max, deq_now, to_write;
309 f = app_session->server_tx_fifo;
314 max_space = max_buf - BIO_ctrl_pending (oc->
rbio);
315 max_space = (max_space < 0) ? 0 : max_space;
341 if (BIO_ctrl_pending (oc->
rbio) <= 0)
345 f = tls_session->server_tx_fifo;
364 if (read < enq_max && BIO_ctrl_pending (oc->
rbio) > 0)
372 if (BIO_ctrl_pending (oc->
rbio) > 0)
381 int read, wrote = 0, max_space, max_buf = 100 *
TLS_CHUNK_SIZE, rv;
383 u32 deq_max, enq_max, deq_now, to_read;
393 f = tls_session->server_rx_fifo;
395 max_space = max_buf - BIO_ctrl_pending (oc->
wbio);
396 max_space = max_space < 0 ? 0 : max_space;
397 deq_now =
clib_min (deq_max, max_space);
424 if (BIO_ctrl_pending (oc->
wbio) <= 0)
428 f = app_session->server_rx_fifo;
444 if (read < enq_max && BIO_ctrl_pending (oc->
wbio) > 0)
453 if (BIO_ctrl_pending (oc->
wbio) > 0)
462 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
466 const SSL_METHOD *method;
468 #ifdef HAVE_OPENSSL_ASYNC 472 method = SSLv23_client_method ();
475 TLS_DBG (1,
"SSLv23_method returned null");
479 oc->
ssl_ctx = SSL_CTX_new (method);
482 TLS_DBG (1,
"SSL_CTX_new returned null");
486 SSL_CTX_set_ecdh_auto (oc->
ssl_ctx, 1);
487 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
488 #ifdef HAVE_OPENSSL_ASYNC 490 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ASYNC);
492 rv = SSL_CTX_set_cipher_list (oc->
ssl_ctx, (
const char *) om->
ciphers);
495 TLS_DBG (1,
"Couldn't set cipher");
499 SSL_CTX_set_options (oc->
ssl_ctx, flags);
505 TLS_DBG (1,
"Couldn't initialize ssl struct");
509 oc->
rbio = BIO_new (BIO_s_mem ());
510 oc->
wbio = BIO_new (BIO_s_mem ());
512 BIO_set_mem_eof_return (oc->
rbio, -1);
513 BIO_set_mem_eof_return (oc->
wbio, -1);
516 SSL_set_connect_state (oc->
ssl);
521 TLS_DBG (1,
"Couldn't set hostname");
528 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
534 rv = SSL_do_handshake (oc->
ssl);
535 err = SSL_get_error (oc->
ssl, rv);
537 #ifdef HAVE_OPENSSL_ASYNC 538 if (err == SSL_ERROR_WANT_ASYNC)
541 vpp_ssl_async_process_event (ctx, handler);
545 if (err != SSL_ERROR_WANT_WRITE)
549 TLS_DBG (2,
"tls state for [%u]%u is su", ctx->c_thread_index,
558 const SSL_METHOD *method;
567 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
573 TLS_DBG (1,
"tls cert and/or key not configured %d",
574 lctx->parent_app_index);
578 method = SSLv23_method ();
579 ssl_ctx = SSL_CTX_new (method);
586 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
587 #ifdef HAVE_OPENSSL_ASYNC 589 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ASYNC);
591 SSL_CTX_set_options (ssl_ctx, flags);
592 SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
594 rv = SSL_CTX_set_cipher_list (ssl_ctx, (
const char *) om->
ciphers);
597 TLS_DBG (1,
"Couldn't set cipher");
604 cert_bio = BIO_new (BIO_s_mem ());
606 srvcert = PEM_read_bio_X509 (cert_bio,
NULL,
NULL,
NULL);
612 SSL_CTX_use_certificate (ssl_ctx, srvcert);
615 cert_bio = BIO_new (BIO_s_mem ());
617 pkey = PEM_read_bio_PrivateKey (cert_bio,
NULL,
NULL,
NULL);
623 SSL_CTX_use_PrivateKey (ssl_ctx, pkey);
633 lctx->tls_ssl_ctx = olc_index;
645 olc_index = lctx->tls_ssl_ctx;
649 EVP_PKEY_free (olc->
pkey);
661 u32 olc_index = ctx->tls_ssl_ctx;
665 #ifdef HAVE_OPENSSL_ASYNC 675 TLS_DBG (1,
"Couldn't initialize ssl struct");
679 oc->
rbio = BIO_new (BIO_s_mem ());
680 oc->
wbio = BIO_new (BIO_s_mem ());
682 BIO_set_mem_eof_return (oc->
rbio, -1);
683 BIO_set_mem_eof_return (oc->
wbio, -1);
686 SSL_set_accept_state (oc->
ssl);
688 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
694 rv = SSL_do_handshake (oc->
ssl);
695 err = SSL_get_error (oc->
ssl, rv);
697 #ifdef HAVE_OPENSSL_ASYNC 698 if (err == SSL_ERROR_WANT_ASYNC)
701 vpp_ssl_async_process_event (ctx, handler);
705 if (err != SSL_ERROR_WANT_WRITE)
709 TLS_DBG (2,
"tls state for [%u]%u is su", ctx->c_thread_index,
720 return SSL_is_init_finished (mc->
ssl);
748 clib_warning (
"Could not initialize TLS CA certificates");
766 cert_bio = BIO_new (BIO_s_mem ());
768 testcert = PEM_read_bio_X509 (cert_bio,
NULL,
NULL,
NULL);
774 X509_STORE_add_cert (om->
cert_store, testcert);
777 return (rv < 0 ? -1 : 0);
794 om->
ciphers[
i] = toupper (ciphers[i]);
815 SSL_load_error_strings ();
831 (
"ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
836 #ifdef HAVE_OPENSSL_ASYNC 842 char *engine_name =
NULL;
843 char *engine_alg =
NULL;
844 char *ciphers =
NULL;
845 u8 engine_name_set = 0;
853 (0,
"engine has started, and no config is accepted");
858 if (
unformat (input,
"engine %s", &engine_name))
867 else if (
unformat (input,
"alg %s", &engine_alg))
870 engine_alg[i] = toupper (engine_alg[i]);
872 else if (
unformat (input,
"ciphers %s", &ciphers))
882 if (!engine_name_set)
902 .path =
"tls openssl set",
903 .short_help =
"tls openssl set [engine <engine name>] [alg [algorithm] [async]",
904 .function = tls_openssl_set_command_fn,
914 .version = VPP_BUILD_VER,
915 .description =
"openssl based TLS Engine",
tls_main_t * vnet_tls_get_main(void)
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
openssl_listen_ctx_t * lctx_pool
static int tls_openssl_set_ciphers(char *ciphers)
static u8 openssl_handshake_is_over(tls_ctx_t *ctx)
static int openssl_try_handshake_write(openssl_ctx_t *oc, stream_session_t *tls_session)
const u32 test_srv_crt_rsa_len
void openssl_async_node_enable_disable(u8 is_en)
static u32 openssl_ctx_alloc(void)
static void openssl_listen_ctx_free(openssl_listen_ctx_t *lctx)
static void openssl_ctx_free(tls_ctx_t *ctx)
void tls_notify_app_enqueue(tls_ctx_t *ctx, stream_session_t *app_session)
static u32 svm_fifo_max_enqueue(svm_fifo_t *f)
int(* callback)(void *arg)
static stream_session_t * session_get_from_handle(session_handle_t handle)
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
static u8 * svm_fifo_tail(svm_fifo_t *f)
struct _svm_fifo svm_fifo_t
static void svm_fifo_enqueue_nocopy(svm_fifo_t *f, u32 bytes)
Advance tail pointer.
memset(h->entries, 0, sizeof(h->entries[0])*entries)
#define VLIB_INIT_FUNCTION(x)
int tls_add_vpp_q_builtin_tx_evt(stream_session_t *s)
static u32 svm_fifo_max_dequeue(svm_fifo_t *f)
int openssl_engine_register(char *engine_name, char *algorithm)
#define clib_error_return(e, args...)
static int openssl_stop_listen(tls_ctx_t *lctx)
static u32 svm_fifo_max_write_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be written.
struct _stream_session_t stream_session_t
#define vlib_call_init_function(vm, x)
static u8 * svm_fifo_head(svm_fifo_t *f)
static u32 svm_fifo_max_read_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be read.
int tls_init_ca_chain(void)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
int vpp_add_async_run_event(tls_ctx_t *ctx, openssl_resume_handler *handler)
int tls_add_vpp_q_tx_evt(stream_session_t *s)
int tls_notify_app_connected(tls_ctx_t *ctx, u8 is_failed)
tls_ctx_t * openssl_ctx_get(u32 ctx_index)
int openssl_resume_handler(tls_ctx_t *ctx, stream_session_t *tls_session)
const char test_srv_crt_rsa[]
static int openssl_ctx_write(tls_ctx_t *ctx, stream_session_t *app_session)
static int openssl_ctx_init_client(tls_ctx_t *ctx)
static_always_inline uword vlib_get_thread_index(void)
openssl_ctx_t *** ctx_pool
#define clib_warning(format, args...)
#define SESSION_INVALID_HANDLE
static openssl_main_t openssl_main
void tls_register_engine(const tls_engine_vft_t *vft, tls_engine_type_t type)
application_t * application_get(u32 app_index)
#define VLIB_CLI_COMMAND(x,...)
#define pool_put_index(p, i)
Free pool element with given index.
static clib_error_t * tls_openssl_init(vlib_main_t *vm)
u8 * tls_key
PEM encoded key.
static int openssl_try_handshake_read(openssl_ctx_t *oc, stream_session_t *tls_session)
static void * clib_mem_alloc(uword size)
tls_ctx_t * openssl_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
static int openssl_ctx_init_server(tls_ctx_t *ctx)
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 max_bytes)
openssl_tls_callback_t * vpp_add_async_pending_event(tls_ctx_t *ctx, openssl_resume_handler *handler)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
int tls_add_vpp_q_builtin_rx_evt(stream_session_t *s)
static int openssl_start_listen(tls_ctx_t *lctx)
int tls_notify_app_accept(tls_ctx_t *ctx)
static vlib_thread_main_t * vlib_get_thread_main()
u8 * tls_cert
Certificate to be used for listen sessions.
openssl_listen_ctx_t * openssl_lctx_get(u32 lctx_index)
static u32 openssl_listen_ctx_alloc(void)
static int openssl_ctx_read(tls_ctx_t *ctx, stream_session_t *tls_session)
int openssl_ctx_handshake_rx(tls_ctx_t *ctx, stream_session_t *tls_session)
static clib_error_t * tls_init(vlib_main_t *vm)
#define TLS_DBG(_lvl, _fmt, _args...)