16 #include <openssl/ssl.h> 17 #include <openssl/conf.h> 18 #include <openssl/err.h> 19 #ifdef HAVE_OPENSSL_ASYNC 20 #include <openssl/async.h> 24 #include <vpp/app/version.h> 29 #define MAX_CRYPTO_LEN 16 44 (*ctx)->ctx.c_thread_index = thread_index;
47 (*ctx)->openssl_ctx_index = ctx - tm->
ctx_pool[thread_index];
48 return ((*ctx)->openssl_ctx_index);
57 SSL_shutdown (oc->
ssl);
111 u32 deq_max, deq_now;
115 f = tls_session->server_rx_fifo;
143 u32 enq_max, deq_now;
147 if (BIO_ctrl_pending (oc->
rbio) <= 0)
150 f = tls_session->server_tx_fifo;
177 #ifdef HAVE_OPENSSL_ASYNC 179 vpp_ssl_async_process_event (
tls_ctx_t * ctx,
188 SSL_set_async_callback_arg (oc->
ssl, (
void *) engine_cb->
arg);
203 SSL_clear_async_status (oc->
ssl);
216 #ifdef HAVE_OPENSSL_ASYNC 221 while (SSL_in_init (oc->
ssl))
232 #ifdef HAVE_OPENSSL_ASYNC 234 vpp_ssl_async_process_event (ctx, myself);
237 rv = SSL_do_handshake (oc->
ssl);
238 err = SSL_get_error (oc->
ssl, rv);
240 #ifdef HAVE_OPENSSL_ASYNC 241 if (err == SSL_ERROR_WANT_ASYNC)
243 SSL_get_async_status (oc->
ssl, &estatus);
245 if (estatus == ASYNC_STATUS_EAGAIN)
247 vpp_ssl_async_retry_func (ctx, myself);
252 if (err != SSL_ERROR_WANT_WRITE)
254 if (err == SSL_ERROR_SSL)
257 ERR_error_string (ERR_get_error (), buf);
264 SSL_state_string_long (oc->
ssl));
266 if (SSL_in_init (oc->
ssl))
272 if (!SSL_is_server (oc->
ssl))
277 if ((rv = SSL_get_verify_result (oc->
ssl)) != X509_V_OK)
279 TLS_DBG (1,
" failed verify: %s\n",
280 X509_verify_cert_error_string (rv));
298 TLS_DBG (1,
"Handshake for %u complete. TLS cipher is %s",
307 int wrote = 0, rv, read, max_buf = 100 *
TLS_CHUNK_SIZE, max_space;
308 u32 enq_max, deq_max, deq_now, to_write;
312 f = app_session->server_tx_fifo;
317 max_space = max_buf - BIO_ctrl_pending (oc->
rbio);
318 max_space = (max_space < 0) ? 0 : max_space;
344 if (BIO_ctrl_pending (oc->
rbio) <= 0)
348 f = tls_session->server_tx_fifo;
367 if (read < enq_max && BIO_ctrl_pending (oc->
rbio) > 0)
375 if (BIO_ctrl_pending (oc->
rbio) > 0)
384 int read, wrote = 0, max_space, max_buf = 100 *
TLS_CHUNK_SIZE, rv;
386 u32 deq_max, enq_max, deq_now, to_read;
396 f = tls_session->server_rx_fifo;
398 max_space = max_buf - BIO_ctrl_pending (oc->
wbio);
399 max_space = max_space < 0 ? 0 : max_space;
400 deq_now =
clib_min (deq_max, max_space);
427 if (BIO_ctrl_pending (oc->
wbio) <= 0)
431 f = app_session->server_rx_fifo;
447 if (read < enq_max && BIO_ctrl_pending (oc->
wbio) > 0)
456 if (BIO_ctrl_pending (oc->
wbio) > 0)
465 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
469 const SSL_METHOD *method;
471 #ifdef HAVE_OPENSSL_ASYNC 475 method = SSLv23_client_method ();
478 TLS_DBG (1,
"SSLv23_method returned null");
482 oc->
ssl_ctx = SSL_CTX_new (method);
485 TLS_DBG (1,
"SSL_CTX_new returned null");
489 SSL_CTX_set_ecdh_auto (oc->
ssl_ctx, 1);
490 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
491 #ifdef HAVE_OPENSSL_ASYNC 493 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ASYNC);
495 rv = SSL_CTX_set_cipher_list (oc->
ssl_ctx, (
const char *) om->
ciphers);
498 TLS_DBG (1,
"Couldn't set cipher");
502 SSL_CTX_set_options (oc->
ssl_ctx, flags);
508 TLS_DBG (1,
"Couldn't initialize ssl struct");
512 oc->
rbio = BIO_new (BIO_s_mem ());
513 oc->
wbio = BIO_new (BIO_s_mem ());
515 BIO_set_mem_eof_return (oc->
rbio, -1);
516 BIO_set_mem_eof_return (oc->
wbio, -1);
519 SSL_set_connect_state (oc->
ssl);
524 TLS_DBG (1,
"Couldn't set hostname");
531 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
537 rv = SSL_do_handshake (oc->
ssl);
538 err = SSL_get_error (oc->
ssl, rv);
540 #ifdef HAVE_OPENSSL_ASYNC 541 if (err == SSL_ERROR_WANT_ASYNC)
544 vpp_ssl_async_process_event (ctx, handler);
548 if (err != SSL_ERROR_WANT_WRITE)
552 TLS_DBG (2,
"tls state for [%u]%u is su", ctx->c_thread_index,
561 const SSL_METHOD *method;
570 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
576 TLS_DBG (1,
"tls cert and/or key not configured %d",
577 lctx->parent_app_index);
581 method = SSLv23_method ();
582 ssl_ctx = SSL_CTX_new (method);
589 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
590 #ifdef HAVE_OPENSSL_ASYNC 592 SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ASYNC);
595 SSL_CTX_set_options (ssl_ctx, flags);
596 SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
598 rv = SSL_CTX_set_cipher_list (ssl_ctx, (
const char *) om->
ciphers);
601 TLS_DBG (1,
"Couldn't set cipher");
608 cert_bio = BIO_new (BIO_s_mem ());
610 srvcert = PEM_read_bio_X509 (cert_bio,
NULL,
NULL,
NULL);
616 SSL_CTX_use_certificate (ssl_ctx, srvcert);
619 cert_bio = BIO_new (BIO_s_mem ());
621 pkey = PEM_read_bio_PrivateKey (cert_bio,
NULL,
NULL,
NULL);
627 SSL_CTX_use_PrivateKey (ssl_ctx, pkey);
637 lctx->tls_ssl_ctx = olc_index;
649 olc_index = lctx->tls_ssl_ctx;
653 EVP_PKEY_free (olc->
pkey);
665 u32 olc_index = ctx->tls_ssl_ctx;
669 #ifdef HAVE_OPENSSL_ASYNC 679 TLS_DBG (1,
"Couldn't initialize ssl struct");
683 oc->
rbio = BIO_new (BIO_s_mem ());
684 oc->
wbio = BIO_new (BIO_s_mem ());
686 BIO_set_mem_eof_return (oc->
rbio, -1);
687 BIO_set_mem_eof_return (oc->
wbio, -1);
690 SSL_set_accept_state (oc->
ssl);
692 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
698 rv = SSL_do_handshake (oc->
ssl);
699 err = SSL_get_error (oc->
ssl, rv);
701 #ifdef HAVE_OPENSSL_ASYNC 702 if (err == SSL_ERROR_WANT_ASYNC)
705 vpp_ssl_async_process_event (ctx, handler);
709 if (err != SSL_ERROR_WANT_WRITE)
713 TLS_DBG (2,
"tls state for [%u]%u is su", ctx->c_thread_index,
724 return SSL_is_init_finished (mc->
ssl);
752 clib_warning (
"Could not initialize TLS CA certificates");
770 cert_bio = BIO_new (BIO_s_mem ());
772 testcert = PEM_read_bio_X509 (cert_bio,
NULL,
NULL,
NULL);
778 X509_STORE_add_cert (om->
cert_store, testcert);
781 return (rv < 0 ? -1 : 0);
798 om->
ciphers[
i] = toupper (ciphers[i]);
819 SSL_load_error_strings ();
835 (
"ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
840 #ifdef HAVE_OPENSSL_ASYNC 846 char *engine_name =
NULL;
847 char *engine_alg =
NULL;
848 char *ciphers =
NULL;
849 u8 engine_name_set = 0;
857 (0,
"engine has started, and no config is accepted");
862 if (
unformat (input,
"engine %s", &engine_name))
871 else if (
unformat (input,
"alg %s", &engine_alg))
874 engine_alg[i] = toupper (engine_alg[i]);
876 else if (
unformat (input,
"ciphers %s", &ciphers))
886 if (!engine_name_set)
906 .path =
"tls openssl set",
907 .short_help =
"tls openssl set [engine <engine name>] [alg [algorithm] [async]",
908 .function = tls_openssl_set_command_fn,
918 .version = VPP_BUILD_VER,
919 .description =
"Transport Layer Security (TLS) Engine, OpenSSL Based",
tls_main_t * vnet_tls_get_main(void)
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
openssl_listen_ctx_t * lctx_pool
int(* callback)(SSL *ssl, void *arg)
static int tls_openssl_set_ciphers(char *ciphers)
static u8 openssl_handshake_is_over(tls_ctx_t *ctx)
static int openssl_try_handshake_write(openssl_ctx_t *oc, stream_session_t *tls_session)
const u32 test_srv_crt_rsa_len
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
void openssl_async_node_enable_disable(u8 is_en)
static u32 openssl_ctx_alloc(void)
static void openssl_listen_ctx_free(openssl_listen_ctx_t *lctx)
int tls_async_openssl_callback(SSL *s, void *evt)
static void openssl_ctx_free(tls_ctx_t *ctx)
void tls_notify_app_enqueue(tls_ctx_t *ctx, stream_session_t *app_session)
static u32 svm_fifo_max_enqueue(svm_fifo_t *f)
static stream_session_t * session_get_from_handle(session_handle_t handle)
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
static u8 * svm_fifo_tail(svm_fifo_t *f)
struct _svm_fifo svm_fifo_t
static void svm_fifo_enqueue_nocopy(svm_fifo_t *f, u32 bytes)
Advance tail pointer.
#define VLIB_INIT_FUNCTION(x)
int tls_add_vpp_q_builtin_tx_evt(stream_session_t *s)
static u32 svm_fifo_max_dequeue(svm_fifo_t *f)
int openssl_engine_register(char *engine_name, char *algorithm)
#define clib_error_return(e, args...)
static int openssl_stop_listen(tls_ctx_t *lctx)
static u32 svm_fifo_max_write_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be written.
struct _stream_session_t stream_session_t
#define vlib_call_init_function(vm, x)
static u8 * svm_fifo_head(svm_fifo_t *f)
static u32 svm_fifo_max_read_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be read.
int tls_init_ca_chain(void)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
int vpp_add_async_run_event(tls_ctx_t *ctx, openssl_resume_handler *handler)
int tls_add_vpp_q_tx_evt(stream_session_t *s)
int tls_notify_app_connected(tls_ctx_t *ctx, u8 is_failed)
tls_ctx_t * openssl_ctx_get(u32 ctx_index)
int openssl_resume_handler(tls_ctx_t *ctx, stream_session_t *tls_session)
const char test_srv_crt_rsa[]
static int openssl_ctx_write(tls_ctx_t *ctx, stream_session_t *app_session)
static int openssl_ctx_init_client(tls_ctx_t *ctx)
static_always_inline uword vlib_get_thread_index(void)
openssl_ctx_t *** ctx_pool
#define clib_warning(format, args...)
#define SESSION_INVALID_HANDLE
static openssl_main_t openssl_main
void tls_register_engine(const tls_engine_vft_t *vft, tls_engine_type_t type)
application_t * application_get(u32 app_index)
#define VLIB_CLI_COMMAND(x,...)
#define pool_put_index(p, i)
Free pool element with given index.
static clib_error_t * tls_openssl_init(vlib_main_t *vm)
u8 * tls_key
PEM encoded key.
static int openssl_try_handshake_read(openssl_ctx_t *oc, stream_session_t *tls_session)
static void * clib_mem_alloc(uword size)
tls_ctx_t * openssl_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
static int openssl_ctx_init_server(tls_ctx_t *ctx)
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 max_bytes)
openssl_tls_callback_t * vpp_add_async_pending_event(tls_ctx_t *ctx, openssl_resume_handler *handler)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
int tls_add_vpp_q_builtin_rx_evt(stream_session_t *s)
static int openssl_start_listen(tls_ctx_t *lctx)
int tls_notify_app_accept(tls_ctx_t *ctx)
static vlib_thread_main_t * vlib_get_thread_main()
u8 * tls_cert
Certificate to be used for listen sessions.
openssl_listen_ctx_t * openssl_lctx_get(u32 lctx_index)
static u32 openssl_listen_ctx_alloc(void)
static int openssl_ctx_read(tls_ctx_t *ctx, stream_session_t *tls_session)
int openssl_ctx_handshake_rx(tls_ctx_t *ctx, stream_session_t *tls_session)
static clib_error_t * tls_init(vlib_main_t *vm)
#define TLS_DBG(_lvl, _fmt, _args...)