9 #define MAX_QUEUE 12000 10 #define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384 24 (*ctx)->ctx.c_thread_index = thread_id;
27 (*ctx)->ptls_ctx_idx = ctx - pm->
ctx_pool[thread_id];
81 return ptls_handshake_is_complete (ptls_ctx->
tls);
86 session_t * tls_session, ptls_buffer_t * buf)
102 enq_now =
clib_min (enq_now, buf_left);
113 ptls_context_t *ptls_ctx;
116 static ptls_key_exchange_algorithm_t *key_exchange[] = {
117 #ifdef PTLS_OPENSSL_HAVE_X25519 118 &ptls_openssl_x25519,
120 #ifdef PTLS_OPENSSL_HAVE_SECP256r1 121 &ptls_openssl_secp256r1,
123 #ifdef PTLS_OPENSSL_HAVE_SECP384r1 124 &ptls_openssl_secp384r1,
126 #ifdef PTLS_OPENSSL_HAVE_SECP521r1 127 &ptls_openssl_secp521r1
132 if (!ckpair || !ckpair->
cert || !ckpair->
key)
134 TLS_DBG (1,
"tls cert and/or key not configured %d",
135 lctx->parent_app_wrk_index);
141 ptls_ctx = malloc (
sizeof (ptls_context_t));
144 memset (ptls_ctx, 0,
sizeof (ptls_context_t));
145 ptls_ctx->update_open_count = NULL;
154 ptls_ctx->key_exchanges = key_exchange;
155 ptls_ctx->random_bytes = ptls_openssl_random_bytes;
157 ptls_ctx->get_time = &ptls_get_time;
159 lctx->tls_ssl_ctx = ptls_lctx_idx;
170 ptls_lctx_index = lctx->tls_ssl_ctx;
203 ptls_free (ptls_ctx->
tls);
224 u8 * input,
int input_len)
226 ptls_t *tls = ptls_ctx->
tls;
228 int rv = PTLS_ERROR_IN_PROGRESS;
236 ptls_buffer_init (&buf,
"", 0);
237 size_t consumed = input_len - off;
238 rv = ptls_handshake (tls, &buf, input + off, &consumed, NULL);
241 if ((rv == 0 || rv == PTLS_ERROR_IN_PROGRESS) && buf.off != 0)
246 ptls_buffer_dispose (&buf);
248 while (rv == PTLS_ERROR_IN_PROGRESS && input_len != off);
250 while (rv == PTLS_ERROR_IN_PROGRESS);
259 int from_tls_len = 0, off, crypto_len, ret;
260 u32 deq_max, deq_now;
266 tls_rx_fifo = tls_session->
rx_fifo;
293 app_rx_fifo = app_session->
rx_fifo;
298 ptls_buffer_init (buf,
"", 0);
320 (
size_t *) & deq_now);
337 size_t consumed = crypto_len - off;
339 ptls_receive (ptls_ctx->
tls, buf,
344 while (ret == 0 && off < crypto_len);
365 ptls_buffer_dispose (buf);
380 int total_record_overhead,
int is_no_copy)
383 int total_length = content_len + total_record_overhead;
387 ptls_buffer_init (buf,
svm_fifo_tail (dst_fifo), total_length);
390 assert (!buf->is_allocated);
395 to_dst_len = buf->off;
401 ptls_buffer_init (buf, ptls_ctx->
write_content, total_length);
417 u32 deq_max, deq_now;
418 u32 enq_max, enq_now;
419 int from_app_len = 0, to_tls_len = 0, is_nocopy = 0;
423 int record_overhead = ptls_get_record_overhead (ptls_ctx->
tls);
424 int num_records, total_overhead;
427 tls_tx_fifo = tls_session->
tx_fifo;
428 app_tx_fifo = app_session->
tx_fifo;
440 app_session->
flags |= SESSION_F_CUSTOM_TX;
447 app_session->
flags |= SESSION_F_CUSTOM_TX;
467 if (enq_max <= record_overhead)
469 app_session->
flags |= SESSION_F_CUSTOM_TX;
476 if (enq_now > record_overhead)
479 from_app_len =
clib_min (deq_now, enq_now);
482 total_overhead = num_records * record_overhead;
483 if (from_app_len + total_overhead > enq_now)
484 from_app_len = enq_now - total_overhead;
488 from_app_len =
clib_min (deq_now, enq_max);
491 total_overhead = num_records * record_overhead;
492 if (from_app_len + total_overhead > enq_max)
493 from_app_len = enq_max - total_overhead;
498 from_app_len, total_overhead, is_nocopy);
512 app_session->
flags |= SESSION_F_CUSTOM_TX;
524 u32 ptls_lctx_idx = ctx->tls_ssl_ctx;
529 if (ptls_ctx->
tls == NULL)
531 TLS_DBG (1,
"Failed to initialize ptls_ssl structure");
590 .version = VPP_BUILD_VER,
591 .description =
"Transport Layer Security (TLS) Engine, Picotls Based",
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
static void picotls_confirm_app_close(tls_ctx_t *ctx)
picotls_main_t picotls_main
static int picotls_ctx_write(tls_ctx_t *ctx, session_t *app_session, transport_send_params_t *sp)
static u32 svm_fifo_max_enqueue_prod(svm_fifo_t *f)
Maximum number of bytes that can be enqueued into fifo.
tls_ctx_t * picotls_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
void tls_disconnect_transport(tls_ctx_t *ctx)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
svm_fifo_t * rx_fifo
Pointers to rx/tx buffers.
int tls_add_vpp_q_builtin_rx_evt(session_t *s)
#define TLS_RX_LEFT_LEN(x)
ptls_cipher_suite_t * ptls_vpp_crypto_cipher_suites[]
void svm_fifo_enqueue_nocopy(svm_fifo_t *f, u32 len)
Advance tail.
static session_t * session_get(u32 si, u32 thread_index)
static int picotls_transport_close(tls_ctx_t *ctx)
static u8 picotls_handshake_is_over(tls_ctx_t *ctx)
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
#define TLS_READ_LEFT_LEN(x)
static void picotls_listen_ctx_free(picotls_listen_ctx_t *lctx)
void tls_register_engine(const tls_engine_vft_t *vft, crypto_engine_type_t type)
static u8 * svm_fifo_tail(svm_fifo_t *f)
Fifo tail pointer getter.
static int picotls_try_handshake_write(picotls_ctx_t *ptls_ctx, session_t *tls_session, ptls_buffer_t *buf)
void session_transport_closing_notify(transport_connection_t *tc)
Notification from transport that connection is being closed.
static void picotls_ctx_free(tls_ctx_t *ctx)
#define VLIB_INIT_FUNCTION(x)
static u32 svm_fifo_max_dequeue(svm_fifo_t *f)
Fifo max bytes to dequeue.
static u32 svm_fifo_max_dequeue_cons(svm_fifo_t *f)
Fifo max bytes to dequeue optimized for consumer.
picotls_listen_ctx_t * lctx_pool
static int picotls_ctx_read(tls_ctx_t *ctx, session_t *tls_session)
static void picotls_handle_handshake_failure(tls_ctx_t *ctx)
int svm_fifo_dequeue(svm_fifo_t *f, u32 len, u8 *dst)
Dequeue data from fifo.
#define SESSION_INVALID_HANDLE
static u8 * svm_fifo_head(svm_fifo_t *f)
Fifo head pointer getter.
static u32 picotls_listen_ctx_alloc(void)
static int picotls_content_process(picotls_ctx_t *ptls_ctx, svm_fifo_t *src_fifo, svm_fifo_t *dst_fifo, int content_len, int total_record_overhead, int is_no_copy)
int session_dequeue_notify(session_t *s)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
picotls_listen_ctx_t * picotls_lctx_get(u32 lctx_index)
static session_t * session_get_from_handle(session_handle_t handle)
#define PTLS_MAX_PLAINTEXT_RECORD_SIZE
int svm_fifo_enqueue(svm_fifo_t *f, u32 len, const u8 *src)
Enqueue data to fifo.
#define SESSION_INVALID_INDEX
picotls_ctx_t *** ctx_pool
app_cert_key_pair_t * app_cert_key_pair_get_if_valid(u32 index)
#define TLS_WRITE_IS_LEFT(x)
static u8 svm_fifo_needs_deq_ntf(svm_fifo_t *f, u32 n_last_deq)
Check if fifo needs dequeue notification.
static_always_inline uword vlib_get_thread_index(void)
#define vec_free(V)
Free vector's memory (no header).
void session_free(session_t *s)
static clib_error_t * tls_picotls_init(vlib_main_t *vm)
int tls_add_vpp_q_tx_evt(session_t *s)
transport_connection_t connection
ptls_context_t * ptls_ctx
int load_bio_certificate_chain(ptls_context_t *ctx, const char *cert_data)
tls_ctx_t * picotls_ctx_get(u32 ctx_index)
#define TLS_RX_IS_LEFT(x)
#define pool_put_index(p, i)
Free pool element with given index.
static int picotls_app_close(tls_ctx_t *ctx)
static void * clib_mem_alloc(uword size)
static int picotls_stop_listen(tls_ctx_t *lctx)
static int picotls_start_listen(tls_ctx_t *lctx)
static int picotls_do_handshake(picotls_ctx_t *ptls_ctx, session_t *tls_session, u8 *input, int input_len)
u32 svm_fifo_max_read_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be read.
ptls_buffer_t write_buffer
volatile u8 session_state
State in session layer state machine.
void session_transport_closed_notify(transport_connection_t *tc)
Notification from transport that it is closed.
static int picotls_ctx_init_server(tls_ctx_t *ctx)
#define TLS_WRITE_OFFSET(x)
int tls_notify_app_accept(tls_ctx_t *ctx)
void tls_notify_app_enqueue(tls_ctx_t *ctx, session_t *app_session)
static vlib_thread_main_t * vlib_get_thread_main()
#define TLS_READ_OFFSET(x)
u32 svm_fifo_max_write_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be written.
static u32 picotls_ctx_alloc(void)
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 len)
Dequeue and drop bytes from fifo.
struct _svm_fifo svm_fifo_t
ptls_buffer_t read_buffer
#define TLS_DBG(_lvl, _fmt, _args...)
int load_bio_private_key(ptls_context_t *ctx, const char *pk_data)
#define TLS_READ_IS_LEFT(x)