16 #include <mbedtls/ssl.h> 17 #include <mbedtls/certs.h> 18 #include <mbedtls/entropy.h> 19 #include <mbedtls/ctr_drbg.h> 20 #include <mbedtls/timing.h> 21 #include <mbedtls/debug.h> 23 #include <vpp/app/version.h> 26 #define TLS_USE_OUR_MEM_FUNCS 0 32 mbedtls_ssl_context
ssl;
50 #if TLS_USE_OUR_MEM_FUNCS 51 #include <mbedtls/platform.h> 54 mbedtls_calloc_fn (
size_t n,
size_t size)
63 mbedtls_free_fn (
void *ptr)
82 (*ctx)->ctx.c_thread_index = thread_index;
84 (*ctx)->mbedtls_ctx_index = ctx - tm->
ctx_pool[thread_index];
85 return ((*ctx)->mbedtls_ctx_index);
94 mbedtls_ssl_close_notify (&mc->
ssl);
95 if (mc->
ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
97 mbedtls_x509_crt_free (&mc->
srvcert);
98 mbedtls_pk_free (&mc->
pkey);
100 mbedtls_ssl_free (&mc->
ssl);
101 mbedtls_ssl_config_free (&mc->
conf);
132 pers =
format (0,
"vpp thread %u", thread_index);
135 mbedtls_ctr_drbg_init (&mbedtls_main.
ctr_drbgs[thread_index]);
136 if ((rv = mbedtls_ctr_drbg_seed (&tm->
ctr_drbgs[thread_index],
137 mbedtls_entropy_func,
139 (
const unsigned char *) pers,
143 TLS_DBG (1,
" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", rv);
150 mbedtls_ctr_drbg_context *
156 return &mbedtls_main.
ctr_drbgs[thread_index];
172 return MBEDTLS_ERR_SSL_WANT_WRITE;
189 return (rv < 0) ? 0 : rv;
197 fprintf ((FILE *) ctx,
"%s:%04d: %s", file, line, str);
198 fflush ((FILE *) ctx);
212 mbedtls_ssl_init (&mc->
ssl);
213 mbedtls_ssl_config_init (&mc->
conf);
214 if ((rv = mbedtls_ssl_config_defaults (&mc->
conf, MBEDTLS_SSL_IS_CLIENT,
215 MBEDTLS_SSL_TRANSPORT_STREAM,
216 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
218 TLS_DBG (1,
"failed\n ! mbedtls_ssl_config_defaults returned %d\n\n",
/* NOTE(review): MBEDTLS_SSL_VERIFY_OPTIONAL lets the client handshake complete even
 * when the server certificate does not chain to mm->cacert; the outcome is only
 * reported afterwards by mbedtls_ssl_get_verify_result(). This file reads that result
 * once the handshake is over, but as far as is visible here it only formats it into a
 * verify-info string. Either use MBEDTLS_SSL_VERIFY_REQUIRED, or make sure a non-zero
 * verify result tears the connection down — confirm against the handshake-complete path. */
223 mbedtls_ssl_conf_authmode (&mc->
conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
224 mbedtls_ssl_conf_ca_chain (&mc->
conf, &mm->
cacert, NULL);
225 mbedtls_ssl_conf_rng (&mc->
conf, mbedtls_ctr_drbg_random,
229 if ((rv = mbedtls_ssl_setup (&mc->
ssl, &mc->
conf)) != 0)
231 TLS_DBG (1,
"failed\n ! mbedtls_ssl_setup returned %d\n", rv);
235 if ((rv = mbedtls_ssl_set_hostname (&mc->
ssl,
238 TLS_DBG (1,
"failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv);
249 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
251 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
253 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
257 TLS_DBG (2,
"tls state for [%u]%u is %u", ctx->c_thread_index,
283 mbedtls_ssl_init (&mc->
ssl);
284 mbedtls_ssl_config_init (&mc->
conf);
285 mbedtls_x509_crt_init (&mc->
srvcert);
286 mbedtls_pk_init (&mc->
pkey);
295 if (!ckpair->
cert || !ckpair->
key)
297 TLS_DBG (1,
" failed\n ! tls cert and/or key not configured %d",
298 ctx->parent_app_wrk_index);
302 rv = mbedtls_x509_crt_parse (&mc->
srvcert,
303 (
const unsigned char *) ckpair->
cert,
307 TLS_DBG (1,
" failed\n ! mbedtls_x509_crt_parse returned %d", rv);
311 rv = mbedtls_pk_parse_key (&mc->
pkey,
312 (
const unsigned char *) ckpair->
key,
316 TLS_DBG (1,
" failed\n ! mbedtls_pk_parse_key returned %d", rv);
323 if ((rv = mbedtls_ssl_config_defaults (&mc->
conf, MBEDTLS_SSL_IS_SERVER,
324 MBEDTLS_SSL_TRANSPORT_STREAM,
325 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
327 TLS_DBG (1,
" failed\n ! mbedtls_ssl_config_defaults returned %d", rv);
331 mbedtls_ssl_conf_rng (&mc->
conf, mbedtls_ctr_drbg_random,
341 mbedtls_ssl_conf_ca_chain (&mc->
conf, &mm->
cacert, NULL);
342 if ((rv = mbedtls_ssl_conf_own_cert (&mc->
conf, &mc->
srvcert, &mc->
pkey))
345 TLS_DBG (1,
" failed\n ! mbedtls_ssl_conf_own_cert returned %d", rv);
349 if ((rv = mbedtls_ssl_setup (&mc->
ssl, &mc->
conf)) != 0)
351 TLS_DBG (1,
" failed\n ! mbedtls_ssl_setup returned %d", rv);
355 mbedtls_ssl_session_reset (&mc->
ssl);
363 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
365 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
367 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
372 TLS_DBG (2,
"tls state for [%u]%u is %u", ctx->c_thread_index,
386 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
388 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
394 if (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
400 if (mc->
ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
405 if ((flags = mbedtls_ssl_get_verify_result (&mc->
ssl)) != 0)
409 mbedtls_x509_crt_verify_info (buf,
sizeof (buf),
" ! ", flags);
428 TLS_DBG (1,
"Handshake for %u complete. TLS cipher is %x",
438 u8 thread_index = ctx->c_thread_index;
440 u32 enq_max, deq_max, deq_now;
444 ASSERT (mc->
ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
457 app_session->
flags |= SESSION_F_CUSTOM_TX;
464 wrote = mbedtls_ssl_write (&mc->
ssl, mm->
tx_bufs[thread_index], deq_now);
467 app_session->
flags |= SESSION_F_CUSTOM_TX;
475 if (deq_now < deq_max)
476 app_session->
flags |= SESSION_F_CUSTOM_TX;
486 u8 thread_index = ctx->c_thread_index;
487 u32 deq_max, enq_max, enq_now;
512 read = mbedtls_ssl_read (&mc->
ssl, mm->
rx_bufs[thread_index], enq_now);
537 return (mc->
ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
580 #if TLS_USE_OUR_MEM_FUNCS 581 mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn);
594 for (i = 0; i < num_threads; i++)
609 clib_warning (
"Could not initialize TLS CA certificates");
613 mbedtls_x509_crt_init (&mm->
cacert);
617 clib_warning (
"Couldn't parse system CA certificates: -0x%x", -rv);
/* NOTE(review): a "test certificate" is appended to the trusted CA chain mm->cacert
 * right after the system CA bundle (the buffer argument is not visible here — confirm
 * whether it is the static test_srv_crt_rsa sample). If it is a published sample cert
 * whose private key is public, any peer presenting it would be trusted by every client
 * context built from this chain; gate it on a test/debug build or drop it. */
621 rv = mbedtls_x509_crt_parse (&mm->
cacert,
626 clib_warning (
"Couldn't parse test certificate: -0x%x", -rv);
/* Only a negative rv is an error; a positive rv means some certs in the bundle were
 * skipped but at least one parsed. */
630 return (rv < 0 ? -1 : 0);
654 clib_warning (
"failed to initialize entropy and random generators");
675 .version = VPP_BUILD_VER,
676 .description =
"Transport Layer Security (TLS) Engine, Mbedtls Based",