FD.io VPP  v21.06-3-gbb25fbf28
Vector Packet Processing
tls_openssl.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2018 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <openssl/ssl.h>
17 #include <openssl/conf.h>
18 #include <openssl/err.h>
19 
20 #ifdef HAVE_OPENSSL_ASYNC
21 #include <openssl/async.h>
22 #endif
23 #include <dlfcn.h>
24 #include <vnet/plugin/plugin.h>
25 #include <vpp/app/version.h>
26 #include <vnet/tls/tls.h>
27 #include <ctype.h>
28 #include <tlsopenssl/tls_openssl.h>
29 #include <tlsopenssl/tls_bios.h>
30 
31 #define MAX_CRYPTO_LEN 64
32 
34 
35 static u32
37 {
40 
42  if (!(*ctx))
43  *ctx = clib_mem_alloc (sizeof (openssl_ctx_t));
44 
45  clib_memset (*ctx, 0, sizeof (openssl_ctx_t));
46  (*ctx)->ctx.c_thread_index = thread_index;
47  (*ctx)->ctx.tls_ctx_engine = CRYPTO_ENGINE_OPENSSL;
48  (*ctx)->ctx.app_session_handle = SESSION_INVALID_HANDLE;
49  (*ctx)->openssl_ctx_index = ctx - om->ctx_pool[thread_index];
50  return ((*ctx)->openssl_ctx_index);
51 }
52 
53 static u32
55 {
57 }
58 
59 static void
61 {
63 
64  /* Cleanup ssl ctx unless migrated */
65  if (!ctx->is_migrated)
66  {
67  if (SSL_is_init_finished (oc->ssl) && !ctx->is_passive_close)
68  SSL_shutdown (oc->ssl);
69 
70  SSL_free (oc->ssl);
71  vec_free (ctx->srv_hostname);
72 
73 #ifdef HAVE_OPENSSL_ASYNC
74  openssl_evt_free (ctx->evt_index, ctx->c_thread_index);
75 #endif
76  }
77 
78  pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index],
79  oc->openssl_ctx_index);
80 }
81 
82 static void *
84 {
85  openssl_ctx_t *oc = (openssl_ctx_t *) ctx, *oc_copy;
86 
87  oc_copy = clib_mem_alloc (sizeof (*oc_copy));
88  clib_memcpy (oc_copy, oc, sizeof (*oc));
89 
90  return oc_copy;
91 }
92 
93 static u32
95 {
98  openssl_ctx_t **oc;
99 
100  pool_get (om->ctx_pool[thread_index], oc);
101  /* Free the old instance instead of looking for an empty spot */
102  if (*oc)
103  clib_mem_free (*oc);
104 
105  *oc = ctx_ptr;
106  (*oc)->openssl_ctx_index = oc - om->ctx_pool[thread_index];
107  (*oc)->ctx.c_thread_index = thread_index;
108 
109  sh = (*oc)->ctx.tls_session_handle;
110  BIO_set_data ((*oc)->rbio, uword_to_pointer (sh, void *));
111  BIO_set_data ((*oc)->wbio, uword_to_pointer (sh, void *));
112 
113  return ((*oc)->openssl_ctx_index);
114 }
115 
116 tls_ctx_t *
117 openssl_ctx_get (u32 ctx_index)
118 {
119  openssl_ctx_t **ctx;
121  ctx_index);
122  return &(*ctx)->ctx;
123 }
124 
125 tls_ctx_t *
127 {
128  openssl_ctx_t **ctx;
130  return &(*ctx)->ctx;
131 }
132 
133 static u32
135 {
137  openssl_listen_ctx_t *lctx;
138 
139  pool_get (om->lctx_pool, lctx);
140 
141  clib_memset (lctx, 0, sizeof (openssl_listen_ctx_t));
142  lctx->openssl_lctx_index = lctx - om->lctx_pool;
143  return lctx->openssl_lctx_index;
144 }
145 
146 static void
148 {
150 }
151 
153 openssl_lctx_get (u32 lctx_index)
154 {
155  return pool_elt_at_index (openssl_main.lctx_pool, lctx_index);
156 }
157 
158 static int
160 {
161  int read, rv, n_fs, i;
162  const int n_segs = 2;
163  svm_fifo_seg_t fs[n_segs];
164  u32 max_enq;
165 
166  max_enq = svm_fifo_max_enqueue_prod (f);
167  if (!max_enq)
168  return 0;
169 
170  n_fs = svm_fifo_provision_chunks (f, fs, n_segs, max_enq);
171  if (n_fs < 0)
172  return 0;
173 
174  /* Return early if we can't read anything */
175  read = SSL_read (ssl, fs[0].data, fs[0].len);
176  if (read <= 0)
177  return 0;
178 
179  for (i = 1; i < n_fs; i++)
180  {
181  rv = SSL_read (ssl, fs[i].data, fs[i].len);
182  read += rv > 0 ? rv : 0;
183 
184  if (rv < (int) fs[i].len)
185  break;
186  }
187 
188  svm_fifo_enqueue_nocopy (f, read);
189 
190  return read;
191 }
192 
193 static int
195 {
196  int wrote = 0, rv, i = 0, len;
197  const int n_segs = 2;
198  svm_fifo_seg_t fs[n_segs];
199 
200  len = svm_fifo_segments (f, 0, fs, n_segs, max_len);
201  if (len <= 0)
202  return 0;
203 
204  while (wrote < len && i < n_segs)
205  {
206  rv = SSL_write (ssl, fs[i].data, fs[i].len);
207  wrote += (rv > 0) ? rv : 0;
208  if (rv < (int) fs[i].len)
209  break;
210  i++;
211  }
212 
213  if (wrote)
214  svm_fifo_dequeue_drop (f, wrote);
215 
216  return wrote;
217 }
218 
219 #ifdef HAVE_OPENSSL_ASYNC
220 static int
221 openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler,
222  session_t * session)
223 {
224  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
225  int estatus;
226 
227  SSL_get_async_status (oc->ssl, &estatus);
228  if (estatus == ASYNC_STATUS_EAGAIN)
229  {
231  }
232  else
233  {
235  }
236 
237  return 1;
238 
239 }
240 
241 #endif
242 
243 static void
245 {
246  session_t *app_session;
247 
248  if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
249  {
250  /*
251  * Cleanup pre-allocated app session and close transport
252  */
253  app_session =
254  session_get_if_valid (ctx->c_s_index, ctx->c_thread_index);
255  if (app_session)
256  {
257  session_free (app_session);
258  ctx->no_app_session = 1;
259  ctx->c_s_index = SESSION_INVALID_INDEX;
261  }
262  }
263  else
264  {
265  /*
266  * Also handles cleanup of the pre-allocated session
267  */
268  tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE);
269  }
270 }
271 
272 int
274 {
275  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
276  int rv = 0, err;
277 
278  while (SSL_in_init (oc->ssl))
279  {
280  if (ctx->resume)
281  {
282  ctx->resume = 0;
283  }
284  else if (!svm_fifo_max_dequeue_cons (tls_session->rx_fifo))
285  break;
286 
287  rv = SSL_do_handshake (oc->ssl);
288  err = SSL_get_error (oc->ssl, rv);
289 
290 #ifdef HAVE_OPENSSL_ASYNC
291  if (err == SSL_ERROR_WANT_ASYNC)
292  {
293  openssl_check_async_status (ctx, openssl_ctx_handshake_rx,
294  tls_session);
295  }
296 #endif
297  if (err == SSL_ERROR_SSL)
298  {
299  char buf[512];
300  ERR_error_string (ERR_get_error (), buf);
301  clib_warning ("Err: %s", buf);
302 
304  return -1;
305  }
306 
307  if (err != SSL_ERROR_WANT_WRITE && err != SSL_ERROR_WANT_READ)
308  break;
309  }
310  TLS_DBG (2, "tls state for %u is %s", oc->openssl_ctx_index,
311  SSL_state_string_long (oc->ssl));
312 
313  if (SSL_in_init (oc->ssl))
314  return -1;
315 
316  /*
317  * Handshake complete
318  */
319  if (!SSL_is_server (oc->ssl))
320  {
321  /*
322  * Verify server certificate
323  */
324  if ((rv = SSL_get_verify_result (oc->ssl)) != X509_V_OK)
325  {
326  TLS_DBG (1, " failed verify: %s\n",
327  X509_verify_cert_error_string (rv));
328 
329  /*
330  * Presence of hostname enforces strict certificate verification
331  */
332  if (ctx->srv_hostname)
333  {
334  tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE);
335  return -1;
336  }
337  }
338  tls_notify_app_connected (ctx, SESSION_E_NONE);
339  }
340  else
341  {
342  /* Need to check transport status */
343  if (ctx->is_passive_close)
344  {
346  return -1;
347  }
348 
349  /* Accept failed, cleanup */
351  {
352  ctx->c_s_index = SESSION_INVALID_INDEX;
354  return -1;
355  }
356  }
357 
358  TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s",
359  oc->openssl_ctx_index, SSL_get_cipher (oc->ssl));
360  return rv;
361 }
362 
363 static void
365 {
367  session_transport_closed_notify (&ctx->connection);
368 }
369 
370 static int
373 {
374  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
375  u32 deq_max, space, enq_buf;
376  session_t *ts;
377  int wrote = 0;
378  svm_fifo_t *f;
379 
380  ts = session_get_from_handle (ctx->tls_session_handle);
382  /* Leave a bit of extra space for tls ctrl data, if any needed */
383  space = clib_max ((int) space - TLSO_CTRL_BYTES, 0);
384 
385  f = app_session->tx_fifo;
386 
387  deq_max = svm_fifo_max_dequeue_cons (f);
388  deq_max = clib_min (deq_max, space);
389  if (!deq_max)
390  goto check_tls_fifo;
391 
392  deq_max = clib_min (deq_max, sp->max_burst_size);
393 
394  /* Make sure tcp's tx fifo can actually buffer all bytes to be dequeued.
395  * If under memory pressure, tls's fifo segment might not be able to
396  * allocate the chunks needed. This also avoids errors from the underlying
397  * custom bio to the ssl infra which at times can get stuck. */
398  if (svm_fifo_provision_chunks (ts->tx_fifo, 0, 0, deq_max + TLSO_CTRL_BYTES))
399  goto check_tls_fifo;
400 
401  wrote = openssl_write_from_fifo_into_ssl (f, oc->ssl, deq_max);
402  if (!wrote)
403  goto check_tls_fifo;
404 
405  if (svm_fifo_needs_deq_ntf (f, wrote))
406  session_dequeue_notify (app_session);
407 
408 check_tls_fifo:
409 
410  if (PREDICT_FALSE (ctx->app_closed && BIO_ctrl_pending (oc->rbio) <= 0))
412 
413  /* Deschedule and wait for deq notification if fifo is almost full */
414  enq_buf = clib_min (svm_fifo_size (ts->tx_fifo) / 2, TLSO_MIN_ENQ_SPACE);
415  if (space < wrote + enq_buf)
416  {
418  transport_connection_deschedule (&ctx->connection);
420  }
421  else
422  /* Request tx reschedule of the app session */
423  app_session->flags |= SESSION_F_CUSTOM_TX;
424 
425  return wrote;
426 }
427 
428 static int
431 {
433  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
434  u32 read = 0, to_deq, dgram_sz, enq_max;
436  session_t *us;
437  int wrote, rv;
438  u8 *buf;
439 
440  us = session_get_from_handle (ctx->tls_session_handle);
441  to_deq = svm_fifo_max_dequeue_cons (app_session->tx_fifo);
442  buf = om->tx_bufs[ctx->c_thread_index];
443 
444  while (to_deq > 0)
445  {
446  /* Peeking only pre-header dgram because the session is connected */
447  rv = svm_fifo_peek (app_session->tx_fifo, 0, sizeof (hdr), (u8 *) &hdr);
448  ASSERT (rv == sizeof (hdr) && hdr.data_length < vec_len (buf));
449  ASSERT (to_deq >= hdr.data_length + SESSION_CONN_HDR_LEN);
450 
451  dgram_sz = hdr.data_length + SESSION_CONN_HDR_LEN;
452  enq_max = dgram_sz + TLSO_CTRL_BYTES;
453  if (svm_fifo_max_enqueue_prod (us->tx_fifo) < enq_max ||
454  svm_fifo_provision_chunks (us->tx_fifo, 0, 0, enq_max))
455  {
457  transport_connection_deschedule (&ctx->connection);
459  goto done;
460  }
461 
462  rv = svm_fifo_peek (app_session->tx_fifo, SESSION_CONN_HDR_LEN,
463  hdr.data_length, buf);
464  ASSERT (rv == hdr.data_length);
465  svm_fifo_dequeue_drop (app_session->tx_fifo, dgram_sz);
466 
467  wrote = SSL_write (oc->ssl, buf, rv);
468  ASSERT (wrote > 0);
469 
470  read += rv;
471  to_deq -= dgram_sz;
472  }
473 
474 done:
475 
476  if (svm_fifo_needs_deq_ntf (app_session->tx_fifo, read))
477  session_dequeue_notify (app_session);
478 
479  if (read)
481 
482  if (PREDICT_FALSE (ctx->app_closed &&
485 
486  return read;
487 }
488 
489 static inline int
492 {
493  if (ctx->tls_type == TRANSPORT_PROTO_TLS)
494  return openssl_ctx_write_tls (ctx, app_session, sp);
495  else
496  return openssl_ctx_write_dtls (ctx, app_session, sp);
497 }
498 
499 static inline int
501 {
502  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
503  session_t *app_session;
504  int read;
505  svm_fifo_t *f;
506 
507  if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
508  {
509  if (openssl_ctx_handshake_rx (ctx, tls_session) < 0)
510  return 0;
511  }
512 
513  app_session = session_get_from_handle (ctx->app_session_handle);
514  f = app_session->rx_fifo;
515 
516  read = openssl_read_from_ssl_into_fifo (f, oc->ssl);
517 
518  /* If handshake just completed, session may still be in accepting state */
519  if (read && app_session->session_state >= SESSION_STATE_READY)
520  tls_notify_app_enqueue (ctx, app_session);
521 
522  if ((SSL_pending (oc->ssl) > 0) ||
523  svm_fifo_max_dequeue_cons (tls_session->rx_fifo))
524  tls_add_vpp_q_builtin_rx_evt (tls_session);
525 
526  return read;
527 }
528 
529 static inline int
531 {
533  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
535  session_t *app_session;
536  u32 wrote = 0;
537  int read, rv;
538  u8 *buf;
539 
540  if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
541  {
542  u32 us_index = us->session_index;
543  if (openssl_ctx_handshake_rx (ctx, us) < 0)
544  return 0;
545  /* Session pool might grow when allocating the app's session */
546  us = session_get (us_index, ctx->c_thread_index);
547  }
548 
549  buf = om->rx_bufs[ctx->c_thread_index];
550  app_session = session_get_from_handle (ctx->app_session_handle);
551  svm_fifo_fill_chunk_list (app_session->rx_fifo);
552 
553  while (svm_fifo_max_dequeue_cons (us->rx_fifo) > 0)
554  {
556  {
558  goto done;
559  }
560 
561  read = SSL_read (oc->ssl, buf, vec_len (buf));
562  if (PREDICT_FALSE (read <= 0))
563  {
564  if (read < 0)
566  goto done;
567  }
568  wrote += read;
569 
570  hdr.data_length = read;
571  hdr.data_offset = 0;
572 
573  svm_fifo_seg_t segs[2] = { { (u8 *) &hdr, sizeof (hdr) },
574  { buf, read } };
575 
576  rv = svm_fifo_enqueue_segments (app_session->rx_fifo, segs, 2,
577  0 /* allow partial */);
578  ASSERT (rv > 0);
579  }
580 
581 done:
582 
583  /* If handshake just completed, session may still be in accepting state */
584  if (app_session->session_state >= SESSION_STATE_READY)
585  tls_notify_app_enqueue (ctx, app_session);
586 
587  return wrote;
588 }
589 
590 static inline int
592 {
593  if (ctx->tls_type == TRANSPORT_PROTO_TLS)
594  return openssl_ctx_read_tls (ctx, ts);
595  else
596  return openssl_ctx_read_dtls (ctx, ts);
597 }
598 
599 static int
601 {
602  long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
603  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
605  const SSL_METHOD *method;
606  int rv, err;
607 
608  method = ctx->tls_type == TRANSPORT_PROTO_TLS ? SSLv23_client_method () :
609  DTLS_client_method ();
610  if (method == NULL)
611  {
612  TLS_DBG (1, "(D)TLS_method returned null");
613  return -1;
614  }
615 
616  oc->ssl_ctx = SSL_CTX_new (method);
617  if (oc->ssl_ctx == NULL)
618  {
619  TLS_DBG (1, "SSL_CTX_new returned null");
620  return -1;
621  }
622 
623  SSL_CTX_set_ecdh_auto (oc->ssl_ctx, 1);
624  SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
625 #ifdef HAVE_OPENSSL_ASYNC
626  if (om->async)
627  SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
628 #endif
629  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
630  if (rv != 1)
631  {
632  TLS_DBG (1, "Couldn't set cipher");
633  return -1;
634  }
635 
636  SSL_CTX_set_options (oc->ssl_ctx, flags);
637  SSL_CTX_set_cert_store (oc->ssl_ctx, om->cert_store);
638 
639  oc->ssl = SSL_new (oc->ssl_ctx);
640  if (oc->ssl == NULL)
641  {
642  TLS_DBG (1, "Couldn't initialize ssl struct");
643  return -1;
644  }
645 
646  if (ctx->tls_type == TRANSPORT_PROTO_TLS)
647  {
648  oc->rbio = BIO_new_tls (ctx->tls_session_handle);
649  oc->wbio = BIO_new_tls (ctx->tls_session_handle);
650  }
651  else
652  {
653  oc->rbio = BIO_new_dtls (ctx->tls_session_handle);
654  oc->wbio = BIO_new_dtls (ctx->tls_session_handle);
655  }
656 
657  SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
658  SSL_set_connect_state (oc->ssl);
659 
660  rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname);
661  if (rv != 1)
662  {
663  TLS_DBG (1, "Couldn't set hostname");
664  return -1;
665  }
666 
667  /*
668  * 2. Do the first steps in the handshake.
669  */
670  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
671  oc->openssl_ctx_index);
672 
673 #ifdef HAVE_OPENSSL_ASYNC
674  session_t *tls_session = session_get_from_handle (ctx->tls_session_handle);
676 #endif
677  while (1)
678  {
679  rv = SSL_do_handshake (oc->ssl);
680  err = SSL_get_error (oc->ssl, rv);
681 #ifdef HAVE_OPENSSL_ASYNC
682  if (err == SSL_ERROR_WANT_ASYNC)
683  {
684  openssl_check_async_status (ctx, openssl_ctx_handshake_rx,
685  tls_session);
686  break;
687  }
688 #endif
689  if (err != SSL_ERROR_WANT_WRITE)
690  break;
691  }
692 
693  TLS_DBG (2, "tls state for [%u]%u is su", ctx->c_thread_index,
694  oc->openssl_ctx_index, SSL_state_string_long (oc->ssl));
695  return 0;
696 }
697 
698 static int
700 {
701  const SSL_METHOD *method;
702  SSL_CTX *ssl_ctx;
703  int rv;
704  BIO *cert_bio;
705  X509 *srvcert;
706  EVP_PKEY *pkey;
707  u32 olc_index;
709  app_cert_key_pair_t *ckpair;
710 
711  long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
713 
715  if (!ckpair)
716  return -1;
717 
718  if (!ckpair->cert || !ckpair->key)
719  {
720  TLS_DBG (1, "tls cert and/or key not configured %d",
721  lctx->parent_app_wrk_index);
722  return -1;
723  }
724 
725  method = lctx->tls_type == TRANSPORT_PROTO_TLS ? SSLv23_server_method () :
726  DTLS_server_method ();
727  ssl_ctx = SSL_CTX_new (method);
728  if (!ssl_ctx)
729  {
730  clib_warning ("Unable to create SSL context");
731  return -1;
732  }
733 
734  SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
735 #ifdef HAVE_OPENSSL_ASYNC
736  if (om->async)
737  {
738  SSL_CTX_set_mode (ssl_ctx, SSL_MODE_ASYNC);
739  SSL_CTX_set_async_callback (ssl_ctx, tls_async_openssl_callback);
740  }
741 #endif
742  SSL_CTX_set_options (ssl_ctx, flags);
743  SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
744 
745  rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) om->ciphers);
746  if (rv != 1)
747  {
748  TLS_DBG (1, "Couldn't set cipher");
749  return -1;
750  }
751 
752  /*
753  * Set the key and cert
754  */
755  cert_bio = BIO_new (BIO_s_mem ());
756  BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert));
757  srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
758  if (!srvcert)
759  {
760  clib_warning ("unable to parse certificate");
761  return -1;
762  }
763  SSL_CTX_use_certificate (ssl_ctx, srvcert);
764  BIO_free (cert_bio);
765 
766  cert_bio = BIO_new (BIO_s_mem ());
767  BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
768  pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL);
769  if (!pkey)
770  {
771  clib_warning ("unable to parse pkey");
772  return -1;
773  }
774  SSL_CTX_use_PrivateKey (ssl_ctx, pkey);
775  BIO_free (cert_bio);
776 
777  olc_index = openssl_listen_ctx_alloc ();
778  olc = openssl_lctx_get (olc_index);
779  olc->ssl_ctx = ssl_ctx;
780  olc->srvcert = srvcert;
781  olc->pkey = pkey;
782 
783  /* store SSL_CTX into TLS level structure */
784  lctx->tls_ssl_ctx = olc_index;
785 
786  return 0;
787 
788 }
789 
790 static int
792 {
793  u32 olc_index;
795 
796  olc_index = lctx->tls_ssl_ctx;
797  olc = openssl_lctx_get (olc_index);
798 
799  X509_free (olc->srvcert);
800  EVP_PKEY_free (olc->pkey);
801 
802  SSL_CTX_free (olc->ssl_ctx);
804 
805  return 0;
806 }
807 
808 static int
810 {
811  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
812  u32 olc_index = ctx->tls_ssl_ctx;
814  int rv, err;
815 
816  /* Start a new connection */
817 
818  olc = openssl_lctx_get (olc_index);
819  oc->ssl = SSL_new (olc->ssl_ctx);
820  if (oc->ssl == NULL)
821  {
822  TLS_DBG (1, "Couldn't initialize ssl struct");
823  return -1;
824  }
825 
826  if (ctx->tls_type == TRANSPORT_PROTO_TLS)
827  {
828  oc->rbio = BIO_new_tls (ctx->tls_session_handle);
829  oc->wbio = BIO_new_tls (ctx->tls_session_handle);
830  }
831  else
832  {
833  oc->rbio = BIO_new_dtls (ctx->tls_session_handle);
834  oc->wbio = BIO_new_dtls (ctx->tls_session_handle);
835  }
836 
837  SSL_set_bio (oc->ssl, oc->wbio, oc->rbio);
838  SSL_set_accept_state (oc->ssl);
839 
840  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
841  oc->openssl_ctx_index);
842 
843 #ifdef HAVE_OPENSSL_ASYNC
844  session_t *tls_session = session_get_from_handle (ctx->tls_session_handle);
846 #endif
847  while (1)
848  {
849  rv = SSL_do_handshake (oc->ssl);
850  err = SSL_get_error (oc->ssl, rv);
851 #ifdef HAVE_OPENSSL_ASYNC
852  if (err == SSL_ERROR_WANT_ASYNC)
853  {
854  openssl_check_async_status (ctx, openssl_ctx_handshake_rx,
855  tls_session);
856  break;
857  }
858 #endif
859  if (err != SSL_ERROR_WANT_WRITE)
860  break;
861  }
862 
863  TLS_DBG (2, "tls state for [%u]%u is su", ctx->c_thread_index,
864  oc->openssl_ctx_index, SSL_state_string_long (oc->ssl));
865  return 0;
866 }
867 
868 static u8
870 {
871  openssl_ctx_t *mc = (openssl_ctx_t *) ctx;
872  if (!mc->ssl)
873  return 0;
874  return SSL_is_init_finished (mc->ssl);
875 }
876 
877 static int
879 {
880 #ifdef HAVE_OPENSSL_ASYNC
882  return 0;
883 #endif
884 
886  {
888  return 0;
889  }
890  session_transport_closing_notify (&ctx->connection);
891  return 0;
892 }
893 
894 static int
896 {
897  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
898  session_t *app_session;
899 
900  /* Wait for all data to be written to tcp */
901  app_session = session_get_from_handle (ctx->app_session_handle);
902  if (BIO_ctrl_pending (oc->rbio) <= 0
903  && !svm_fifo_max_dequeue_cons (app_session->tx_fifo))
905  else
906  ctx->app_closed = 1;
907  return 0;
908 }
909 
912  .ctx_alloc_w_thread = openssl_ctx_alloc_w_thread,
913  .ctx_free = openssl_ctx_free,
914  .ctx_attach = openssl_ctx_attach,
915  .ctx_detach = openssl_ctx_detach,
916  .ctx_get = openssl_ctx_get,
917  .ctx_get_w_thread = openssl_ctx_get_w_thread,
918  .ctx_init_server = openssl_ctx_init_server,
919  .ctx_init_client = openssl_ctx_init_client,
920  .ctx_write = openssl_ctx_write,
921  .ctx_read = openssl_ctx_read,
922  .ctx_handshake_is_over = openssl_handshake_is_over,
923  .ctx_start_listen = openssl_start_listen,
924  .ctx_stop_listen = openssl_stop_listen,
925  .ctx_transport_close = openssl_transport_close,
926  .ctx_app_close = openssl_app_close,
927 };
928 
929 int
931 {
933  tls_main_t *tm = vnet_tls_get_main ();
934  BIO *cert_bio;
935  X509 *testcert;
936  int rv;
937 
938  if (access (tm->ca_cert_path, F_OK | R_OK) == -1)
939  {
940  clib_warning ("Could not initialize TLS CA certificates");
941  return -1;
942  }
943 
944  if (!(om->cert_store = X509_STORE_new ()))
945  {
946  clib_warning ("failed to create cert store");
947  return -1;
948  }
949 
950 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
951  rv = X509_STORE_load_file (om->cert_store, tm->ca_cert_path);
952 #else
953  rv = X509_STORE_load_locations (om->cert_store, tm->ca_cert_path, 0);
954 #endif
955 
956  if (rv < 0)
957  {
958  clib_warning ("failed to load ca certificate");
959  }
960 
961  if (tm->use_test_cert_in_ca)
962  {
963  cert_bio = BIO_new (BIO_s_mem ());
964  BIO_write (cert_bio, test_srv_crt_rsa, test_srv_crt_rsa_len);
965  testcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
966  if (!testcert)
967  {
968  clib_warning ("unable to parse certificate");
969  return -1;
970  }
971  X509_STORE_add_cert (om->cert_store, testcert);
972  rv = 0;
973  }
974  return (rv < 0 ? -1 : 0);
975 }
976 
977 int
978 tls_openssl_set_ciphers (char *ciphers)
979 {
981  int i;
982 
983  if (!ciphers)
984  {
985  return -1;
986  }
987 
988  vec_validate (om->ciphers, strlen (ciphers) - 1);
989  for (i = 0; i < vec_len (om->ciphers); i++)
990  {
991  om->ciphers[i] = toupper (ciphers[i]);
992  }
993 
994  return 0;
995 
996 }
997 
998 static clib_error_t *
1000 {
1003  clib_error_t *error = 0;
1004  u32 num_threads, i;
1005 
1007  num_threads = 1 /* main thread */ + vtm->n_threads;
1008 
1009  SSL_library_init ();
1010  SSL_load_error_strings ();
1011 
1012  if (tls_init_ca_chain ())
1013  {
1014  clib_warning ("failed to initialize TLS CA chain");
1015  return 0;
1016  }
1017 
1018  vec_validate (om->ctx_pool, num_threads - 1);
1019  vec_validate (om->rx_bufs, num_threads - 1);
1020  vec_validate (om->tx_bufs, num_threads - 1);
1021  for (i = 0; i < num_threads; i++)
1022  {
1025  }
1027 
1028  om->engine_init = 0;
1029 
1030  /* default ciphers */
1032  ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
1033 
1034  return error;
1035 }
1036 /* *INDENT-OFF* */
1038 {
1039  .runs_after = VLIB_INITS("tls_init"),
1040 };
1041 /* *INDENT-ON* */
1042 
1043 #ifdef HAVE_OPENSSL_ASYNC
1044 static clib_error_t *
1045 tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
1046  vlib_cli_command_t * cmd)
1047 {
1049  char *engine_name = NULL;
1050  char *engine_alg = NULL;
1051  char *ciphers = NULL;
1052  u8 engine_name_set = 0;
1053  int i, async = 0;
1054 
1055  /* By present, it is not allowed to configure engine again after running */
1056  if (om->engine_init)
1057  {
1058  clib_warning ("engine has started!\n");
1059  return clib_error_return
1060  (0, "engine has started, and no config is accepted");
1061  }
1062 
1063  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1064  {
1065  if (unformat (input, "engine %s", &engine_name))
1066  {
1067  engine_name_set = 1;
1068  }
1069  else if (unformat (input, "async"))
1070  {
1071  async = 1;
1072  }
1073  else if (unformat (input, "alg %s", &engine_alg))
1074  {
1075  for (i = 0; i < strnlen (engine_alg, MAX_CRYPTO_LEN); i++)
1076  engine_alg[i] = toupper (engine_alg[i]);
1077  }
1078  else if (unformat (input, "ciphers %s", &ciphers))
1079  {
1080  tls_openssl_set_ciphers (ciphers);
1081  }
1082  else
1083  return clib_error_return (0, "failed: unknown input `%U'",
1084  format_unformat_error, input);
1085  }
1086 
1087  /* reset parameters if engine is not configured */
1088  if (!engine_name_set)
1089  {
1090  clib_warning ("No engine provided! \n");
1091  async = 0;
1092  }
1093  else
1094  {
1096  if (openssl_engine_register (engine_name, engine_alg, async) < 0)
1097  {
1098  return clib_error_return (0, "Failed to register %s polling",
1099  engine_name);
1100  }
1101  else
1102  {
1103  vlib_cli_output (vm, "Successfully register engine %s\n",
1104  engine_name);
1105  }
1106  }
1107  om->async = async;
1108 
1109  return 0;
1110 }
1111 
1112 /* *INDENT-OFF* */
1113 VLIB_CLI_COMMAND (tls_openssl_set_command, static) =
1114 {
1115  .path = "tls openssl set",
1116  .short_help = "tls openssl set [engine <engine name>] [alg [algorithm] [async]",
1117  .function = tls_openssl_set_command_fn,
1118 };
1119 /* *INDENT-ON* */
1120 #endif
1121 
1122 /* *INDENT-OFF* */
1123 VLIB_PLUGIN_REGISTER () = {
1124  .version = VPP_BUILD_VER,
1125  .description = "Transport Layer Security (TLS) Engine, OpenSSL Based",
1126 };
1127 /* *INDENT-ON* */
1128 
1129 /*
1130  * fd.io coding-style-patch-verification: ON
1131  *
1132  * Local Variables:
1133  * eval: (c-set-style "gnu")
1134  * End:
1135  */
tls_main_
Definition: tls.h:90
session_dgram_header_::data_length
u32 data_length
Definition: session_types.h:439
svm_fifo_segments
int svm_fifo_segments(svm_fifo_t *f, u32 offset, svm_fifo_seg_t *fs, u32 n_segs, u32 max_bytes)
Get pointers to fifo chunks data in svm_fifo_seg_t array.
Definition: svm_fifo.c:1283
svm_fifo_size
static u32 svm_fifo_size(svm_fifo_t *f)
Definition: svm_fifo.h:754
thread_index
u32 thread_index
Definition: nat44_ei_hairpinning.c:492
certificate_
Definition: application_interface.h:24
session_dgram_header_
Definition: session_types.h:437
session_dequeue_notify
int session_dequeue_notify(session_t *s)
Definition: session.c:816
openssl_listen_ctx_alloc
static u32 openssl_listen_ctx_alloc(void)
Definition: tls_openssl.c:134
openssl_lctx_get
openssl_listen_ctx_t * openssl_lctx_get(u32 lctx_index)
Definition: tls_openssl.c:153
session_::session_index
u32 session_index
Index in thread pool where session was allocated.
Definition: session_types.h:188
tls_notify_app_connected
int tls_notify_app_connected(tls_ctx_t *ctx, session_error_t err)
Definition: tls.c:212
clib_memcpy
#define clib_memcpy(d, s, n)
Definition: string.h:197
vpp_tls_async_update_event
int vpp_tls_async_update_event(tls_ctx_t *ctx, int eagain)
Definition: tls_async.c:319
openssl_ctx_write_tls
static int openssl_ctx_write_tls(tls_ctx_t *ctx, session_t *app_session, transport_send_params_t *sp)
Definition: tls_openssl.c:371
openssl_main_::rx_bufs
u8 ** rx_bufs
Definition: tls_openssl.h:56
clib_max
#define clib_max(x, y)
Definition: clib.h:335
openssl_start_listen
static int openssl_start_listen(tls_ctx_t *lctx)
Definition: tls_openssl.c:699
session_transport_closing_notify
void session_transport_closing_notify(transport_connection_t *tc)
Notification from transport that connection is being closed.
Definition: session.c:1062
f
vlib_frame_t * f
Definition: interface_output.c:1080
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:553
openssl_ctx_read_dtls
static int openssl_ctx_read_dtls(tls_ctx_t *ctx, session_t *us)
Definition: tls_openssl.c:530
tls_openssl_init
static clib_error_t * tls_openssl_init(vlib_main_t *vm)
Definition: tls_openssl.c:999
openssl_engine_register
int openssl_engine_register(char *engine_name, char *algorithm, int async)
Definition: tls_async.c:116
session_::tx_fifo
svm_fifo_t * tx_fifo
Definition: session_types.h:179
svm_fifo_peek
int svm_fifo_peek(svm_fifo_t *f, u32 offset, u32 len, u8 *dst)
Peek data from fifo.
Definition: svm_fifo.c:1141
clib_mem_free
static void clib_mem_free(void *p)
Definition: mem.h:311
svm_fifo_needs_deq_ntf
static u8 svm_fifo_needs_deq_ntf(svm_fifo_t *f, u32 n_last_deq)
Check if fifo needs dequeue notification.
Definition: svm_fifo.h:882
svm_fifo_fill_chunk_list
int svm_fifo_fill_chunk_list(svm_fifo_t *f)
Ensure the whole fifo size is writeable.
Definition: svm_fifo.c:1228
session_
Definition: session_types.h:175
CRYPTO_ENGINE_OPENSSL
@ CRYPTO_ENGINE_OPENSSL
Definition: application_interface.h:177
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
vlib_cli_command_t::path
char * path
Definition: cli.h:96
openssl_main_::tx_bufs
u8 ** tx_bufs
Definition: tls_openssl.h:57
session_handle_t
u64 session_handle_t
Definition: session_types.h:111
svm_fifo_provision_chunks
int svm_fifo_provision_chunks(svm_fifo_t *f, svm_fifo_seg_t *fs, u32 n_segs, u32 len)
Provision and return chunks for number of bytes requested.
Definition: svm_fifo.c:1244
openssl_main_::engine_init
int engine_init
Definition: tls_openssl.h:64
tls_openssl.h
tls_notify_app_accept
int tls_notify_app_accept(tls_ctx_t *ctx)
Definition: tls.c:182
tls_notify_app_enqueue
void tls_notify_app_enqueue(tls_ctx_t *ctx, session_t *app_session)
Definition: tls.c:173
SESSION_INVALID_INDEX
#define SESSION_INVALID_INDEX
Definition: session_types.h:22
tls_listen_ctx_opensl_::openssl_lctx_index
u32 openssl_lctx_index
Definition: tls_openssl.h:44
svm_fifo_seg_::len
u32 len
Definition: svm_fifo.h:55
tls_ctx_::tls_type
transport_proto_t tls_type
Definition: tls.h:87
tls_ctx_openssl_::wbio
BIO * wbio
Definition: tls_openssl.h:39
vm
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
Definition: nat44_ei.c:3047
tls_engine_vft_
Definition: tls.h:108
certificate_::key
u8 * key
Definition: application_interface.h:28
BIO_new_tls
BIO * BIO_new_tls(session_handle_t sh)
Definition: tls_bio.c:162
session_transport_closed_notify
void session_transport_closed_notify(transport_connection_t *tc)
Notification from transport that it is closed.
Definition: session.c:1150
vpp_openssl_is_inflight
int vpp_openssl_is_inflight(tls_ctx_t *ctx)
Definition: tls_async.c:306
openssl_main_::ctx_pool
openssl_ctx_t *** ctx_pool
Definition: tls_openssl.h:53
TLSO_CTRL_BYTES
#define TLSO_CTRL_BYTES
Definition: tls_openssl.h:27
unformat_input_t
struct _unformat_input_t unformat_input_t
openssl_ctx_read
static int openssl_ctx_read(tls_ctx_t *ctx, session_t *ts)
Definition: tls_openssl.c:591
tls_openssl_set_ciphers
int tls_openssl_set_ciphers(char *ciphers)
Definition: tls_openssl.c:978
session_free
void session_free(session_t *s)
Definition: session.c:227
pool_put_index
#define pool_put_index(p, i)
Free pool element with given index.
Definition: pool.h:337
error
Definition: cJSON.c:88
SESSION_CONN_HDR_LEN
#define SESSION_CONN_HDR_LEN
Definition: session_types.h:449
VLIB_PLUGIN_REGISTER
VLIB_PLUGIN_REGISTER()
tls_disconnect_transport
void tls_disconnect_transport(tls_ctx_t *ctx)
Definition: tls.c:30
openssl_ctx_alloc_w_thread
static u32 openssl_ctx_alloc_w_thread(u32 thread_index)
Definition: tls_openssl.c:36
tls_main_::use_test_cert_in_ca
u8 use_test_cert_in_ca
Definition: tls.h:102
svm_fifo_t
struct _svm_fifo svm_fifo_t
unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
openssl_ctx_free
static void openssl_ctx_free(tls_ctx_t *ctx)
Definition: tls_openssl.c:60
openssl_handle_handshake_failure
static void openssl_handle_handshake_failure(tls_ctx_t *ctx)
Definition: tls_openssl.c:244
tls_listen_ctx_opensl_
Definition: tls_openssl.h:42
openssl_main_::ciphers
u8 * ciphers
Definition: tls_openssl.h:63
tls_main_::ca_cert_path
char * ca_cert_path
Definition: tls.h:103
TRANSPORT_SND_F_DESCHED
@ TRANSPORT_SND_F_DESCHED
Definition: transport.h:40
svm_fifo_seg_
Definition: svm_fifo.h:52
SVM_FIFO_WANT_DEQ_NOTIF
@ SVM_FIFO_WANT_DEQ_NOTIF
Notify on dequeue.
Definition: svm_fifo.h:35
tls_ctx_openssl_::openssl_ctx_index
u32 openssl_ctx_index
Definition: tls_openssl.h:35
TLS_DBG
#define TLS_DBG(_lvl, _fmt, _args...)
Definition: tls.h:36
session_::rx_fifo
svm_fifo_t * rx_fifo
Pointers to rx/tx buffers.
Definition: session_types.h:178
tls_ctx_openssl_::ctx
tls_ctx_t ctx
First.
Definition: tls_openssl.h:34
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
len
u8 len
Definition: ip_types.api:103
tls_add_vpp_q_builtin_rx_evt
int tls_add_vpp_q_builtin_rx_evt(session_t *s)
Definition: tls.c:62
tls_ctx_
Definition: tls.h:59
openssl_transport_close
static int openssl_transport_close(tls_ctx_t *ctx)
Definition: tls_openssl.c:878
openssl_confirm_app_close
static void openssl_confirm_app_close(tls_ctx_t *ctx)
Definition: tls_openssl.c:364
openssl_main_::cert_store
X509_STORE * cert_store
Definition: tls_openssl.h:62
svm_fifo_enqueue_nocopy
void svm_fifo_enqueue_nocopy(svm_fifo_t *f, u32 len)
Advance tail.
Definition: svm_fifo.c:946
tls_ctx_openssl_::rbio
BIO * rbio
Definition: tls_openssl.h:38
PREDICT_FALSE
#define PREDICT_FALSE(x)
Definition: clib.h:124
vlib_get_thread_index
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:208
tls_bios.h
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:163
openssl_handshake_is_over
static u8 openssl_handshake_is_over(tls_ctx_t *ctx)
Definition: tls_openssl.c:869
svm_fifo_enqueue_segments
int svm_fifo_enqueue_segments(svm_fifo_t *f, const svm_fifo_seg_t segs[], u32 n_segs, u8 allow_partial)
Enqueue array of svm_fifo_seg_t in order.
Definition: svm_fifo.c:972
TLSO_MIN_ENQ_SPACE
#define TLSO_MIN_ENQ_SPACE
Definition: tls_openssl.h:28
openssl_ctx_write_dtls
static int openssl_ctx_write_dtls(tls_ctx_t *ctx, session_t *app_session, transport_send_params_t *sp)
Definition: tls_openssl.c:429
tls_ctx_openssl_::ssl
SSL * ssl
Definition: tls_openssl.h:37
openssl_ctx_init_client
static int openssl_ctx_init_client(tls_ctx_t *ctx)
Definition: tls_openssl.c:600
i
sll srl srl sll sra u16x4 i
Definition: vector_sse42.h:261
svm_fifo_dequeue_drop
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 len)
Dequeue and drop bytes from fifo.
Definition: svm_fifo.c:1168
tls_listen_ctx_opensl_::srvcert
X509 * srvcert
Definition: tls_openssl.h:47
session_dgram_header_::data_offset
u32 data_offset
Definition: session_types.h:440
format_unformat_error
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
pool_get
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:255
session_get_from_handle
static session_t * session_get_from_handle(session_handle_t handle)
Definition: session.h:356
vec_validate
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment)
Definition: vec.h:523
vpp_tls_async_init_event
int vpp_tls_async_init_event(tls_ctx_t *ctx, openssl_resume_handler *handler, session_t *session)
Definition: tls_async.c:280
openssl_ctx_handshake_rx
int openssl_ctx_handshake_rx(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls_openssl.c:273
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:163
MAX_CRYPTO_LEN
#define MAX_CRYPTO_LEN
Definition: tls_openssl.c:31
openssl_main_::lctx_pool
openssl_listen_ctx_t * lctx_pool
Definition: tls_openssl.h:54
tls_listen_ctx_opensl_::pkey
EVP_PKEY * pkey
Definition: tls_openssl.h:48
openssl_evt_free
int openssl_evt_free(int event_index, u8 thread_index)
Definition: tls_async.c:212
clib_min
#define clib_min(x, y)
Definition: clib.h:342
session_get
static session_t * session_get(u32 si, u32 thread_index)
Definition: session.h:336
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:716
tls_ctx_openssl_
Definition: tls_openssl.h:32
tls_async_openssl_callback
int tls_async_openssl_callback(SSL *s, void *cb_arg)
Definition: tls_async.c:243
openssl_stop_listen
static int openssl_stop_listen(tls_ctx_t *lctx)
Definition: tls_openssl.c:791
plugin.h
transport_send_params_
Definition: transport.h:45
data
u8 data[128]
Definition: ipsec_types.api:92
openssl_ctx_init_server
static int openssl_ctx_init_server(tls_ctx_t *ctx)
Definition: tls_openssl.c:809
vec_free
#define vec_free(V)
Free vector's memory (no header).
Definition: vec.h:395
openssl_engine
const static tls_engine_vft_t openssl_engine
Definition: tls_openssl.c:910
space
description No buffer space
Definition: ikev2.api:563
openssl_read_from_ssl_into_fifo
static int openssl_read_from_ssl_into_fifo(svm_fifo_t *f, SSL *ssl)
Definition: tls_openssl.c:159
svm_fifo_max_enqueue_prod
static u32 svm_fifo_max_enqueue_prod(svm_fifo_t *f)
Maximum number of bytes that can be enqueued into fifo.
Definition: svm_fifo.h:607
test_srv_crt_rsa
static const char test_srv_crt_rsa[]
Definition: tls_test.h:23
vnet_tls_get_main
tls_main_t * vnet_tls_get_main(void)
Definition: tls.c:1364
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
openssl_main
openssl_main_t openssl_main
Definition: tls_openssl.c:33
vlib_thread_main_t::n_threads
u32 n_threads
Definition: threads.h:292
BIO_new_dtls
BIO * BIO_new_dtls(session_handle_t sh)
Definition: dtls_bio.c:195
session_get_if_valid
static session_t * session_get_if_valid(u64 si, u32 thread_index)
Definition: session.h:343
buf
u64 buf
Definition: application.c:493
tls_ctx_::ckpair_index
u32 ckpair_index
Definition: tls.h:86
u32
unsigned int u32
Definition: types.h:88
VLIB_INIT_FUNCTION
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:172
vlib_thread_main_t
Definition: threads.h:264
openssl_ctx_write
static int openssl_ctx_write(tls_ctx_t *ctx, session_t *app_session, transport_send_params_t *sp)
Definition: tls_openssl.c:490
openssl_ctx_attach
static u32 openssl_ctx_attach(u32 thread_index, void *ctx_ptr)
Definition: tls_openssl.c:94
ctx
long ctx[MAX_CONNS]
Definition: main.c:144
openssl_ctx_detach
static void * openssl_ctx_detach(tls_ctx_t *ctx)
Definition: tls_openssl.c:83
test_srv_crt_rsa_len
static const u32 test_srv_crt_rsa_len
Definition: tls_test.h:47
openssl_ctx_get
tls_ctx_t * openssl_ctx_get(u32 ctx_index)
Definition: tls_openssl.c:117
SESSION_INVALID_HANDLE
#define SESSION_INVALID_HANDLE
Definition: session_types.h:23
tls_add_vpp_q_tx_evt
int tls_add_vpp_q_tx_evt(session_t *s)
Definition: tls.c:70
openssl_main_::async
int async
Definition: tls_openssl.h:65
openssl_ctx_alloc
static u32 openssl_ctx_alloc(void)
Definition: tls_openssl.c:54
openssl_listen_ctx_free
static void openssl_listen_ctx_free(openssl_listen_ctx_t *lctx)
Definition: tls_openssl.c:147
clib_memset
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
vlib_main_t
Definition: main.h:102
openssl_write_from_fifo_into_ssl
static int openssl_write_from_fifo_into_ssl(svm_fifo_t *f, SSL *ssl, u32 max_len)
Definition: tls_openssl.c:194
tls.h
DTLSO_MAX_DGRAM
#define DTLSO_MAX_DGRAM
Definition: tls_openssl.h:30
tls_openssl_api_init
clib_error_t * tls_openssl_api_init(vlib_main_t *vm)
Definition: tls_openssl_api.c:60
VLIB_INITS
#define VLIB_INITS(...)
Definition: init.h:352
transport_send_params_::max_burst_size
u32 max_burst_size
Definition: transport.h:59
u8
unsigned char u8
Definition: types.h:56
clib_error_t
Definition: clib_error.h:21
tls_listen_ctx_opensl_::ssl_ctx
SSL_CTX * ssl_ctx
Definition: tls_openssl.h:45
vlib_init_function_t
clib_error_t *() vlib_init_function_t(struct vlib_main_t *vm)
Definition: init.h:51
uword_to_pointer
#define uword_to_pointer(u, type)
Definition: types.h:136
tls_engine_vft_::ctx_alloc
u32(* ctx_alloc)(void)
Definition: tls.h:110
transport_send_params_::flags
transport_snd_flags_t flags
Definition: transport.h:62
clib_warning
#define clib_warning(format, args...)
Definition: error.h:59
app_cert_key_pair_get_if_valid
app_cert_key_pair_t * app_cert_key_pair_get_if_valid(u32 index)
Definition: application.c:1996
session_::flags
u32 flags
Session flags.
Definition: session_types.h:197
rv
int __clib_unused rv
Definition: application.c:491
certificate_::cert
u8 * cert
Definition: application_interface.h:29
tls_init_ca_chain
int tls_init_ca_chain(void)
Definition: tls_openssl.c:930
tls_register_engine
void tls_register_engine(const tls_engine_vft_t *vft, crypto_engine_type_t type)
Definition: tls.c:1294
tls_ctx_openssl_::ssl_ctx
SSL_CTX * ssl_ctx
Definition: tls_openssl.h:36
vlib_cli_command_t
Definition: cli.h:92
openssl_main_
Definition: tls_openssl.h:51
openssl_resume_handler
int openssl_resume_handler(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls_openssl.h:68
vlib_get_thread_main
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:56
openssl_ctx_get_w_thread
tls_ctx_t * openssl_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
Definition: tls_openssl.c:126
svm_fifo_max_dequeue_cons
static u32 svm_fifo_max_dequeue_cons(svm_fifo_t *f)
Fifo max bytes to dequeue optimized for consumer.
Definition: svm_fifo.h:487
svm_fifo_add_want_deq_ntf
static void svm_fifo_add_want_deq_ntf(svm_fifo_t *f, u8 ntf_type)
Set specific want notification flag.
Definition: svm_fifo.h:817
session_dgram_pre_hdr_
Definition: session_types.h:431
openssl_app_close
static int openssl_app_close(tls_ctx_t *ctx)
Definition: tls_openssl.c:895
session_::session_state
volatile u8 session_state
State in session layer state machine.
Definition: session_types.h:185
clib_mem_alloc
static void * clib_mem_alloc(uword size)
Definition: mem.h:253
openssl_ctx_read_tls
static int openssl_ctx_read_tls(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls_openssl.c:500
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:137
vnet_session_enable_disable
clib_error_t * vnet_session_enable_disable(vlib_main_t *vm, u8 is_en)
Definition: session.c:1927
transport_connection_deschedule
static void transport_connection_deschedule(transport_connection_t *tc)
Definition: transport.h:217
flags
vl_api_wireguard_peer_flags_t flags
Definition: wireguard.api:105