mbedtls_main_t *tm = &mbedtls_main;
mbedtls_ctx_t **ctx;
- pool_get (tm->ctx_pool[thread_index], ctx);
+ pool_get_aligned_safe (tm->ctx_pool[thread_index], ctx,
+ CLIB_CACHE_LINE_BYTES);
if (!(*ctx))
*ctx = clib_mem_alloc (sizeof (mbedtls_ctx_t));
clib_memset (*ctx, 0, sizeof (mbedtls_ctx_t));
(*ctx)->ctx.c_thread_index = thread_index;
- (*ctx)->ctx.tls_ctx_engine = TLS_ENGINE_MBEDTLS;
+ (*ctx)->ctx.tls_ctx_engine = CRYPTO_ENGINE_MBEDTLS;
(*ctx)->mbedtls_ctx_index = ctx - tm->ctx_pool[thread_index];
return ((*ctx)->mbedtls_ctx_index);
}
{
mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
- if (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER && !ctx->is_passive_close)
+ if (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER &&
+ !(ctx->flags & TLS_CONN_F_PASSIVE_CLOSE))
mbedtls_ssl_close_notify (&mc->ssl);
if (mc->ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
{
mbedtls_ssl_free (&mc->ssl);
mbedtls_ssl_config_free (&mc->conf);
+ vec_free (ctx->srv_hostname);
pool_put_index (mbedtls_main.ctx_pool[ctx->c_thread_index],
mc->mbedtls_ctx_index);
}
static int
tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len)
{
- stream_session_t *tls_session;
+ session_t *tls_session;
uword ctx_index;
tls_ctx_t *ctx;
int rv;
ctx_index = pointer_to_uword (ctx_indexp);
ctx = mbedtls_ctx_get (ctx_index);
tls_session = session_get_from_handle (ctx->tls_session_handle);
- rv = svm_fifo_enqueue_nowait (tls_session->server_tx_fifo, len, buf);
+ rv = svm_fifo_enqueue (tls_session->tx_fifo, len, buf);
if (rv < 0)
return MBEDTLS_ERR_SSL_WANT_WRITE;
tls_add_vpp_q_tx_evt (tls_session);
static int
tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len)
{
- stream_session_t *tls_session;
+ session_t *tls_session;
uword ctx_index;
tls_ctx_t *ctx;
int rv;
ctx_index = pointer_to_uword (ctx_indexp);
ctx = mbedtls_ctx_get (ctx_index);
tls_session = session_get_from_handle (ctx->tls_session_handle);
- rv = svm_fifo_dequeue_nowait (tls_session->server_rx_fifo, len, buf);
+ rv = svm_fifo_dequeue (tls_session->rx_fifo, len, buf);
return (rv < 0) ? 0 : rv;
}
{
mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
mbedtls_main_t *mm = &mbedtls_main;
- application_t *app;
+ app_cert_key_pair_t *ckpair;
void *ctx_ptr;
int rv;
/*
* 1. Cert
*/
- app = application_get (ctx->parent_app_index);
- if (!app->tls_cert || !app->tls_key)
+ ckpair = app_cert_key_pair_get_if_valid (ctx->ckpair_index);
+ if (!ckpair)
+ return -1;
+
+ if (!ckpair->cert || !ckpair->key)
{
TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d",
- ctx->parent_app_index);
+ ctx->parent_app_wrk_index);
return -1;
}
rv = mbedtls_x509_crt_parse (&mc->srvcert,
- (const unsigned char *) app->tls_cert,
- vec_len (app->tls_cert));
+ (const unsigned char *) ckpair->cert,
+ vec_len (ckpair->cert));
if (rv != 0)
{
TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
}
rv = mbedtls_pk_parse_key (&mc->pkey,
- (const unsigned char *) app->tls_key,
- vec_len (app->tls_key), NULL, 0);
+ (const unsigned char *) ckpair->key,
+ vec_len (ckpair->key), NULL, 0);
if (rv != 0)
{
TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv);
*/
if (ctx->srv_hostname)
{
- tls_notify_app_connected (ctx, /* is failed */ 0);
+ tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE);
return -1;
}
}
- tls_notify_app_connected (ctx, /* is failed */ 0);
+ tls_notify_app_connected (ctx, SESSION_E_NONE);
}
else
{
}
static int
-mbedtls_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session)
+mbedtls_ctx_write (tls_ctx_t * ctx, session_t * app_session,
+ transport_send_params_t * sp)
{
mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
u8 thread_index = ctx->c_thread_index;
mbedtls_main_t *mm = &mbedtls_main;
u32 enq_max, deq_max, deq_now;
- stream_session_t *tls_session;
+ session_t *tls_session;
int wrote;
ASSERT (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
- deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo);
+ deq_max = svm_fifo_max_dequeue_cons (app_session->tx_fifo);
if (!deq_max)
return 0;
+ deq_max = clib_min (deq_max, sp->max_burst_size);
tls_session = session_get_from_handle (ctx->tls_session_handle);
- enq_max = svm_fifo_max_enqueue (tls_session->server_tx_fifo);
+ enq_max = svm_fifo_max_enqueue_prod (tls_session->tx_fifo);
deq_now = clib_min (deq_max, TLS_CHUNK_SIZE);
if (PREDICT_FALSE (enq_max == 0))
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
vec_validate (mm->tx_bufs[thread_index], deq_now);
- svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now,
- mm->tx_bufs[thread_index]);
+ svm_fifo_peek (app_session->tx_fifo, 0, deq_now, mm->tx_bufs[thread_index]);
wrote = mbedtls_ssl_write (&mc->ssl, mm->tx_bufs[thread_index], deq_now);
if (wrote <= 0)
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
- svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote);
+ svm_fifo_dequeue_drop (app_session->tx_fifo, wrote);
vec_reset_length (mm->tx_bufs[thread_index]);
tls_add_vpp_q_tx_evt (tls_session);
if (deq_now < deq_max)
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
static int
-mbedtls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session)
+mbedtls_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
{
mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
mbedtls_main_t *mm = &mbedtls_main;
u8 thread_index = ctx->c_thread_index;
u32 deq_max, enq_max, enq_now;
- stream_session_t *app_session;
+ session_t *app_session;
int read, enq;
if (PREDICT_FALSE (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER))
return 0;
}
- deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo);
+ deq_max = svm_fifo_max_dequeue_cons (tls_session->rx_fifo);
if (!deq_max)
return 0;
app_session = session_get_from_handle (ctx->app_session_handle);
- enq_max = svm_fifo_max_enqueue (app_session->server_rx_fifo);
+ enq_max = svm_fifo_max_enqueue_prod (app_session->rx_fifo);
enq_now = clib_min (enq_max, TLS_CHUNK_SIZE);
if (PREDICT_FALSE (enq_now == 0))
return 0;
}
- enq = svm_fifo_enqueue_nowait (app_session->server_rx_fifo, read,
- mm->rx_bufs[thread_index]);
+ enq = svm_fifo_enqueue (app_session->rx_fifo, read,
+ mm->rx_bufs[thread_index]);
ASSERT (enq == read);
vec_reset_length (mm->rx_bufs[thread_index]);
- if (svm_fifo_max_dequeue (tls_session->server_rx_fifo))
+ if (svm_fifo_max_dequeue_cons (tls_session->rx_fifo))
tls_add_vpp_q_builtin_rx_evt (tls_session);
if (enq > 0)
return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
}
+static int
+mbedtls_transport_close (tls_ctx_t * ctx)
+{
+ if (!mbedtls_handshake_is_over (ctx))
+ {
+ session_close (session_get_from_handle (ctx->tls_session_handle));
+ return 0;
+ }
+ session_transport_closing_notify (&ctx->connection);
+ return 0;
+}
+
+static int
+mbedtls_transport_reset (tls_ctx_t *ctx)
+{
+ if (!mbedtls_handshake_is_over (ctx))
+ {
+ session_close (session_get_from_handle (ctx->tls_session_handle));
+ return 0;
+ }
+
+ session_transport_reset_notify (&ctx->connection);
+ session_transport_closed_notify (&ctx->connection);
+ tls_disconnect_transport (ctx);
+ return 0;
+}
+
+static int
+mbedtls_app_close (tls_ctx_t * ctx)
+{
+ tls_disconnect_transport (ctx);
+ session_transport_delete_notify (&ctx->connection);
+ return 0;
+}
+
+static int
+mbedtls_reinit_ca_chain (void)
+{
+ /* Not supported Yet */
+ return 0;
+}
+
const static tls_engine_vft_t mbedtls_engine = {
.ctx_alloc = mbedtls_ctx_alloc,
.ctx_free = mbedtls_ctx_free,
.ctx_handshake_is_over = mbedtls_handshake_is_over,
.ctx_start_listen = mbedtls_start_listen,
.ctx_stop_listen = mbedtls_stop_listen,
+ .ctx_transport_close = mbedtls_transport_close,
+ .ctx_transport_reset = mbedtls_transport_reset,
+ .ctx_app_close = mbedtls_app_close,
+ .ctx_reinit_cachain = mbedtls_reinit_ca_chain,
};
int
{
vlib_thread_main_t *vtm = vlib_get_thread_main ();
mbedtls_main_t *mm = &mbedtls_main;
- clib_error_t *error;
u32 num_threads;
num_threads = 1 /* main thread */ + vtm->n_threads;
- if ((error = vlib_call_init_function (vm, tls_init)))
- return error;
-
if (tls_init_ca_chain ())
{
clib_warning ("failed to initialize TLS CA chain");
vec_validate (mm->rx_bufs, num_threads - 1);
vec_validate (mm->tx_bufs, num_threads - 1);
- tls_register_engine (&mbedtls_engine, TLS_ENGINE_MBEDTLS);
+ tls_register_engine (&mbedtls_engine, CRYPTO_ENGINE_MBEDTLS);
return 0;
}
-VLIB_INIT_FUNCTION (tls_mbedtls_init);
+VLIB_INIT_FUNCTION (tls_mbedtls_init) =
+{
+ .runs_after = VLIB_INITS("tls_init"),
+};
-/* *INDENT-OFF* */
VLIB_PLUGIN_REGISTER () = {
.version = VPP_BUILD_VER,
- .description = "mbedtls based TLS Engine",
+ .description = "Transport Layer Security (TLS) Engine, Mbedtls Based",
};
-/* *INDENT-ON* */
/*
* fd.io coding-style-patch-verification: ON
Code Review / vpp.git / blobdiff