#include <math.h>
-#include "certs.h"
-#include "tls_picotls.h"
-#include "pico_vpp_crypto.h"
+#include <tlspicotls/certs.h>
+#include <tlspicotls/tls_picotls.h>
+#include <tlspicotls/pico_vpp_crypto.h>
picotls_main_t picotls_main;
#define MAX_QUEUE 12000
#define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384
+static ptls_key_exchange_algorithm_t *default_key_exchange[] = {
+#ifdef PTLS_OPENSSL_HAVE_X25519
+ &ptls_openssl_x25519,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP256R1
+ &ptls_openssl_secp256r1,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP384R1
+ &ptls_openssl_secp384r1,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP521R1
+ &ptls_openssl_secp521r1
+#endif
+};
+
static u32
picotls_ctx_alloc (void)
{
picotls_ctx_free (tls_ctx_t * ctx)
{
picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
- free (ptls_ctx->rx_content);
+ vec_free (ptls_ctx->rx_content);
+ vec_free (ptls_ctx->write_content);
pool_put_index (picotls_main.ctx_pool[ctx->c_thread_index],
ptls_ctx->ptls_ctx_idx);
}
ptls_context_t *ptls_ctx;
u32 ptls_lctx_idx;
app_cert_key_pair_t *ckpair;
- static ptls_key_exchange_algorithm_t *key_exchange[] = {
-#ifdef PTLS_OPENSSL_HAVE_X25519
- &ptls_openssl_x25519,
-#endif
-#ifdef PTLS_OPENSSL_HAVE_SECP256r1
- &ptls_openssl_secp256r1,
-#endif
-#ifdef PTLS_OPENSSL_HAVE_SECP384r1
- &ptls_openssl_secp384r1,
-#endif
-#ifdef PTLS_OPENSSL_HAVE_SECP521r1
- &ptls_openssl_secp521r1
-#endif
- };
ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index);
if (!ckpair || !ckpair->cert || !ckpair->key)
load_bio_private_key (ptls_ctx, (char *) ckpair->key);
/* setup protocol related functions */
- ptls_ctx->key_exchanges = key_exchange;
+ ptls_ctx->key_exchanges = default_key_exchange;
ptls_ctx->random_bytes = ptls_openssl_random_bytes;
ptls_ctx->cipher_suites = ptls_vpp_crypto_cipher_suites;
ptls_ctx->get_time = &ptls_get_time;
}
picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
ptls_free (ptls_ctx->tls);
- session_transport_closed_notify (&ctx->connection);
+ session_transport_closing_notify (&ctx->connection);
return 0;
}
picotls_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
{
picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
- int from_tls_len = 0, to_app_len = 0, off, crypto_len, ret;
+ int from_tls_len = 0, off, crypto_len, ret;
u32 deq_max, deq_now;
- u32 enq_max, enq_now;
- ptls_buffer_t _buf, *buf = &_buf;
+ u32 enq_max;
+ ptls_buffer_t *buf = &ptls_ctx->read_buffer;
svm_fifo_t *tls_rx_fifo, *app_rx_fifo;
session_t *app_session;
if (!picotls_handshake_is_over (ctx))
{
deq_max = svm_fifo_max_dequeue_cons (tls_rx_fifo);
- deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (tls_rx_fifo));
- if (!deq_now)
+ if (!deq_max)
goto done_hs;
- off = svm_fifo_dequeue (tls_rx_fifo, deq_now, TLS_RX_LEN (ptls_ctx));
+ vec_validate (ptls_ctx->rx_content, deq_max);
+ ptls_ctx->rx_offset = 0;
+ ptls_ctx->rx_len = 0;
+
+ off = svm_fifo_dequeue (tls_rx_fifo, deq_max, TLS_RX_LEN (ptls_ctx));
from_tls_len += off;
ptls_ctx->rx_len += off;
- if (from_tls_len <= 0)
- {
- tls_add_vpp_q_builtin_rx_evt (tls_session);
- goto done_hs;
- }
- if (from_tls_len < deq_max)
- {
- deq_now = clib_min (svm_fifo_max_read_chunk (tls_rx_fifo),
- deq_max - from_tls_len);
- off = svm_fifo_dequeue (tls_rx_fifo, deq_now,
- TLS_RX_LEN (ptls_ctx));
- from_tls_len += off;
- ptls_ctx->rx_len += off;
- }
+
picotls_do_handshake (ptls_ctx, tls_session, TLS_RX_OFFSET (ptls_ctx),
from_tls_len);
if (picotls_handshake_is_over (ctx))
- tls_notify_app_accept (ctx);
+ ret = ptls_is_server (ptls_ctx->tls) ?
+ tls_notify_app_accept (ctx) :
+ tls_notify_app_connected (ctx, SESSION_E_NONE);
done_hs:
if (!TLS_RX_IS_LEFT (ptls_ctx))
app_session = session_get_from_handle (ctx->app_session_handle);
app_rx_fifo = app_session->rx_fifo;
+ if (TLS_READ_IS_LEFT (ptls_ctx))
+ goto enq_buf;
+
ptls_buffer_init (buf, "", 0);
+ ptls_ctx->read_buffer_offset = 0;
if (!TLS_RX_IS_LEFT (ptls_ctx))
{
deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (tls_rx_fifo));
- off = svm_fifo_dequeue (tls_rx_fifo, deq_now, TLS_RX_LEN (ptls_ctx));
- from_tls_len = off;
- ptls_ctx->rx_len += off;
-
- if (from_tls_len < deq_max)
+ if (PREDICT_FALSE (deq_now < deq_max))
{
- deq_now =
- clib_min (svm_fifo_max_read_chunk (tls_rx_fifo),
- deq_max - from_tls_len);
off =
- svm_fifo_dequeue (tls_rx_fifo, deq_now, TLS_RX_LEN (ptls_ctx));
+ svm_fifo_dequeue (tls_rx_fifo, deq_max, TLS_RX_LEN (ptls_ctx));
from_tls_len += off;
ptls_ctx->rx_len += off;
}
-
- if (from_tls_len < deq_max)
- tls_add_vpp_q_builtin_rx_evt (tls_session);
+ else
+ {
+ ret =
+ ptls_receive (ptls_ctx->tls, buf, svm_fifo_head (tls_rx_fifo),
+ (size_t *) & deq_now);
+ svm_fifo_dequeue_drop (tls_rx_fifo, deq_now);
+ goto enq_buf;
+ }
}
app_fifo:
enq_max = svm_fifo_max_enqueue_prod (app_rx_fifo);
if (!enq_max)
- {
- tls_add_vpp_q_builtin_rx_evt (tls_session);
- goto final;
- }
+ goto final;
crypto_len = clib_min (enq_max, TLS_RX_LEFT_LEN (ptls_ctx));
off = 0;
}
while (ret == 0 && off < crypto_len);
- if (ret == 0)
+enq_buf:
+
+ off =
+ svm_fifo_enqueue (app_rx_fifo, TLS_READ_LEFT_LEN (ptls_ctx),
+ TLS_READ_OFFSET (ptls_ctx));
+ if (off < 0)
{
- enq_now = clib_min (buf->off, svm_fifo_max_write_chunk (app_rx_fifo));
- to_app_len = svm_fifo_enqueue (app_rx_fifo, enq_now, buf->base);
- if (to_app_len < buf->off)
- {
- enq_now =
- clib_min (svm_fifo_max_write_chunk (app_rx_fifo),
- buf->off - to_app_len);
- to_app_len +=
- svm_fifo_enqueue (app_rx_fifo, enq_now, buf->base + to_app_len);
- }
- if (ptls_ctx->rx_len != 0 && !TLS_RX_IS_LEFT (ptls_ctx))
- {
- ptls_ctx->rx_len = 0;
- ptls_ctx->rx_offset = 0;
- }
+ tls_add_vpp_q_builtin_rx_evt (tls_session);
+ return 0;
+ }
+ ptls_ctx->read_buffer_offset += off;
+ if (!TLS_RX_IS_LEFT (ptls_ctx))
+ {
+ ptls_ctx->rx_len = 0;
+ ptls_ctx->rx_offset = 0;
}
final:
if (app_session->session_state >= SESSION_STATE_READY)
tls_notify_app_enqueue (ctx, app_session);
- if (TLS_RX_IS_LEFT (ptls_ctx))
+ if (TLS_RX_IS_LEFT (ptls_ctx) || TLS_READ_IS_LEFT (ptls_ctx)
+ || svm_fifo_max_dequeue (tls_rx_fifo))
tls_add_vpp_q_builtin_rx_evt (tls_session);
return from_tls_len;
}
static inline int
-picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session)
+picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session,
+ transport_send_params_t * sp)
{
picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
u32 deq_max, deq_now;
svm_fifo_enqueue (tls_tx_fifo, to_write, TLS_WRITE_OFFSET (ptls_ctx));
if (to_tls_len < 0)
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
ptls_ctx->write_buffer_offset += to_tls_len;
if (TLS_WRITE_IS_LEFT (ptls_ctx))
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return to_tls_len;
}
else
deq_max = svm_fifo_max_dequeue_cons (app_tx_fifo);
if (!deq_max)
return deq_max;
- deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (app_tx_fifo));
+
+ deq_now = clib_min (deq_max, sp->max_burst_size);
+ deq_now = clib_min (deq_now, svm_fifo_max_read_chunk (app_tx_fifo));
enq_max = svm_fifo_max_enqueue_prod (tls_tx_fifo);
/** There is no engough enqueue space for one record **/
if (enq_max <= record_overhead)
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
tls_add_vpp_q_tx_evt (tls_session);
if (from_app_len < deq_max || TLS_WRITE_IS_LEFT (ptls_ctx))
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
if (ctx->app_closed)
picotls_app_close (ctx);
- return 0;
+ return to_tls_len;
}
static int
ptls_ctx->rx_len = 0;
ptls_ctx->rx_offset = 0;
- ptls_ctx->rx_content = malloc (MAX_QUEUE);
+ ptls_ctx->write_buffer_offset = 0;
+ return 0;
+}
+
+static int
+picotls_ctx_init_client (tls_ctx_t *ctx)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ picotls_main_t *pm = &picotls_main;
+ ptls_context_t *client_ptls_ctx = pm->client_ptls_ctx;
+ ptls_handshake_properties_t hsprop = { { { { NULL } } } };
+
+ session_t *tls_session = session_get_from_handle (ctx->tls_session_handle);
+ ptls_buffer_t hs_buf;
+
+ ptls_ctx->tls = ptls_new (client_ptls_ctx, 0);
+ if (ptls_ctx->tls == NULL)
+ {
+ TLS_DBG (1, "Failed to initialize ptls_ssl structure");
+ return -1;
+ }
+ ptls_ctx->rx_len = 0;
+ ptls_ctx->rx_offset = 0;
ptls_ctx->write_buffer_offset = 0;
+
+ ptls_buffer_init (&hs_buf, "", 0);
+ if (ptls_handshake (ptls_ctx->tls, &hs_buf, NULL, NULL, &hsprop) !=
+ PTLS_ERROR_IN_PROGRESS)
+ {
+ TLS_DBG (1, "Failed to initialize tls connection");
+ }
+
+ picotls_try_handshake_write (ptls_ctx, tls_session, &hs_buf);
+
+ ptls_buffer_dispose (&hs_buf);
+
return 0;
}
return &(*ctx)->ctx;
}
+int
+picotls_init_client_ptls_ctx (ptls_context_t **client_ptls_ctx)
+{
+ *client_ptls_ctx = clib_mem_alloc (sizeof (ptls_context_t));
+ memset (*client_ptls_ctx, 0, sizeof (ptls_context_t));
+
+ (*client_ptls_ctx)->update_open_count = NULL;
+ (*client_ptls_ctx)->key_exchanges = default_key_exchange;
+ (*client_ptls_ctx)->random_bytes = ptls_openssl_random_bytes;
+ (*client_ptls_ctx)->cipher_suites = ptls_vpp_crypto_cipher_suites;
+ (*client_ptls_ctx)->get_time = &ptls_get_time;
+
+ return 0;
+}
+
const static tls_engine_vft_t picotls_engine = {
.ctx_alloc = picotls_ctx_alloc,
.ctx_free = picotls_ctx_free,
.ctx_start_listen = picotls_start_listen,
.ctx_stop_listen = picotls_stop_listen,
.ctx_init_server = picotls_ctx_init_server,
+ .ctx_init_client = picotls_ctx_init_client,
.ctx_read = picotls_ctx_read,
.ctx_write = picotls_ctx_write,
.ctx_transport_close = picotls_transport_close,
vec_validate (pm->ctx_pool, num_threads - 1);
+ clib_rwlock_init (&picotls_main.crypto_keys_rw_lock);
+
tls_register_engine (&picotls_engine, CRYPTO_ENGINE_PICOTLS);
+ picotls_init_client_ptls_ctx (&pm->client_ptls_ctx);
+
return error;
}