#include <math.h>
-#include "certs.h"
-#include "tls_picotls.h"
-#include "pico_vpp_crypto.h"
+#include <tlspicotls/certs.h>
+#include <tlspicotls/tls_picotls.h>
+#include <tlspicotls/pico_vpp_crypto.h>
picotls_main_t picotls_main;
#define MAX_QUEUE 12000
#define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384
+static ptls_key_exchange_algorithm_t *default_key_exchange[] = {
+#ifdef PTLS_OPENSSL_HAVE_X25519
+ &ptls_openssl_x25519,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP256R1
+ &ptls_openssl_secp256r1,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP384R1
+ &ptls_openssl_secp384r1,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP521R1
+ &ptls_openssl_secp521r1
+#endif
+};
+
static u32
picotls_ctx_alloc (void)
{
ptls_context_t *ptls_ctx;
u32 ptls_lctx_idx;
app_cert_key_pair_t *ckpair;
- static ptls_key_exchange_algorithm_t *key_exchange[] = {
-#ifdef PTLS_OPENSSL_HAVE_X25519
- &ptls_openssl_x25519,
-#endif
-#ifdef PTLS_OPENSSL_HAVE_SECP256r1
- &ptls_openssl_secp256r1,
-#endif
-#ifdef PTLS_OPENSSL_HAVE_SECP384r1
- &ptls_openssl_secp384r1,
-#endif
-#ifdef PTLS_OPENSSL_HAVE_SECP521r1
- &ptls_openssl_secp521r1
-#endif
- };
ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index);
if (!ckpair || !ckpair->cert || !ckpair->key)
load_bio_private_key (ptls_ctx, (char *) ckpair->key);
/* setup protocol related functions */
- ptls_ctx->key_exchanges = key_exchange;
+ ptls_ctx->key_exchanges = default_key_exchange;
ptls_ctx->random_bytes = ptls_openssl_random_bytes;
ptls_ctx->cipher_suites = ptls_vpp_crypto_cipher_suites;
ptls_ctx->get_time = &ptls_get_time;
}
picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
ptls_free (ptls_ctx->tls);
- session_transport_closed_notify (&ctx->connection);
+ session_transport_closing_notify (&ctx->connection);
return 0;
}
picotls_do_handshake (ptls_ctx, tls_session, TLS_RX_OFFSET (ptls_ctx),
from_tls_len);
if (picotls_handshake_is_over (ctx))
- tls_notify_app_accept (ctx);
+ ret = ptls_is_server (ptls_ctx->tls) ?
+ tls_notify_app_accept (ctx) :
+ tls_notify_app_connected (ctx, SESSION_E_NONE);
done_hs:
if (!TLS_RX_IS_LEFT (ptls_ctx))
}
static inline int
-picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session)
+picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session,
+ transport_send_params_t * sp)
{
picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
u32 deq_max, deq_now;
svm_fifo_enqueue (tls_tx_fifo, to_write, TLS_WRITE_OFFSET (ptls_ctx));
if (to_tls_len < 0)
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
ptls_ctx->write_buffer_offset += to_tls_len;
if (TLS_WRITE_IS_LEFT (ptls_ctx))
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return to_tls_len;
}
else
deq_max = svm_fifo_max_dequeue_cons (app_tx_fifo);
if (!deq_max)
return deq_max;
- deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (app_tx_fifo));
+
+ deq_now = clib_min (deq_max, sp->max_burst_size);
+ deq_now = clib_min (deq_now, svm_fifo_max_read_chunk (app_tx_fifo));
enq_max = svm_fifo_max_enqueue_prod (tls_tx_fifo);
/** There is no engough enqueue space for one record **/
if (enq_max <= record_overhead)
{
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
return 0;
}
tls_add_vpp_q_tx_evt (tls_session);
if (from_app_len < deq_max || TLS_WRITE_IS_LEFT (ptls_ctx))
- tls_add_vpp_q_builtin_tx_evt (app_session);
+ app_session->flags |= SESSION_F_CUSTOM_TX;
if (ctx->app_closed)
picotls_app_close (ctx);
- return 0;
+ return to_tls_len;
}
static int
return 0;
}
+static int
+picotls_ctx_init_client (tls_ctx_t *ctx)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ picotls_main_t *pm = &picotls_main;
+ ptls_context_t *client_ptls_ctx = pm->client_ptls_ctx;
+ ptls_handshake_properties_t hsprop = { { { { NULL } } } };
+
+ session_t *tls_session = session_get_from_handle (ctx->tls_session_handle);
+ ptls_buffer_t hs_buf;
+
+ ptls_ctx->tls = ptls_new (client_ptls_ctx, 0);
+ if (ptls_ctx->tls == NULL)
+ {
+ TLS_DBG (1, "Failed to initialize ptls_ssl structure");
+ return -1;
+ }
+
+ ptls_ctx->rx_len = 0;
+ ptls_ctx->rx_offset = 0;
+ ptls_ctx->write_buffer_offset = 0;
+
+ ptls_buffer_init (&hs_buf, "", 0);
+ if (ptls_handshake (ptls_ctx->tls, &hs_buf, NULL, NULL, &hsprop) !=
+ PTLS_ERROR_IN_PROGRESS)
+ {
+ TLS_DBG (1, "Failed to initialize tls connection");
+ }
+
+ picotls_try_handshake_write (ptls_ctx, tls_session, &hs_buf);
+
+ ptls_buffer_dispose (&hs_buf);
+
+ return 0;
+}
+
tls_ctx_t *
picotls_ctx_get_w_thread (u32 ctx_index, u8 thread_index)
{
return &(*ctx)->ctx;
}
+int
+picotls_init_client_ptls_ctx (ptls_context_t **client_ptls_ctx)
+{
+ *client_ptls_ctx = clib_mem_alloc (sizeof (ptls_context_t));
+ memset (*client_ptls_ctx, 0, sizeof (ptls_context_t));
+
+ (*client_ptls_ctx)->update_open_count = NULL;
+ (*client_ptls_ctx)->key_exchanges = default_key_exchange;
+ (*client_ptls_ctx)->random_bytes = ptls_openssl_random_bytes;
+ (*client_ptls_ctx)->cipher_suites = ptls_vpp_crypto_cipher_suites;
+ (*client_ptls_ctx)->get_time = &ptls_get_time;
+
+ return 0;
+}
+
const static tls_engine_vft_t picotls_engine = {
.ctx_alloc = picotls_ctx_alloc,
.ctx_free = picotls_ctx_free,
.ctx_start_listen = picotls_start_listen,
.ctx_stop_listen = picotls_stop_listen,
.ctx_init_server = picotls_ctx_init_server,
+ .ctx_init_client = picotls_ctx_init_client,
.ctx_read = picotls_ctx_read,
.ctx_write = picotls_ctx_write,
.ctx_transport_close = picotls_transport_close,
vec_validate (pm->ctx_pool, num_threads - 1);
+ clib_rwlock_init (&picotls_main.crypto_keys_rw_lock);
+
tls_register_engine (&picotls_engine, CRYPTO_ENGINE_PICOTLS);
+ picotls_init_client_ptls_ctx (&pm->client_ptls_ctx);
+
return error;
}