X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Ftlsmbedtls%2Ftls_mbedtls.c;h=3fccba2ec5a1611b9b6f421751de76057d208dbc;hb=4c4223edf;hp=52d124eb84eeeba488dfcbab69a5d9412485ccfa;hpb=b7b929931a07fbb27b43d5cd105f366c3e29807e;p=vpp.git diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c index 52d124eb84e..3fccba2ec5a 100644 --- a/src/plugins/tlsmbedtls/tls_mbedtls.c +++ b/src/plugins/tlsmbedtls/tls_mbedtls.c @@ -80,7 +80,7 @@ mbedtls_ctx_alloc (void) clib_memset (*ctx, 0, sizeof (mbedtls_ctx_t)); (*ctx)->ctx.c_thread_index = thread_index; - (*ctx)->ctx.tls_ctx_engine = TLS_ENGINE_MBEDTLS; + (*ctx)->ctx.tls_ctx_engine = CRYPTO_ENGINE_MBEDTLS; (*ctx)->mbedtls_ctx_index = ctx - tm->ctx_pool[thread_index]; return ((*ctx)->mbedtls_ctx_index); } @@ -100,6 +100,7 @@ mbedtls_ctx_free (tls_ctx_t * ctx) mbedtls_ssl_free (&mc->ssl); mbedtls_ssl_config_free (&mc->conf); + vec_free (ctx->srv_hostname); pool_put_index (mbedtls_main.ctx_pool[ctx->c_thread_index], mc->mbedtls_ctx_index); } @@ -158,7 +159,7 @@ tls_get_ctr_drbg () static int tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len) { - stream_session_t *tls_session; + session_t *tls_session; uword ctx_index; tls_ctx_t *ctx; int rv; @@ -166,7 +167,7 @@ tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len) ctx_index = pointer_to_uword (ctx_indexp); ctx = mbedtls_ctx_get (ctx_index); tls_session = session_get_from_handle (ctx->tls_session_handle); - rv = svm_fifo_enqueue_nowait (tls_session->server_tx_fifo, len, buf); + rv = svm_fifo_enqueue (tls_session->tx_fifo, len, buf); if (rv < 0) return MBEDTLS_ERR_SSL_WANT_WRITE; tls_add_vpp_q_tx_evt (tls_session); @@ -176,7 +177,7 @@ tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len) static int tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len) { - stream_session_t *tls_session; + session_t *tls_session; uword ctx_index; tls_ctx_t *ctx; int rv; @@ -184,7 +185,7 @@ tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len) ctx_index = pointer_to_uword (ctx_indexp); ctx = mbedtls_ctx_get (ctx_index); tls_session = session_get_from_handle (ctx->tls_session_handle); - rv = svm_fifo_dequeue_nowait (tls_session->server_rx_fifo, len, buf); + rv = svm_fifo_dequeue (tls_session->rx_fifo, len, buf); return (rv < 0) ? 0 : rv; } @@ -275,7 +276,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; mbedtls_main_t *mm = &mbedtls_main; - application_t *app; + app_cert_key_pair_t *ckpair; void *ctx_ptr; int rv; @@ -287,17 +288,20 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) /* * 1. Cert */ - app = application_get (ctx->parent_app_index); - if (!app->tls_cert || !app->tls_key) + ckpair = app_cert_key_pair_get_if_valid (ctx->ckpair_index); + if (!ckpair) + return -1; + + if (!ckpair->cert || !ckpair->key) { TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d", - ctx->parent_app_index); + ctx->parent_app_wrk_index); return -1; } rv = mbedtls_x509_crt_parse (&mc->srvcert, - (const unsigned char *) app->tls_cert, - vec_len (app->tls_cert)); + (const unsigned char *) ckpair->cert, + vec_len (ckpair->cert)); if (rv != 0) { TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv); @@ -305,8 +309,8 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) } rv = mbedtls_pk_parse_key (&mc->pkey, - (const unsigned char *) app->tls_key, - vec_len (app->tls_key), NULL, 0); + (const unsigned char *) ckpair->key, + vec_len (ckpair->key), NULL, 0); if (rv != 0) { TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv); @@ -410,11 +414,11 @@ mbedtls_ctx_handshake_rx (tls_ctx_t * ctx) */ if (ctx->srv_hostname) { - tls_notify_app_connected (ctx, /* is failed */ 0); + tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE); return -1; } } - tls_notify_app_connected (ctx, /* is failed */ 0); + tls_notify_app_connected (ctx, SESSION_E_NONE); } else { @@ -427,60 +431,61 @@ mbedtls_ctx_handshake_rx (tls_ctx_t * ctx) } static int -mbedtls_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session) +mbedtls_ctx_write (tls_ctx_t * ctx, session_t * app_session, + transport_send_params_t * sp) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; u8 thread_index = ctx->c_thread_index; mbedtls_main_t *mm = &mbedtls_main; u32 enq_max, deq_max, deq_now; - stream_session_t *tls_session; + session_t *tls_session; int wrote; ASSERT (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER); - deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo); + deq_max = svm_fifo_max_dequeue_cons (app_session->tx_fifo); if (!deq_max) return 0; + deq_max = clib_min (deq_max, sp->max_burst_size); tls_session = session_get_from_handle (ctx->tls_session_handle); - enq_max = svm_fifo_max_enqueue (tls_session->server_tx_fifo); + enq_max = svm_fifo_max_enqueue_prod (tls_session->tx_fifo); deq_now = clib_min (deq_max, TLS_CHUNK_SIZE); if (PREDICT_FALSE (enq_max == 0)) { - tls_add_vpp_q_builtin_tx_evt (app_session); + app_session->flags |= SESSION_F_CUSTOM_TX; return 0; } vec_validate (mm->tx_bufs[thread_index], deq_now); - svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now, - mm->tx_bufs[thread_index]); + svm_fifo_peek (app_session->tx_fifo, 0, deq_now, mm->tx_bufs[thread_index]); wrote = mbedtls_ssl_write (&mc->ssl, mm->tx_bufs[thread_index], deq_now); if (wrote <= 0) { - tls_add_vpp_q_builtin_tx_evt (app_session); + app_session->flags |= SESSION_F_CUSTOM_TX; return 0; } - svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote); + svm_fifo_dequeue_drop (app_session->tx_fifo, wrote); vec_reset_length (mm->tx_bufs[thread_index]); tls_add_vpp_q_tx_evt (tls_session); if (deq_now < deq_max) - tls_add_vpp_q_builtin_tx_evt (app_session); + app_session->flags |= SESSION_F_CUSTOM_TX; return 0; } static int -mbedtls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) +mbedtls_ctx_read (tls_ctx_t * ctx, session_t * tls_session) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; mbedtls_main_t *mm = &mbedtls_main; u8 thread_index = ctx->c_thread_index; u32 deq_max, enq_max, enq_now; - stream_session_t *app_session; + session_t *app_session; int read, enq; if (PREDICT_FALSE (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)) @@ -489,12 +494,12 @@ mbedtls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) return 0; } - deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo); + deq_max = svm_fifo_max_dequeue_cons (tls_session->rx_fifo); if (!deq_max) return 0; app_session = session_get_from_handle (ctx->app_session_handle); - enq_max = svm_fifo_max_enqueue (app_session->server_rx_fifo); + enq_max = svm_fifo_max_enqueue_prod (app_session->rx_fifo); enq_now = clib_min (enq_max, TLS_CHUNK_SIZE); if (PREDICT_FALSE (enq_now == 0)) @@ -511,12 +516,12 @@ mbedtls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) return 0; } - enq = svm_fifo_enqueue_nowait (app_session->server_rx_fifo, read, - mm->rx_bufs[thread_index]); + enq = svm_fifo_enqueue (app_session->rx_fifo, read, + mm->rx_bufs[thread_index]); ASSERT (enq == read); vec_reset_length (mm->rx_bufs[thread_index]); - if (svm_fifo_max_dequeue (tls_session->server_rx_fifo)) + if (svm_fifo_max_dequeue_cons (tls_session->rx_fifo)) tls_add_vpp_q_builtin_rx_evt (tls_session); if (enq > 0) @@ -532,6 +537,27 @@ mbedtls_handshake_is_over (tls_ctx_t * ctx) return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER); } +static int +mbedtls_transport_close (tls_ctx_t * ctx) +{ + if (!mbedtls_handshake_is_over (ctx)) + { + session_close (session_get_from_handle (ctx->tls_session_handle)); + return 0; + } + session_transport_closing_notify (&ctx->connection); + return 0; +} + +static int +mbedtls_app_close (tls_ctx_t * ctx) +{ + tls_disconnect_transport (ctx); + session_transport_delete_notify (&ctx->connection); + mbedtls_ctx_free (ctx); + return 0; +} + const static tls_engine_vft_t mbedtls_engine = { .ctx_alloc = mbedtls_ctx_alloc, .ctx_free = mbedtls_ctx_free, @@ -544,6 +570,8 @@ const static tls_engine_vft_t mbedtls_engine = { .ctx_handshake_is_over = mbedtls_handshake_is_over, .ctx_start_listen = mbedtls_start_listen, .ctx_stop_listen = mbedtls_stop_listen, + .ctx_transport_close = mbedtls_transport_close, + .ctx_app_close = mbedtls_app_close, }; int @@ -607,14 +635,10 @@ tls_mbedtls_init (vlib_main_t * vm) { vlib_thread_main_t *vtm = vlib_get_thread_main (); mbedtls_main_t *mm = &mbedtls_main; - clib_error_t *error; u32 num_threads; num_threads = 1 /* main thread */ + vtm->n_threads; - if ((error = vlib_call_init_function (vm, tls_init))) - return error; - if (tls_init_ca_chain ()) { clib_warning ("failed to initialize TLS CA chain"); @@ -635,16 +659,21 @@ tls_mbedtls_init (vlib_main_t * vm) vec_validate (mm->rx_bufs, num_threads - 1); vec_validate (mm->tx_bufs, num_threads - 1); - tls_register_engine (&mbedtls_engine, TLS_ENGINE_MBEDTLS); + tls_register_engine (&mbedtls_engine, CRYPTO_ENGINE_MBEDTLS); return 0; } -VLIB_INIT_FUNCTION (tls_mbedtls_init); +/* *INDENT-OFF* */ +VLIB_INIT_FUNCTION (tls_mbedtls_init) = +{ + .runs_after = VLIB_INITS("tls_init"), +}; +/* *INDENT-ON* */ /* *INDENT-OFF* */ VLIB_PLUGIN_REGISTER () = { .version = VPP_BUILD_VER, - .description = "mbedtls based TLS Engine", + .description = "Transport Layer Security (TLS) Engine, Mbedtls Based", }; /* *INDENT-ON* */