X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Ftlspicotls%2Ftls_picotls.c;h=876836675be2b8c847553eca2cb9b33a6731e043;hb=1885f795ed16515eff389cc49c0b1a9611cf587e;hp=581814412c663c0e4c0bbaca5d179511a332f47b;hpb=6fe7b75f3503aea950577ab769fdf292f3707256;p=vpp.git diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c index 581814412c6..876836675be 100644 --- a/src/plugins/tlspicotls/tls_picotls.c +++ b/src/plugins/tlspicotls/tls_picotls.c @@ -1,14 +1,29 @@ #include -#include "certs.h" -#include "tls_picotls.h" -#include "pico_vpp_crypto.h" +#include +#include +#include picotls_main_t picotls_main; #define MAX_QUEUE 12000 #define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384 +static ptls_key_exchange_algorithm_t *default_key_exchange[] = { +#ifdef PTLS_OPENSSL_HAVE_X25519 + &ptls_openssl_x25519, +#endif +#ifdef PTLS_OPENSSL_HAVE_SECP256R1 + &ptls_openssl_secp256r1, +#endif +#ifdef PTLS_OPENSSL_HAVE_SECP384R1 + &ptls_openssl_secp384r1, +#endif +#ifdef PTLS_OPENSSL_HAVE_SECP521R1 + &ptls_openssl_secp521r1 +#endif +}; + static u32 picotls_ctx_alloc (void) { @@ -33,6 +48,7 @@ picotls_ctx_free (tls_ctx_t * ctx) { picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx; vec_free (ptls_ctx->rx_content); + ptls_free (ptls_ctx->tls); vec_free (ptls_ctx->write_content); pool_put_index (picotls_main.ctx_pool[ctx->c_thread_index], ptls_ctx->ptls_ctx_idx); @@ -113,20 +129,6 @@ picotls_start_listen (tls_ctx_t * lctx) ptls_context_t *ptls_ctx; u32 ptls_lctx_idx; app_cert_key_pair_t *ckpair; - static ptls_key_exchange_algorithm_t *key_exchange[] = { -#ifdef PTLS_OPENSSL_HAVE_X25519 - &ptls_openssl_x25519, -#endif -#ifdef PTLS_OPENSSL_HAVE_SECP256r1 - &ptls_openssl_secp256r1, -#endif -#ifdef PTLS_OPENSSL_HAVE_SECP384r1 - &ptls_openssl_secp384r1, -#endif -#ifdef PTLS_OPENSSL_HAVE_SECP521r1 - &ptls_openssl_secp521r1 -#endif - }; ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index); if (!ckpair || !ckpair->cert || !ckpair->key) @@ -151,7 +153,7 @@ picotls_start_listen (tls_ctx_t * lctx) load_bio_private_key (ptls_ctx, (char *) ckpair->key); /* setup protocol related functions */ - ptls_ctx->key_exchanges = key_exchange; + ptls_ctx->key_exchanges = default_key_exchange; ptls_ctx->random_bytes = ptls_openssl_random_bytes; ptls_ctx->cipher_suites = ptls_vpp_crypto_cipher_suites; ptls_ctx->get_time = &ptls_get_time; @@ -199,9 +201,7 @@ picotls_transport_close (tls_ctx_t * ctx) picotls_handle_handshake_failure (ctx); return 0; } - picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx; - ptls_free (ptls_ctx->tls); - session_transport_closed_notify (&ctx->connection); + session_transport_closing_notify (&ctx->connection); return 0; } @@ -220,158 +220,162 @@ picotls_app_close (tls_ctx_t * ctx) } static inline int -picotls_do_handshake (picotls_ctx_t * ptls_ctx, session_t * tls_session, - u8 * input, int input_len) +picotls_do_handshake (picotls_ctx_t *ptls_ctx, session_t *tcp_session) { + int rv = PTLS_ERROR_IN_PROGRESS, write = 0, i = 0, read = 0, len; + svm_fifo_t *tcp_rx_fifo = tcp_session->rx_fifo; + ptls_buffer_t *buf = &ptls_ctx->read_buffer; + const int n_segs = 2, max_len = 16384; ptls_t *tls = ptls_ctx->tls; - ptls_buffer_t buf; - int rv = PTLS_ERROR_IN_PROGRESS; - int write = 0, off; + svm_fifo_seg_t fs[n_segs]; + uword deq_now; + + ptls_buffer_init (buf, "", 0); + + len = svm_fifo_segments (tcp_rx_fifo, 0, fs, n_segs, max_len); + if (len <= 0) + return 0; - do + while (read < len && i < n_segs) { - off = 0; - do + deq_now = fs[i].len; + rv = ptls_handshake (tls, buf, fs[i].data, &deq_now, NULL); + + write += picotls_try_handshake_write (ptls_ctx, tcp_session, buf); + read += deq_now; + + if (!(rv == 0 || rv == PTLS_ERROR_IN_PROGRESS)) { - ptls_buffer_init (&buf, "", 0); - size_t consumed = input_len - off; - rv = ptls_handshake (tls, &buf, input + off, &consumed, NULL); - off += consumed; - ptls_ctx->rx_offset += consumed; - if ((rv == 0 || rv == PTLS_ERROR_IN_PROGRESS) && buf.off != 0) - { - write = picotls_try_handshake_write (ptls_ctx, tls_session, - &buf); - } - ptls_buffer_dispose (&buf); + clib_error ("unexpected error %u", rv); + break; + } + + if (!rv) + break; + + if (deq_now < fs[i].len) + { + fs[i].data += deq_now; + fs[i].len -= deq_now; } - while (rv == PTLS_ERROR_IN_PROGRESS && input_len != off); + else + i++; } - while (rv == PTLS_ERROR_IN_PROGRESS); + + if (read) + svm_fifo_dequeue_drop (tcp_rx_fifo, read); + + ptls_buffer_dispose (buf); return write; } static inline int -picotls_ctx_read (tls_ctx_t * ctx, session_t * tls_session) +picotls_ctx_read (tls_ctx_t *ctx, session_t *tcp_session) { picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx; - int from_tls_len = 0, off, crypto_len, ret; - u32 deq_max, deq_now; - u32 enq_max; ptls_buffer_t *buf = &ptls_ctx->read_buffer; - svm_fifo_t *tls_rx_fifo, *app_rx_fifo; + int off = 0, ret, i = 0, read = 0, len; + const int n_segs = 4, max_len = 32768; + svm_fifo_t *tcp_rx_fifo, *app_rx_fifo; + picotls_main_t *pm = &picotls_main; + svm_fifo_seg_t fs[n_segs]; session_t *app_session; + u32 thread_index; + uword deq_now; - tls_rx_fifo = tls_session->rx_fifo; - - if (!picotls_handshake_is_over (ctx)) + if (PREDICT_FALSE (!ptls_handshake_is_complete (ptls_ctx->tls))) { - deq_max = svm_fifo_max_dequeue_cons (tls_rx_fifo); - if (!deq_max) - goto done_hs; - - vec_validate (ptls_ctx->rx_content, deq_max); - ptls_ctx->rx_offset = 0; - ptls_ctx->rx_len = 0; - - off = svm_fifo_dequeue (tls_rx_fifo, deq_max, TLS_RX_LEN (ptls_ctx)); - from_tls_len += off; - ptls_ctx->rx_len += off; - - picotls_do_handshake (ptls_ctx, tls_session, TLS_RX_OFFSET (ptls_ctx), - from_tls_len); + picotls_do_handshake (ptls_ctx, tcp_session); if (picotls_handshake_is_over (ctx)) - tls_notify_app_accept (ctx); + { + if (ptls_is_server (ptls_ctx->tls)) + { + if (tls_notify_app_accept (ctx)) + { + ctx->c_s_index = SESSION_INVALID_INDEX; + tls_disconnect_transport (ctx); + return -1; + } + } + else + { + tls_notify_app_connected (ctx, SESSION_E_NONE); + } + } - done_hs: - if (!TLS_RX_IS_LEFT (ptls_ctx)) + if (!svm_fifo_max_dequeue (tcp_session->rx_fifo)) return 0; } + tcp_rx_fifo = tcp_session->rx_fifo; app_session = session_get_from_handle (ctx->app_session_handle); app_rx_fifo = app_session->rx_fifo; if (TLS_READ_IS_LEFT (ptls_ctx)) - goto enq_buf; + goto do_enq; - ptls_buffer_init (buf, "", 0); + len = svm_fifo_segments (tcp_rx_fifo, 0, fs, n_segs, max_len); + if (len <= 0) + goto final_checks; + + thread_index = ptls_ctx->ctx.c_thread_index; + vec_validate (pm->rx_bufs[thread_index], 2 * max_len); + ptls_buffer_init (buf, pm->rx_bufs[thread_index], 2 * max_len); ptls_ctx->read_buffer_offset = 0; - if (!TLS_RX_IS_LEFT (ptls_ctx)) + while (read < len && i < n_segs) { - deq_max = svm_fifo_max_dequeue_cons (tls_rx_fifo); - if (!deq_max) - goto app_fifo; - - deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (tls_rx_fifo)); - - if (PREDICT_FALSE (deq_now < deq_max)) + deq_now = fs[i].len; + ret = ptls_receive (ptls_ctx->tls, buf, fs[i].data, &deq_now); + ASSERT (ret == 0 || ret == PTLS_ERROR_IN_PROGRESS); + read += deq_now; + if (deq_now < fs[i].len) { - off = - svm_fifo_dequeue (tls_rx_fifo, deq_max, TLS_RX_LEN (ptls_ctx)); - from_tls_len += off; - ptls_ctx->rx_len += off; + fs[i].data += deq_now; + fs[i].len -= deq_now; } else - { - ret = - ptls_receive (ptls_ctx->tls, buf, svm_fifo_head (tls_rx_fifo), - (size_t *) & deq_now); - svm_fifo_dequeue_drop (tls_rx_fifo, deq_now); - goto enq_buf; - } + i++; } -app_fifo: - - enq_max = svm_fifo_max_enqueue_prod (app_rx_fifo); - if (!enq_max) - goto final; - - crypto_len = clib_min (enq_max, TLS_RX_LEFT_LEN (ptls_ctx)); - off = 0; + if (read) + svm_fifo_dequeue_drop (tcp_rx_fifo, read); - do + if (!TLS_READ_LEFT_LEN (ptls_ctx)) { - size_t consumed = crypto_len - off; - ret = - ptls_receive (ptls_ctx->tls, buf, - TLS_RX_OFFSET (ptls_ctx), &consumed); - off += consumed; - ptls_ctx->rx_offset += off; + ptls_buffer_dispose (buf); + goto final_checks; } - while (ret == 0 && off < crypto_len); -enq_buf: +do_enq: - off = - svm_fifo_enqueue (app_rx_fifo, TLS_READ_LEFT_LEN (ptls_ctx), - TLS_READ_OFFSET (ptls_ctx)); - if (off < 0) + len = TLS_READ_LEFT_LEN (ptls_ctx); + off = svm_fifo_enqueue (app_rx_fifo, len, TLS_READ_OFFSET (ptls_ctx)); + if (off != len) { - tls_add_vpp_q_builtin_rx_evt (tls_session); - return 0; + if (off < 0) + { + off = 0; + goto final_checks; + } + ptls_ctx->read_buffer_offset += off; } - - ptls_ctx->read_buffer_offset += off; - if (!TLS_RX_IS_LEFT (ptls_ctx)) + else { - ptls_ctx->rx_len = 0; - ptls_ctx->rx_offset = 0; + buf->off = 0; + ptls_ctx->read_buffer_offset = 0; } -final: - ptls_buffer_dispose (buf); - if (app_session->session_state >= SESSION_STATE_READY) tls_notify_app_enqueue (ctx, app_session); - if (TLS_RX_IS_LEFT (ptls_ctx) || TLS_READ_IS_LEFT (ptls_ctx) - || svm_fifo_max_dequeue (tls_rx_fifo)) - tls_add_vpp_q_builtin_rx_evt (tls_session); +final_checks: + + if (TLS_READ_IS_LEFT (ptls_ctx) || svm_fifo_max_dequeue (tcp_rx_fifo)) + tls_add_vpp_q_builtin_rx_evt (tcp_session); - return from_tls_len; + return off; } static inline int @@ -452,15 +456,14 @@ picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session, ptls_buffer_init (&ptls_ctx->write_buffer, "", 0); ptls_ctx->write_buffer_offset = 0; } - } deq_max = svm_fifo_max_dequeue_cons (app_tx_fifo); if (!deq_max) return deq_max; - deq_max = clib_min (deq_max, sp->max_burst_size); - deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (app_tx_fifo)); + deq_now = clib_min (deq_max, sp->max_burst_size); + deq_now = clib_min (deq_now, svm_fifo_max_read_chunk (app_tx_fifo)); enq_max = svm_fifo_max_enqueue_prod (tls_tx_fifo); /** There is no engough enqueue space for one record **/ @@ -514,7 +517,7 @@ picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session, if (ctx->app_closed) picotls_app_close (ctx); - return 0; + return to_tls_len; } static int @@ -539,6 +542,42 @@ picotls_ctx_init_server (tls_ctx_t * ctx) return 0; } +static int +picotls_ctx_init_client (tls_ctx_t *ctx) +{ + picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx; + picotls_main_t *pm = &picotls_main; + ptls_context_t *client_ptls_ctx = pm->client_ptls_ctx; + ptls_handshake_properties_t hsprop = { { { { NULL } } } }; + + session_t *tls_session = session_get_from_handle (ctx->tls_session_handle); + ptls_buffer_t hs_buf; + + ptls_ctx->tls = ptls_new (client_ptls_ctx, 0); + if (ptls_ctx->tls == NULL) + { + TLS_DBG (1, "Failed to initialize ptls_ssl structure"); + return -1; + } + + ptls_ctx->rx_len = 0; + ptls_ctx->rx_offset = 0; + ptls_ctx->write_buffer_offset = 0; + + ptls_buffer_init (&hs_buf, "", 0); + if (ptls_handshake (ptls_ctx->tls, &hs_buf, NULL, NULL, &hsprop) != + PTLS_ERROR_IN_PROGRESS) + { + TLS_DBG (1, "Failed to initialize tls connection"); + } + + picotls_try_handshake_write (ptls_ctx, tls_session, &hs_buf); + + ptls_buffer_dispose (&hs_buf); + + return 0; +} + tls_ctx_t * picotls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) { @@ -547,6 +586,21 @@ picotls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) return &(*ctx)->ctx; } +int +picotls_init_client_ptls_ctx (ptls_context_t **client_ptls_ctx) +{ + *client_ptls_ctx = clib_mem_alloc (sizeof (ptls_context_t)); + memset (*client_ptls_ctx, 0, sizeof (ptls_context_t)); + + (*client_ptls_ctx)->update_open_count = NULL; + (*client_ptls_ctx)->key_exchanges = default_key_exchange; + (*client_ptls_ctx)->random_bytes = ptls_openssl_random_bytes; + (*client_ptls_ctx)->cipher_suites = ptls_vpp_crypto_cipher_suites; + (*client_ptls_ctx)->get_time = &ptls_get_time; + + return 0; +} + const static tls_engine_vft_t picotls_engine = { .ctx_alloc = picotls_ctx_alloc, .ctx_free = picotls_ctx_free, @@ -556,6 +610,7 @@ const static tls_engine_vft_t picotls_engine = { .ctx_start_listen = picotls_start_listen, .ctx_stop_listen = picotls_stop_listen, .ctx_init_server = picotls_ctx_init_server, + .ctx_init_client = picotls_ctx_init_client, .ctx_read = picotls_ctx_read, .ctx_write = picotls_ctx_write, .ctx_transport_close = picotls_transport_close, @@ -573,9 +628,13 @@ tls_picotls_init (vlib_main_t * vm) num_threads = 1 + vtm->n_threads; vec_validate (pm->ctx_pool, num_threads - 1); + vec_validate (pm->rx_bufs, num_threads - 1); + clib_rwlock_init (&picotls_main.crypto_keys_rw_lock); tls_register_engine (&picotls_engine, CRYPTO_ENGINE_PICOTLS); + picotls_init_client_ptls_ctx (&pm->client_ptls_ctx); + return error; }