X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvcl%2Fldp.c;h=e53a61e8e8c0c9e8809eef12692d57de18119132;hb=c298f3760228ad7846d40b6850a777ca5e5c5117;hp=338c091754b913c2180e9360be6f16a63d1eddca;hpb=2d9b427a5b20dcec3d2212a3a8a47c29b4acdd46;p=vpp.git

diff --git a/src/vcl/ldp.c b/src/vcl/ldp.c
index 338c091754b..e53a61e8e8c 100644
--- a/src/vcl/ldp.c
+++ b/src/vcl/ldp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Cisco and/or its affiliates.
+ * Copyright (c) 2016-2019 Cisco and/or its affiliates.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
@@ -99,6 +99,7 @@ typedef struct
   u32 vlsh_bit_val;
   u32 vlsh_bit_mask;
   u32 debug;
+  u8 transparent_tls;
 
   /** vcl needs next epoll_create to go to libc_epoll */
   u8 vcl_needs_real_epoll;
@@ -114,6 +115,7 @@ static ldp_main_t ldp_main = {
   .vlsh_bit_val = (1 << LDP_SID_BIT_MIN),
   .vlsh_bit_mask = (1 << LDP_SID_BIT_MIN) - 1,
   .debug = LDP_DEBUG_INIT,
+  .transparent_tls = 0,
 };
 
 static ldp_main_t *ldp = &ldp_main;
@@ -130,11 +132,8 @@ ldp_worker_get_current (void)
 static inline void
 ldp_set_app_name (char *app_name)
 {
-  int rv = snprintf (ldp->app_name, LDP_APP_NAME_MAX,
-		     "ldp-%d-%s", getpid (), app_name);
-
-  if (rv >= LDP_APP_NAME_MAX)
-    app_name[LDP_APP_NAME_MAX - 1] = 0;
+  snprintf (ldp->app_name, LDP_APP_NAME_MAX,
+	    "ldp-%d-%s", getpid (), app_name);
 }
 
 static inline char *
@@ -268,6 +267,11 @@ ldp_init (void)
 	  return -1;
 	}
     }
+  env_var_str = getenv (LDP_ENV_TLS_TRANS);
+  if (env_var_str)
+    {
+      ldp->transparent_tls = 1;
+    }
 
   /* *INDENT-OFF* */
   pool_foreach (ldpw, ldp->workers, ({
@@ -478,8 +482,13 @@ writev (int fd, const struct iovec * iov, int iovcnt)
   return size;
 }
 
+#ifdef HAVE_FCNTL64
+int
+fcntl64 (int fd, int cmd, ...)
+#else
 int
 fcntl (int fd, int cmd, ...)
+#endif
 {
   vls_handle_t vlsh;
   int rv = 0;
@@ -527,7 +536,11 @@ fcntl (int fd, int cmd, ...)
     }
   else
     {
+#ifdef HAVE_FCNTL64
+      rv = libc_vfcntl64 (fd, cmd, ap);
+#else
       rv = libc_vfcntl (fd, cmd, ap);
+#endif
     }
 
   va_end (ap);
@@ -870,6 +883,71 @@ pselect (int nfds, fd_set * __restrict readfds,
 }
 #endif
 
+/* If transparent TLS mode is turned on, then ldp will load key and cert.
+ */
+static int
+load_tls_cert (vls_handle_t vlsh)
+{
+  char *env_var_str = getenv (LDP_ENV_TLS_CERT);
+  char inbuf[4096];
+  char *tls_cert;
+  int cert_size;
+  FILE *fp;
+
+  if (env_var_str)
+    {
+      fp = fopen (env_var_str, "r");
+      if (fp == NULL)
+	{
+	  LDBG (0, "ERROR: failed to open cert file %s \n", env_var_str);
+	  return -1;
+	}
+      cert_size = fread (inbuf, sizeof (char), sizeof (inbuf), fp);
+      tls_cert = inbuf;
+      vppcom_session_tls_add_cert (vlsh_to_session_index (vlsh), tls_cert,
+				   cert_size);
+      fclose (fp);
+    }
+  else
+    {
+      LDBG (0, "ERROR: failed to read LDP environment %s\n",
+	    LDP_ENV_TLS_CERT);
+      return -1;
+    }
+  return 0;
+}
+
+static int
+load_tls_key (vls_handle_t vlsh)
+{
+  char *env_var_str = getenv (LDP_ENV_TLS_KEY);
+  char inbuf[4096];
+  char *tls_key;
+  int key_size;
+  FILE *fp;
+
+  if (env_var_str)
+    {
+      fp = fopen (env_var_str, "r");
+      if (fp == NULL)
+	{
+	  LDBG (0, "ERROR: failed to open key file %s \n", env_var_str);
+	  return -1;
+	}
+      key_size = fread (inbuf, sizeof (char), sizeof (inbuf), fp);
+      tls_key = inbuf;
+      vppcom_session_tls_add_key (vlsh_to_session_index (vlsh), tls_key,
+				  key_size);
+      fclose (fp);
+    }
+  else
+    {
+      LDBG (0, "ERROR: failed to read LDP environment %s\n", LDP_ENV_TLS_KEY);
+      return -1;
+    }
+  return 0;
+}
+
 int
 socket (int domain, int type, int protocol)
 {
@@ -883,8 +961,14 @@ socket (int domain, int type, int protocol)
   if (((domain == AF_INET) || (domain == AF_INET6)) &&
       ((sock_type == SOCK_STREAM) || (sock_type == SOCK_DGRAM)))
     {
-      u8 proto = ((sock_type == SOCK_DGRAM) ?
-		  VPPCOM_PROTO_UDP : VPPCOM_PROTO_TCP);
+      u8 proto;
+      if (ldp->transparent_tls)
+	{
+	  proto = VPPCOM_PROTO_TLS;
+	}
+      else
+	proto = ((sock_type == SOCK_DGRAM) ?
+		 VPPCOM_PROTO_UDP : VPPCOM_PROTO_TCP);
 
       LDBG (0, "calling vls_create: proto %u (%s), is_nonblocking %u",
 	    proto, vppcom_proto_str (proto), is_nonblocking);
@@ -897,6 +981,13 @@ socket (int domain, int type, int protocol)
 	}
       else
 	{
+	  if (ldp->transparent_tls)
+	    {
+	      if (load_tls_cert (vlsh) < 0 || load_tls_key (vlsh) < 0)
+		{
+		  return -1;
+		}
+	    }
 	  rv = ldp_vlsh_to_fd (vlsh);
 	}
     }
@@ -1837,6 +1928,7 @@ setsockopt (int fd, int level, int optname,
 			     (void *) optval, &optlen);
 	      break;
 	    case TCP_CONGESTION:
+	    case TCP_CORK:
 	      /* Ignore */
 	      rv = 0;
 	      break;
@@ -2389,8 +2481,11 @@ ldp_constructor (void)
 {
   swrap_constructor ();
   if (ldp_init () != 0)
-    fprintf (stderr, "\nLDP<%d>: ERROR: ldp_constructor: failed!\n",
-	     getpid ());
+    {
+      fprintf (stderr, "\nLDP<%d>: ERROR: ldp_constructor: failed!\n",
+	       getpid ());
+      _exit (1);
+    }
   else if (LDP_DEBUG > 0)
     clib_warning ("LDP<%d>: LDP constructor: done!\n", getpid ());
 }