session/application_interface.c
session/application_local.c
session/application_namespace.c
+ session/application_crypto.c
session/segment_manager.c
session/session_api.c
session/session_sdl.c
session/application_eventing.h
session/application_local.h
session/application_namespace.h
+ session/application_crypto.h
session/session_debug.h
session/segment_manager.h
session/mma_template.h
#include <vnet/session/application_namespace.h>
#include <vnet/session/application_local.h>
#include <vnet/session/application_eventing.h>
+#include <vnet/session/application_crypto.h>
#include <vnet/session/session.h>
#include <vnet/session/segment_manager.h>
}
}
-u8 *
-format_cert_key_pair (u8 * s, va_list * args)
-{
- app_cert_key_pair_t *ckpair = va_arg (*args, app_cert_key_pair_t *);
- int key_len = 0, cert_len = 0;
- cert_len = vec_len (ckpair->cert);
- key_len = vec_len (ckpair->key);
- if (ckpair->cert_key_index == 0)
- s = format (s, "DEFAULT (cert:%d, key:%d)", cert_len, key_len);
- else
- s = format (s, "%d (cert:%d, key:%d)", ckpair->cert_key_index,
- cert_len, key_len);
- return s;
-}
-
-u8 *
-format_crypto_engine (u8 * s, va_list * args)
-{
- u32 engine = va_arg (*args, u32);
- switch (engine)
- {
- case CRYPTO_ENGINE_NONE:
- return format (s, "none");
- case CRYPTO_ENGINE_MBEDTLS:
- return format (s, "mbedtls");
- case CRYPTO_ENGINE_OPENSSL:
- return format (s, "openssl");
- case CRYPTO_ENGINE_PICOTLS:
- return format (s, "picotls");
- case CRYPTO_ENGINE_VPP:
- return format (s, "vpp");
- default:
- return format (s, "unknown engine");
- }
- return s;
-}
-
-uword
-unformat_crypto_engine (unformat_input_t * input, va_list * args)
-{
- u8 *a = va_arg (*args, u8 *);
- if (unformat (input, "mbedtls"))
- *a = CRYPTO_ENGINE_MBEDTLS;
- else if (unformat (input, "openssl"))
- *a = CRYPTO_ENGINE_OPENSSL;
- else if (unformat (input, "picotls"))
- *a = CRYPTO_ENGINE_PICOTLS;
- else if (unformat (input, "vpp"))
- *a = CRYPTO_ENGINE_VPP;
- else
- return 0;
- return 1;
-}
-
u8 *
format_crypto_context (u8 * s, va_list * args)
{
crypto_context_t *crctx = va_arg (*args, crypto_context_t *);
s = format (s, "[0x%x][sub%d,ckpair%x]", crctx->ctx_index,
crctx->n_subscribers, crctx->ckpair_index);
- s = format (s, "[%U]", format_crypto_engine, crctx->crypto_engine);
+ s = format (s, "[engine:%U]", format_crypto_engine, crctx->crypto_engine);
return s;
}
}
}
-static clib_error_t *
-show_certificate_command_fn (vlib_main_t * vm, unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- app_cert_key_pair_t *ckpair;
- session_cli_return_if_not_enabled ();
-
- pool_foreach (ckpair, app_main.cert_key_pair_store) {
- vlib_cli_output (vm, "%U", format_cert_key_pair, ckpair);
- }
- return 0;
-}
-
static inline void
appliction_format_app_mq (vlib_main_t * vm, application_t * app)
{
return 0;
}
-/* Certificate store */
-
-static app_cert_key_pair_t *
-app_cert_key_pair_alloc ()
-{
- app_cert_key_pair_t *ckpair;
- pool_get (app_main.cert_key_pair_store, ckpair);
- clib_memset (ckpair, 0, sizeof (*ckpair));
- ckpair->cert_key_index = ckpair - app_main.cert_key_pair_store;
- return ckpair;
-}
-
-app_cert_key_pair_t *
-app_cert_key_pair_get_if_valid (u32 index)
-{
- if (pool_is_free_index (app_main.cert_key_pair_store, index))
- return 0;
- return app_cert_key_pair_get (index);
-}
-
-app_cert_key_pair_t *
-app_cert_key_pair_get (u32 index)
-{
- return pool_elt_at_index (app_main.cert_key_pair_store, index);
-}
-
-app_cert_key_pair_t *
-app_cert_key_pair_get_default ()
-{
- /* To maintain legacy bapi */
- return app_cert_key_pair_get (0);
-}
-
-int
-vnet_app_add_cert_key_pair (vnet_app_add_cert_key_pair_args_t * a)
-{
- app_cert_key_pair_t *ckpair = app_cert_key_pair_alloc ();
- vec_validate (ckpair->cert, a->cert_len - 1);
- clib_memcpy_fast (ckpair->cert, a->cert, a->cert_len);
- vec_validate (ckpair->key, a->key_len - 1);
- clib_memcpy_fast (ckpair->key, a->key, a->key_len);
- a->index = ckpair->cert_key_index;
- return 0;
-}
-
-int
-vnet_app_add_cert_key_interest (u32 index, u32 app_index)
-{
- app_cert_key_pair_t *ckpair;
- if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
- return -1;
- if (vec_search (ckpair->app_interests, app_index) != ~0)
- vec_add1 (ckpair->app_interests, app_index);
- return 0;
-}
-
-int
-vnet_app_del_cert_key_pair (u32 index)
-{
- app_cert_key_pair_t *ckpair;
- application_t *app;
- u32 *app_index;
-
- if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
- return SESSION_E_INVALID;
-
- vec_foreach (app_index, ckpair->app_interests)
- {
- if ((app = application_get_if_valid (*app_index))
- && app->cb_fns.app_cert_key_pair_delete_callback)
- app->cb_fns.app_cert_key_pair_delete_callback (ckpair);
- }
-
- vec_free (ckpair->cert);
- vec_free (ckpair->key);
- pool_put (app_main.cert_key_pair_store, ckpair);
- return 0;
-}
-
clib_error_t *
application_init (vlib_main_t * vm)
{
u32 n_workers;
n_workers = vlib_num_workers ();
-
- /* Index 0 was originally used by legacy apis, maintain as invalid */
- (void) app_cert_key_pair_alloc ();
- am->last_crypto_engine = CRYPTO_ENGINE_LAST;
+ vec_validate (am->wrk, n_workers);
am->app_by_name = hash_create_vec (0, sizeof (u8), sizeof (uword));
- vec_validate (am->wrk, n_workers);
+ application_crypto_init ();
return 0;
}
.function = show_app_command_fn,
};
-VLIB_CLI_COMMAND (show_certificate_command, static) = {
- .path = "show app certificate",
- .short_help = "list app certs and keys present in store",
- .function = show_certificate_command_fn,
-};
-
-crypto_engine_type_t
-app_crypto_engine_type_add (void)
-{
- return (++app_main.last_crypto_engine);
-}
-
-u8
-app_crypto_engine_n_types (void)
-{
- return (app_main.last_crypto_engine + 1);
-}
-
/*
* fd.io coding-style-patch-verification: ON
*
*/
uword *app_by_name;
- /**
- * Pool from which we allocate certificates (key, cert)
- */
- app_cert_key_pair_t *cert_key_pair_store;
-
- /*
- * Last registered crypto engine type
- */
- crypto_engine_type_t last_crypto_engine;
-
/**
* App sublayer per-worker state
*/
u8 transport_proto);
void app_worker_del_detached_sm (app_worker_t * app_wrk, u32 sm_index);
u8 *format_app_worker (u8 * s, va_list * args);
-u8 *format_app_worker_listener (u8 * s, va_list * args);
-u8 *format_crypto_engine (u8 * s, va_list * args);
+u8 *format_app_worker_listener (u8 *s, va_list *args);
u8 *format_crypto_context (u8 * s, va_list * args);
void app_worker_format_connects (app_worker_t * app_wrk, int verbose);
session_error_t vnet_app_worker_add_del (vnet_app_worker_add_del_args_t *a);
uword unformat_application_proto (unformat_input_t * input, va_list * args);
-app_cert_key_pair_t *app_cert_key_pair_get (u32 index);
-app_cert_key_pair_t *app_cert_key_pair_get_if_valid (u32 index);
-app_cert_key_pair_t *app_cert_key_pair_get_default ();
-
void sapi_socket_close_w_handle (u32 api_handle);
-crypto_engine_type_t app_crypto_engine_type_add (void);
-u8 app_crypto_engine_n_types (void);
-
static inline u8
app_worker_application_is_builtin (app_worker_t *app_wrk)
{
--- /dev/null
+/* SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) 2025 Cisco Systems, Inc.
+ */
+
+#include <vnet/session/application.h>
+#include <vnet/session/application_interface.h>
+#include <vnet/session/session.h>
+
+typedef struct app_crypto_main_
+{
+ crypto_engine_type_t last_crypto_engine; /* Last crypto engine type used */
+ app_cert_key_pair_t *cert_key_pair_store; /* Pool of cert/key pairs */
+} app_crypto_main_t;
+
+static app_crypto_main_t app_crypto_main;
+
+static app_cert_key_pair_t *
+app_cert_key_pair_alloc ()
+{
+ app_cert_key_pair_t *ckpair;
+ pool_get (app_crypto_main.cert_key_pair_store, ckpair);
+ clib_memset (ckpair, 0, sizeof (*ckpair));
+ ckpair->cert_key_index = ckpair - app_crypto_main.cert_key_pair_store;
+ return ckpair;
+}
+
+app_cert_key_pair_t *
+app_cert_key_pair_get (u32 index)
+{
+ return pool_elt_at_index (app_crypto_main.cert_key_pair_store, index);
+}
+
+app_cert_key_pair_t *
+app_cert_key_pair_get_if_valid (u32 index)
+{
+ if (pool_is_free_index (app_crypto_main.cert_key_pair_store, index))
+ return 0;
+ return app_cert_key_pair_get (index);
+}
+
+app_cert_key_pair_t *
+app_cert_key_pair_get_default ()
+{
+ /* To maintain legacy bapi */
+ return app_cert_key_pair_get (0);
+}
+
+int
+vnet_app_add_cert_key_pair (vnet_app_add_cert_key_pair_args_t *a)
+{
+ app_cert_key_pair_t *ckpair = app_cert_key_pair_alloc ();
+ vec_validate (ckpair->cert, a->cert_len - 1);
+ clib_memcpy_fast (ckpair->cert, a->cert, a->cert_len);
+ vec_validate (ckpair->key, a->key_len - 1);
+ clib_memcpy_fast (ckpair->key, a->key, a->key_len);
+ a->index = ckpair->cert_key_index;
+ return 0;
+}
+
+int
+vnet_app_add_cert_key_interest (u32 index, u32 app_index)
+{
+ app_cert_key_pair_t *ckpair;
+ if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
+ return -1;
+ if (vec_search (ckpair->app_interests, app_index) != ~0)
+ vec_add1 (ckpair->app_interests, app_index);
+ return 0;
+}
+
+int
+vnet_app_del_cert_key_pair (u32 index)
+{
+ app_cert_key_pair_t *ckpair;
+ application_t *app;
+ u32 *app_index;
+
+ if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
+ return SESSION_E_INVALID;
+
+ vec_foreach (app_index, ckpair->app_interests)
+ {
+ if ((app = application_get_if_valid (*app_index)) &&
+ app->cb_fns.app_cert_key_pair_delete_callback)
+ app->cb_fns.app_cert_key_pair_delete_callback (ckpair);
+ }
+
+ vec_free (ckpair->cert);
+ vec_free (ckpair->key);
+ pool_put (app_crypto_main.cert_key_pair_store, ckpair);
+ return 0;
+}
+
+u8 *
+format_cert_key_pair (u8 *s, va_list *args)
+{
+ app_cert_key_pair_t *ckpair = va_arg (*args, app_cert_key_pair_t *);
+ int key_len = 0, cert_len = 0;
+ cert_len = vec_len (ckpair->cert);
+ key_len = vec_len (ckpair->key);
+ if (ckpair->cert_key_index == 0)
+ s = format (s, "DEFAULT (cert:%d, key:%d)", cert_len, key_len);
+ else
+ s = format (s, "%d (cert:%d, key:%d)", ckpair->cert_key_index, cert_len,
+ key_len);
+ return s;
+}
+
+static clib_error_t *
+show_certificate_command_fn (vlib_main_t *vm, unformat_input_t *input,
+ vlib_cli_command_t *cmd)
+{
+ app_cert_key_pair_t *ckpair;
+ session_cli_return_if_not_enabled ();
+
+ pool_foreach (ckpair, app_crypto_main.cert_key_pair_store)
+ {
+ vlib_cli_output (vm, "%U", format_cert_key_pair, ckpair);
+ }
+ return 0;
+}
+
+VLIB_CLI_COMMAND (show_certificate_command, static) = {
+ .path = "show app certificate",
+ .short_help = "list app certs and keys present in store",
+ .function = show_certificate_command_fn,
+};
+
+crypto_engine_type_t
+app_crypto_engine_type_add (void)
+{
+ return (++app_crypto_main.last_crypto_engine);
+}
+
+u8 *
+format_crypto_engine (u8 *s, va_list *args)
+{
+ u32 engine = va_arg (*args, u32);
+ switch (engine)
+ {
+ case CRYPTO_ENGINE_NONE:
+ return format (s, "none");
+ case CRYPTO_ENGINE_MBEDTLS:
+ return format (s, "mbedtls");
+ case CRYPTO_ENGINE_OPENSSL:
+ return format (s, "openssl");
+ case CRYPTO_ENGINE_PICOTLS:
+ return format (s, "picotls");
+ case CRYPTO_ENGINE_VPP:
+ return format (s, "vpp");
+ default:
+ return format (s, "unknown engine");
+ }
+ return s;
+}
+
+uword
+unformat_crypto_engine (unformat_input_t *input, va_list *args)
+{
+ u8 *a = va_arg (*args, u8 *);
+ if (unformat (input, "mbedtls"))
+ *a = CRYPTO_ENGINE_MBEDTLS;
+ else if (unformat (input, "openssl"))
+ *a = CRYPTO_ENGINE_OPENSSL;
+ else if (unformat (input, "picotls"))
+ *a = CRYPTO_ENGINE_PICOTLS;
+ else if (unformat (input, "vpp"))
+ *a = CRYPTO_ENGINE_VPP;
+ else
+ return 0;
+ return 1;
+}
+
+u8
+app_crypto_engine_n_types (void)
+{
+ return (app_crypto_main.last_crypto_engine + 1);
+}
+
+clib_error_t *
+application_crypto_init ()
+{
+ app_crypto_main_t *acm = &app_crypto_main;
+
+ /* Index 0 was originally used by legacy apis, maintain as invalid */
+ app_cert_key_pair_alloc ();
+
+ acm->last_crypto_engine = CRYPTO_ENGINE_LAST;
+ return 0;
+}
+
+VLIB_INIT_FUNCTION (application_crypto_init);
\ No newline at end of file
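Review bot: application_crypto_init is registered with VLIB_INIT_FUNCTION on the last line of this file and is also called directly from application_init in application.c (the `+ application_crypto_init ();` line of that hunk), so on the new side it appears to run twice: the store then holds two placeholder pairs instead of the single reserved index 0, and the second run resets last_crypto_engine to CRYPTO_ENGINE_LAST, discarding any engine type a plugin registered through app_crypto_engine_type_add in between. Keep one of the two entry points, or make the body idempotent with an early `if (acm->cert_key_pair_store) return 0;`. Two issues carried over verbatim from application.c are worth fixing while the code moves: vnet_app_add_cert_key_interest only records an interest when vec_search already finds it (`!= ~0` should read `== ~0`), so the delete callback is never registered on the first call, and vnet_app_del_cert_key_pair frees the key vector without wiping it and never frees app_interests. `clib_memset (ckpair->key, 0, vec_len (ckpair->key));` before `vec_free (ckpair->key);` plus `vec_free (ckpair->app_interests);` would close both, with the caveat that a plain memset before free may be elided by the compiler and a dedicated secure wipe is preferable if the code base has one. Separately, `vec_validate (ckpair->cert, a->cert_len - 1)` underflows to a huge index when an API caller passes cert_len or key_len of 0; a zero-length guard returning an error before the allocations would bound that input.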
--- /dev/null
+/* SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) 2025 Cisco Systems, Inc.
+ */
+
+#ifndef SRC_VNET_SESSION_APPLICATION_CRYPTO_H_
+#define SRC_VNET_SESSION_APPLICATION_CRYPTO_H_
+
+#include <vnet/tls/tls_test.h>
+
+typedef struct certificate_
+{
+ u32 *app_interests; /* vec of application index asking for deletion cb */
+ u32 cert_key_index; /* index in cert & key pool */
+ u8 *key;
+ u8 *cert;
+} app_cert_key_pair_t;
+
+typedef enum crypto_engine_type_
+{
+ CRYPTO_ENGINE_NONE,
+ CRYPTO_ENGINE_OPENSSL,
+ CRYPTO_ENGINE_MBEDTLS,
+ CRYPTO_ENGINE_VPP,
+ CRYPTO_ENGINE_PICOTLS,
+ CRYPTO_ENGINE_LAST = CRYPTO_ENGINE_PICOTLS,
+} crypto_engine_type_t;
+
+typedef struct _vnet_app_add_cert_key_pair_args_
+{
+ u8 *cert;
+ u8 *key;
+ u32 cert_len;
+ u32 key_len;
+ u32 index;
+} vnet_app_add_cert_key_pair_args_t;
+
+typedef struct crypto_ctx_
+{
+ u32 ctx_index; /**< index in crypto context pool */
+ u32 n_subscribers; /**< refcount of sessions using said context */
+ u32 ckpair_index; /**< certificate & key */
+ u8 crypto_engine;
+ void *data; /**< protocol specific data */
+} crypto_context_t;
+
+/*
+ * Certificate key-pair management
+ */
+
+app_cert_key_pair_t *app_cert_key_pair_get (u32 index);
+app_cert_key_pair_t *app_cert_key_pair_get_if_valid (u32 index);
+app_cert_key_pair_t *app_cert_key_pair_get_default ();
+
+int vnet_app_add_cert_key_pair (vnet_app_add_cert_key_pair_args_t *a);
+int vnet_app_add_cert_key_interest (u32 index, u32 app_index);
+int vnet_app_del_cert_key_pair (u32 index);
+
+/*
+ * Crypto engine management
+ */
+crypto_engine_type_t app_crypto_engine_type_add (void);
+u8 app_crypto_engine_n_types (void);
+u8 *format_crypto_engine (u8 *s, va_list *args);
+uword unformat_crypto_engine (unformat_input_t *input, va_list *args);
+
+clib_error_t *application_crypto_init ();
+
+#endif /* SRC_VNET_SESSION_APPLICATION_CRYPTO_H_ */
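Review bot: `app_cert_key_pair_get_default ()` and `application_crypto_init ()` are declared with empty parentheses, which in C is an unprototyped declaration, so a call with stray arguments compiles silently; write them `(void)` like app_crypto_engine_type_add and app_crypto_engine_n_types. The public declarations also carry no contract comments, and a reader cannot tell from the header that vnet_app_add_cert_key_pair copies cert and key into pool-owned vectors (the caller keeps ownership of its buffers and receives the new index in a->index), that app_cert_key_pair_get does not validate the index while app_cert_key_pair_get_if_valid returns NULL for a free slot, or that the two mutators disagree on error convention (vnet_app_add_cert_key_interest returns -1, vnet_app_del_cert_key_pair returns SESSION_E_INVALID); a one-line comment on each, or a unified return type, would help. format_cert_key_pair is non-static in application_crypto.c but is not declared here; add `u8 *format_cert_key_pair (u8 *s, va_list *args);` or make it static. The `<vnet/tls/tls_test.h>` include inherited from application_interface.h looks unrelated to the declarations in this header, so confirm it is still needed before it becomes a dependency of every includer.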
#include <vlibmemory/api.h>
#include <svm/message_queue.h>
+#include <vnet/session/application_crypto.h>
#include <vnet/session/session_types.h>
-#include <vnet/tls/tls_test.h>
#include <svm/fifo_segment.h>
-typedef struct certificate_
-{
- u32 *app_interests; /* vec of application index asking for deletion cb */
- u32 cert_key_index; /* index in cert & key pool */
- u8 *key;
- u8 *cert;
-} app_cert_key_pair_t;
-
typedef struct session_cb_vft_
{
/** Notify server of new segment */
u8 *key;
} vnet_app_add_tls_key_args_t;
-typedef enum crypto_engine_type_
-{
- CRYPTO_ENGINE_NONE,
- CRYPTO_ENGINE_OPENSSL,
- CRYPTO_ENGINE_MBEDTLS,
- CRYPTO_ENGINE_VPP,
- CRYPTO_ENGINE_PICOTLS,
- CRYPTO_ENGINE_LAST = CRYPTO_ENGINE_PICOTLS,
-} crypto_engine_type_t;
-
-typedef struct _vnet_app_add_cert_key_pair_args_
-{
- u8 *cert;
- u8 *key;
- u32 cert_len;
- u32 key_len;
- u32 index;
-} vnet_app_add_cert_key_pair_args_t;
-
-typedef struct crypto_ctx_
-{
- u32 ctx_index; /**< index in crypto context pool */
- u32 n_subscribers; /**< refcount of sessions using said context */
- u32 ckpair_index; /**< certificate & key */
- u8 crypto_engine;
- void *data; /**< protocol specific data */
-} crypto_context_t;
-
/* Application attach options */
typedef enum
{