From: Florin Coras
Date: Tue, 27 May 2025 19:30:33 +0000 (-0400)
Subject: session: move app crypto to separate files
X-Git-Tag: v26.02-rc0~192
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F42%2F43042%2F5;p=vpp.git

session: move app crypto to separate files

Type: refactor

Change-Id: Iac10665d3060e4c585e3ee1f94743809ab09d9db
Signed-off-by: Florin Coras
---

diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt
index 65d612c0f3a..e3abe93da25 100644
--- a/src/vnet/CMakeLists.txt
+++ b/src/vnet/CMakeLists.txt
@@ -978,6 +978,7 @@ list(APPEND VNET_SOURCES
 session/application_interface.c
 session/application_local.c
 session/application_namespace.c
+ session/application_crypto.c
 session/segment_manager.c
 session/session_api.c
 session/session_sdl.c
@@ -996,6 +997,7 @@ list(APPEND VNET_HEADERS
 session/application_eventing.h
 session/application_local.h
 session/application_namespace.h
+ session/application_crypto.h
 session/session_debug.h
 session/segment_manager.h
 session/mma_template.h
diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c
index a550aec2b56..1ba4604a971 100644
--- a/src/vnet/session/application.c
+++ b/src/vnet/session/application.c
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -1781,67 +1782,13 @@ application_format_connects (application_t * app, int verbose)
 }
 }
-u8 *
-format_cert_key_pair (u8 * s, va_list * args)
-{
- app_cert_key_pair_t *ckpair = va_arg (*args, app_cert_key_pair_t *);
- int key_len = 0, cert_len = 0;
- cert_len = vec_len (ckpair->cert);
- key_len = vec_len (ckpair->key);
- if (ckpair->cert_key_index == 0)
- s = format (s, "DEFAULT (cert:%d, key:%d)", cert_len, key_len);
- else
- s = format (s, "%d (cert:%d, key:%d)", ckpair->cert_key_index,
- cert_len, key_len);
- return s;
-}
-
-u8 *
-format_crypto_engine (u8 * s, va_list * args)
-{
- u32 engine = va_arg (*args, u32);
- switch (engine)
- {
- case CRYPTO_ENGINE_NONE:
- return format (s, "none");
- case CRYPTO_ENGINE_MBEDTLS:
- return format (s, "mbedtls");
- case CRYPTO_ENGINE_OPENSSL:
- return format (s, "openssl");
- case CRYPTO_ENGINE_PICOTLS:
- return format (s, "picotls");
- case CRYPTO_ENGINE_VPP:
- return format (s, "vpp");
- default:
- return format (s, "unknown engine");
- }
- return s;
-}
-
-uword
-unformat_crypto_engine (unformat_input_t * input, va_list * args)
-{
- u8 *a = va_arg (*args, u8 *);
- if (unformat (input, "mbedtls"))
- *a = CRYPTO_ENGINE_MBEDTLS;
- else if (unformat (input, "openssl"))
- *a = CRYPTO_ENGINE_OPENSSL;
- else if (unformat (input, "picotls"))
- *a = CRYPTO_ENGINE_PICOTLS;
- else if (unformat (input, "vpp"))
- *a = CRYPTO_ENGINE_VPP;
- else
- return 0;
- return 1;
-}
-
 u8 *
 format_crypto_context (u8 * s, va_list * args)
 {
 crypto_context_t *crctx = va_arg (*args, crypto_context_t *);
 s = format (s, "[0x%x][sub%d,ckpair%x]", crctx->ctx_index,
 crctx->n_subscribers, crctx->ckpair_index);
- s = format (s, "[%U]", format_crypto_engine, crctx->crypto_engine);
+ s = format (s, "[engine:%U]", format_crypto_engine, crctx->crypto_engine);
 return s;
 }
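Review bot: The relabelled output `[engine:%U]` in format_crypto_context is a user-visible string change inside a commit declared `Type: refactor`, so anything that parses this line will see it change silently alongside the move. If the label is intended, naming it in the commit message makes the behaviour change reviewable; if not, keeping `s = format (s, "[%U]", format_crypto_engine, crctx->crypto_engine);` makes the move byte-for-byte equivalent.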
@@ -1937,19 +1884,6 @@ application_format_all_clients (vlib_main_t * vm, int verbose)
 }
 }
-static clib_error_t *
-show_certificate_command_fn (vlib_main_t * vm, unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- app_cert_key_pair_t *ckpair;
- session_cli_return_if_not_enabled ();
-
- pool_foreach (ckpair, app_main.cert_key_pair_store) {
- vlib_cli_output (vm, "%U", format_cert_key_pair, ckpair);
- }
- return 0;
-}
-
 static inline void
 appliction_format_app_mq (vlib_main_t * vm, application_t * app)
 {
@@ -2072,85 +2006,6 @@ show_app_command_fn (vlib_main_t * vm, unformat_input_t * input,
 return 0;
 }
-/* Certificate store */
-
-static app_cert_key_pair_t *
-app_cert_key_pair_alloc ()
-{
- app_cert_key_pair_t *ckpair;
- pool_get (app_main.cert_key_pair_store, ckpair);
- clib_memset (ckpair, 0, sizeof (*ckpair));
- ckpair->cert_key_index = ckpair - app_main.cert_key_pair_store;
- return ckpair;
-}
-
-app_cert_key_pair_t *
-app_cert_key_pair_get_if_valid (u32 index)
-{
- if (pool_is_free_index (app_main.cert_key_pair_store, index))
- return 0;
- return app_cert_key_pair_get (index);
-}
-
-app_cert_key_pair_t *
-app_cert_key_pair_get (u32 index)
-{
- return pool_elt_at_index (app_main.cert_key_pair_store, index);
-}
-
-app_cert_key_pair_t *
-app_cert_key_pair_get_default ()
-{
- /* To maintain legacy bapi */
- return app_cert_key_pair_get (0);
-}
-
-int
-vnet_app_add_cert_key_pair (vnet_app_add_cert_key_pair_args_t * a)
-{
- app_cert_key_pair_t *ckpair = app_cert_key_pair_alloc ();
- vec_validate (ckpair->cert, a->cert_len - 1);
- clib_memcpy_fast (ckpair->cert, a->cert, a->cert_len);
- vec_validate (ckpair->key, a->key_len - 1);
- clib_memcpy_fast (ckpair->key, a->key, a->key_len);
- a->index = ckpair->cert_key_index;
- return 0;
-}
-
-int
-vnet_app_add_cert_key_interest (u32 index, u32 app_index)
-{
- app_cert_key_pair_t *ckpair;
- if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
- return -1;
- if (vec_search (ckpair->app_interests, app_index) != ~0)
- vec_add1 (ckpair->app_interests, app_index);
- return 0;
-}
-
-int
-vnet_app_del_cert_key_pair (u32 index)
-{
- app_cert_key_pair_t *ckpair;
- application_t *app;
- u32 *app_index;
-
- if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
- return SESSION_E_INVALID;
-
- vec_foreach (app_index, ckpair->app_interests)
- {
- if ((app = application_get_if_valid (*app_index))
- && app->cb_fns.app_cert_key_pair_delete_callback)
- app->cb_fns.app_cert_key_pair_delete_callback (ckpair);
- }
-
- vec_free (ckpair->cert);
- vec_free (ckpair->key);
- pool_put (app_main.cert_key_pair_store, ckpair);
- return 0;
-}
-
 clib_error_t *
 application_init (vlib_main_t * vm)
 {
@@ -2158,13 +2013,10 @@ application_init (vlib_main_t * vm)
 u32 n_workers;
 n_workers = vlib_num_workers ();
-
- /* Index 0 was originally used by legacy apis, maintain as invalid */
- (void) app_cert_key_pair_alloc ();
- am->last_crypto_engine = CRYPTO_ENGINE_LAST;
+ vec_validate (am->wrk, n_workers);
 am->app_by_name = hash_create_vec (0, sizeof (u8), sizeof (uword));
- vec_validate (am->wrk, n_workers);
+ application_crypto_init ();
 return 0;
 }
@@ -2178,24 +2030,6 @@ VLIB_CLI_COMMAND (show_app_command, static) = {
 .function = show_app_command_fn,
 };
-VLIB_CLI_COMMAND (show_certificate_command, static) = {
- .path = "show app certificate",
- .short_help = "list app certs and keys present in store",
- .function = show_certificate_command_fn,
-};
-
-crypto_engine_type_t
-app_crypto_engine_type_add (void)
-{
- return (++app_main.last_crypto_engine);
-}
-
-u8
-app_crypto_engine_n_types (void)
-{
- return (app_main.last_crypto_engine + 1);
-}
-
 /*
 * fd.io coding-style-patch-verification: ON
 *
diff --git a/src/vnet/session/application.h b/src/vnet/session/application.h
index 2d605c3af82..92c182f63ba 100644
--- a/src/vnet/session/application.h
+++ b/src/vnet/session/application.h
@@ -213,16 +213,6 @@ typedef struct app_main_
 */
 uword *app_by_name;
- /**
- * Pool from which we allocate certificates (key, cert)
- */
- app_cert_key_pair_t *cert_key_pair_store;
-
- /*
- * Last registered crypto engine type
- */
- crypto_engine_type_t last_crypto_engine;
- /** - * App sublayer per-worker state */
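Review bot: application_init now calls `application_crypto_init ()` directly while the new application_crypto.c also registers the same function with `VLIB_INIT_FUNCTION (application_crypto_init)`, so unless vlib's init runner skips functions that were already invoked directly, the initialisation appears to run twice. A second run calls app_cert_key_pair_alloc again, reserving pool index 1 as well as 0, and resets last_crypto_engine to CRYPTO_ENGINE_LAST, which would discard any engine type registered through app_crypto_engine_type_add between the two runs. The previous code performed these steps once inside application_init; keeping only one mechanism (the explicit call, or the VLIB_INIT_FUNCTION registration with an ordering constraint relative to application_init) restores that. The registration itself is in the application_crypto.c hunk below.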
@@ -401,23 +391,15 @@ session_t *app_worker_proxy_listener (app_worker_t * app, u8 fib_proto,
 u8 transport_proto);
 void app_worker_del_detached_sm (app_worker_t * app_wrk, u32 sm_index);
 u8 *format_app_worker (u8 * s, va_list * args);
-u8 *format_app_worker_listener (u8 * s, va_list * args);
-u8 *format_crypto_engine (u8 * s, va_list * args);
+u8 *format_app_worker_listener (u8 *s, va_list *args);
 u8 *format_crypto_context (u8 * s, va_list * args);
 void app_worker_format_connects (app_worker_t * app_wrk, int verbose);
 session_error_t vnet_app_worker_add_del (vnet_app_worker_add_del_args_t *a);
 uword unformat_application_proto (unformat_input_t * input, va_list * args);
-app_cert_key_pair_t *app_cert_key_pair_get (u32 index);
-app_cert_key_pair_t *app_cert_key_pair_get_if_valid (u32 index);
-app_cert_key_pair_t *app_cert_key_pair_get_default ();
-
 void sapi_socket_close_w_handle (u32 api_handle);
-crypto_engine_type_t app_crypto_engine_type_add (void);
-u8 app_crypto_engine_n_types (void);
-
 static inline u8
 app_worker_application_is_builtin (app_worker_t *app_wrk)
 {
diff --git a/src/vnet/session/application_crypto.c b/src/vnet/session/application_crypto.c
new file mode 100644
index 00000000000..a48ee07b4c3
--- /dev/null
+++ b/src/vnet/session/application_crypto.c
@@ -0,0 +1,192 @@
+/* SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) 2025 Cisco Systems, Inc.
+ */
+
+#include
+#include
+#include
+
+typedef struct app_crypto_main_
+{
+ crypto_engine_type_t last_crypto_engine; /* Last crypto engine type used */
+ app_cert_key_pair_t *cert_key_pair_store; /* Pool of cert/key pairs */
+} app_crypto_main_t;
+
+static app_crypto_main_t app_crypto_main;
+
+static app_cert_key_pair_t *
+app_cert_key_pair_alloc ()
+{
+ app_cert_key_pair_t *ckpair;
+ pool_get (app_crypto_main.cert_key_pair_store, ckpair);
+ clib_memset (ckpair, 0, sizeof (*ckpair));
+ ckpair->cert_key_index = ckpair - app_crypto_main.cert_key_pair_store;
+ return ckpair;
+}
+
+app_cert_key_pair_t *
+app_cert_key_pair_get (u32 index)
+{
+ return pool_elt_at_index (app_crypto_main.cert_key_pair_store, index);
+}
+
+app_cert_key_pair_t *
+app_cert_key_pair_get_if_valid (u32 index)
+{
+ if (pool_is_free_index (app_crypto_main.cert_key_pair_store, index))
+ return 0;
+ return app_cert_key_pair_get (index);
+}
+
+app_cert_key_pair_t *
+app_cert_key_pair_get_default ()
+{
+ /* To maintain legacy bapi */
+ return app_cert_key_pair_get (0);
+}
+
+int
+vnet_app_add_cert_key_pair (vnet_app_add_cert_key_pair_args_t *a)
+{
+ app_cert_key_pair_t *ckpair = app_cert_key_pair_alloc ();
+ vec_validate (ckpair->cert, a->cert_len - 1);
+ clib_memcpy_fast (ckpair->cert, a->cert, a->cert_len);
+ vec_validate (ckpair->key, a->key_len - 1);
+ clib_memcpy_fast (ckpair->key, a->key, a->key_len);
+ a->index = ckpair->cert_key_index;
+ return 0;
+}
+
+int
+vnet_app_add_cert_key_interest (u32 index, u32 app_index)
+{
+ app_cert_key_pair_t *ckpair;
+ if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
+ return -1;
+ if (vec_search (ckpair->app_interests, app_index) != ~0)
+ vec_add1 (ckpair->app_interests, app_index);
+ return 0;
+}
+
+int
+vnet_app_del_cert_key_pair (u32 index)
+{
+ app_cert_key_pair_t *ckpair;
+ application_t *app;
+ u32 *app_index;
+
+ if (!(ckpair = app_cert_key_pair_get_if_valid (index)))
+ return SESSION_E_INVALID;
+
+ vec_foreach (app_index, ckpair->app_interests)
+ {
+ if ((app = application_get_if_valid (*app_index)) &&
+ app->cb_fns.app_cert_key_pair_delete_callback)
+ app->cb_fns.app_cert_key_pair_delete_callback (ckpair);
+ }
+
+ vec_free (ckpair->cert);
+ vec_free (ckpair->key);
+ pool_put (app_crypto_main.cert_key_pair_store, ckpair);
+ return 0;
+}
+
+u8 *
+format_cert_key_pair (u8 *s, va_list *args)
+{
+ app_cert_key_pair_t *ckpair = va_arg (*args, app_cert_key_pair_t *);
+ int key_len = 0, cert_len = 0;
+ cert_len = vec_len (ckpair->cert);
+ key_len = vec_len (ckpair->key);
+ if (ckpair->cert_key_index == 0)
+ s = format (s, "DEFAULT (cert:%d, key:%d)", cert_len, key_len);
+ else
+ s = format (s, "%d (cert:%d, key:%d)", ckpair->cert_key_index, cert_len,
+ key_len);
+ return s;
+}
+
+static clib_error_t *
+show_certificate_command_fn (vlib_main_t *vm, unformat_input_t *input,
+ vlib_cli_command_t *cmd)
+{
+ app_cert_key_pair_t *ckpair;
+ session_cli_return_if_not_enabled ();
+
+ pool_foreach (ckpair, app_crypto_main.cert_key_pair_store)
+ {
+ vlib_cli_output (vm, "%U", format_cert_key_pair, ckpair);
+ }
+ return 0;
+}
+
+VLIB_CLI_COMMAND (show_certificate_command, static) = {
+ .path = "show app certificate",
+ .short_help = "list app certs and keys present in store",
+ .function = show_certificate_command_fn,
+};
+
+crypto_engine_type_t
+app_crypto_engine_type_add (void)
+{
+ return (++app_crypto_main.last_crypto_engine);
+}
+
+u8 *
+format_crypto_engine (u8 *s, va_list *args)
+{
+ u32 engine = va_arg (*args, u32);
+ switch (engine)
+ {
+ case CRYPTO_ENGINE_NONE:
+ return format (s, "none");
+ case CRYPTO_ENGINE_MBEDTLS:
+ return format (s, "mbedtls");
+ case CRYPTO_ENGINE_OPENSSL:
+ return format (s, "openssl");
+ case CRYPTO_ENGINE_PICOTLS:
+ return format (s, "picotls");
+ case CRYPTO_ENGINE_VPP:
+ return format (s, "vpp");
+ default:
+ return format (s, "unknown engine");
+ }
+ return s;
+}
+
+uword
+unformat_crypto_engine (unformat_input_t *input, va_list *args)
+{
+ u8 *a = va_arg (*args, u8 *);
+ if (unformat (input, "mbedtls"))
+ *a = CRYPTO_ENGINE_MBEDTLS;
+ else if (unformat (input, "openssl"))
+ *a = CRYPTO_ENGINE_OPENSSL;
+ else if (unformat (input, "picotls"))
+ *a = CRYPTO_ENGINE_PICOTLS;
+ else if (unformat (input, "vpp"))
+ *a = CRYPTO_ENGINE_VPP;
+ else
+ return 0;
+ return 1;
+}
+
+u8
+app_crypto_engine_n_types (void)
+{
+ return (app_crypto_main.last_crypto_engine + 1);
+}
+
+clib_error_t *
+application_crypto_init ()
+{
+ app_crypto_main_t *acm = &app_crypto_main;
+
+ /* Index 0 was originally used by legacy apis, maintain as invalid */
+ app_cert_key_pair_alloc ();
+
+ acm->last_crypto_engine = CRYPTO_ENGINE_LAST;
+ return 0;
+}
+
+VLIB_INIT_FUNCTION (application_crypto_init);
\ No newline at end of file
diff --git a/src/vnet/session/application_crypto.h b/src/vnet/session/application_crypto.h
new file mode 100644
index 00000000000..20e385e4ae8
--- /dev/null
+++ b/src/vnet/session/application_crypto.h
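Review bot: vnet_app_add_cert_key_pair uses `a->cert_len` and `a->key_len` without validating them: with a zero length `a->cert_len - 1` wraps to 0xffffffff and `vec_validate` tries to grow the vector to about 4 GiB, and with a NULL `a->cert`/`a->key` and a non-zero length clib_memcpy_fast reads from NULL, so if these args can arrive from the binary API (the handler is outside this diff, so presumably) a guard such as `if (!a->cert || !a->cert_len || !a->key || !a->key_len) return SESSION_E_INVALID;` ahead of app_cert_key_pair_alloc is needed, or a comment naming the caller that already validates them. In vnet_app_add_cert_key_interest the test `if (vec_search (ckpair->app_interests, app_index) != ~0)` reads as inverted if vec_search returns ~0 for "not found": a first interest is never recorded and repeats are appended, so the delete-callback loop in vnet_app_del_cert_key_pair never reaches a newly interested app; `== ~0` matches the evident intent. vnet_app_del_cert_key_pair releases the private key with a plain `vec_free (ckpair->key)`, leaving the key bytes in freed heap memory; clearing the vector contents with an optimiser-proof wipe before the free is cheap for a store of long-lived credentials. All three are carried over unchanged from application.c, so they are pre-existing rather than introduced here, but the move is the natural place to fix them. The file also ends without a trailing newline after `VLIB_INIT_FUNCTION (application_crypto_init);`.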
@@ -0,0 +1,68 @@
+/* SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) 2025 Cisco Systems, Inc.
+ */
+
+#ifndef SRC_VNET_SESSION_APPLICATION_CRYPTO_H_
+#define SRC_VNET_SESSION_APPLICATION_CRYPTO_H_
+
+#include
+
+typedef struct certificate_
+{
+ u32 *app_interests; /* vec of application index asking for deletion cb */
+ u32 cert_key_index; /* index in cert & key pool */
+ u8 *key;
+ u8 *cert;
+} app_cert_key_pair_t;
+
+typedef enum crypto_engine_type_
+{
+ CRYPTO_ENGINE_NONE,
+ CRYPTO_ENGINE_OPENSSL,
+ CRYPTO_ENGINE_MBEDTLS,
+ CRYPTO_ENGINE_VPP,
+ CRYPTO_ENGINE_PICOTLS,
+ CRYPTO_ENGINE_LAST = CRYPTO_ENGINE_PICOTLS,
+} crypto_engine_type_t;
+
+typedef struct _vnet_app_add_cert_key_pair_args_
+{
+ u8 *cert;
+ u8 *key;
+ u32 cert_len;
+ u32 key_len;
+ u32 index;
+} vnet_app_add_cert_key_pair_args_t;
+
+typedef struct crypto_ctx_
+{
+ u32 ctx_index; /**< index in crypto context pool */
+ u32 n_subscribers; /**< refcount of sessions using said context */
+ u32 ckpair_index; /**< certificate & key */
+ u8 crypto_engine;
+ void *data; /**< protocol specific data */
+} crypto_context_t;
+
+/*
+ * Certificate key-pair management
+ */
+
+app_cert_key_pair_t *app_cert_key_pair_get (u32 index);
+app_cert_key_pair_t *app_cert_key_pair_get_if_valid (u32 index);
+app_cert_key_pair_t *app_cert_key_pair_get_default ();
+
+int vnet_app_add_cert_key_pair (vnet_app_add_cert_key_pair_args_t *a);
+int vnet_app_add_cert_key_interest (u32 index, u32 app_index);
+int vnet_app_del_cert_key_pair (u32 index);
+
+/*
+ * Crypto engine management
+ */
+crypto_engine_type_t app_crypto_engine_type_add (void);
+u8 app_crypto_engine_n_types (void);
+u8 *format_crypto_engine (u8 *s, va_list *args);
+uword unformat_crypto_engine (unformat_input_t *input, va_list *args);
+
+clib_error_t *application_crypto_init ();
+
+#endif /* SRC_VNET_SESSION_APPLICATION_CRYPTO_H_ */
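Review bot: `app_cert_key_pair_t *app_cert_key_pair_get_default ();` and `clib_error_t *application_crypto_init ();` are declared with empty parentheses, which in C11 is an unprototyped declaration accepting any arguments, while `app_crypto_engine_type_add (void)` and `app_crypto_engine_n_types (void)` a few lines below are properly prototyped; writing `(void)` in both the header and the definitions in application_crypto.c lets the compiler reject stray arguments and keeps the block consistent. The reserved-slot convention is undocumented here even though it is part of the header's contract: application_crypto_init allocates pool index 0 at start-up, app_cert_key_pair_get_default returns it and format_cert_key_pair prints it as DEFAULT, so a comment on `cert_key_index` along the lines of `/* index in cert & key pool; index 0 is reserved at init for the legacy binary API and is what app_cert_key_pair_get_default returns */` would tell callers what a default pair is. A one-line comment on `app_interests` saying that vnet_app_del_cert_key_pair invokes app_cert_key_pair_delete_callback for each listed app would likewise close the loop between the two files.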
diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h
index 4d53eec1084..e9284b9806f 100644
--- a/src/vnet/session/application_interface.h
+++ b/src/vnet/session/application_interface.h
@@ -17,18 +17,10 @@
 #include
 #include
+#include
 #include
-#include
 #include
-typedef struct certificate_
-{
- u32 *app_interests; /* vec of application index asking for deletion cb */
- u32 cert_key_index; /* index in cert & key pool */
- u8 *key;
- u8 *cert;
-} app_cert_key_pair_t;
-
 typedef struct session_cb_vft_
 {
 /** Notify server of new segment */
@@ -182,34 +174,6 @@ typedef struct _vnet_application_add_tls_key_args_t
 u8 *key;
 } vnet_app_add_tls_key_args_t;
-typedef enum crypto_engine_type_
-{
- CRYPTO_ENGINE_NONE,
- CRYPTO_ENGINE_OPENSSL,
- CRYPTO_ENGINE_MBEDTLS,
- CRYPTO_ENGINE_VPP,
- CRYPTO_ENGINE_PICOTLS,
- CRYPTO_ENGINE_LAST = CRYPTO_ENGINE_PICOTLS,
-} crypto_engine_type_t;
-
-typedef struct _vnet_app_add_cert_key_pair_args_
-{
- u8 *cert;
- u8 *key;
- u32 cert_len;
- u32 key_len;
- u32 index;
-} vnet_app_add_cert_key_pair_args_t;
-
-typedef struct crypto_ctx_
-{
- u32 ctx_index; /**< index in crypto context pool */
- u32 n_subscribers; /**< refcount of sessions using said context */
- u32 ckpair_index; /**< certificate & key */
- u8 crypto_engine;
- void *data; /**< protocol specific data */
-} crypto_context_t;
-
 /* Application attach options */
 typedef enum
 {