tls: Add C API for TLS openssl to set engine

[vpp.git] / src / plugins / tlsopenssl / tls_openssl.c

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 9585e3f..589d76d 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -16,6 +16,7 @@
 #include <openssl/ssl.h>
 #include <openssl/conf.h>
 #include <openssl/err.h>
+
 #ifdef HAVE_OPENSSL_ASYNC
 #include <openssl/async.h>
 #endif
@@ -26,9 +27,9 @@
 #include <ctype.h>
 #include <tlsopenssl/tls_openssl.h>
 
-#define MAX_CRYPTO_LEN 16
+#define MAX_CRYPTO_LEN 64
 
-static openssl_main_t openssl_main;
+openssl_main_t openssl_main;
 static u32
 openssl_ctx_alloc (void)
 {
@@ -58,6 +59,7 @@ openssl_ctx_free (tls_ctx_t * ctx)
 
   SSL_free (oc->ssl);
 
+  vec_free (ctx->srv_hostname);
   pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index],
                  oc->openssl_ctx_index);
 }
@@ -105,15 +107,14 @@ openssl_lctx_get (u32 lctx_index)
 }
 
 static int
-openssl_try_handshake_read (openssl_ctx_t * oc,
-                           stream_session_t * tls_session)
+openssl_try_handshake_read (openssl_ctx_t * oc, session_t * tls_session)
 {
   u32 deq_max, deq_now;
   svm_fifo_t *f;
   int wrote, rv;
 
-  f = tls_session->server_rx_fifo;
-  deq_max = svm_fifo_max_dequeue (f);
+  f = tls_session->rx_fifo;
+  deq_max = svm_fifo_max_dequeue_cons (f);
   if (!deq_max)
     return 0;
 
@@ -137,8 +138,7 @@ openssl_try_handshake_read (openssl_ctx_t * oc,
 }
 
 static int
-openssl_try_handshake_write (openssl_ctx_t * oc,
-                            stream_session_t * tls_session)
+openssl_try_handshake_write (openssl_ctx_t * oc, session_t * tls_session)
 {
   u32 enq_max, deq_now;
   svm_fifo_t *f;
@@ -147,8 +147,8 @@ openssl_try_handshake_write (openssl_ctx_t * oc,
   if (BIO_ctrl_pending (oc->rbio) <= 0)
     return 0;
 
-  f = tls_session->server_tx_fifo;
-  enq_max = svm_fifo_max_enqueue (f);
+  f = tls_session->tx_fifo;
+  enq_max = svm_fifo_max_enqueue_prod (f);
   if (!enq_max)
     return 0;
 
@@ -206,8 +206,30 @@ vpp_ssl_async_retry_func (tls_ctx_t * ctx, openssl_resume_handler * handler)
 
 #endif
 
+static void
+openssl_handle_handshake_failure (tls_ctx_t * ctx)
+{
+  if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
+    {
+      /*
+       * Cleanup pre-allocated app session and close transport
+       */
+      session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
+      ctx->no_app_session = 1;
+      ctx->c_s_index = SESSION_INVALID_INDEX;
+      tls_disconnect_transport (ctx);
+    }
+  else
+    {
+      /*
+       * Also handles cleanup of the pre-allocated session
+       */
+      tls_notify_app_connected (ctx, /* is failed */ 1);
+    }
+}
+
 int
-openssl_ctx_handshake_rx (tls_ctx_t * ctx, stream_session_t * tls_session)
+openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session)
 {
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   int rv = 0, err;
@@ -234,6 +256,17 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, stream_session_t * tls_session)
 
       rv = SSL_do_handshake (oc->ssl);
       err = SSL_get_error (oc->ssl, rv);
+
+      if (err == SSL_ERROR_SSL)
+       {
+         char buf[512];
+         ERR_error_string (ERR_get_error (), buf);
+         clib_warning ("Err: %s", buf);
+
+         openssl_handle_handshake_failure (ctx);
+         return -1;
+       }
+
       openssl_try_handshake_write (oc, tls_session);
 #ifdef HAVE_OPENSSL_ASYNC
       if (err == SSL_ERROR_WANT_ASYNC)
@@ -248,15 +281,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, stream_session_t * tls_session)
 #endif
 
       if (err != SSL_ERROR_WANT_WRITE)
-       {
-         if (err == SSL_ERROR_SSL)
-           {
-             char buf[512];
-             ERR_error_string (ERR_get_error (), buf);
-             clib_warning ("Err: %s", buf);
-           }
-         break;
-       }
+       break;
     }
   TLS_DBG (2, "tls state for %u is %s", oc->openssl_ctx_index,
           SSL_state_string_long (oc->ssl));
@@ -298,17 +323,24 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, stream_session_t * tls_session)
   return rv;
 }
 
+static void
+openssl_confirm_app_close (tls_ctx_t * ctx)
+{
+  tls_disconnect_transport (ctx);
+  session_transport_closed_notify (&ctx->connection);
+}
+
 static inline int
-openssl_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session)
+openssl_ctx_write (tls_ctx_t * ctx, session_t * app_session)
 {
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   int wrote = 0, rv, read, max_buf = 100 * TLS_CHUNK_SIZE, max_space;
   u32 enq_max, deq_max, deq_now, to_write;
-  stream_session_t *tls_session;
+  session_t *tls_session;
   svm_fifo_t *f;
 
-  f = app_session->server_tx_fifo;
-  deq_max = svm_fifo_max_dequeue (f);
+  f = app_session->tx_fifo;
+  deq_max = svm_fifo_max_dequeue_cons (f);
   if (!deq_max)
     goto check_tls_fifo;
 
@@ -322,18 +354,21 @@ openssl_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session)
       tls_add_vpp_q_builtin_tx_evt (app_session);
       goto check_tls_fifo;
     }
-  svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote);
+  svm_fifo_dequeue_drop (app_session->tx_fifo, wrote);
   if (wrote < deq_now)
     {
       to_write = clib_min (svm_fifo_max_read_chunk (f), deq_now - wrote);
       rv = SSL_write (oc->ssl, svm_fifo_head (f), to_write);
       if (rv > 0)
        {
-         svm_fifo_dequeue_drop (app_session->server_tx_fifo, rv);
+         svm_fifo_dequeue_drop (app_session->tx_fifo, rv);
          wrote += rv;
        }
     }
 
+  if (svm_fifo_needs_deq_ntf (app_session->tx_fifo, wrote))
+    session_dequeue_notify (app_session);
+
   if (wrote < deq_max)
     tls_add_vpp_q_builtin_tx_evt (app_session);
 
@@ -343,8 +378,8 @@ check_tls_fifo:
     return wrote;
 
   tls_session = session_get_from_handle (ctx->tls_session_handle);
-  f = tls_session->server_tx_fifo;
-  enq_max = svm_fifo_max_enqueue (f);
+  f = tls_session->tx_fifo;
+  enq_max = svm_fifo_max_enqueue_prod (f);
   if (!enq_max)
     {
       tls_add_vpp_q_builtin_tx_evt (app_session);
@@ -372,17 +407,19 @@ check_tls_fifo:
 
   if (BIO_ctrl_pending (oc->rbio) > 0)
     tls_add_vpp_q_builtin_tx_evt (app_session);
+  else if (ctx->app_closed)
+    openssl_confirm_app_close (ctx);
 
   return wrote;
 }
 
 static inline int
-openssl_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session)
+openssl_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
 {
   int read, wrote = 0, max_space, max_buf = 100 * TLS_CHUNK_SIZE, rv;
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   u32 deq_max, enq_max, deq_now, to_read;
-  stream_session_t *app_session;
+  session_t *app_session;
   svm_fifo_t *f;
 
   if (PREDICT_FALSE (SSL_in_init (oc->ssl)))
@@ -391,8 +428,8 @@ openssl_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session)
       return 0;
     }
 
-  f = tls_session->server_rx_fifo;
-  deq_max = svm_fifo_max_dequeue (f);
+  f = tls_session->rx_fifo;
+  deq_max = svm_fifo_max_dequeue_cons (f);
   max_space = max_buf - BIO_ctrl_pending (oc->wbio);
   max_space = max_space < 0 ? 0 : max_space;
   deq_now = clib_min (deq_max, max_space);
@@ -417,7 +454,7 @@ openssl_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session)
          wrote += rv;
        }
     }
-  if (svm_fifo_max_dequeue (f))
+  if (svm_fifo_max_dequeue_cons (f))
     tls_add_vpp_q_builtin_rx_evt (tls_session);
 
 check_app_fifo:
@@ -426,8 +463,8 @@ check_app_fifo:
     return wrote;
 
   app_session = session_get_from_handle (ctx->app_session_handle);
-  f = app_session->server_rx_fifo;
-  enq_max = svm_fifo_max_enqueue (f);
+  f = app_session->rx_fifo;
+  enq_max = svm_fifo_max_enqueue_prod (f);
   if (!enq_max)
     {
       tls_add_vpp_q_builtin_rx_evt (tls_session);
@@ -463,7 +500,7 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   openssl_main_t *om = &openssl_main;
-  stream_session_t *tls_session;
+  session_t *tls_session;
   const SSL_METHOD *method;
   int rv, err;
 #ifdef HAVE_OPENSSL_ASYNC
@@ -564,15 +601,20 @@ openssl_start_listen (tls_ctx_t * lctx)
   EVP_PKEY *pkey;
   u32 olc_index;
   openssl_listen_ctx_t *olc;
+  app_worker_t *app_wrk;
 
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
   openssl_main_t *om = &openssl_main;
 
-  app = application_get (lctx->parent_app_index);
+  app_wrk = app_worker_get (lctx->parent_app_wrk_index);
+  if (!app_wrk)
+    return -1;
+
+  app = application_get (app_wrk->app_index);
   if (!app->tls_cert || !app->tls_key)
     {
       TLS_DBG (1, "tls cert and/or key not configured %d",
-              lctx->parent_app_index);
+              lctx->parent_app_wrk_index);
       return -1;
     }
 
@@ -662,7 +704,7 @@ openssl_ctx_init_server (tls_ctx_t * ctx)
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   u32 olc_index = ctx->tls_ssl_ctx;
   openssl_listen_ctx_t *olc;
-  stream_session_t *tls_session;
+  session_t *tls_session;
   int rv, err;
 #ifdef HAVE_OPENSSL_ASYNC
   openssl_resume_handler *handler;
@@ -722,6 +764,34 @@ openssl_handshake_is_over (tls_ctx_t * ctx)
   return SSL_is_init_finished (mc->ssl);
 }
 
+static int
+openssl_transport_close (tls_ctx_t * ctx)
+{
+  if (!openssl_handshake_is_over (ctx))
+    {
+      openssl_handle_handshake_failure (ctx);
+      return 0;
+    }
+  session_transport_closing_notify (&ctx->connection);
+  return 0;
+}
+
+static int
+openssl_app_close (tls_ctx_t * ctx)
+{
+  openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
+  session_t *app_session;
+
+  /* Wait for all data to be written to tcp */
+  app_session = session_get_from_handle (ctx->app_session_handle);
+  if (BIO_ctrl_pending (oc->rbio) <= 0
+      && !svm_fifo_max_dequeue_cons (app_session->tx_fifo))
+    openssl_confirm_app_close (ctx);
+  else
+    ctx->app_closed = 1;
+  return 0;
+}
+
 const static tls_engine_vft_t openssl_engine = {
   .ctx_alloc = openssl_ctx_alloc,
   .ctx_free = openssl_ctx_free,
@@ -734,6 +804,8 @@ const static tls_engine_vft_t openssl_engine = {
   .ctx_handshake_is_over = openssl_handshake_is_over,
   .ctx_start_listen = openssl_start_listen,
   .ctx_stop_listen = openssl_stop_listen,
+  .ctx_transport_close = openssl_transport_close,
+  .ctx_app_close = openssl_app_close,
 };
 
 int
@@ -779,7 +851,7 @@ tls_init_ca_chain (void)
   return (rv < 0 ? -1 : 0);
 }
 
-static int
+int
 tls_openssl_set_ciphers (char *ciphers)
 {
   openssl_main_t *om = &openssl_main;
@@ -805,14 +877,12 @@ tls_openssl_init (vlib_main_t * vm)
 {
   vlib_thread_main_t *vtm = vlib_get_thread_main ();
   openssl_main_t *om = &openssl_main;
-  clib_error_t *error;
+  clib_error_t *error = 0;
   u32 num_threads;
 
+  error = tls_openssl_api_init (vm);
   num_threads = 1 /* main thread */  + vtm->n_threads;
 
-  if ((error = vlib_call_init_function (vm, tls_init)))
-    return error;
-
   SSL_library_init ();
   SSL_load_error_strings ();
 
@@ -832,8 +902,14 @@ tls_openssl_init (vlib_main_t * vm)
   tls_openssl_set_ciphers
     ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
 
-  return 0;
+  return error;
 }
+/* *INDENT-OFF* */
+VLIB_INIT_FUNCTION (tls_openssl_init) =
+{
+  .runs_after = VLIB_INITS("tls_init"),
+};
+/* *INDENT-ON* */
 
 #ifdef HAVE_OPENSSL_ASYNC
 static clib_error_t *
@@ -888,7 +964,7 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
     }
   else
     {
-      if (!openssl_engine_register (engine_name, engine_alg))
+      if (openssl_engine_register (engine_name, engine_alg) < 0)
        {
          return clib_error_return (0, "failed to register %s polling",
                                    engine_name);
@@ -908,13 +984,10 @@ VLIB_CLI_COMMAND (tls_openssl_set_command, static) =
 /* *INDENT-ON* */
 #endif
 
-
-VLIB_INIT_FUNCTION (tls_openssl_init);
-
 /* *INDENT-OFF* */
 VLIB_PLUGIN_REGISTER () = {
     .version = VPP_BUILD_VER,
-    .description = "openssl based TLS Engine",
+    .description = "Transport Layer Security (TLS) Engine, OpenSSL Based",
 };
 /* *INDENT-ON* */