From 20399f8f3a27d54f65c4aff92998a2a345a7adab Mon Sep 17 00:00:00 2001 From: Simon Zhang Date: Mon, 28 Dec 2020 05:40:59 +0800 Subject: [PATCH] tls: make picotls engine able to initial connection as client Type: fix Signed-off-by: Simon Zhang Change-Id: Idd14dc11e92e0851c64f83e280b52f12e32ae48d --- src/plugins/tlspicotls/tls_picotls.c | 89 +++++++++++++++++++++++++++++------- src/plugins/tlspicotls/tls_picotls.h | 1 + 2 files changed, 74 insertions(+), 16 deletions(-) diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c index 58672aa6407..ef02f66a552 100644 --- a/src/plugins/tlspicotls/tls_picotls.c +++ b/src/plugins/tlspicotls/tls_picotls.c @@ -9,6 +9,21 @@ picotls_main_t picotls_main; #define MAX_QUEUE 12000 #define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384 +static ptls_key_exchange_algorithm_t *default_key_exchange[] = { +#ifdef PTLS_OPENSSL_HAVE_X25519 + &ptls_openssl_x25519, +#endif +#ifdef PTLS_OPENSSL_HAVE_SECP256R1 + &ptls_openssl_secp256r1, +#endif +#ifdef PTLS_OPENSSL_HAVE_SECP384R1 + &ptls_openssl_secp384r1, +#endif +#ifdef PTLS_OPENSSL_HAVE_SECP521R1 + &ptls_openssl_secp521r1 +#endif +}; + static u32 picotls_ctx_alloc (void) { @@ -113,20 +128,6 @@ picotls_start_listen (tls_ctx_t * lctx) ptls_context_t *ptls_ctx; u32 ptls_lctx_idx; app_cert_key_pair_t *ckpair; - static ptls_key_exchange_algorithm_t *key_exchange[] = { -#ifdef PTLS_OPENSSL_HAVE_X25519 - &ptls_openssl_x25519, -#endif -#ifdef PTLS_OPENSSL_HAVE_SECP256R1 - &ptls_openssl_secp256r1, -#endif -#ifdef PTLS_OPENSSL_HAVE_SECP384R1 - &ptls_openssl_secp384r1, -#endif -#ifdef PTLS_OPENSSL_HAVE_SECP521R1 - &ptls_openssl_secp521r1 -#endif - }; ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index); if (!ckpair || !ckpair->cert || !ckpair->key) @@ -151,7 +152,7 @@ picotls_start_listen (tls_ctx_t * lctx) load_bio_private_key (ptls_ctx, (char *) ckpair->key); /* setup protocol related functions */ - ptls_ctx->key_exchanges = key_exchange; + ptls_ctx->key_exchanges = default_key_exchange; ptls_ctx->random_bytes = ptls_openssl_random_bytes; ptls_ctx->cipher_suites = ptls_vpp_crypto_cipher_suites; ptls_ctx->get_time = &ptls_get_time; @@ -282,7 +283,9 @@ picotls_ctx_read (tls_ctx_t * ctx, session_t * tls_session) picotls_do_handshake (ptls_ctx, tls_session, TLS_RX_OFFSET (ptls_ctx), from_tls_len); if (picotls_handshake_is_over (ctx)) - tls_notify_app_accept (ctx); + ret = ptls_is_server (ptls_ctx->tls) ? + tls_notify_app_accept (ctx) : + tls_notify_app_connected (ctx, SESSION_E_NONE); done_hs: if (!TLS_RX_IS_LEFT (ptls_ctx)) @@ -539,6 +542,42 @@ picotls_ctx_init_server (tls_ctx_t * ctx) return 0; } +static int +picotls_ctx_init_client (tls_ctx_t *ctx) +{ + picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx; + picotls_main_t *pm = &picotls_main; + ptls_context_t *client_ptls_ctx = pm->client_ptls_ctx; + ptls_handshake_properties_t hsprop = { { { { NULL } } } }; + + session_t *tls_session = session_get_from_handle (ctx->tls_session_handle); + ptls_buffer_t hs_buf; + + ptls_ctx->tls = ptls_new (client_ptls_ctx, 0); + if (ptls_ctx->tls == NULL) + { + TLS_DBG (1, "Failed to initialize ptls_ssl structure"); + return -1; + } + + ptls_ctx->rx_len = 0; + ptls_ctx->rx_offset = 0; + ptls_ctx->write_buffer_offset = 0; + + ptls_buffer_init (&hs_buf, "", 0); + if (ptls_handshake (ptls_ctx->tls, &hs_buf, NULL, NULL, &hsprop) != + PTLS_ERROR_IN_PROGRESS) + { + TLS_DBG (1, "Failed to initialize tls connection"); + } + + picotls_try_handshake_write (ptls_ctx, tls_session, &hs_buf); + + ptls_buffer_dispose (&hs_buf); + + return 0; +} + tls_ctx_t * picotls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) { @@ -547,6 +586,21 @@ picotls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) return &(*ctx)->ctx; } +int +picotls_init_client_ptls_ctx (ptls_context_t **client_ptls_ctx) +{ + *client_ptls_ctx = clib_mem_alloc (sizeof (ptls_context_t)); + memset (*client_ptls_ctx, 0, sizeof (ptls_context_t)); + + (*client_ptls_ctx)->update_open_count = NULL; + (*client_ptls_ctx)->key_exchanges = default_key_exchange; + (*client_ptls_ctx)->random_bytes = ptls_openssl_random_bytes; + (*client_ptls_ctx)->cipher_suites = ptls_vpp_crypto_cipher_suites; + (*client_ptls_ctx)->get_time = &ptls_get_time; + + return 0; +} + const static tls_engine_vft_t picotls_engine = { .ctx_alloc = picotls_ctx_alloc, .ctx_free = picotls_ctx_free, @@ -556,6 +610,7 @@ const static tls_engine_vft_t picotls_engine = { .ctx_start_listen = picotls_start_listen, .ctx_stop_listen = picotls_stop_listen, .ctx_init_server = picotls_ctx_init_server, + .ctx_init_client = picotls_ctx_init_client, .ctx_read = picotls_ctx_read, .ctx_write = picotls_ctx_write, .ctx_transport_close = picotls_transport_close, @@ -578,6 +633,8 @@ tls_picotls_init (vlib_main_t * vm) tls_register_engine (&picotls_engine, CRYPTO_ENGINE_PICOTLS); + picotls_init_client_ptls_ctx (&pm->client_ptls_ctx); + return error; } diff --git a/src/plugins/tlspicotls/tls_picotls.h b/src/plugins/tlspicotls/tls_picotls.h index 27341f6f4bd..29b279c7a83 100644 --- a/src/plugins/tlspicotls/tls_picotls.h +++ b/src/plugins/tlspicotls/tls_picotls.h @@ -45,6 +45,7 @@ typedef struct picotls_main_ { picotls_ctx_t ***ctx_pool; picotls_listen_ctx_t *lctx_pool; + ptls_context_t *client_ptls_ctx; clib_rwlock_t crypto_keys_rw_lock; } picotls_main_t; -- 2.16.6