From 58d36f02b45c5af38b7df81fb7976129cad3e05b Mon Sep 17 00:00:00 2001 From: Florin Coras Date: Fri, 9 Mar 2018 13:05:53 -0800 Subject: [PATCH] tls: add openssl engine Change-Id: I6c215858d2c9c620787632b570950b15274c0df2 Signed-off-by: Florin Coras --- src/configure.ac | 7 + src/plugins/Makefile.am | 4 + src/plugins/tlsmbedtls/tls_mbedtls.c | 151 +++++-- src/plugins/tlsopenssl.am | 21 + src/plugins/tlsopenssl/tls_openssl.c | 675 +++++++++++++++++++++++++++++++ src/svm/svm_fifo.h | 43 ++ src/vnet/session-apps/echo_client.c | 6 +- src/vnet/session-apps/echo_client.h | 2 +- src/vnet/session-apps/echo_server.c | 6 +- src/vnet/session/application.c | 2 + src/vnet/session/application.h | 3 + src/vnet/session/application_interface.h | 2 + src/vnet/tls/tls.c | 271 ++++++------- src/vnet/tls/tls.h | 24 +- 14 files changed, 1027 insertions(+), 190 deletions(-) create mode 100644 src/plugins/tlsopenssl.am create mode 100644 src/plugins/tlsopenssl/tls_openssl.c diff --git a/src/configure.ac b/src/configure.ac index 74d5113b93e..26c2eb5510d 100644 --- a/src/configure.ac +++ b/src/configure.ac @@ -231,6 +231,7 @@ PLUGIN_ENABLED(srv6am) PLUGIN_ENABLED(srv6as) PLUGIN_ENABLED(stn) PLUGIN_ENABLED(tlsmbedtls) +PLUGIN_ENABLED(tlsopenssl) ############################################################################### # Dependency checks @@ -306,6 +307,12 @@ AM_COND_IF([ENABLE_TLSMBEDTLS_PLUGIN], ], []) ]) +AM_COND_IF([WITH_LIBSSL], [], +[ + AC_MSG_WARN([openssl not enabled. Disabling tlsopenssl plugin]) + enable_tlsopenssl_plugin=no + AM_CONDITIONAL(ENABLE_TLSOPENSSL_PLUGIN, false) +]) ############################################################################### # JAVA diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am index 8b46986c9b8..0381502d3da 100644 --- a/src/plugins/Makefile.am +++ b/src/plugins/Makefile.am @@ -115,6 +115,10 @@ if ENABLE_TLSMBEDTLS_PLUGIN include tlsmbedtls.am endif +if ENABLE_TLSOPENSSL_PLUGIN +include tlsopenssl.am +endif + include ../suffix-rules.mk # Remove *.la files diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c index 1bae1f726f8..aaad99f0fdb 100644 --- a/src/plugins/tlsmbedtls/tls_mbedtls.c +++ b/src/plugins/tlsmbedtls/tls_mbedtls.c @@ -28,6 +28,7 @@ typedef struct tls_ctx_mbedtls_ { tls_ctx_t ctx; /**< First */ + u32 mbedtls_ctx_index; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; mbedtls_x509_crt srvcert; @@ -40,6 +41,8 @@ typedef struct mbedtls_main_ mbedtls_ctr_drbg_context *ctr_drbgs; mbedtls_entropy_context *entropy_pools; mbedtls_x509_crt cacert; + u8 **rx_bufs; + u8 **tx_bufs; } mbedtls_main_t; static mbedtls_main_t mbedtls_main; @@ -64,7 +67,7 @@ mbedtls_free_fn (void *ptr) } #endif -u32 +static u32 mbedtls_ctx_alloc (void) { u8 thread_index = vlib_get_thread_index (); @@ -77,10 +80,12 @@ mbedtls_ctx_alloc (void) memset (*ctx, 0, sizeof (mbedtls_ctx_t)); (*ctx)->ctx.c_thread_index = thread_index; - return ctx - tm->ctx_pool[thread_index]; + (*ctx)->ctx.tls_ctx_engine = TLS_ENGINE_MBEDTLS; + (*ctx)->mbedtls_ctx_index = ctx - tm->ctx_pool[thread_index]; + return ((*ctx)->mbedtls_ctx_index); } -void +static void mbedtls_ctx_free (tls_ctx_t * ctx) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; @@ -95,11 +100,11 @@ mbedtls_ctx_free (tls_ctx_t * ctx) mbedtls_ssl_free (&mc->ssl); mbedtls_ssl_config_free (&mc->conf); - pool_put_index (mbedtls_main.ctx_pool[vlib_get_thread_index ()], - ctx->tls_ctx_idx); + pool_put_index (mbedtls_main.ctx_pool[ctx->c_thread_index], + mc->mbedtls_ctx_index); } -tls_ctx_t * +static tls_ctx_t * mbedtls_ctx_get (u32 ctx_index) { mbedtls_ctx_t **ctx; @@ -108,7 +113,7 @@ mbedtls_ctx_get (u32 ctx_index) return &(*ctx)->ctx; } -tls_ctx_t * +static tls_ctx_t * mbedtls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) { mbedtls_ctx_t **ctx; @@ -233,7 +238,7 @@ mbedtls_ctx_init_client (tls_ctx_t * ctx) return -1; } - ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *); + ctx_ptr = uword_to_pointer (mc->mbedtls_ctx_index, void *); mbedtls_ssl_set_bio (&mc->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL); mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT); @@ -241,7 +246,7 @@ mbedtls_ctx_init_client (tls_ctx_t * ctx) * 2. Do the first 2 steps in the handshake. */ TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, - ctx->tls_ctx_idx); + mc->mbedtls_ctx_index); while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { rv = mbedtls_ssl_handshake_step (&mc->ssl); @@ -249,7 +254,7 @@ mbedtls_ctx_init_client (tls_ctx_t * ctx) break; } TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index, - ctx->tls_ctx_idx, mc->ssl.state); + mc->mbedtls_ctx_index, mc->ssl.state); return 0; } @@ -332,7 +337,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) } mbedtls_ssl_session_reset (&mc->ssl); - ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *); + ctx_ptr = uword_to_pointer (mc->mbedtls_ctx_index, void *); mbedtls_ssl_set_bio (&mc->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL); mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_SERVER); @@ -340,7 +345,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) * 3. Start handshake state machine */ TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, - ctx->tls_ctx_idx); + mc->mbedtls_ctx_index); while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { rv = mbedtls_ssl_handshake_step (&mc->ssl); @@ -349,7 +354,7 @@ mbedtls_ctx_init_server (tls_ctx_t * ctx) } TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index, - ctx->tls_ctx_idx, mc->ssl.state); + mc->mbedtls_ctx_index, mc->ssl.state); return 0; exit: @@ -357,7 +362,7 @@ exit: } static int -mbedtls_handshake_rx (tls_ctx_t * ctx) +mbedtls_ctx_handshake_rx (tls_ctx_t * ctx) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; u32 flags; @@ -368,10 +373,10 @@ mbedtls_handshake_rx (tls_ctx_t * ctx) if (rv != 0) break; } - TLS_DBG (2, "tls state for %u is %u", ctx->tls_ctx_idx, mc->ssl.state); + TLS_DBG (2, "tls state for %u is %u", mc->mbedtls_ctx_index, mc->ssl.state); if (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) - return HANDSHAKE_NOT_OVER; + return 0; /* * Handshake complete @@ -392,32 +397,120 @@ mbedtls_handshake_rx (tls_ctx_t * ctx) * Presence of hostname enforces strict certificate verification */ if (ctx->srv_hostname) - return CLIENT_HANDSHAKE_FAIL; + { + tls_notify_app_connected (ctx, /* is failed */ 0); + return -1; + } } - rv = CLIENT_HANDSHAKE_OK; + tls_notify_app_connected (ctx, /* is failed */ 0); } else { - rv = SERVER_HANDSHAKE_OK; + tls_notify_app_accept (ctx); } TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x", - ctx->tls_ctx_idx, mc->ssl.session->ciphersuite); - return rv; + mc->mbedtls_ctx_index, mc->ssl.session->ciphersuite); + return 0; } static int -mbedtls_write (tls_ctx_t * ctx, u8 * buf, u32 len) +mbedtls_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; - return mbedtls_ssl_write (&mc->ssl, buf, len); + u8 thread_index = ctx->c_thread_index; + mbedtls_main_t *mm = &mbedtls_main; + u32 enq_max, deq_max, deq_now; + stream_session_t *tls_session; + int wrote; + + ASSERT (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER); + + deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo); + if (!deq_max) + return 0; + + tls_session = session_get_from_handle (ctx->tls_session_handle); + enq_max = svm_fifo_max_enqueue (tls_session->server_tx_fifo); + deq_now = clib_min (deq_max, TLS_CHUNK_SIZE); + + if (PREDICT_FALSE (enq_max == 0)) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return 0; + } + + vec_validate (mm->tx_bufs[thread_index], deq_now); + svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now, + mm->tx_bufs[thread_index]); + + wrote = mbedtls_ssl_write (&mc->ssl, mm->tx_bufs[thread_index], deq_now); + if (wrote <= 0) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return 0; + } + + svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote); + vec_reset_length (mm->tx_bufs[thread_index]); + tls_add_vpp_q_evt (tls_session->server_tx_fifo, FIFO_EVENT_APP_TX); + + if (deq_now < deq_max) + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + + return 0; } static int -mbedtls_read (tls_ctx_t * ctx, u8 * buf, u32 len) +mbedtls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) { mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx; - return mbedtls_ssl_read (&mc->ssl, buf, len); + mbedtls_main_t *mm = &mbedtls_main; + u8 thread_index = ctx->c_thread_index; + u32 deq_max, enq_max, enq_now; + stream_session_t *app_session; + int read, enq; + + if (PREDICT_FALSE (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)) + { + mbedtls_ctx_handshake_rx (ctx); + return 0; + } + + deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo); + if (!deq_max) + return 0; + + app_session = session_get_from_handle (ctx->app_session_handle); + enq_max = svm_fifo_max_enqueue (app_session->server_rx_fifo); + enq_now = clib_min (enq_max, TLS_CHUNK_SIZE); + + if (PREDICT_FALSE (enq_now == 0)) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + return 0; + } + + vec_validate (mm->rx_bufs[thread_index], enq_now); + read = mbedtls_ssl_read (&mc->ssl, mm->rx_bufs[thread_index], enq_now); + if (read <= 0) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + return 0; + } + + enq = svm_fifo_enqueue_nowait (app_session->server_rx_fifo, read, + mm->rx_bufs[thread_index]); + ASSERT (enq == read); + vec_reset_length (mm->rx_bufs[thread_index]); + + if (svm_fifo_max_dequeue (tls_session->server_rx_fifo)) + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + + if (enq > 0) + tls_notify_app_enqueue (ctx, app_session); + + return enq; } static u8 @@ -434,9 +527,8 @@ const static tls_engine_vft_t mbedtls_engine = { .ctx_get_w_thread = mbedtls_ctx_get_w_thread, .ctx_init_server = mbedtls_ctx_init_server, .ctx_init_client = mbedtls_ctx_init_client, - .ctx_handshake_rx = mbedtls_handshake_rx, - .ctx_write = mbedtls_write, - .ctx_read = mbedtls_read, + .ctx_write = mbedtls_ctx_write, + .ctx_read = mbedtls_ctx_read, .ctx_handshake_is_over = mbedtls_handshake_is_over, }; @@ -526,6 +618,9 @@ tls_mbedtls_init (vlib_main_t * vm) } vec_validate (mm->ctx_pool, num_threads - 1); + vec_validate (mm->rx_bufs, num_threads - 1); + vec_validate (mm->tx_bufs, num_threads - 1); + tls_register_engine (&mbedtls_engine, TLS_ENGINE_MBEDTLS); return 0; } diff --git a/src/plugins/tlsopenssl.am b/src/plugins/tlsopenssl.am new file mode 100644 index 00000000000..d4cab621eea --- /dev/null +++ b/src/plugins/tlsopenssl.am @@ -0,0 +1,21 @@ +# Copyright (c) 2018 Cisco Systems, Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +vppplugins_LTLIBRARIES += tlsopenssl_plugin.la + +tlsopenssl_plugin_la_SOURCES = tlsopenssl/tls_openssl.c +tlsopenssl_plugin_la_LDFLAGS = $(AM_LDFLAGS) -lssl -lcrypto +tlsopenssl_plugin_la_CFLAGS = $(AM_CFLAGS) + +# vi:syntax=automake diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c new file mode 100644 index 00000000000..0817f606ad8 --- /dev/null +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -0,0 +1,675 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include + +typedef struct tls_ctx_openssl_ +{ + tls_ctx_t ctx; /**< First */ + u32 openssl_ctx_index; + SSL_CTX *ssl_ctx; + SSL *ssl; + BIO *rbio; + BIO *wbio; + X509 *srvcert; + EVP_PKEY *pkey; +} openssl_ctx_t; + +typedef struct openssl_main_ +{ + openssl_ctx_t ***ctx_pool; + X509_STORE *cert_store; +} openssl_main_t; + +static openssl_main_t openssl_main; + +static u32 +openssl_ctx_alloc (void) +{ + u8 thread_index = vlib_get_thread_index (); + openssl_main_t *tm = &openssl_main; + openssl_ctx_t **ctx; + + pool_get (tm->ctx_pool[thread_index], ctx); + if (!(*ctx)) + *ctx = clib_mem_alloc (sizeof (openssl_ctx_t)); + + memset (*ctx, 0, sizeof (openssl_ctx_t)); + (*ctx)->ctx.c_thread_index = thread_index; + (*ctx)->ctx.tls_ctx_engine = TLS_ENGINE_OPENSSL; + (*ctx)->ctx.app_session_handle = SESSION_INVALID_HANDLE; + (*ctx)->openssl_ctx_index = ctx - tm->ctx_pool[thread_index]; + return ((*ctx)->openssl_ctx_index); +} + +static void +openssl_ctx_free (tls_ctx_t * ctx) +{ + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + + if (SSL_is_init_finished (oc->ssl) && !ctx->is_passive_close) + SSL_shutdown (oc->ssl); + + if (SSL_is_server (oc->ssl)) + { + X509_free (oc->srvcert); + EVP_PKEY_free (oc->pkey); + } + SSL_free (oc->ssl); + + pool_put_index (openssl_main.ctx_pool[ctx->c_thread_index], + oc->openssl_ctx_index); +} + +static tls_ctx_t * +openssl_ctx_get (u32 ctx_index) +{ + openssl_ctx_t **ctx; + ctx = pool_elt_at_index (openssl_main.ctx_pool[vlib_get_thread_index ()], + ctx_index); + return &(*ctx)->ctx; +} + +static tls_ctx_t * +openssl_ctx_get_w_thread (u32 ctx_index, u8 thread_index) +{ + openssl_ctx_t **ctx; + ctx = pool_elt_at_index (openssl_main.ctx_pool[thread_index], ctx_index); + return &(*ctx)->ctx; +} + +static int +openssl_try_handshake_read (openssl_ctx_t * oc, + stream_session_t * tls_session) +{ + u32 deq_max, deq_now; + svm_fifo_t *f; + int wrote, rv; + + f = tls_session->server_rx_fifo; + deq_max = svm_fifo_max_dequeue (f); + if (!deq_max) + return 0; + + deq_now = clib_min (svm_fifo_max_read_chunk (f), deq_max); + wrote = BIO_write (oc->wbio, svm_fifo_head (f), deq_now); + if (wrote <= 0) + return 0; + + svm_fifo_dequeue_drop (f, wrote); + if (wrote < deq_max) + { + deq_now = clib_min (svm_fifo_max_read_chunk (f), deq_max - wrote); + rv = BIO_write (oc->wbio, svm_fifo_head (f), deq_now); + if (rv > 0) + { + svm_fifo_dequeue_drop (f, rv); + wrote += rv; + } + } + return wrote; +} + +static int +openssl_try_handshake_write (openssl_ctx_t * oc, + stream_session_t * tls_session) +{ + u32 enq_max, deq_now; + svm_fifo_t *f; + int read, rv; + + if (BIO_ctrl_pending (oc->rbio) <= 0) + return 0; + + f = tls_session->server_tx_fifo; + enq_max = svm_fifo_max_enqueue (f); + if (!enq_max) + return 0; + + deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max); + read = BIO_read (oc->rbio, svm_fifo_tail (f), deq_now); + if (read <= 0) + return 0; + + svm_fifo_enqueue_nocopy (f, read); + tls_add_vpp_q_evt (f, FIFO_EVENT_APP_TX); + + if (read < enq_max) + { + deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max - read); + rv = BIO_read (oc->rbio, svm_fifo_tail (f), deq_now); + if (rv > 0) + { + svm_fifo_enqueue_nocopy (f, rv); + read += rv; + } + } + + return read; +} + +static int +openssl_ctx_handshake_rx (tls_ctx_t * ctx, stream_session_t * tls_session) +{ + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + int rv = 0, err; + while (SSL_in_init (oc->ssl)) + { + if (!openssl_try_handshake_read (oc, tls_session)) + break; + + rv = SSL_do_handshake (oc->ssl); + err = SSL_get_error (oc->ssl, rv); + openssl_try_handshake_write (oc, tls_session); + if (err != SSL_ERROR_WANT_WRITE) + { + if (err == SSL_ERROR_SSL) + { + char buf[512]; + ERR_error_string (ERR_get_error (), buf); + clib_warning ("Err: %s", buf); + } + break; + } + } + TLS_DBG (2, "tls state for %u is %s", oc->openssl_ctx_index, + SSL_state_string_long (oc->ssl)); + + if (SSL_in_init (oc->ssl)) + return 0; + + /* + * Handshake complete + */ + if (!SSL_is_server (oc->ssl)) + { + /* + * Verify server certificate + */ + if ((rv = SSL_get_verify_result (oc->ssl)) != X509_V_OK) + { + TLS_DBG (1, " failed verify: %s\n", + X509_verify_cert_error_string (rv)); + + /* + * Presence of hostname enforces strict certificate verification + */ + if (ctx->srv_hostname) + { + tls_notify_app_connected (ctx, /* is failed */ 0); + return -1; + } + } + tls_notify_app_connected (ctx, /* is failed */ 0); + } + else + { + tls_notify_app_accept (ctx); + } + + TLS_DBG (1, "Handshake for %u complete. TLS cipher is %s", + oc->openssl_ctx_index, SSL_get_cipher (oc->ssl)); + return rv; +} + +static inline int +openssl_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session) +{ + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + int wrote = 0, rv, read, max_buf = 100 * TLS_CHUNK_SIZE, max_space; + u32 enq_max, deq_max, deq_now, to_write; + stream_session_t *tls_session; + svm_fifo_t *f; + + f = app_session->server_tx_fifo; + deq_max = svm_fifo_max_dequeue (f); + if (!deq_max) + goto check_tls_fifo; + + max_space = max_buf - BIO_ctrl_pending (oc->rbio); + max_space = (max_space < 0) ? 0 : max_space; + deq_now = clib_min (deq_max, (u32) max_space); + to_write = clib_min (svm_fifo_max_read_chunk (f), deq_now); + wrote = SSL_write (oc->ssl, svm_fifo_head (f), to_write); + if (wrote <= 0) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + goto check_tls_fifo; + } + svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote); + if (wrote < deq_now) + { + to_write = clib_min (svm_fifo_max_read_chunk (f), deq_now - wrote); + rv = SSL_write (oc->ssl, svm_fifo_head (f), to_write); + if (rv > 0) + { + svm_fifo_dequeue_drop (app_session->server_tx_fifo, rv); + wrote += rv; + } + } + + if (deq_now < deq_max) + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + +check_tls_fifo: + + if (BIO_ctrl_pending (oc->rbio) <= 0) + return wrote; + + tls_session = session_get_from_handle (ctx->tls_session_handle); + f = tls_session->server_tx_fifo; + enq_max = svm_fifo_max_enqueue (f); + if (!enq_max) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return wrote; + } + + deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max); + read = BIO_read (oc->rbio, svm_fifo_tail (f), deq_now); + if (read <= 0) + { + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + return wrote; + } + + svm_fifo_enqueue_nocopy (f, read); + tls_add_vpp_q_evt (f, FIFO_EVENT_APP_TX); + + if (read < enq_max && BIO_ctrl_pending (oc->rbio) > 0) + { + deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max - read); + read = BIO_read (oc->rbio, svm_fifo_tail (f), deq_now); + if (read > 0) + svm_fifo_enqueue_nocopy (f, read); + } + + if (BIO_ctrl_pending (oc->rbio) > 0) + tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + + return wrote; +} + +static inline int +openssl_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) +{ + int read, wrote = 0, max_space, max_buf = 100 * TLS_CHUNK_SIZE, rv; + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + u32 deq_max, enq_max, deq_now, to_read; + stream_session_t *app_session; + svm_fifo_t *f; + + if (PREDICT_FALSE (SSL_in_init (oc->ssl))) + { + openssl_ctx_handshake_rx (ctx, tls_session); + return 0; + } + + f = tls_session->server_rx_fifo; + deq_max = svm_fifo_max_dequeue (f); + max_space = max_buf - BIO_ctrl_pending (oc->wbio); + max_space = max_space < 0 ? 0 : max_space; + deq_now = clib_min (deq_max, max_space); + if (!deq_now) + goto check_app_fifo; + + to_read = clib_min (svm_fifo_max_read_chunk (f), deq_now); + wrote = BIO_write (oc->wbio, svm_fifo_head (f), to_read); + if (wrote <= 0) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + goto check_app_fifo; + } + svm_fifo_dequeue_drop (f, wrote); + if (wrote < deq_now) + { + to_read = clib_min (svm_fifo_max_read_chunk (f), deq_now - wrote); + rv = BIO_write (oc->wbio, svm_fifo_head (f), to_read); + if (rv > 0) + { + svm_fifo_dequeue_drop (f, rv); + wrote += rv; + } + } + if (svm_fifo_max_dequeue (f)) + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + +check_app_fifo: + + if (BIO_ctrl_pending (oc->wbio) <= 0) + return wrote; + + app_session = session_get_from_handle (ctx->app_session_handle); + f = app_session->server_rx_fifo; + enq_max = svm_fifo_max_enqueue (f); + if (!enq_max) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + return wrote; + } + + deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max); + read = SSL_read (oc->ssl, svm_fifo_tail (f), deq_now); + if (read <= 0) + { + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + return wrote; + } + svm_fifo_enqueue_nocopy (f, read); + if (read < enq_max && BIO_ctrl_pending (oc->wbio) > 0) + { + deq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max - read); + read = SSL_read (oc->ssl, svm_fifo_tail (f), deq_now); + if (read > 0) + svm_fifo_enqueue_nocopy (f, read); + } + + tls_notify_app_enqueue (ctx, app_session); + if (BIO_ctrl_pending (oc->wbio) > 0) + tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); + + return wrote; +} + +static int +openssl_ctx_init_client (tls_ctx_t * ctx) +{ + char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH"; + long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + openssl_main_t *om = &openssl_main; + stream_session_t *tls_session; + const SSL_METHOD *method; + int rv, err; + + method = SSLv23_client_method (); + if (method == NULL) + { + TLS_DBG (1, "SSLv23_method returned null"); + return -1; + } + + oc->ssl_ctx = SSL_CTX_new (method); + if (oc->ssl_ctx == NULL) + { + TLS_DBG (1, "SSL_CTX_new returned null"); + return -1; + } + + SSL_CTX_set_ecdh_auto (oc->ssl_ctx, 1); + SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) ciphers); + if (rv != 1) + { + TLS_DBG (1, "Couldn't set cipher"); + return -1; + } + + SSL_CTX_set_options (oc->ssl_ctx, flags); + SSL_CTX_set_cert_store (oc->ssl_ctx, om->cert_store); + + oc->ssl = SSL_new (oc->ssl_ctx); + if (oc->ssl == NULL) + { + TLS_DBG (1, "Couldn't initialize ssl struct"); + return -1; + } + + oc->rbio = BIO_new (BIO_s_mem ()); + oc->wbio = BIO_new (BIO_s_mem ()); + + BIO_set_mem_eof_return (oc->rbio, -1); + BIO_set_mem_eof_return (oc->wbio, -1); + + SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); + SSL_set_connect_state (oc->ssl); + + rv = SSL_set_tlsext_host_name (oc->ssl, ctx->srv_hostname); + if (rv != 1) + { + TLS_DBG (1, "Couldn't set hostname"); + return -1; + } + + /* + * 2. Do the first steps in the handshake. + */ + TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, + oc->openssl_ctx_index); + + tls_session = session_get_from_handle (ctx->tls_session_handle); + while (1) + { + rv = SSL_do_handshake (oc->ssl); + err = SSL_get_error (oc->ssl, rv); + openssl_try_handshake_write (oc, tls_session); + if (err != SSL_ERROR_WANT_WRITE) + break; + } + + TLS_DBG (2, "tls state for [%u]%u is su", ctx->c_thread_index, + oc->openssl_ctx_index, SSL_state_string_long (oc->ssl)); + return 0; +} + +static int +openssl_ctx_init_server (tls_ctx_t * ctx) +{ + char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH"; + long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; + openssl_ctx_t *oc = (openssl_ctx_t *) ctx; + stream_session_t *tls_session; + const SSL_METHOD *method; + application_t *app; + int rv, err; + BIO *cert_bio; + + app = application_get (ctx->parent_app_index); + if (!app->tls_cert || !app->tls_key) + { + TLS_DBG (1, "tls cert and/or key not configured %d", + ctx->parent_app_index); + return -1; + } + + method = SSLv23_method (); + oc->ssl_ctx = SSL_CTX_new (method); + if (!oc->ssl_ctx) + { + clib_warning ("Unable to create SSL context"); + return -1; + } + + SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_options (oc->ssl_ctx, flags); + SSL_CTX_set_ecdh_auto (oc->ssl_ctx, 1); + + rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) ciphers); + if (rv != 1) + { + TLS_DBG (1, "Couldn't set cipher"); + return -1; + } + + /* + * Set the key and cert + */ + cert_bio = BIO_new (BIO_s_mem ()); + BIO_write (cert_bio, app->tls_cert, vec_len (app->tls_cert)); + oc->srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL); + if (!oc->srvcert) + { + clib_warning ("unable to parse certificate"); + return -1; + } + BIO_free (cert_bio); + cert_bio = BIO_new (BIO_s_mem ()); + BIO_write (cert_bio, app->tls_key, vec_len (app->tls_key)); + oc->pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL); + if (!oc->pkey) + { + clib_warning ("unable to parse pkey"); + return -1; + } + + BIO_free (cert_bio); + + oc->ssl = SSL_new (oc->ssl_ctx); + if (oc->ssl == NULL) + { + TLS_DBG (1, "Couldn't initialize ssl struct"); + return -1; + } + + oc->rbio = BIO_new (BIO_s_mem ()); + oc->wbio = BIO_new (BIO_s_mem ()); + + BIO_set_mem_eof_return (oc->rbio, -1); + BIO_set_mem_eof_return (oc->wbio, -1); + + SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); + SSL_set_accept_state (oc->ssl); + + TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, + oc->openssl_ctx_index); + + tls_session = session_get_from_handle (ctx->tls_session_handle); + while (1) + { + rv = SSL_do_handshake (oc->ssl); + err = SSL_get_error (oc->ssl, rv); + openssl_try_handshake_write (oc, tls_session); + if (err != SSL_ERROR_WANT_WRITE) + break; + } + + TLS_DBG (2, "tls state for [%u]%u is su", ctx->c_thread_index, + oc->openssl_ctx_index, SSL_state_string_long (oc->ssl)); + return 0; +} + +static u8 +openssl_handshake_is_over (tls_ctx_t * ctx) +{ + openssl_ctx_t *mc = (openssl_ctx_t *) ctx; + if (!mc->ssl) + return 0; + return SSL_is_init_finished (mc->ssl); +} + +const static tls_engine_vft_t openssl_engine = { + .ctx_alloc = openssl_ctx_alloc, + .ctx_free = openssl_ctx_free, + .ctx_get = openssl_ctx_get, + .ctx_get_w_thread = openssl_ctx_get_w_thread, + .ctx_init_server = openssl_ctx_init_server, + .ctx_init_client = openssl_ctx_init_client, + .ctx_write = openssl_ctx_write, + .ctx_read = openssl_ctx_read, + .ctx_handshake_is_over = openssl_handshake_is_over, +}; + +int +tls_init_ca_chain (void) +{ + openssl_main_t *om = &openssl_main; + tls_main_t *tm = vnet_tls_get_main (); + BIO *cert_bio; + X509 *testcert; + int rv; + + if (access (tm->ca_cert_path, F_OK | R_OK) == -1) + { + clib_warning ("Could not initialize TLS CA certificates"); + return -1; + } + + if (!(om->cert_store = X509_STORE_new ())) + { + clib_warning ("failed to create cert store"); + return -1; + } + + rv = X509_STORE_load_locations (om->cert_store, tm->ca_cert_path, 0); + if (rv < 0) + { + clib_warning ("failed to load ca certificate"); + } + + if (tm->use_test_cert_in_ca) + { + cert_bio = BIO_new (BIO_s_mem ()); + BIO_write (cert_bio, test_srv_crt_rsa, test_srv_crt_rsa_len); + testcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL); + if (!testcert) + { + clib_warning ("unable to parse certificate"); + return -1; + } + X509_STORE_add_cert (om->cert_store, testcert); + rv = 0; + } + return (rv < 0 ? -1 : 0); +} + +static clib_error_t * +tls_openssl_init (vlib_main_t * vm) +{ + vlib_thread_main_t *vtm = vlib_get_thread_main (); + openssl_main_t *om = &openssl_main; + clib_error_t *error; + u32 num_threads; + + num_threads = 1 /* main thread */ + vtm->n_threads; + + if ((error = vlib_call_init_function (vm, tls_init))) + return error; + + SSL_library_init (); + SSL_load_error_strings (); + + if (tls_init_ca_chain ()) + { + clib_warning ("failed to initialize TLS CA chain"); + return 0; + } + + vec_validate (om->ctx_pool, num_threads - 1); + + tls_register_engine (&openssl_engine, TLS_ENGINE_OPENSSL); + return 0; +} + +VLIB_INIT_FUNCTION (tls_openssl_init); + +/* *INDENT-OFF* */ +VLIB_PLUGIN_REGISTER () = { + .version = VPP_BUILD_VER, + .description = "openssl based TLS Engine", +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/svm/svm_fifo.h b/src/svm/svm_fifo.h index 0d859513853..d06d77a42f7 100644 --- a/src/svm/svm_fifo.h +++ b/src/svm/svm_fifo.h @@ -167,6 +167,49 @@ svm_fifo_newest_ooo_segment_reset (svm_fifo_t * f) f->ooos_newest = OOO_SEGMENT_INVALID_INDEX; } +/** + * Max contiguous chunk of data that can be read + */ +always_inline u32 +svm_fifo_max_read_chunk (svm_fifo_t * f) +{ + return ((f->tail > f->head) ? (f->tail - f->head) : (f->nitems - f->head)); +} + +/** + * Max contiguous chunk of data that can be written + */ +always_inline u32 +svm_fifo_max_write_chunk (svm_fifo_t * f) +{ + return ((f->tail >= f->head) ? (f->nitems - f->tail) : (f->head - f->tail)); +} + +/** + * Advance tail pointer + * + * Useful for moving tail pointer after external enqueue. + */ +always_inline void +svm_fifo_enqueue_nocopy (svm_fifo_t * f, u32 bytes) +{ + ASSERT (bytes <= svm_fifo_max_enqueue (f)); + f->tail = (f->tail + bytes) % f->nitems; + f->cursize += bytes; +} + +always_inline u8 * +svm_fifo_head (svm_fifo_t * f) +{ + return (f->data + f->head); +} + +always_inline u8 * +svm_fifo_tail (svm_fifo_t * f) +{ + return (f->data + f->tail); +} + always_inline u32 ooo_segment_distance_from_tail (svm_fifo_t * f, u32 pos) { diff --git a/src/vnet/session-apps/echo_client.c b/src/vnet/session-apps/echo_client.c index 5b70d4906bc..2cfb471413c 100644 --- a/src/vnet/session-apps/echo_client.c +++ b/src/vnet/session-apps/echo_client.c @@ -458,8 +458,8 @@ echo_clients_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret) options[APP_OPTIONS_TX_FIFO_SIZE] = ecm->fifo_size; options[APP_OPTIONS_PRIVATE_SEGMENT_COUNT] = ecm->private_segment_count; options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] = prealloc_fifos; - options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; + options[APP_OPTIONS_TLS_ENGINE] = ecm->tls_engine; if (appns_id) { options[APP_OPTIONS_FLAGS] |= appns_flags; @@ -575,6 +575,8 @@ echo_clients_command_fn (vlib_main_t * vm, ecm->test_bytes = 0; ecm->test_failed = 0; ecm->vlib_main = vm; + ecm->tls_engine = TLS_ENGINE_OPENSSL; + if (thread_main->n_vlib_mains > 1) clib_spinlock_init (&ecm->sessions_lock); vec_free (ecm->connect_uri); @@ -632,6 +634,8 @@ echo_clients_command_fn (vlib_main_t * vm, ecm->no_output = 1; else if (unformat (input, "test-bytes")) ecm->test_bytes = 1; + else if (unformat (input, "tls-engine %d", &ecm->tls_engine)) + ; else return clib_error_return (0, "failed: unknown input `%U'", format_unformat_error, input); diff --git a/src/vnet/session-apps/echo_client.h b/src/vnet/session-apps/echo_client.h index 4ae63ecee1f..5712da5b8c8 100644 --- a/src/vnet/session-apps/echo_client.h +++ b/src/vnet/session-apps/echo_client.h @@ -64,7 +64,7 @@ typedef struct u32 connections_per_batch; /**< Connections to rx/tx at once */ u32 private_segment_count; /**< Number of private fifo segs */ u32 private_segment_size; /**< size of private fifo segs */ - + u32 tls_engine; /**< TLS engine mbedtls/openssl */ /* * Test state variables */ diff --git a/src/vnet/session-apps/echo_server.c b/src/vnet/session-apps/echo_server.c index 39d848f5d8c..9f34d4c0a5e 100644 --- a/src/vnet/session-apps/echo_server.c +++ b/src/vnet/session-apps/echo_server.c @@ -40,7 +40,7 @@ typedef struct u32 private_segment_count; /**< Number of private segments */ u32 private_segment_size; /**< Size of private segments */ char *server_uri; /**< Server URI */ - + u32 tls_engine; /**< TLS engine: mbedtls/openssl */ /* * Test state */ @@ -295,6 +295,7 @@ echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret) a->options[APP_OPTIONS_RX_FIFO_SIZE] = esm->fifo_size; a->options[APP_OPTIONS_TX_FIFO_SIZE] = esm->fifo_size; a->options[APP_OPTIONS_PRIVATE_SEGMENT_COUNT] = esm->private_segment_count; + a->options[APP_OPTIONS_TLS_ENGINE] = esm->tls_engine; a->options[APP_OPTIONS_PREALLOC_FIFO_PAIRS] = esm->prealloc_fifos ? esm->prealloc_fifos : 1; @@ -408,6 +409,7 @@ echo_server_create_command_fn (vlib_main_t * vm, unformat_input_t * input, esm->prealloc_fifos = 0; esm->private_segment_count = 0; esm->private_segment_size = 0; + esm->tls_engine = TLS_ENGINE_OPENSSL; vec_free (esm->server_uri); while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) @@ -446,6 +448,8 @@ echo_server_create_command_fn (vlib_main_t * vm, unformat_input_t * input, ; else if (unformat (input, "stop")) is_stop = 1; + else if (unformat (input, "tls-engine %d", &esm->tls_engine)) + ; else return clib_error_return (0, "failed: unknown input `%U'", format_unformat_error, input); diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c index 12f816bfe3b..14169fab83d 100644 --- a/src/vnet/session/application.c +++ b/src/vnet/session/application.c @@ -305,6 +305,8 @@ application_init (application_t * app, u32 api_client_index, u64 * options, props->tx_fifo_size = options[APP_OPTIONS_TX_FIFO_SIZE]; if (options[APP_OPTIONS_EVT_QUEUE_SIZE]) props->evt_q_size = options[APP_OPTIONS_EVT_QUEUE_SIZE]; + if (options[APP_OPTIONS_TLS_ENGINE]) + app->tls_engine = options[APP_OPTIONS_TLS_ENGINE]; props->segment_type = seg_type; first_seg_size = options[APP_OPTIONS_SEGMENT_SIZE]; diff --git a/src/vnet/session/application.h b/src/vnet/session/application.h index 8e5c2de0494..4050cb47bd4 100644 --- a/src/vnet/session/application.h +++ b/src/vnet/session/application.h @@ -125,6 +125,9 @@ typedef struct _application /** PEM encoded key */ u8 *tls_key; + + /** Preferred tls engine */ + u8 tls_engine; } application_t; #define APP_INVALID_INDEX ((u32)~0) diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h index deddb648630..f72a4619974 100644 --- a/src/vnet/session/application_interface.h +++ b/src/vnet/session/application_interface.h @@ -21,6 +21,7 @@ #include #include #include +#include typedef struct _vnet_app_attach_args_t { @@ -124,6 +125,7 @@ typedef enum APP_OPTIONS_NAMESPACE_SECRET, APP_OPTIONS_PROXY_TRANSPORT, APP_OPTIONS_ACCEPT_COOKIE, + APP_OPTIONS_TLS_ENGINE, APP_OPTIONS_N_OPTIONS } app_attach_options_index_t; diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 65900c8b2cf..040db020f77 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -20,8 +20,23 @@ static tls_main_t tls_main; static tls_engine_vft_t *tls_vfts; -#define DEFAULT_ENGINE 0 -void tls_disconnect (u32 ctx_index, u32 thread_index); +#define TLS_INVALID_HANDLE ~0 +#define TLS_IDX_MASK 0x00FFFFFF +#define TLS_ENGINE_TYPE_SHIFT 29 + +void tls_disconnect (u32 ctx_handle, u32 thread_index); + +tls_engine_type_t +tls_get_available_engine (void) +{ + int i; + for (i = 0; i < vec_len (tls_vfts); i++) + { + if (tls_vfts[i].ctx_alloc) + return i; + } + return TLS_ENGINE_NONE; +} int tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type) @@ -169,7 +184,15 @@ tls_ctx_half_open_index (tls_ctx_t * ctx) return (ctx - tls_main.half_open_ctx_pool); } -static int +void +tls_notify_app_enqueue (tls_ctx_t * ctx, stream_session_t * app_session) +{ + application_t *app; + app = application_get_if_valid (app_session->app_index); + tls_add_app_q_evt (app, app_session); +} + +int tls_notify_app_accept (tls_ctx_t * ctx) { stream_session_t *app_listener, *app_session; @@ -185,7 +208,7 @@ tls_notify_app_accept (tls_ctx_t * ctx) app_session = session_alloc (vlib_get_thread_index ()); app_session->app_index = ctx->parent_app_index; - app_session->connection_index = ctx->tls_ctx_idx; + app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = app_listener->session_type; app_session->listener_index = app_listener->session_index; if ((rv = session_alloc_fifos (sm, app_session))) @@ -198,7 +221,7 @@ tls_notify_app_accept (tls_ctx_t * ctx) return app->cb_fns.session_accept_callback (app_session); } -static int +int tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) { int (*cb_fn) (u32, u32, stream_session_t *, u8); @@ -215,7 +238,7 @@ tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) sm = application_get_connect_segment_manager (app); app_session = session_alloc (vlib_get_thread_index ()); app_session->app_index = ctx->parent_app_index; - app_session->connection_index = ctx->tls_ctx_idx; + app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); if (session_alloc_fifos (sm, app_session)) @@ -228,93 +251,91 @@ tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) app_session, 0 /* not failed */ )) { TLS_DBG (1, "failed to notify app"); - tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ()); + tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); } return 0; failed: + tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); return cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, 0, 1 /* failed */ ); } +static inline void +tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type) +{ + *ctx_index = ctx_handle & TLS_IDX_MASK; + *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT; +} + +static inline tls_engine_type_t +tls_get_engine_type (tls_engine_type_t preferred) +{ + if (!tls_vfts[preferred].ctx_alloc) + return tls_get_available_engine (); + return preferred; +} + static inline u32 -tls_ctx_alloc (void) +tls_ctx_alloc (tls_engine_type_t engine_type) { - return tls_vfts[DEFAULT_ENGINE].ctx_alloc (); + u32 ctx_index; + ctx_index = tls_vfts[engine_type].ctx_alloc (); + return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); } static inline void tls_ctx_free (tls_ctx_t * ctx) { vec_free (ctx->srv_hostname); - tls_vfts[DEFAULT_ENGINE].ctx_free (ctx); + tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); } static inline tls_ctx_t * -tls_ctx_get (u32 ctx_index) +tls_ctx_get (u32 ctx_handle) { - return tls_vfts[DEFAULT_ENGINE].ctx_get (ctx_index); + u32 ctx_index, engine_type; + tls_ctx_parse_handle (ctx_handle, &ctx_index, &engine_type); + return tls_vfts[engine_type].ctx_get (ctx_index); } static inline tls_ctx_t * -tls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) +tls_ctx_get_w_thread (u32 ctx_handle, u8 thread_index) { - return tls_vfts[DEFAULT_ENGINE].ctx_get_w_thread (ctx_index, thread_index); + u32 ctx_index, engine_type; + tls_ctx_parse_handle (ctx_handle, &ctx_index, &engine_type); + return tls_vfts[engine_type].ctx_get_w_thread (ctx_index, thread_index); } static inline int tls_ctx_init_server (tls_ctx_t * ctx) { - return tls_vfts[DEFAULT_ENGINE].ctx_init_server (ctx); + return tls_vfts[ctx->tls_ctx_engine].ctx_init_server (ctx); } static inline int tls_ctx_init_client (tls_ctx_t * ctx) { - return tls_vfts[DEFAULT_ENGINE].ctx_init_client (ctx); + return tls_vfts[ctx->tls_ctx_engine].ctx_init_client (ctx); } static inline int -tls_ctx_write (tls_ctx_t * ctx, u8 * buf, u32 len) +tls_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session) { - return tls_vfts[DEFAULT_ENGINE].ctx_write (ctx, buf, len); + return tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session); } static inline int -tls_ctx_read (tls_ctx_t * ctx, u8 * buf, u32 len) +tls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) { - return tls_vfts[DEFAULT_ENGINE].ctx_read (ctx, buf, len); + return tls_vfts[ctx->tls_ctx_engine].ctx_read (ctx, tls_session); } static inline u8 tls_ctx_handshake_is_over (tls_ctx_t * ctx) { - return tls_vfts[DEFAULT_ENGINE].ctx_handshake_is_over (ctx); -} - -static inline int -tls_handshake_rx (tls_ctx_t * ctx) -{ - int rv; - rv = tls_vfts[DEFAULT_ENGINE].ctx_handshake_rx (ctx); - - switch (rv) - { - case CLIENT_HANDSHAKE_OK: - tls_notify_app_connected (ctx, /* is failed */ 0); - break; - case CLIENT_HANDSHAKE_FAIL: - tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ()); - tls_notify_app_connected (ctx, /* is failed */ 1); - break; - case SERVER_HANDSHAKE_OK: - tls_notify_app_accept (ctx); - break; - default: - return 0; - } - return 0; + return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx); } void @@ -360,23 +381,24 @@ tls_session_accept_callback (stream_session_t * tls_session) { stream_session_t *tls_listener; tls_ctx_t *lctx, *ctx; - u32 ctx_index; + u32 ctx_handle; tls_listener = listen_session_get (tls_session->session_type, tls_session->listener_index); lctx = tls_listener_ctx_get (tls_listener->opaque); - ctx_index = tls_ctx_alloc (); - ctx = tls_ctx_get (ctx_index); + + ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); + ctx = tls_ctx_get (ctx_handle); memcpy (ctx, lctx, sizeof (*lctx)); ctx->c_thread_index = vlib_get_thread_index (); - ctx->tls_ctx_idx = ctx_index; + ctx->tls_ctx_handle = ctx_handle; tls_session->session_state = SESSION_STATE_READY; - tls_session->opaque = ctx_index; + tls_session->opaque = ctx_handle; ctx->tls_session_handle = session_handle (tls_session); ctx->listener_ctx_index = tls_listener->opaque; - TLS_DBG (1, "Accept on listener %u new connection [%u]%u", - tls_listener->opaque, vlib_get_thread_index (), ctx_index); + TLS_DBG (1, "Accept on listener %u new connection [%u]%x", + tls_listener->opaque, vlib_get_thread_index (), ctx_handle); return tls_ctx_init_server (ctx); } @@ -384,95 +406,22 @@ tls_session_accept_callback (stream_session_t * tls_session) int tls_app_tx_callback (stream_session_t * app_session) { - stream_session_t *tls_session; tls_ctx_t *ctx; - static u8 *tmp_buf; - u32 enq_max, deq_max, deq_now; - int wrote; - - ctx = tls_ctx_get (app_session->connection_index); - if (!tls_ctx_handshake_is_over (ctx)) - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - - deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo); - if (!deq_max) + if (PREDICT_FALSE (app_session->session_state == SESSION_STATE_CLOSED)) return 0; - - tls_session = session_get_from_handle (ctx->tls_session_handle); - enq_max = svm_fifo_max_enqueue (tls_session->server_tx_fifo); - deq_now = clib_min (deq_max, TLS_CHUNK_SIZE); - - if (PREDICT_FALSE (enq_max == 0)) - { - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - return 0; - } - - vec_validate (tmp_buf, deq_now); - svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now, tmp_buf); - wrote = tls_ctx_write (ctx, tmp_buf, deq_now); - if (wrote <= 0) - { - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - return 0; - } - - svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote); - vec_reset_length (tmp_buf); - - tls_add_vpp_q_evt (tls_session->server_tx_fifo, FIFO_EVENT_APP_TX); - - if (deq_now < deq_max) - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - + ctx = tls_ctx_get (app_session->connection_index); + tls_ctx_write (ctx, app_session); return 0; } int tls_app_rx_callback (stream_session_t * tls_session) { - stream_session_t *app_session; - u32 deq_max, enq_max, enq_now; - application_t *app; - static u8 *tmp_buf; tls_ctx_t *ctx; - int read, enq; ctx = tls_ctx_get (tls_session->opaque); - if (!tls_ctx_handshake_is_over (ctx)) - return tls_handshake_rx (ctx); - - deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo); - if (!deq_max) - return 0; - - app_session = session_get_from_handle (ctx->app_session_handle); - enq_max = svm_fifo_max_enqueue (app_session->server_rx_fifo); - enq_now = clib_min (enq_max, TLS_CHUNK_SIZE); - - if (PREDICT_FALSE (enq_now == 0)) - { - tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); - return 0; - } - - vec_validate (tmp_buf, enq_now); - read = tls_ctx_read (ctx, tmp_buf, enq_now); - if (read <= 0) - { - tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); - return 0; - } - - enq = svm_fifo_enqueue_nowait (app_session->server_rx_fifo, read, tmp_buf); - ASSERT (enq == read); - vec_reset_length (tmp_buf); - - if (svm_fifo_max_dequeue (tls_session->server_rx_fifo)) - tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); - - app = application_get_if_valid (app_session->app_index); - return tls_add_app_q_evt (app, app_session); + tls_ctx_read (ctx, tls_session); + return 0; } int @@ -482,7 +431,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, int (*cb_fn) (u32, u32, stream_session_t *, u8); application_t *app; tls_ctx_t *ho_ctx, *ctx; - u32 ctx_index; + u32 ctx_handle; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); app = application_get (ho_ctx->parent_app_index); @@ -496,21 +445,21 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, 1 /* failed */ ); } - ctx_index = tls_ctx_alloc (); - ctx = tls_ctx_get (ctx_index); + ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); + ctx = tls_ctx_get (ctx_handle); clib_memcpy (ctx, ho_ctx, sizeof (*ctx)); tls_ctx_half_open_reader_unlock (); tls_ctx_half_open_free (ho_ctx_index); ctx->c_thread_index = vlib_get_thread_index (); - ctx->tls_ctx_idx = ctx_index; + ctx->tls_ctx_handle = ctx_handle; - TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%u", + TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x", ho_ctx_index, is_fail, vlib_get_thread_index (), - (ctx) ? ctx_index : ~0); + (ctx) ? ctx_handle : ~0); ctx->tls_session_handle = session_handle (tls_session); - tls_session->opaque = ctx_index; + tls_session->opaque = ctx_handle; tls_session->session_state = SESSION_STATE_READY; return tls_ctx_init_client (ctx); @@ -533,6 +482,7 @@ int tls_connect (transport_endpoint_t * tep) { session_endpoint_extended_t *sep; + tls_engine_type_t engine_type; session_endpoint_t tls_sep; tls_main_t *tm = &tls_main; application_t *app; @@ -541,6 +491,13 @@ tls_connect (transport_endpoint_t * tep) int rv; sep = (session_endpoint_extended_t *) tep; + app = application_get (sep->app_index); + engine_type = tls_get_engine_type (app->tls_engine); + if (engine_type == TLS_ENGINE_NONE) + { + clib_warning ("No tls engine_type available"); + return -1; + } ctx_index = tls_ctx_half_open_alloc (); ctx = tls_ctx_half_open_get (ctx_index); @@ -554,27 +511,27 @@ tls_connect (transport_endpoint_t * tep) } tls_ctx_half_open_reader_unlock (); - app = application_get (sep->app_index); application_alloc_connects_segment_manager (app); + ctx->tls_ctx_engine = engine_type; clib_memcpy (&tls_sep, sep, sizeof (tls_sep)); tls_sep.transport_proto = TRANSPORT_PROTO_TCP; if ((rv = application_connect (tm->app_index, ctx_index, &tls_sep))) return rv; - TLS_DBG (1, "New connect request %u", ctx_index); + TLS_DBG (1, "New connect request %u engine %d", ctx_index, engine_type); return 0; } void -tls_disconnect (u32 ctx_index, u32 thread_index) +tls_disconnect (u32 ctx_handle, u32 thread_index) { stream_session_t *tls_session, *app_session; tls_ctx_t *ctx; - TLS_DBG (1, "Disconnecting %u", ctx_index); + TLS_DBG (1, "Disconnecting %x", ctx_handle); - ctx = tls_ctx_get (ctx_index); + ctx = tls_ctx_get (ctx_handle); tls_session = session_get_from_handle (ctx->tls_session_handle); stream_session_disconnect (tls_session); @@ -593,7 +550,7 @@ u32 tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) { tls_main_t *tm = &tls_main; - application_t *tls_app; + application_t *tls_app, *app; session_handle_t tls_handle; session_endpoint_extended_t *sep; stream_session_t *tls_listener; @@ -601,12 +558,18 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) u32 lctx_index; session_type_t st; stream_session_t *app_listener; + tls_engine_type_t engine_type; sep = (session_endpoint_extended_t *) tep; + app = application_get (sep->app_index); + engine_type = tls_get_engine_type (app->tls_engine); + if (engine_type == TLS_ENGINE_NONE) + { + clib_warning ("No tls engine_type available"); + return -1; + } + lctx_index = tls_listener_ctx_alloc (); - lctx = tls_listener_ctx_get (lctx_index); - st = session_type_from_proto_and_ip (sep->transport_proto, sep->is_ip4); - app_listener = listen_session_get (st, app_listener_index); tls_app = application_get (tm->app_index); sep->transport_proto = TRANSPORT_PROTO_TCP; @@ -616,10 +579,19 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) tls_listener = listen_session_get_from_handle (tls_handle); tls_listener->opaque = lctx_index; + + st = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, sep->is_ip4); + app_listener = listen_session_get (st, app_listener_index); + + lctx = tls_listener_ctx_get (lctx_index); lctx->parent_app_index = sep->app_index; lctx->tls_session_handle = tls_handle; lctx->app_session_handle = listen_session_get_handle (app_listener); lctx->tcp_is_ip4 = sep->is_ip4; + lctx->tls_ctx_engine = engine_type; + + TLS_DBG (1, "Started listening %d, engine type %d", lctx_index, + engine_type); return lctx_index; } @@ -739,11 +711,15 @@ tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) clib_error_t * tls_init (vlib_main_t * vm) { + vlib_thread_main_t *vtm = vlib_get_thread_main (); vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; u32 segment_size = 512 << 20; tls_main_t *tm = &tls_main; u32 fifo_size = 64 << 10; + u32 num_threads; + + num_threads = 1 /* main thread */ + vtm->n_threads; memset (a, 0, sizeof (*a)); memset (options, 0, sizeof (options)); @@ -769,6 +745,9 @@ tls_init (vlib_main_t * vm) tm->app_index = a->app_index; clib_rwlock_init (&tm->half_open_rwlock); + vec_validate (tm->rx_bufs, num_threads - 1); + vec_validate (tm->tx_bufs, num_threads - 1); + transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, FIB_PROTOCOL_IP4, ~0); transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h index 0dfc48bd336..c900b10b5e7 100644 --- a/src/vnet/tls/tls.h +++ b/src/vnet/tls/tls.h @@ -43,6 +43,7 @@ typedef CLIB_PACKED (struct tls_cxt_id_ session_handle_t tls_session_handle; u32 listener_ctx_index; u8 tcp_is_ip4; + u8 tls_engine_id; }) tls_ctx_id_t; /* *INDENT-ON* */ @@ -60,7 +61,8 @@ typedef struct tls_ctx_ #define tls_session_handle c_tls_ctx_id.tls_session_handle #define listener_ctx_index c_tls_ctx_id.listener_ctx_index #define tcp_is_ip4 c_tls_ctx_id.tcp_is_ip4 -#define tls_ctx_idx c_c_index +#define tls_ctx_engine c_tls_ctx_id.tls_engine_id +#define tls_ctx_handle c_c_index /* Temporary storage for session open opaque. Overwritten once * underlying tcp connection is established */ #define parent_app_api_context c_s_index @@ -75,6 +77,8 @@ typedef struct tls_main_ tls_ctx_t *listener_ctx_pool; tls_ctx_t *half_open_ctx_pool; clib_rwlock_t half_open_rwlock; + u8 **rx_bufs; + u8 **tx_bufs; /* * Config @@ -91,22 +95,14 @@ typedef struct tls_engine_vft_ tls_ctx_t *(*ctx_get_w_thread) (u32 ctx_index, u8 thread_index); int (*ctx_init_client) (tls_ctx_t * ctx); int (*ctx_init_server) (tls_ctx_t * ctx); - int (*ctx_read) (tls_ctx_t * ctx, u8 * buf, u32 len); - int (*ctx_write) (tls_ctx_t * ctx, u8 * buf, u32 len); - int (*ctx_handshake_rx) (tls_ctx_t * ctx); + int (*ctx_read) (tls_ctx_t * ctx, stream_session_t * tls_session); + int (*ctx_write) (tls_ctx_t * ctx, stream_session_t * app_session); u8 (*ctx_handshake_is_over) (tls_ctx_t * ctx); } tls_engine_vft_t; -enum tls_handshake_results_ -{ - HANDSHAKE_NOT_OVER, - CLIENT_HANDSHAKE_OK, - CLIENT_HANDSHAKE_FAIL, - SERVER_HANDSHAKE_OK -}; - typedef enum tls_engine_type_ { + TLS_ENGINE_NONE, TLS_ENGINE_MBEDTLS, TLS_ENGINE_OPENSSL, TLS_N_ENGINES @@ -116,7 +112,9 @@ tls_main_t *vnet_tls_get_main (void); void tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type); int tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type); - +int tls_notify_app_accept (tls_ctx_t * ctx); +int tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed); +void tls_notify_app_enqueue (tls_ctx_t * ctx, stream_session_t * app_session); #endif /* SRC_VNET_TLS_TLS_H_ */ /* * fd.io coding-style-patch-verification: ON -- 2.16.6