FD.io VPP  v19.04.1-1-ge4a0f9f
Vector Packet Processing
tls_mbedtls.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2018 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <mbedtls/ssl.h>
17 #include <mbedtls/certs.h>
18 #include <mbedtls/entropy.h>
19 #include <mbedtls/ctr_drbg.h>
20 #include <mbedtls/timing.h>
21 #include <mbedtls/debug.h>
22 #include <vnet/plugin/plugin.h>
23 #include <vpp/app/version.h>
24 #include <vnet/tls/tls.h>
25 
26 #define TLS_USE_OUR_MEM_FUNCS 0
27 
28 typedef struct tls_ctx_mbedtls_
29 {
30  tls_ctx_t ctx; /**< First */
32  mbedtls_ssl_context ssl;
33  mbedtls_ssl_config conf;
34  mbedtls_x509_crt srvcert;
35  mbedtls_pk_context pkey;
37 
38 typedef struct mbedtls_main_
39 {
41  mbedtls_ctr_drbg_context *ctr_drbgs;
42  mbedtls_entropy_context *entropy_pools;
43  mbedtls_x509_crt cacert;
47 
49 
50 #if TLS_USE_OUR_MEM_FUNCS
51 #include <mbedtls/platform.h>
52 
53 void *
54 mbedtls_calloc_fn (size_t n, size_t size)
55 {
56  void *ptr;
57  ptr = clib_mem_alloc (n * size);
58  clib_memset (ptr, 0, sizeof (*ptr));
59  return ptr;
60 }
61 
62 void
63 mbedtls_free_fn (void *ptr)
64 {
65  if (ptr)
66  clib_mem_free (ptr);
67 }
68 #endif
69 
70 static u32
72 {
73  u8 thread_index = vlib_get_thread_index ();
76 
77  pool_get (tm->ctx_pool[thread_index], ctx);
78  if (!(*ctx))
79  *ctx = clib_mem_alloc (sizeof (mbedtls_ctx_t));
80 
81  clib_memset (*ctx, 0, sizeof (mbedtls_ctx_t));
82  (*ctx)->ctx.c_thread_index = thread_index;
83  (*ctx)->ctx.tls_ctx_engine = TLS_ENGINE_MBEDTLS;
84  (*ctx)->mbedtls_ctx_index = ctx - tm->ctx_pool[thread_index];
85  return ((*ctx)->mbedtls_ctx_index);
86 }
87 
88 static void
90 {
91  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
92 
93  if (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER && !ctx->is_passive_close)
94  mbedtls_ssl_close_notify (&mc->ssl);
95  if (mc->ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
96  {
97  mbedtls_x509_crt_free (&mc->srvcert);
98  mbedtls_pk_free (&mc->pkey);
99  }
100  mbedtls_ssl_free (&mc->ssl);
101  mbedtls_ssl_config_free (&mc->conf);
102 
103  pool_put_index (mbedtls_main.ctx_pool[ctx->c_thread_index],
104  mc->mbedtls_ctx_index);
105 }
106 
107 static tls_ctx_t *
108 mbedtls_ctx_get (u32 ctx_index)
109 {
110  mbedtls_ctx_t **ctx;
111  ctx = pool_elt_at_index (mbedtls_main.ctx_pool[vlib_get_thread_index ()],
112  ctx_index);
113  return &(*ctx)->ctx;
114 }
115 
116 static tls_ctx_t *
117 mbedtls_ctx_get_w_thread (u32 ctx_index, u8 thread_index)
118 {
119  mbedtls_ctx_t **ctx;
120  ctx = pool_elt_at_index (mbedtls_main.ctx_pool[thread_index], ctx_index);
121  return &(*ctx)->ctx;
122 }
123 
124 static int
126 {
127  u32 thread_index = vlib_get_thread_index ();
129  u8 *pers;
130  int rv;
131  pers = format (0, "vpp thread %u", thread_index);
132 
133  mbedtls_entropy_init (&tm->entropy_pools[thread_index]);
134  mbedtls_ctr_drbg_init (&mbedtls_main.ctr_drbgs[thread_index]);
135  if ((rv = mbedtls_ctr_drbg_seed (&tm->ctr_drbgs[thread_index],
136  mbedtls_entropy_func,
137  &tm->entropy_pools[thread_index],
138  (const unsigned char *) pers,
139  vec_len (pers))) != 0)
140  {
141  vec_free (pers);
142  TLS_DBG (1, " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", rv);
143  return -1;
144  }
145  vec_free (pers);
146  return 0;
147 }
148 
149 mbedtls_ctr_drbg_context *
151 {
152  u8 thread_index = vlib_get_thread_index ();
153  if (PREDICT_FALSE (!mbedtls_main.ctr_drbgs[thread_index].f_entropy))
155  return &mbedtls_main.ctr_drbgs[thread_index];
156 }
157 
158 static int
159 tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len)
160 {
161  session_t *tls_session;
162  uword ctx_index;
163  tls_ctx_t *ctx;
164  int rv;
165 
166  ctx_index = pointer_to_uword (ctx_indexp);
167  ctx = mbedtls_ctx_get (ctx_index);
168  tls_session = session_get_from_handle (ctx->tls_session_handle);
169  rv = svm_fifo_enqueue_nowait (tls_session->tx_fifo, len, buf);
170  if (rv < 0)
171  return MBEDTLS_ERR_SSL_WANT_WRITE;
172  tls_add_vpp_q_tx_evt (tls_session);
173  return rv;
174 }
175 
176 static int
177 tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len)
178 {
179  session_t *tls_session;
180  uword ctx_index;
181  tls_ctx_t *ctx;
182  int rv;
183 
184  ctx_index = pointer_to_uword (ctx_indexp);
185  ctx = mbedtls_ctx_get (ctx_index);
186  tls_session = session_get_from_handle (ctx->tls_session_handle);
187  rv = svm_fifo_dequeue_nowait (tls_session->rx_fifo, len, buf);
188  return (rv < 0) ? 0 : rv;
189 }
190 
191 static void
192 mbedtls_debug (void *ctx, int level, const char *file, int line,
193  const char *str)
194 {
195  ((void) level);
196  fprintf ((FILE *) ctx, "%s:%04d: %s", file, line, str);
197  fflush ((FILE *) ctx);
198 }
199 
200 static int
202 {
203  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
205  void *ctx_ptr;
206  int rv;
207 
208  /*
209  * 1. Setup SSL
210  */
211  mbedtls_ssl_init (&mc->ssl);
212  mbedtls_ssl_config_init (&mc->conf);
213  if ((rv = mbedtls_ssl_config_defaults (&mc->conf, MBEDTLS_SSL_IS_CLIENT,
214  MBEDTLS_SSL_TRANSPORT_STREAM,
215  MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
216  {
217  TLS_DBG (1, "failed\n ! mbedtls_ssl_config_defaults returned %d\n\n",
218  rv);
219  return -1;
220  }
221 
222  mbedtls_ssl_conf_authmode (&mc->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
223  mbedtls_ssl_conf_ca_chain (&mc->conf, &mm->cacert, NULL);
224  mbedtls_ssl_conf_rng (&mc->conf, mbedtls_ctr_drbg_random,
225  tls_get_ctr_drbg ());
226  mbedtls_ssl_conf_dbg (&mc->conf, mbedtls_debug, stdout);
227 
228  if ((rv = mbedtls_ssl_setup (&mc->ssl, &mc->conf)) != 0)
229  {
230  TLS_DBG (1, "failed\n ! mbedtls_ssl_setup returned %d\n", rv);
231  return -1;
232  }
233 
234  if ((rv = mbedtls_ssl_set_hostname (&mc->ssl,
235  (const char *) ctx->srv_hostname)) != 0)
236  {
237  TLS_DBG (1, "failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv);
238  return -1;
239  }
240 
241  ctx_ptr = uword_to_pointer (mc->mbedtls_ctx_index, void *);
242  mbedtls_ssl_set_bio (&mc->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
243  mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT);
244 
245  /*
246  * 2. Do the first 2 steps in the handshake.
247  */
248  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
249  mc->mbedtls_ctx_index);
250  while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
251  {
252  rv = mbedtls_ssl_handshake_step (&mc->ssl);
253  if (rv != 0)
254  break;
255  }
256  TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
257  mc->mbedtls_ctx_index, mc->ssl.state);
258  return 0;
259 }
260 
261 static int
263 {
264  return 0;
265 }
266 
267 static int
269 {
270  return 0;
271 }
272 
273 static int
275 {
276  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
278  app_worker_t *app_wrk;
279  application_t *app;
280  void *ctx_ptr;
281  int rv;
282 
283  mbedtls_ssl_init (&mc->ssl);
284  mbedtls_ssl_config_init (&mc->conf);
285  mbedtls_x509_crt_init (&mc->srvcert);
286  mbedtls_pk_init (&mc->pkey);
287 
288  /*
289  * 1. Cert
290  */
291  app_wrk = app_worker_get (ctx->parent_app_wrk_index);
292  if (!app_wrk)
293  return -1;
294 
295  app = application_get (app_wrk->app_index);
296  if (!app->tls_cert || !app->tls_key)
297  {
298  TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d",
299  ctx->parent_app_wrk_index);
300  return -1;
301  }
302 
303  rv = mbedtls_x509_crt_parse (&mc->srvcert,
304  (const unsigned char *) app->tls_cert,
305  vec_len (app->tls_cert));
306  if (rv != 0)
307  {
308  TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
309  goto exit;
310  }
311 
312  rv = mbedtls_pk_parse_key (&mc->pkey,
313  (const unsigned char *) app->tls_key,
314  vec_len (app->tls_key), NULL, 0);
315  if (rv != 0)
316  {
317  TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv);
318  goto exit;
319  }
320 
321  /*
322  * 2. SSL context config
323  */
324  if ((rv = mbedtls_ssl_config_defaults (&mc->conf, MBEDTLS_SSL_IS_SERVER,
325  MBEDTLS_SSL_TRANSPORT_STREAM,
326  MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
327  {
328  TLS_DBG (1, " failed\n ! mbedtls_ssl_config_defaults returned %d", rv);
329  goto exit;
330  }
331 
332  mbedtls_ssl_conf_rng (&mc->conf, mbedtls_ctr_drbg_random,
333  tls_get_ctr_drbg ());
334  mbedtls_ssl_conf_dbg (&mc->conf, mbedtls_debug, stdout);
335 
336  /* TODO CACHE
337  mbedtls_ssl_conf_session_cache( &ctx->conf, &cache,
338  mbedtls_ssl_cache_get,
339  mbedtls_ssl_cache_set );
340  */
341 
342  mbedtls_ssl_conf_ca_chain (&mc->conf, &mm->cacert, NULL);
343  if ((rv = mbedtls_ssl_conf_own_cert (&mc->conf, &mc->srvcert, &mc->pkey))
344  != 0)
345  {
346  TLS_DBG (1, " failed\n ! mbedtls_ssl_conf_own_cert returned %d", rv);
347  goto exit;
348  }
349 
350  if ((rv = mbedtls_ssl_setup (&mc->ssl, &mc->conf)) != 0)
351  {
352  TLS_DBG (1, " failed\n ! mbedtls_ssl_setup returned %d", rv);
353  goto exit;
354  }
355 
356  mbedtls_ssl_session_reset (&mc->ssl);
357  ctx_ptr = uword_to_pointer (mc->mbedtls_ctx_index, void *);
358  mbedtls_ssl_set_bio (&mc->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
359  mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_SERVER);
360 
361  /*
362  * 3. Start handshake state machine
363  */
364  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
365  mc->mbedtls_ctx_index);
366  while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
367  {
368  rv = mbedtls_ssl_handshake_step (&mc->ssl);
369  if (rv != 0)
370  break;
371  }
372 
373  TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
374  mc->mbedtls_ctx_index, mc->ssl.state);
375  return 0;
376 
377 exit:
378  return -1;
379 }
380 
381 static int
383 {
384  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
385  u32 flags;
386  int rv;
387  while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
388  {
389  rv = mbedtls_ssl_handshake_step (&mc->ssl);
390  if (rv != 0)
391  break;
392  }
393  TLS_DBG (2, "tls state for %u is %u", mc->mbedtls_ctx_index, mc->ssl.state);
394 
395  if (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
396  return 0;
397 
398  /*
399  * Handshake complete
400  */
401  if (mc->ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
402  {
403  /*
404  * Verify server certificate
405  */
406  if ((flags = mbedtls_ssl_get_verify_result (&mc->ssl)) != 0)
407  {
408  char buf[512];
409  TLS_DBG (1, " failed\n");
410  mbedtls_x509_crt_verify_info (buf, sizeof (buf), " ! ", flags);
411  TLS_DBG (1, "%s\n", buf);
412 
413  /*
414  * Presence of hostname enforces strict certificate verification
415  */
416  if (ctx->srv_hostname)
417  {
418  tls_notify_app_connected (ctx, /* is failed */ 0);
419  return -1;
420  }
421  }
422  tls_notify_app_connected (ctx, /* is failed */ 0);
423  }
424  else
425  {
426  tls_notify_app_accept (ctx);
427  }
428 
429  TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x",
430  mc->mbedtls_ctx_index, mc->ssl.session->ciphersuite);
431  return 0;
432 }
433 
434 static int
436 {
437  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
438  u8 thread_index = ctx->c_thread_index;
440  u32 enq_max, deq_max, deq_now;
441  session_t *tls_session;
442  int wrote;
443 
444  ASSERT (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
445 
446  deq_max = svm_fifo_max_dequeue (app_session->tx_fifo);
447  if (!deq_max)
448  return 0;
449 
450  tls_session = session_get_from_handle (ctx->tls_session_handle);
451  enq_max = svm_fifo_max_enqueue (tls_session->tx_fifo);
452  deq_now = clib_min (deq_max, TLS_CHUNK_SIZE);
453 
454  if (PREDICT_FALSE (enq_max == 0))
455  {
456  tls_add_vpp_q_builtin_tx_evt (app_session);
457  return 0;
458  }
459 
460  vec_validate (mm->tx_bufs[thread_index], deq_now);
461  svm_fifo_peek (app_session->tx_fifo, 0, deq_now, mm->tx_bufs[thread_index]);
462 
463  wrote = mbedtls_ssl_write (&mc->ssl, mm->tx_bufs[thread_index], deq_now);
464  if (wrote <= 0)
465  {
466  tls_add_vpp_q_builtin_tx_evt (app_session);
467  return 0;
468  }
469 
470  svm_fifo_dequeue_drop (app_session->tx_fifo, wrote);
471  vec_reset_length (mm->tx_bufs[thread_index]);
472  tls_add_vpp_q_tx_evt (tls_session);
473 
474  if (deq_now < deq_max)
475  tls_add_vpp_q_builtin_tx_evt (app_session);
476 
477  return 0;
478 }
479 
480 static int
482 {
483  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
485  u8 thread_index = ctx->c_thread_index;
486  u32 deq_max, enq_max, enq_now;
487  session_t *app_session;
488  int read, enq;
489 
490  if (PREDICT_FALSE (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER))
491  {
493  return 0;
494  }
495 
496  deq_max = svm_fifo_max_dequeue (tls_session->rx_fifo);
497  if (!deq_max)
498  return 0;
499 
500  app_session = session_get_from_handle (ctx->app_session_handle);
501  enq_max = svm_fifo_max_enqueue (app_session->rx_fifo);
502  enq_now = clib_min (enq_max, TLS_CHUNK_SIZE);
503 
504  if (PREDICT_FALSE (enq_now == 0))
505  {
506  tls_add_vpp_q_builtin_rx_evt (tls_session);
507  return 0;
508  }
509 
510  vec_validate (mm->rx_bufs[thread_index], enq_now);
511  read = mbedtls_ssl_read (&mc->ssl, mm->rx_bufs[thread_index], enq_now);
512  if (read <= 0)
513  {
514  tls_add_vpp_q_builtin_rx_evt (tls_session);
515  return 0;
516  }
517 
518  enq = svm_fifo_enqueue_nowait (app_session->rx_fifo, read,
519  mm->rx_bufs[thread_index]);
520  ASSERT (enq == read);
521  vec_reset_length (mm->rx_bufs[thread_index]);
522 
523  if (svm_fifo_max_dequeue (tls_session->rx_fifo))
524  tls_add_vpp_q_builtin_rx_evt (tls_session);
525 
526  if (enq > 0)
527  tls_notify_app_enqueue (ctx, app_session);
528 
529  return enq;
530 }
531 
532 static u8
534 {
535  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
536  return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
537 }
538 
539 const static tls_engine_vft_t mbedtls_engine = {
541  .ctx_free = mbedtls_ctx_free,
542  .ctx_get = mbedtls_ctx_get,
543  .ctx_get_w_thread = mbedtls_ctx_get_w_thread,
544  .ctx_init_server = mbedtls_ctx_init_server,
545  .ctx_init_client = mbedtls_ctx_init_client,
546  .ctx_write = mbedtls_ctx_write,
547  .ctx_read = mbedtls_ctx_read,
548  .ctx_handshake_is_over = mbedtls_handshake_is_over,
549  .ctx_start_listen = mbedtls_start_listen,
550  .ctx_stop_listen = mbedtls_stop_listen,
551 };
552 
553 int
555 {
556 #if TLS_USE_OUR_MEM_FUNCS
557  mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn);
558 #endif
559  return 0;
560 }
561 
562 static int
564 {
566  int i;
567 
568  vec_validate (mm->ctr_drbgs, num_threads - 1);
569  vec_validate (mm->entropy_pools, num_threads - 1);
570  for (i = 0; i < num_threads; i++)
571  mm->ctr_drbgs[i].f_entropy = 0;
572 
573  return 0;
574 }
575 
576 int
578 {
580  tls_main_t *tm = vnet_tls_get_main ();
581  int rv;
582 
583  if (access (tm->ca_cert_path, F_OK | R_OK) == -1)
584  {
585  clib_warning ("Could not initialize TLS CA certificates");
586  return -1;
587  }
588 
589  mbedtls_x509_crt_init (&mm->cacert);
590  rv = mbedtls_x509_crt_parse_file (&mm->cacert, tm->ca_cert_path);
591  if (rv < 0)
592  {
593  clib_warning ("Couldn't parse system CA certificates: -0x%x", -rv);
594  }
595  if (tm->use_test_cert_in_ca)
596  {
597  rv = mbedtls_x509_crt_parse (&mm->cacert,
598  (const unsigned char *) test_srv_crt_rsa,
600  if (rv < 0)
601  {
602  clib_warning ("Couldn't parse test certificate: -0x%x", -rv);
603  return -1;
604  }
605  }
606  return (rv < 0 ? -1 : 0);
607 }
608 
609 static clib_error_t *
611 {
614  clib_error_t *error;
615  u32 num_threads;
616 
617  num_threads = 1 /* main thread */ + vtm->n_threads;
618 
619  if ((error = vlib_call_init_function (vm, tls_init)))
620  return error;
621 
622  if (tls_init_ca_chain ())
623  {
624  clib_warning ("failed to initialize TLS CA chain");
625  return 0;
626  }
627  if (tls_init_mem ())
628  {
629  clib_warning ("failed to initialize mem");
630  return 0;
631  }
632  if (tls_init_ctr_drbgs_and_entropy (num_threads))
633  {
634  clib_warning ("failed to initialize entropy and random generators");
635  return 0;
636  }
637 
638  vec_validate (mm->ctx_pool, num_threads - 1);
639  vec_validate (mm->rx_bufs, num_threads - 1);
640  vec_validate (mm->tx_bufs, num_threads - 1);
641 
642  tls_register_engine (&mbedtls_engine, TLS_ENGINE_MBEDTLS);
643  return 0;
644 }
645 
647 
648 /* *INDENT-OFF* */
650  .version = VPP_BUILD_VER,
651  .description = "Transport Layer Security (TLS) Engine, Mbedtls Based",
652 };
653 /* *INDENT-ON* */
654 
655 /*
656  * fd.io coding-style-patch-verification: ON
657  *
658  * Local Variables:
659  * eval: (c-set-style "gnu")
660  * End:
661  */
mbedtls_ctr_drbg_context * tls_get_ctr_drbg()
Definition: tls_mbedtls.c:150
tls_main_t * vnet_tls_get_main(void)
Definition: tls.c:833
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:439
mbedtls_x509_crt srvcert
Definition: tls_mbedtls.c:34
u32 flags
Definition: vhost_user.h:115
mbedtls_ctx_t *** ctx_pool
Definition: tls_mbedtls.c:40
#define clib_min(x, y)
Definition: clib.h:295
svm_fifo_t * tx_fifo
#define TLS_DEBUG_LEVEL_CLIENT
Definition: tls.h:25
char * ca_cert_path
Definition: tls.h:94
mbedtls_ssl_context ssl
Definition: tls_mbedtls.c:32
static int tls_init_ctr_drbgs_and_entropy(u32 num_threads)
Definition: tls_mbedtls.c:563
#define NULL
Definition: clib.h:58
svm_fifo_t * rx_fifo
Pointers to rx/tx buffers.
int tls_add_vpp_q_builtin_rx_evt(session_t *s)
Definition: tls.c:62
static mbedtls_main_t mbedtls_main
Definition: tls_mbedtls.c:48
int i
clib_memset(h->entries, 0, sizeof(h->entries[0])*entries)
u8 use_test_cert_in_ca
Definition: tls.h:93
static u32 svm_fifo_max_enqueue(svm_fifo_t *f)
Definition: svm_fifo.h:147
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
static void mbedtls_ctx_free(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:89
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:236
static int tls_init_ctr_seed_drbgs(void)
Definition: tls_mbedtls.c:125
unsigned char u8
Definition: types.h:56
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
tls_ctx_t ctx
First.
Definition: tls_mbedtls.c:30
static u32 mbedtls_ctx_alloc(void)
Definition: tls_mbedtls.c:71
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:163
static u32 svm_fifo_max_dequeue(svm_fifo_t *f)
Definition: svm_fifo.h:129
static tls_ctx_t * mbedtls_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
Definition: tls_mbedtls.c:117
u8 is_passive_close
Definition: tls.h:76
int svm_fifo_enqueue_nowait(svm_fifo_t *f, u32 max_bytes, const u8 *copy_from_here)
Definition: svm_fifo.c:530
unsigned int u32
Definition: types.h:88
#define vlib_call_init_function(vm, x)
Definition: init.h:260
int tls_add_vpp_q_builtin_tx_evt(session_t *s)
Definition: tls.c:78
struct tls_ctx_mbedtls_ mbedtls_ctx_t
#define TLS_CHUNK_SIZE
Definition: tls.h:28
static int mbedtls_ctx_handshake_rx(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:382
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
uword size
mbedtls_pk_context pkey
Definition: tls_mbedtls.c:35
static session_t * session_get_from_handle(session_handle_t handle)
Definition: session.h:227
Definition: tls.h:81
int tls_init_ca_chain(void)
Definition: tls_mbedtls.c:577
int tls_notify_app_connected(tls_ctx_t *ctx, u8 is_failed)
Definition: tls.c:222
static u8 mbedtls_handshake_is_over(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:533
#define PREDICT_FALSE(x)
Definition: clib.h:111
int tls_init_mem(void)
Definition: tls_mbedtls.c:554
static const char test_srv_crt_rsa[]
Definition: tls_test.h:23
Definition: tls.h:57
static int mbedtls_start_listen(tls_ctx_t *lctx)
Definition: tls_mbedtls.c:262
u32(* ctx_alloc)(void)
Definition: tls.h:101
u8 len
Definition: ip_types.api:49
static int mbedtls_ctx_write(tls_ctx_t *ctx, session_t *app_session)
Definition: tls_mbedtls.c:435
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:212
vlib_main_t * vm
Definition: buffer.c:312
static int mbedtls_ctx_init_client(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:201
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:341
mbedtls_x509_crt cacert
Definition: tls_mbedtls.c:43
#define clib_warning(format, args...)
Definition: error.h:59
static int tls_net_send(void *ctx_indexp, const unsigned char *buf, size_t len)
Definition: tls_mbedtls.c:159
int tls_add_vpp_q_tx_evt(session_t *s)
Definition: tls.c:70
void tls_register_engine(const tls_engine_vft_t *vft, tls_engine_type_t type)
Definition: tls.c:747
application_t * application_get(u32 app_index)
Definition: application.c:447
mbedtls_entropy_context * entropy_pools
Definition: tls_mbedtls.c:42
#define uword_to_pointer(u, type)
Definition: types.h:136
#define TLS_DEBUG_LEVEL_SERVER
Definition: tls.h:26
#define pool_put_index(p, i)
Free pool element with given index.
Definition: pool.h:311
#define ASSERT(truth)
struct mbedtls_main_ mbedtls_main_t
VLIB_PLUGIN_REGISTER()
static void clib_mem_free(void *p)
Definition: mem.h:205
u8 * tls_key
PEM encoded key.
Definition: application.h:119
static void * clib_mem_alloc(uword size)
Definition: mem.h:132
static uword pointer_to_uword(const void *p)
Definition: types.h:131
static int tls_net_recv(void *ctx_indexp, unsigned char *buf, size_t len)
Definition: tls_mbedtls.c:177
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 max_bytes)
Definition: svm_fifo.c:734
app_worker_t * app_worker_get(u32 wrk_index)
static void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str)
Definition: tls_mbedtls.c:192
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
static int mbedtls_ctx_read(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls_mbedtls.c:481
u64 uword
Definition: types.h:112
static clib_error_t * tls_mbedtls_init(vlib_main_t *vm)
Definition: tls_mbedtls.c:610
u8 * srv_hostname
Definition: tls.h:78
mbedtls_ssl_config conf
Definition: tls_mbedtls.c:33
int tls_notify_app_accept(tls_ctx_t *ctx)
Definition: tls.c:190
u32 app_index
Index of owning app.
Definition: application.h:43
void tls_notify_app_enqueue(tls_ctx_t *ctx, session_t *app_session)
Definition: tls.c:181
static int mbedtls_ctx_init_server(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:274
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:32
u8 * tls_cert
Certificate to be used for listen sessions.
Definition: application.h:116
static int mbedtls_stop_listen(tls_ctx_t *lctx)
Definition: tls_mbedtls.c:268
mbedtls_ctr_drbg_context * ctr_drbgs
Definition: tls_mbedtls.c:41
static tls_ctx_t * mbedtls_ctx_get(u32 ctx_index)
Definition: tls_mbedtls.c:108
int svm_fifo_peek(svm_fifo_t *f, u32 relative_offset, u32 max_bytes, u8 *copy_here)
Definition: svm_fifo.c:726
static clib_error_t * tls_init(vlib_main_t *vm)
Definition: tls.c:754
int svm_fifo_dequeue_nowait(svm_fifo_t *f, u32 max_bytes, u8 *copy_here)
Definition: svm_fifo.c:678
#define TLS_DBG(_lvl, _fmt, _args...)
Definition: tls.h:36
static const u32 test_srv_crt_rsa_len
Definition: tls_test.h:47