FD.io VPP  v20.09-64-g4f7b92f0a
Vector Packet Processing
tls_mbedtls.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2018 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <mbedtls/ssl.h>
17 #include <mbedtls/certs.h>
18 #include <mbedtls/entropy.h>
19 #include <mbedtls/ctr_drbg.h>
20 #include <mbedtls/timing.h>
21 #include <mbedtls/debug.h>
22 #include <vnet/plugin/plugin.h>
23 #include <vpp/app/version.h>
24 #include <vnet/tls/tls.h>
25 
26 #define TLS_USE_OUR_MEM_FUNCS 0
27 
28 typedef struct tls_ctx_mbedtls_
29 {
30  tls_ctx_t ctx; /**< First */
32  mbedtls_ssl_context ssl;
33  mbedtls_ssl_config conf;
34  mbedtls_x509_crt srvcert;
35  mbedtls_pk_context pkey;
37 
38 typedef struct mbedtls_main_
39 {
41  mbedtls_ctr_drbg_context *ctr_drbgs;
42  mbedtls_entropy_context *entropy_pools;
43  mbedtls_x509_crt cacert;
47 
49 
50 #if TLS_USE_OUR_MEM_FUNCS
51 #include <mbedtls/platform.h>
52 
53 void *
54 mbedtls_calloc_fn (size_t n, size_t size)
55 {
56  void *ptr;
57  ptr = clib_mem_alloc (n * size);
58  clib_memset (ptr, 0, sizeof (*ptr));
59  return ptr;
60 }
61 
62 void
63 mbedtls_free_fn (void *ptr)
64 {
65  if (ptr)
66  clib_mem_free (ptr);
67 }
68 #endif
69 
70 static u32
72 {
73  u8 thread_index = vlib_get_thread_index ();
76 
77  pool_get (tm->ctx_pool[thread_index], ctx);
78  if (!(*ctx))
79  *ctx = clib_mem_alloc (sizeof (mbedtls_ctx_t));
80 
81  clib_memset (*ctx, 0, sizeof (mbedtls_ctx_t));
82  (*ctx)->ctx.c_thread_index = thread_index;
83  (*ctx)->ctx.tls_ctx_engine = CRYPTO_ENGINE_MBEDTLS;
84  (*ctx)->mbedtls_ctx_index = ctx - tm->ctx_pool[thread_index];
85  return ((*ctx)->mbedtls_ctx_index);
86 }
87 
88 static void
90 {
91  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
92 
93  if (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER && !ctx->is_passive_close)
94  mbedtls_ssl_close_notify (&mc->ssl);
95  if (mc->ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
96  {
97  mbedtls_x509_crt_free (&mc->srvcert);
98  mbedtls_pk_free (&mc->pkey);
99  }
100  mbedtls_ssl_free (&mc->ssl);
101  mbedtls_ssl_config_free (&mc->conf);
102 
103  vec_free (ctx->srv_hostname);
104  pool_put_index (mbedtls_main.ctx_pool[ctx->c_thread_index],
105  mc->mbedtls_ctx_index);
106 }
107 
108 static tls_ctx_t *
109 mbedtls_ctx_get (u32 ctx_index)
110 {
111  mbedtls_ctx_t **ctx;
112  ctx = pool_elt_at_index (mbedtls_main.ctx_pool[vlib_get_thread_index ()],
113  ctx_index);
114  return &(*ctx)->ctx;
115 }
116 
117 static tls_ctx_t *
118 mbedtls_ctx_get_w_thread (u32 ctx_index, u8 thread_index)
119 {
120  mbedtls_ctx_t **ctx;
121  ctx = pool_elt_at_index (mbedtls_main.ctx_pool[thread_index], ctx_index);
122  return &(*ctx)->ctx;
123 }
124 
125 static int
127 {
128  u32 thread_index = vlib_get_thread_index ();
130  u8 *pers;
131  int rv;
132  pers = format (0, "vpp thread %u", thread_index);
133 
134  mbedtls_entropy_init (&tm->entropy_pools[thread_index]);
135  mbedtls_ctr_drbg_init (&mbedtls_main.ctr_drbgs[thread_index]);
136  if ((rv = mbedtls_ctr_drbg_seed (&tm->ctr_drbgs[thread_index],
137  mbedtls_entropy_func,
138  &tm->entropy_pools[thread_index],
139  (const unsigned char *) pers,
140  vec_len (pers))) != 0)
141  {
142  vec_free (pers);
143  TLS_DBG (1, " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", rv);
144  return -1;
145  }
146  vec_free (pers);
147  return 0;
148 }
149 
150 mbedtls_ctr_drbg_context *
152 {
153  u8 thread_index = vlib_get_thread_index ();
154  if (PREDICT_FALSE (!mbedtls_main.ctr_drbgs[thread_index].f_entropy))
156  return &mbedtls_main.ctr_drbgs[thread_index];
157 }
158 
159 static int
160 tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len)
161 {
162  session_t *tls_session;
163  uword ctx_index;
164  tls_ctx_t *ctx;
165  int rv;
166 
167  ctx_index = pointer_to_uword (ctx_indexp);
168  ctx = mbedtls_ctx_get (ctx_index);
169  tls_session = session_get_from_handle (ctx->tls_session_handle);
170  rv = svm_fifo_enqueue (tls_session->tx_fifo, len, buf);
171  if (rv < 0)
172  return MBEDTLS_ERR_SSL_WANT_WRITE;
173  tls_add_vpp_q_tx_evt (tls_session);
174  return rv;
175 }
176 
177 static int
178 tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len)
179 {
180  session_t *tls_session;
181  uword ctx_index;
182  tls_ctx_t *ctx;
183  int rv;
184 
185  ctx_index = pointer_to_uword (ctx_indexp);
186  ctx = mbedtls_ctx_get (ctx_index);
187  tls_session = session_get_from_handle (ctx->tls_session_handle);
188  rv = svm_fifo_dequeue (tls_session->rx_fifo, len, buf);
189  return (rv < 0) ? 0 : rv;
190 }
191 
192 static void
193 mbedtls_debug (void *ctx, int level, const char *file, int line,
194  const char *str)
195 {
196  ((void) level);
197  fprintf ((FILE *) ctx, "%s:%04d: %s", file, line, str);
198  fflush ((FILE *) ctx);
199 }
200 
201 static int
203 {
204  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
206  void *ctx_ptr;
207  int rv;
208 
209  /*
210  * 1. Setup SSL
211  */
212  mbedtls_ssl_init (&mc->ssl);
213  mbedtls_ssl_config_init (&mc->conf);
214  if ((rv = mbedtls_ssl_config_defaults (&mc->conf, MBEDTLS_SSL_IS_CLIENT,
215  MBEDTLS_SSL_TRANSPORT_STREAM,
216  MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
217  {
218  TLS_DBG (1, "failed\n ! mbedtls_ssl_config_defaults returned %d\n\n",
219  rv);
220  return -1;
221  }
222 
223  mbedtls_ssl_conf_authmode (&mc->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
224  mbedtls_ssl_conf_ca_chain (&mc->conf, &mm->cacert, NULL);
225  mbedtls_ssl_conf_rng (&mc->conf, mbedtls_ctr_drbg_random,
226  tls_get_ctr_drbg ());
227  mbedtls_ssl_conf_dbg (&mc->conf, mbedtls_debug, stdout);
228 
229  if ((rv = mbedtls_ssl_setup (&mc->ssl, &mc->conf)) != 0)
230  {
231  TLS_DBG (1, "failed\n ! mbedtls_ssl_setup returned %d\n", rv);
232  return -1;
233  }
234 
235  if ((rv = mbedtls_ssl_set_hostname (&mc->ssl,
236  (const char *) ctx->srv_hostname)) != 0)
237  {
238  TLS_DBG (1, "failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv);
239  return -1;
240  }
241 
242  ctx_ptr = uword_to_pointer (mc->mbedtls_ctx_index, void *);
243  mbedtls_ssl_set_bio (&mc->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
244  mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT);
245 
246  /*
247  * 2. Do the first 2 steps in the handshake.
248  */
249  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
250  mc->mbedtls_ctx_index);
251  while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
252  {
253  rv = mbedtls_ssl_handshake_step (&mc->ssl);
254  if (rv != 0)
255  break;
256  }
257  TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
258  mc->mbedtls_ctx_index, mc->ssl.state);
259  return 0;
260 }
261 
262 static int
264 {
265  return 0;
266 }
267 
268 static int
270 {
271  return 0;
272 }
273 
274 static int
276 {
277  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
279  app_cert_key_pair_t *ckpair;
280  void *ctx_ptr;
281  int rv;
282 
283  mbedtls_ssl_init (&mc->ssl);
284  mbedtls_ssl_config_init (&mc->conf);
285  mbedtls_x509_crt_init (&mc->srvcert);
286  mbedtls_pk_init (&mc->pkey);
287 
288  /*
289  * 1. Cert
290  */
292  if (!ckpair)
293  return -1;
294 
295  if (!ckpair->cert || !ckpair->key)
296  {
297  TLS_DBG (1, " failed\n ! tls cert and/or key not configured %d",
298  ctx->parent_app_wrk_index);
299  return -1;
300  }
301 
302  rv = mbedtls_x509_crt_parse (&mc->srvcert,
303  (const unsigned char *) ckpair->cert,
304  vec_len (ckpair->cert));
305  if (rv != 0)
306  {
307  TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
308  goto exit;
309  }
310 
311  rv = mbedtls_pk_parse_key (&mc->pkey,
312  (const unsigned char *) ckpair->key,
313  vec_len (ckpair->key), NULL, 0);
314  if (rv != 0)
315  {
316  TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv);
317  goto exit;
318  }
319 
320  /*
321  * 2. SSL context config
322  */
323  if ((rv = mbedtls_ssl_config_defaults (&mc->conf, MBEDTLS_SSL_IS_SERVER,
324  MBEDTLS_SSL_TRANSPORT_STREAM,
325  MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
326  {
327  TLS_DBG (1, " failed\n ! mbedtls_ssl_config_defaults returned %d", rv);
328  goto exit;
329  }
330 
331  mbedtls_ssl_conf_rng (&mc->conf, mbedtls_ctr_drbg_random,
332  tls_get_ctr_drbg ());
333  mbedtls_ssl_conf_dbg (&mc->conf, mbedtls_debug, stdout);
334 
335  /* TODO CACHE
336  mbedtls_ssl_conf_session_cache( &ctx->conf, &cache,
337  mbedtls_ssl_cache_get,
338  mbedtls_ssl_cache_set );
339  */
340 
341  mbedtls_ssl_conf_ca_chain (&mc->conf, &mm->cacert, NULL);
342  if ((rv = mbedtls_ssl_conf_own_cert (&mc->conf, &mc->srvcert, &mc->pkey))
343  != 0)
344  {
345  TLS_DBG (1, " failed\n ! mbedtls_ssl_conf_own_cert returned %d", rv);
346  goto exit;
347  }
348 
349  if ((rv = mbedtls_ssl_setup (&mc->ssl, &mc->conf)) != 0)
350  {
351  TLS_DBG (1, " failed\n ! mbedtls_ssl_setup returned %d", rv);
352  goto exit;
353  }
354 
355  mbedtls_ssl_session_reset (&mc->ssl);
356  ctx_ptr = uword_to_pointer (mc->mbedtls_ctx_index, void *);
357  mbedtls_ssl_set_bio (&mc->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
358  mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_SERVER);
359 
360  /*
361  * 3. Start handshake state machine
362  */
363  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
364  mc->mbedtls_ctx_index);
365  while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
366  {
367  rv = mbedtls_ssl_handshake_step (&mc->ssl);
368  if (rv != 0)
369  break;
370  }
371 
372  TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
373  mc->mbedtls_ctx_index, mc->ssl.state);
374  return 0;
375 
376 exit:
377  return -1;
378 }
379 
380 static int
382 {
383  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
384  u32 flags;
385  int rv;
386  while (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
387  {
388  rv = mbedtls_ssl_handshake_step (&mc->ssl);
389  if (rv != 0)
390  break;
391  }
392  TLS_DBG (2, "tls state for %u is %u", mc->mbedtls_ctx_index, mc->ssl.state);
393 
394  if (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
395  return 0;
396 
397  /*
398  * Handshake complete
399  */
400  if (mc->ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
401  {
402  /*
403  * Verify server certificate
404  */
405  if ((flags = mbedtls_ssl_get_verify_result (&mc->ssl)) != 0)
406  {
407  char buf[512];
408  TLS_DBG (1, " failed\n");
409  mbedtls_x509_crt_verify_info (buf, sizeof (buf), " ! ", flags);
410  TLS_DBG (1, "%s\n", buf);
411 
412  /*
413  * Presence of hostname enforces strict certificate verification
414  */
415  if (ctx->srv_hostname)
416  {
417  tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE);
418  return -1;
419  }
420  }
421  tls_notify_app_connected (ctx, SESSION_E_NONE);
422  }
423  else
424  {
425  tls_notify_app_accept (ctx);
426  }
427 
428  TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x",
429  mc->mbedtls_ctx_index, mc->ssl.session->ciphersuite);
430  return 0;
431 }
432 
433 static int
436 {
437  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
438  u8 thread_index = ctx->c_thread_index;
440  u32 enq_max, deq_max, deq_now;
441  session_t *tls_session;
442  int wrote;
443 
444  ASSERT (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
445 
446  deq_max = svm_fifo_max_dequeue_cons (app_session->tx_fifo);
447  if (!deq_max)
448  return 0;
449 
450  deq_max = clib_min (deq_max, sp->max_burst_size);
451  tls_session = session_get_from_handle (ctx->tls_session_handle);
452  enq_max = svm_fifo_max_enqueue_prod (tls_session->tx_fifo);
453  deq_now = clib_min (deq_max, TLS_CHUNK_SIZE);
454 
455  if (PREDICT_FALSE (enq_max == 0))
456  {
457  app_session->flags |= SESSION_F_CUSTOM_TX;
458  return 0;
459  }
460 
461  vec_validate (mm->tx_bufs[thread_index], deq_now);
462  svm_fifo_peek (app_session->tx_fifo, 0, deq_now, mm->tx_bufs[thread_index]);
463 
464  wrote = mbedtls_ssl_write (&mc->ssl, mm->tx_bufs[thread_index], deq_now);
465  if (wrote <= 0)
466  {
467  app_session->flags |= SESSION_F_CUSTOM_TX;
468  return 0;
469  }
470 
471  svm_fifo_dequeue_drop (app_session->tx_fifo, wrote);
472  vec_reset_length (mm->tx_bufs[thread_index]);
473  tls_add_vpp_q_tx_evt (tls_session);
474 
475  if (deq_now < deq_max)
476  app_session->flags |= SESSION_F_CUSTOM_TX;
477 
478  return 0;
479 }
480 
481 static int
483 {
484  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
486  u8 thread_index = ctx->c_thread_index;
487  u32 deq_max, enq_max, enq_now;
488  session_t *app_session;
489  int read, enq;
490 
491  if (PREDICT_FALSE (mc->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER))
492  {
494  return 0;
495  }
496 
497  deq_max = svm_fifo_max_dequeue_cons (tls_session->rx_fifo);
498  if (!deq_max)
499  return 0;
500 
501  app_session = session_get_from_handle (ctx->app_session_handle);
502  enq_max = svm_fifo_max_enqueue_prod (app_session->rx_fifo);
503  enq_now = clib_min (enq_max, TLS_CHUNK_SIZE);
504 
505  if (PREDICT_FALSE (enq_now == 0))
506  {
507  tls_add_vpp_q_builtin_rx_evt (tls_session);
508  return 0;
509  }
510 
511  vec_validate (mm->rx_bufs[thread_index], enq_now);
512  read = mbedtls_ssl_read (&mc->ssl, mm->rx_bufs[thread_index], enq_now);
513  if (read <= 0)
514  {
515  tls_add_vpp_q_builtin_rx_evt (tls_session);
516  return 0;
517  }
518 
519  enq = svm_fifo_enqueue (app_session->rx_fifo, read,
520  mm->rx_bufs[thread_index]);
521  ASSERT (enq == read);
522  vec_reset_length (mm->rx_bufs[thread_index]);
523 
524  if (svm_fifo_max_dequeue_cons (tls_session->rx_fifo))
525  tls_add_vpp_q_builtin_rx_evt (tls_session);
526 
527  if (enq > 0)
528  tls_notify_app_enqueue (ctx, app_session);
529 
530  return enq;
531 }
532 
533 static u8
535 {
536  mbedtls_ctx_t *mc = (mbedtls_ctx_t *) ctx;
537  return (mc->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
538 }
539 
540 static int
542 {
543  if (!mbedtls_handshake_is_over (ctx))
544  {
545  session_close (session_get_from_handle (ctx->tls_session_handle));
546  return 0;
547  }
549  return 0;
550 }
551 
552 static int
554 {
557  mbedtls_ctx_free (ctx);
558  return 0;
559 }
560 
561 const static tls_engine_vft_t mbedtls_engine = {
563  .ctx_free = mbedtls_ctx_free,
564  .ctx_get = mbedtls_ctx_get,
565  .ctx_get_w_thread = mbedtls_ctx_get_w_thread,
566  .ctx_init_server = mbedtls_ctx_init_server,
567  .ctx_init_client = mbedtls_ctx_init_client,
568  .ctx_write = mbedtls_ctx_write,
569  .ctx_read = mbedtls_ctx_read,
570  .ctx_handshake_is_over = mbedtls_handshake_is_over,
571  .ctx_start_listen = mbedtls_start_listen,
572  .ctx_stop_listen = mbedtls_stop_listen,
573  .ctx_transport_close = mbedtls_transport_close,
574  .ctx_app_close = mbedtls_app_close,
575 };
576 
577 int
579 {
580 #if TLS_USE_OUR_MEM_FUNCS
581  mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn);
582 #endif
583  return 0;
584 }
585 
586 static int
588 {
590  int i;
591 
592  vec_validate (mm->ctr_drbgs, num_threads - 1);
593  vec_validate (mm->entropy_pools, num_threads - 1);
594  for (i = 0; i < num_threads; i++)
595  mm->ctr_drbgs[i].f_entropy = 0;
596 
597  return 0;
598 }
599 
600 int
602 {
604  tls_main_t *tm = vnet_tls_get_main ();
605  int rv;
606 
607  if (access (tm->ca_cert_path, F_OK | R_OK) == -1)
608  {
609  clib_warning ("Could not initialize TLS CA certificates");
610  return -1;
611  }
612 
613  mbedtls_x509_crt_init (&mm->cacert);
614  rv = mbedtls_x509_crt_parse_file (&mm->cacert, tm->ca_cert_path);
615  if (rv < 0)
616  {
617  clib_warning ("Couldn't parse system CA certificates: -0x%x", -rv);
618  }
619  if (tm->use_test_cert_in_ca)
620  {
621  rv = mbedtls_x509_crt_parse (&mm->cacert,
622  (const unsigned char *) test_srv_crt_rsa,
624  if (rv < 0)
625  {
626  clib_warning ("Couldn't parse test certificate: -0x%x", -rv);
627  return -1;
628  }
629  }
630  return (rv < 0 ? -1 : 0);
631 }
632 
633 static clib_error_t *
635 {
638  u32 num_threads;
639 
640  num_threads = 1 /* main thread */ + vtm->n_threads;
641 
642  if (tls_init_ca_chain ())
643  {
644  clib_warning ("failed to initialize TLS CA chain");
645  return 0;
646  }
647  if (tls_init_mem ())
648  {
649  clib_warning ("failed to initialize mem");
650  return 0;
651  }
652  if (tls_init_ctr_drbgs_and_entropy (num_threads))
653  {
654  clib_warning ("failed to initialize entropy and random generators");
655  return 0;
656  }
657 
658  vec_validate (mm->ctx_pool, num_threads - 1);
659  vec_validate (mm->rx_bufs, num_threads - 1);
660  vec_validate (mm->tx_bufs, num_threads - 1);
661 
662  tls_register_engine (&mbedtls_engine, CRYPTO_ENGINE_MBEDTLS);
663  return 0;
664 }
665 
666 /* *INDENT-OFF* */
668 {
669  .runs_after = VLIB_INITS("tls_init"),
670 };
671 /* *INDENT-ON* */
672 
673 /* *INDENT-OFF* */
675  .version = VPP_BUILD_VER,
676  .description = "Transport Layer Security (TLS) Engine, Mbedtls Based",
677 };
678 /* *INDENT-ON* */
679 
680 /*
681  * fd.io coding-style-patch-verification: ON
682  *
683  * Local Variables:
684  * eval: (c-set-style "gnu")
685  * End:
686  */
mbedtls_ctr_drbg_context * tls_get_ctr_drbg()
Definition: tls_mbedtls.c:151
tls_main_t * vnet_tls_get_main(void)
Definition: tls.c:996
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:509
int tls_notify_app_connected(tls_ctx_t *ctx, session_error_t err)
Definition: tls.c:211
mbedtls_x509_crt srvcert
Definition: tls_mbedtls.c:34
mbedtls_ctx_t *** ctx_pool
Definition: tls_mbedtls.c:40
#define clib_min(x, y)
Definition: clib.h:327
static u32 svm_fifo_max_enqueue_prod(svm_fifo_t *f)
Maximum number of bytes that can be enqueued into fifo.
Definition: svm_fifo.h:524
vl_api_wireguard_peer_flags_t flags
Definition: wireguard.api:103
void tls_disconnect_transport(tls_ctx_t *ctx)
Definition: tls.c:30
svm_fifo_t * tx_fifo
#define TLS_DEBUG_LEVEL_CLIENT
Definition: tls.h:25
char * ca_cert_path
Definition: tls.h:99
mbedtls_ssl_context ssl
Definition: tls_mbedtls.c:32
static int tls_init_ctr_drbgs_and_entropy(u32 num_threads)
Definition: tls_mbedtls.c:587
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
void session_transport_delete_notify(transport_connection_t *tc)
Notification from transport that connection is being deleted.
Definition: session.c:970
svm_fifo_t * rx_fifo
Pointers to rx/tx buffers.
int tls_add_vpp_q_builtin_rx_evt(session_t *s)
Definition: tls.c:62
int svm_fifo_peek(svm_fifo_t *f, u32 offset, u32 len, u8 *dst)
Peek data from fifo.
Definition: svm_fifo.c:1044
static mbedtls_main_t mbedtls_main
Definition: tls_mbedtls.c:48
u8 use_test_cert_in_ca
Definition: tls.h:98
vlib_main_t * vm
Definition: in2out_ed.c:1582
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
static void mbedtls_ctx_free(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:89
u32 flags
Session flags.
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:252
void tls_register_engine(const tls_engine_vft_t *vft, crypto_engine_type_t type)
Definition: tls.c:903
static int tls_init_ctr_seed_drbgs(void)
Definition: tls_mbedtls.c:126
unsigned char u8
Definition: types.h:56
#define vec_reset_length(v)
Reset vector length to zero NULL-pointer tolerant.
void session_transport_closing_notify(transport_connection_t *tc)
Notification from transport that connection is being closed.
Definition: session.c:948
tls_ctx_t ctx
First.
Definition: tls_mbedtls.c:30
static u32 mbedtls_ctx_alloc(void)
Definition: tls_mbedtls.c:71
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
static u32 svm_fifo_max_dequeue_cons(svm_fifo_t *f)
Fifo max bytes to dequeue optimized for consumer.
Definition: svm_fifo.h:404
static tls_ctx_t * mbedtls_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
Definition: tls_mbedtls.c:118
u8 is_passive_close
Definition: tls.h:77
unsigned int u32
Definition: types.h:88
int svm_fifo_dequeue(svm_fifo_t *f, u32 len, u8 *dst)
Dequeue data from fifo.
Definition: svm_fifo.c:1009
struct tls_ctx_mbedtls_ mbedtls_ctx_t
#define TLS_CHUNK_SIZE
Definition: tls.h:28
static int mbedtls_ctx_handshake_rx(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:381
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:534
mbedtls_pk_context pkey
Definition: tls_mbedtls.c:35
static session_t * session_get_from_handle(session_handle_t handle)
Definition: session.h:321
u32 size
Definition: vhost_user.h:106
Definition: tls.h:86
int svm_fifo_enqueue(svm_fifo_t *f, u32 len, const u8 *src)
Enqueue data to fifo.
Definition: svm_fifo.c:838
int tls_init_ca_chain(void)
Definition: tls_mbedtls.c:601
static u8 mbedtls_handshake_is_over(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:534
#define PREDICT_FALSE(x)
Definition: clib.h:120
static int mbedtls_transport_close(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:541
int tls_init_mem(void)
Definition: tls_mbedtls.c:578
static const char test_srv_crt_rsa[]
Definition: tls_test.h:23
Definition: tls.h:58
static int mbedtls_start_listen(tls_ctx_t *lctx)
Definition: tls_mbedtls.c:263
u32(* ctx_alloc)(void)
Definition: tls.h:106
u32 ckpair_index
Definition: tls.h:83
u8 len
Definition: ip_types.api:92
app_cert_key_pair_t * app_cert_key_pair_get_if_valid(u32 index)
Definition: application.c:1686
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:219
static int mbedtls_ctx_init_client(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:202
sll srl srl sll sra u16x4 i
Definition: vector_sse42.h:317
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:380
mbedtls_x509_crt cacert
Definition: tls_mbedtls.c:43
#define clib_warning(format, args...)
Definition: error.h:59
static int tls_net_send(void *ctx_indexp, const unsigned char *buf, size_t len)
Definition: tls_mbedtls.c:160
int tls_add_vpp_q_tx_evt(session_t *s)
Definition: tls.c:70
transport_connection_t connection
Definition: tls.h:62
mbedtls_entropy_context * entropy_pools
Definition: tls_mbedtls.c:42
#define uword_to_pointer(u, type)
Definition: types.h:136
#define TLS_DEBUG_LEVEL_SERVER
Definition: tls.h:26
#define pool_put_index(p, i)
Free pool element with given index.
Definition: pool.h:331
#define ASSERT(truth)
struct mbedtls_main_ mbedtls_main_t
VLIB_PLUGIN_REGISTER()
static void clib_mem_free(void *p)
Definition: mem.h:215
static void * clib_mem_alloc(uword size)
Definition: mem.h:157
static uword pointer_to_uword(const void *p)
Definition: types.h:131
static int tls_net_recv(void *ctx_indexp, unsigned char *buf, size_t len)
Definition: tls_mbedtls.c:178
static void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str)
Definition: tls_mbedtls.c:193
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
static int mbedtls_ctx_read(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls_mbedtls.c:482
void session_close(session_t *s)
Initialize session closing procedure.
Definition: session.c:1363
u64 uword
Definition: types.h:112
static clib_error_t * tls_mbedtls_init(vlib_main_t *vm)
Definition: tls_mbedtls.c:634
u8 * srv_hostname
Definition: tls.h:81
mbedtls_ssl_config conf
Definition: tls_mbedtls.c:33
int tls_notify_app_accept(tls_ctx_t *ctx)
Definition: tls.c:181
void tls_notify_app_enqueue(tls_ctx_t *ctx, session_t *app_session)
Definition: tls.c:172
static int mbedtls_app_close(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:553
static int mbedtls_ctx_init_server(tls_ctx_t *ctx)
Definition: tls_mbedtls.c:275
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:32
static int mbedtls_stop_listen(tls_ctx_t *lctx)
Definition: tls_mbedtls.c:269
mbedtls_ctr_drbg_context * ctr_drbgs
Definition: tls_mbedtls.c:41
static tls_ctx_t * mbedtls_ctx_get(u32 ctx_index)
Definition: tls_mbedtls.c:109
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 len)
Dequeue and drop bytes from fifo.
Definition: svm_fifo.c:1068
#define VLIB_INITS(...)
Definition: init.h:357
#define TLS_DBG(_lvl, _fmt, _args...)
Definition: tls.h:36
static int mbedtls_ctx_write(tls_ctx_t *ctx, session_t *app_session, transport_send_params_t *sp)
Definition: tls_mbedtls.c:434
static const u32 test_srv_crt_rsa_len
Definition: tls_test.h:47