16 #include <openssl/ssl.h> 17 #include <openssl/conf.h> 18 #include <openssl/err.h> 19 #ifdef HAVE_OPENSSL_ASYNC 20 #include <openssl/async.h> 24 #include <vpp/app/version.h> 29 #define MAX_CRYPTO_LEN 16 44 (*ctx)->ctx.c_thread_index = thread_index;
47 (*ctx)->openssl_ctx_index = ctx - tm->
ctx_pool[thread_index];
48 return ((*ctx)->openssl_ctx_index);
57 SSL_shutdown (oc->
ssl);
59 if (SSL_is_server (oc->
ssl))
62 EVP_PKEY_free (oc->
pkey);
95 f = tls_session->server_rx_fifo;
123 u32 enq_max, deq_now;
127 if (BIO_ctrl_pending (oc->
rbio) <= 0)
130 f = tls_session->server_tx_fifo;
157 #ifdef HAVE_OPENSSL_ASYNC 159 vpp_ssl_async_process_event (
tls_ctx_t * ctx,
168 SSL_set_async_callback (oc->
ssl, (
void *) engine_cb->
callback,
169 (
void *) engine_cb->
arg);
173 TLS_DBG (
"completed assoicated fd with tls session\n");
184 #ifdef HAVE_OPENSSL_ASYNC 188 while (SSL_in_init (oc->
ssl))
199 rv = SSL_do_handshake (oc->
ssl);
200 err = SSL_get_error (oc->
ssl, rv);
202 #ifdef HAVE_OPENSSL_ASYNC 203 if (err == SSL_ERROR_WANT_ASYNC)
206 vpp_ssl_async_process_event (ctx, myself);
210 if (err != SSL_ERROR_WANT_WRITE)
212 if (err == SSL_ERROR_SSL)
215 ERR_error_string (ERR_get_error (), buf);
222 SSL_state_string_long (oc->
ssl));
224 if (SSL_in_init (oc->
ssl))
230 if (!SSL_is_server (oc->
ssl))
235 if ((rv = SSL_get_verify_result (oc->
ssl)) != X509_V_OK)
237 TLS_DBG (1,
" failed verify: %s\n",
238 X509_verify_cert_error_string (rv));
256 TLS_DBG (1,
"Handshake for %u complete. TLS cipher is %s",
265 int wrote = 0, rv, read, max_buf = 100 *
TLS_CHUNK_SIZE, max_space;
266 u32 enq_max, deq_max, deq_now, to_write;
270 f = app_session->server_tx_fifo;
275 max_space = max_buf - BIO_ctrl_pending (oc->
rbio);
276 max_space = (max_space < 0) ? 0 : max_space;
297 if (deq_now < deq_max)
302 if (BIO_ctrl_pending (oc->
rbio) <= 0)
306 f = tls_session->server_tx_fifo;
325 if (read < enq_max && BIO_ctrl_pending (oc->
rbio) > 0)
333 if (BIO_ctrl_pending (oc->
rbio) > 0)
342 int read, wrote = 0, max_space, max_buf = 100 *
TLS_CHUNK_SIZE, rv;
344 u32 deq_max, enq_max, deq_now, to_read;
354 f = tls_session->server_rx_fifo;
356 max_space = max_buf - BIO_ctrl_pending (oc->
wbio);
357 max_space = max_space < 0 ? 0 : max_space;
358 deq_now =
clib_min (deq_max, max_space);
385 if (BIO_ctrl_pending (oc->
wbio) <= 0)
389 f = app_session->server_rx_fifo;
405 if (read < enq_max && BIO_ctrl_pending (oc->
wbio) > 0)
414 if (BIO_ctrl_pending (oc->
wbio) > 0)
423 char *ciphers =
"ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
424 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
428 const SSL_METHOD *method;
430 #ifdef HAVE_OPENSSL_ASYNC 434 method = SSLv23_client_method ();
437 TLS_DBG (1,
"SSLv23_method returned null");
441 oc->
ssl_ctx = SSL_CTX_new (method);
444 TLS_DBG (1,
"SSL_CTX_new returned null");
448 SSL_CTX_set_ecdh_auto (oc->
ssl_ctx, 1);
449 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
450 #ifdef HAVE_OPENSSL_ASYNC 452 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ASYNC);
454 rv = SSL_CTX_set_cipher_list (oc->
ssl_ctx, (
const char *) ciphers);
457 TLS_DBG (1,
"Couldn't set cipher");
461 SSL_CTX_set_options (oc->
ssl_ctx, flags);
467 TLS_DBG (1,
"Couldn't initialize ssl struct");
471 oc->
rbio = BIO_new (BIO_s_mem ());
472 oc->
wbio = BIO_new (BIO_s_mem ());
474 BIO_set_mem_eof_return (oc->
rbio, -1);
475 BIO_set_mem_eof_return (oc->
wbio, -1);
478 SSL_set_connect_state (oc->
ssl);
483 TLS_DBG (1,
"Couldn't set hostname");
490 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
496 rv = SSL_do_handshake (oc->
ssl);
497 err = SSL_get_error (oc->
ssl, rv);
499 #ifdef HAVE_OPENSSL_ASYNC 500 if (err == SSL_ERROR_WANT_ASYNC)
503 vpp_ssl_async_process_event (ctx, handler);
507 if (err != SSL_ERROR_WANT_WRITE)
511 TLS_DBG (2,
"tls state for [%u]%u is su", ctx->c_thread_index,
519 char *ciphers =
"ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
520 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
523 const SSL_METHOD *method;
527 #ifdef HAVE_OPENSSL_ASYNC 533 if (!app->tls_cert || !app->tls_key)
535 TLS_DBG (1,
"tls cert and/or key not configured %d",
536 ctx->parent_app_index);
540 method = SSLv23_method ();
541 oc->
ssl_ctx = SSL_CTX_new (method);
548 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
549 #ifdef HAVE_OPENSSL_ASYNC 551 SSL_CTX_set_mode (oc->
ssl_ctx, SSL_MODE_ASYNC);
553 SSL_CTX_set_options (oc->
ssl_ctx, flags);
554 SSL_CTX_set_ecdh_auto (oc->
ssl_ctx, 1);
556 rv = SSL_CTX_set_cipher_list (oc->
ssl_ctx, (
const char *) ciphers);
559 TLS_DBG (1,
"Couldn't set cipher");
566 cert_bio = BIO_new (BIO_s_mem ());
567 BIO_write (cert_bio, app->tls_cert,
vec_len (app->tls_cert));
578 cert_bio = BIO_new (BIO_s_mem ());
579 BIO_write (cert_bio, app->tls_key,
vec_len (app->tls_key));
596 TLS_DBG (1,
"Couldn't initialize ssl struct");
600 oc->
rbio = BIO_new (BIO_s_mem ());
601 oc->
wbio = BIO_new (BIO_s_mem ());
603 BIO_set_mem_eof_return (oc->
rbio, -1);
604 BIO_set_mem_eof_return (oc->
wbio, -1);
607 SSL_set_accept_state (oc->
ssl);
609 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
615 rv = SSL_do_handshake (oc->
ssl);
616 err = SSL_get_error (oc->
ssl, rv);
618 #ifdef HAVE_OPENSSL_ASYNC 619 if (err == SSL_ERROR_WANT_ASYNC)
622 vpp_ssl_async_process_event (ctx, handler);
626 if (err != SSL_ERROR_WANT_WRITE)
630 TLS_DBG (2,
"tls state for [%u]%u is su", ctx->c_thread_index,
641 return SSL_is_init_finished (mc->
ssl);
667 clib_warning (
"Could not initialize TLS CA certificates");
685 cert_bio = BIO_new (BIO_s_mem ());
687 testcert = PEM_read_bio_X509 (cert_bio,
NULL,
NULL,
NULL);
693 X509_STORE_add_cert (om->
cert_store, testcert);
696 return (rv < 0 ? -1 : 0);
713 SSL_load_error_strings ();
730 #ifdef HAVE_OPENSSL_ASYNC 736 char *engine_name =
NULL;
737 char *engine_alg =
NULL;
738 u8 engine_name_set = 0;
746 (0,
"engine has started, and no config is accepted");
751 if (
unformat (input,
"engine %s", &engine_name))
760 else if (
unformat (input,
"alg %s", &engine_alg))
763 engine_alg[i] = toupper (engine_alg[i]);
771 if (!engine_name_set)
791 .path =
"tls openssl set",
792 .short_help =
"tls openssl set [engine <engine name>] [alg [algorithm] [async]",
793 .function = tls_openssl_set_command_fn,
803 .version = VPP_BUILD_VER,
804 .description =
"openssl based TLS Engine",
tls_main_t * vnet_tls_get_main(void)
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
static u8 openssl_handshake_is_over(tls_ctx_t *ctx)
static int openssl_try_handshake_write(openssl_ctx_t *oc, stream_session_t *tls_session)
const u32 test_srv_crt_rsa_len
void openssl_async_node_enable_disable(u8 is_en)
static u32 openssl_ctx_alloc(void)
static void openssl_ctx_free(tls_ctx_t *ctx)
void tls_notify_app_enqueue(tls_ctx_t *ctx, stream_session_t *app_session)
static u32 svm_fifo_max_enqueue(svm_fifo_t *f)
int(* callback)(void *arg)
static stream_session_t * session_get_from_handle(session_handle_t handle)
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
static u8 * svm_fifo_tail(svm_fifo_t *f)
struct _svm_fifo svm_fifo_t
static void svm_fifo_enqueue_nocopy(svm_fifo_t *f, u32 bytes)
Advance tail pointer.
#define VLIB_INIT_FUNCTION(x)
static u32 svm_fifo_max_dequeue(svm_fifo_t *f)
int openssl_engine_register(char *engine_name, char *algorithm)
#define clib_error_return(e, args...)
static u32 svm_fifo_max_write_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be written.
struct _stream_session_t stream_session_t
#define vlib_call_init_function(vm, x)
static u8 * svm_fifo_head(svm_fifo_t *f)
static u32 svm_fifo_max_read_chunk(svm_fifo_t *f)
Max contiguous chunk of data that can be read.
int tls_init_ca_chain(void)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
int tls_notify_app_connected(tls_ctx_t *ctx, u8 is_failed)
tls_ctx_t * openssl_ctx_get(u32 ctx_index)
int openssl_resume_handler(tls_ctx_t *ctx, stream_session_t *tls_session)
const char test_srv_crt_rsa[]
static int openssl_ctx_write(tls_ctx_t *ctx, stream_session_t *app_session)
static int openssl_ctx_init_client(tls_ctx_t *ctx)
static_always_inline uword vlib_get_thread_index(void)
openssl_ctx_t *** ctx_pool
#define clib_warning(format, args...)
#define SESSION_INVALID_HANDLE
static openssl_main_t openssl_main
struct _application application_t
#define TLS_DBG(_fmt, _args...)
void tls_register_engine(const tls_engine_vft_t *vft, tls_engine_type_t type)
#define VLIB_CLI_COMMAND(x,...)
#define pool_put_index(p, i)
Free pool element with given index.
static clib_error_t * tls_openssl_init(vlib_main_t *vm)
static int openssl_try_handshake_read(openssl_ctx_t *oc, stream_session_t *tls_session)
static void * clib_mem_alloc(uword size)
tls_ctx_t * openssl_ctx_get_w_thread(u32 ctx_index, u8 thread_index)
static int openssl_ctx_init_server(tls_ctx_t *ctx)
int svm_fifo_dequeue_drop(svm_fifo_t *f, u32 max_bytes)
openssl_tls_callback_t * vpp_add_async_pending_event(tls_ctx_t *ctx, openssl_resume_handler *handler)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
application_t * application_get(u32 index)
int tls_add_vpp_q_evt(svm_fifo_t *f, u8 evt_type)
int tls_notify_app_accept(tls_ctx_t *ctx)
static vlib_thread_main_t * vlib_get_thread_main()
static int openssl_ctx_read(tls_ctx_t *ctx, stream_session_t *tls_session)
int openssl_ctx_handshake_rx(tls_ctx_t *ctx, stream_session_t *tls_session)
static clib_error_t * tls_init(vlib_main_t *vm)