16 #include <mbedtls/ssl.h> 17 #include <mbedtls/certs.h> 18 #include <mbedtls/entropy.h> 19 #include <mbedtls/ctr_drbg.h> 20 #include <mbedtls/timing.h> 21 #include <mbedtls/debug.h> 23 #include <vpp/app/version.h> 26 #define TLS_USE_OUR_MEM_FUNCS 0 32 mbedtls_ssl_context
ssl;
50 #if TLS_USE_OUR_MEM_FUNCS 51 #include <mbedtls/platform.h> 54 mbedtls_calloc_fn (
size_t n,
size_t size)
63 mbedtls_free_fn (
void *ptr)
82 (*ctx)->ctx.c_thread_index = thread_index;
84 (*ctx)->mbedtls_ctx_index = ctx - tm->
ctx_pool[thread_index];
85 return ((*ctx)->mbedtls_ctx_index);
94 mbedtls_ssl_close_notify (&mc->
ssl);
95 if (mc->
ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
97 mbedtls_x509_crt_free (&mc->
srvcert);
98 mbedtls_pk_free (&mc->
pkey);
100 mbedtls_ssl_free (&mc->
ssl);
101 mbedtls_ssl_config_free (&mc->
conf);
131 pers =
format (0,
"vpp thread %u", thread_index);
134 mbedtls_ctr_drbg_init (&mbedtls_main.
ctr_drbgs[thread_index]);
135 if ((rv = mbedtls_ctr_drbg_seed (&tm->
ctr_drbgs[thread_index],
136 mbedtls_entropy_func,
138 (
const unsigned char *) pers,
142 TLS_DBG (1,
" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", rv);
149 mbedtls_ctr_drbg_context *
155 return &mbedtls_main.
ctr_drbgs[thread_index];
171 return MBEDTLS_ERR_SSL_WANT_WRITE;
188 return (rv < 0) ? 0 : rv;
196 fprintf ((FILE *) ctx,
"%s:%04d: %s", file, line, str);
197 fflush ((FILE *) ctx);
211 mbedtls_ssl_init (&mc->
ssl);
212 mbedtls_ssl_config_init (&mc->
conf);
213 if ((rv = mbedtls_ssl_config_defaults (&mc->
conf, MBEDTLS_SSL_IS_CLIENT,
214 MBEDTLS_SSL_TRANSPORT_STREAM,
215 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
217 TLS_DBG (1,
"failed\n ! mbedtls_ssl_config_defaults returned %d\n\n",
222 mbedtls_ssl_conf_authmode (&mc->
conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
224 mbedtls_ssl_conf_rng (&mc->
conf, mbedtls_ctr_drbg_random,
228 if ((rv = mbedtls_ssl_setup (&mc->
ssl, &mc->
conf)) != 0)
230 TLS_DBG (1,
"failed\n ! mbedtls_ssl_setup returned %d\n", rv);
234 if ((rv = mbedtls_ssl_set_hostname (&mc->
ssl,
237 TLS_DBG (1,
"failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv);
248 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
250 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
252 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
256 TLS_DBG (2,
"tls state for [%u]%u is %u", ctx->c_thread_index,
282 mbedtls_ssl_init (&mc->
ssl);
283 mbedtls_ssl_config_init (&mc->
conf);
284 mbedtls_x509_crt_init (&mc->
srvcert);
285 mbedtls_pk_init (&mc->
pkey);
293 TLS_DBG (1,
" failed\n ! tls cert and/or key not configured %d",
294 ctx->parent_app_index);
298 rv = mbedtls_x509_crt_parse (&mc->
srvcert,
299 (
const unsigned char *) app->
tls_cert,
303 TLS_DBG (1,
" failed\n ! mbedtls_x509_crt_parse returned %d", rv);
307 rv = mbedtls_pk_parse_key (&mc->
pkey,
308 (
const unsigned char *) app->
tls_key,
312 TLS_DBG (1,
" failed\n ! mbedtls_pk_parse_key returned %d", rv);
319 if ((rv = mbedtls_ssl_config_defaults (&mc->
conf, MBEDTLS_SSL_IS_SERVER,
320 MBEDTLS_SSL_TRANSPORT_STREAM,
321 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
323 TLS_DBG (1,
" failed\n ! mbedtls_ssl_config_defaults returned %d", rv);
327 mbedtls_ssl_conf_rng (&mc->
conf, mbedtls_ctr_drbg_random,
338 if ((rv = mbedtls_ssl_conf_own_cert (&mc->
conf, &mc->
srvcert, &mc->
pkey))
341 TLS_DBG (1,
" failed\n ! mbedtls_ssl_conf_own_cert returned %d", rv);
345 if ((rv = mbedtls_ssl_setup (&mc->
ssl, &mc->
conf)) != 0)
347 TLS_DBG (1,
" failed\n ! mbedtls_ssl_setup returned %d", rv);
351 mbedtls_ssl_session_reset (&mc->
ssl);
359 TLS_DBG (1,
"Initiating handshake for [%u]%u", ctx->c_thread_index,
361 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
363 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
368 TLS_DBG (2,
"tls state for [%u]%u is %u", ctx->c_thread_index,
382 while (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
384 rv = mbedtls_ssl_handshake_step (&mc->
ssl);
390 if (mc->
ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
396 if (mc->
ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
401 if ((flags = mbedtls_ssl_get_verify_result (&mc->
ssl)) != 0)
405 mbedtls_x509_crt_verify_info (buf,
sizeof (buf),
" ! ", flags);
424 TLS_DBG (1,
"Handshake for %u complete. TLS cipher is %x",
433 u8 thread_index = ctx->c_thread_index;
435 u32 enq_max, deq_max, deq_now;
439 ASSERT (mc->
ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
459 wrote = mbedtls_ssl_write (&mc->
ssl, mm->
tx_bufs[thread_index], deq_now);
470 if (deq_now < deq_max)
481 u8 thread_index = ctx->c_thread_index;
482 u32 deq_max, enq_max, enq_now;
507 read = mbedtls_ssl_read (&mc->
ssl, mm->
rx_bufs[thread_index], enq_now);
532 return (mc->
ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER);
552 #if TLS_USE_OUR_MEM_FUNCS 553 mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn);
566 for (i = 0; i < num_threads; i++)
581 clib_warning (
"Could not initialize TLS CA certificates");
585 mbedtls_x509_crt_init (&mm->
cacert);
589 clib_warning (
"Couldn't parse system CA certificates: -0x%x", -rv);
593 rv = mbedtls_x509_crt_parse (&mm->
cacert,
598 clib_warning (
"Couldn't parse test certificate: -0x%x", -rv);
602 return (rv < 0 ? -1 : 0);
630 clib_warning (
"failed to initialize entropy and random generators");
646 .version = VPP_BUILD_VER,
647 .description =
"Transport Layer Security (TLS) Engine, Mbedtls Based",