diff options
author | Nathan Skrzypczak <nathan.skrzypczak@gmail.com> | 2019-11-12 16:41:00 +0100 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-11-26 19:12:32 +0000 |
commit | c298f3760228ad7846d40b6850a777ca5e5c5117 (patch) | |
tree | 9ec806ff6ec27a15af3836fb2c1e197d8dccc8b9 /src/plugins/quic/quic.c | |
parent | be2ad0b4743ed8a3875a5b6039c10c66eb07614c (diff) |
quic: Refactor for crypto contexts
Type: refactor
Change-Id: I5ec7079d34826edd7a3048ae1d44037386f5d3ff
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Diffstat (limited to 'src/plugins/quic/quic.c')
-rw-r--r-- | src/plugins/quic/quic.c | 267 |
1 files changed, 113 insertions, 154 deletions
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c index de7ea536094..3cc26d9a351 100644 --- a/src/plugins/quic/quic.c +++ b/src/plugins/quic/quic.c @@ -32,13 +32,115 @@ static char *quic_error_strings[] = { #define quic_error(n,s) s, -#include "quic_error.def" +#include <plugins/quic/quic_error.def> #undef quic_error }; static quic_main_t quic_main; static void quic_update_timer (quic_ctx_t * ctx); static int quic_check_quic_session_connected (quic_ctx_t * ctx); +static quicly_stream_open_t on_stream_open; +static quicly_closed_by_peer_t on_closed_by_peer; +static quicly_now_t quicly_vpp_now_cb; + +static int +quic_store_quicly_ctx (application_t * app, u32 ckpair_index, + u8 crypto_engine) +{ + quic_main_t *qm = &quic_main; + quicly_context_t *quicly_ctx; + ptls_iovec_t key_vec; + app_cert_key_pair_t *ckpair; + u64 max_enq; + if (app->quicly_ctx) + return 0; + + if (crypto_engine == CRYPTO_ENGINE_NONE) + { + QUIC_DBG (2, "No crypto engine specified, using %d", crypto_engine); + crypto_engine = qm->default_crypto_engine; + } + if (!clib_bitmap_get (qm->available_crypto_engines, crypto_engine)) + { + QUIC_DBG (1, "Quic does not support crypto engine %d", crypto_engine); + return VNET_API_ERROR_MISSING_CERT_KEY; + } + + quicly_ctx_data_t *quicly_ctx_data = + clib_mem_alloc (sizeof (quicly_ctx_data_t)); + clib_memset (quicly_ctx_data, 0, sizeof (*quicly_ctx_data)); /* picotls depends on this */ + quicly_ctx = &quicly_ctx_data->quicly_ctx; + ptls_context_t *ptls_ctx = &quicly_ctx_data->ptls_ctx; + ptls_ctx->random_bytes = ptls_openssl_random_bytes; + ptls_ctx->get_time = &ptls_get_time; + ptls_ctx->key_exchanges = ptls_openssl_key_exchanges; + ptls_ctx->cipher_suites = qm->quic_ciphers[crypto_engine]; + ptls_ctx->certificates.list = NULL; + ptls_ctx->certificates.count = 0; + ptls_ctx->esni = NULL; + ptls_ctx->on_client_hello = NULL; + ptls_ctx->emit_certificate = NULL; + ptls_ctx->sign_certificate = NULL; + ptls_ctx->verify_certificate = NULL; + ptls_ctx->ticket_lifetime = 86400; + ptls_ctx->max_early_data_size = 8192; + ptls_ctx->hkdf_label_prefix__obsolete = NULL; + ptls_ctx->require_dhe_on_psk = 1; + ptls_ctx->encrypt_ticket = &qm->session_cache.super; + + app->quicly_ctx = (u64 *) quicly_ctx; + clib_memcpy (quicly_ctx, &quicly_spec_context, sizeof (quicly_context_t)); + + quicly_ctx->max_packet_size = QUIC_MAX_PACKET_SIZE; + quicly_ctx->tls = ptls_ctx; + quicly_ctx->stream_open = &on_stream_open; + quicly_ctx->closed_by_peer = &on_closed_by_peer; + quicly_ctx->now = &quicly_vpp_now_cb; + quicly_amend_ptls_context (quicly_ctx->tls); + + quicly_ctx->transport_params.max_data = QUIC_INT_MAX; + quicly_ctx->transport_params.max_streams_uni = (uint64_t) 1 << 60; + quicly_ctx->transport_params.max_streams_bidi = (uint64_t) 1 << 60; + + /* max_enq is FIFO_SIZE - 1 */ + max_enq = app->sm_properties.rx_fifo_size - 1; + quicly_ctx->transport_params.max_stream_data.bidi_local = max_enq; + max_enq = app->sm_properties.tx_fifo_size - 1; + quicly_ctx->transport_params.max_stream_data.bidi_remote = max_enq; + quicly_ctx->transport_params.max_stream_data.uni = QUIC_INT_MAX; + + quicly_ctx->tls->random_bytes (quicly_ctx_data->cid_key, 16); + quicly_ctx_data->cid_key[16] = 0; + key_vec = ptls_iovec_init (quicly_ctx_data->cid_key, + strlen (quicly_ctx_data->cid_key)); + quicly_ctx->cid_encryptor = + quicly_new_default_cid_encryptor (&ptls_openssl_bfecb, + &ptls_openssl_aes128ecb, + &ptls_openssl_sha256, key_vec); + + ckpair = app_cert_key_pair_get_if_valid (ckpair_index); + if (!ckpair || !ckpair->key || !ckpair->cert) + { + QUIC_DBG (1, "Wrong ckpair id %d\n", ckpair_index); + goto error; + } + if (load_bio_private_key (quicly_ctx->tls, (char *) ckpair->key)) + { + QUIC_DBG (1, "failed to read private key from app configuration\n"); + goto error; + } + if (load_bio_certificate_chain (quicly_ctx->tls, (char *) ckpair->cert)) + { + QUIC_DBG (1, "failed to load certificate\n"); + goto error; + } + return 0; + +error: + clib_mem_free (quicly_ctx_data); + return VNET_API_ERROR_MISSING_CERT_KEY; +} + /* Helper functions */ @@ -719,9 +821,6 @@ quic_on_closed_by_peer (quicly_closed_by_peer_t * self, quicly_conn_t * conn, session_transport_closing_notify (&ctx->connection); } -static quicly_stream_open_t on_stream_open = { quic_on_stream_open }; -static quicly_closed_by_peer_t on_closed_by_peer = { quic_on_closed_by_peer }; - /* Timer handling */ static int64_t @@ -737,8 +836,6 @@ quic_get_time (quicly_now_t * self) return quic_get_thread_time (thread_index); } -static quicly_now_t quicly_vpp_now_cb = { quic_get_time }; - static u32 quic_set_time_now (u32 thread_index) { @@ -842,149 +939,6 @@ quic_expired_timers_dispatch (u32 * expired_timers) } } -static int -quic_encrypt_ticket_cb (ptls_encrypt_ticket_t * _self, ptls_t * tls, - int is_encrypt, ptls_buffer_t * dst, ptls_iovec_t src) -{ - quic_session_cache_t *self = (void *) _self; - int ret; - - if (is_encrypt) - { - - /* replace the cached entry along with a newly generated session id */ - clib_mem_free (self->data.base); - if ((self->data.base = clib_mem_alloc (src.len)) == NULL) - return PTLS_ERROR_NO_MEMORY; - - ptls_get_context (tls)->random_bytes (self->id, sizeof (self->id)); - clib_memcpy (self->data.base, src.base, src.len); - self->data.len = src.len; - - /* store the session id in buffer */ - if ((ret = ptls_buffer_reserve (dst, sizeof (self->id))) != 0) - return ret; - clib_memcpy (dst->base + dst->off, self->id, sizeof (self->id)); - dst->off += sizeof (self->id); - - } - else - { - - /* check if session id is the one stored in cache */ - if (src.len != sizeof (self->id)) - return PTLS_ERROR_SESSION_NOT_FOUND; - if (clib_memcmp (self->id, src.base, sizeof (self->id)) != 0) - return PTLS_ERROR_SESSION_NOT_FOUND; - - /* return the cached value */ - if ((ret = ptls_buffer_reserve (dst, self->data.len)) != 0) - return ret; - clib_memcpy (dst->base + dst->off, self->data.base, self->data.len); - dst->off += self->data.len; - } - - return 0; -} - -static int -quic_store_quicly_ctx (application_t * app, u32 ckpair_index, - u8 crypto_engine) -{ - quic_main_t *qm = &quic_main; - quicly_context_t *quicly_ctx; - ptls_iovec_t key_vec; - app_cert_key_pair_t *ckpair; - u64 max_enq; - if (app->quicly_ctx) - return 0; - - if (crypto_engine == CRYPTO_ENGINE_NONE) - { - QUIC_DBG (2, "No crypto engine specified, using %d", crypto_engine); - crypto_engine = qm->default_crypto_engine; - } - if (!clib_bitmap_get (qm->available_crypto_engines, crypto_engine)) - { - QUIC_ERR ("Quic does not support crypto engine %d", crypto_engine); - return VNET_API_ERROR_MISSING_CERT_KEY; - } - - quicly_ctx_data_t *quicly_ctx_data = - clib_mem_alloc (sizeof (quicly_ctx_data_t)); - clib_memset (quicly_ctx_data, 0, sizeof (*quicly_ctx_data)); /* picotls depends on this */ - quicly_ctx = &quicly_ctx_data->quicly_ctx; - ptls_context_t *ptls_ctx = &quicly_ctx_data->ptls_ctx; - ptls_ctx->random_bytes = ptls_openssl_random_bytes; - ptls_ctx->get_time = &ptls_get_time; - ptls_ctx->key_exchanges = ptls_openssl_key_exchanges; - ptls_ctx->cipher_suites = qm->quic_ciphers[crypto_engine]; - ptls_ctx->certificates.list = NULL; - ptls_ctx->certificates.count = 0; - ptls_ctx->esni = NULL; - ptls_ctx->on_client_hello = NULL; - ptls_ctx->emit_certificate = NULL; - ptls_ctx->sign_certificate = NULL; - ptls_ctx->verify_certificate = NULL; - ptls_ctx->ticket_lifetime = 86400; - ptls_ctx->max_early_data_size = 8192; - ptls_ctx->hkdf_label_prefix__obsolete = NULL; - ptls_ctx->require_dhe_on_psk = 1; - ptls_ctx->encrypt_ticket = &qm->session_cache.super; - - app->quicly_ctx = (u64 *) quicly_ctx; - clib_memcpy (quicly_ctx, &quicly_spec_context, sizeof (quicly_context_t)); - - quicly_ctx->max_packet_size = QUIC_MAX_PACKET_SIZE; - quicly_ctx->tls = ptls_ctx; - quicly_ctx->stream_open = &on_stream_open; - quicly_ctx->closed_by_peer = &on_closed_by_peer; - quicly_ctx->now = &quicly_vpp_now_cb; - quicly_amend_ptls_context (quicly_ctx->tls); - - quicly_ctx->transport_params.max_data = QUIC_INT_MAX; - quicly_ctx->transport_params.max_streams_uni = (uint64_t) 1 << 60; - quicly_ctx->transport_params.max_streams_bidi = (uint64_t) 1 << 60; - - /* max_enq is FIFO_SIZE - 1 */ - max_enq = app->sm_properties.rx_fifo_size - 1; - quicly_ctx->transport_params.max_stream_data.bidi_local = max_enq; - max_enq = app->sm_properties.tx_fifo_size - 1; - quicly_ctx->transport_params.max_stream_data.bidi_remote = max_enq; - quicly_ctx->transport_params.max_stream_data.uni = QUIC_INT_MAX; - - quicly_ctx->tls->random_bytes (quicly_ctx_data->cid_key, 16); - quicly_ctx_data->cid_key[16] = 0; - key_vec = ptls_iovec_init (quicly_ctx_data->cid_key, - strlen (quicly_ctx_data->cid_key)); - quicly_ctx->cid_encryptor = - quicly_new_default_cid_encryptor (&ptls_openssl_bfecb, - &ptls_openssl_aes128ecb, - &ptls_openssl_sha256, key_vec); - - ckpair = app_cert_key_pair_get_if_valid (ckpair_index); - if (!ckpair || !ckpair->key || !ckpair->cert) - { - QUIC_ERR ("Wrong ckpair id %d\n", ckpair_index); - goto error; - } - if (load_bio_private_key (quicly_ctx->tls, (char *) ckpair->key)) - { - QUIC_ERR ("failed to read private key from app configuration\n"); - goto error; - } - if (load_bio_certificate_chain (quicly_ctx->tls, (char *) ckpair->cert)) - { - QUIC_ERR ("failed to load certificate\n"); - goto error; - } - return 0; - -error: - clib_mem_free (quicly_ctx_data); - return VNET_API_ERROR_MISSING_CERT_KEY; -} - /* Transport proto functions */ static int @@ -1099,11 +1053,12 @@ quic_connect_connection (session_endpoint_cfg_t * sep) app_worker_t *app_wrk; application_t *app; u32 ctx_index; + u32 thread_index = vlib_get_thread_index (); int error; clib_memset (cargs, 0, sizeof (*cargs)); - ctx_index = quic_ctx_alloc (vlib_get_thread_index ()); - ctx = quic_ctx_get (ctx_index, vlib_get_thread_index ()); + ctx_index = quic_ctx_alloc (thread_index); + ctx = quic_ctx_get (ctx_index, thread_index); ctx->parent_app_wrk_id = sep->app_wrk_index; ctx->c_s_index = QUIC_SESSION_INVALID; ctx->c_c_index = ctx_index; @@ -1215,6 +1170,7 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep) quic_ctx_t *lctx; u32 lctx_index; app_listener_t *app_listener; + int rv; sep = (session_endpoint_cfg_t *) tep; app_wrk = app_worker_get (sep->app_wrk_index); @@ -1232,8 +1188,8 @@ quic_start_listen (u32 quic_listen_session_index, transport_endpoint_t * tep) args->app_index = qm->app_index; args->sep_ext = *sep; args->sep_ext.ns_index = app->ns_index; - if (vnet_listen (args)) - return -1; + if ((rv = vnet_listen (args))) + return rv; lctx_index = quic_ctx_alloc (0); udp_handle = args->handle; @@ -1480,7 +1436,6 @@ quic_receive_connection (void *arg) QUIC_DBG (2, "Received conn %u (now %u)", temp_ctx->c_thread_index, new_ctx_id); - clib_memcpy (new_ctx, temp_ctx, sizeof (quic_ctx_t)); clib_mem_free (temp_ctx); @@ -2150,6 +2105,10 @@ static const transport_proto_vft_t quic_proto = { }; /* *INDENT-ON* */ +static quicly_stream_open_t on_stream_open = { quic_on_stream_open }; +static quicly_closed_by_peer_t on_closed_by_peer = { quic_on_closed_by_peer }; +static quicly_now_t quicly_vpp_now_cb = { quic_get_time }; + static void quic_register_cipher_suite (crypto_engine_type_t type, ptls_cipher_suite_t ** ciphers) |