summaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
authorSimon Zhang <yuwei1.zhang@intel.com>2019-10-14 19:41:51 +0800
committerFlorin Coras <florin.coras@gmail.com>2019-11-10 18:44:44 +0000
commitf83194c2f45bcc736edc8246b510a29c1df15756 (patch)
tree15ce3276d4cf42ec2e2c990d273078d191775bfd /src/plugins
parentaa43914df656bbd7340b8dbd68f23f8fe0aabfd5 (diff)
tls: picotls engine basic enabling for TLS
Type: feature Change-Id: I700d999771d837604dd0571741f4f0bcbec82403 Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/tlspicotls/CMakeLists.txt27
-rw-r--r--src/plugins/tlspicotls/certs.c200
-rw-r--r--src/plugins/tlspicotls/certs.h31
-rw-r--r--src/plugins/tlspicotls/tls_picotls.c580
-rw-r--r--src/plugins/tlspicotls/tls_picotls.h40
5 files changed, 878 insertions, 0 deletions
diff --git a/src/plugins/tlspicotls/CMakeLists.txt b/src/plugins/tlspicotls/CMakeLists.txt
new file mode 100644
index 00000000000..ba01278acad
--- /dev/null
+++ b/src/plugins/tlspicotls/CMakeLists.txt
@@ -0,0 +1,27 @@
+include (CheckFunctionExists)
+
+message(STATUS "Looking for picotls")
+
+
+find_path (PICOTLS_INCLUDE_DIR NAMES picotls.h)
+find_library (PICOTLS_CORE_LIBRARY NAMES "libpicotls-core.a")
+find_library (PICOTLS_OPENSSL_LIBRARY NAMES "libpicotls-openssl.a")
+
+list (APPEND PICOTLS_LINK_LIBRARIES
+ ${PICOTLS_CORE_LIBRARY}
+ ${PICOTLS_OPENSSL_LIBRARY}
+)
+
+if (PICOTLS_INCLUDE_DIR AND PICOTLS_LINK_LIBRARIES)
+ include_directories (${PICOTLS_INCLUDE_DIR})
+ add_vpp_plugin(tlspicotls
+ SOURCES
+ tls_picotls.c
+ certs.c
+
+ LINK_LIBRARIES ${PICOTLS_LINK_LIBRARIES}
+ )
+ message (STATUS "Found picotls in ${PICOTLS_INCLUDE_DIR} and ${PICOTLS_CORE_LIBRARY}")
+else ()
+ message (WARNING "-- picotls not found")
+endif ()
diff --git a/src/plugins/tlspicotls/certs.c b/src/plugins/tlspicotls/certs.c
new file mode 100644
index 00000000000..aef5cc419ba
--- /dev/null
+++ b/src/plugins/tlspicotls/certs.c
@@ -0,0 +1,200 @@
+#include <openssl/pem.h>
+#include <vppinfra/error.h>
+#include "certs.h"
+
+int
+ptls_compare_separator_line (const char *line, const char *begin_or_end,
+ const char *label)
+{
+ int ret = strncmp (line, "-----", 5);
+ size_t text_index = 5;
+
+ if (ret == 0)
+ {
+ size_t begin_or_end_length = strlen (begin_or_end);
+ ret = strncmp (line + text_index, begin_or_end, begin_or_end_length);
+ text_index += begin_or_end_length;
+ }
+
+ if (ret == 0)
+ {
+ ret = line[text_index] - ' ';
+ text_index++;
+ }
+
+ if (ret == 0)
+ {
+ size_t label_length = strlen (label);
+ ret = strncmp (line + text_index, label, label_length);
+ text_index += label_length;
+ }
+
+ if (ret == 0)
+ {
+ ret = strncmp (line + text_index, "-----", 5);
+ }
+
+ return ret;
+}
+
+int
+ptls_get_bio_pem_object (BIO * bio, const char *label, ptls_buffer_t * buf)
+{
+ int ret = PTLS_ERROR_PEM_LABEL_NOT_FOUND;
+ char line[256];
+ ptls_base64_decode_state_t state;
+
+ /* Get the label on a line by itself */
+ while (BIO_gets (bio, line, 256))
+ {
+ if (ptls_compare_separator_line (line, "BEGIN", label) == 0)
+ {
+ ret = 0;
+ ptls_base64_decode_init (&state);
+ break;
+ }
+ }
+ /* Get the data in the buffer */
+ while (ret == 0 && BIO_gets (bio, line, 256))
+ {
+ if (ptls_compare_separator_line (line, "END", label) == 0)
+ {
+ if (state.status == PTLS_BASE64_DECODE_DONE
+ || (state.status == PTLS_BASE64_DECODE_IN_PROGRESS
+ && state.nbc == 0))
+ {
+ ret = 0;
+ }
+ else
+ {
+ ret = PTLS_ERROR_INCORRECT_BASE64;
+ }
+ break;
+ }
+ else
+ {
+ ret = ptls_base64_decode (line, &state, buf);
+ }
+ }
+
+ return ret;
+}
+
+int
+ptls_load_bio_pem_objects (BIO * bio, const char *label, ptls_iovec_t * list,
+ size_t list_max, size_t * nb_objects)
+{
+ int ret = 0;
+ size_t count = 0;
+
+ *nb_objects = 0;
+
+ if (ret == 0)
+ {
+ while (count < list_max)
+ {
+ ptls_buffer_t buf;
+
+ ptls_buffer_init (&buf, "", 0);
+
+ ret = ptls_get_bio_pem_object (bio, label, &buf);
+
+ if (ret == 0)
+ {
+ if (buf.off > 0 && buf.is_allocated)
+ {
+ list[count].base = buf.base;
+ list[count].len = buf.off;
+ count++;
+ }
+ else
+ {
+ ptls_buffer_dispose (&buf);
+ }
+ }
+ else
+ {
+ ptls_buffer_dispose (&buf);
+ break;
+ }
+ }
+ }
+
+ if (ret == PTLS_ERROR_PEM_LABEL_NOT_FOUND && count > 0)
+ {
+ ret = 0;
+ }
+
+ *nb_objects = count;
+
+ return ret;
+}
+
+#define PTLS_MAX_CERTS_IN_CONTEXT 16
+
+int
+ptls_load_bio_certificates (ptls_context_t * ctx, BIO * bio)
+{
+ int ret = 0;
+
+ ctx->certificates.list =
+ (ptls_iovec_t *) malloc (PTLS_MAX_CERTS_IN_CONTEXT *
+ sizeof (ptls_iovec_t));
+
+ if (ctx->certificates.list == NULL)
+ {
+ ret = PTLS_ERROR_NO_MEMORY;
+ }
+ else
+ {
+ ret =
+ ptls_load_bio_pem_objects (bio, "CERTIFICATE", ctx->certificates.list,
+ PTLS_MAX_CERTS_IN_CONTEXT,
+ &ctx->certificates.count);
+ }
+
+ return ret;
+}
+
+int
+load_bio_certificate_chain (ptls_context_t * ctx, const char *cert_data)
+{
+ BIO *cert_bio;
+ cert_bio = BIO_new_mem_buf (cert_data, -1);
+ if (ptls_load_bio_certificates (ctx, cert_bio) != 0)
+ {
+ BIO_free (cert_bio);
+ return -1;
+ }
+ BIO_free (cert_bio);
+ return 0;
+}
+
+int
+load_bio_private_key (ptls_context_t * ctx, const char *pk_data)
+{
+ static ptls_openssl_sign_certificate_t sc;
+ EVP_PKEY *pkey;
+ BIO *key_bio;
+
+ key_bio = BIO_new_mem_buf (pk_data, -1);
+ pkey = PEM_read_bio_PrivateKey (key_bio, NULL, NULL, NULL);
+ BIO_free (key_bio);
+
+ if (pkey == NULL)
+ return -1;
+
+ ptls_openssl_init_sign_certificate (&sc, pkey);
+ EVP_PKEY_free (pkey);
+
+ ctx->sign_certificate = &sc.super;
+ return 0;
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/tlspicotls/certs.h b/src/plugins/tlspicotls/certs.h
new file mode 100644
index 00000000000..475a84ade32
--- /dev/null
+++ b/src/plugins/tlspicotls/certs.h
@@ -0,0 +1,31 @@
+#ifndef __included_certs_h__
+#define __included_certs_h__
+
+#include <picotls/openssl.h>
+#include <picotls/pembase64.h>
+
+int ptls_compare_separator_line (const char *line, const char *begin_or_end,
+ const char *label);
+
+int ptls_get_bio_pem_object (BIO * bio, const char *label,
+ ptls_buffer_t * buf);
+
+int ptls_load_bio_pem_objects (BIO * bio, const char *label,
+ ptls_iovec_t * list, size_t list_max,
+ size_t * nb_objects);
+
+int ptls_load_bio_certificates (ptls_context_t * ctx, BIO * bio);
+
+int load_bio_certificate_chain (ptls_context_t * ctx, const char *cert_data);
+
+int load_bio_private_key (ptls_context_t * ctx, const char *pk_data);
+
+#endif /* __included_certs_h__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
new file mode 100644
index 00000000000..aa8203f22dc
--- /dev/null
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -0,0 +1,580 @@
+#include <math.h>
+
+#include "certs.h"
+#include "tls_picotls.h"
+
+picotls_main_t picotls_main;
+
+#define MAX_QUEUE 12000
+#define PTLS_MAX_PLAINTEXT_RECORD_SIZE 16384
+
+static u32
+picotls_ctx_alloc (void)
+{
+ u8 thread_id = vlib_get_thread_index ();
+ picotls_main_t *pm = &picotls_main;
+ picotls_ctx_t **ctx;
+
+ pool_get (pm->ctx_pool[thread_id], ctx);
+ if (!(*ctx))
+ *ctx = clib_mem_alloc (sizeof (picotls_ctx_t));
+
+ clib_memset (*ctx, 0, sizeof (picotls_ctx_t));
+ (*ctx)->ctx.c_thread_index = thread_id;
+ (*ctx)->ctx.tls_ctx_engine = CRYPTO_ENGINE_PICOTLS;
+ (*ctx)->ctx.app_session_handle = SESSION_INVALID_HANDLE;
+ (*ctx)->ptls_ctx_idx = ctx - pm->ctx_pool[thread_id];
+ return (*ctx)->ptls_ctx_idx;
+}
+
+static void
+picotls_ctx_free (tls_ctx_t * ctx)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ free (ptls_ctx->rx_content);
+ pool_put_index (picotls_main.ctx_pool[ctx->c_thread_index],
+ ptls_ctx->ptls_ctx_idx);
+}
+
+static u32
+picotls_listen_ctx_alloc (void)
+{
+ picotls_main_t *pm = &picotls_main;
+ picotls_listen_ctx_t *ptls_lctx;
+
+ pool_get (pm->lctx_pool, ptls_lctx);
+
+ clib_memset (ptls_lctx, 0, sizeof (picotls_listen_ctx_t));
+ ptls_lctx->ptls_lctx_index = ptls_lctx - pm->lctx_pool;
+ return ptls_lctx->ptls_lctx_index;
+}
+
+static void
+picotls_listen_ctx_free (picotls_listen_ctx_t * lctx)
+{
+ pool_put_index (picotls_main.lctx_pool, lctx->ptls_lctx_index);
+}
+
+tls_ctx_t *
+picotls_ctx_get (u32 ctx_index)
+{
+ picotls_ctx_t **ctx;
+ ctx =
+ pool_elt_at_index (picotls_main.ctx_pool[vlib_get_thread_index ()],
+ ctx_index);
+ return &(*ctx)->ctx;
+}
+
+picotls_listen_ctx_t *
+picotls_lctx_get (u32 lctx_index)
+{
+ return pool_elt_at_index (picotls_main.lctx_pool, lctx_index);
+}
+
+static u8
+picotls_handshake_is_over (tls_ctx_t * ctx)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ assert (ptls_ctx->tls);
+ return ptls_handshake_is_complete (ptls_ctx->tls);
+}
+
+static int
+picotls_try_handshake_write (picotls_ctx_t * ptls_ctx,
+ session_t * tls_session, ptls_buffer_t * buf)
+{
+ u32 enq_max, enq_now;
+ svm_fifo_t *f;
+ int write, buf_left;
+
+ if (buf->off <= 0)
+ return 0;
+
+ f = tls_session->tx_fifo;
+ buf_left = buf->off;
+ enq_max = svm_fifo_max_enqueue_prod (f);
+ if (!enq_max)
+ return 0;
+
+ enq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max);
+ enq_now = clib_min (enq_now, buf_left);
+ write = svm_fifo_enqueue (f, enq_now, buf->base);
+ buf_left -= write;
+ tls_add_vpp_q_tx_evt (tls_session);
+ return write;
+}
+
+static int
+picotls_start_listen (tls_ctx_t * lctx)
+{
+ picotls_listen_ctx_t *ptls_lctx;
+ ptls_context_t *ptls_ctx;
+ u32 ptls_lctx_idx;
+ app_cert_key_pair_t *ckpair;
+ static ptls_key_exchange_algorithm_t *key_exchange[] = {
+#ifdef PTLS_OPENSSL_HAVE_X25519
+ &ptls_openssl_x25519,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP256r1
+ &ptls_openssl_secp256r1,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP384r1
+ &ptls_openssl_secp384r1,
+#endif
+#ifdef PTLS_OPENSSL_HAVE_SECP521r1
+ &ptls_openssl_secp521r1
+#endif
+ };
+
+ ckpair = app_cert_key_pair_get_if_valid (lctx->ckpair_index);
+ if (!ckpair->cert || !ckpair->key)
+ {
+ TLS_DBG (1, "tls cert and/or key not configured %d",
+ ctx->parent_app_wrk_index);
+ return -1;
+ }
+
+ ptls_lctx_idx = picotls_listen_ctx_alloc ();
+ ptls_lctx = picotls_lctx_get (ptls_lctx_idx);
+ ptls_ctx = malloc (sizeof (ptls_context_t));
+ ptls_lctx->ptls_ctx = ptls_ctx;
+
+ memset (ptls_ctx, 0, sizeof (ptls_context_t));
+ ptls_ctx->update_open_count = NULL;
+
+ /*
+ * Process certificate & private key.
+ */
+ load_bio_certificate_chain (ptls_ctx, (char *) ckpair->cert);
+ load_bio_private_key (ptls_ctx, (char *) ckpair->key);
+
+ /* setup protocol related functions */
+ ptls_ctx->key_exchanges = key_exchange;
+ ptls_ctx->random_bytes = ptls_openssl_random_bytes;
+ ptls_ctx->cipher_suites = ptls_openssl_cipher_suites;
+ ptls_ctx->get_time = &ptls_get_time;
+
+ lctx->tls_ssl_ctx = ptls_lctx_idx;
+
+ return 0;
+}
+
+static int
+picotls_stop_listen (tls_ctx_t * lctx)
+{
+ u32 ptls_lctx_index;
+ picotls_listen_ctx_t *ptls_lctx;
+
+ ptls_lctx_index = lctx->tls_ssl_ctx;
+ ptls_lctx = picotls_lctx_get (ptls_lctx_index);
+
+ picotls_listen_ctx_free (ptls_lctx);
+
+ return 0;
+}
+
+static void
+picotls_handle_handshake_failure (tls_ctx_t * ctx)
+{
+ session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
+ ctx->no_app_session = 1;
+ ctx->c_s_index = SESSION_INVALID_INDEX;
+ tls_disconnect_transport (ctx);
+}
+
+static void
+picotls_confirm_app_close (tls_ctx_t * ctx)
+{
+ tls_disconnect_transport (ctx);
+ session_transport_closed_notify (&ctx->connection);
+}
+
+static int
+picotls_transport_close (tls_ctx_t * ctx)
+{
+ if (!picotls_handshake_is_over (ctx))
+ {
+ picotls_handle_handshake_failure (ctx);
+ return 0;
+ }
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ ptls_free (ptls_ctx->tls);
+ session_transport_closed_notify (&ctx->connection);
+ return 0;
+}
+
+static int
+picotls_app_close (tls_ctx_t * ctx)
+{
+ picotls_confirm_app_close (ctx);
+
+ return 0;
+}
+
+static inline int
+picotls_do_handshake (picotls_ctx_t * ptls_ctx, session_t * tls_session,
+ u8 * input, int input_len)
+{
+ ptls_t *tls = ptls_ctx->tls;
+ ptls_buffer_t buf;
+ int rv = PTLS_ERROR_IN_PROGRESS;
+ int write, off;
+
+ do
+ {
+ off = 0;
+ do
+ {
+ ptls_buffer_init (&buf, "", 0);
+ size_t consumed = input_len - off;
+ rv = ptls_handshake (tls, &buf, input + off, &consumed, NULL);
+ off += consumed;
+ if ((rv == 0 || rv == PTLS_ERROR_IN_PROGRESS) && buf.off != 0)
+ {
+ write =
+ picotls_try_handshake_write (ptls_ctx, tls_session, &buf);
+ }
+ ptls_buffer_dispose (&buf);
+ }
+ while (rv == PTLS_ERROR_IN_PROGRESS && input_len != off);
+ }
+ while (rv == PTLS_ERROR_IN_PROGRESS);
+
+ return write;
+}
+
+static inline int
+picotls_ctx_read (tls_ctx_t * ctx, session_t * tls_session)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ u8 *input;
+ int to_read, from_tls_len = 0, to_app_len = 0, crypto_len, ret;
+ u32 deq_max, deq_now;
+ u32 enq_max, enq_now;
+ ptls_buffer_t _buf, *buf = &_buf;
+ svm_fifo_t *tls_rx_fifo, *app_rx_fifo;
+ session_t *app_session;
+
+ tls_rx_fifo = tls_session->rx_fifo;
+
+ if (!picotls_handshake_is_over (ctx))
+ {
+ deq_max = svm_fifo_max_dequeue_cons (tls_rx_fifo);
+ input = malloc (deq_max);
+ memset (input, 0, deq_max);
+
+ deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (tls_rx_fifo));
+ if (!deq_now)
+ return 0;
+
+ from_tls_len += svm_fifo_dequeue (tls_rx_fifo, deq_now, input);
+ if (from_tls_len <= 0)
+ {
+ tls_add_vpp_q_builtin_rx_evt (tls_session);
+ return 0;
+ }
+ if (from_tls_len < deq_max)
+ {
+ deq_now =
+ clib_min (svm_fifo_max_read_chunk (tls_rx_fifo),
+ deq_max - from_tls_len);
+ from_tls_len +=
+ svm_fifo_dequeue (tls_rx_fifo, deq_now, input + from_tls_len);
+ }
+ picotls_do_handshake (ptls_ctx, tls_session, input, from_tls_len);
+ if (picotls_handshake_is_over (ctx))
+ tls_notify_app_accept (ctx);
+
+ free (input);
+ return 0;
+ }
+
+ app_session = session_get_from_handle (ctx->app_session_handle);
+ app_rx_fifo = app_session->rx_fifo;
+
+ ptls_buffer_init (buf, "", 0);
+
+ deq_max = svm_fifo_max_dequeue_cons (tls_rx_fifo);
+
+ if (!deq_max || deq_max > MAX_QUEUE - ptls_ctx->rx_len)
+ {
+ goto app_fifo;
+ }
+
+ deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (tls_rx_fifo));
+
+ from_tls_len =
+ svm_fifo_dequeue (tls_rx_fifo, deq_now,
+ ptls_ctx->rx_content + ptls_ctx->rx_len);
+ if (from_tls_len <= 0)
+ {
+ tls_add_vpp_q_builtin_rx_evt (tls_session);
+ goto app_fifo;
+ }
+ if (from_tls_len < deq_max)
+ {
+ deq_now =
+ clib_min (svm_fifo_max_read_chunk (tls_rx_fifo),
+ deq_max - from_tls_len);
+ from_tls_len +=
+ svm_fifo_dequeue (tls_rx_fifo, deq_now,
+ ptls_ctx->rx_content + ptls_ctx->rx_len +
+ from_tls_len);
+ }
+ ptls_ctx->rx_len += from_tls_len;
+
+app_fifo:
+ if (ptls_ctx->rx_len <= 0 || ptls_ctx->rx_offset == ptls_ctx->rx_len)
+ {
+ if (ptls_ctx->rx_len != 0)
+ {
+ ptls_ctx->rx_len = 0;
+ ptls_ctx->rx_offset = 0;
+ tls_add_vpp_q_builtin_rx_evt (tls_session);
+ }
+ return from_tls_len;
+ }
+
+ enq_max = svm_fifo_max_enqueue_prod (app_rx_fifo);
+ if (!enq_max)
+ {
+ tls_add_vpp_q_builtin_rx_evt (tls_session);
+ goto final;
+ }
+
+ crypto_len = clib_min (enq_max, ptls_ctx->rx_len - ptls_ctx->rx_offset);
+ crypto_len = clib_min (crypto_len, from_tls_len);
+ int off = 0;
+
+ do
+ {
+ size_t consumed = crypto_len - off;
+ ret =
+ ptls_receive (ptls_ctx->tls, buf,
+ ptls_ctx->rx_content + ptls_ctx->rx_offset + off,
+ &consumed);
+ off += consumed;
+ }
+ while (ret == 0 && off < crypto_len);
+
+ if (ret == 0)
+ {
+ ptls_ctx->rx_offset += crypto_len;
+
+ to_read = clib_min (enq_max, buf->off);
+ enq_now = clib_min (to_read, svm_fifo_max_write_chunk (app_rx_fifo));
+ to_app_len = svm_fifo_enqueue (app_rx_fifo, enq_now, buf->base);
+ if (to_app_len < buf->off)
+ {
+ enq_now =
+ clib_min (svm_fifo_max_write_chunk (app_rx_fifo),
+ buf->off - to_app_len);
+ to_app_len +=
+ svm_fifo_enqueue (app_rx_fifo, enq_now, buf->base + to_app_len);
+ }
+ }
+
+final:
+ ptls_buffer_dispose (buf);
+ if (ctx->app_closed)
+ {
+ picotls_confirm_app_close (ctx);
+ return from_tls_len;
+ }
+
+ tls_notify_app_enqueue (ctx, app_session);
+ return from_tls_len;
+}
+
+static inline int
+picotls_content_process (ptls_t * tls, svm_fifo_t * src_fifo,
+ svm_fifo_t * dst_fifo, int content_len,
+ int total_record_overhead, int is_no_copy)
+{
+ ptls_buffer_t _buf, *buf = &_buf;
+ int total_length = content_len + total_record_overhead;
+ int to_dst_len;
+ if (is_no_copy)
+ {
+ ptls_buffer_init (buf, svm_fifo_tail (dst_fifo), total_length);
+ ptls_send (tls, buf, svm_fifo_head (src_fifo), content_len);
+
+ assert (!buf->is_allocated);
+ assert (buf->base == svm_fifo_tail (dst_fifo));
+
+ svm_fifo_dequeue_drop (src_fifo, content_len);
+ svm_fifo_enqueue_nocopy (dst_fifo, buf->off);
+ to_dst_len = buf->off;
+ }
+ else
+ {
+ uint8_t *buf_content = malloc (total_length);
+ ptls_buffer_init (buf, buf_content, total_length);
+
+ ptls_send (tls, buf, svm_fifo_head (src_fifo), content_len);
+ svm_fifo_dequeue_drop (src_fifo, content_len);
+
+ to_dst_len = svm_fifo_enqueue (dst_fifo, buf->off, buf->base);
+ if (to_dst_len < buf->off)
+ to_dst_len +=
+ svm_fifo_enqueue (dst_fifo, buf->off - to_dst_len,
+ buf->base + to_dst_len);
+ ptls_buffer_dispose (buf);
+ }
+ return to_dst_len;
+}
+
+static inline int
+picotls_ctx_write (tls_ctx_t * ctx, session_t * app_session)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ u32 deq_max, deq_now;
+ u32 enq_max, enq_now;
+ int from_app_len = 0, to_tls_len = 0, is_nocopy = 0;
+ svm_fifo_t *tls_tx_fifo, *app_tx_fifo;
+ session_t *tls_session;
+
+ int record_overhead = ptls_get_record_overhead (ptls_ctx->tls);
+ int num_records, total_overhead;
+
+ tls_session = session_get_from_handle (ctx->tls_session_handle);
+ tls_tx_fifo = tls_session->tx_fifo;
+ app_tx_fifo = app_session->tx_fifo;
+
+ deq_max = svm_fifo_max_dequeue_cons (app_tx_fifo);
+ if (!deq_max)
+ return deq_max;
+ deq_now = clib_min (deq_max, svm_fifo_max_read_chunk (app_tx_fifo));
+
+ enq_max = svm_fifo_max_enqueue_prod (tls_tx_fifo);
+
+ /** There is no engough enqueue space for one record **/
+ if (enq_max < record_overhead)
+ {
+ tls_add_vpp_q_builtin_tx_evt (app_session);
+ return 0;
+ }
+
+ enq_now = clib_min (enq_max, svm_fifo_max_write_chunk (tls_tx_fifo));
+
+ /** Allowed to execute no-copy crypto operation **/
+ if (enq_now > record_overhead)
+ {
+ is_nocopy = 1;
+ from_app_len = clib_min (deq_now, enq_now);
+ num_records =
+ ceil ((f64) from_app_len / PTLS_MAX_PLAINTEXT_RECORD_SIZE);
+ total_overhead = num_records * record_overhead;
+ if (from_app_len + total_overhead > enq_now)
+ from_app_len = enq_now - total_overhead;
+
+
+ }
+ else
+ {
+ from_app_len = clib_min (deq_now, enq_max);
+ num_records =
+ ceil ((f64) from_app_len / PTLS_MAX_PLAINTEXT_RECORD_SIZE);
+ total_overhead = num_records * record_overhead;
+ if (from_app_len + total_overhead > enq_max)
+ from_app_len = enq_max - total_overhead;
+
+ }
+
+ to_tls_len =
+ picotls_content_process (ptls_ctx->tls, app_tx_fifo, tls_tx_fifo,
+ from_app_len, total_overhead, is_nocopy);
+
+ if (svm_fifo_needs_deq_ntf (app_tx_fifo, from_app_len))
+ session_dequeue_notify (app_session);
+
+ if (to_tls_len)
+ tls_add_vpp_q_tx_evt (tls_session);
+ tls_add_vpp_q_builtin_tx_evt (app_session);
+
+ return 0;
+}
+
+static int
+picotls_ctx_init_server (tls_ctx_t * ctx)
+{
+ picotls_ctx_t *ptls_ctx = (picotls_ctx_t *) ctx;
+ u32 ptls_lctx_idx = ctx->tls_ssl_ctx;
+ picotls_listen_ctx_t *ptls_lctx;
+
+ ptls_lctx = picotls_lctx_get (ptls_lctx_idx);
+ ptls_ctx->tls = ptls_new (ptls_lctx->ptls_ctx, 1);
+ if (ptls_ctx->tls == NULL)
+ {
+ TLS_DBG (1, "Failed to initialize ptls_ssl structure");
+ return -1;
+ }
+
+ ptls_ctx->rx_len = 0;
+ ptls_ctx->rx_offset = 0;
+
+ ptls_ctx->rx_content = malloc (MAX_QUEUE);
+
+ return 0;
+}
+
+tls_ctx_t *
+picotls_ctx_get_w_thread (u32 ctx_index, u8 thread_index)
+{
+ picotls_ctx_t **ctx;
+ ctx = pool_elt_at_index (picotls_main.ctx_pool[thread_index], ctx_index);
+ return &(*ctx)->ctx;
+}
+
+const static tls_engine_vft_t picotls_engine = {
+ .ctx_alloc = picotls_ctx_alloc,
+ .ctx_free = picotls_ctx_free,
+ .ctx_get = picotls_ctx_get,
+ .ctx_get_w_thread = picotls_ctx_get_w_thread,
+ .ctx_handshake_is_over = picotls_handshake_is_over,
+ .ctx_start_listen = picotls_start_listen,
+ .ctx_stop_listen = picotls_stop_listen,
+ .ctx_init_server = picotls_ctx_init_server,
+ .ctx_read = picotls_ctx_read,
+ .ctx_write = picotls_ctx_write,
+ .ctx_transport_close = picotls_transport_close,
+ .ctx_app_close = picotls_app_close,
+};
+
+static clib_error_t *
+tls_picotls_init (vlib_main_t * vm)
+{
+ vlib_thread_main_t *vtm = vlib_get_thread_main ();
+ picotls_main_t *pm = &picotls_main;
+ clib_error_t *error = 0;
+ u32 num_threads;
+
+ num_threads = 1 + vtm->n_threads;
+
+ vec_validate (pm->ctx_pool, num_threads - 1);
+
+ tls_register_engine (&picotls_engine, CRYPTO_ENGINE_PICOTLS);
+
+ return error;
+}
+
+/* *INDENT-OFF* */
+VLIB_INIT_FUNCTION (tls_picotls_init) = {
+ .runs_after = VLIB_INITS ("tls_init"),
+};
+/* *INDENT-ON* */
+
+/* *INDENT-OFF* */
+VLIB_PLUGIN_REGISTER () = {
+ .version = VPP_BUILD_VER,
+ .description = "Transport Layer Security (TLS) Engine, Picotls Based",
+};
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/tlspicotls/tls_picotls.h b/src/plugins/tlspicotls/tls_picotls.h
new file mode 100644
index 00000000000..835f4a6b071
--- /dev/null
+++ b/src/plugins/tlspicotls/tls_picotls.h
@@ -0,0 +1,40 @@
+#ifndef __included_tls_picotls_h__
+#define __included_tls_picotls_h__
+
+#include <picotls.h>
+#include <picotls/openssl.h>
+#include <vnet/plugin/plugin.h>
+#include <vnet/tls/tls.h>
+#include <vpp/app/version.h>
+
+typedef struct tls_ctx_picotls_
+{
+ tls_ctx_t ctx;
+ u32 ptls_ctx_idx;
+ ptls_t *tls;
+ u8 *rx_content;
+ int rx_offset;
+ int rx_len;
+} picotls_ctx_t;
+
+typedef struct tls_listen_ctx_picotls_
+{
+ u32 ptls_lctx_index;
+ ptls_context_t *ptls_ctx;
+} picotls_listen_ctx_t;
+
+typedef struct picotls_main_
+{
+ picotls_ctx_t ***ctx_pool;
+ picotls_listen_ctx_t *lctx_pool;
+} picotls_main_t;
+
+#endif /* __included_quic_certs_h__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */