aboutsummaryrefslogtreecommitdiffstats
path: root/src/vcl/ldp.c
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2021-01-05 17:03:29 -0800
committerDave Barach <openvpp@barachs.net>2021-01-07 16:55:02 +0000
commita5a9efd4d1995ef6d46dfab4e5b8aba9c5d114ef (patch)
tree63db95ce5645cafed795284bd3138535f9605c65 /src/vcl/ldp.c
parente294de6f876587ddc34ab02771771aea60087adc (diff)
vcl session: switch to generic cert key apis
Remove the deprecated tls apis. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia1e12bd813671146f0aca22e83d04c23ac13e595
Diffstat (limited to 'src/vcl/ldp.c')
-rw-r--r--src/vcl/ldp.c105
1 files changed, 56 insertions, 49 deletions
diff --git a/src/vcl/ldp.c b/src/vcl/ldp.c
index 98ed4a9b1ab..b72c0c54acd 100644
--- a/src/vcl/ldp.c
+++ b/src/vcl/ldp.c
@@ -100,10 +100,15 @@ typedef struct
u32 vlsh_bit_val;
u32 vlsh_bit_mask;
u32 debug;
- u8 transparent_tls;
/** vcl needs next epoll_create to go to libc_epoll */
u8 vcl_needs_real_epoll;
+
+ /**
+ * crypto state used only for testing
+ */
+ u8 transparent_tls;
+ u32 ckpair_index;
} ldp_main_t;
#define LDP_DEBUG ldp->debug
@@ -121,6 +126,7 @@ static ldp_main_t ldp_main = {
.vlsh_bit_mask = (1 << LDP_SID_BIT_MIN) - 1,
.debug = LDP_DEBUG_INIT,
.transparent_tls = 0,
+ .ckpair_index = ~0,
};
static ldp_main_t *ldp = &ldp_main;
@@ -902,68 +908,71 @@ pselect (int nfds, fd_set * __restrict readfds,
/* If transparent TLS mode is turned on, then ldp will load key and cert.
*/
static int
-load_tls_cert (vls_handle_t vlsh)
+load_cert_key_pair (void)
{
- char *env_var_str = getenv (LDP_ENV_TLS_CERT);
- char inbuf[4096];
- char *tls_cert;
- int cert_size;
+ char *cert_str = getenv (LDP_ENV_TLS_CERT);
+ char *key_str = getenv (LDP_ENV_TLS_KEY);
+ char cert_buf[4096], key_buf[4096];
+ int cert_size, key_size;
+ vppcom_cert_key_pair_t crypto;
+ int ckp_index;
FILE *fp;
- if (env_var_str)
- {
- fp = fopen (env_var_str, "r");
- if (fp == NULL)
- {
- LDBG (0, "ERROR: failed to open cert file %s \n", env_var_str);
- return -1;
- }
- cert_size = fread (inbuf, sizeof (char), sizeof (inbuf), fp);
- tls_cert = inbuf;
- vppcom_session_tls_add_cert (vlsh_to_session_index (vlsh), tls_cert,
- cert_size);
- fclose (fp);
- }
- else
+ if (!cert_str || !key_str)
{
LDBG (0, "ERROR: failed to read LDP environment %s\n",
LDP_ENV_TLS_CERT);
return -1;
}
- return 0;
-}
-static int
-load_tls_key (vls_handle_t vlsh)
-{
- char *env_var_str = getenv (LDP_ENV_TLS_KEY);
- char inbuf[4096];
- char *tls_key;
- int key_size;
- FILE *fp;
+ fp = fopen (cert_str, "r");
+ if (fp == NULL)
+ {
+ LDBG (0, "ERROR: failed to open cert file %s \n", cert_str);
+ return -1;
+ }
+ cert_size = fread (cert_buf, sizeof (char), sizeof (cert_buf), fp);
+ fclose (fp);
- if (env_var_str)
+ fp = fopen (key_str, "r");
+ if (fp == NULL)
{
- fp = fopen (env_var_str, "r");
- if (fp == NULL)
- {
- LDBG (0, "ERROR: failed to open key file %s \n", env_var_str);
- return -1;
- }
- key_size = fread (inbuf, sizeof (char), sizeof (inbuf), fp);
- tls_key = inbuf;
- vppcom_session_tls_add_key (vlsh_to_session_index (vlsh), tls_key,
- key_size);
- fclose (fp);
+ LDBG (0, "ERROR: failed to open key file %s \n", key_str);
+ return -1;
}
- else
+ key_size = fread (key_buf, sizeof (char), sizeof (key_buf), fp);
+ fclose (fp);
+
+ crypto.cert = cert_buf;
+ crypto.key = key_buf;
+ crypto.cert_len = cert_size;
+ crypto.key_len = key_size;
+ ckp_index = vppcom_add_cert_key_pair (&crypto);
+ if (ckp_index < 0)
{
- LDBG (0, "ERROR: failed to read LDP environment %s\n", LDP_ENV_TLS_KEY);
+ LDBG (0, "ERROR: failed to add cert key pair\n");
return -1;
}
+
+ ldp->ckpair_index = ckp_index;
+
return 0;
}
+static int
+assign_cert_key_pair (vls_handle_t vlsh)
+{
+ uint32_t ckp_len;
+
+ if (ldp->ckpair_index == ~0 && load_cert_key_pair () < 0)
+ return -1;
+
+ ckp_len = sizeof (ldp->ckpair_index);
+ return vppcom_session_attr (vlsh_to_session_index (vlsh),
+ VPPCOM_ATTR_SET_CKPAIR, &ldp->ckpair_index,
+ &ckp_len);
+}
+
int
socket (int domain, int type, int protocol)
{
@@ -999,10 +1008,8 @@ socket (int domain, int type, int protocol)
{
if (ldp->transparent_tls)
{
- if (load_tls_cert (vlsh) < 0 || load_tls_key (vlsh) < 0)
- {
- return -1;
- }
+ if (assign_cert_key_pair (vlsh) < 0)
+ return -1;
}
rv = ldp_vlsh_to_fd (vlsh);
}