diff options
author | Florin Coras <fcoras@cisco.com> | 2018-03-05 16:53:07 -0800 |
---|---|---|
committer | Dave Barach <openvpp@barachs.net> | 2018-03-07 13:27:59 +0000 |
commit | 8f89dd01289ea9e97405432d2351a19c842dd6d5 (patch) | |
tree | 67ab5d20f9ebbd34ee8d9fec2dfc3d97297fd0f7 /src/vnet | |
parent | 7139e757b13212f3fd8e3f3f401018375fed0c61 (diff) |
tls: enforce certificate verification
- add option to use test certificate in the ca chain
- add hostname to extended session endpoint fields and connect api
parameters. If hostname is present, certificate validation is
enforced.
- use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A
different path can be provided via startup config
Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb
Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/session-apps/echo_client.c | 5 | ||||
-rw-r--r-- | src/vnet/session-apps/proxy.c | 1 | ||||
-rw-r--r-- | src/vnet/session-apps/tls.c | 126 | ||||
-rw-r--r-- | src/vnet/session/application_interface.c | 144 | ||||
-rw-r--r-- | src/vnet/session/application_interface.h | 4 | ||||
-rw-r--r-- | src/vnet/session/session.api | 7 | ||||
-rw-r--r-- | src/vnet/session/session.c | 9 | ||||
-rwxr-xr-x | src/vnet/session/session_api.c | 19 | ||||
-rw-r--r-- | src/vnet/session/session_test.c | 6 | ||||
-rw-r--r-- | src/vnet/session/stream_session.h | 15 |
10 files changed, 212 insertions, 124 deletions
diff --git a/src/vnet/session-apps/echo_client.c b/src/vnet/session-apps/echo_client.c index 7bf98470df0..5b70d4906bc 100644 --- a/src/vnet/session-apps/echo_client.c +++ b/src/vnet/session-apps/echo_client.c @@ -520,14 +520,13 @@ echo_clients_connect (vlib_main_t * vm, u32 n_clients) vnet_connect_args_t _a, *a = &_a; clib_error_t *error = 0; int i; + + memset (a, 0, sizeof (*a)); for (i = 0; i < n_clients; i++) { - memset (a, 0, sizeof (*a)); - a->uri = (char *) ecm->connect_uri; a->api_context = i; a->app_index = ecm->app_index; - a->mp = 0; if ((error = vnet_connect_uri (a))) return error; diff --git a/src/vnet/session-apps/proxy.c b/src/vnet/session-apps/proxy.c index af490177502..190821780e5 100644 --- a/src/vnet/session-apps/proxy.c +++ b/src/vnet/session-apps/proxy.c @@ -220,7 +220,6 @@ proxy_rx_callback (stream_session_t * s) a->uri = (char *) pm->client_uri; a->api_context = proxy_index; a->app_index = pm->active_open_app_index; - a->mp = 0; vnet_connect_uri (a); } diff --git a/src/vnet/session-apps/tls.c b/src/vnet/session-apps/tls.c index 50c36361f2b..d71dfb43d3c 100644 --- a/src/vnet/session-apps/tls.c +++ b/src/vnet/session-apps/tls.c @@ -22,11 +22,13 @@ #include <mbedtls/timing.h> #include <mbedtls/debug.h> -#define TLS_DEBUG (0) -#define TLS_DEBUG_LEVEL_CLIENT (0) -#define TLS_DEBUG_LEVEL_SERVER (0) -#define TLS_CHUNK_SIZE (1 << 14) -#define TLS_USE_OUR_MEM_FUNCS (0) +#define TLS_DEBUG 0 +#define TLS_DEBUG_LEVEL_CLIENT 0 +#define TLS_DEBUG_LEVEL_SERVER 0 + +#define TLS_CHUNK_SIZE (1 << 14) +#define TLS_USE_OUR_MEM_FUNCS 0 +#define TLS_CA_CERT_PATH "/etc/ssl/certs/ca-certificates.crt" #if TLS_DEBUG #define TLS_DBG(_lvl, _fmt, _args...) \ @@ -67,6 +69,8 @@ typedef CLIB_PACKED (struct tls_cxt_id_ }) tls_ctx_id_t; /* *INDENT-ON* */ +STATIC_ASSERT (sizeof (tls_ctx_id_t) <= 42, "ctx id must be less than 42"); + typedef struct tls_ctx_ { union @@ -85,6 +89,7 @@ typedef struct tls_ctx_ #define parent_app_api_context c_s_index u8 is_passive_close; + u8 *srv_hostname; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; mbedtls_x509_crt srvcert; @@ -101,6 +106,12 @@ typedef struct tls_main_ tls_ctx_t *half_open_ctx_pool; clib_rwlock_t half_open_rwlock; mbedtls_x509_crt cacert; + + /* + * Config + */ + u8 use_test_cert_in_ca; + char *ca_cert_path; } tls_main_t; static tls_main_t tls_main; @@ -188,6 +199,7 @@ tls_ctx_alloc (void) void tls_ctx_free (tls_ctx_t * ctx) { + vec_free (ctx->srv_hostname); pool_put_index (tls_main.ctx_pool[vlib_get_thread_index ()], ctx->tls_ctx_idx); } @@ -416,7 +428,8 @@ tls_ctx_init_client (tls_ctx_t * ctx) return -1; } - if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl, "SERVER NAME")) != 0) + if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl, + (const char *) ctx->srv_hostname)) != 0) { TLS_DBG (1, "failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv); return -1; @@ -424,14 +437,13 @@ tls_ctx_init_client (tls_ctx_t * ctx) ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *); mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL); - mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT); /* * 2. Do the first 2 steps in the handshake. */ TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, - tls_ctx_index (ctx)); + ctx->tls_ctx_idx); while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { rv = mbedtls_ssl_handshake_step (&ctx->ssl); @@ -439,13 +451,14 @@ tls_ctx_init_client (tls_ctx_t * ctx) break; } TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index, - tls_ctx_index (ctx), ctx->ssl.state); + ctx->tls_ctx_idx, ctx->ssl.state); return 0; } static int tls_ctx_init_server (tls_ctx_t * ctx) { + tls_main_t *tm = &tls_main; application_t *app; void *ctx_ptr; int rv; @@ -468,17 +481,7 @@ tls_ctx_init_server (tls_ctx_t * ctx) rv = mbedtls_x509_crt_parse (&ctx->srvcert, (const unsigned char *) app->tls_cert, - mbedtls_test_srv_crt_len); - if (rv != 0) - { - TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv); - goto exit; - } - - /* TODO clone CA */ - rv = mbedtls_x509_crt_parse (&ctx->srvcert, - (const unsigned char *) mbedtls_test_cas_pem, - mbedtls_test_cas_pem_len); + vec_len (app->tls_cert)); if (rv != 0) { TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv); @@ -487,7 +490,7 @@ tls_ctx_init_server (tls_ctx_t * ctx) rv = mbedtls_pk_parse_key (&ctx->pkey, (const unsigned char *) app->tls_key, - mbedtls_test_srv_key_len, NULL, 0); + vec_len (app->tls_key), NULL, 0); if (rv != 0) { TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv); @@ -515,7 +518,7 @@ tls_ctx_init_server (tls_ctx_t * ctx) mbedtls_ssl_cache_set ); */ - mbedtls_ssl_conf_ca_chain (&ctx->conf, ctx->srvcert.next, NULL); + mbedtls_ssl_conf_ca_chain (&ctx->conf, &tm->cacert, NULL); if ((rv = mbedtls_ssl_conf_own_cert (&ctx->conf, &ctx->srvcert, &ctx->pkey)) != 0) { @@ -539,7 +542,7 @@ tls_ctx_init_server (tls_ctx_t * ctx) * 3. Start handshake state machine */ TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, - tls_ctx_index (ctx)); + ctx->tls_ctx_idx); while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { rv = mbedtls_ssl_handshake_step (&ctx->ssl); @@ -548,7 +551,7 @@ tls_ctx_init_server (tls_ctx_t * ctx) } TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index, - tls_ctx_index (ctx), ctx->ssl.state); + ctx->tls_ctx_idx, ctx->ssl.state); return 0; exit: @@ -585,7 +588,7 @@ tls_notify_app_accept (tls_ctx_t * ctx) } static int -tls_notify_app_connected (tls_ctx_t * ctx) +tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) { int (*cb_fn) (u32, u32, stream_session_t *, u8); stream_session_t *app_session; @@ -595,6 +598,9 @@ tls_notify_app_connected (tls_ctx_t * ctx) app = application_get (ctx->parent_app_index); cb_fn = app->cb_fns.session_connected_callback; + if (is_failed) + goto failed; + sm = application_get_connect_segment_manager (app); app_session = session_alloc (vlib_get_thread_index ()); app_session->app_index = ctx->parent_app_index; @@ -632,7 +638,7 @@ tls_handshake_rx (tls_ctx_t * ctx) if (rv != 0) break; } - TLS_DBG (2, "tls state for %u is %u", tls_ctx_index (ctx), ctx->ssl.state); + TLS_DBG (2, "tls state for %u is %u", ctx->tls_ctx_idx, ctx->ssl.state); if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) return 0; @@ -652,12 +658,17 @@ tls_handshake_rx (tls_ctx_t * ctx) mbedtls_x509_crt_verify_info (buf, sizeof (buf), " ! ", flags); TLS_DBG (1, "%s\n", buf); - /* For testing purposes not enforcing this */ - /* tls_disconnect (tls_ctx_index (ctx), vlib_get_thread_index ()); - return -1; + /* + * Presence of hostname enforces strict certificate verification */ + if (ctx->srv_hostname) + { + tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ()); + tls_notify_app_connected (ctx, /* is failed */ 1); + return -1; + } } - tls_notify_app_connected (ctx); + tls_notify_app_connected (ctx, /* is failed */ 0); } else { @@ -665,7 +676,7 @@ tls_handshake_rx (tls_ctx_t * ctx) } TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x", - tls_ctx_index (ctx), ctx->ssl.session->ciphersuite); + ctx->tls_ctx_idx, ctx->ssl.session->ciphersuite); return 0; } @@ -899,6 +910,11 @@ tls_connect (transport_endpoint_t * tep) ctx->parent_app_index = sep->app_index; ctx->parent_app_api_context = sep->opaque; ctx->tcp_is_ip4 = sep->is_ip4; + if (sep->hostname) + { + ctx->srv_hostname = format (0, "%v", sep->hostname); + vec_terminate_c_string (ctx->srv_hostname); + } tls_ctx_half_open_reader_unlock (); app = application_get (sep->app_index); @@ -1101,17 +1117,33 @@ tls_init_ca_chain (void) tls_main_t *tm = &tls_main; int rv; - /* TODO config */ + if (!tm->ca_cert_path) + tm->ca_cert_path = TLS_CA_CERT_PATH; + + if (access (tm->ca_cert_path, F_OK | R_OK) == -1) + { + clib_warning ("Could not initialize TLS CA certificates"); + return -1; + } + mbedtls_x509_crt_init (&tm->cacert); - rv = mbedtls_x509_crt_parse (&tm->cacert, - (const unsigned char *) mbedtls_test_cas_pem, - mbedtls_test_cas_pem_len); + rv = mbedtls_x509_crt_parse_file (&tm->cacert, tm->ca_cert_path); if (rv < 0) { - clib_warning ("mbedtls_x509_crt_parse returned -0x%x", -rv); - return -1; + clib_warning ("Couldn't parse system CA certificates: -0x%x", -rv); } - return 0; + if (tm->use_test_cert_in_ca) + { + rv = mbedtls_x509_crt_parse (&tm->cacert, + (const unsigned char *) test_srv_crt_rsa, + test_srv_crt_rsa_len); + if (rv < 0) + { + clib_warning ("Couldn't parse test certificate: -0x%x", -rv); + return -1; + } + } + return (rv < 0 ? -1 : 0); } clib_error_t * @@ -1175,6 +1207,24 @@ tls_init (vlib_main_t * vm) VLIB_INIT_FUNCTION (tls_init); +static clib_error_t * +tls_config_fn (vlib_main_t * vm, unformat_input_t * input) +{ + tls_main_t *tm = &tls_main; + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "use-test-cert-in-ca")) + tm->use_test_cert_in_ca = 1; + else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path)) + ; + else + return clib_error_return (0, "unknown input `%U'", + format_unformat_error, input); + } + return 0; +} + +VLIB_EARLY_CONFIG_FUNCTION (tls_config_fn, "tls"); /* * fd.io coding-style-patch-verification: ON * diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c index 12a5701fdf3..dbd5e49417f 100644 --- a/src/vnet/session/application_interface.c +++ b/src/vnet/session/application_interface.c @@ -27,54 +27,58 @@ */ const char test_srv_crt_rsa[] = "-----BEGIN CERTIFICATE-----\r\n" - "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" - "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" - "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" - "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" - "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" - "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" - "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" - "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" - "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" - "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" - "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" - "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n" - "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n" - "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n" - "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n" - "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n" - "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n" - "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n"; + "MIID5zCCAs+gAwIBAgIJALeMYCEHrTtJMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD\r\n" + "VQQGEwJVUzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMQ4wDAYDVQQK\r\n" + "DAVDaXNjbzEOMAwGA1UECwwFZmQuaW8xFjAUBgNVBAMMDXRlc3R0bHMuZmQuaW8x\r\n" + "IjAgBgkqhkiG9w0BCQEWE3ZwcC1kZXZAbGlzdHMuZmQuaW8wHhcNMTgwMzA1MjEx\r\n" + "NTEyWhcNMjgwMzAyMjExNTEyWjCBiTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB\r\n" + "MREwDwYDVQQHDAhTYW4gSm9zZTEOMAwGA1UECgwFQ2lzY28xDjAMBgNVBAsMBWZk\r\n" + "LmlvMRYwFAYDVQQDDA10ZXN0dGxzLmZkLmlvMSIwIAYJKoZIhvcNAQkBFhN2cHAt\r\n" + "ZGV2QGxpc3RzLmZkLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n" + "4C1k8a1DuStgggqT4o09fP9sJ2dC54bxhS/Xk2VEfaIZ222WSo4X/syRVfVy9Yah\r\n" + "cpI1zJ/RDxaZSFhgA+nPZBrFMsrULkrdAOpOVj8eDEp9JuWdO2ODSoFnCvLxcYWB\r\n" + "Yc5kHryJpEaGJl1sFQSesnzMFty/59ta0stk0Fp8r5NhIjWvSovGzPo6Bhz+VS2c\r\n" + "ebIZh4x1t2hHaFcgm0qJoJ6DceReWCW8w+yOVovTolGGq+bpb2Hn7MnRSZ2K2NdL\r\n" + "+aLXpkZbS/AODP1FF2vTO1mYL290LO7/51vJmPXNKSDYMy5EvILr5/VqtjsFCwRL\r\n" + "Q4jcM/+GeHSAFWx4qIv0BwIDAQABo1AwTjAdBgNVHQ4EFgQUWa1SOB37xmT53tZQ\r\n" + "aXuLLhRI7U8wHwYDVR0jBBgwFoAUWa1SOB37xmT53tZQaXuLLhRI7U8wDAYDVR0T\r\n" + "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoUht13W4ya27NVzQuCMvqPWL3VM4\r\n" + "3xbPFk02FaGz/WupPu276zGlzJAZrbuDcQowwwU1Ni1Yygxl96s1c2M5rHDTrOKG\r\n" + "rK0hbkSFBo+i6I8u4HiiQ4rYmG0Hv6+sXn3of0HsbtDPGgWZoipPWDljPYEURu3e\r\n" + "3HRe/Dtsj9CakBoSDzs8ndWaBR+f4sM9Tk1cjD46Gq2T/qpSPXqKxEUXlzhdCAn4\r\n" + "twub17Bq2kykHpppCwPg5M+v30tHG/R2Go15MeFWbEJthFk3TZMjKL7UFs7fH+x2\r\n" + "wSonXb++jY+KmCb93C+soABBizE57g/KmiR2IxQ/LMjDik01RSUIaM0lLA==\r\n" + "-----END CERTIFICATE-----\r\n"; const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa); const char test_srv_key_rsa[] = - "-----BEGIN RSA PRIVATE KEY-----\r\n" - "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" - "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" - "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" - "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" - "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" - "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" - "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" - "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" - "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" - "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" - "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" - "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" - "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" - "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" - "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" - "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" - "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" - "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" - "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" - "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" - "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" - "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" - "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" - "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" - "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n" - "-----END RSA PRIVATE KEY-----\r\n"; + "-----BEGIN PRIVATE KEY-----\r\n" + "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgLWTxrUO5K2CC\r\n" + "CpPijT18/2wnZ0LnhvGFL9eTZUR9ohnbbZZKjhf+zJFV9XL1hqFykjXMn9EPFplI\r\n" + "WGAD6c9kGsUyytQuSt0A6k5WPx4MSn0m5Z07Y4NKgWcK8vFxhYFhzmQevImkRoYm\r\n" + "XWwVBJ6yfMwW3L/n21rSy2TQWnyvk2EiNa9Ki8bM+joGHP5VLZx5shmHjHW3aEdo\r\n" + "VyCbSomgnoNx5F5YJbzD7I5Wi9OiUYar5ulvYefsydFJnYrY10v5otemRltL8A4M\r\n" + "/UUXa9M7WZgvb3Qs7v/nW8mY9c0pINgzLkS8guvn9Wq2OwULBEtDiNwz/4Z4dIAV\r\n" + "bHioi/QHAgMBAAECggEBAMzGipP8+oT166U+NlJXRFifFVN1DvdhG9PWnOxGL+c3\r\n" + "ILmBBC08WQzmHshPemBvR6DZkA1H23cV5JTiLWrFtC00CvhXsLRMrE5+uWotI6yE\r\n" + "iofybMroHvD6/X5R510UX9hQ6MHu5ShLR5VZ9zXHz5MpTmB/60jG5dLx+jgcwBK8\r\n" + "LuGv2YB/WCUwT9QJ3YU2eaingnXtz/MrFbkbltrqlnBdlD+kTtw6Yac9y1XuuQXc\r\n" + "BPeulLNDuPolJVWbUvDBZrpt2dXTgz8ws1sv+wCNE0xwQJsqW4Nx3QkpibUL9RUr\r\n" + "CVbKlNfa9lopT6nGKlgX69R/uH35yh9AOsfasro6w0ECgYEA82UJ8u/+ORah+0sF\r\n" + "Q0FfW5MTdi7OAUHOz16pUsGlaEv0ERrjZxmAkHA/VRwpvDBpx4alCv0Hc39PFLIk\r\n" + "nhSsM2BEuBkTAs6/GaoNAiBtQVE/hN7awNRWVmlieS0go3Y3dzaE9IUMyj8sPOFT\r\n" + "5JdJ6BM69PHKCkY3dKdnnfpFEuECgYEA68mRpteunF1mdZgXs+WrN+uLlRrQR20F\r\n" + "ZyMYiUCH2Dtn26EzA2moy7FipIIrQcX/j+KhYNGM3e7MU4LymIO29E18mn8JODnH\r\n" + "sQOXzBTsf8A4yIVMkcuQD3bfb0JiUGYUPOidTp2N7IJA7+6Yc3vQOyb74lnKnJoO\r\n" + "gougPT2wS+cCgYAn7muzb6xFsXDhyW0Tm6YJYBfRS9yAWEuVufINobeBZPSl2cN1\r\n" + "Jrnw+HlrfTNbrJWuJmjtZJXUXQ6cVp2rUbjutNyRV4vG6iRwEXYQ40EJdkr1gZpi\r\n" + "CHQhuShuuPih2MNAy7EEbM+sXrDjTBR3bFqzuHPzu7dp+BshCFX3lRfAAQKBgGQt\r\n" + "K5i7IhCFDjb/+3IPLgOAK7mZvsvZ4eXD33TQ2eZgtut1PXtBtNl17/b85uv293Fm\r\n" + "VDISVcsk3eLNS8zIiT6afUoWlxAwXEs0v5WRfjl4radkGvgGiJpJYvyeM67877RB\r\n" + "EDSKc/X8ESLfOB44iGvZUEMG6zJFscx9DgN25iQZAoGAbyd+JEWwdVH9/K3IH1t2\r\n" + "PBkZX17kNWv+iVM1WyFjbe++vfKZCrOJiyiqhDeEqgrP3AuNMlaaduC3VRC3G5oV\r\n" + "Mj1tlhDWQ/qhvKdCKNdIVQYDE75nw+FRWV8yYkHAnXYW3tNoweDIwixE0hkPR1bc\r\n" + "oEjPLVNtx8SOj/M4rhaPT3I=\r\n" "-----END PRIVATE KEY-----\r\n"; const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa); static u8 @@ -315,8 +319,9 @@ global_scope: /** * unformat a vnet URI * - * transport-proto://ip46-addr:port - * eg. tcp://ip46-addr:port + * transport-proto://[hostname]ip46-addr:port + * eg. tcp://ip46-addr:port + * tls://[testtsl.fd.io]ip46-addr:port * * u8 ip46_address[16]; * u16 port_in_host_byte_order; @@ -331,12 +336,21 @@ global_scope: uword unformat_vnet_uri (unformat_input_t * input, va_list * args) { - session_endpoint_t *sep = va_arg (*args, session_endpoint_t *); + session_endpoint_extended_t *sep = va_arg (*args, + session_endpoint_extended_t *); u32 transport_proto = 0, port; - if (unformat - (input, "%U://%U/%d", unformat_transport_proto, &transport_proto, - unformat_ip4_address, &sep->ip.ip4, &port)) + if (unformat (input, "%U://%U/%d", unformat_transport_proto, + &transport_proto, unformat_ip4_address, &sep->ip.ip4, &port)) + { + sep->transport_proto = transport_proto; + sep->port = clib_host_to_net_u16 (port); + sep->is_ip4 = 1; + return 1; + } + else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto, + &transport_proto, &sep->hostname, unformat_ip4_address, + &sep->ip.ip4, &port)) { sep->transport_proto = transport_proto; sep->port = clib_host_to_net_u16 (port); @@ -352,14 +366,23 @@ unformat_vnet_uri (unformat_input_t * input, va_list * args) sep->is_ip4 = 0; return 1; } + else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto, + &transport_proto, &sep->hostname, unformat_ip6_address, + &sep->ip.ip6, &port)) + { + sep->transport_proto = transport_proto; + sep->port = clib_host_to_net_u16 (port); + sep->is_ip4 = 0; + return 1; + } return 0; } static u8 *cache_uri; -static session_endpoint_t *cache_sep; +static session_endpoint_extended_t *cache_sep; int -parse_uri (char *uri, session_endpoint_t * sep) +parse_uri (char *uri, session_endpoint_extended_t * sep) { unformat_input_t _input, *input = &_input; @@ -483,20 +506,20 @@ vnet_application_detach (vnet_app_detach_args_t * a) int vnet_bind_uri (vnet_bind_args_t * a) { - session_endpoint_t sep = SESSION_ENDPOINT_NULL; + session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL; int rv; rv = parse_uri (a->uri, &sep); if (rv) return rv; - return vnet_bind_i (a->app_index, &sep, &a->handle); + return vnet_bind_i (a->app_index, (session_endpoint_t *) & sep, &a->handle); } int vnet_unbind_uri (vnet_unbind_args_t * a) { - session_endpoint_t sep = SESSION_ENDPOINT_NULL; + session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL; stream_session_t *listener; int rv; @@ -505,7 +528,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a) return rv; /* NOTE: only default table supported for uri */ - listener = session_lookup_listener (0, &sep); + listener = session_lookup_listener (0, (session_endpoint_t *) & sep); if (!listener) return VNET_API_ERROR_ADDRESS_NOT_IN_USE; @@ -515,7 +538,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a) clib_error_t * vnet_connect_uri (vnet_connect_args_t * a) { - session_endpoint_t sep = SESSION_ENDPOINT_NULL; + session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL; int rv; /* Parse uri */ @@ -523,7 +546,8 @@ vnet_connect_uri (vnet_connect_args_t * a) if (rv) return clib_error_return_code (0, rv, 0, "app init: %d", rv); - if ((rv = application_connect (a->app_index, a->api_context, &sep))) + if ((rv = application_connect (a->app_index, a->api_context, + (session_endpoint_t *) & sep))) return clib_error_return_code (0, rv, 0, "connect failed"); return 0; } @@ -579,7 +603,7 @@ vnet_unbind (vnet_unbind_args_t * a) clib_error_t * vnet_connect (vnet_connect_args_t * a) { - session_endpoint_t *sep = &a->sep; + session_endpoint_t *sep = (session_endpoint_t *) & a->sep; int rv; if ((rv = application_connect (a->app_index, a->api_context, sep))) diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h index 2ab09d6f52d..deddb648630 100644 --- a/src/vnet/session/application_interface.h +++ b/src/vnet/session/application_interface.h @@ -83,13 +83,11 @@ typedef struct _vnet_connect_args union { char *uri; - session_endpoint_t sep; + session_endpoint_extended_t sep; }; u32 app_index; u32 api_context; - /* Used for redirects */ - void *mp; session_handle_t session_handle; } vnet_connect_args_t; diff --git a/src/vnet/session/session.api b/src/vnet/session/session.api index 336b51cd333..bf88e82f336 100644 --- a/src/vnet/session/session.api +++ b/src/vnet/session/session.api @@ -13,7 +13,7 @@ * limitations under the License. */ -option version = "1.0.1"; +option version = "1.0.2"; /** \brief client->vpp, attach application to session layer @param client_index - opaque cookie to identify the sender @@ -292,6 +292,9 @@ autoreply define unbind_sock { @param ip - ip address @param port - port @param proto - protocol 0 - TCP 1 - UDP + @param hostname-len - length of hostname + @param hostname - destination's hostname. If present, used by protocols + like tls. */ autoreply define connect_sock { u32 client_index; @@ -303,6 +306,8 @@ autoreply define connect_sock { u8 ip[16]; u16 port; u8 proto; + u8 hostname_len; + u8 hostname[hostname_len]; }; /** \brief Bind reply diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c index 09e3ded6dff..d4220d4ae6b 100644 --- a/src/vnet/session/session.c +++ b/src/vnet/session/session.c @@ -878,12 +878,11 @@ session_open_vc (u32 app_index, session_endpoint_t * rmt, u32 opaque) int session_open_app (u32 app_index, session_endpoint_t * rmt, u32 opaque) { - session_endpoint_extended_t sep; - clib_memcpy (&sep, rmt, sizeof (*rmt)); - sep.app_index = app_index; - sep.opaque = opaque; + session_endpoint_extended_t *sep = (session_endpoint_extended_t *) rmt; + sep->app_index = app_index; + sep->opaque = opaque; - return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) & sep); + return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) sep); } typedef int (*session_open_service_fn) (u32, session_endpoint_t *, u32); diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c index 6694a40c348..b25911eb306 100755 --- a/src/vnet/session/session_api.c +++ b/src/vnet/session/session_api.c @@ -561,12 +561,10 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp) a->uri = (char *) mp->uri; a->api_context = mp->context; a->app_index = app->index; - a->mp = mp; if ((error = vnet_connect_uri (a))) { rv = clib_error_get_code (error); - if (rv != VNET_API_ERROR_SESSION_REDIRECT) - clib_error_report (error); + clib_error_report (error); } } else @@ -579,7 +577,7 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp) * the connection is established. In case of the redirects, the reply * will come from the server app. */ - if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT) + if (rv == 0) return; done: @@ -838,6 +836,7 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp) svm_queue_t *client_q; ip46_address_t *ip46 = (ip46_address_t *) mp->ip; + memset (a, 0, sizeof (*a)); client_q = vl_api_client_index_to_input_queue (mp->client_index); mp->client_queue_address = pointer_to_uword (client_q); a->sep.is_ip4 = mp->is_ip4; @@ -846,22 +845,26 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp) a->sep.transport_proto = mp->proto; a->sep.fib_index = mp->vrf; a->sep.sw_if_index = ENDPOINT_INVALID_INDEX; + if (mp->hostname_len) + { + vec_validate (a->sep.hostname, mp->hostname_len - 1); + clib_memcpy (a->sep.hostname, mp->hostname, mp->hostname_len); + } a->api_context = mp->context; a->app_index = app->index; - a->mp = mp; if ((error = vnet_connect (a))) { rv = clib_error_get_code (error); - if (rv != VNET_API_ERROR_SESSION_REDIRECT) - clib_error_report (error); + clib_error_report (error); } + vec_free (a->sep.hostname); } else { rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED; } - if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT) + if (rv == 0) return; /* Got some error, relay it */ diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c index 91ac351f860..ceac7039940 100644 --- a/src/vnet/session/session_test.c +++ b/src/vnet/session/session_test.c @@ -244,10 +244,10 @@ session_test_namespace (vlib_main_t * vm, unformat_input_t * input) }; vnet_connect_args_t connect_args = { - .sep = client_sep, .app_index = 0, .api_context = 0, }; + clib_memcpy (&connect_args.sep, &client_sep, sizeof (client_sep)); vnet_unbind_args_t unbind_args = { .handle = bind_args.handle, @@ -1032,10 +1032,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input) " 5.6.7.9/32 4321 in local table should return deny"); vnet_connect_args_t connect_args = { - .sep = sep, .app_index = attach_args.app_index, .api_context = 0, }; + clib_memcpy (&connect_args.sep, &sep, sizeof (sep)); /* Try connecting */ error = vnet_connect (&connect_args); @@ -1312,7 +1312,7 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input) connect_args.app_index = server_index; - connect_args.sep = sep; + clib_memcpy (&connect_args.sep, &sep, sizeof (sep)); error = vnet_connect (&connect_args); SESSION_TEST ((error != 0), "connect should fail"); diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h index 6f6dce66040..b7a5eee4b12 100644 --- a/src/vnet/session/stream_session.h +++ b/src/vnet/session/stream_session.h @@ -141,7 +141,6 @@ typedef struct local_session_ #define foreach_session_endpoint_fields \ foreach_transport_connection_fields \ _(u8, transport_proto) \ - _(u8, app_proto) \ typedef struct _session_endpoint { @@ -157,6 +156,7 @@ typedef struct _session_endpoint_extended #undef _ u32 app_index; u32 opaque; + u8 *hostname; } session_endpoint_extended_t; #define SESSION_IP46_ZERO \ @@ -173,7 +173,18 @@ typedef struct _session_endpoint_extended .is_ip4 = 0, \ .port = 0, \ .transport_proto = 0, \ - .app_proto = 0, \ +} +#define SESSION_ENDPOINT_EXT_NULL \ +{ \ + .sw_if_index = ENDPOINT_INVALID_INDEX, \ + .ip = SESSION_IP46_ZERO, \ + .fib_index = ENDPOINT_INVALID_INDEX, \ + .is_ip4 = 0, \ + .port = 0, \ + .transport_proto = 0, \ + .app_index = ENDPOINT_INVALID_INDEX, \ + .opaque = ENDPOINT_INVALID_INDEX, \ + .hostname = 0, \ } #define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep) |