aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2018-03-05 16:53:07 -0800
committerDave Barach <openvpp@barachs.net>2018-03-07 13:27:59 +0000
commit8f89dd01289ea9e97405432d2351a19c842dd6d5 (patch)
tree67ab5d20f9ebbd34ee8d9fec2dfc3d97297fd0f7 /src/vnet
parent7139e757b13212f3fd8e3f3f401018375fed0c61 (diff)
tls: enforce certificate verification
- add option to use test certificate in the ca chain - add hostname to extended session endpoint fields and connect api parameters. If hostname is present, certificate validation is enforced. - use /etc/ssl/certs/ca-certificates.crt to bootstrap CA cert. A different path can be provided via startup config Change-Id: I046f9c6ff3ae6a9c2d71220cb62eca8f7b10e5fb Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r--src/vnet/session-apps/echo_client.c5
-rw-r--r--src/vnet/session-apps/proxy.c1
-rw-r--r--src/vnet/session-apps/tls.c126
-rw-r--r--src/vnet/session/application_interface.c144
-rw-r--r--src/vnet/session/application_interface.h4
-rw-r--r--src/vnet/session/session.api7
-rw-r--r--src/vnet/session/session.c9
-rwxr-xr-xsrc/vnet/session/session_api.c19
-rw-r--r--src/vnet/session/session_test.c6
-rw-r--r--src/vnet/session/stream_session.h15
10 files changed, 212 insertions, 124 deletions
diff --git a/src/vnet/session-apps/echo_client.c b/src/vnet/session-apps/echo_client.c
index 7bf98470df0..5b70d4906bc 100644
--- a/src/vnet/session-apps/echo_client.c
+++ b/src/vnet/session-apps/echo_client.c
@@ -520,14 +520,13 @@ echo_clients_connect (vlib_main_t * vm, u32 n_clients)
vnet_connect_args_t _a, *a = &_a;
clib_error_t *error = 0;
int i;
+
+ memset (a, 0, sizeof (*a));
for (i = 0; i < n_clients; i++)
{
- memset (a, 0, sizeof (*a));
-
a->uri = (char *) ecm->connect_uri;
a->api_context = i;
a->app_index = ecm->app_index;
- a->mp = 0;
if ((error = vnet_connect_uri (a)))
return error;
diff --git a/src/vnet/session-apps/proxy.c b/src/vnet/session-apps/proxy.c
index af490177502..190821780e5 100644
--- a/src/vnet/session-apps/proxy.c
+++ b/src/vnet/session-apps/proxy.c
@@ -220,7 +220,6 @@ proxy_rx_callback (stream_session_t * s)
a->uri = (char *) pm->client_uri;
a->api_context = proxy_index;
a->app_index = pm->active_open_app_index;
- a->mp = 0;
vnet_connect_uri (a);
}
diff --git a/src/vnet/session-apps/tls.c b/src/vnet/session-apps/tls.c
index 50c36361f2b..d71dfb43d3c 100644
--- a/src/vnet/session-apps/tls.c
+++ b/src/vnet/session-apps/tls.c
@@ -22,11 +22,13 @@
#include <mbedtls/timing.h>
#include <mbedtls/debug.h>
-#define TLS_DEBUG (0)
-#define TLS_DEBUG_LEVEL_CLIENT (0)
-#define TLS_DEBUG_LEVEL_SERVER (0)
-#define TLS_CHUNK_SIZE (1 << 14)
-#define TLS_USE_OUR_MEM_FUNCS (0)
+#define TLS_DEBUG 0
+#define TLS_DEBUG_LEVEL_CLIENT 0
+#define TLS_DEBUG_LEVEL_SERVER 0
+
+#define TLS_CHUNK_SIZE (1 << 14)
+#define TLS_USE_OUR_MEM_FUNCS 0
+#define TLS_CA_CERT_PATH "/etc/ssl/certs/ca-certificates.crt"
#if TLS_DEBUG
#define TLS_DBG(_lvl, _fmt, _args...) \
@@ -67,6 +69,8 @@ typedef CLIB_PACKED (struct tls_cxt_id_
}) tls_ctx_id_t;
/* *INDENT-ON* */
+STATIC_ASSERT (sizeof (tls_ctx_id_t) <= 42, "ctx id must be less than 42");
+
typedef struct tls_ctx_
{
union
@@ -85,6 +89,7 @@ typedef struct tls_ctx_
#define parent_app_api_context c_s_index
u8 is_passive_close;
+ u8 *srv_hostname;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt srvcert;
@@ -101,6 +106,12 @@ typedef struct tls_main_
tls_ctx_t *half_open_ctx_pool;
clib_rwlock_t half_open_rwlock;
mbedtls_x509_crt cacert;
+
+ /*
+ * Config
+ */
+ u8 use_test_cert_in_ca;
+ char *ca_cert_path;
} tls_main_t;
static tls_main_t tls_main;
@@ -188,6 +199,7 @@ tls_ctx_alloc (void)
void
tls_ctx_free (tls_ctx_t * ctx)
{
+ vec_free (ctx->srv_hostname);
pool_put_index (tls_main.ctx_pool[vlib_get_thread_index ()],
ctx->tls_ctx_idx);
}
@@ -416,7 +428,8 @@ tls_ctx_init_client (tls_ctx_t * ctx)
return -1;
}
- if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl, "SERVER NAME")) != 0)
+ if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl,
+ (const char *) ctx->srv_hostname)) != 0)
{
TLS_DBG (1, "failed\n ! mbedtls_ssl_set_hostname returned %d\n", rv);
return -1;
@@ -424,14 +437,13 @@ tls_ctx_init_client (tls_ctx_t * ctx)
ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *);
mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
-
mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT);
/*
* 2. Do the first 2 steps in the handshake.
*/
TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
- tls_ctx_index (ctx));
+ ctx->tls_ctx_idx);
while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
{
rv = mbedtls_ssl_handshake_step (&ctx->ssl);
@@ -439,13 +451,14 @@ tls_ctx_init_client (tls_ctx_t * ctx)
break;
}
TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
- tls_ctx_index (ctx), ctx->ssl.state);
+ ctx->tls_ctx_idx, ctx->ssl.state);
return 0;
}
static int
tls_ctx_init_server (tls_ctx_t * ctx)
{
+ tls_main_t *tm = &tls_main;
application_t *app;
void *ctx_ptr;
int rv;
@@ -468,17 +481,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
rv = mbedtls_x509_crt_parse (&ctx->srvcert,
(const unsigned char *) app->tls_cert,
- mbedtls_test_srv_crt_len);
- if (rv != 0)
- {
- TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
- goto exit;
- }
-
- /* TODO clone CA */
- rv = mbedtls_x509_crt_parse (&ctx->srvcert,
- (const unsigned char *) mbedtls_test_cas_pem,
- mbedtls_test_cas_pem_len);
+ vec_len (app->tls_cert));
if (rv != 0)
{
TLS_DBG (1, " failed\n ! mbedtls_x509_crt_parse returned %d", rv);
@@ -487,7 +490,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
rv = mbedtls_pk_parse_key (&ctx->pkey,
(const unsigned char *) app->tls_key,
- mbedtls_test_srv_key_len, NULL, 0);
+ vec_len (app->tls_key), NULL, 0);
if (rv != 0)
{
TLS_DBG (1, " failed\n ! mbedtls_pk_parse_key returned %d", rv);
@@ -515,7 +518,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
mbedtls_ssl_cache_set );
*/
- mbedtls_ssl_conf_ca_chain (&ctx->conf, ctx->srvcert.next, NULL);
+ mbedtls_ssl_conf_ca_chain (&ctx->conf, &tm->cacert, NULL);
if ((rv = mbedtls_ssl_conf_own_cert (&ctx->conf, &ctx->srvcert, &ctx->pkey))
!= 0)
{
@@ -539,7 +542,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
* 3. Start handshake state machine
*/
TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
- tls_ctx_index (ctx));
+ ctx->tls_ctx_idx);
while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
{
rv = mbedtls_ssl_handshake_step (&ctx->ssl);
@@ -548,7 +551,7 @@ tls_ctx_init_server (tls_ctx_t * ctx)
}
TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
- tls_ctx_index (ctx), ctx->ssl.state);
+ ctx->tls_ctx_idx, ctx->ssl.state);
return 0;
exit:
@@ -585,7 +588,7 @@ tls_notify_app_accept (tls_ctx_t * ctx)
}
static int
-tls_notify_app_connected (tls_ctx_t * ctx)
+tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed)
{
int (*cb_fn) (u32, u32, stream_session_t *, u8);
stream_session_t *app_session;
@@ -595,6 +598,9 @@ tls_notify_app_connected (tls_ctx_t * ctx)
app = application_get (ctx->parent_app_index);
cb_fn = app->cb_fns.session_connected_callback;
+ if (is_failed)
+ goto failed;
+
sm = application_get_connect_segment_manager (app);
app_session = session_alloc (vlib_get_thread_index ());
app_session->app_index = ctx->parent_app_index;
@@ -632,7 +638,7 @@ tls_handshake_rx (tls_ctx_t * ctx)
if (rv != 0)
break;
}
- TLS_DBG (2, "tls state for %u is %u", tls_ctx_index (ctx), ctx->ssl.state);
+ TLS_DBG (2, "tls state for %u is %u", ctx->tls_ctx_idx, ctx->ssl.state);
if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
return 0;
@@ -652,12 +658,17 @@ tls_handshake_rx (tls_ctx_t * ctx)
mbedtls_x509_crt_verify_info (buf, sizeof (buf), " ! ", flags);
TLS_DBG (1, "%s\n", buf);
- /* For testing purposes not enforcing this */
- /* tls_disconnect (tls_ctx_index (ctx), vlib_get_thread_index ());
- return -1;
+ /*
+ * Presence of hostname enforces strict certificate verification
*/
+ if (ctx->srv_hostname)
+ {
+ tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ());
+ tls_notify_app_connected (ctx, /* is failed */ 1);
+ return -1;
+ }
}
- tls_notify_app_connected (ctx);
+ tls_notify_app_connected (ctx, /* is failed */ 0);
}
else
{
@@ -665,7 +676,7 @@ tls_handshake_rx (tls_ctx_t * ctx)
}
TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x",
- tls_ctx_index (ctx), ctx->ssl.session->ciphersuite);
+ ctx->tls_ctx_idx, ctx->ssl.session->ciphersuite);
return 0;
}
@@ -899,6 +910,11 @@ tls_connect (transport_endpoint_t * tep)
ctx->parent_app_index = sep->app_index;
ctx->parent_app_api_context = sep->opaque;
ctx->tcp_is_ip4 = sep->is_ip4;
+ if (sep->hostname)
+ {
+ ctx->srv_hostname = format (0, "%v", sep->hostname);
+ vec_terminate_c_string (ctx->srv_hostname);
+ }
tls_ctx_half_open_reader_unlock ();
app = application_get (sep->app_index);
@@ -1101,17 +1117,33 @@ tls_init_ca_chain (void)
tls_main_t *tm = &tls_main;
int rv;
- /* TODO config */
+ if (!tm->ca_cert_path)
+ tm->ca_cert_path = TLS_CA_CERT_PATH;
+
+ if (access (tm->ca_cert_path, F_OK | R_OK) == -1)
+ {
+ clib_warning ("Could not initialize TLS CA certificates");
+ return -1;
+ }
+
mbedtls_x509_crt_init (&tm->cacert);
- rv = mbedtls_x509_crt_parse (&tm->cacert,
- (const unsigned char *) mbedtls_test_cas_pem,
- mbedtls_test_cas_pem_len);
+ rv = mbedtls_x509_crt_parse_file (&tm->cacert, tm->ca_cert_path);
if (rv < 0)
{
- clib_warning ("mbedtls_x509_crt_parse returned -0x%x", -rv);
- return -1;
+ clib_warning ("Couldn't parse system CA certificates: -0x%x", -rv);
}
- return 0;
+ if (tm->use_test_cert_in_ca)
+ {
+ rv = mbedtls_x509_crt_parse (&tm->cacert,
+ (const unsigned char *) test_srv_crt_rsa,
+ test_srv_crt_rsa_len);
+ if (rv < 0)
+ {
+ clib_warning ("Couldn't parse test certificate: -0x%x", -rv);
+ return -1;
+ }
+ }
+ return (rv < 0 ? -1 : 0);
}
clib_error_t *
@@ -1175,6 +1207,24 @@ tls_init (vlib_main_t * vm)
VLIB_INIT_FUNCTION (tls_init);
+static clib_error_t *
+tls_config_fn (vlib_main_t * vm, unformat_input_t * input)
+{
+ tls_main_t *tm = &tls_main;
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "use-test-cert-in-ca"))
+ tm->use_test_cert_in_ca = 1;
+ else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path))
+ ;
+ else
+ return clib_error_return (0, "unknown input `%U'",
+ format_unformat_error, input);
+ }
+ return 0;
+}
+
+VLIB_EARLY_CONFIG_FUNCTION (tls_config_fn, "tls");
/*
* fd.io coding-style-patch-verification: ON
*
diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c
index 12a5701fdf3..dbd5e49417f 100644
--- a/src/vnet/session/application_interface.c
+++ b/src/vnet/session/application_interface.c
@@ -27,54 +27,58 @@
*/
const char test_srv_crt_rsa[] =
"-----BEGIN CERTIFICATE-----\r\n"
- "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
- "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
- "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
- "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n"
- "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n"
- "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n"
- "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n"
- "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n"
- "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n"
- "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n"
- "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n"
- "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n"
- "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n"
- "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n"
- "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n"
- "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n"
- "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n"
- "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n";
+ "MIID5zCCAs+gAwIBAgIJALeMYCEHrTtJMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD\r\n"
+ "VQQGEwJVUzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCFNhbiBKb3NlMQ4wDAYDVQQK\r\n"
+ "DAVDaXNjbzEOMAwGA1UECwwFZmQuaW8xFjAUBgNVBAMMDXRlc3R0bHMuZmQuaW8x\r\n"
+ "IjAgBgkqhkiG9w0BCQEWE3ZwcC1kZXZAbGlzdHMuZmQuaW8wHhcNMTgwMzA1MjEx\r\n"
+ "NTEyWhcNMjgwMzAyMjExNTEyWjCBiTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB\r\n"
+ "MREwDwYDVQQHDAhTYW4gSm9zZTEOMAwGA1UECgwFQ2lzY28xDjAMBgNVBAsMBWZk\r\n"
+ "LmlvMRYwFAYDVQQDDA10ZXN0dGxzLmZkLmlvMSIwIAYJKoZIhvcNAQkBFhN2cHAt\r\n"
+ "ZGV2QGxpc3RzLmZkLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\r\n"
+ "4C1k8a1DuStgggqT4o09fP9sJ2dC54bxhS/Xk2VEfaIZ222WSo4X/syRVfVy9Yah\r\n"
+ "cpI1zJ/RDxaZSFhgA+nPZBrFMsrULkrdAOpOVj8eDEp9JuWdO2ODSoFnCvLxcYWB\r\n"
+ "Yc5kHryJpEaGJl1sFQSesnzMFty/59ta0stk0Fp8r5NhIjWvSovGzPo6Bhz+VS2c\r\n"
+ "ebIZh4x1t2hHaFcgm0qJoJ6DceReWCW8w+yOVovTolGGq+bpb2Hn7MnRSZ2K2NdL\r\n"
+ "+aLXpkZbS/AODP1FF2vTO1mYL290LO7/51vJmPXNKSDYMy5EvILr5/VqtjsFCwRL\r\n"
+ "Q4jcM/+GeHSAFWx4qIv0BwIDAQABo1AwTjAdBgNVHQ4EFgQUWa1SOB37xmT53tZQ\r\n"
+ "aXuLLhRI7U8wHwYDVR0jBBgwFoAUWa1SOB37xmT53tZQaXuLLhRI7U8wDAYDVR0T\r\n"
+ "BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoUht13W4ya27NVzQuCMvqPWL3VM4\r\n"
+ "3xbPFk02FaGz/WupPu276zGlzJAZrbuDcQowwwU1Ni1Yygxl96s1c2M5rHDTrOKG\r\n"
+ "rK0hbkSFBo+i6I8u4HiiQ4rYmG0Hv6+sXn3of0HsbtDPGgWZoipPWDljPYEURu3e\r\n"
+ "3HRe/Dtsj9CakBoSDzs8ndWaBR+f4sM9Tk1cjD46Gq2T/qpSPXqKxEUXlzhdCAn4\r\n"
+ "twub17Bq2kykHpppCwPg5M+v30tHG/R2Go15MeFWbEJthFk3TZMjKL7UFs7fH+x2\r\n"
+ "wSonXb++jY+KmCb93C+soABBizE57g/KmiR2IxQ/LMjDik01RSUIaM0lLA==\r\n"
+ "-----END CERTIFICATE-----\r\n";
const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa);
const char test_srv_key_rsa[] =
- "-----BEGIN RSA PRIVATE KEY-----\r\n"
- "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
- "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
- "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
- "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
- "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
- "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
- "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
- "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
- "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
- "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
- "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
- "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
- "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
- "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
- "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
- "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
- "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
- "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
- "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
- "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
- "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
- "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
- "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
- "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
- "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
- "-----END RSA PRIVATE KEY-----\r\n";
+ "-----BEGIN PRIVATE KEY-----\r\n"
+ "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgLWTxrUO5K2CC\r\n"
+ "CpPijT18/2wnZ0LnhvGFL9eTZUR9ohnbbZZKjhf+zJFV9XL1hqFykjXMn9EPFplI\r\n"
+ "WGAD6c9kGsUyytQuSt0A6k5WPx4MSn0m5Z07Y4NKgWcK8vFxhYFhzmQevImkRoYm\r\n"
+ "XWwVBJ6yfMwW3L/n21rSy2TQWnyvk2EiNa9Ki8bM+joGHP5VLZx5shmHjHW3aEdo\r\n"
+ "VyCbSomgnoNx5F5YJbzD7I5Wi9OiUYar5ulvYefsydFJnYrY10v5otemRltL8A4M\r\n"
+ "/UUXa9M7WZgvb3Qs7v/nW8mY9c0pINgzLkS8guvn9Wq2OwULBEtDiNwz/4Z4dIAV\r\n"
+ "bHioi/QHAgMBAAECggEBAMzGipP8+oT166U+NlJXRFifFVN1DvdhG9PWnOxGL+c3\r\n"
+ "ILmBBC08WQzmHshPemBvR6DZkA1H23cV5JTiLWrFtC00CvhXsLRMrE5+uWotI6yE\r\n"
+ "iofybMroHvD6/X5R510UX9hQ6MHu5ShLR5VZ9zXHz5MpTmB/60jG5dLx+jgcwBK8\r\n"
+ "LuGv2YB/WCUwT9QJ3YU2eaingnXtz/MrFbkbltrqlnBdlD+kTtw6Yac9y1XuuQXc\r\n"
+ "BPeulLNDuPolJVWbUvDBZrpt2dXTgz8ws1sv+wCNE0xwQJsqW4Nx3QkpibUL9RUr\r\n"
+ "CVbKlNfa9lopT6nGKlgX69R/uH35yh9AOsfasro6w0ECgYEA82UJ8u/+ORah+0sF\r\n"
+ "Q0FfW5MTdi7OAUHOz16pUsGlaEv0ERrjZxmAkHA/VRwpvDBpx4alCv0Hc39PFLIk\r\n"
+ "nhSsM2BEuBkTAs6/GaoNAiBtQVE/hN7awNRWVmlieS0go3Y3dzaE9IUMyj8sPOFT\r\n"
+ "5JdJ6BM69PHKCkY3dKdnnfpFEuECgYEA68mRpteunF1mdZgXs+WrN+uLlRrQR20F\r\n"
+ "ZyMYiUCH2Dtn26EzA2moy7FipIIrQcX/j+KhYNGM3e7MU4LymIO29E18mn8JODnH\r\n"
+ "sQOXzBTsf8A4yIVMkcuQD3bfb0JiUGYUPOidTp2N7IJA7+6Yc3vQOyb74lnKnJoO\r\n"
+ "gougPT2wS+cCgYAn7muzb6xFsXDhyW0Tm6YJYBfRS9yAWEuVufINobeBZPSl2cN1\r\n"
+ "Jrnw+HlrfTNbrJWuJmjtZJXUXQ6cVp2rUbjutNyRV4vG6iRwEXYQ40EJdkr1gZpi\r\n"
+ "CHQhuShuuPih2MNAy7EEbM+sXrDjTBR3bFqzuHPzu7dp+BshCFX3lRfAAQKBgGQt\r\n"
+ "K5i7IhCFDjb/+3IPLgOAK7mZvsvZ4eXD33TQ2eZgtut1PXtBtNl17/b85uv293Fm\r\n"
+ "VDISVcsk3eLNS8zIiT6afUoWlxAwXEs0v5WRfjl4radkGvgGiJpJYvyeM67877RB\r\n"
+ "EDSKc/X8ESLfOB44iGvZUEMG6zJFscx9DgN25iQZAoGAbyd+JEWwdVH9/K3IH1t2\r\n"
+ "PBkZX17kNWv+iVM1WyFjbe++vfKZCrOJiyiqhDeEqgrP3AuNMlaaduC3VRC3G5oV\r\n"
+ "Mj1tlhDWQ/qhvKdCKNdIVQYDE75nw+FRWV8yYkHAnXYW3tNoweDIwixE0hkPR1bc\r\n"
+ "oEjPLVNtx8SOj/M4rhaPT3I=\r\n" "-----END PRIVATE KEY-----\r\n";
const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa);
static u8
@@ -315,8 +319,9 @@ global_scope:
/**
* unformat a vnet URI
*
- * transport-proto://ip46-addr:port
- * eg. tcp://ip46-addr:port
+ * transport-proto://[hostname]ip46-addr:port
+ * eg. tcp://ip46-addr:port
+ * tls://[testtsl.fd.io]ip46-addr:port
*
* u8 ip46_address[16];
* u16 port_in_host_byte_order;
@@ -331,12 +336,21 @@ global_scope:
uword
unformat_vnet_uri (unformat_input_t * input, va_list * args)
{
- session_endpoint_t *sep = va_arg (*args, session_endpoint_t *);
+ session_endpoint_extended_t *sep = va_arg (*args,
+ session_endpoint_extended_t *);
u32 transport_proto = 0, port;
- if (unformat
- (input, "%U://%U/%d", unformat_transport_proto, &transport_proto,
- unformat_ip4_address, &sep->ip.ip4, &port))
+ if (unformat (input, "%U://%U/%d", unformat_transport_proto,
+ &transport_proto, unformat_ip4_address, &sep->ip.ip4, &port))
+ {
+ sep->transport_proto = transport_proto;
+ sep->port = clib_host_to_net_u16 (port);
+ sep->is_ip4 = 1;
+ return 1;
+ }
+ else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto,
+ &transport_proto, &sep->hostname, unformat_ip4_address,
+ &sep->ip.ip4, &port))
{
sep->transport_proto = transport_proto;
sep->port = clib_host_to_net_u16 (port);
@@ -352,14 +366,23 @@ unformat_vnet_uri (unformat_input_t * input, va_list * args)
sep->is_ip4 = 0;
return 1;
}
+ else if (unformat (input, "%U://[%s]%U/%d", unformat_transport_proto,
+ &transport_proto, &sep->hostname, unformat_ip6_address,
+ &sep->ip.ip6, &port))
+ {
+ sep->transport_proto = transport_proto;
+ sep->port = clib_host_to_net_u16 (port);
+ sep->is_ip4 = 0;
+ return 1;
+ }
return 0;
}
static u8 *cache_uri;
-static session_endpoint_t *cache_sep;
+static session_endpoint_extended_t *cache_sep;
int
-parse_uri (char *uri, session_endpoint_t * sep)
+parse_uri (char *uri, session_endpoint_extended_t * sep)
{
unformat_input_t _input, *input = &_input;
@@ -483,20 +506,20 @@ vnet_application_detach (vnet_app_detach_args_t * a)
int
vnet_bind_uri (vnet_bind_args_t * a)
{
- session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+ session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
int rv;
rv = parse_uri (a->uri, &sep);
if (rv)
return rv;
- return vnet_bind_i (a->app_index, &sep, &a->handle);
+ return vnet_bind_i (a->app_index, (session_endpoint_t *) & sep, &a->handle);
}
int
vnet_unbind_uri (vnet_unbind_args_t * a)
{
- session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+ session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
stream_session_t *listener;
int rv;
@@ -505,7 +528,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
return rv;
/* NOTE: only default table supported for uri */
- listener = session_lookup_listener (0, &sep);
+ listener = session_lookup_listener (0, (session_endpoint_t *) & sep);
if (!listener)
return VNET_API_ERROR_ADDRESS_NOT_IN_USE;
@@ -515,7 +538,7 @@ vnet_unbind_uri (vnet_unbind_args_t * a)
clib_error_t *
vnet_connect_uri (vnet_connect_args_t * a)
{
- session_endpoint_t sep = SESSION_ENDPOINT_NULL;
+ session_endpoint_extended_t sep = SESSION_ENDPOINT_EXT_NULL;
int rv;
/* Parse uri */
@@ -523,7 +546,8 @@ vnet_connect_uri (vnet_connect_args_t * a)
if (rv)
return clib_error_return_code (0, rv, 0, "app init: %d", rv);
- if ((rv = application_connect (a->app_index, a->api_context, &sep)))
+ if ((rv = application_connect (a->app_index, a->api_context,
+ (session_endpoint_t *) & sep)))
return clib_error_return_code (0, rv, 0, "connect failed");
return 0;
}
@@ -579,7 +603,7 @@ vnet_unbind (vnet_unbind_args_t * a)
clib_error_t *
vnet_connect (vnet_connect_args_t * a)
{
- session_endpoint_t *sep = &a->sep;
+ session_endpoint_t *sep = (session_endpoint_t *) & a->sep;
int rv;
if ((rv = application_connect (a->app_index, a->api_context, sep)))
diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h
index 2ab09d6f52d..deddb648630 100644
--- a/src/vnet/session/application_interface.h
+++ b/src/vnet/session/application_interface.h
@@ -83,13 +83,11 @@ typedef struct _vnet_connect_args
union
{
char *uri;
- session_endpoint_t sep;
+ session_endpoint_extended_t sep;
};
u32 app_index;
u32 api_context;
- /* Used for redirects */
- void *mp;
session_handle_t session_handle;
} vnet_connect_args_t;
diff --git a/src/vnet/session/session.api b/src/vnet/session/session.api
index 336b51cd333..bf88e82f336 100644
--- a/src/vnet/session/session.api
+++ b/src/vnet/session/session.api
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-option version = "1.0.1";
+option version = "1.0.2";
/** \brief client->vpp, attach application to session layer
@param client_index - opaque cookie to identify the sender
@@ -292,6 +292,9 @@ autoreply define unbind_sock {
@param ip - ip address
@param port - port
@param proto - protocol 0 - TCP 1 - UDP
+ @param hostname-len - length of hostname
+ @param hostname - destination's hostname. If present, used by protocols
+ like tls.
*/
autoreply define connect_sock {
u32 client_index;
@@ -303,6 +306,8 @@ autoreply define connect_sock {
u8 ip[16];
u16 port;
u8 proto;
+ u8 hostname_len;
+ u8 hostname[hostname_len];
};
/** \brief Bind reply
diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c
index 09e3ded6dff..d4220d4ae6b 100644
--- a/src/vnet/session/session.c
+++ b/src/vnet/session/session.c
@@ -878,12 +878,11 @@ session_open_vc (u32 app_index, session_endpoint_t * rmt, u32 opaque)
int
session_open_app (u32 app_index, session_endpoint_t * rmt, u32 opaque)
{
- session_endpoint_extended_t sep;
- clib_memcpy (&sep, rmt, sizeof (*rmt));
- sep.app_index = app_index;
- sep.opaque = opaque;
+ session_endpoint_extended_t *sep = (session_endpoint_extended_t *) rmt;
+ sep->app_index = app_index;
+ sep->opaque = opaque;
- return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) & sep);
+ return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) sep);
}
typedef int (*session_open_service_fn) (u32, session_endpoint_t *, u32);
diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index 6694a40c348..b25911eb306 100755
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -561,12 +561,10 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
a->uri = (char *) mp->uri;
a->api_context = mp->context;
a->app_index = app->index;
- a->mp = mp;
if ((error = vnet_connect_uri (a)))
{
rv = clib_error_get_code (error);
- if (rv != VNET_API_ERROR_SESSION_REDIRECT)
- clib_error_report (error);
+ clib_error_report (error);
}
}
else
@@ -579,7 +577,7 @@ vl_api_connect_uri_t_handler (vl_api_connect_uri_t * mp)
* the connection is established. In case of the redirects, the reply
* will come from the server app.
*/
- if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+ if (rv == 0)
return;
done:
@@ -838,6 +836,7 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
svm_queue_t *client_q;
ip46_address_t *ip46 = (ip46_address_t *) mp->ip;
+ memset (a, 0, sizeof (*a));
client_q = vl_api_client_index_to_input_queue (mp->client_index);
mp->client_queue_address = pointer_to_uword (client_q);
a->sep.is_ip4 = mp->is_ip4;
@@ -846,22 +845,26 @@ vl_api_connect_sock_t_handler (vl_api_connect_sock_t * mp)
a->sep.transport_proto = mp->proto;
a->sep.fib_index = mp->vrf;
a->sep.sw_if_index = ENDPOINT_INVALID_INDEX;
+ if (mp->hostname_len)
+ {
+ vec_validate (a->sep.hostname, mp->hostname_len - 1);
+ clib_memcpy (a->sep.hostname, mp->hostname, mp->hostname_len);
+ }
a->api_context = mp->context;
a->app_index = app->index;
- a->mp = mp;
if ((error = vnet_connect (a)))
{
rv = clib_error_get_code (error);
- if (rv != VNET_API_ERROR_SESSION_REDIRECT)
- clib_error_report (error);
+ clib_error_report (error);
}
+ vec_free (a->sep.hostname);
}
else
{
rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
}
- if (rv == 0 || rv == VNET_API_ERROR_SESSION_REDIRECT)
+ if (rv == 0)
return;
/* Got some error, relay it */
diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c
index 91ac351f860..ceac7039940 100644
--- a/src/vnet/session/session_test.c
+++ b/src/vnet/session/session_test.c
@@ -244,10 +244,10 @@ session_test_namespace (vlib_main_t * vm, unformat_input_t * input)
};
vnet_connect_args_t connect_args = {
- .sep = client_sep,
.app_index = 0,
.api_context = 0,
};
+ clib_memcpy (&connect_args.sep, &client_sep, sizeof (client_sep));
vnet_unbind_args_t unbind_args = {
.handle = bind_args.handle,
@@ -1032,10 +1032,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
" 5.6.7.9/32 4321 in local table should return deny");
vnet_connect_args_t connect_args = {
- .sep = sep,
.app_index = attach_args.app_index,
.api_context = 0,
};
+ clib_memcpy (&connect_args.sep, &sep, sizeof (sep));
/* Try connecting */
error = vnet_connect (&connect_args);
@@ -1312,7 +1312,7 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input)
connect_args.app_index = server_index;
- connect_args.sep = sep;
+ clib_memcpy (&connect_args.sep, &sep, sizeof (sep));
error = vnet_connect (&connect_args);
SESSION_TEST ((error != 0), "connect should fail");
diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h
index 6f6dce66040..b7a5eee4b12 100644
--- a/src/vnet/session/stream_session.h
+++ b/src/vnet/session/stream_session.h
@@ -141,7 +141,6 @@ typedef struct local_session_
#define foreach_session_endpoint_fields \
foreach_transport_connection_fields \
_(u8, transport_proto) \
- _(u8, app_proto) \
typedef struct _session_endpoint
{
@@ -157,6 +156,7 @@ typedef struct _session_endpoint_extended
#undef _
u32 app_index;
u32 opaque;
+ u8 *hostname;
} session_endpoint_extended_t;
#define SESSION_IP46_ZERO \
@@ -173,7 +173,18 @@ typedef struct _session_endpoint_extended
.is_ip4 = 0, \
.port = 0, \
.transport_proto = 0, \
- .app_proto = 0, \
+}
+#define SESSION_ENDPOINT_EXT_NULL \
+{ \
+ .sw_if_index = ENDPOINT_INVALID_INDEX, \
+ .ip = SESSION_IP46_ZERO, \
+ .fib_index = ENDPOINT_INVALID_INDEX, \
+ .is_ip4 = 0, \
+ .port = 0, \
+ .transport_proto = 0, \
+ .app_index = ENDPOINT_INVALID_INDEX, \
+ .opaque = ENDPOINT_INVALID_INDEX, \
+ .hostname = 0, \
}
#define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep)