summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--build/external/patches/quicly_0.0.2-vpp/0001-Add-function-ptr-in-ptls-ctx-for-aead_encrypt.patch33
-rw-r--r--src/plugins/quic/CMakeLists.txt1
-rw-r--r--src/plugins/quic/quic.c35
-rw-r--r--src/plugins/quic/quic_crypto.c336
-rw-r--r--src/plugins/quic/quic_crypto.h31
5 files changed, 436 insertions, 0 deletions
diff --git a/build/external/patches/quicly_0.0.2-vpp/0001-Add-function-ptr-in-ptls-ctx-for-aead_encrypt.patch b/build/external/patches/quicly_0.0.2-vpp/0001-Add-function-ptr-in-ptls-ctx-for-aead_encrypt.patch
new file mode 100644
index 00000000000..80f3bcb684f
--- /dev/null
+++ b/build/external/patches/quicly_0.0.2-vpp/0001-Add-function-ptr-in-ptls-ctx-for-aead_encrypt.patch
@@ -0,0 +1,33 @@
+diff --git a/deps/picotls/include/picotls.h b/deps/picotls/include/picotls.h
+index 06d62f9..de33b86 100644
+--- a/deps/picotls/include/picotls.h
++++ b/deps/picotls/include/picotls.h
+@@ -276,6 +276,8 @@ typedef struct st_ptls_aead_context_t {
+ size_t (*do_encrypt_final)(struct st_ptls_aead_context_t *ctx, void *output);
+ size_t (*do_decrypt)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, const void *iv,
+ const void *aad, size_t aadlen);
++ size_t (*do_encrypt)(struct st_ptls_aead_context_t *ctx, void *output, const void *input, size_t inlen, uint64_t seq,
++ const void *iv, const void *aad, size_t aadlen);
+ } ptls_aead_context_t;
+
+ /**
+diff --git a/deps/picotls/lib/picotls.c b/deps/picotls/lib/picotls.c
+index 70d2fef..f98f7b4 100644
+--- a/deps/picotls/lib/picotls.c
++++ b/deps/picotls/lib/picotls.c
+@@ -4890,6 +4890,13 @@ size_t ptls_aead_encrypt(ptls_aead_context_t *ctx, void *output, const void *inp
+ {
+ size_t off = 0;
+
++ if(ctx->do_encrypt)
++ {
++ uint8_t iv[PTLS_MAX_IV_SIZE];
++ ptls_aead__build_iv(ctx, iv, seq);
++ return ctx->do_encrypt(ctx, output, input, inlen, seq, iv, aad, aadlen);
++ }
++
+ ptls_aead_encrypt_init(ctx, seq, aad, aadlen);
+ off += ptls_aead_encrypt_update(ctx, ((uint8_t *)output) + off, input, inlen);
+ off += ptls_aead_encrypt_final(ctx, ((uint8_t *)output) + off);
+
+
diff --git a/src/plugins/quic/CMakeLists.txt b/src/plugins/quic/CMakeLists.txt
index ccd49682e8c..70a1243b3b3 100644
--- a/src/plugins/quic/CMakeLists.txt
+++ b/src/plugins/quic/CMakeLists.txt
@@ -31,6 +31,7 @@ if(QUICLY_INCLUDE_DIR AND QUIC_LINK_LIBRARIES)
add_vpp_plugin(quic
SOURCES
quic.c
+ quic_crypto.c
INSTALL_HEADERS
quic.h
diff --git a/src/plugins/quic/quic.c b/src/plugins/quic/quic.c
index b46cdb3f018..6c1a3c37bd5 100644
--- a/src/plugins/quic/quic.c
+++ b/src/plugins/quic/quic.c
@@ -30,6 +30,8 @@
#include <picotls/openssl.h>
#include <picotls/pembase64.h>
+#include <quic/quic_crypto.h>
+
static quic_main_t quic_main;
static void quic_update_timer (quic_ctx_t * ctx);
@@ -2539,7 +2541,40 @@ quic_init (vlib_main_t * vm)
VLIB_INIT_FUNCTION (quic_init);
+static clib_error_t *
+quic_plugin_crypto_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "vpp"))
+ {
+ quic_tlsctx.cipher_suites = vpp_crypto_cipher_suites;
+ return 0;
+ }
+ else if (unformat (input, "picotls"))
+ {
+ quic_tlsctx.cipher_suites = ptls_openssl_cipher_suites;
+ return 0;
+ }
+ else
+ return clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input);
+ }
+
+ return clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, input);
+}
+
/* *INDENT-OFF* */
+VLIB_CLI_COMMAND(quic_plugin_crypto_command, static)=
+{
+ .path = "quic set crypto api",
+ .short_help = "quic set crypto api [picotls, vpp]",
+ .function = quic_plugin_crypto_command_fn,
+};
+
VLIB_PLUGIN_REGISTER () =
{
.version = VPP_BUILD_VER,
diff --git a/src/plugins/quic/quic_crypto.c b/src/plugins/quic/quic_crypto.c
new file mode 100644
index 00000000000..6c198960c24
--- /dev/null
+++ b/src/plugins/quic/quic_crypto.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <quic/quic_crypto.h>
+#include <quic/quic.h>
+
+#include <vnet/crypto/crypto.h>
+
+#include <picotls/openssl.h>
+#include <quicly.h>
+
+typedef void (*quicly_do_transform_fn) (ptls_cipher_context_t *, void *,
+ const void *, size_t);
+
+struct cipher_context_t
+{
+ ptls_cipher_context_t super;
+ vnet_crypto_op_t op;
+ u32 key_index;
+};
+
+struct aead_crypto_context_t
+{
+ ptls_aead_context_t super;
+ vnet_crypto_op_t op;
+ u32 key_index;
+};
+
+vnet_crypto_main_t *cm = &crypto_main;
+
+static void
+vpp_crypto_cipher_do_init (ptls_cipher_context_t * _ctx, const void *iv)
+{
+ struct cipher_context_t *ctx = (struct cipher_context_t *) _ctx;
+
+ vnet_crypto_op_id_t id;
+ if (!strcmp (ctx->super.algo->name, "AES128-CTR"))
+ {
+ id = VNET_CRYPTO_OP_AES_128_CTR_ENC;
+ }
+ else if (!strcmp (ctx->super.algo->name, "AES256-CTR"))
+ {
+ id = VNET_CRYPTO_OP_AES_256_CTR_ENC;
+ }
+ else
+ {
+ QUIC_DBG (1, "%s, Invalid crypto cipher : ", __FUNCTION__,
+ _ctx->algo->name);
+ assert (0);
+ }
+
+ vnet_crypto_op_init (&ctx->op, id);
+ ctx->op.iv = (u8 *) iv;
+ ctx->op.key_index = ctx->key_index;
+}
+
+static void
+vpp_crypto_cipher_dispose (ptls_cipher_context_t * _ctx)
+{
+ /* Do nothing */
+}
+
+static void
+vpp_crypto_cipher_encrypt (ptls_cipher_context_t * _ctx, void *output,
+ const void *input, size_t _len)
+{
+ vlib_main_t *vm = vlib_get_main ();
+ struct cipher_context_t *ctx = (struct cipher_context_t *) _ctx;
+
+ ctx->op.src = (u8 *) input;
+ ctx->op.dst = output;
+ ctx->op.len = _len;
+
+ vnet_crypto_process_ops (vm, &ctx->op, 1);
+}
+
+static int
+vpp_crypto_cipher_setup_crypto (ptls_cipher_context_t * _ctx, int is_enc,
+ const void *key, const EVP_CIPHER * cipher,
+ quicly_do_transform_fn do_transform)
+{
+ struct cipher_context_t *ctx = (struct cipher_context_t *) _ctx;
+
+ ctx->super.do_dispose = vpp_crypto_cipher_dispose;
+ ctx->super.do_init = vpp_crypto_cipher_do_init;
+ ctx->super.do_transform = do_transform;
+
+ vlib_main_t *vm = vlib_get_main ();
+ vnet_crypto_alg_t algo;
+ if (!strcmp (ctx->super.algo->name, "AES128-CTR"))
+ {
+ algo = VNET_CRYPTO_ALG_AES_128_CTR;
+ }
+ else if (!strcmp (ctx->super.algo->name, "AES256-CTR"))
+ {
+ algo = VNET_CRYPTO_ALG_AES_256_CTR;
+ }
+ else
+ {
+ QUIC_DBG (1, "%s, Invalid crypto cipher : ", __FUNCTION__,
+ _ctx->algo->name);
+ assert (0);
+ }
+
+ ctx->key_index = vnet_crypto_key_add (vm, algo,
+ (u8 *) key, _ctx->algo->key_size);
+
+ return 0;
+}
+
+static int
+aes128ctr_setup_crypto (ptls_cipher_context_t * ctx, int is_enc,
+ const void *key)
+{
+ return vpp_crypto_cipher_setup_crypto (ctx, 1, key, EVP_aes_128_ctr (),
+ vpp_crypto_cipher_encrypt);
+}
+
+static int
+aes256ctr_setup_crypto (ptls_cipher_context_t * ctx, int is_enc,
+ const void *key)
+{
+ return vpp_crypto_cipher_setup_crypto (ctx, 1, key, EVP_aes_256_ctr (),
+ vpp_crypto_cipher_encrypt);
+}
+
+size_t
+vpp_crypto_aead_encrypt (ptls_aead_context_t * _ctx, void *output,
+ const void *input, size_t inlen, uint64_t seq,
+ const void *iv, const void *aad, size_t aadlen)
+{
+ QUIC_DBG (1, "[quic] %s", __FUNCTION__);
+
+ vlib_main_t *vm = vlib_get_main ();
+ struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *) _ctx;
+
+ vnet_crypto_op_id_t id;
+ if (!strcmp (ctx->super.algo->name, "AES128-GCM"))
+ {
+ id = VNET_CRYPTO_OP_AES_128_GCM_ENC;
+ }
+ else if (!strcmp (ctx->super.algo->name, "AES256-GCM"))
+ {
+ id = VNET_CRYPTO_OP_AES_256_GCM_ENC;
+ }
+ else
+ {
+ assert (0);
+ }
+
+ vnet_crypto_op_init (&ctx->op, id);
+ ctx->op.aad = (u8 *) aad;
+ ctx->op.aad_len = aadlen;
+ ctx->op.iv = (u8 *) iv;
+
+ ctx->op.src = (u8 *) input;
+ ctx->op.dst = output;
+ ctx->op.key_index = ctx->key_index;
+ ctx->op.len = inlen;
+
+ ctx->op.tag_len = ctx->super.algo->tag_size;
+ ctx->op.tag = ctx->op.src + inlen;
+
+ vnet_crypto_process_ops (vm, &ctx->op, 1);
+
+ return ctx->op.len + ctx->op.tag_len;
+}
+
+size_t
+vpp_crypto_aead_decrypt (ptls_aead_context_t * _ctx, void *_output,
+ const void *input, size_t inlen, const void *iv,
+ const void *aad, size_t aadlen)
+{
+ QUIC_DBG (1, "[quic] %s", __FUNCTION__);
+
+ vlib_main_t *vm = vlib_get_main ();
+ struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *) _ctx;
+
+ vnet_crypto_op_id_t id;
+ if (!strcmp (ctx->super.algo->name, "AES128-GCM"))
+ {
+ id = VNET_CRYPTO_OP_AES_128_GCM_DEC;
+ }
+ else if (!strcmp (ctx->super.algo->name, "AES256-GCM"))
+ {
+ id = VNET_CRYPTO_OP_AES_256_GCM_DEC;
+ }
+ else
+ {
+ assert (0);
+ }
+
+ vnet_crypto_op_init (&ctx->op, id);
+ ctx->op.aad = (u8 *) aad;
+ ctx->op.aad_len = aadlen;
+ ctx->op.iv = (u8 *) iv;
+
+ ctx->op.src = (u8 *) input;
+ ctx->op.dst = _output;
+ ctx->op.key_index = ctx->key_index;
+ ctx->op.len = inlen - ctx->super.algo->tag_size;
+
+ ctx->op.tag_len = ctx->super.algo->tag_size;
+ ctx->op.tag = ctx->op.src + ctx->op.len;
+
+ vnet_crypto_process_ops (vm, &ctx->op, 1);
+
+ return ctx->op.len;
+}
+
+static void
+vpp_crypto_aead_dispose_crypto (ptls_aead_context_t * _ctx)
+{
+ QUIC_DBG (1, "[quic] %s", __FUNCTION__);
+}
+
+static int
+vpp_crypto_aead_setup_crypto (ptls_aead_context_t * _ctx, int is_enc,
+ const void *key, const EVP_CIPHER * cipher)
+{
+ QUIC_DBG (1, "%s, algo : ", __FUNCTION__, _ctx->algo->name);
+
+ vlib_main_t *vm = vlib_get_main ();
+ struct aead_crypto_context_t *ctx = (struct aead_crypto_context_t *) _ctx;
+
+ vnet_crypto_alg_t algo;
+ if (!strcmp (ctx->super.algo->name, "AES128-GCM"))
+ {
+ algo = VNET_CRYPTO_ALG_AES_128_GCM;
+ }
+ else if (!strcmp (ctx->super.algo->name, "AES256-GCM"))
+ {
+ algo = VNET_CRYPTO_ALG_AES_256_GCM;
+ }
+ else
+ {
+ QUIC_DBG (1, "%s, algo : ", __FUNCTION__, _ctx->algo->name);
+ assert (0);
+ }
+
+ ctx->super.do_decrypt = vpp_crypto_aead_decrypt;
+ ctx->super.do_encrypt = vpp_crypto_aead_encrypt;
+ ctx->super.dispose_crypto = vpp_crypto_aead_dispose_crypto;
+
+ ctx->key_index = vnet_crypto_key_add (vm, algo,
+ (u8 *) key, _ctx->algo->key_size);
+
+ return 0;
+}
+
+static int
+vpp_crypto_aead_aes128gcm_setup_crypto (ptls_aead_context_t * ctx, int is_enc,
+ const void *key)
+{
+ return vpp_crypto_aead_setup_crypto (ctx, is_enc, key, EVP_aes_128_gcm ());
+}
+
+static int
+vpp_crypto_aead_aes256gcm_setup_crypto (ptls_aead_context_t * ctx, int is_enc,
+ const void *key)
+{
+ return vpp_crypto_aead_setup_crypto (ctx, is_enc, key, EVP_aes_256_gcm ());
+}
+
+ptls_cipher_algorithm_t vpp_crypto_aes128ctr = { "AES128-CTR",
+ PTLS_AES128_KEY_SIZE,
+ 1, PTLS_AES_IV_SIZE,
+ sizeof (struct cipher_context_t),
+ aes128ctr_setup_crypto
+};
+
+ptls_cipher_algorithm_t vpp_crypto_aes256ctr = { "AES256-CTR",
+ PTLS_AES256_KEY_SIZE,
+ 1 /* block size */ ,
+ PTLS_AES_IV_SIZE,
+ sizeof (struct cipher_context_t),
+ aes256ctr_setup_crypto
+};
+
+ptls_aead_algorithm_t vpp_crypto_aes128gcm = { "AES128-GCM",
+ &vpp_crypto_aes128ctr,
+ NULL,
+ PTLS_AES128_KEY_SIZE,
+ PTLS_AESGCM_IV_SIZE,
+ PTLS_AESGCM_TAG_SIZE,
+ sizeof (struct aead_crypto_context_t),
+ vpp_crypto_aead_aes128gcm_setup_crypto
+};
+
+ptls_aead_algorithm_t vpp_crypto_aes256gcm = { "AES256-GCM",
+ &vpp_crypto_aes256ctr,
+ NULL,
+ PTLS_AES256_KEY_SIZE,
+ PTLS_AESGCM_IV_SIZE,
+ PTLS_AESGCM_TAG_SIZE,
+ sizeof (struct aead_crypto_context_t),
+ vpp_crypto_aead_aes256gcm_setup_crypto
+};
+
+ptls_cipher_suite_t vpp_crypto_aes128gcmsha256 =
+ { PTLS_CIPHER_SUITE_AES_128_GCM_SHA256,
+ &vpp_crypto_aes128gcm,
+ &ptls_openssl_sha256
+};
+
+ptls_cipher_suite_t vpp_crypto_aes256gcmsha384 =
+ { PTLS_CIPHER_SUITE_AES_256_GCM_SHA384,
+ &vpp_crypto_aes256gcm,
+ &ptls_openssl_sha384
+};
+
+ptls_cipher_suite_t *vpp_crypto_cipher_suites[] =
+ { &vpp_crypto_aes256gcmsha384,
+ &vpp_crypto_aes128gcmsha256,
+ NULL
+};
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/quic/quic_crypto.h b/src/plugins/quic/quic_crypto.h
new file mode 100644
index 00000000000..8e4bbf92834
--- /dev/null
+++ b/src/plugins/quic/quic_crypto.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __included_vpp_quic_crypto_h__
+#define __included_vpp_quic_crypto_h__
+
+#include <quicly.h>
+
+extern ptls_cipher_suite_t *vpp_crypto_cipher_suites[];
+
+#endif /* __included_vpp_quic_crypto_h__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */