From d918cc54eb5f178ccf81dc2463d176cffcd63df1 Mon Sep 17 00:00:00 2001
From: Saravanan Murugesan
Date: Mon, 28 Feb 2022 19:54:11 +0530
Subject: tls: support to reinitialise ca_chain wo restart

Type: improvement

Signed-off-by: Saravanan Murugesan
Change-Id: I90e90678ae6586019cc842f9d504d53991cfabe4
---
 src/plugins/tlsmbedtls/tls_mbedtls.c |  8 +++++
 src/plugins/tlsopenssl/tls_openssl.c | 65 ++++++++++++++++++++++--------------
 src/plugins/tlspicotls/tls_picotls.c |  8 +++++
 src/vnet/tls/tls.c                   |  6 ++++
 src/vnet/tls/tls.h                   |  2 ++
 5 files changed, 64 insertions(+), 25 deletions(-)

diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c
index 3fccba2ec5a..8d6b7ac5498 100644
--- a/src/plugins/tlsmbedtls/tls_mbedtls.c
+++ b/src/plugins/tlsmbedtls/tls_mbedtls.c
@@ -558,6 +558,13 @@ mbedtls_app_close (tls_ctx_t * ctx)
   return 0;
 }
 
+static int
+mbedtls_reinit_ca_chain (void)
+{
+  /* Not supported Yet */
+  return 0;
+}
+
 const static tls_engine_vft_t mbedtls_engine = {
   .ctx_alloc = mbedtls_ctx_alloc,
   .ctx_free = mbedtls_ctx_free,
@@ -572,6 +579,7 @@ const static tls_engine_vft_t mbedtls_engine = {
   .ctx_stop_listen = mbedtls_stop_listen,
   .ctx_transport_close = mbedtls_transport_close,
   .ctx_app_close = mbedtls_app_close,
+  .ctx_reinit_cachain = mbedtls_reinit_ca_chain,
 };
 
 int
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 740ba059e77..75494aac6de 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 
 #define MAX_CRYPTO_LEN 64
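Review bot: The mbedtls stub `mbedtls_reinit_ca_chain` returns 0, the same value openssl's implementation yields for a successful reload, so a reinit request routed to this engine is reported as success while the previously loaded trust anchors stay in effect. The picotls stub added in tls_picotls.c has the same problem. Since `tls_reinit_ca_chain` in tls.c hands the engine's return value straight back to the caller, an unsupported engine should report failure, e.g. `return -1; /* not supported: CA chain left unchanged */`, matching the `-1` that openssl's `tls_init_ca_chain` returns on error. Separately, this stub is `static` while the picotls and openssl counterparts have external linkage with no prototype in a header; making all three `static` would be consistent.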
@@ -1022,25 +1023,6 @@ openssl_app_close (tls_ctx_t * ctx)
   return 0;
 }
 
-const static tls_engine_vft_t openssl_engine = {
-  .ctx_alloc = openssl_ctx_alloc,
-  .ctx_alloc_w_thread = openssl_ctx_alloc_w_thread,
-  .ctx_free = openssl_ctx_free,
-  .ctx_attach = openssl_ctx_attach,
-  .ctx_detach = openssl_ctx_detach,
-  .ctx_get = openssl_ctx_get,
-  .ctx_get_w_thread = openssl_ctx_get_w_thread,
-  .ctx_init_server = openssl_ctx_init_server,
-  .ctx_init_client = openssl_ctx_init_client,
-  .ctx_write = openssl_ctx_write,
-  .ctx_read = openssl_ctx_read,
-  .ctx_handshake_is_over = openssl_handshake_is_over,
-  .ctx_start_listen = openssl_start_listen,
-  .ctx_stop_listen = openssl_stop_listen,
-  .ctx_transport_close = openssl_transport_close,
-  .ctx_app_close = openssl_app_close,
-};
-
 int
 tls_init_ca_chain (void)
 {
@@ -1089,6 +1071,39 @@ tls_init_ca_chain (void)
   return (rv < 0 ? -1 : 0);
 }
 
+int
+openssl_reinit_ca_chain (void)
+{
+  openssl_main_t *om = &openssl_main;
+
+  /* Remove/free existing x509_store */
+  if (om->cert_store)
+    {
+      X509_STORE_free (om->cert_store);
+    }
+  return tls_init_ca_chain ();
+}
+
+const static tls_engine_vft_t openssl_engine = {
+  .ctx_alloc = openssl_ctx_alloc,
+  .ctx_alloc_w_thread = openssl_ctx_alloc_w_thread,
+  .ctx_free = openssl_ctx_free,
+  .ctx_attach = openssl_ctx_attach,
+  .ctx_detach = openssl_ctx_detach,
+  .ctx_get = openssl_ctx_get,
+  .ctx_get_w_thread = openssl_ctx_get_w_thread,
+  .ctx_init_server = openssl_ctx_init_server,
+  .ctx_init_client = openssl_ctx_init_client,
+  .ctx_write = openssl_ctx_write,
+  .ctx_read = openssl_ctx_read,
+  .ctx_handshake_is_over = openssl_handshake_is_over,
+  .ctx_start_listen = openssl_start_listen,
+  .ctx_stop_listen = openssl_stop_listen,
+  .ctx_transport_close = openssl_transport_close,
+  .ctx_app_close = openssl_app_close,
+  .ctx_reinit_cachain = openssl_reinit_ca_chain,
+};
+
 int
 tls_openssl_set_ciphers (char *ciphers)
 {
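Review bot: `openssl_reinit_ca_chain` frees `om->cert_store` but leaves the pointer set, so if `tls_init_ca_chain ()` fails before it installs a new store (its body is outside the hunk, so whether it always reassigns the field cannot be seen here) the field keeps pointing at freed memory and a later reinit frees it a second time; add `om->cert_store = NULL;` directly after the `X509_STORE_free` call. Whether SSL_CTX objects created before the reload pick up the new store or keep a reference to the old one depends on how `tls_init_ca_chain` attaches the store to them, which is also outside the hunk; a one-line comment stating which it is would tell operators whether existing listeners must be restarted for a trust-anchor change to take effect. Nothing in the hunk serialises the free against worker threads that may be mid-handshake, so if this entry point is reachable at runtime from the CLI or API it should run on the main thread under a barrier, or that requirement should be documented on the function.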
@@ -1124,12 +1139,6 @@ tls_openssl_init (vlib_main_t * vm)
   SSL_library_init ();
   SSL_load_error_strings ();
 
-  if (tls_init_ca_chain ())
-    {
-      clib_warning ("failed to initialize TLS CA chain");
-      return 0;
-    }
-
   vec_validate (om->ctx_pool, num_threads - 1);
   vec_validate (om->rx_bufs, num_threads - 1);
   vec_validate (om->tx_bufs, num_threads - 1);
@@ -1146,6 +1155,12 @@ tls_openssl_init (vlib_main_t * vm)
   tls_openssl_set_ciphers
     ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
 
+  if (tls_init_ca_chain ())
+    {
+      clib_warning ("failed to initialize TLS CA chain");
+      return 0;
+    }
+
   return error;
 }
 /* *INDENT-OFF* */
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
index 54a9d19fe65..afb48f1c72e 100644
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -722,6 +722,13 @@ picotls_init_client_ptls_ctx (ptls_context_t **client_ptls_ctx)
   return 0;
 }
 
+int
+picotls_reinit_ca_chain (void)
+{
+  /* Not supported yet */
+  return 0;
+}
+
 const static tls_engine_vft_t picotls_engine = {
   .ctx_alloc = picotls_ctx_alloc,
   .ctx_free = picotls_ctx_free,
@@ -736,6 +743,7 @@ const static tls_engine_vft_t picotls_engine = {
   .ctx_write = picotls_ctx_write,
   .ctx_transport_close = picotls_transport_close,
   .ctx_app_close = picotls_app_close,
+  .ctx_reinit_cachain = picotls_reinit_ca_chain,
 };
 
 static clib_error_t *
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index becd29f20e0..14495b2c77e 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -398,6 +398,12 @@ tls_ctx_handshake_is_over (tls_ctx_t * ctx)
   return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx);
 }
 
+int
+tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id)
+{
+  return tls_vfts[tls_engine_id].ctx_reinit_cachain ();
+}
+
 void
 tls_notify_app_io_error (tls_ctx_t *ctx)
 {
diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h
index 54798e0230f..4a5da15a88f 100644
--- a/src/vnet/tls/tls.h
+++ b/src/vnet/tls/tls.h
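Review bot: The relocated block in `tls_openssl_init` still does `return 0;` after the `clib_warning` when `tls_init_ca_chain ()` fails, which for a `clib_error_t *` init function means initialisation is reported as successful even though no CA trust store was loaded. If that is deliberate best-effort behaviour a comment should say so, e.g. `/* CA chain is optional at init; it can be loaded later via reinit */`; otherwise fail init with `return clib_error_return (0, "failed to initialize TLS CA chain");`. The function's body begins outside the hunk.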
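Review bot: `tls_reinit_ca_chain` in tls.c indexes `tls_vfts` with a caller-supplied `tls_engine_id` and calls `ctx_reinit_cachain` without checking either the index or the function pointer, unlike the neighbouring `tls_ctx_handshake_is_over`, whose engine id comes from an already-created context. Only the three engines touched by this commit populate the new slot, so any other registered engine would hit a NULL call, and an out-of-range id reads past the table. Guard both before dispatching, e.g. `if (tls_engine_id >= vec_len (tls_vfts) || !tls_vfts[tls_engine_id].ctx_reinit_cachain) return -1;` (assuming `tls_vfts` is a vec; otherwise use the table's real length).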
@@ -125,6 +125,7 @@ typedef struct tls_engine_vft_
   int (*ctx_stop_listen) (tls_ctx_t * ctx);
   int (*ctx_transport_close) (tls_ctx_t * ctx);
   int (*ctx_app_close) (tls_ctx_t * ctx);
+  int (*ctx_reinit_cachain) (void);
 } tls_engine_vft_t;
 
 tls_main_t *vnet_tls_get_main (void);
@@ -139,6 +140,7 @@ int tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err);
 void tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session);
 void tls_notify_app_io_error (tls_ctx_t *ctx);
 void tls_disconnect_transport (tls_ctx_t * ctx);
+int tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id);
 
 #endif /* SRC_VNET_TLS_TLS_H_ */
 /*
-- 
cgit 1.2.3-korg
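Review bot: The new `ctx_reinit_cachain` slot in `tls_engine_vft_t` carries no comment on its contract, and the engines in this commit already disagree on it (openssl returns `tls_init_ca_chain`'s result, mbedtls and picotls return 0 without reloading anything). A comment fixing the convention, e.g. `/* Reload the engine's CA trust store. 0 on success, < 0 on failure or if unsupported. */`, gives the `tls_reinit_ca_chain` dispatcher and its CLI/API callers something to rely on. The same return convention should be stated on the `tls_reinit_ca_chain` prototype added in the second hunk.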