From a5a9efd4d1995ef6d46dfab4e5b8aba9c5d114ef Mon Sep 17 00:00:00 2001
From: Florin Coras
Date: Tue, 5 Jan 2021 17:03:29 -0800
Subject: vcl session: switch to generic cert key apis
Remove the deprecated tls apis.
Type: improvement
Signed-off-by: Florin Coras
Change-Id: Ia1e12bd813671146f0aca22e83d04c23ac13e595
---
 src/plugins/hs_apps/echo_client.c | 33 +++++++++++++------------
 src/plugins/hs_apps/echo_client.h | 1 +
 src/plugins/hs_apps/echo_server.c | 36 +++++++++++++--------------
 src/plugins/hs_apps/http_server.c | 40 ++++++++++++++++++-------------
 src/plugins/hs_apps/vcl/vcl_test_client.c | 28 ++++++++++++++++++----
 src/plugins/hs_apps/vcl/vcl_test_server.c | 20 ++++++++++++----
 6 files changed, 100 insertions(+), 58 deletions(-)
(limited to 'src/plugins/hs_apps')
diff --git a/src/plugins/hs_apps/echo_client.c b/src/plugins/hs_apps/echo_client.c
index 50d815748a5..c26329468ec 100644
--- a/src/plugins/hs_apps/echo_client.c
+++ b/src/plugins/hs_apps/echo_client.c
@@ -620,8 +620,7 @@ static session_cb_vft_t echo_clients = {
 static clib_error_t *
 echo_clients_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret)
 {
- vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert;
- vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key;
+ vnet_app_add_cert_key_pair_args_t _ck_pair, *ck_pair = &_ck_pair;
 u32 prealloc_fifos, segment_size = 256 << 20;
 echo_client_main_t *ecm = &echo_client_main;
 vnet_app_attach_args_t _a, *a = &_a;
@@ -667,17 +666,14 @@ echo_clients_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret) ecm->app_index = a->app_index; vec_free (a->name); - clib_memset (a_cert, 0, sizeof (*a_cert)); - a_cert->app_index = a->app_index; - vec_validate (a_cert->cert, test_srv_crt_rsa_len); - clib_memcpy_fast (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len); - vnet_app_add_tls_cert (a_cert); - - clib_memset (a_key, 0, sizeof (*a_key)); - a_key->app_index = a->app_index; - vec_validate (a_key->key, test_srv_key_rsa_len); - clib_memcpy_fast (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len); - vnet_app_add_tls_key (a_key); + clib_memset (ck_pair, 0, sizeof (*ck_pair)); + ck_pair->cert = (u8 *) test_srv_crt_rsa; + ck_pair->key = (u8 *) test_srv_key_rsa; + ck_pair->cert_len = test_srv_crt_rsa_len; + ck_pair->key_len = test_srv_key_rsa_len; + vnet_app_add_cert_key_pair (ck_pair); + ecm->ckpair_index = ck_pair->index; + return 0; } @@ -693,6 +689,8 @@ echo_clients_detach () rv = vnet_application_detach (da); ecm->test_client_attached = 0; ecm->app_index = ~0; + vnet_app_del_cert_key_pair (ecm->ckpair_index); + return rv; } @@ -723,20 +721,25 @@ echo_clients_start_tx_pthread (echo_client_main_t * ecm) clib_error_t * echo_clients_connect (vlib_main_t * vm, u32 n_clients) { + session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL; echo_client_main_t *ecm = &echo_client_main; vnet_connect_args_t _a, *a = &_a; int i, rv; clib_memset (a, 0, sizeof (*a)); + if (parse_uri ((char *) ecm->connect_uri, &sep)) + return clib_error_return (0, "invalid uri"); + for (i = 0; i < n_clients; i++) { - a->uri = (char *) ecm->connect_uri; + clib_memcpy (&a->sep_ext, &sep, sizeof (sep)); a->api_context = i; a->app_index = ecm->app_index; + a->sep_ext.ckpair_index = ecm->ckpair_index; vlib_worker_thread_barrier_sync (vm); - if ((rv = vnet_connect_uri (a))) + if ((rv = vnet_connect (a))) { vlib_worker_thread_barrier_release (vm); return clib_error_return (0, "connect returned: %d", rv); 
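Review bot: The result of `vnet_app_add_cert_key_pair (ck_pair)` is discarded, yet the very next line stores `ck_pair->index` into `ecm->ckpair_index`, which is later deleted on detach and stamped into every connect; on failure that index is the zero written by `clib_memset`, which may well be a live pair owned by another app. The removed add_tls_cert/add_tls_key calls were equally unchecked, but the new code is the first to act on the outcome. Assuming the add returns a nonzero int on error like the other vnet_* calls here, `if ((rv = vnet_app_add_cert_key_pair (ck_pair))) return clib_error_return (0, "add cert key pair: %d", rv);` with an `int rv;` declared above would stop a bad index from propagating. A one-line comment that `cert`/`key` now point at the static test_srv_* arrays rather than a copy (the old code vec_validate'd a copy) would also tell the next reader that the callee must not take ownership — confirm against the API. echo_clients_attach begins outside this hunk.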
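Review bot: `vnet_app_del_cert_key_pair (ecm->ckpair_index)` is added after `ecm->app_index = ~0;` but `ecm->ckpair_index` is never reset, so a second detach, or a detach following a failed attach, deletes whatever pair currently occupies that index. Mirror the app_index handling with `vnet_app_del_cert_key_pair (ecm->ckpair_index); ecm->ckpair_index = ~0;` and, if ~0 is not what the API treats as "no pair", guard the call with `if (ecm->ckpair_index != ~0)`. The delete's own return value is also dropped while the detach `rv` is returned; logging it would at least make a leaked pair visible. echo_clients_detach begins outside this hunk.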
diff --git a/src/plugins/hs_apps/echo_client.h b/src/plugins/hs_apps/echo_client.h index 34cf0bd4764..c4983ca78d8 100644 --- a/src/plugins/hs_apps/echo_client.h +++ b/src/plugins/hs_apps/echo_client.h @@ -66,6 +66,7 @@ typedef struct u8 is_dgram; u32 no_copy; /**< Don't memcpy data to tx fifo */ u32 quic_streams; /**< QUIC streams per connection */ + u32 ckpair_index; /**< Cert key pair for tls/quic */ /* * Test state variables diff --git a/src/plugins/hs_apps/echo_server.c b/src/plugins/hs_apps/echo_server.c index a5335bb2f20..1c4022537ba 100644 --- a/src/plugins/hs_apps/echo_server.c +++ b/src/plugins/hs_apps/echo_server.c @@ -47,7 +47,9 @@ typedef struct u32 private_segment_size; /**< Size of private segments */ char *server_uri; /**< Server URI */ u32 tls_engine; /**< TLS engine: mbedtls/openssl */ + u32 ckpair_index; /**< Cert and key for tls/quic */ u8 is_dgram; /**< set if transport is dgram */ + /* * Test state */ @@ -304,8 +306,7 @@ static session_cb_vft_t echo_server_session_cb_vft = { static int echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret) { - vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert; - vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key; + vnet_app_add_cert_key_pair_args_t _ck_pair, *ck_pair = &_ck_pair; echo_server_main_t *esm = &echo_server_main; vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; 
@@ -357,17 +358,14 @@ echo_server_attach (u8 * appns_id, u64 appns_flags, u64 appns_secret) esm->app_index = a->app_index; vec_free (a->name); - clib_memset (a_cert, 0, sizeof (*a_cert)); - a_cert->app_index = a->app_index; - vec_validate (a_cert->cert, test_srv_crt_rsa_len); - clib_memcpy_fast (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len); - vnet_app_add_tls_cert (a_cert); - - clib_memset (a_key, 0, sizeof (*a_key)); - a_key->app_index = a->app_index; - vec_validate (a_key->key, test_srv_key_rsa_len); - clib_memcpy_fast (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len); - vnet_app_add_tls_key (a_key); + clib_memset (ck_pair, 0, sizeof (*ck_pair)); + ck_pair->cert = (u8 *) test_srv_crt_rsa; + ck_pair->key = (u8 *) test_srv_key_rsa; + ck_pair->cert_len = test_srv_crt_rsa_len; + ck_pair->key_len = test_srv_key_rsa_len; + vnet_app_add_cert_key_pair (ck_pair); + esm->ckpair_index = ck_pair->index; + return 0; } @@ -381,6 +379,7 @@ echo_server_detach (void) da->app_index = esm->app_index; rv = vnet_application_detach (da); esm->app_index = ~0; + vnet_app_del_cert_key_pair (esm->ckpair_index); return rv; } @@ -389,17 +388,16 @@ echo_server_listen () { i32 rv; echo_server_main_t *esm = &echo_server_main; - vnet_listen_args_t _args = { - .app_index = esm->app_index, - .sep_ext = { - .app_wrk_index = 0, - } - }, *args = &_args; + vnet_listen_args_t _args = { 0 }, *args = &_args; + + args->sep_ext.app_wrk_index = 0; if ((rv = parse_uri (esm->server_uri, &args->sep_ext))) { return -1; } + args->app_index = esm->app_index; + args->sep_ext.ckpair_index = esm->ckpair_index; if (args->sep_ext.transport_proto == TRANSPORT_PROTO_UDP) { diff --git a/src/plugins/hs_apps/http_server.c b/src/plugins/hs_apps/http_server.c index ce4e09addbc..e1674d5d2f1 100644 --- a/src/plugins/hs_apps/http_server.c +++ b/src/plugins/hs_apps/http_server.c 
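Review bot: `vnet_app_add_cert_key_pair (ck_pair)` is unchecked before `esm->ckpair_index = ck_pair->index;`, so a failed add leaves the server holding index 0 from the preceding `clib_memset` and echo_server_listen will later bind that possibly foreign pair to its listener. Since this function already returns int, `if (vnet_app_add_cert_key_pair (ck_pair)) return -1;` before the assignment is enough (assuming a nonzero return on error, as for vnet_application_attach). echo_server_attach begins outside this hunk.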
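Review bot: The new `vnet_app_del_cert_key_pair (esm->ckpair_index);` in echo_server_detach runs unconditionally and leaves `esm->ckpair_index` unchanged, while `esm->app_index` is reset to ~0 on the line above; calling detach twice would delete the pair twice, or a different app's pair if the index has been reused. Suggest `vnet_app_del_cert_key_pair (esm->ckpair_index); esm->ckpair_index = ~0;` guarded by `if (esm->ckpair_index != ~0)` if that is the API's "unset" value. echo_server_detach begins outside this hunk.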
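Review bot: `vnet_listen_args_t _args = { 0 }` leaves `args->sep_ext` zero-filled before parse_uri, whereas echo_clients_connect and http_server_listen in this same patch start their endpoint from `SESSION_ENDPOINT_CFG_NULL`; if that macro sets sentinels (for instance ~0 for index fields not named here), the three call sites now disagree on what an unset field looks like. The consistent shape is to parse into `session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL;`, then `clib_memcpy (&args->sep_ext, &sep, sizeof (sep));` as http_server_listen does, and set `app_wrk_index`, `ckpair_index` and `app_index` after the copy. As written, `args->sep_ext.app_wrk_index = 0;` is assigned before parse_uri and survives only if parse_uri does not reinitialize the struct — confirm. echo_server_listen continues past this hunk.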
@@ -73,6 +73,9 @@ typedef struct /* process node index for evnt scheduling */ u32 node_index; + /* Cert key pair for tls */ + u32 ckpair_index; + tw_timer_wheel_2t_1w_2048sl_t tw; clib_spinlock_t tw_lock; @@ -712,8 +715,7 @@ static session_cb_vft_t http_server_session_cb_vft = { static int http_server_attach () { - vnet_app_add_tls_cert_args_t _a_cert, *a_cert = &_a_cert; - vnet_app_add_tls_key_args_t _a_key, *a_key = &_a_key; + vnet_app_add_cert_key_pair_args_t _ck_pair, *ck_pair = &_ck_pair; http_server_main_t *hsm = &http_server_main; u64 options[APP_OPTIONS_N_OPTIONS]; vnet_app_attach_args_t _a, *a = &_a; @@ -746,17 +748,13 @@ http_server_attach () vec_free (a->name); hsm->app_index = a->app_index; - clib_memset (a_cert, 0, sizeof (*a_cert)); - a_cert->app_index = a->app_index; - vec_validate (a_cert->cert, test_srv_crt_rsa_len); - clib_memcpy_fast (a_cert->cert, test_srv_crt_rsa, test_srv_crt_rsa_len); - vnet_app_add_tls_cert (a_cert); - - clib_memset (a_key, 0, sizeof (*a_key)); - a_key->app_index = a->app_index; - vec_validate (a_key->key, test_srv_key_rsa_len); - clib_memcpy_fast (a_key->key, test_srv_key_rsa, test_srv_key_rsa_len); - vnet_app_add_tls_key (a_key); + clib_memset (ck_pair, 0, sizeof (*ck_pair)); + ck_pair->cert = (u8 *) test_srv_crt_rsa; + ck_pair->key = (u8 *) test_srv_key_rsa; + ck_pair->cert_len = test_srv_crt_rsa_len; + ck_pair->key_len = test_srv_key_rsa_len; + vnet_app_add_cert_key_pair (ck_pair); + hsm->ckpair_index = ck_pair->index; return 0; } 
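Review bot: `vnet_app_add_cert_key_pair (ck_pair)` is not checked before `hsm->ckpair_index = ck_pair->index;`, so on failure the HTTP server keeps the zeroed index from `clib_memset` and http_server_listen will advertise a pair it does not own. `if (vnet_app_add_cert_key_pair (ck_pair)) return -1;` ahead of the assignment matches how this int-returning function already reports attach failures (assuming a nonzero return on error). Unlike the echo client and server in this patch, no matching vnet_app_del_cert_key_pair appears for http_server; if it has a detach path outside this diff, the pair should be released there. http_server_attach begins outside this hunk.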
@@ -764,14 +762,24 @@ http_server_attach () static int http_server_listen () { + session_endpoint_cfg_t sep = SESSION_ENDPOINT_CFG_NULL; http_server_main_t *hsm = &http_server_main; vnet_listen_args_t _a, *a = &_a; + char *uri = "tcp://0.0.0.0/80"; + clib_memset (a, 0, sizeof (*a)); a->app_index = hsm->app_index; - a->uri = "tcp://0.0.0.0/80"; + if (hsm->uri) - a->uri = (char *) hsm->uri; - return vnet_bind_uri (a); + uri = (char *) hsm->uri; + + if (parse_uri (uri, &sep)) + return -1; + + clib_memcpy (&a->sep_ext, &sep, sizeof (sep)); + a->sep_ext.ckpair_index = hsm->ckpair_index; + + return vnet_listen (a); } static void diff --git a/src/plugins/hs_apps/vcl/vcl_test_client.c b/src/plugins/hs_apps/vcl/vcl_test_client.c index 51544a7a445..0aff98ef1dd 100644 --- a/src/plugins/hs_apps/vcl/vcl_test_client.c +++ b/src/plugins/hs_apps/vcl/vcl_test_client.c @@ -51,6 +51,7 @@ typedef struct vcl_test_t post_test; uint8_t proto; uint32_t n_workers; + uint32_t ckpair_index; volatile int active_workers; struct sockaddr_storage server_addr; } vcl_test_client_main_t; @@ -265,6 +266,13 @@ vtc_connect_test_sessions (vcl_test_client_worker_t * wrk) return ts->fd; } + if (vcm->proto == VPPCOM_PROTO_TLS) + { + uint32_t ckp_len = sizeof (vcm->ckpair_index); + vppcom_session_attr (ts->fd, VPPCOM_ATTR_SET_CKPAIR, + &vcm->ckpair_index, &ckp_len); + } + /* Connect is blocking */ rv = vppcom_session_connect (ts->fd, &vcm->server_endpt); if (rv < 0) 
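Review bot: The new `if (parse_uri (uri, &sep)) return -1;` gives the caller no way to tell a malformed `hsm->uri` from a vnet_listen failure and logs nothing, so a typo in the configured uri surfaces only as a generic listen failure. A `clib_warning ("invalid uri %s", uri); return -1;` (or a distinct return code) would make the configuration error visible where it happens. http_server_listen is fully inside this hunk.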
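Review bot: The cert key pair is applied to the test sessions only under `if (vcm->proto == VPPCOM_PROTO_TLS)`, while main later in this file registers the pair for TLS and QUIC alike; if QUIC test sessions are separate vppcom connections rather than streams of the ctrl session, they connect without a pair, so the condition likely wants `|| vcm->proto == VPPCOM_PROTO_QUIC` as well — confirm against how QUIC sessions are opened. The `vppcom_session_attr (...)` result is also discarded; the function already has `rv`, so `rv = vppcom_session_attr (ts->fd, VPPCOM_ATTR_SET_CKPAIR, &vcm->ckpair_index, &ckp_len); if (rv < 0) return rv;` keeps a rejected attribute from showing up only as a later handshake failure. vtc_connect_test_sessions begins outside this hunk.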
@@ -1099,11 +1107,23 @@ main (int argc, char **argv) if (vcm->proto == VPPCOM_PROTO_TLS || vcm->proto == VPPCOM_PROTO_QUIC) { + vppcom_cert_key_pair_t ckpair; + uint32_t ckp_len; + int ckp_index; + vtinf ("Adding tls certs ..."); - vppcom_session_tls_add_cert (ctrl->fd, vcl_test_crt_rsa, - vcl_test_crt_rsa_len); - vppcom_session_tls_add_key (ctrl->fd, vcl_test_key_rsa, - vcl_test_key_rsa_len); + ckpair.cert = vcl_test_crt_rsa; + ckpair.key = vcl_test_key_rsa; + ckpair.cert_len = vcl_test_crt_rsa_len; + ckpair.key_len = vcl_test_key_rsa_len; + ckp_index = vppcom_add_cert_key_pair (&ckpair); + if (ckp_index < 0) + vtfail ("vppcom_add_cert_key_pair()", ckp_index); + + vcm->ckpair_index = ckp_index; + ckp_len = sizeof (ckp_index); + vppcom_session_attr (ctrl->fd, VPPCOM_ATTR_SET_CKPAIR, &ckp_index, + &ckp_len); } vtinf ("Connecting to server..."); diff --git a/src/plugins/hs_apps/vcl/vcl_test_server.c b/src/plugins/hs_apps/vcl/vcl_test_server.c index 798fd72b481..a2a4d6ac3b0 100644 --- a/src/plugins/hs_apps/vcl/vcl_test_server.c +++ b/src/plugins/hs_apps/vcl/vcl_test_server.c 
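Review bot: `vppcom_session_attr (ctrl->fd, VPPCOM_ATTR_SET_CKPAIR, &ckp_index, &ckp_len)` is unchecked even though the add a few lines above treats failure as fatal via vtfail; a rejected attribute leaves the ctrl session without a pair and the error only appears at connect time. Give it the same treatment, `rv = vppcom_session_attr (ctrl->fd, VPPCOM_ATTR_SET_CKPAIR, &ckp_index, &ckp_len); if (rv < 0) vtfail ("vppcom_session_attr()", rv);` (`rv` is presumably the int main already uses for vppcom results — confirm). `ckp_index` is an `int` while `vcm->ckpair_index` is `uint32_t`; the sizes agree, but passing `&vcm->ckpair_index` after the assignment, as vtc_connect_test_sessions does, avoids the signed/unsigned mix. main continues outside this hunk.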
@@ -553,10 +553,22 @@ vts_worker_init (vcl_test_server_worker_t * wrk) if (vsm->cfg.proto == VPPCOM_PROTO_TLS || vsm->cfg.proto == VPPCOM_PROTO_QUIC) { - vppcom_session_tls_add_cert (wrk->listen_fd, vcl_test_crt_rsa, - vcl_test_crt_rsa_len); - vppcom_session_tls_add_key (wrk->listen_fd, vcl_test_key_rsa, - vcl_test_key_rsa_len); + vppcom_cert_key_pair_t ckpair; + uint32_t ckp_len; + int ckp_index; + + vtinf ("Adding tls certs ..."); + ckpair.cert = vcl_test_crt_rsa; + ckpair.key = vcl_test_key_rsa; + ckpair.cert_len = vcl_test_crt_rsa_len; + ckpair.key_len = vcl_test_key_rsa_len; + ckp_index = vppcom_add_cert_key_pair (&ckpair); + if (ckp_index < 0) + vtfail ("vppcom_add_cert_key_pair()", ckp_index); + + ckp_len = sizeof (ckp_index); + vppcom_session_attr (wrk->listen_fd, VPPCOM_ATTR_SET_CKPAIR, &ckp_index, + &ckp_len); } rv = vppcom_session_bind (wrk->listen_fd, &vsm->cfg.endpt); -- cgit 1.2.3-korg
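Review bot: `vppcom_add_cert_key_pair (&ckpair)` now runs inside vts_worker_init, so with more than one worker the same static cert and key appear to be registered once per worker and never released; unless a per-worker pair is intended, register it once at startup and hand each worker the index, as the client side of this patch does through `vcm->ckpair_index`. The `vppcom_session_attr (wrk->listen_fd, VPPCOM_ATTR_SET_CKPAIR, ...)` return is dropped although the add right above is checked with vtfail; `rv` is assigned on the very next line, so `rv = vppcom_session_attr (wrk->listen_fd, VPPCOM_ATTR_SET_CKPAIR, &ckp_index, &ckp_len); if (rv < 0) vtfail ("vppcom_session_attr()", rv);` fits without new declarations. vts_worker_init begins outside this hunk.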