From 79f89537c6fd3baeac03354a3381f42895fe2ca8 Mon Sep 17 00:00:00 2001
From: Nathan Skrzypczak
Date: Fri, 13 Sep 2019 11:08:13 +0200
Subject: session: Add certificate store

Type: feature
This changes the behavior of both API calls APPLICATION_TLS_CERT_ADD & APPLICATION_TLS_KEY_ADD certificates and keys aren't bound to an app, they are passed to it via connect / listen using the message queue. This should be followed by a per protocol (QUIC/TLS) crypto_context store to save devrived structs
Change-Id: I36873bc8b63b5c72776c69e8cd9febc9cae31882
Signed-off-by: Nathan Skrzypczak
---
 src/vnet/session/session_api.c | 117 ++++++++++++++++++++++++++++++-----------
 1 file changed, 87 insertions(+), 30 deletions(-)
(limited to 'src/vnet/session/session_api.c')

diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index c55aab33541..c17d98c0517 100755
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -59,6 +59,8 @@ _(SESSION_RULE_ADD_DEL, session_rule_add_del) \
 _(SESSION_RULES_DUMP, session_rules_dump) \
 _(APPLICATION_TLS_CERT_ADD, application_tls_cert_add) \
 _(APPLICATION_TLS_KEY_ADD, application_tls_key_add) \
+_(APP_ADD_CERT_KEY_PAIR, app_add_cert_key_pair) \
+_(APP_DEL_CERT_KEY_PAIR, app_del_cert_key_pair) \
 _(APP_WORKER_ADD_DEL, app_worker_add_del) \
 
 static int
@@ -1059,7 +1061,7 @@ vl_api_app_worker_add_del_t_handler (vl_api_app_worker_add_del_t * mp)
   application_t *app;
   u8 fd_flags = 0;
 
-  if (!session_main_is_enabled ())
+  if (session_main_is_enabled () == 0)
     {
       rv = VNET_API_ERROR_FEATURE_DISABLED;
       goto done;
@@ -1138,7 +1140,7 @@ vl_api_app_namespace_add_del_t_handler (vl_api_app_namespace_add_del_t * mp)
   u32 appns_index = 0;
   u8 *ns_id = 0;
   int rv = 0;
-  if (!session_main_is_enabled ())
+  if (session_main_is_enabled () == 0)
     {
       rv = VNET_API_ERROR_FEATURE_DISABLED;
       goto done;
@@ -1355,17 +1357,85 @@ vl_api_session_rules_dump_t_handler (vl_api_one_map_server_dump_t * mp)
   /* *INDENT-ON* */
 }
 
+static void
+vl_api_app_add_cert_key_pair_t_handler (vl_api_app_add_cert_key_pair_t * mp)
+{
+  vl_api_app_add_cert_key_pair_reply_t *rmp;
+  vnet_app_add_cert_key_pair_args_t _a, *a = &_a;
+  u32 certkey_len, key_len, cert_len;
+  int rv = 0;
+  if (session_main_is_enabled () == 0)
+    {
+      rv = VNET_API_ERROR_FEATURE_DISABLED;
+      goto done;
+    }
+
+  cert_len = clib_net_to_host_u16 (mp->cert_len);
+  if (cert_len > 10000)
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto done;
+    }
+
+  certkey_len = clib_net_to_host_u16 (mp->certkey_len);
+  if (certkey_len < cert_len)
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto done;
+    }
+
+  key_len = certkey_len - cert_len;
+  if (key_len > 10000)
+    {
+      rv = VNET_API_ERROR_INVALID_VALUE;
+      goto done;
+    }
+
+  clib_memset (a, 0, sizeof (*a));
+  vec_validate (a->cert, cert_len);
+  vec_validate (a->key, key_len);
+  clib_memcpy_fast (a->cert, mp->certkey, cert_len);
+  clib_memcpy_fast (a->key, mp->certkey + cert_len, key_len);
+  rv = vnet_app_add_cert_key_pair (a);
+  vec_free (a->cert);
+  vec_free (a->key);
+
+done:
+  /* *INDENT-OFF* */
+  REPLY_MACRO2 (VL_API_APP_ADD_CERT_KEY_PAIR_REPLY, ({
+    if (!rv)
+      rmp->index = a->index;
+  }));
+  /* *INDENT-ON* */
+}
+
+static void
+vl_api_app_del_cert_key_pair_t_handler (vl_api_app_del_cert_key_pair_t * mp)
+{
+  vl_api_app_del_cert_key_pair_reply_t *rmp;
+  int rv = 0;
+  if (session_main_is_enabled () == 0)
+    {
+      rv = VNET_API_ERROR_FEATURE_DISABLED;
+      goto done;
+    }
+  rv = vnet_app_del_cert_key_pair (mp->index);
+
+done:
+  REPLY_MACRO (VL_API_APP_ADD_CERT_KEY_PAIR_REPLY);
+}
+
+/* ### WILL BE DEPRECATED POST 20.01 ### */
 static void
 vl_api_application_tls_cert_add_t_handler (vl_api_application_tls_cert_add_t *
                                            mp)
 {
-  vl_api_app_namespace_add_del_reply_t *rmp;
-  vnet_app_add_tls_cert_args_t _a, *a = &_a;
-  clib_error_t *error;
+  vl_api_application_tls_cert_add_reply_t *rmp;
+  app_cert_key_pair_t *ckpair;
   application_t *app;
   u32 cert_len;
   int rv = 0;
-  if (!session_main_is_enabled ())
+  if (session_main_is_enabled () == 0)
     {
       rv = VNET_API_ERROR_FEATURE_DISABLED;
       goto done;
@@ -1375,37 +1445,31 @@ vl_api_application_tls_cert_add_t_handler (vl_api_application_tls_cert_add_t *
       rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
       goto done;
     }
-  clib_memset (a, 0, sizeof (*a));
-  a->app_index = app->app_index;
   cert_len = clib_net_to_host_u16 (mp->cert_len);
   if (cert_len > 10000)
     {
       rv = VNET_API_ERROR_INVALID_VALUE;
       goto done;
     }
-  vec_validate (a->cert, cert_len);
-  clib_memcpy_fast (a->cert, mp->cert, cert_len);
-  if ((error = vnet_app_add_tls_cert (a)))
-    {
-      rv = clib_error_get_code (error);
-      clib_error_report (error);
-    }
-  vec_free (a->cert);
+  ckpair = app_cert_key_pair_get_default ();
+  vec_validate (ckpair->cert, cert_len);
+  clib_memcpy_fast (ckpair->cert, mp->cert, cert_len);
+
 done:
   REPLY_MACRO (VL_API_APPLICATION_TLS_CERT_ADD_REPLY);
 }
 
+/* ### WILL BE DEPRECATED POST 20.01 ### */
 static void
 vl_api_application_tls_key_add_t_handler (vl_api_application_tls_key_add_t *
                                           mp)
 {
-  vl_api_app_namespace_add_del_reply_t *rmp;
-  vnet_app_add_tls_key_args_t _a, *a = &_a;
-  clib_error_t *error;
+  vl_api_application_tls_key_add_reply_t *rmp;
+  app_cert_key_pair_t *ckpair;
   application_t *app;
   u32 key_len;
   int rv = 0;
-  if (!session_main_is_enabled ())
+  if (session_main_is_enabled () == 0)
     {
       rv = VNET_API_ERROR_FEATURE_DISABLED;
       goto done;
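Review bot: vl_api_app_del_cert_key_pair_t_handler replies under the wrong message id: `rmp` is a `vl_api_app_del_cert_key_pair_reply_t *` but its `done:` label emits `REPLY_MACRO (VL_API_APP_ADD_CERT_KEY_PAIR_REPLY);`, so a client waiting on the del reply receives an add-reply id carrying the del struct; it should be `REPLY_MACRO (VL_API_APP_DEL_CERT_KEY_PAIR_REPLY);`. In vl_api_app_add_cert_key_pair_t_handler the three lengths are capped at 10000 and `certkey_len < cert_len` is rejected, but nothing compares `certkey_len` with the size of the message actually received, so unless the API layer already validates variable-length payloads the two `clib_memcpy_fast` calls can read past a short message; a check against the received message length belongs next to the existing bounds checks. `vec_validate (a->cert, cert_len)` makes index cert_len valid, so the vector is one byte longer than the certificate (likewise `a->key`); if `vnet_app_add_cert_key_pair` takes `vec_len` as the data length that off-by-one propagates, and `vec_add (a->cert, mp->certkey, cert_len)` would size it exactly. `a->key` holds private-key material and goes to `vec_free` unwiped; if the callee copies it, clear it first, e.g. `clib_memset (a->key, 0, vec_len (a->key));`, bearing in mind a plain memset immediately before free can be optimized away. The literal 10000 is repeated three times here and again in the two deprecated handlers below, so one named limit would keep them in step.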
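Review bot: In vl_api_application_tls_cert_add_t_handler the replacement `vec_validate (ckpair->cert, cert_len)` only grows the vector, so a second call with a shorter certificate leaves the old tail bytes in place and `vec_len (ckpair->cert)` at the previous size, and this deprecated API gives the caller no way to reset it; `vec_reset_length (ckpair->cert);` before the `vec_validate` (or `vec_free` followed by `vec_add`) makes the stored cert exactly what was sent. The same applies to `ckpair->key` in vl_api_application_tls_key_add_t_handler in the next hunk, where the stale tail is private-key bytes and should be wiped rather than merely truncated. Both handlers now write into the single pair returned by `app_cert_key_pair_get_default ()` while the `app` lookup survives only to reject unattached callers (the removed `a->app_index = app->app_index;` was the ownership link), so any attached application can replace the certificate or key that every other application using the default pair will present; if that sharing is intended it deserves a comment beside the `WILL BE DEPRECATED` marker, otherwise the handler should refuse to overwrite a pair installed by a different app. Both functions begin before this hunk, and the key handler continues past it.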
@@ -1415,22 +1479,15 @@ vl_api_application_tls_key_add_t_handler (vl_api_application_tls_key_add_t *
       rv = VNET_API_ERROR_APPLICATION_NOT_ATTACHED;
       goto done;
     }
-  clib_memset (a, 0, sizeof (*a));
-  a->app_index = app->app_index;
   key_len = clib_net_to_host_u16 (mp->key_len);
   if (key_len > 10000)
     {
       rv = VNET_API_ERROR_INVALID_VALUE;
       goto done;
     }
-  vec_validate (a->key, key_len);
-  clib_memcpy_fast (a->key, mp->key, key_len);
-  if ((error = vnet_app_add_tls_key (a)))
-    {
-      rv = clib_error_get_code (error);
-      clib_error_report (error);
-    }
-  vec_free (a->key);
+  ckpair = app_cert_key_pair_get_default ();
+  vec_validate (ckpair->key, key_len);
+  clib_memcpy_fast (ckpair->key, mp->key, key_len);
 done:
   REPLY_MACRO (VL_API_APPLICATION_TLS_KEY_ADD_REPLY);
 }
-- 
cgit 1.2.3-korg