From e191d76d248ebbb022533d518b447b7df4efd371 Mon Sep 17 00:00:00 2001
From: Florin Coras
Date: Wed, 11 Aug 2021 14:55:49 -0700
Subject: session vcl: cert key add/del with socket api

Type: improvement

Signed-off-by: Florin Coras
Change-Id: I70791285cbf427479d2dcbf70ffdce2253add2fb
---
 src/vnet/session/application_interface.h | 20 ++++++++
 src/vnet/session/session_api.c | 80 ++++++++++++++++++++++++++++++++
 src/vnet/session/session_types.h | 1 +
 3 files changed, 101 insertions(+)
(limited to 'src/vnet')

diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h
index b10dd6c150d..ca8dc38c4e1 100644
--- a/src/vnet/session/application_interface.h
+++ b/src/vnet/session/application_interface.h
@@ -817,6 +817,8 @@ typedef enum app_sapi_msg_type
   APP_SAPI_MSG_TYPE_ADD_DEL_WORKER,
   APP_SAPI_MSG_TYPE_ADD_DEL_WORKER_REPLY,
   APP_SAPI_MSG_TYPE_SEND_FDS,
+  APP_SAPI_MSG_TYPE_ADD_DEL_CERT_KEY,
+  APP_SAPI_MSG_TYPE_ADD_DEL_CERT_KEY_REPLY,
 } __clib_packed app_sapi_msg_type_e;
 
 typedef struct app_sapi_attach_msg_
@@ -861,6 +863,22 @@ typedef struct app_sapi_worker_add_del_reply_msg_
   u8 is_add;
 } __clib_packed app_sapi_worker_add_del_reply_msg_t;
 
+typedef struct app_sapi_cert_key_add_del_msg_
+{
+  u32 context;
+  u32 index;
+  u16 cert_len;
+  u16 certkey_len;
+  u8 is_add;
+} __clib_packed app_sapi_cert_key_add_del_msg_t;
+
+typedef struct app_sapi_cert_key_add_del_reply_msg_
+{
+  u32 context;
+  i32 retval;
+  u32 index;
+} __clib_packed app_sapi_cert_key_add_del_reply_msg_t;
+
 typedef struct app_sapi_msg_
 {
   app_sapi_msg_type_e type;
@@ -870,6 +888,8 @@ typedef struct app_sapi_msg_
   app_sapi_attach_reply_msg_t attach_reply;
   app_sapi_worker_add_del_msg_t worker_add_del;
   app_sapi_worker_add_del_reply_msg_t worker_add_del_reply;
+  app_sapi_cert_key_add_del_msg_t cert_key_add_del;
+  app_sapi_cert_key_add_del_reply_msg_t cert_key_add_del_reply;
 };
 } __clib_packed app_sapi_msg_t;
 
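Review bot: The new `app_sapi_cert_key_add_del_msg_` in the second hunk carries `cert_len` and `certkey_len` but nothing in the header says what follows the message on the socket, so a reader has to go to the handler in session_api.c to learn the wire format; a comment on the struct such as `/* Add: followed by certkey_len bytes of payload, the first cert_len of which are the certificate and the rest the key; the reply returns the new index. Del: index names the pair to remove. */` would make the header self-describing. It would also help to note next to the `u16` fields that the receiver enforces smaller upper bounds than a u16 admits, so clients know which lengths will be rejected.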
diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c
index 00e67dcd2d0..e420099e308 100644
--- a/src/vnet/session/session_api.c
+++ b/src/vnet/session/session_api.c
@@ -1488,6 +1488,83 @@ done:
   clib_socket_sendmsg (cs, &msg, sizeof (msg), fds, n_fds);
 }
 
+static void
+sapi_add_del_cert_key_handler (app_namespace_t *app_ns, clib_socket_t *cs,
+                               app_sapi_cert_key_add_del_msg_t *mp)
+{
+  vnet_app_add_cert_key_pair_args_t _a, *a = &_a;
+  app_sapi_cert_key_add_del_reply_msg_t *rmp;
+  app_sapi_msg_t msg = { 0 };
+  int rv = 0;
+
+  if (mp->is_add)
+    {
+      const u32 max_certkey_len = 2e4, max_cert_len = 1e4, max_key_len = 1e4;
+      clib_error_t *err;
+      u8 *certkey = 0;
+      u32 key_len;
+
+      if (mp->certkey_len > max_certkey_len)
+        {
+          rv = SESSION_E_INVALID;
+          goto send_reply;
+        }
+
+      vec_validate (certkey, mp->certkey_len - 1);
+      err = clib_socket_recvmsg (cs, certkey, mp->certkey_len, 0, 0);
+      if (err)
+        {
+          clib_error_report (err);
+          clib_error_free (err);
+          rv = SESSION_E_INVALID;
+          goto send_reply;
+        }
+
+      if (mp->cert_len > max_cert_len)
+        {
+          rv = SESSION_E_INVALID;
+          goto send_reply;
+        }
+
+      if (mp->certkey_len < mp->cert_len)
+        {
+          rv = SESSION_E_INVALID;
+          goto send_reply;
+        }
+
+      key_len = mp->certkey_len - mp->cert_len;
+      if (key_len > max_key_len)
+        {
+          rv = SESSION_E_INVALID;
+          goto send_reply;
+        }
+
+      clib_memset (a, 0, sizeof (*a));
+      a->cert = certkey;
+      a->key = certkey + mp->cert_len;
+      a->cert_len = mp->cert_len;
+      a->key_len = key_len;
+      rv = vnet_app_add_cert_key_pair (a);
+
+      vec_free (certkey);
+    }
+  else
+    {
+      rv = vnet_app_del_cert_key_pair (mp->index);
+    }
+
+send_reply:
+
+  msg.type = APP_SAPI_MSG_TYPE_ADD_DEL_CERT_KEY_REPLY;
+  rmp = &msg.cert_key_add_del_reply;
+  rmp->retval = rv;
+  rmp->context = mp->context;
+  if (!rv && mp->is_add)
+    rmp->index = a->index;
+
+  clib_socket_sendmsg (cs, &msg, sizeof (msg), 0, 0);
+}
+
 static void
 sapi_socket_detach (app_namespace_t * app_ns, clib_socket_t * cs)
 {
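Review bot: `certkey` leaks on every rejection taken after `vec_validate`: the `clib_socket_recvmsg` failure path and the `cert_len > max_cert_len`, `certkey_len < cert_len` and `key_len > max_key_len` checks all `goto send_reply` without reaching the `vec_free (certkey)` at the end of the `is_add` branch, so a peer can grow heap usage by up to `max_certkey_len` bytes per rejected message. The three length checks need nothing from the socket, so validating all four lengths before `vec_validate`/`clib_socket_recvmsg` leaves only the receive-error path needing a free, as below. Separately, any rejection that returns before the payload is read leaves the client's trailing bytes in the socket; if the client writes them immediately after the header (the VCL side is not in this patch), the next `sapi_sock_read_ready` will parse them as a message, so draining the announced `certkey_len` bytes or closing the connection before replying is worth considering. `certkey` also holds the private key and is freed unwiped; clearing it before `vec_free` would be prudent if an explicit-wipe helper is available, since a plain memset before free may be elided. Finally, `app_ns` is unused and the delete path passes `mp->index` straight to `vnet_app_del_cert_key_pair` with no visible ownership check; if cert-key pairs are intentionally global across apps, a comment saying so would help.
```c
  if (mp->is_add)
    {
      const u32 max_certkey_len = 2e4, max_cert_len = 1e4, max_key_len = 1e4;
      clib_error_t *err;
      u8 *certkey = 0;
      u32 key_len;

      /* Validate every header length before allocating or reading the
       * payload, so no rejection path owns an unfreed vector. */
      if (mp->certkey_len > max_certkey_len || mp->cert_len > max_cert_len ||
          mp->certkey_len < mp->cert_len)
        {
          rv = SESSION_E_INVALID;
          goto send_reply;
        }
      key_len = mp->certkey_len - mp->cert_len;
      if (key_len > max_key_len)
        {
          rv = SESSION_E_INVALID;
          goto send_reply;
        }

      vec_validate (certkey, mp->certkey_len - 1);
      err = clib_socket_recvmsg (cs, certkey, mp->certkey_len, 0, 0);
      if (err)
        {
          clib_error_report (err);
          clib_error_free (err);
          vec_free (certkey);
          rv = SESSION_E_INVALID;
          goto send_reply;
        }

      /* … unchanged: fill in *a, call vnet_app_add_cert_key_pair, vec_free … */
    }
```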
@@ -1548,6 +1625,9 @@ sapi_sock_read_ready (clib_file_t * cf)
     case APP_SAPI_MSG_TYPE_ADD_DEL_WORKER:
       sapi_add_del_worker_handler (app_ns, cs, &msg.worker_add_del);
       break;
+    case APP_SAPI_MSG_TYPE_ADD_DEL_CERT_KEY:
+      sapi_add_del_cert_key_handler (app_ns, cs, &msg.cert_key_add_del);
+      break;
     default:
       clib_warning ("app wrk %u unknown message type: %u",
                     handle->aah_app_wrk_index, msg.type);
diff --git a/src/vnet/session/session_types.h b/src/vnet/session/session_types.h
index 246978e0ac3..0cf463d569d 100644
--- a/src/vnet/session/session_types.h
+++ b/src/vnet/session/session_types.h
@@ -469,6 +469,7 @@ STATIC_ASSERT (sizeof (session_dgram_hdr_t) == (SESSION_CONN_ID_LEN + 8),
   _ (PORTINUSE, "lcl port in use") \
   _ (IPINUSE, "ip in use") \
   _ (ALREADY_LISTENING, "ip port pair already listened on") \
+  _ (INVALID, "invalid value") \
   _ (INVALID_RMT_IP, "invalid remote ip") \
   _ (INVALID_APPWRK, "invalid app worker") \
   _ (INVALID_NS, "invalid namespace") \
-- 
cgit 1.2.3-korg