summaryrefslogtreecommitdiffstats
path: root/src/vnet/tls/tls.h
blob: 528cdad703bfe07c6fad230edc8801cf6bcdf5bf (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
/*
 * Copyright (c) 2018-2019 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <vnet/session/application_interface.h>
#include <vnet/session/application.h>
#include <vnet/session/session.h>
#include <vppinfra/lock.h>

#ifndef SRC_VNET_TLS_TLS_H_
#define SRC_VNET_TLS_TLS_H_

#define TLS_DEBUG		0
#define TLS_DEBUG_LEVEL_CLIENT 	0
#define TLS_DEBUG_LEVEL_SERVER 	0

#define TLS_CHUNK_SIZE 		(1 << 14)
#define TLS_CA_CERT_PATH	"/etc/ssl/certs/ca-certificates.crt"

#if TLS_DEBUG
#define TLS_DBG(_lvl, _fmt, _args...) 			\
  if (_lvl <= TLS_DEBUG) 				\
    clib_warning (_fmt, ##_args)
#else
#define TLS_DBG(_lvl, _fmt, _args...)
#endif

typedef struct tls_cxt_id_
{
  session_handle_t app_session_handle;
  session_handle_t tls_session_handle;
  void *migrate_ctx;
  u32 parent_app_wrk_index;
  u32 ssl_ctx;
  union
  {
    u32 listener_ctx_index;
    u32 parent_app_api_ctx;
  };
  u8 tcp_is_ip4;
  u8 tls_engine_id;
} tls_ctx_id_t;

STATIC_ASSERT (sizeof (tls_ctx_id_t) <= TRANSPORT_CONN_ID_LEN,
	       "ctx id must be less than TRANSPORT_CONN_ID_LEN");

#define foreach_tls_conn_flags                                                \
  _ (HO_DONE, "ho-done")                                                      \
  _ (PASSIVE_CLOSE, "passive-close")                                          \
  _ (APP_CLOSED, "app-closed")                                                \
  _ (MIGRATED, "migrated")                                                    \
  _ (NO_APP_SESSION, "no-app-session")                                        \
  _ (RESUME, "resume")

typedef enum tls_conn_flags_bit_
{
#define _(sym, str) TLS_CONN_F_BIT_##sym,
  foreach_tls_conn_flags
#undef _
} tls_conn_flags_bit_t;

typedef enum tls_conn_flags_
{
#define _(sym, str) TLS_CONN_F_##sym = 1 << TLS_CONN_F_BIT_##sym,
  foreach_tls_conn_flags
#undef _
} __clib_packed tls_conn_flags_t;

typedef struct tls_ctx_
{
  union
  {
    transport_connection_t connection;
    tls_ctx_id_t c_tls_ctx_id;
  };
#define parent_app_wrk_index c_tls_ctx_id.parent_app_wrk_index
#define app_session_handle c_tls_ctx_id.app_session_handle
#define tls_session_handle c_tls_ctx_id.tls_session_handle
#define listener_ctx_index c_tls_ctx_id.listener_ctx_index
#define tcp_is_ip4 c_tls_ctx_id.tcp_is_ip4
#define tls_ctx_engine c_tls_ctx_id.tls_engine_id
#define tls_ssl_ctx c_tls_ctx_id.ssl_ctx
#define tls_ctx_handle c_c_index
  /* Temporary storage for session open opaque. Overwritten once
   * underlying tcp connection is established */
#define parent_app_api_context c_tls_ctx_id.parent_app_api_ctx
#define migration_ctx	       c_tls_ctx_id.migrate_ctx

  tls_conn_flags_t flags;
  u8 *srv_hostname;
  u32 evt_index;
  u32 ckpair_index;
  transport_proto_t tls_type;
} tls_ctx_t;

typedef struct tls_main_
{
  u32 app_index;
  tls_ctx_t *listener_ctx_pool;
  tls_ctx_t *half_open_ctx_pool;
  u32 *postponed_ho_free;
  u32 *ho_free_list;
  u8 **rx_bufs;
  u8 **tx_bufs;

  /*
   * Config
   */
  u8 use_test_cert_in_ca;
  char *ca_cert_path;
  u64 first_seg_size;
  u64 add_seg_size;
  u32 fifo_size;
} tls_main_t;

typedef struct tls_engine_vft_
{
  u32 (*ctx_alloc) (void);
  u32 (*ctx_alloc_w_thread) (u32 thread_index);
  void (*ctx_free) (tls_ctx_t * ctx);
  void *(*ctx_detach) (tls_ctx_t *ctx);
  u32 (*ctx_attach) (u32 thread_index, void *ctx);
  tls_ctx_t *(*ctx_get) (u32 ctx_index);
  tls_ctx_t *(*ctx_get_w_thread) (u32 ctx_index, u8 thread_index);
  int (*ctx_init_client) (tls_ctx_t * ctx);
  int (*ctx_init_server) (tls_ctx_t * ctx);
  int (*ctx_read) (tls_ctx_t * ctx, session_t * tls_session);
  int (*ctx_write) (tls_ctx_t * ctx, session_t * app_session,
		    transport_send_params_t * sp);
    u8 (*ctx_handshake_is_over) (tls_ctx_t * ctx);
  int (*ctx_start_listen) (tls_ctx_t * ctx);
  int (*ctx_stop_listen) (tls_ctx_t * ctx);
  int (*ctx_transport_close) (tls_ctx_t * ctx);
  int (*ctx_transport_reset) (tls_ctx_t *ctx);
  int (*ctx_app_close) (tls_ctx_t * ctx);
  int (*ctx_reinit_cachain) (void);
} tls_engine_vft_t;

tls_main_t *vnet_tls_get_main (void);
void tls_register_engine (const tls_engine_vft_t * vft,
			  crypto_engine_type_t type);
int tls_add_vpp_q_rx_evt (session_t * s);
int tls_add_vpp_q_tx_evt (session_t * s);
int tls_add_vpp_q_builtin_tx_evt (session_t * s);
int tls_add_vpp_q_builtin_rx_evt (session_t * s);
int tls_notify_app_accept (tls_ctx_t * ctx);
int tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err);
void tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session);
void tls_notify_app_io_error (tls_ctx_t *ctx);
void tls_disconnect_transport (tls_ctx_t * ctx);
int tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id);

void tls_add_postponed_ho_cleanups (u32 ho_index);
void tls_flush_postponed_ho_cleanups ();

#endif /* SRC_VNET_TLS_TLS_H_ */

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */