X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=src%2Fvnet%2Ftls%2Ftls.c;h=a27d731aca0adbadff57c1c8af026294f830618b;hb=3109d1c29872a18642088b05fa1e2e2291241cc3;hp=5f336cba0f0f8581bed8defcbed0858363da0f86;hpb=1cbcdcef20b7950e91d63ecf61c9bb1586e1e0b2;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 5f336cba0f0..a27d731aca0 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -61,8 +61,7 @@ tls_add_vpp_q_rx_evt (session_t * s) int tls_add_vpp_q_builtin_rx_evt (session_t * s) { - if (svm_fifo_set_event (s->rx_fifo)) - session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); + session_enqueue_notify (s); return 0; } @@ -75,9 +74,10 @@ tls_add_vpp_q_tx_evt (session_t * s) } static inline int -tls_add_app_q_evt (app_worker_t * app, session_t * app_session) +tls_add_app_q_evt (app_worker_t *app_wrk, session_t *app_session) { - return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); + app_worker_add_event (app_wrk, app_session, SESSION_IO_EVT_RX); + return 0; } u32 @@ -115,57 +115,74 @@ u32 tls_ctx_half_open_alloc (void) { tls_main_t *tm = &tls_main; - u8 will_expand = pool_get_will_expand (tm->half_open_ctx_pool); tls_ctx_t *ctx; - u32 ctx_index; - if (PREDICT_FALSE (will_expand && vlib_num_workers ())) - { - clib_rwlock_writer_lock (&tm->half_open_rwlock); - pool_get_zero (tm->half_open_ctx_pool, ctx); - ctx->c_c_index = ctx - tm->half_open_ctx_pool; - ctx_index = ctx->c_c_index; - clib_rwlock_writer_unlock (&tm->half_open_rwlock); - } - else - { - /* reader lock assumption: only main thread will call pool_get */ - clib_rwlock_reader_lock (&tm->half_open_rwlock); - pool_get_zero (tm->half_open_ctx_pool, ctx); - ctx->c_c_index = ctx - tm->half_open_ctx_pool; - ctx_index = ctx->c_c_index; - clib_rwlock_reader_unlock (&tm->half_open_rwlock); - } - return ctx_index; + if (vec_len (tm->postponed_ho_free)) + tls_flush_postponed_ho_cleanups (); + + pool_get_aligned_safe (tm->half_open_ctx_pool, ctx, CLIB_CACHE_LINE_BYTES); + + clib_memset (ctx, 0, sizeof (*ctx)); + ctx->c_c_index = ctx - tm->half_open_ctx_pool; + ctx->c_thread_index = transport_cl_thread (); + + return ctx->c_c_index; } void tls_ctx_half_open_free (u32 ho_index) { - tls_main_t *tm = &tls_main; - clib_rwlock_writer_lock (&tm->half_open_rwlock); pool_put_index (tls_main.half_open_ctx_pool, ho_index); - clib_rwlock_writer_unlock (&tm->half_open_rwlock); } tls_ctx_t * tls_ctx_half_open_get (u32 ctx_index) { tls_main_t *tm = &tls_main; - clib_rwlock_reader_lock (&tm->half_open_rwlock); return pool_elt_at_index (tm->half_open_ctx_pool, ctx_index); } void -tls_ctx_half_open_reader_unlock () +tls_add_postponed_ho_cleanups (u32 ho_index) { - clib_rwlock_reader_unlock (&tls_main.half_open_rwlock); + tls_main_t *tm = &tls_main; + vec_add1 (tm->postponed_ho_free, ho_index); } -u32 -tls_ctx_half_open_index (tls_ctx_t * ctx) +static void +tls_ctx_ho_try_free (u32 ho_index) { - return (ctx - tls_main.half_open_ctx_pool); + tls_ctx_t *ctx; + + ctx = tls_ctx_half_open_get (ho_index); + /* Probably tcp connected just before tcp establish timeout and + * worker that owns established session has not yet received + * @ref tls_session_connected_cb */ + if (!(ctx->flags & TLS_CONN_F_HO_DONE)) + { + ctx->tls_session_handle = SESSION_INVALID_HANDLE; + tls_add_postponed_ho_cleanups (ho_index); + return; + } + if (!ctx->no_app_session) + session_half_open_delete_notify (&ctx->connection); + tls_ctx_half_open_free (ho_index); +} + +void +tls_flush_postponed_ho_cleanups () +{ + tls_main_t *tm = &tls_main; + u32 *ho_indexp, *tmp; + + tmp = tm->postponed_ho_free; + tm->postponed_ho_free = tm->ho_free_list; + tm->ho_free_list = tmp; + + vec_foreach (ho_indexp, tm->ho_free_list) + tls_ctx_ho_try_free (*ho_indexp); + + vec_reset_length (tm->ho_free_list); } void @@ -199,6 +216,7 @@ tls_notify_app_accept (tls_ctx_t * ctx) { TLS_DBG (1, "failed to allocate fifos"); session_free (app_session); + ctx->no_app_session = 1; return rv; } ctx->app_session_handle = session_handle (app_session); @@ -210,13 +228,16 @@ tls_notify_app_accept (tls_ctx_t * ctx) int tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err) { + u32 parent_app_api_ctx; session_t *app_session; app_worker_t *app_wrk; app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index); if (!app_wrk) { - tls_disconnect_transport (ctx); + if (ctx->tls_type == TRANSPORT_PROTO_TLS) + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->no_app_session = 1; return -1; } @@ -250,27 +271,31 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err) } app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->opaque = ctx->parent_app_api_context; if ((err = app_worker_init_connected (app_wrk, app_session))) - goto failed; + { + app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); + ctx->no_app_session = 1; + session_free (app_session); + return -1; + } app_session->session_state = SESSION_STATE_READY; - if (app_worker_connect_notify (app_wrk, app_session, - SESSION_E_NONE, ctx->parent_app_api_context)) + parent_app_api_ctx = ctx->parent_app_api_context; + ctx->app_session_handle = session_handle (app_session); + + if (app_worker_connect_notify (app_wrk, app_session, SESSION_E_NONE, + parent_app_api_ctx)) { TLS_DBG (1, "failed to notify app"); - app_session->session_state = SESSION_STATE_CONNECTING; - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->no_app_session = 1; return -1; } - ctx->app_session_handle = session_handle (app_session); - return 0; -failed: - ctx->no_app_session = 1; - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); send_reply: return app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); @@ -431,27 +456,23 @@ tls_session_reset_callback (session_t * s) tls_disconnect_transport (ctx); } else - if ((app_session = - session_get_if_valid (ctx->c_s_index, ctx->c_thread_index))) { - session_free (app_session); - ctx->c_s_index = SESSION_INVALID_INDEX; - tls_disconnect_transport (ctx); + app_session = session_get_if_valid (ctx->c_s_index, ctx->c_thread_index); + if (app_session) + { + session_free (app_session); + ctx->c_s_index = SESSION_INVALID_INDEX; + ctx->no_app_session = 1; + tls_disconnect_transport (ctx); + } } } static void tls_session_cleanup_ho (session_t *s) { - tls_ctx_t *ctx; - u32 ho_index; - /* session opaque stores the opaque passed on connect */ - ho_index = s->opaque; - ctx = tls_ctx_half_open_get (ho_index); - session_half_open_delete_notify (&ctx->connection); - tls_ctx_half_open_reader_unlock (); - tls_ctx_half_open_free (ho_index); + tls_ctx_ho_try_free (s->opaque); } int @@ -510,30 +531,45 @@ tls_session_accept_callback (session_t * tls_session) * on tls_session rx and potentially invalidating the session pool */ app_session = session_alloc (ctx->c_thread_index); app_session->session_state = SESSION_STATE_CREATED; + app_session->session_type = + session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); + app_session->connection_index = ctx->tls_ctx_handle; ctx->c_s_index = app_session->session_index; TLS_DBG (1, "Accept on listener %u new connection [%u]%x", tls_listener->opaque, vlib_get_thread_index (), ctx_handle); - return tls_ctx_init_server (ctx); + if (tls_ctx_init_server (ctx)) + { + /* Do not free ctx yet, in case we have pending rx events */ + session_free (app_session); + ctx->no_app_session = 1; + tls_disconnect_transport (ctx); + } + + return 0; } int -tls_app_rx_callback (session_t * tls_session) +tls_app_rx_callback (session_t *ts) { tls_ctx_t *ctx; /* DTLS session migrating, wait for next notification */ - if (PREDICT_FALSE (tls_session->flags & SESSION_F_IS_MIGRATING)) + if (PREDICT_FALSE (ts->flags & SESSION_F_IS_MIGRATING)) return 0; - ctx = tls_ctx_get (tls_session->opaque); - if (PREDICT_FALSE (ctx->no_app_session)) + /* Read rescheduled but underlying transport deleted now */ + if (PREDICT_FALSE ((ts->session_state == SESSION_STATE_TRANSPORT_DELETED))) + return 0; + + ctx = tls_ctx_get (ts->opaque); + if (PREDICT_FALSE (ctx->no_app_session || ctx->app_closed)) { TLS_DBG (1, "Local App closed"); return 0; } - tls_ctx_read (ctx, tls_session); + tls_ctx_read (ctx, ts); return 0; } @@ -558,12 +594,12 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, u32 ctx_handle; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); + ho_ctx->flags |= TLS_CONN_F_HO_DONE; ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); /* Half-open freed on tcp half-open cleanup notification */ - tls_ctx_half_open_reader_unlock (); ctx->c_thread_index = vlib_get_thread_index (); ctx->tls_ctx_handle = ctx_handle; @@ -586,7 +622,13 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, app_session->session_type = st; app_session->connection_index = ctx->tls_ctx_handle; - return tls_ctx_init_client (ctx); + if (tls_ctx_init_client (ctx)) + { + tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE); + tls_disconnect_transport (ctx); + } + + return 0; } int @@ -618,13 +660,13 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, u32 api_context; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); + ho_ctx->flags |= TLS_CONN_F_HO_DONE; app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); if (app_wrk) { api_context = ho_ctx->parent_app_api_context; app_worker_connect_notify (app_wrk, 0, err, api_context); } - tls_ctx_half_open_reader_unlock (); return 0; } @@ -705,11 +747,22 @@ dtls_session_migrate_callback (session_t *us, session_handle_t new_sh) tls_ctx_free (ctx); } +static void +tls_session_transport_closed_callback (session_t *ts) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + if (!ctx->no_app_session) + session_transport_closed_notify (&ctx->connection); +} + static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, .session_disconnect_callback = tls_session_disconnect_callback, .session_connected_callback = tls_session_connected_callback, .session_reset_callback = tls_session_reset_callback, + .session_transport_closed_callback = tls_session_transport_closed_callback, .half_open_cleanup_callback = tls_session_cleanup_ho, .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, @@ -762,7 +815,6 @@ tls_connect (transport_endpoint_cfg_t * tep) ctx->srv_hostname = format (0, "%s", ccfg->hostname); vec_terminate_c_string (ctx->srv_hostname); } - tls_ctx_half_open_reader_unlock (); ctx->tls_ctx_engine = engine_type; @@ -772,7 +824,10 @@ tls_connect (transport_endpoint_cfg_t * tep) cargs->api_context = ctx_index; cargs->sep_ext.ns_index = app->ns_index; if ((rv = vnet_connect (cargs))) - return rv; + { + tls_ctx_half_open_free (ctx_index); + return rv; + } /* Track half-open tcp session in case we need to clean it up */ ctx->tls_session_handle = cargs->sh; @@ -932,39 +987,53 @@ tls_listener_get (u32 listener_index) static transport_connection_t * tls_half_open_get (u32 ho_index) { - tls_main_t *tm = &tls_main; tls_ctx_t *ctx; ctx = tls_ctx_half_open_get (ho_index); - clib_rwlock_reader_unlock (&tm->half_open_rwlock); return &ctx->connection; } static void tls_cleanup_ho (u32 ho_index) { - tls_main_t *tm = &tls_main; - session_handle_t tcp_sh; tls_ctx_t *ctx; + session_t *s; ctx = tls_ctx_half_open_get (ho_index); - tcp_sh = ctx->tls_session_handle; - clib_rwlock_reader_unlock (&tm->half_open_rwlock); - session_cleanup_half_open (tcp_sh); - tls_ctx_half_open_free (ho_index); + /* Already pending cleanup */ + if (ctx->tls_session_handle == SESSION_INVALID_HANDLE) + { + ASSERT (ctx->flags & TLS_CONN_F_HO_DONE); + ctx->no_app_session = 1; + return; + } + + s = session_get_from_handle (ctx->tls_session_handle); + /* If no pending cleanup notification, force cleanup now. Otherwise, + * wait for cleanup notification and set no app session on ctx */ + if (s->session_state != SESSION_STATE_TRANSPORT_DELETED) + { + session_cleanup_half_open (ctx->tls_session_handle); + tls_ctx_half_open_free (ho_index); + } + else + ctx->no_app_session = 1; } int tls_custom_tx_callback (void *session, transport_send_params_t * sp) { - session_t *app_session = (session_t *) session; + session_t *as = (session_t *) session; tls_ctx_t *ctx; - if (PREDICT_FALSE (app_session->session_state - >= SESSION_STATE_TRANSPORT_CLOSED)) - return 0; + if (PREDICT_FALSE (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED || + as->session_state <= SESSION_STATE_ACCEPTING)) + { + sp->flags |= TRANSPORT_SND_F_DESCHED; + return 0; + } - ctx = tls_ctx_get (app_session->connection_index); - return tls_ctx_write (ctx, app_session, sp); + ctx = tls_ctx_get (as->connection_index); + return tls_ctx_write (ctx, as, sp); } u8 * @@ -1075,6 +1144,7 @@ format_tls_half_open (u8 * s, va_list * args) { u32 ho_index = va_arg (*args, u32); u32 __clib_unused thread_index = va_arg (*args, u32); + u32 __clib_unused verbose = va_arg (*args, u32); session_t *tcp_ho; tls_ctx_t *ho_ctx; @@ -1086,7 +1156,6 @@ format_tls_half_open (u8 * s, va_list * args) ho_ctx->parent_app_wrk_index, ho_ctx->tls_ctx_engine, tcp_ho->thread_index, tcp_ho->session_index); - tls_ctx_half_open_reader_unlock (); return s; } @@ -1121,7 +1190,7 @@ tls_enable (vlib_main_t * vm, u8 is_en) vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; tls_main_t *tm = &tls_main; - u32 fifo_size = 128 << 12; + u32 fifo_size = 512 << 10; if (!is_en) { @@ -1330,8 +1399,6 @@ tls_init (vlib_main_t * vm) if (!tm->ca_cert_path) tm->ca_cert_path = TLS_CA_CERT_PATH; - clib_rwlock_init (&tm->half_open_rwlock); - vec_validate (tm->rx_bufs, num_threads - 1); vec_validate (tm->tx_bufs, num_threads - 1);