X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=23ba70aa4f06fbb7f90ed6ccee98c8fc9cf7c39e;hb=HEAD;hp=57dcc7fbb54d922afae1e9f1396401d7640e9a0a;hpb=88dd3cf6033b336ff5635189464cd82e8047732d;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 57dcc7fbb54..5f00e6e302d 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -22,7 +22,7 @@ static tls_engine_vft_t *tls_vfts; #define TLS_INVALID_HANDLE ~0 #define TLS_IDX_MASK 0x00FFFFFF -#define TLS_ENGINE_TYPE_SHIFT 29 +#define TLS_ENGINE_TYPE_SHIFT 28 void tls_disconnect (u32 ctx_handle, u32 thread_index); @@ -61,8 +61,7 @@ tls_add_vpp_q_rx_evt (session_t * s) int tls_add_vpp_q_builtin_rx_evt (session_t * s) { - if (svm_fifo_set_event (s->rx_fifo)) - session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); + session_enqueue_notify (s); return 0; } @@ -75,9 +74,10 @@ tls_add_vpp_q_tx_evt (session_t * s) } static inline int -tls_add_app_q_evt (app_worker_t * app, session_t * app_session) +tls_add_app_q_evt (app_worker_t *app_wrk, session_t *app_session) { - return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); + app_worker_add_event (app_wrk, app_session, SESSION_IO_EVT_RX); + return 0; } u32 @@ -115,57 +115,74 @@ u32 tls_ctx_half_open_alloc (void) { tls_main_t *tm = &tls_main; - u8 will_expand = 0; tls_ctx_t *ctx; - u32 ctx_index; - pool_get_aligned_will_expand (tm->half_open_ctx_pool, will_expand, 0); - if (PREDICT_FALSE (will_expand && vlib_num_workers ())) - { - clib_rwlock_writer_lock (&tm->half_open_rwlock); - pool_get (tm->half_open_ctx_pool, ctx); - ctx_index = ctx - tm->half_open_ctx_pool; - clib_rwlock_writer_unlock (&tm->half_open_rwlock); - } - else - { - /* reader lock assumption: only main thread will call pool_get */ - clib_rwlock_reader_lock (&tm->half_open_rwlock); - pool_get (tm->half_open_ctx_pool, ctx); - ctx_index = ctx - tm->half_open_ctx_pool; - clib_rwlock_reader_unlock (&tm->half_open_rwlock); - } + if (vec_len (tm->postponed_ho_free)) + tls_flush_postponed_ho_cleanups (); + + pool_get_aligned_safe (tm->half_open_ctx_pool, ctx, CLIB_CACHE_LINE_BYTES); + clib_memset (ctx, 0, sizeof (*ctx)); - return ctx_index; + ctx->c_c_index = ctx - tm->half_open_ctx_pool; + ctx->c_thread_index = transport_cl_thread (); + + return ctx->c_c_index; } void tls_ctx_half_open_free (u32 ho_index) { - tls_main_t *tm = &tls_main; - clib_rwlock_writer_lock (&tm->half_open_rwlock); pool_put_index (tls_main.half_open_ctx_pool, ho_index); - clib_rwlock_writer_unlock (&tm->half_open_rwlock); } tls_ctx_t * tls_ctx_half_open_get (u32 ctx_index) { tls_main_t *tm = &tls_main; - clib_rwlock_reader_lock (&tm->half_open_rwlock); return pool_elt_at_index (tm->half_open_ctx_pool, ctx_index); } void -tls_ctx_half_open_reader_unlock () +tls_add_postponed_ho_cleanups (u32 ho_index) { - clib_rwlock_reader_unlock (&tls_main.half_open_rwlock); + tls_main_t *tm = &tls_main; + vec_add1 (tm->postponed_ho_free, ho_index); } -u32 -tls_ctx_half_open_index (tls_ctx_t * ctx) +static void +tls_ctx_ho_try_free (u32 ho_index) { - return (ctx - tls_main.half_open_ctx_pool); + tls_ctx_t *ctx; + + ctx = tls_ctx_half_open_get (ho_index); + /* Probably tcp connected just before tcp establish timeout and + * worker that owns established session has not yet received + * @ref tls_session_connected_cb */ + if (!(ctx->flags & TLS_CONN_F_HO_DONE)) + { + ctx->tls_session_handle = SESSION_INVALID_HANDLE; + tls_add_postponed_ho_cleanups (ho_index); + return; + } + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_half_open_delete_notify (&ctx->connection); + tls_ctx_half_open_free (ho_index); +} + +void +tls_flush_postponed_ho_cleanups () +{ + tls_main_t *tm = &tls_main; + u32 *ho_indexp, *tmp; + + tmp = tm->postponed_ho_free; + tm->postponed_ho_free = tm->ho_free_list; + tm->ho_free_list = tmp; + + vec_foreach (ho_indexp, tm->ho_free_list) + tls_ctx_ho_try_free (*ho_indexp); + + vec_reset_length (tm->ho_free_list); } void @@ -188,17 +205,19 @@ tls_notify_app_accept (tls_ctx_t * ctx) lctx = tls_listener_ctx_get (ctx->listener_ctx_index); app_listener = listen_session_get_from_handle (lctx->app_session_handle); - app_session = session_get (ctx->c_s_index, ctx->c_thread_index); - app_session->app_wrk_index = ctx->parent_app_wrk_index; - app_session->connection_index = ctx->tls_ctx_handle; + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_ACCEPTING; app_session->session_type = app_listener->session_type; app_session->listener_handle = listen_session_get_handle (app_listener); - app_session->session_state = SESSION_STATE_ACCEPTING; + app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->connection_index = ctx->tls_ctx_handle; + ctx->c_s_index = app_session->session_index; if ((rv = app_worker_init_accepted (app_session))) { TLS_DBG (1, "failed to allocate fifos"); session_free (app_session); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return rv; } ctx->app_session_handle = session_handle (app_session); @@ -210,64 +229,68 @@ tls_notify_app_accept (tls_ctx_t * ctx) int tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err) { + u32 parent_app_api_ctx; session_t *app_session; app_worker_t *app_wrk; app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index); if (!app_wrk) { - tls_disconnect_transport (ctx); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return -1; } if (err) { - /* Free app session pre-allocated when transport was established */ - if (ctx->tls_type == TRANSPORT_PROTO_TLS) - session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); - goto failed; + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + goto send_reply; } - /* For DTLS the app session is not preallocated because the underlying udp - * session might migrate to a different worker during the handshake */ + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; + app_session->connection_index = ctx->tls_ctx_handle; + if (ctx->tls_type == TRANSPORT_PROTO_DTLS) { - session_type_t st; - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CREATED; - ctx->c_s_index = app_session->session_index; - st = + /* Cleanup half-open session as we don't get notification from udp */ + session_half_open_delete_notify (&ctx->connection); + app_session->session_type = session_type_from_proto_and_ip (TRANSPORT_PROTO_DTLS, ctx->tcp_is_ip4); - app_session->session_type = st; - app_session->connection_index = ctx->tls_ctx_handle; } else { - app_session = session_get (ctx->c_s_index, ctx->c_thread_index); + app_session->session_type = + session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); } app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->opaque = ctx->parent_app_api_context; + ctx->c_s_index = app_session->session_index; if ((err = app_worker_init_connected (app_wrk, app_session))) - goto failed; + { + app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + session_free (app_session); + return -1; + } app_session->session_state = SESSION_STATE_READY; - if (app_worker_connect_notify (app_wrk, app_session, - SESSION_E_NONE, ctx->parent_app_api_context)) + parent_app_api_ctx = ctx->parent_app_api_context; + ctx->app_session_handle = session_handle (app_session); + + if (app_worker_connect_notify (app_wrk, app_session, SESSION_E_NONE, + parent_app_api_ctx)) { TLS_DBG (1, "failed to notify app"); - app_session->session_state = SESSION_STATE_CONNECTING; - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return -1; } - ctx->app_session_handle = session_handle (app_session); - return 0; -failed: - ctx->no_app_session = 1; - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); +send_reply: return app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); } @@ -360,7 +383,7 @@ tls_ctx_write (tls_ctx_t * ctx, session_t * app_session, sp->max_burst_size = sp->max_burst_size * TRANSPORT_PACER_MIN_MSS; n_wrote = tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session, sp); - sp->max_burst_size = n_wrote; + sp->bytes_dequeued = n_wrote; return n_wrote > 0 ? clib_max (n_wrote / TRANSPORT_PACER_MIN_MSS, 1) : 0; } @@ -376,6 +399,12 @@ tls_ctx_transport_close (tls_ctx_t * ctx) return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx); } +static inline int +tls_ctx_transport_reset (tls_ctx_t *ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_transport_reset (ctx); +} + static inline int tls_ctx_app_close (tls_ctx_t * ctx) { @@ -394,30 +423,37 @@ tls_ctx_handshake_is_over (tls_ctx_t * ctx) return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx); } +int +tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id) +{ + return tls_vfts[tls_engine_id].ctx_reinit_cachain (); +} + void -tls_session_reset_callback (session_t * s) +tls_notify_app_io_error (tls_ctx_t *ctx) +{ + ASSERT (tls_ctx_handshake_is_over (ctx)); + + session_transport_reset_notify (&ctx->connection); + session_transport_closed_notify (&ctx->connection); + tls_disconnect_transport (ctx); +} + +void +tls_session_reset_callback (session_t *ts) { tls_ctx_t *ctx; - transport_connection_t *tc; - session_t *app_session; - ctx = tls_ctx_get (s->opaque); - ctx->is_passive_close = 1; - tc = &ctx->connection; - if (tls_ctx_handshake_is_over (ctx)) - { - session_transport_reset_notify (tc); - session_transport_closed_notify (tc); - tls_disconnect_transport (ctx); - } - else - if ((app_session = - session_get_if_valid (ctx->c_s_index, ctx->c_thread_index))) - { - session_free (app_session); - ctx->c_s_index = SESSION_INVALID_INDEX; - tls_disconnect_transport (ctx); - } + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + ctx->flags |= TLS_CONN_F_PASSIVE_CLOSE; + tls_ctx_transport_reset (ctx); +} + +static void +tls_session_cleanup_ho (session_t *s) +{ + /* session opaque stores the opaque passed on connect */ + tls_ctx_ho_try_free (s->opaque); } int @@ -445,56 +481,69 @@ tls_session_disconnect_callback (session_t * tls_session) || vlib_thread_is_main_w_barrier ()); ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); - ctx->is_passive_close = 1; + ctx->flags |= TLS_CONN_F_PASSIVE_CLOSE; tls_ctx_transport_close (ctx); } int -tls_session_accept_callback (session_t * tls_session) +tls_session_accept_callback (session_t *ts) { - session_t *tls_listener, *app_session; + session_t *tls_listener; tls_ctx_t *lctx, *ctx; u32 ctx_handle; - tls_listener = - listen_session_get_from_handle (tls_session->listener_handle); + tls_listener = listen_session_get_from_handle (ts->listener_handle); lctx = tls_listener_ctx_get (tls_listener->opaque); ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); - memcpy (ctx, lctx, sizeof (*lctx)); - ctx->c_thread_index = vlib_get_thread_index (); + clib_memcpy (ctx, lctx, sizeof (*lctx)); + ctx->c_s_index = SESSION_INVALID_INDEX; + ctx->c_thread_index = ts->thread_index; ctx->tls_ctx_handle = ctx_handle; - tls_session->session_state = SESSION_STATE_READY; - tls_session->opaque = ctx_handle; - ctx->tls_session_handle = session_handle (tls_session); + ts->opaque = ctx_handle; + ctx->tls_session_handle = session_handle (ts); ctx->listener_ctx_index = tls_listener->opaque; ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; ctx->ckpair_index = lctx->ckpair_index; - /* Preallocate app session. Avoids allocating a session post handshake - * on tls_session rx and potentially invalidating the session pool */ - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CREATED; - ctx->c_s_index = app_session->session_index; - TLS_DBG (1, "Accept on listener %u new connection [%u]%x", tls_listener->opaque, vlib_get_thread_index (), ctx_handle); - return tls_ctx_init_server (ctx); + if (tls_ctx_init_server (ctx)) + { + /* Do not free ctx yet, in case we have pending rx events */ + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + tls_disconnect_transport (ctx); + } + + if (ts->session_state < SESSION_STATE_READY) + ts->session_state = SESSION_STATE_READY; + + return 0; } int -tls_app_rx_callback (session_t * tls_session) +tls_app_rx_callback (session_t *ts) { tls_ctx_t *ctx; /* DTLS session migrating, wait for next notification */ - if (PREDICT_FALSE (tls_session->flags & SESSION_F_IS_MIGRATING)) + if (PREDICT_FALSE (ts->flags & SESSION_F_IS_MIGRATING)) return 0; - ctx = tls_ctx_get (tls_session->opaque); - tls_ctx_read (ctx, tls_session); + /* Read rescheduled but underlying transport deleted now */ + if (PREDICT_FALSE ((ts->session_state == SESSION_STATE_TRANSPORT_DELETED))) + return 0; + + ctx = tls_ctx_get (ts->opaque); + if (PREDICT_FALSE ((ctx->flags & TLS_CONN_F_NO_APP_SESSION) || + (ctx->flags & TLS_CONN_F_APP_CLOSED))) + { + TLS_DBG (1, "Local App closed"); + return 0; + } + tls_ctx_read (ctx, ts); return 0; } @@ -513,35 +562,17 @@ int tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, session_t *tls_session, session_error_t err) { - session_t *app_session; tls_ctx_t *ho_ctx, *ctx; - session_type_t st; u32 ctx_handle; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); - if (err) - { - app_worker_t *app_wrk; - u32 api_context; - int rv = 0; - - app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); - if (app_wrk) - { - api_context = ho_ctx->parent_app_api_context; - app_worker_connect_notify (app_wrk, 0, err, api_context); - } - tls_ctx_half_open_reader_unlock (); - tls_ctx_half_open_free (ho_ctx_index); - return rv; - } - ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); - tls_ctx_half_open_reader_unlock (); - tls_ctx_half_open_free (ho_ctx_index); + + /* Half-open freed on tcp half-open cleanup notification */ + __atomic_fetch_or (&ho_ctx->flags, TLS_CONN_F_HO_DONE, __ATOMIC_RELEASE); ctx->c_thread_index = vlib_get_thread_index (); ctx->tls_ctx_handle = ctx_handle; @@ -553,18 +584,17 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, ctx->tls_session_handle = session_handle (tls_session); tls_session->opaque = ctx_handle; - tls_session->session_state = SESSION_STATE_READY; - /* Preallocate app session. Avoids allocating a session post handshake - * on tls_session rx and potentially invalidating the session pool */ - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CREATED; - ctx->c_s_index = app_session->session_index; - st = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); - app_session->session_type = st; - app_session->connection_index = ctx->tls_ctx_handle; + if (tls_ctx_init_client (ctx)) + { + tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE); + tls_disconnect_transport (ctx); + } - return tls_ctx_init_client (ctx); + if (tls_session->session_state < SESSION_STATE_READY) + tls_session->session_state = SESSION_STATE_READY; + + return 0; } int @@ -573,7 +603,7 @@ dtls_session_connected_cb (u32 app_wrk_index, u32 ctx_handle, session_t *us, { tls_ctx_t *ctx; - ctx = tls_ctx_get_w_thread (ctx_handle, 1 /* udp allocs on thread 1 */); + ctx = tls_ctx_get_w_thread (ctx_handle, transport_cl_thread ()); ctx->tls_session_handle = session_handle (us); ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; @@ -589,6 +619,24 @@ int tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, session_t *tls_session, session_error_t err) { + if (err) + { + app_worker_t *app_wrk; + tls_ctx_t *ho_ctx; + u32 api_context; + + ho_ctx = tls_ctx_half_open_get (ho_ctx_index); + ho_ctx->flags |= TLS_CONN_F_HO_DONE; + app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); + if (app_wrk) + { + api_context = ho_ctx->parent_app_api_context; + app_worker_connect_notify (app_wrk, 0, err, api_context); + } + + return 0; + } + if (session_get_transport_proto (tls_session) == TRANSPORT_PROTO_TCP) return tls_session_connected_cb (tls_app_index, ho_ctx_index, tls_session, err); @@ -611,7 +659,7 @@ tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf) } ctx = tls_ctx_get (s->opaque); - if (!ctx->no_app_session) + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) session_transport_delete_notify (&ctx->connection); tls_ctx_free (ctx); } @@ -633,6 +681,15 @@ dtls_migrate_ctx (void *arg) us = session_get_from_handle (ctx->tls_session_handle); us->opaque = ctx_handle; us->flags &= ~SESSION_F_IS_MIGRATING; + + /* Probably the app detached while the session was migrating. Cleanup */ + if (session_half_open_migrated_notify (&ctx->connection)) + { + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + return; + } + if (svm_fifo_max_dequeue (us->tx_fifo)) session_send_io_evt_to_thread (us->tx_fifo, SESSION_IO_EVT_TX); } @@ -647,7 +704,8 @@ dtls_session_migrate_callback (session_t *us, session_handle_t new_sh) ctx = tls_ctx_get_w_thread (us->opaque, us->thread_index); ctx->tls_session_handle = new_sh; cloned_ctx = tls_ctx_detach (ctx); - ctx->is_migrated = 1; + ctx->flags |= TLS_CONN_F_MIGRATED; + session_half_open_migrate_notify (&ctx->connection); session_send_rpc_evt_to_thread (new_thread, dtls_migrate_ctx, (void *) cloned_ctx); @@ -655,11 +713,23 @@ dtls_session_migrate_callback (session_t *us, session_handle_t new_sh) tls_ctx_free (ctx); } +static void +tls_session_transport_closed_callback (session_t *ts) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_transport_closed_notify (&ctx->connection); +} + static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, .session_disconnect_callback = tls_session_disconnect_callback, .session_connected_callback = tls_session_connected_callback, .session_reset_callback = tls_session_reset_callback, + .session_transport_closed_callback = tls_session_transport_closed_callback, + .half_open_cleanup_callback = tls_session_cleanup_ho, .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, .builtin_app_rx_callback = tls_app_rx_callback, @@ -704,14 +774,14 @@ tls_connect (transport_endpoint_cfg_t * tep) ctx->tcp_is_ip4 = sep->is_ip4; ctx->tls_type = sep->transport_proto; ctx->ckpair_index = ccfg->ckpair_index; + ctx->c_proto = TRANSPORT_PROTO_TLS; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; if (ccfg->hostname[0]) { ctx->srv_hostname = format (0, "%s", ccfg->hostname); vec_terminate_c_string (ctx->srv_hostname); } - tls_ctx_half_open_reader_unlock (); - app_worker_alloc_connects_segment_manager (app_wrk); ctx->tls_ctx_engine = engine_type; clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t)); @@ -720,10 +790,16 @@ tls_connect (transport_endpoint_cfg_t * tep) cargs->api_context = ctx_index; cargs->sep_ext.ns_index = app->ns_index; if ((rv = vnet_connect (cargs))) - return rv; + { + tls_ctx_half_open_free (ctx_index); + return rv; + } + + /* Track half-open tcp session in case we need to clean it up */ + ctx->tls_session_handle = cargs->sh; TLS_DBG (1, "New connect request %u engine %d", ctx_index, engine_type); - return 0; + return ctx_index; } void @@ -734,11 +810,12 @@ tls_disconnect (u32 ctx_handle, u32 thread_index) TLS_DBG (1, "Disconnecting %x", ctx_handle); ctx = tls_ctx_get (ctx_handle); + ctx->flags |= TLS_CONN_F_APP_CLOSED; tls_ctx_app_close (ctx); } u32 -tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) +tls_start_listen (u32 app_listener_index, transport_endpoint_cfg_t *tep) { vnet_listen_args_t _bargs, *args = &_bargs; transport_endpt_crypto_cfg_t *ccfg; @@ -799,6 +876,8 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) lctx->tls_ctx_engine = engine_type; lctx->tls_type = sep->transport_proto; lctx->ckpair_index = ccfg->ckpair_index; + lctx->c_s_index = app_listener_index; + lctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; if (tls_vfts[engine_type].ctx_start_listen (lctx)) { @@ -872,19 +951,56 @@ tls_listener_get (u32 listener_index) return &ctx->connection; } +static transport_connection_t * +tls_half_open_get (u32 ho_index) +{ + tls_ctx_t *ctx; + ctx = tls_ctx_half_open_get (ho_index); + return &ctx->connection; +} + +static void +tls_cleanup_ho (u32 ho_index) +{ + tls_ctx_t *ctx; + session_t *s; + + ctx = tls_ctx_half_open_get (ho_index); + /* Already pending cleanup */ + if (ctx->tls_session_handle == SESSION_INVALID_HANDLE) + { + ASSERT (ctx->flags & TLS_CONN_F_HO_DONE); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + return; + } + + s = session_get_from_handle (ctx->tls_session_handle); + /* If no pending cleanup notification, force cleanup now. Otherwise, + * wait for cleanup notification and set no app session on ctx */ + if (s->session_state != SESSION_STATE_TRANSPORT_DELETED) + { + session_cleanup_half_open (ctx->tls_session_handle); + tls_ctx_half_open_free (ho_index); + } + else + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; +} + int tls_custom_tx_callback (void *session, transport_send_params_t * sp) { - session_t *app_session = (session_t *) session; + session_t *as = (session_t *) session; tls_ctx_t *ctx; - if (PREDICT_FALSE (app_session->session_state - >= SESSION_STATE_TRANSPORT_CLOSED)) - return 0; + if (PREDICT_FALSE (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED || + as->session_state <= SESSION_STATE_ACCEPTING)) + { + sp->flags |= TRANSPORT_SND_F_DESCHED; + return 0; + } - sp->flags = 0; - ctx = tls_ctx_get (app_session->connection_index); - return tls_ctx_write (ctx, app_session, sp); + ctx = tls_ctx_get (as->connection_index); + return tls_ctx_write (ctx, as, sp); } u8 * @@ -993,11 +1109,20 @@ format_tls_listener (u8 * s, va_list * args) u8 * format_tls_half_open (u8 * s, va_list * args) { - u32 tc_index = va_arg (*args, u32); + u32 ho_index = va_arg (*args, u32); u32 __clib_unused thread_index = va_arg (*args, u32); - tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index); - s = format (s, "[TLS] half-open app %u", ctx->parent_app_wrk_index); - tls_ctx_half_open_reader_unlock (); + u32 __clib_unused verbose = va_arg (*args, u32); + session_t *tcp_ho; + tls_ctx_t *ho_ctx; + + ho_ctx = tls_ctx_half_open_get (ho_index); + + tcp_ho = session_get_from_handle (ho_ctx->tls_session_handle); + s = format (s, "[%d:%d][%s] half-open app_wrk %u engine %u ts %d:%d", + ho_ctx->c_thread_index, ho_ctx->c_s_index, "TLS", + ho_ctx->parent_app_wrk_index, ho_ctx->tls_ctx_engine, + tcp_ho->thread_index, tcp_ho->session_index); + return s; } @@ -1006,10 +1131,11 @@ tls_transport_endpoint_get (u32 ctx_handle, u32 thread_index, transport_endpoint_t * tep, u8 is_lcl) { tls_ctx_t *ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); - session_t *tcp_session; + session_t *ts; - tcp_session = session_get_from_handle (ctx->tls_session_handle); - session_get_endpoint (tcp_session, tep, is_lcl); + ts = session_get_from_handle (ctx->tls_session_handle); + if (ts && ts->session_state < SESSION_STATE_TRANSPORT_DELETED) + session_get_endpoint (ts, tep, is_lcl); } static void @@ -1028,12 +1154,11 @@ tls_transport_listener_endpoint_get (u32 ctx_handle, static clib_error_t * tls_enable (vlib_main_t * vm, u8 is_en) { - u32 add_segment_size = 256 << 20, first_seg_size = 32 << 20; vnet_app_detach_args_t _da, *da = &_da; vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; tls_main_t *tm = &tls_main; - u32 fifo_size = 128 << 12; + u32 fifo_size = 512 << 10; if (!is_en) { @@ -1043,7 +1168,6 @@ tls_enable (vlib_main_t * vm, u8 is_en) return 0; } - first_seg_size = tm->first_seg_size ? tm->first_seg_size : first_seg_size; fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size; clib_memset (a, 0, sizeof (*a)); @@ -1053,8 +1177,8 @@ tls_enable (vlib_main_t * vm, u8 is_en) a->api_client_index = APP_INVALID_INDEX; a->options = options; a->name = format (0, "tls"); - a->options[APP_OPTIONS_SEGMENT_SIZE] = first_seg_size; - a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = add_segment_size; + a->options[APP_OPTIONS_SEGMENT_SIZE] = tm->first_seg_size; + a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = tm->add_seg_size; a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; @@ -1081,6 +1205,8 @@ static const transport_proto_vft_t tls_proto = { .stop_listen = tls_stop_listen, .get_connection = tls_connection_get, .get_listener = tls_listener_get, + .get_half_open = tls_half_open_get, + .cleanup_ho = tls_cleanup_ho, .custom_tx = tls_custom_tx_callback, .format_connection = format_tls_connection, .format_half_open = format_tls_half_open, @@ -1091,7 +1217,7 @@ static const transport_proto_vft_t tls_proto = { .name = "tls", .short_name = "J", .tx_type = TRANSPORT_TX_INTERNAL, - .service_type = TRANSPORT_SERVICE_APP, + .service_type = TRANSPORT_SERVICE_VC, }, }; @@ -1124,21 +1250,22 @@ dtls_connect (transport_endpoint_cfg_t *tep) return -1; } - ctx_handle = tls_ctx_alloc_w_thread (engine_type, 1 /* because of udp */); - ctx = tls_ctx_get_w_thread (ctx_handle, 1); + ctx_handle = tls_ctx_alloc_w_thread (engine_type, transport_cl_thread ()); + ctx = tls_ctx_get_w_thread (ctx_handle, transport_cl_thread ()); ctx->parent_app_wrk_index = sep->app_wrk_index; ctx->parent_app_api_context = sep->opaque; ctx->tcp_is_ip4 = sep->is_ip4; ctx->ckpair_index = ccfg->ckpair_index; ctx->tls_type = sep->transport_proto; ctx->tls_ctx_handle = ctx_handle; + ctx->c_proto = TRANSPORT_PROTO_DTLS; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; if (ccfg->hostname[0]) { ctx->srv_hostname = format (0, "%s", ccfg->hostname); vec_terminate_c_string (ctx->srv_hostname); } - app_worker_alloc_connects_segment_manager (app_wrk); ctx->tls_ctx_engine = engine_type; clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t)); @@ -1152,7 +1279,15 @@ dtls_connect (transport_endpoint_cfg_t *tep) TLS_DBG (1, "New DTLS connect request %x engine %d", ctx_handle, engine_type); - return 0; + return ctx_handle; +} + +static transport_connection_t * +dtls_half_open_get (u32 ho_index) +{ + tls_ctx_t *ho_ctx; + ho_ctx = tls_ctx_get_w_thread (ho_index, transport_cl_thread ()); + return &ho_ctx->connection; } static void @@ -1161,6 +1296,33 @@ dtls_cleanup_callback (u32 ctx_index, u32 thread_index) /* No op */ } +static void +dtls_cleanup_ho (u32 ho_index) +{ + tls_ctx_t *ctx; + ctx = tls_ctx_get_w_thread (ho_index, transport_cl_thread ()); + tls_ctx_free (ctx); +} + +u8 * +format_dtls_half_open (u8 *s, va_list *args) +{ + u32 ho_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); + tls_ctx_t *ho_ctx; + session_t *us; + + ho_ctx = tls_ctx_get_w_thread (ho_index, transport_cl_thread ()); + + us = session_get_from_handle (ho_ctx->tls_session_handle); + s = format (s, "[%d:%d][%s] half-open app_wrk %u engine %u us %d:%d", + ho_ctx->c_thread_index, ho_ctx->c_s_index, "DTLS", + ho_ctx->parent_app_wrk_index, ho_ctx->tls_ctx_engine, + us->thread_index, us->session_index); + + return s; +} + static const transport_proto_vft_t dtls_proto = { .enable = 0, .connect = dtls_connect, @@ -1169,10 +1331,12 @@ static const transport_proto_vft_t dtls_proto = { .stop_listen = tls_stop_listen, .get_connection = tls_connection_get, .get_listener = tls_listener_get, + .get_half_open = dtls_half_open_get, .custom_tx = tls_custom_tx_callback, .cleanup = dtls_cleanup_callback, + .cleanup_ho = dtls_cleanup_ho, .format_connection = format_tls_connection, - .format_half_open = format_tls_half_open, + .format_half_open = format_dtls_half_open, .format_listener = format_tls_listener, .get_transport_endpoint = tls_transport_endpoint_get, .get_transport_listener_endpoint = tls_transport_listener_endpoint_get, @@ -1180,7 +1344,7 @@ static const transport_proto_vft_t dtls_proto = { .name = "dtls", .short_name = "D", .tx_type = TRANSPORT_TX_INTERNAL, - .service_type = TRANSPORT_SERVICE_APP, + .service_type = TRANSPORT_SERVICE_VC, }, }; @@ -1203,11 +1367,12 @@ tls_init (vlib_main_t * vm) if (!tm->ca_cert_path) tm->ca_cert_path = TLS_CA_CERT_PATH; - clib_rwlock_init (&tm->half_open_rwlock); - vec_validate (tm->rx_bufs, num_threads - 1); vec_validate (tm->tx_bufs, num_threads - 1); + tm->first_seg_size = 32 << 20; + tm->add_seg_size = 256 << 20; + transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, FIB_PROTOCOL_IP4, ~0); transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, @@ -1236,6 +1401,9 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "first-segment-size %U", unformat_memory_size, &tm->first_seg_size)) ; + else if (unformat (input, "add-segment-size %U", unformat_memory_size, + &tm->add_seg_size)) + ; else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp)) { if (tmp >= 0x100000000ULL) @@ -1252,7 +1420,7 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input) return 0; } -VLIB_EARLY_CONFIG_FUNCTION (tls_config_fn, "tls"); +VLIB_CONFIG_FUNCTION (tls_config_fn, "tls"); tls_main_t * vnet_tls_get_main (void)