X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=23ba70aa4f06fbb7f90ed6ccee98c8fc9cf7c39e;hb=HEAD;hp=8d38be4ef8ebaafe4fd7a1e7527acc64fd43c55e;hpb=a0abbff4849e8b8721b70769ae1f3ef27dd6733c;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 8d38be4ef8e..5f00e6e302d 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -22,7 +22,7 @@ static tls_engine_vft_t *tls_vfts; #define TLS_INVALID_HANDLE ~0 #define TLS_IDX_MASK 0x00FFFFFF -#define TLS_ENGINE_TYPE_SHIFT 29 +#define TLS_ENGINE_TYPE_SHIFT 28 void tls_disconnect (u32 ctx_handle, u32 thread_index); @@ -38,7 +38,7 @@ tls_disconnect_transport (tls_ctx_t * ctx) clib_warning ("disconnect returned"); } -tls_engine_type_t +crypto_engine_type_t tls_get_available_engine (void) { int i; @@ -47,7 +47,7 @@ tls_get_available_engine (void) if (tls_vfts[i].ctx_alloc) return i; } - return TLS_ENGINE_NONE; + return CRYPTO_ENGINE_NONE; } int @@ -61,8 +61,7 @@ tls_add_vpp_q_rx_evt (session_t * s) int tls_add_vpp_q_builtin_rx_evt (session_t * s) { - if (svm_fifo_set_event (s->rx_fifo)) - session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); + session_enqueue_notify (s); return 0; } @@ -74,19 +73,11 @@ tls_add_vpp_q_tx_evt (session_t * s) return 0; } -int -tls_add_vpp_q_builtin_tx_evt (session_t * s) -{ - if (svm_fifo_set_event (s->tx_fifo)) - session_send_io_evt_to_thread_custom (s, s->thread_index, - SESSION_IO_EVT_BUILTIN_TX); - return 0; -} - static inline int -tls_add_app_q_evt (app_worker_t * app, session_t * app_session) +tls_add_app_q_evt (app_worker_t *app_wrk, session_t *app_session) { - return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); + app_worker_add_event (app_wrk, app_session, SESSION_IO_EVT_RX); + return 0; } u32 @@ -124,57 +115,74 @@ u32 tls_ctx_half_open_alloc (void) { tls_main_t *tm = &tls_main; - u8 will_expand = 0; tls_ctx_t *ctx; - u32 ctx_index; - pool_get_aligned_will_expand (tm->half_open_ctx_pool, will_expand, 0); - if (PREDICT_FALSE (will_expand && vlib_num_workers ())) - { - clib_rwlock_writer_lock (&tm->half_open_rwlock); - pool_get (tm->half_open_ctx_pool, ctx); - ctx_index = ctx - tm->half_open_ctx_pool; - clib_rwlock_writer_unlock (&tm->half_open_rwlock); - } - else - { - /* reader lock assumption: only main thread will call pool_get */ - clib_rwlock_reader_lock (&tm->half_open_rwlock); - pool_get (tm->half_open_ctx_pool, ctx); - ctx_index = ctx - tm->half_open_ctx_pool; - clib_rwlock_reader_unlock (&tm->half_open_rwlock); - } + if (vec_len (tm->postponed_ho_free)) + tls_flush_postponed_ho_cleanups (); + + pool_get_aligned_safe (tm->half_open_ctx_pool, ctx, CLIB_CACHE_LINE_BYTES); + clib_memset (ctx, 0, sizeof (*ctx)); - return ctx_index; + ctx->c_c_index = ctx - tm->half_open_ctx_pool; + ctx->c_thread_index = transport_cl_thread (); + + return ctx->c_c_index; } void tls_ctx_half_open_free (u32 ho_index) { - tls_main_t *tm = &tls_main; - clib_rwlock_writer_lock (&tm->half_open_rwlock); pool_put_index (tls_main.half_open_ctx_pool, ho_index); - clib_rwlock_writer_unlock (&tm->half_open_rwlock); } tls_ctx_t * tls_ctx_half_open_get (u32 ctx_index) { tls_main_t *tm = &tls_main; - clib_rwlock_reader_lock (&tm->half_open_rwlock); return pool_elt_at_index (tm->half_open_ctx_pool, ctx_index); } void -tls_ctx_half_open_reader_unlock () +tls_add_postponed_ho_cleanups (u32 ho_index) { - clib_rwlock_reader_unlock (&tls_main.half_open_rwlock); + tls_main_t *tm = &tls_main; + vec_add1 (tm->postponed_ho_free, ho_index); } -u32 -tls_ctx_half_open_index (tls_ctx_t * ctx) +static void +tls_ctx_ho_try_free (u32 ho_index) { - return (ctx - tls_main.half_open_ctx_pool); + tls_ctx_t *ctx; + + ctx = tls_ctx_half_open_get (ho_index); + /* Probably tcp connected just before tcp establish timeout and + * worker that owns established session has not yet received + * @ref tls_session_connected_cb */ + if (!(ctx->flags & TLS_CONN_F_HO_DONE)) + { + ctx->tls_session_handle = SESSION_INVALID_HANDLE; + tls_add_postponed_ho_cleanups (ho_index); + return; + } + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_half_open_delete_notify (&ctx->connection); + tls_ctx_half_open_free (ho_index); +} + +void +tls_flush_postponed_ho_cleanups () +{ + tls_main_t *tm = &tls_main; + u32 *ho_indexp, *tmp; + + tmp = tm->postponed_ho_free; + tm->postponed_ho_free = tm->ho_free_list; + tm->ho_free_list = tmp; + + vec_foreach (ho_indexp, tm->ho_free_list) + tls_ctx_ho_try_free (*ho_indexp); + + vec_reset_length (tm->ho_free_list); } void @@ -197,71 +205,94 @@ tls_notify_app_accept (tls_ctx_t * ctx) lctx = tls_listener_ctx_get (ctx->listener_ctx_index); app_listener = listen_session_get_from_handle (lctx->app_session_handle); - app_session = session_get (ctx->c_s_index, ctx->c_thread_index); - app_session->app_wrk_index = ctx->parent_app_wrk_index; - app_session->connection_index = ctx->tls_ctx_handle; + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_ACCEPTING; app_session->session_type = app_listener->session_type; app_session->listener_handle = listen_session_get_handle (app_listener); - app_session->session_state = SESSION_STATE_ACCEPTING; + app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->connection_index = ctx->tls_ctx_handle; + ctx->c_s_index = app_session->session_index; if ((rv = app_worker_init_accepted (app_session))) { TLS_DBG (1, "failed to allocate fifos"); session_free (app_session); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return rv; } ctx->app_session_handle = session_handle (app_session); - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); ctx->parent_app_wrk_index = app_session->app_wrk_index; app_wrk = app_worker_get (app_session->app_wrk_index); return app_worker_accept_notify (app_wrk, app_session); } int -tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) +tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err) { + u32 parent_app_api_ctx; session_t *app_session; app_worker_t *app_wrk; app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index); if (!app_wrk) { - tls_disconnect_transport (ctx); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return -1; } - if (is_failed) - goto failed; + if (err) + { + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + goto send_reply; + } - app_session = session_get (ctx->c_s_index, ctx->c_thread_index); - app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; app_session->connection_index = ctx->tls_ctx_handle; - app_session->session_type = - session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); - if (app_worker_init_connected (app_wrk, app_session)) - goto failed; + if (ctx->tls_type == TRANSPORT_PROTO_DTLS) + { + /* Cleanup half-open session as we don't get notification from udp */ + session_half_open_delete_notify (&ctx->connection); + app_session->session_type = + session_type_from_proto_and_ip (TRANSPORT_PROTO_DTLS, ctx->tcp_is_ip4); + } + else + { + app_session->session_type = + session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); + } + + app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->opaque = ctx->parent_app_api_context; + ctx->c_s_index = app_session->session_index; - app_session->session_state = SESSION_STATE_CONNECTING; - if (app_worker_connect_notify (app_wrk, app_session, - ctx->parent_app_api_context)) + if ((err = app_worker_init_connected (app_wrk, app_session))) { - TLS_DBG (1, "failed to notify app"); - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + session_free (app_session); return -1; } - ctx->app_session_handle = session_handle (app_session); app_session->session_state = SESSION_STATE_READY; - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); + parent_app_api_ctx = ctx->parent_app_api_context; + ctx->app_session_handle = session_handle (app_session); + + if (app_worker_connect_notify (app_wrk, app_session, SESSION_E_NONE, + parent_app_api_ctx)) + { + TLS_DBG (1, "failed to notify app"); + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + return -1; + } return 0; -failed: - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); - return app_worker_connect_notify (app_wrk, 0, ctx->parent_app_api_context); +send_reply: + return app_worker_connect_notify (app_wrk, 0, err, + ctx->parent_app_api_context); } static inline void @@ -271,22 +302,51 @@ tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type) *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT; } -static inline tls_engine_type_t -tls_get_engine_type (tls_engine_type_t preferred) +static inline crypto_engine_type_t +tls_get_engine_type (crypto_engine_type_t requested, + crypto_engine_type_t preferred) { + if (requested != CRYPTO_ENGINE_NONE) + { + if (tls_vfts[requested].ctx_alloc) + return requested; + return CRYPTO_ENGINE_NONE; + } if (!tls_vfts[preferred].ctx_alloc) return tls_get_available_engine (); return preferred; } static inline u32 -tls_ctx_alloc (tls_engine_type_t engine_type) +tls_ctx_alloc (crypto_engine_type_t engine_type) { u32 ctx_index; ctx_index = tls_vfts[engine_type].ctx_alloc (); return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); } +static inline u32 +tls_ctx_alloc_w_thread (crypto_engine_type_t engine_type, u32 thread_index) +{ + u32 ctx_index; + ctx_index = tls_vfts[engine_type].ctx_alloc_w_thread (thread_index); + return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); +} + +static inline u32 +tls_ctx_attach (crypto_engine_type_t engine_type, u32 thread_index, void *ctx) +{ + u32 ctx_index; + ctx_index = tls_vfts[engine_type].ctx_attach (thread_index, ctx); + return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); +} + +static inline void * +tls_ctx_detach (tls_ctx_t *ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_detach (ctx); +} + static inline tls_ctx_t * tls_ctx_get (u32 ctx_handle) { @@ -316,9 +376,15 @@ tls_ctx_init_client (tls_ctx_t * ctx) } static inline int -tls_ctx_write (tls_ctx_t * ctx, session_t * app_session) +tls_ctx_write (tls_ctx_t * ctx, session_t * app_session, + transport_send_params_t * sp) { - return tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session); + u32 n_wrote; + + sp->max_burst_size = sp->max_burst_size * TRANSPORT_PACER_MIN_MSS; + n_wrote = tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session, sp); + sp->bytes_dequeued = n_wrote; + return n_wrote > 0 ? clib_max (n_wrote / TRANSPORT_PACER_MIN_MSS, 1) : 0; } static inline int @@ -333,6 +399,12 @@ tls_ctx_transport_close (tls_ctx_t * ctx) return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx); } +static inline int +tls_ctx_transport_reset (tls_ctx_t *ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_transport_reset (ctx); +} + static inline int tls_ctx_app_close (tls_ctx_t * ctx) { @@ -342,7 +414,6 @@ tls_ctx_app_close (tls_ctx_t * ctx) void tls_ctx_free (tls_ctx_t * ctx) { - vec_free (ctx->srv_hostname); tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); } @@ -352,10 +423,37 @@ tls_ctx_handshake_is_over (tls_ctx_t * ctx) return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx); } +int +tls_reinit_ca_chain (crypto_engine_type_t tls_engine_id) +{ + return tls_vfts[tls_engine_id].ctx_reinit_cachain (); +} + void -tls_session_reset_callback (session_t * s) +tls_notify_app_io_error (tls_ctx_t *ctx) { - clib_warning ("called..."); + ASSERT (tls_ctx_handshake_is_over (ctx)); + + session_transport_reset_notify (&ctx->connection); + session_transport_closed_notify (&ctx->connection); + tls_disconnect_transport (ctx); +} + +void +tls_session_reset_callback (session_t *ts) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + ctx->flags |= TLS_CONN_F_PASSIVE_CLOSE; + tls_ctx_transport_reset (ctx); +} + +static void +tls_session_cleanup_ho (session_t *s) +{ + /* session opaque stores the opaque passed on connect */ + tls_ctx_ho_try_free (s->opaque); } int @@ -379,125 +477,274 @@ tls_session_disconnect_callback (session_t * tls_session) TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque, tls_session->session_index); - ctx = tls_ctx_get (tls_session->opaque); - ctx->is_passive_close = 1; + ASSERT (tls_session->thread_index == vlib_get_thread_index () + || vlib_thread_is_main_w_barrier ()); + + ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); + ctx->flags |= TLS_CONN_F_PASSIVE_CLOSE; tls_ctx_transport_close (ctx); } int -tls_session_accept_callback (session_t * tls_session) +tls_session_accept_callback (session_t *ts) { - session_t *tls_listener, *app_session; + session_t *tls_listener; tls_ctx_t *lctx, *ctx; u32 ctx_handle; - tls_listener = - listen_session_get_from_handle (tls_session->listener_handle); + tls_listener = listen_session_get_from_handle (ts->listener_handle); lctx = tls_listener_ctx_get (tls_listener->opaque); ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); - memcpy (ctx, lctx, sizeof (*lctx)); - ctx->c_thread_index = vlib_get_thread_index (); + clib_memcpy (ctx, lctx, sizeof (*lctx)); + ctx->c_s_index = SESSION_INVALID_INDEX; + ctx->c_thread_index = ts->thread_index; ctx->tls_ctx_handle = ctx_handle; - tls_session->session_state = SESSION_STATE_READY; - tls_session->opaque = ctx_handle; - ctx->tls_session_handle = session_handle (tls_session); + ts->opaque = ctx_handle; + ctx->tls_session_handle = session_handle (ts); ctx->listener_ctx_index = tls_listener->opaque; - - /* Preallocate app session. Avoids allocating a session post handshake - * on tls_session rx and potentially invalidating the session pool */ - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CLOSED; - ctx->c_s_index = app_session->session_index; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + ctx->ckpair_index = lctx->ckpair_index; TLS_DBG (1, "Accept on listener %u new connection [%u]%x", tls_listener->opaque, vlib_get_thread_index (), ctx_handle); - return tls_ctx_init_server (ctx); + if (tls_ctx_init_server (ctx)) + { + /* Do not free ctx yet, in case we have pending rx events */ + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + tls_disconnect_transport (ctx); + } + + if (ts->session_state < SESSION_STATE_READY) + ts->session_state = SESSION_STATE_READY; + + return 0; +} + +int +tls_app_rx_callback (session_t *ts) +{ + tls_ctx_t *ctx; + + /* DTLS session migrating, wait for next notification */ + if (PREDICT_FALSE (ts->flags & SESSION_F_IS_MIGRATING)) + return 0; + + /* Read rescheduled but underlying transport deleted now */ + if (PREDICT_FALSE ((ts->session_state == SESSION_STATE_TRANSPORT_DELETED))) + return 0; + + ctx = tls_ctx_get (ts->opaque); + if (PREDICT_FALSE ((ctx->flags & TLS_CONN_F_NO_APP_SESSION) || + (ctx->flags & TLS_CONN_F_APP_CLOSED))) + { + TLS_DBG (1, "Local App closed"); + return 0; + } + tls_ctx_read (ctx, ts); + return 0; } int -tls_app_rx_callback (session_t * tls_session) +tls_app_tx_callback (session_t * tls_session) { tls_ctx_t *ctx; ctx = tls_ctx_get (tls_session->opaque); - tls_ctx_read (ctx, tls_session); + transport_connection_reschedule (&ctx->connection); + return 0; } int -tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, - session_t * tls_session, u8 is_fail) +tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, + session_t *tls_session, session_error_t err) { - session_t *app_session; tls_ctx_t *ho_ctx, *ctx; u32 ctx_handle; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); - if (is_fail) + ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); + ctx = tls_ctx_get (ctx_handle); + clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); + + /* Half-open freed on tcp half-open cleanup notification */ + __atomic_fetch_or (&ho_ctx->flags, TLS_CONN_F_HO_DONE, __ATOMIC_RELEASE); + + ctx->c_thread_index = vlib_get_thread_index (); + ctx->tls_ctx_handle = ctx_handle; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + + TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x", + ho_ctx_index, err, vlib_get_thread_index (), + (ctx) ? ctx_handle : ~0); + + ctx->tls_session_handle = session_handle (tls_session); + tls_session->opaque = ctx_handle; + + if (tls_ctx_init_client (ctx)) + { + tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE); + tls_disconnect_transport (ctx); + } + + if (tls_session->session_state < SESSION_STATE_READY) + tls_session->session_state = SESSION_STATE_READY; + + return 0; +} + +int +dtls_session_connected_cb (u32 app_wrk_index, u32 ctx_handle, session_t *us, + session_error_t err) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ctx_handle, transport_cl_thread ()); + + ctx->tls_session_handle = session_handle (us); + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + us->opaque = ctx_handle; + + /* We don't preallocate the app session because the udp session might + * actually migrate to a different worker at the end of the handshake */ + + return tls_ctx_init_client (ctx); +} + +int +tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, + session_t *tls_session, session_error_t err) +{ + if (err) { app_worker_t *app_wrk; + tls_ctx_t *ho_ctx; u32 api_context; - int rv = 0; + ho_ctx = tls_ctx_half_open_get (ho_ctx_index); + ho_ctx->flags |= TLS_CONN_F_HO_DONE; app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); if (app_wrk) { - api_context = ho_ctx->c_s_index; - app_worker_connect_notify (app_wrk, 0, api_context); + api_context = ho_ctx->parent_app_api_context; + app_worker_connect_notify (app_wrk, 0, err, api_context); } - tls_ctx_half_open_reader_unlock (); - tls_ctx_half_open_free (ho_ctx_index); - return rv; + + return 0; } - ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); - ctx = tls_ctx_get (ctx_handle); - clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); - tls_ctx_half_open_reader_unlock (); - tls_ctx_half_open_free (ho_ctx_index); + if (session_get_transport_proto (tls_session) == TRANSPORT_PROTO_TCP) + return tls_session_connected_cb (tls_app_index, ho_ctx_index, tls_session, + err); + else + return dtls_session_connected_cb (tls_app_index, ho_ctx_index, tls_session, + err); +} - ctx->c_thread_index = vlib_get_thread_index (); +static void +tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf) +{ + tls_ctx_t *ctx; + + if (ntf == SESSION_CLEANUP_TRANSPORT) + { + /* Allow cleanup of tcp session */ + if (s->session_state == SESSION_STATE_TRANSPORT_DELETED) + session_close (s); + return; + } + + ctx = tls_ctx_get (s->opaque); + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_transport_delete_notify (&ctx->connection); + tls_ctx_free (ctx); +} + +static void +dtls_migrate_ctx (void *arg) +{ + tls_ctx_t *ctx = (tls_ctx_t *) arg; + u32 ctx_handle, thread_index; + session_t *us; + + thread_index = session_thread_from_handle (ctx->tls_session_handle); + ASSERT (thread_index == vlib_get_thread_index ()); + + ctx_handle = tls_ctx_attach (ctx->tls_ctx_engine, thread_index, ctx); + ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); ctx->tls_ctx_handle = ctx_handle; - TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x", - ho_ctx_index, is_fail, vlib_get_thread_index (), - (ctx) ? ctx_handle : ~0); + us = session_get_from_handle (ctx->tls_session_handle); + us->opaque = ctx_handle; + us->flags &= ~SESSION_F_IS_MIGRATING; - ctx->tls_session_handle = session_handle (tls_session); - tls_session->opaque = ctx_handle; - tls_session->session_state = SESSION_STATE_READY; + /* Probably the app detached while the session was migrating. Cleanup */ + if (session_half_open_migrated_notify (&ctx->connection)) + { + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + return; + } - /* Preallocate app session. Avoids allocating a session post handshake - * on tls_session rx and potentially invalidating the session pool */ - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CLOSED; - ctx->c_s_index = app_session->session_index; + if (svm_fifo_max_dequeue (us->tx_fifo)) + session_send_io_evt_to_thread (us->tx_fifo, SESSION_IO_EVT_TX); +} - return tls_ctx_init_client (ctx); +static void +dtls_session_migrate_callback (session_t *us, session_handle_t new_sh) +{ + u32 new_thread = session_thread_from_handle (new_sh); + tls_ctx_t *ctx, *cloned_ctx; + + /* Migrate dtls context to new thread */ + ctx = tls_ctx_get_w_thread (us->opaque, us->thread_index); + ctx->tls_session_handle = new_sh; + cloned_ctx = tls_ctx_detach (ctx); + ctx->flags |= TLS_CONN_F_MIGRATED; + session_half_open_migrate_notify (&ctx->connection); + + session_send_rpc_evt_to_thread (new_thread, dtls_migrate_ctx, + (void *) cloned_ctx); + + tls_ctx_free (ctx); +} + +static void +tls_session_transport_closed_callback (session_t *ts) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_transport_closed_notify (&ctx->connection); } -/* *INDENT-OFF* */ static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, .session_disconnect_callback = tls_session_disconnect_callback, .session_connected_callback = tls_session_connected_callback, .session_reset_callback = tls_session_reset_callback, + .session_transport_closed_callback = tls_session_transport_closed_callback, + .half_open_cleanup_callback = tls_session_cleanup_ho, .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, .builtin_app_rx_callback = tls_app_rx_callback, + .builtin_app_tx_callback = tls_app_tx_callback, + .session_migrate_callback = dtls_session_migrate_callback, + .session_cleanup_callback = tls_app_session_cleanup, }; -/* *INDENT-ON* */ int tls_connect (transport_endpoint_cfg_t * tep) { vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs; + transport_endpt_crypto_cfg_t *ccfg; + crypto_engine_type_t engine_type; session_endpoint_cfg_t *sep; - tls_engine_type_t engine_type; tls_main_t *tm = &tls_main; app_worker_t *app_wrk; application_t *app; @@ -506,13 +753,18 @@ tls_connect (transport_endpoint_cfg_t * tep) int rv; sep = (session_endpoint_cfg_t *) tep; + if (!sep->ext_cfg) + return SESSION_E_NOEXTCFG; + app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); - engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + + ccfg = &sep->ext_cfg->crypto; + engine_type = tls_get_engine_type (ccfg->crypto_engine, app->tls_engine); + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); - return -1; + return SESSION_E_NOCRYPTOENG; } ctx_index = tls_ctx_half_open_alloc (); @@ -520,14 +772,16 @@ tls_connect (transport_endpoint_cfg_t * tep) ctx->parent_app_wrk_index = sep->app_wrk_index; ctx->parent_app_api_context = sep->opaque; ctx->tcp_is_ip4 = sep->is_ip4; - if (sep->hostname) + ctx->tls_type = sep->transport_proto; + ctx->ckpair_index = ccfg->ckpair_index; + ctx->c_proto = TRANSPORT_PROTO_TLS; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + if (ccfg->hostname[0]) { - ctx->srv_hostname = format (0, "%v", sep->hostname); + ctx->srv_hostname = format (0, "%s", ccfg->hostname); vec_terminate_c_string (ctx->srv_hostname); } - tls_ctx_half_open_reader_unlock (); - app_worker_alloc_connects_segment_manager (app_wrk); ctx->tls_ctx_engine = engine_type; clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t)); @@ -536,10 +790,16 @@ tls_connect (transport_endpoint_cfg_t * tep) cargs->api_context = ctx_index; cargs->sep_ext.ns_index = app->ns_index; if ((rv = vnet_connect (cargs))) - return rv; + { + tls_ctx_half_open_free (ctx_index); + return rv; + } + + /* Track half-open tcp session in case we need to clean it up */ + ctx->tls_session_handle = cargs->sh; TLS_DBG (1, "New connect request %u engine %d", ctx_index, engine_type); - return 0; + return ctx_index; } void @@ -550,42 +810,55 @@ tls_disconnect (u32 ctx_handle, u32 thread_index) TLS_DBG (1, "Disconnecting %x", ctx_handle); ctx = tls_ctx_get (ctx_handle); + ctx->flags |= TLS_CONN_F_APP_CLOSED; tls_ctx_app_close (ctx); } u32 -tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) +tls_start_listen (u32 app_listener_index, transport_endpoint_cfg_t *tep) { vnet_listen_args_t _bargs, *args = &_bargs; + transport_endpt_crypto_cfg_t *ccfg; app_worker_t *app_wrk; tls_main_t *tm = &tls_main; session_handle_t tls_al_handle; session_endpoint_cfg_t *sep; session_t *tls_listener; session_t *app_listener; - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; application_t *app; app_listener_t *al; tls_ctx_t *lctx; u32 lctx_index; + int rv; sep = (session_endpoint_cfg_t *) tep; + if (!sep->ext_cfg) + return SESSION_E_NOEXTCFG; + app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); - engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + + ccfg = &sep->ext_cfg->crypto; + engine_type = tls_get_engine_type (ccfg->crypto_engine, app->tls_engine); + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); - return -1; + return SESSION_E_NOCRYPTOENG; } - sep->transport_proto = TRANSPORT_PROTO_TCP; clib_memset (args, 0, sizeof (*args)); args->app_index = tm->app_index; args->sep_ext = *sep; args->sep_ext.ns_index = app->ns_index; - if (vnet_listen (args)) - return -1; + args->sep_ext.transport_proto = TRANSPORT_PROTO_TCP; + if (sep->transport_proto == TRANSPORT_PROTO_DTLS) + { + args->sep_ext.transport_proto = TRANSPORT_PROTO_UDP; + args->sep_ext.transport_flags = TRANSPORT_CFG_F_CONNECTED; + } + if ((rv = vnet_listen (args))) + return rv; lctx_index = tls_listener_ctx_alloc (); tls_al_handle = args->handle; @@ -601,8 +874,23 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) lctx->app_session_handle = listen_session_get_handle (app_listener); lctx->tcp_is_ip4 = sep->is_ip4; lctx->tls_ctx_engine = engine_type; + lctx->tls_type = sep->transport_proto; + lctx->ckpair_index = ccfg->ckpair_index; + lctx->c_s_index = app_listener_index; + lctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; - tls_vfts[engine_type].ctx_start_listen (lctx); + if (tls_vfts[engine_type].ctx_start_listen (lctx)) + { + vnet_unlisten_args_t a = { + .handle = lctx->tls_session_handle, + .app_index = tls_main.app_index, + .wrk_map_index = 0 + }; + if ((vnet_unlisten (&a))) + clib_warning ("unlisten returned"); + tls_listener_ctx_free (lctx); + lctx_index = SESSION_INVALID_INDEX; + } TLS_DBG (1, "Started listening %d, engine type %d", lctx_index, engine_type); @@ -612,11 +900,26 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) u32 tls_stop_listen (u32 lctx_index) { - tls_engine_type_t engine_type; + session_endpoint_t sep = SESSION_ENDPOINT_NULL; + crypto_engine_type_t engine_type; + transport_connection_t *lc; tls_ctx_t *lctx; + session_t *ls; int rv; lctx = tls_listener_ctx_get (lctx_index); + + /* Cleanup listener from session lookup table */ + ls = session_get_from_handle (lctx->tls_session_handle); + lc = session_get_transport (ls); + + sep.fib_index = lc->fib_index; + sep.port = lc->lcl_port; + sep.is_ip4 = lc->is_ip4; + sep.transport_proto = lctx->tls_type; + clib_memcpy (&sep.ip, &lc->lcl_ip, sizeof (lc->lcl_ip)); + session_lookup_del_session_endpoint2 (&sep); + vnet_unlisten_args_t a = { .handle = lctx->tls_session_handle, .app_index = tls_main.app_index, @@ -648,33 +951,120 @@ tls_listener_get (u32 listener_index) return &ctx->connection; } +static transport_connection_t * +tls_half_open_get (u32 ho_index) +{ + tls_ctx_t *ctx; + ctx = tls_ctx_half_open_get (ho_index); + return &ctx->connection; +} + +static void +tls_cleanup_ho (u32 ho_index) +{ + tls_ctx_t *ctx; + session_t *s; + + ctx = tls_ctx_half_open_get (ho_index); + /* Already pending cleanup */ + if (ctx->tls_session_handle == SESSION_INVALID_HANDLE) + { + ASSERT (ctx->flags & TLS_CONN_F_HO_DONE); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + return; + } + + s = session_get_from_handle (ctx->tls_session_handle); + /* If no pending cleanup notification, force cleanup now. Otherwise, + * wait for cleanup notification and set no app session on ctx */ + if (s->session_state != SESSION_STATE_TRANSPORT_DELETED) + { + session_cleanup_half_open (ctx->tls_session_handle); + tls_ctx_half_open_free (ho_index); + } + else + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; +} + int -tls_custom_tx_callback (void *session) +tls_custom_tx_callback (void *session, transport_send_params_t * sp) { - session_t *app_session = (session_t *) session; + session_t *as = (session_t *) session; tls_ctx_t *ctx; - if (PREDICT_FALSE (app_session->session_state - >= SESSION_STATE_TRANSPORT_CLOSED)) - return 0; + if (PREDICT_FALSE (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED || + as->session_state <= SESSION_STATE_ACCEPTING)) + { + sp->flags |= TRANSPORT_SND_F_DESCHED; + return 0; + } - ctx = tls_ctx_get (app_session->connection_index); - tls_ctx_write (ctx, app_session); - return 0; + ctx = tls_ctx_get (as->connection_index); + return tls_ctx_write (ctx, as, sp); } u8 * format_tls_ctx (u8 * s, va_list * args) { - u32 tcp_si, tcp_ti, ctx_index, ctx_engine, app_si, app_ti; + u32 tcp_si, tcp_ti, ctx_index, ctx_engine; tls_ctx_t *ctx = va_arg (*args, tls_ctx_t *); + char *proto; + proto = ctx->tls_type == TRANSPORT_PROTO_TLS ? "TLS" : "DTLS"; session_parse_handle (ctx->tls_session_handle, &tcp_si, &tcp_ti); tls_ctx_parse_handle (ctx->tls_ctx_handle, &ctx_index, &ctx_engine); - session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); - s = format (s, "[%d:%d][TLS] app_wrk %u index %u engine %u tcp %d:%d", - app_ti, app_si, ctx->parent_app_wrk_index, ctx_index, - ctx_engine, tcp_ti, tcp_si); + s = + format (s, "[%d:%d][%s] app_wrk %u index %u engine %u ts %d:%d", + ctx->c_thread_index, ctx->c_s_index, proto, + ctx->parent_app_wrk_index, ctx_index, ctx_engine, tcp_ti, tcp_si); + + return s; +} + +static u8 * +format_tls_listener_ctx (u8 * s, va_list * args) +{ + session_t *tls_listener; + app_listener_t *al; + tls_ctx_t *ctx; + char *proto; + + ctx = va_arg (*args, tls_ctx_t *); + + proto = ctx->tls_type == TRANSPORT_PROTO_TLS ? "TLS" : "DTLS"; + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + s = format (s, "[%d:%d][%s] app_wrk %u engine %u ts %d:%d", + ctx->c_thread_index, ctx->c_s_index, proto, + ctx->parent_app_wrk_index, ctx->tls_ctx_engine, + tls_listener->thread_index, tls_listener->session_index); + + return s; +} + +static u8 * +format_tls_ctx_state (u8 * s, va_list * args) +{ + tls_ctx_t *ctx; + session_t *ts; + + ctx = va_arg (*args, tls_ctx_t *); + ts = session_get (ctx->c_s_index, ctx->c_thread_index); + if (ts->session_state == SESSION_STATE_LISTENING) + s = format (s, "%s", "LISTEN"); + else + { + if (ts->session_state >= SESSION_STATE_TRANSPORT_CLOSED) + s = format (s, "%s", "CLOSED"); + else if (ts->session_state == SESSION_STATE_APP_CLOSED) + s = format (s, "%s", "APP-CLOSED"); + else if (ts->session_state >= SESSION_STATE_TRANSPORT_CLOSING) + s = format (s, "%s", "CLOSING"); + else if (tls_ctx_handshake_is_over (ctx)) + s = format (s, "%s", "ESTABLISHED"); + else + s = format (s, "%s", "HANDSHAKE"); + } return s; } @@ -691,12 +1081,11 @@ format_tls_connection (u8 * s, va_list * args) if (!ctx) return s; - s = format (s, "%-50U", format_tls_ctx, ctx); + s = format (s, "%-" SESSION_CLI_ID_LEN "U", format_tls_ctx, ctx); if (verbose) { - session_t *ts; - ts = session_get_from_handle (ctx->app_session_handle); - s = format (s, "state: %-7u", ts->session_state); + s = format (s, "%-" SESSION_CLI_STATE_LEN "U", format_tls_ctx_state, + ctx); if (verbose > 1) s = format (s, "\n"); } @@ -708,29 +1097,32 @@ format_tls_listener (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); u32 __clib_unused thread_index = va_arg (*args, u32); - u32 __clib_unused verbose = va_arg (*args, u32); + u32 verbose = va_arg (*args, u32); tls_ctx_t *ctx = tls_listener_ctx_get (tc_index); - session_t *tls_listener; - app_listener_t *al; - u32 app_si, app_ti; - al = app_listener_get_w_handle (ctx->tls_session_handle); - tls_listener = app_listener_get_session (al); - session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); - s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d", - app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine, - tls_listener->thread_index, tls_listener->session_index); + s = format (s, "%-" SESSION_CLI_ID_LEN "U", format_tls_listener_ctx, ctx); + if (verbose) + s = format (s, "%-" SESSION_CLI_STATE_LEN "U", format_tls_ctx_state, ctx); return s; } u8 * format_tls_half_open (u8 * s, va_list * args) { - u32 tc_index = va_arg (*args, u32); + u32 ho_index = va_arg (*args, u32); u32 __clib_unused thread_index = va_arg (*args, u32); - tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index); - s = format (s, "[TLS] half-open app %u", ctx->parent_app_wrk_index); - tls_ctx_half_open_reader_unlock (); + u32 __clib_unused verbose = va_arg (*args, u32); + session_t *tcp_ho; + tls_ctx_t *ho_ctx; + + ho_ctx = tls_ctx_half_open_get (ho_index); + + tcp_ho = session_get_from_handle (ho_ctx->tls_session_handle); + s = format (s, "[%d:%d][%s] half-open app_wrk %u engine %u ts %d:%d", + ho_ctx->c_thread_index, ho_ctx->c_s_index, "TLS", + ho_ctx->parent_app_wrk_index, ho_ctx->tls_ctx_engine, + tcp_ho->thread_index, tcp_ho->session_index); + return s; } @@ -739,10 +1131,11 @@ tls_transport_endpoint_get (u32 ctx_handle, u32 thread_index, transport_endpoint_t * tep, u8 is_lcl) { tls_ctx_t *ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); - session_t *tcp_session; + session_t *ts; - tcp_session = session_get_from_handle (ctx->tls_session_handle); - session_get_endpoint (tcp_session, tep, is_lcl); + ts = session_get_from_handle (ctx->tls_session_handle); + if (ts && ts->session_state < SESSION_STATE_TRANSPORT_DELETED) + session_get_endpoint (ts, tep, is_lcl); } static void @@ -758,14 +1151,62 @@ tls_transport_listener_endpoint_get (u32 ctx_handle, session_get_endpoint (tls_listener, tep, is_lcl); } -/* *INDENT-OFF* */ +static clib_error_t * +tls_enable (vlib_main_t * vm, u8 is_en) +{ + vnet_app_detach_args_t _da, *da = &_da; + vnet_app_attach_args_t _a, *a = &_a; + u64 options[APP_OPTIONS_N_OPTIONS]; + tls_main_t *tm = &tls_main; + u32 fifo_size = 512 << 10; + + if (!is_en) + { + da->app_index = tm->app_index; + da->api_client_index = APP_INVALID_INDEX; + vnet_application_detach (da); + return 0; + } + + fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size; + + clib_memset (a, 0, sizeof (*a)); + clib_memset (options, 0, sizeof (options)); + + a->session_cb_vft = &tls_app_cb_vft; + a->api_client_index = APP_INVALID_INDEX; + a->options = options; + a->name = format (0, "tls"); + a->options[APP_OPTIONS_SEGMENT_SIZE] = tm->first_seg_size; + a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = tm->add_seg_size; + a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; + a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; + a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; + a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE; + a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_IS_TRANSPORT_APP; + + if (vnet_application_attach (a)) + { + clib_warning ("failed to attach tls app"); + return clib_error_return (0, "failed to attach tls app"); + } + + tm->app_index = a->app_index; + vec_free (a->name); + + return 0; +} + static const transport_proto_vft_t tls_proto = { + .enable = tls_enable, .connect = tls_connect, .close = tls_disconnect, .start_listen = tls_start_listen, .stop_listen = tls_stop_listen, .get_connection = tls_connection_get, .get_listener = tls_listener_get, + .get_half_open = tls_half_open_get, + .cleanup_ho = tls_cleanup_ho, .custom_tx = tls_custom_tx_callback, .format_connection = format_tls_connection, .format_half_open = format_tls_half_open, @@ -773,14 +1214,142 @@ static const transport_proto_vft_t tls_proto = { .get_transport_endpoint = tls_transport_endpoint_get, .get_transport_listener_endpoint = tls_transport_listener_endpoint_get, .transport_options = { + .name = "tls", + .short_name = "J", .tx_type = TRANSPORT_TX_INTERNAL, - .service_type = TRANSPORT_SERVICE_APP, + .service_type = TRANSPORT_SERVICE_VC, + }, +}; + +int +dtls_connect (transport_endpoint_cfg_t *tep) +{ + vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs; + transport_endpt_crypto_cfg_t *ccfg; + crypto_engine_type_t engine_type; + session_endpoint_cfg_t *sep; + tls_main_t *tm = &tls_main; + app_worker_t *app_wrk; + application_t *app; + tls_ctx_t *ctx; + u32 ctx_handle; + int rv; + + sep = (session_endpoint_cfg_t *) tep; + if (!sep->ext_cfg) + return -1; + + app_wrk = app_worker_get (sep->app_wrk_index); + app = application_get (app_wrk->app_index); + + ccfg = &sep->ext_cfg->crypto; + engine_type = tls_get_engine_type (ccfg->crypto_engine, app->tls_engine); + if (engine_type == CRYPTO_ENGINE_NONE) + { + clib_warning ("No tls engine_type available"); + return -1; + } + + ctx_handle = tls_ctx_alloc_w_thread (engine_type, transport_cl_thread ()); + ctx = tls_ctx_get_w_thread (ctx_handle, transport_cl_thread ()); + ctx->parent_app_wrk_index = sep->app_wrk_index; + ctx->parent_app_api_context = sep->opaque; + ctx->tcp_is_ip4 = sep->is_ip4; + ctx->ckpair_index = ccfg->ckpair_index; + ctx->tls_type = sep->transport_proto; + ctx->tls_ctx_handle = ctx_handle; + ctx->c_proto = TRANSPORT_PROTO_DTLS; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + if (ccfg->hostname[0]) + { + ctx->srv_hostname = format (0, "%s", ccfg->hostname); + vec_terminate_c_string (ctx->srv_hostname); + } + + ctx->tls_ctx_engine = engine_type; + + clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t)); + cargs->sep.transport_proto = TRANSPORT_PROTO_UDP; + cargs->app_index = tm->app_index; + cargs->api_context = ctx_handle; + cargs->sep_ext.ns_index = app->ns_index; + cargs->sep_ext.transport_flags = TRANSPORT_CFG_F_CONNECTED; + if ((rv = vnet_connect (cargs))) + return rv; + + TLS_DBG (1, "New DTLS connect request %x engine %d", ctx_handle, + engine_type); + return ctx_handle; +} + +static transport_connection_t * +dtls_half_open_get (u32 ho_index) +{ + tls_ctx_t *ho_ctx; + ho_ctx = tls_ctx_get_w_thread (ho_index, transport_cl_thread ()); + return &ho_ctx->connection; +} + +static void +dtls_cleanup_callback (u32 ctx_index, u32 thread_index) +{ + /* No op */ +} + +static void +dtls_cleanup_ho (u32 ho_index) +{ + tls_ctx_t *ctx; + ctx = tls_ctx_get_w_thread (ho_index, transport_cl_thread ()); + tls_ctx_free (ctx); +} + +u8 * +format_dtls_half_open (u8 *s, va_list *args) +{ + u32 ho_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); + tls_ctx_t *ho_ctx; + session_t *us; + + ho_ctx = tls_ctx_get_w_thread (ho_index, transport_cl_thread ()); + + us = session_get_from_handle (ho_ctx->tls_session_handle); + s = format (s, "[%d:%d][%s] half-open app_wrk %u engine %u us %d:%d", + ho_ctx->c_thread_index, ho_ctx->c_s_index, "DTLS", + ho_ctx->parent_app_wrk_index, ho_ctx->tls_ctx_engine, + us->thread_index, us->session_index); + + return s; +} + +static const transport_proto_vft_t dtls_proto = { + .enable = 0, + .connect = dtls_connect, + .close = tls_disconnect, + .start_listen = tls_start_listen, + .stop_listen = tls_stop_listen, + .get_connection = tls_connection_get, + .get_listener = tls_listener_get, + .get_half_open = dtls_half_open_get, + .custom_tx = tls_custom_tx_callback, + .cleanup = dtls_cleanup_callback, + .cleanup_ho = dtls_cleanup_ho, + .format_connection = format_tls_connection, + .format_half_open = format_dtls_half_open, + .format_listener = format_tls_listener, + .get_transport_endpoint = tls_transport_endpoint_get, + .get_transport_listener_endpoint = tls_transport_listener_endpoint_get, + .transport_options = { + .name = "dtls", + .short_name = "D", + .tx_type = TRANSPORT_TX_INTERNAL, + .service_type = TRANSPORT_SERVICE_VC, }, }; -/* *INDENT-ON* */ void -tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) +tls_register_engine (const tls_engine_vft_t * vft, crypto_engine_type_t type) { vec_validate (tls_vfts, type); tls_vfts[type] = *vft; @@ -789,52 +1358,30 @@ tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) static clib_error_t * tls_init (vlib_main_t * vm) { - u32 add_segment_size = (4096ULL << 20) - 1, first_seg_size = 32 << 20; vlib_thread_main_t *vtm = vlib_get_thread_main (); - u32 num_threads, fifo_size = 128 << 10; - vnet_app_attach_args_t _a, *a = &_a; - u64 options[APP_OPTIONS_N_OPTIONS]; tls_main_t *tm = &tls_main; + u32 num_threads; - first_seg_size = tm->first_seg_size ? tm->first_seg_size : first_seg_size; - fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size; num_threads = 1 /* main thread */ + vtm->n_threads; - clib_memset (a, 0, sizeof (*a)); - clib_memset (options, 0, sizeof (options)); - - a->session_cb_vft = &tls_app_cb_vft; - a->api_client_index = APP_INVALID_INDEX; - a->options = options; - a->name = format (0, "tls"); - a->options[APP_OPTIONS_SEGMENT_SIZE] = first_seg_size; - a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = add_segment_size; - a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; - a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; - a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; - a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE; - a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_IS_TRANSPORT_APP; - - if (vnet_application_attach (a)) - { - clib_warning ("failed to attach tls app"); - return clib_error_return (0, "failed to attach tls app"); - } - if (!tm->ca_cert_path) tm->ca_cert_path = TLS_CA_CERT_PATH; - tm->app_index = a->app_index; - clib_rwlock_init (&tm->half_open_rwlock); - vec_validate (tm->rx_bufs, num_threads - 1); vec_validate (tm->tx_bufs, num_threads - 1); + tm->first_seg_size = 32 << 20; + tm->add_seg_size = 256 << 20; + transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, FIB_PROTOCOL_IP4, ~0); transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, FIB_PROTOCOL_IP6, ~0); - vec_free (a->name); + + transport_register_protocol (TRANSPORT_PROTO_DTLS, &dtls_proto, + FIB_PROTOCOL_IP4, ~0); + transport_register_protocol (TRANSPORT_PROTO_DTLS, &dtls_proto, + FIB_PROTOCOL_IP6, ~0); return 0; } @@ -844,6 +1391,7 @@ static clib_error_t * tls_config_fn (vlib_main_t * vm, unformat_input_t * input) { tls_main_t *tm = &tls_main; + uword tmp; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (unformat (input, "use-test-cert-in-ca")) @@ -853,9 +1401,18 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "first-segment-size %U", unformat_memory_size, &tm->first_seg_size)) ; - else if (unformat (input, "fifo-size %U", unformat_memory_size, - &tm->fifo_size)) + else if (unformat (input, "add-segment-size %U", unformat_memory_size, + &tm->add_seg_size)) ; + else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp)) + { + if (tmp >= 0x100000000ULL) + { + return clib_error_return + (0, "fifo-size %llu (0x%llx) too large", tmp, tmp); + } + tm->fifo_size = tmp; + } else return clib_error_return (0, "unknown input `%U'", format_unformat_error, input); @@ -863,7 +1420,7 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input) return 0; } -VLIB_EARLY_CONFIG_FUNCTION (tls_config_fn, "tls"); +VLIB_CONFIG_FUNCTION (tls_config_fn, "tls"); tls_main_t * vnet_tls_get_main (void)