X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=257f48cd9ba1be190ed0f8b8559ac993117f44f7;hb=837826169fd51c1d2bb7703e479447f5d4ffa9a5;hp=4fff72f1cda177cb72b6e001133429df00112511;hpb=d09236d17d86a5d50166b2017f8f30a560c6e1b8;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 4fff72f1cda..257f48cd9ba 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -38,7 +38,7 @@ tls_disconnect_transport (tls_ctx_t * ctx) clib_warning ("disconnect returned"); } -tls_engine_type_t +crypto_engine_type_t tls_get_available_engine (void) { int i; @@ -47,7 +47,7 @@ tls_get_available_engine (void) if (tls_vfts[i].ctx_alloc) return i; } - return TLS_ENGINE_NONE; + return CRYPTO_ENGINE_NONE; } int @@ -211,8 +211,6 @@ tls_notify_app_accept (tls_ctx_t * ctx) return rv; } ctx->app_session_handle = session_handle (app_session); - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); ctx->parent_app_wrk_index = app_session->app_wrk_index; app_wrk = app_worker_get (app_session->app_wrk_index); return app_worker_accept_notify (app_wrk, app_session); @@ -254,8 +252,6 @@ tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) ctx->app_session_handle = session_handle (app_session); app_session->session_state = SESSION_STATE_READY; - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); return 0; @@ -274,8 +270,8 @@ tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type) *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT; } -static inline tls_engine_type_t -tls_get_engine_type (tls_engine_type_t preferred) +static inline crypto_engine_type_t +tls_get_engine_type (crypto_engine_type_t preferred) { if (!tls_vfts[preferred].ctx_alloc) return tls_get_available_engine (); @@ -283,7 +279,7 @@ tls_get_engine_type (tls_engine_type_t preferred) } static inline u32 -tls_ctx_alloc (tls_engine_type_t engine_type) +tls_ctx_alloc (crypto_engine_type_t engine_type) { u32 ctx_index; ctx_index = tls_vfts[engine_type].ctx_alloc (); @@ -358,11 +354,26 @@ void tls_session_reset_callback (session_t * s) { tls_ctx_t *ctx; + transport_connection_t *tc; + session_t *app_session; ctx = tls_ctx_get (s->opaque); - session_transport_reset_notify (&ctx->connection); - session_transport_closed_notify (&ctx->connection); - tls_disconnect_transport (ctx); + ctx->is_passive_close = 1; + tc = &ctx->connection; + if (tls_ctx_handshake_is_over (ctx)) + { + session_transport_reset_notify (tc); + session_transport_closed_notify (tc); + tls_disconnect_transport (ctx); + } + else + if ((app_session = + session_get_if_valid (ctx->c_s_index, ctx->c_thread_index))) + { + session_free (app_session); + ctx->c_s_index = SESSION_INVALID_INDEX; + tls_disconnect_transport (ctx); + } } int @@ -386,7 +397,10 @@ tls_session_disconnect_callback (session_t * tls_session) TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque, tls_session->session_index); - ctx = tls_ctx_get (tls_session->opaque); + ASSERT (tls_session->thread_index == vlib_get_thread_index () + || vlib_thread_is_main_w_barrier ()); + + ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); ctx->is_passive_close = 1; tls_ctx_transport_close (ctx); } @@ -412,11 +426,12 @@ tls_session_accept_callback (session_t * tls_session) ctx->tls_session_handle = session_handle (tls_session); ctx->listener_ctx_index = tls_listener->opaque; ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + ctx->ckpair_index = lctx->ckpair_index; /* Preallocate app session. Avoids allocating a session post handshake * on tls_session rx and potentially invalidating the session pool */ app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CLOSED; + app_session->session_state = SESSION_STATE_CREATED; ctx->c_s_index = app_session->session_index; TLS_DBG (1, "Accept on listener %u new connection [%u]%x", @@ -483,7 +498,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, /* Preallocate app session. Avoids allocating a session post handshake * on tls_session rx and potentially invalidating the session pool */ app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CLOSED; + app_session->session_state = SESSION_STATE_CREATED; ctx->c_s_index = app_session->session_index; return tls_ctx_init_client (ctx); @@ -521,7 +536,7 @@ tls_connect (transport_endpoint_cfg_t * tep) { vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs; session_endpoint_cfg_t *sep; - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; tls_main_t *tm = &tls_main; app_worker_t *app_wrk; application_t *app; @@ -533,7 +548,7 @@ tls_connect (transport_endpoint_cfg_t * tep) app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); return -1; @@ -587,7 +602,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) session_endpoint_cfg_t *sep; session_t *tls_listener; session_t *app_listener; - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; application_t *app; app_listener_t *al; tls_ctx_t *lctx; @@ -597,17 +612,17 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); return -1; } - sep->transport_proto = TRANSPORT_PROTO_TCP; clib_memset (args, 0, sizeof (*args)); args->app_index = tm->app_index; args->sep_ext = *sep; args->sep_ext.ns_index = app->ns_index; + args->sep_ext.transport_proto = TRANSPORT_PROTO_TCP; if (vnet_listen (args)) return -1; @@ -625,6 +640,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) lctx->app_session_handle = listen_session_get_handle (app_listener); lctx->tcp_is_ip4 = sep->is_ip4; lctx->tls_ctx_engine = engine_type; + lctx->ckpair_index = sep->ckpair_index; if (tls_vfts[engine_type].ctx_start_listen (lctx)) { @@ -647,7 +663,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) u32 tls_stop_listen (u32 lctx_index) { - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; tls_ctx_t *lctx; int rv; @@ -714,6 +730,44 @@ format_tls_ctx (u8 * s, va_list * args) return s; } +static u8 * +format_tls_listener_ctx (u8 * s, va_list * args) +{ + session_t *tls_listener; + app_listener_t *al; + u32 app_si, app_ti; + tls_ctx_t *ctx; + + ctx = va_arg (*args, tls_ctx_t *); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine, + tls_listener->thread_index, tls_listener->session_index); + + return s; +} + +static u8 * +format_tls_ctx_state (u8 * s, va_list * args) +{ + tls_ctx_t *ctx; + session_t *ts; + + ctx = va_arg (*args, tls_ctx_t *); + ts = session_get_from_handle (ctx->app_session_handle); + if (ts->session_state == SESSION_STATE_LISTENING) + s = format (s, "%s", "LISTEN"); + else if (tls_ctx_handshake_is_over (ctx)) + s = format (s, "%s", "ESTABLISHED"); + else + s = format (s, "%s", "HANDSHAKE"); + + return s; +} + u8 * format_tls_connection (u8 * s, va_list * args) { @@ -729,9 +783,7 @@ format_tls_connection (u8 * s, va_list * args) s = format (s, "%-50U", format_tls_ctx, ctx); if (verbose) { - session_t *ts; - ts = session_get_from_handle (ctx->app_session_handle); - s = format (s, "state: %-7u", ts->session_state); + s = format (s, "%-15U", format_tls_ctx_state, ctx); if (verbose > 1) s = format (s, "\n"); } @@ -743,18 +795,12 @@ format_tls_listener (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); u32 __clib_unused thread_index = va_arg (*args, u32); - u32 __clib_unused verbose = va_arg (*args, u32); + u32 verbose = va_arg (*args, u32); tls_ctx_t *ctx = tls_listener_ctx_get (tc_index); - session_t *tls_listener; - app_listener_t *al; - u32 app_si, app_ti; - al = app_listener_get_w_handle (ctx->tls_session_handle); - tls_listener = app_listener_get_session (al); - session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); - s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d", - app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine, - tls_listener->thread_index, tls_listener->session_index); + s = format (s, "%-50U", format_tls_listener_ctx, ctx); + if (verbose) + s = format (s, "%-15U", format_tls_ctx_state, ctx); return s; } @@ -815,7 +861,7 @@ static const transport_proto_vft_t tls_proto = { /* *INDENT-ON* */ void -tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) +tls_register_engine (const tls_engine_vft_t * vft, crypto_engine_type_t type) { vec_validate (tls_vfts, type); tls_vfts[type] = *vft; @@ -879,6 +925,7 @@ static clib_error_t * tls_config_fn (vlib_main_t * vm, unformat_input_t * input) { tls_main_t *tm = &tls_main; + uword tmp; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (unformat (input, "use-test-cert-in-ca")) @@ -888,9 +935,15 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input) else if (unformat (input, "first-segment-size %U", unformat_memory_size, &tm->first_seg_size)) ; - else if (unformat (input, "fifo-size %U", unformat_memory_size, - &tm->fifo_size)) - ; + else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp)) + { + if (tmp >= 0x100000000ULL) + { + return clib_error_return + (0, "fifo-size %llu (0x%llx) too large", tmp, tmp); + } + tm->fifo_size = tmp; + } else return clib_error_return (0, "unknown input `%U'", format_unformat_error, input);