X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=88ce3591bb6e1d2b033af7a2c7c37c1b86a9cb83;hb=refs%2Fchanges%2F40%2F25840%2F12;hp=d5dbf2e16d1ad237eabe7633b911129f9fa7213c;hpb=b5e94e3c8582a00b920d7b22dd839b94e7ded595;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index d5dbf2e16d1..88ce3591bb6 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018 Cisco and/or its affiliates. + * Copyright (c) 2018-2019 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -26,7 +26,19 @@ static tls_engine_vft_t *tls_vfts; void tls_disconnect (u32 ctx_handle, u32 thread_index); -tls_engine_type_t +void +tls_disconnect_transport (tls_ctx_t * ctx) +{ + vnet_disconnect_args_t a = { + .handle = ctx->tls_session_handle, + .app_index = tls_main.app_index, + }; + + if (vnet_disconnect_session (&a)) + clib_warning ("disconnect returned"); +} + +crypto_engine_type_t tls_get_available_engine (void) { int i; @@ -35,21 +47,46 @@ tls_get_available_engine (void) if (tls_vfts[i].ctx_alloc) return i; } - return TLS_ENGINE_NONE; + return CRYPTO_ENGINE_NONE; +} + +int +tls_add_vpp_q_rx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->rx_fifo)) + session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_RX); + return 0; +} + +int +tls_add_vpp_q_builtin_rx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->rx_fifo)) + session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); + return 0; +} + +int +tls_add_vpp_q_tx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->tx_fifo)) + session_send_io_evt_to_thread (s->tx_fifo, SESSION_IO_EVT_TX); + return 0; } int -tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type) +tls_add_vpp_q_builtin_tx_evt (session_t * s) { - if (svm_fifo_set_event (f)) - session_send_io_evt_to_thread (f, evt_type); + if (svm_fifo_set_event (s->tx_fifo)) + session_send_io_evt_to_thread_custom (s, s->thread_index, + SESSION_IO_EVT_BUILTIN_TX); return 0; } static inline int -tls_add_app_q_evt (app_worker_t * app, stream_session_t * app_session) +tls_add_app_q_evt (app_worker_t * app, session_t * app_session) { - return app_worker_lock_and_send_event (app, app_session, FIFO_EVENT_APP_RX); + return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); } u32 @@ -59,13 +96,15 @@ tls_listener_ctx_alloc (void) tls_ctx_t *ctx; pool_get (tm->listener_ctx_pool, ctx); - memset (ctx, 0, sizeof (*ctx)); + clib_memset (ctx, 0, sizeof (*ctx)); return ctx - tm->listener_ctx_pool; } void tls_listener_ctx_free (tls_ctx_t * ctx) { + if (CLIB_DEBUG) + memset (ctx, 0xfb, sizeof (*ctx)); pool_put (tls_main.listener_ctx_pool, ctx); } @@ -94,6 +133,7 @@ tls_ctx_half_open_alloc (void) { clib_rwlock_writer_lock (&tm->half_open_rwlock); pool_get (tm->half_open_ctx_pool, ctx); + ctx_index = ctx - tm->half_open_ctx_pool; clib_rwlock_writer_unlock (&tm->half_open_rwlock); } else @@ -101,10 +141,10 @@ tls_ctx_half_open_alloc (void) /* reader lock assumption: only main thread will call pool_get */ clib_rwlock_reader_lock (&tm->half_open_rwlock); pool_get (tm->half_open_ctx_pool, ctx); + ctx_index = ctx - tm->half_open_ctx_pool; clib_rwlock_reader_unlock (&tm->half_open_rwlock); } - memset (ctx, 0, sizeof (*ctx)); - ctx_index = ctx - tm->half_open_ctx_pool; + clib_memset (ctx, 0, sizeof (*ctx)); return ctx_index; } @@ -138,96 +178,89 @@ tls_ctx_half_open_index (tls_ctx_t * ctx) } void -tls_notify_app_enqueue (tls_ctx_t * ctx, stream_session_t * app_session) +tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session) { - app_worker_t *app; - app = app_worker_get_if_valid (app_session->app_wrk_index); - if (PREDICT_TRUE (app != 0)) - tls_add_app_q_evt (app, app_session); + app_worker_t *app_wrk; + app_wrk = app_worker_get_if_valid (app_session->app_wrk_index); + if (PREDICT_TRUE (app_wrk != 0)) + tls_add_app_q_evt (app_wrk, app_session); } int tls_notify_app_accept (tls_ctx_t * ctx) { - stream_session_t *app_listener, *app_session; - segment_manager_t *sm; + session_t *app_listener, *app_session; app_worker_t *app_wrk; - application_t *app; tls_ctx_t *lctx; int rv; - app_wrk = app_worker_get (ctx->parent_app_index); - app = application_get (app_wrk->app_index); lctx = tls_listener_ctx_get (ctx->listener_ctx_index); + app_listener = listen_session_get_from_handle (lctx->app_session_handle); - app_session = session_alloc (vlib_get_thread_index ()); - app_session->app_wrk_index = ctx->parent_app_index; + app_session = session_get (ctx->c_s_index, ctx->c_thread_index); + app_session->app_wrk_index = ctx->parent_app_wrk_index; app_session->connection_index = ctx->tls_ctx_handle; - - app_listener = listen_session_get_from_handle (lctx->app_session_handle); app_session->session_type = app_listener->session_type; - app_session->listener_index = app_listener->session_index; - sm = app_worker_get_listen_segment_manager (app_wrk, app_listener); - app_session->t_app_index = tls_main.app_index; + app_session->listener_handle = listen_session_get_handle (app_listener); + app_session->session_state = SESSION_STATE_ACCEPTING; - if ((rv = session_alloc_fifos (sm, app_session))) + if ((rv = app_worker_init_accepted (app_session))) { TLS_DBG (1, "failed to allocate fifos"); + session_free (app_session); return rv; } - ctx->c_s_index = app_session->session_index; ctx->app_session_handle = session_handle (app_session); - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); - return app->cb_fns.session_accept_callback (app_session); + ctx->parent_app_wrk_index = app_session->app_wrk_index; + app_wrk = app_worker_get (app_session->app_wrk_index); + return app_worker_accept_notify (app_wrk, app_session); } int tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) { - int (*cb_fn) (u32, u32, stream_session_t *, u8); - stream_session_t *app_session; - segment_manager_t *sm; + session_t *app_session; app_worker_t *app_wrk; - application_t *app; - app_wrk = app_worker_get (ctx->parent_app_index); - app = application_get (app_wrk->app_index); - cb_fn = app->cb_fns.session_connected_callback; + app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index); + if (!app_wrk) + { + tls_disconnect_transport (ctx); + return -1; + } if (is_failed) goto failed; - sm = app_worker_get_connect_segment_manager (app_wrk); - app_session = session_alloc (vlib_get_thread_index ()); - app_session->app_wrk_index = ctx->parent_app_index; + app_session = session_get (ctx->c_s_index, ctx->c_thread_index); + app_session->app_wrk_index = ctx->parent_app_wrk_index; app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); - app_session->t_app_index = tls_main.app_index; - if (session_alloc_fifos (sm, app_session)) + if (app_worker_init_connected (app_wrk, app_session)) goto failed; - ctx->app_session_handle = session_handle (app_session); - ctx->c_s_index = app_session->session_index; - app_session->session_state = SESSION_STATE_READY; - if (cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, - app_session, 0 /* not failed */ )) + app_session->session_state = SESSION_STATE_CONNECTING; + if (app_worker_connect_notify (app_wrk, app_session, + ctx->parent_app_api_context)) { TLS_DBG (1, "failed to notify app"); tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + return -1; } - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); + ctx->app_session_handle = session_handle (app_session); + app_session->session_state = SESSION_STATE_READY; return 0; failed: + /* Free app session pre-allocated when transport was established */ + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->no_app_session = 1; tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); - return cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, 0, - 1 /* failed */ ); + return app_worker_connect_notify (app_wrk, 0, ctx->parent_app_api_context); } static inline void @@ -237,8 +270,8 @@ tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type) *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT; } -static inline tls_engine_type_t -tls_get_engine_type (tls_engine_type_t preferred) +static inline crypto_engine_type_t +tls_get_engine_type (crypto_engine_type_t preferred) { if (!tls_vfts[preferred].ctx_alloc) return tls_get_available_engine (); @@ -246,20 +279,13 @@ tls_get_engine_type (tls_engine_type_t preferred) } static inline u32 -tls_ctx_alloc (tls_engine_type_t engine_type) +tls_ctx_alloc (crypto_engine_type_t engine_type) { u32 ctx_index; ctx_index = tls_vfts[engine_type].ctx_alloc (); return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); } -static inline void -tls_ctx_free (tls_ctx_t * ctx) -{ - vec_free (ctx->srv_hostname); - tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); -} - static inline tls_ctx_t * tls_ctx_get (u32 ctx_handle) { @@ -289,71 +315,105 @@ tls_ctx_init_client (tls_ctx_t * ctx) } static inline int -tls_ctx_write (tls_ctx_t * ctx, stream_session_t * app_session) +tls_ctx_write (tls_ctx_t * ctx, session_t * app_session) { return tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session); } static inline int -tls_ctx_read (tls_ctx_t * ctx, stream_session_t * tls_session) +tls_ctx_read (tls_ctx_t * ctx, session_t * tls_session) { return tls_vfts[ctx->tls_ctx_engine].ctx_read (ctx, tls_session); } -static inline u8 +static inline int +tls_ctx_transport_close (tls_ctx_t * ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx); +} + +static inline int +tls_ctx_app_close (tls_ctx_t * ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_app_close (ctx); +} + +void +tls_ctx_free (tls_ctx_t * ctx) +{ + tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); +} + +u8 tls_ctx_handshake_is_over (tls_ctx_t * ctx) { return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx); } void -tls_session_reset_callback (stream_session_t * s) +tls_session_reset_callback (session_t * s) { - clib_warning ("called..."); + tls_ctx_t *ctx; + transport_connection_t *tc; + session_t *app_session; + + ctx = tls_ctx_get (s->opaque); + ctx->is_passive_close = 1; + tc = &ctx->connection; + if (tls_ctx_handshake_is_over (ctx)) + { + session_transport_reset_notify (tc); + session_transport_closed_notify (tc); + tls_disconnect_transport (ctx); + } + else + if ((app_session = + session_get_if_valid (ctx->c_s_index, ctx->c_thread_index))) + { + session_free (app_session); + ctx->c_s_index = SESSION_INVALID_INDEX; + tls_disconnect_transport (ctx); + } } int -tls_add_segment_callback (u32 client_index, const ssvm_private_t * fs) +tls_add_segment_callback (u32 client_index, u64 segment_handle) { /* No-op for builtin */ return 0; } int -tls_del_segment_callback (u32 client_index, const ssvm_private_t * fs) +tls_del_segment_callback (u32 client_index, u64 segment_handle) { return 0; } void -tls_session_disconnect_callback (stream_session_t * tls_session) +tls_session_disconnect_callback (session_t * tls_session) { - stream_session_t *app_session; tls_ctx_t *ctx; - app_worker_t *app_wrk; - application_t *app; - ctx = tls_ctx_get (tls_session->opaque); - if (!tls_ctx_handshake_is_over (ctx)) - { - stream_session_disconnect (tls_session); - return; - } + TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque, + tls_session->session_index); + + ASSERT (tls_session->thread_index == vlib_get_thread_index () + || vlib_thread_is_main_w_barrier ()); + + ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); ctx->is_passive_close = 1; - app_wrk = app_worker_get (ctx->parent_app_index); - app = application_get (app_wrk->app_index); - app_session = session_get_from_handle (ctx->app_session_handle); - app->cb_fns.session_disconnect_callback (app_session); + tls_ctx_transport_close (ctx); } int -tls_session_accept_callback (stream_session_t * tls_session) +tls_session_accept_callback (session_t * tls_session) { - stream_session_t *tls_listener; + session_t *tls_listener, *app_session; tls_ctx_t *lctx, *ctx; u32 ctx_handle; - tls_listener = listen_session_get (tls_session->listener_index); + tls_listener = + listen_session_get_from_handle (tls_session->listener_handle); lctx = tls_listener_ctx_get (tls_listener->opaque); ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); @@ -365,6 +425,14 @@ tls_session_accept_callback (stream_session_t * tls_session) tls_session->opaque = ctx_handle; ctx->tls_session_handle = session_handle (tls_session); ctx->listener_ctx_index = tls_listener->opaque; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + ctx->ckpair_index = lctx->ckpair_index; + + /* Preallocate app session. Avoids allocating a session post handshake + * on tls_session rx and potentially invalidating the session pool */ + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; + ctx->c_s_index = app_session->session_index; TLS_DBG (1, "Accept on listener %u new connection [%u]%x", tls_listener->opaque, vlib_get_thread_index (), ctx_handle); @@ -373,18 +441,7 @@ tls_session_accept_callback (stream_session_t * tls_session) } int -tls_app_tx_callback (stream_session_t * app_session) -{ - tls_ctx_t *ctx; - if (PREDICT_FALSE (app_session->session_state == SESSION_STATE_CLOSED)) - return 0; - ctx = tls_ctx_get (app_session->connection_index); - tls_ctx_write (ctx, app_session); - return 0; -} - -int -tls_app_rx_callback (stream_session_t * tls_session) +tls_app_rx_callback (session_t * tls_session) { tls_ctx_t *ctx; @@ -395,8 +452,9 @@ tls_app_rx_callback (stream_session_t * tls_session) int tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, - stream_session_t * tls_session, u8 is_fail) + session_t * tls_session, u8 is_fail) { + session_t *app_session; tls_ctx_t *ho_ctx, *ctx; u32 ctx_handle; @@ -404,29 +462,30 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, if (is_fail) { - int (*cb_fn) (u32, u32, stream_session_t *, u8); - u32 wrk_index, api_context; app_worker_t *app_wrk; - application_t *app; - - wrk_index = ho_ctx->parent_app_index; - api_context = ho_ctx->c_s_index; + u32 api_context; + int rv = 0; + + app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); + if (app_wrk) + { + api_context = ho_ctx->c_s_index; + app_worker_connect_notify (app_wrk, 0, api_context); + } tls_ctx_half_open_reader_unlock (); tls_ctx_half_open_free (ho_ctx_index); - app_wrk = app_worker_get (ho_ctx->parent_app_index); - app = application_get (app_wrk->app_index); - cb_fn = app->cb_fns.session_connected_callback; - return cb_fn (wrk_index, api_context, 0, 1 /* failed */ ); + return rv; } ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); - clib_memcpy (ctx, ho_ctx, sizeof (*ctx)); + clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); tls_ctx_half_open_reader_unlock (); tls_ctx_half_open_free (ho_ctx_index); ctx->c_thread_index = vlib_get_thread_index (); ctx->tls_ctx_handle = ctx_handle; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x", ho_ctx_index, is_fail, vlib_get_thread_index (), @@ -436,9 +495,29 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, tls_session->opaque = ctx_handle; tls_session->session_state = SESSION_STATE_READY; + /* Preallocate app session. Avoids allocating a session post handshake + * on tls_session rx and potentially invalidating the session pool */ + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; + ctx->c_s_index = app_session->session_index; + return tls_ctx_init_client (ctx); } +static void +tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf) +{ + tls_ctx_t *ctx; + + if (ntf == SESSION_CLEANUP_TRANSPORT) + return; + + ctx = tls_ctx_get (s->opaque); + if (!ctx->no_app_session) + session_transport_delete_notify (&ctx->connection); + tls_ctx_free (ctx); +} + /* *INDENT-OFF* */ static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, @@ -448,28 +527,28 @@ static session_cb_vft_t tls_app_cb_vft = { .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, .builtin_app_rx_callback = tls_app_rx_callback, - .builtin_app_tx_callback = tls_app_tx_callback, + .session_cleanup_callback = tls_app_session_cleanup, }; /* *INDENT-ON* */ int -tls_connect (transport_endpoint_t * tep) +tls_connect (transport_endpoint_cfg_t * tep) { vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs; - session_endpoint_extended_t *sep; - tls_engine_type_t engine_type; + session_endpoint_cfg_t *sep; + crypto_engine_type_t engine_type; tls_main_t *tm = &tls_main; app_worker_t *app_wrk; - clib_error_t *error; application_t *app; tls_ctx_t *ctx; u32 ctx_index; + int rv; - sep = (session_endpoint_extended_t *) tep; + sep = (session_endpoint_cfg_t *) tep; app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); return -1; @@ -477,7 +556,7 @@ tls_connect (transport_endpoint_t * tep) ctx_index = tls_ctx_half_open_alloc (); ctx = tls_ctx_half_open_get (ctx_index); - ctx->parent_app_index = sep->app_wrk_index; + ctx->parent_app_wrk_index = sep->app_wrk_index; ctx->parent_app_api_context = sep->opaque; ctx->tcp_is_ip4 = sep->is_ip4; if (sep->hostname) @@ -490,12 +569,13 @@ tls_connect (transport_endpoint_t * tep) app_worker_alloc_connects_segment_manager (app_wrk); ctx->tls_ctx_engine = engine_type; - clib_memcpy (&cargs->sep, sep, sizeof (session_endpoint_t)); + clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t)); cargs->sep.transport_proto = TRANSPORT_PROTO_TCP; cargs->app_index = tm->app_index; cargs->api_context = ctx_index; - if ((error = vnet_connect (cargs))) - return clib_error_get_code (error); + cargs->sep_ext.ns_index = app->ns_index; + if ((rv = vnet_connect (cargs))) + return rv; TLS_DBG (1, "New connect request %u engine %d", ctx_index, engine_type); return 0; @@ -509,66 +589,71 @@ tls_disconnect (u32 ctx_handle, u32 thread_index) TLS_DBG (1, "Disconnecting %x", ctx_handle); ctx = tls_ctx_get (ctx_handle); - - vnet_disconnect_args_t a = { - .handle = ctx->tls_session_handle, - .app_index = tls_main.app_index, - }; - - if (vnet_disconnect_session (&a)) - clib_warning ("disconnect returned"); - - stream_session_delete_notify (&ctx->connection); - tls_ctx_free (ctx); + tls_ctx_app_close (ctx); } u32 tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) { - vnet_bind_args_t _bargs, *args = &_bargs; + vnet_listen_args_t _bargs, *args = &_bargs; app_worker_t *app_wrk; tls_main_t *tm = &tls_main; - session_handle_t tls_handle; - session_endpoint_extended_t *sep; - stream_session_t *tls_listener; - stream_session_t *app_listener; - tls_engine_type_t engine_type; + session_handle_t tls_al_handle; + session_endpoint_cfg_t *sep; + session_t *tls_listener; + session_t *app_listener; + crypto_engine_type_t engine_type; application_t *app; + app_listener_t *al; tls_ctx_t *lctx; u32 lctx_index; - sep = (session_endpoint_extended_t *) tep; + sep = (session_endpoint_cfg_t *) tep; app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); return -1; } - sep->transport_proto = TRANSPORT_PROTO_TCP; - memset (args, 0, sizeof (*args)); + clib_memset (args, 0, sizeof (*args)); args->app_index = tm->app_index; args->sep_ext = *sep; - if (vnet_bind (args)) + args->sep_ext.ns_index = app->ns_index; + args->sep_ext.transport_proto = TRANSPORT_PROTO_TCP; + if (vnet_listen (args)) return -1; - tls_handle = args->handle; lctx_index = tls_listener_ctx_alloc (); - tls_listener = listen_session_get_from_handle (tls_handle); + tls_al_handle = args->handle; + al = app_listener_get_w_handle (tls_al_handle); + tls_listener = app_listener_get_session (al); tls_listener->opaque = lctx_index; app_listener = listen_session_get (app_listener_index); lctx = tls_listener_ctx_get (lctx_index); - lctx->parent_app_index = sep->app_wrk_index; - lctx->tls_session_handle = tls_handle; + lctx->parent_app_wrk_index = sep->app_wrk_index; + lctx->tls_session_handle = tls_al_handle; lctx->app_session_handle = listen_session_get_handle (app_listener); lctx->tcp_is_ip4 = sep->is_ip4; lctx->tls_ctx_engine = engine_type; + lctx->ckpair_index = sep->ckpair_index; - tls_vfts[engine_type].ctx_start_listen (lctx); + if (tls_vfts[engine_type].ctx_start_listen (lctx)) + { + vnet_unlisten_args_t a = { + .handle = lctx->tls_session_handle, + .app_index = tls_main.app_index, + .wrk_map_index = 0 + }; + if ((vnet_unlisten (&a))) + clib_warning ("unlisten returned"); + tls_listener_ctx_free (lctx); + lctx_index = SESSION_INVALID_INDEX; + } TLS_DBG (1, "Started listening %d, engine type %d", lctx_index, engine_type); @@ -578,17 +663,33 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) u32 tls_stop_listen (u32 lctx_index) { - tls_engine_type_t engine_type; + session_endpoint_t sep = SESSION_ENDPOINT_NULL; + crypto_engine_type_t engine_type; + transport_connection_t *lc; tls_ctx_t *lctx; + session_t *ls; + int rv; lctx = tls_listener_ctx_get (lctx_index); - vnet_unbind_args_t a = { + + /* Cleanup listener from session lookup table */ + ls = session_get_from_handle (lctx->tls_session_handle); + lc = session_get_transport (ls); + + sep.fib_index = lc->fib_index; + sep.port = lc->lcl_port; + sep.is_ip4 = lc->is_ip4; + sep.transport_proto = TRANSPORT_PROTO_TLS; + clib_memcpy (&sep.ip, &lc->lcl_ip, sizeof (lc->lcl_ip)); + session_lookup_del_session_endpoint2 (&sep); + + vnet_unlisten_args_t a = { .handle = lctx->tls_session_handle, .app_index = tls_main.app_index, .wrk_map_index = 0 /* default wrk */ }; - if (vnet_unbind (&a)) - clib_warning ("unbind returned"); + if ((rv = vnet_unlisten (&a))) + clib_warning ("unlisten returned %d", rv); engine_type = lctx->tls_ctx_engine; tls_vfts[engine_type].ctx_stop_listen (lctx); @@ -613,19 +714,72 @@ tls_listener_get (u32 listener_index) return &ctx->connection; } +int +tls_custom_tx_callback (void *session, u32 max_burst_size) +{ + session_t *app_session = (session_t *) session; + tls_ctx_t *ctx; + + if (PREDICT_FALSE (app_session->session_state + >= SESSION_STATE_TRANSPORT_CLOSED)) + return 0; + + ctx = tls_ctx_get (app_session->connection_index); + tls_ctx_write (ctx, app_session); + return 0; +} + u8 * format_tls_ctx (u8 * s, va_list * args) { + u32 tcp_si, tcp_ti, ctx_index, ctx_engine, app_si, app_ti; tls_ctx_t *ctx = va_arg (*args, tls_ctx_t *); - u32 thread_index = va_arg (*args, u32); - u32 child_si, child_ti; - session_parse_handle (ctx->tls_session_handle, &child_si, &child_ti); - if (thread_index != child_ti) - clib_warning ("app and tls sessions are on different threads!"); + session_parse_handle (ctx->tls_session_handle, &tcp_si, &tcp_ti); + tls_ctx_parse_handle (ctx->tls_ctx_handle, &ctx_index, &ctx_engine); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u index %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx_index, + ctx_engine, tcp_ti, tcp_si); + + return s; +} + +static u8 * +format_tls_listener_ctx (u8 * s, va_list * args) +{ + session_t *tls_listener; + app_listener_t *al; + u32 app_si, app_ti; + tls_ctx_t *ctx; + + ctx = va_arg (*args, tls_ctx_t *); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine, + tls_listener->thread_index, tls_listener->session_index); + + return s; +} + +static u8 * +format_tls_ctx_state (u8 * s, va_list * args) +{ + tls_ctx_t *ctx; + session_t *ts; + + ctx = va_arg (*args, tls_ctx_t *); + ts = session_get_from_handle (ctx->app_session_handle); + if (ts->session_state == SESSION_STATE_LISTENING) + s = format (s, "%s", "LISTEN"); + else if (tls_ctx_handshake_is_over (ctx)) + s = format (s, "%s", "ESTABLISHED"); + else + s = format (s, "%s", "HANDSHAKE"); - s = format (s, "[#%d][TLS] app %u child %u", child_ti, - ctx->parent_app_index, child_si); return s; } @@ -641,10 +795,10 @@ format_tls_connection (u8 * s, va_list * args) if (!ctx) return s; - s = format (s, "%-50U", format_tls_ctx, ctx, thread_index); + s = format (s, "%-50U", format_tls_ctx, ctx); if (verbose) { - s = format (s, "%-15s", "state"); + s = format (s, "%-15U", format_tls_ctx_state, ctx); if (verbose > 1) s = format (s, "\n"); } @@ -655,43 +809,76 @@ u8 * format_tls_listener (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); + u32 verbose = va_arg (*args, u32); tls_ctx_t *ctx = tls_listener_ctx_get (tc_index); - u32 listener_index, thread_index; - listen_session_parse_handle (ctx->tls_session_handle, &listener_index, - &thread_index); - return format (s, "[TLS] listener app %u child %u", ctx->parent_app_index, - listener_index); + s = format (s, "%-50U", format_tls_listener_ctx, ctx); + if (verbose) + s = format (s, "%-15U", format_tls_ctx_state, ctx); + return s; } u8 * format_tls_half_open (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index); - s = format (s, "[TLS] half-open app %u", ctx->parent_app_index); + s = format (s, "[TLS] half-open app %u", ctx->parent_app_wrk_index); tls_ctx_half_open_reader_unlock (); return s; } +static void +tls_transport_endpoint_get (u32 ctx_handle, u32 thread_index, + transport_endpoint_t * tep, u8 is_lcl) +{ + tls_ctx_t *ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); + session_t *tcp_session; + + tcp_session = session_get_from_handle (ctx->tls_session_handle); + session_get_endpoint (tcp_session, tep, is_lcl); +} + +static void +tls_transport_listener_endpoint_get (u32 ctx_handle, + transport_endpoint_t * tep, u8 is_lcl) +{ + session_t *tls_listener; + app_listener_t *al; + tls_ctx_t *ctx = tls_listener_ctx_get (ctx_handle); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_get_endpoint (tls_listener, tep, is_lcl); +} + /* *INDENT-OFF* */ -const static transport_proto_vft_t tls_proto = { - .open = tls_connect, +static const transport_proto_vft_t tls_proto = { + .connect = tls_connect, .close = tls_disconnect, - .bind = tls_start_listen, + .start_listen = tls_start_listen, + .stop_listen = tls_stop_listen, .get_connection = tls_connection_get, .get_listener = tls_listener_get, - .unbind = tls_stop_listen, - .tx_type = TRANSPORT_TX_INTERNAL, - .service_type = TRANSPORT_SERVICE_APP, + .custom_tx = tls_custom_tx_callback, .format_connection = format_tls_connection, .format_half_open = format_tls_half_open, .format_listener = format_tls_listener, + .get_transport_endpoint = tls_transport_endpoint_get, + .get_transport_listener_endpoint = tls_transport_listener_endpoint_get, + .transport_options = { + .name = "tls", + .short_name = "J", + .tx_type = TRANSPORT_TX_INTERNAL, + .service_type = TRANSPORT_SERVICE_APP, + }, }; /* *INDENT-ON* */ void -tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) +tls_register_engine (const tls_engine_vft_t * vft, crypto_engine_type_t type) { vec_validate (tls_vfts, type); tls_vfts[type] = *vft; @@ -700,24 +887,26 @@ tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) static clib_error_t * tls_init (vlib_main_t * vm) { + u32 add_segment_size = 256 << 20, first_seg_size = 32 << 20; vlib_thread_main_t *vtm = vlib_get_thread_main (); + u32 num_threads, fifo_size = 128 << 10; vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; - u32 segment_size = 512 << 20; tls_main_t *tm = &tls_main; - u32 fifo_size = 64 << 10; - u32 num_threads; + first_seg_size = tm->first_seg_size ? tm->first_seg_size : first_seg_size; + fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size; num_threads = 1 /* main thread */ + vtm->n_threads; - memset (a, 0, sizeof (*a)); - memset (options, 0, sizeof (options)); + clib_memset (a, 0, sizeof (*a)); + clib_memset (options, 0, sizeof (options)); a->session_cb_vft = &tls_app_cb_vft; a->api_client_index = APP_INVALID_INDEX; a->options = options; a->name = format (0, "tls"); - a->options[APP_OPTIONS_SEGMENT_SIZE] = segment_size; + a->options[APP_OPTIONS_SEGMENT_SIZE] = first_seg_size; + a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = add_segment_size; a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; @@ -753,12 +942,25 @@ static clib_error_t * tls_config_fn (vlib_main_t * vm, unformat_input_t * input) { tls_main_t *tm = &tls_main; + uword tmp; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (unformat (input, "use-test-cert-in-ca")) tm->use_test_cert_in_ca = 1; else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path)) ; + else if (unformat (input, "first-segment-size %U", unformat_memory_size, + &tm->first_seg_size)) + ; + else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp)) + { + if (tmp >= 0x100000000ULL) + { + return clib_error_return + (0, "fifo-size %llu (0x%llx) too large", tmp, tmp); + } + tm->fifo_size = tmp; + } else return clib_error_return (0, "unknown input `%U'", format_unformat_error, input);