X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=996c20f28291f4db01983f2dbed48f9b2e0bcc81;hb=a8d266a7a4bf1188739dcd6d3ddcc8173282d95d;hp=85ac7f8022c48fccb9945d982c3b140ca6348f5e;hpb=009303dc06f8ecf4ed16c71e18c4e7fd40372eeb;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 85ac7f8022c..996c20f2829 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -61,8 +61,7 @@ tls_add_vpp_q_rx_evt (session_t * s) int tls_add_vpp_q_builtin_rx_evt (session_t * s) { - if (svm_fifo_set_event (s->rx_fifo)) - session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); + session_enqueue_notify (s); return 0; } @@ -75,9 +74,10 @@ tls_add_vpp_q_tx_evt (session_t * s) } static inline int -tls_add_app_q_evt (app_worker_t * app, session_t * app_session) +tls_add_app_q_evt (app_worker_t *app_wrk, session_t *app_session) { - return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); + app_worker_add_event (app_wrk, app_session, SESSION_IO_EVT_RX); + return 0; } u32 @@ -117,10 +117,14 @@ tls_ctx_half_open_alloc (void) tls_main_t *tm = &tls_main; tls_ctx_t *ctx; + if (vec_len (tm->postponed_ho_free)) + tls_flush_postponed_ho_cleanups (); + pool_get_aligned_safe (tm->half_open_ctx_pool, ctx, CLIB_CACHE_LINE_BYTES); clib_memset (ctx, 0, sizeof (*ctx)); ctx->c_c_index = ctx - tm->half_open_ctx_pool; + ctx->c_thread_index = transport_cl_thread (); return ctx->c_c_index; } @@ -138,6 +142,49 @@ tls_ctx_half_open_get (u32 ctx_index) return pool_elt_at_index (tm->half_open_ctx_pool, ctx_index); } +void +tls_add_postponed_ho_cleanups (u32 ho_index) +{ + tls_main_t *tm = &tls_main; + vec_add1 (tm->postponed_ho_free, ho_index); +} + +static void +tls_ctx_ho_try_free (u32 ho_index) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_half_open_get (ho_index); + /* Probably tcp connected just before tcp establish timeout and + * worker that owns established session has not yet received + * @ref tls_session_connected_cb */ + if (!(ctx->flags & TLS_CONN_F_HO_DONE)) + { + ctx->tls_session_handle = SESSION_INVALID_HANDLE; + tls_add_postponed_ho_cleanups (ho_index); + return; + } + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_half_open_delete_notify (&ctx->connection); + tls_ctx_half_open_free (ho_index); +} + +void +tls_flush_postponed_ho_cleanups () +{ + tls_main_t *tm = &tls_main; + u32 *ho_indexp, *tmp; + + tmp = tm->postponed_ho_free; + tm->postponed_ho_free = tm->ho_free_list; + tm->ho_free_list = tmp; + + vec_foreach (ho_indexp, tm->ho_free_list) + tls_ctx_ho_try_free (*ho_indexp); + + vec_reset_length (tm->ho_free_list); +} + void tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session) { @@ -158,17 +205,19 @@ tls_notify_app_accept (tls_ctx_t * ctx) lctx = tls_listener_ctx_get (ctx->listener_ctx_index); app_listener = listen_session_get_from_handle (lctx->app_session_handle); - app_session = session_get (ctx->c_s_index, ctx->c_thread_index); - app_session->app_wrk_index = ctx->parent_app_wrk_index; - app_session->connection_index = ctx->tls_ctx_handle; + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_ACCEPTING; app_session->session_type = app_listener->session_type; app_session->listener_handle = listen_session_get_handle (app_listener); - app_session->session_state = SESSION_STATE_ACCEPTING; + app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->connection_index = ctx->tls_ctx_handle; + ctx->c_s_index = app_session->session_index; if ((rv = app_worker_init_accepted (app_session))) { TLS_DBG (1, "failed to allocate fifos"); session_free (app_session); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return rv; } ctx->app_session_handle = session_handle (app_session); @@ -187,45 +236,44 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err) app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index); if (!app_wrk) { - if (ctx->tls_type == TRANSPORT_PROTO_TLS) - session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); - ctx->no_app_session = 1; + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return -1; } if (err) { - /* Free app session pre-allocated when transport was established */ - if (ctx->tls_type == TRANSPORT_PROTO_TLS) - session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); - ctx->no_app_session = 1; + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; goto send_reply; } - /* For DTLS the app session is not preallocated because the underlying udp - * session might migrate to a different worker during the handshake */ + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; + app_session->connection_index = ctx->tls_ctx_handle; + if (ctx->tls_type == TRANSPORT_PROTO_DTLS) { - session_type_t st; /* Cleanup half-open session as we don't get notification from udp */ session_half_open_delete_notify (&ctx->connection); - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CREATED; - ctx->c_s_index = app_session->session_index; - st = + app_session->session_type = session_type_from_proto_and_ip (TRANSPORT_PROTO_DTLS, ctx->tcp_is_ip4); - app_session->session_type = st; - app_session->connection_index = ctx->tls_ctx_handle; } else { - app_session = session_get (ctx->c_s_index, ctx->c_thread_index); + app_session->session_type = + session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); } app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->opaque = ctx->parent_app_api_context; + ctx->c_s_index = app_session->session_index; if ((err = app_worker_init_connected (app_wrk, app_session))) - goto failed; + { + app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + session_free (app_session); + return -1; + } app_session->session_state = SESSION_STATE_READY; parent_app_api_ctx = ctx->parent_app_api_context; @@ -236,15 +284,12 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err) { TLS_DBG (1, "failed to notify app"); session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); - ctx->no_app_session = 1; + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; return -1; } return 0; -failed: - ctx->no_app_session = 1; - tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); send_reply: return app_worker_connect_notify (app_wrk, 0, err, ctx->parent_app_api_context); @@ -354,6 +399,12 @@ tls_ctx_transport_close (tls_ctx_t * ctx) return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx); } +static inline int +tls_ctx_transport_reset (tls_ctx_t *ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_transport_reset (ctx); +} + static inline int tls_ctx_app_close (tls_ctx_t * ctx) { @@ -389,42 +440,20 @@ tls_notify_app_io_error (tls_ctx_t *ctx) } void -tls_session_reset_callback (session_t * s) +tls_session_reset_callback (session_t *ts) { tls_ctx_t *ctx; - transport_connection_t *tc; - session_t *app_session; - ctx = tls_ctx_get (s->opaque); - ctx->is_passive_close = 1; - tc = &ctx->connection; - if (tls_ctx_handshake_is_over (ctx)) - { - session_transport_reset_notify (tc); - session_transport_closed_notify (tc); - tls_disconnect_transport (ctx); - } - else - if ((app_session = - session_get_if_valid (ctx->c_s_index, ctx->c_thread_index))) - { - session_free (app_session); - ctx->c_s_index = SESSION_INVALID_INDEX; - tls_disconnect_transport (ctx); - } + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + ctx->flags |= TLS_CONN_F_PASSIVE_CLOSE; + tls_ctx_transport_reset (ctx); } static void tls_session_cleanup_ho (session_t *s) { - tls_ctx_t *ctx; - u32 ho_index; - /* session opaque stores the opaque passed on connect */ - ho_index = s->opaque; - ctx = tls_ctx_half_open_get (ho_index); - session_half_open_delete_notify (&ctx->connection); - tls_ctx_half_open_free (ho_index); + tls_ctx_ho_try_free (s->opaque); } int @@ -452,14 +481,14 @@ tls_session_disconnect_callback (session_t * tls_session) || vlib_thread_is_main_w_barrier ()); ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); - ctx->is_passive_close = 1; + ctx->flags |= TLS_CONN_F_PASSIVE_CLOSE; tls_ctx_transport_close (ctx); } int tls_session_accept_callback (session_t * tls_session) { - session_t *tls_listener, *app_session; + session_t *tls_listener; tls_ctx_t *lctx, *ctx; u32 ctx_handle; @@ -469,7 +498,7 @@ tls_session_accept_callback (session_t * tls_session) ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); - memcpy (ctx, lctx, sizeof (*lctx)); + clib_memcpy (ctx, lctx, sizeof (*lctx)); ctx->c_thread_index = vlib_get_thread_index (); ctx->tls_ctx_handle = ctx_handle; tls_session->session_state = SESSION_STATE_READY; @@ -479,34 +508,40 @@ tls_session_accept_callback (session_t * tls_session) ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; ctx->ckpair_index = lctx->ckpair_index; - /* Preallocate app session. Avoids allocating a session post handshake - * on tls_session rx and potentially invalidating the session pool */ - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CREATED; - ctx->c_s_index = app_session->session_index; - TLS_DBG (1, "Accept on listener %u new connection [%u]%x", tls_listener->opaque, vlib_get_thread_index (), ctx_handle); - return tls_ctx_init_server (ctx); + if (tls_ctx_init_server (ctx)) + { + /* Do not free ctx yet, in case we have pending rx events */ + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + tls_disconnect_transport (ctx); + } + + return 0; } int -tls_app_rx_callback (session_t * tls_session) +tls_app_rx_callback (session_t *ts) { tls_ctx_t *ctx; /* DTLS session migrating, wait for next notification */ - if (PREDICT_FALSE (tls_session->flags & SESSION_F_IS_MIGRATING)) + if (PREDICT_FALSE (ts->flags & SESSION_F_IS_MIGRATING)) return 0; - ctx = tls_ctx_get (tls_session->opaque); - if (PREDICT_FALSE (ctx->no_app_session)) + /* Read rescheduled but underlying transport deleted now */ + if (PREDICT_FALSE ((ts->session_state == SESSION_STATE_TRANSPORT_DELETED))) + return 0; + + ctx = tls_ctx_get (ts->opaque); + if (PREDICT_FALSE ((ctx->flags & TLS_CONN_F_NO_APP_SESSION) || + (ctx->flags & TLS_CONN_F_APP_CLOSED))) { TLS_DBG (1, "Local App closed"); return 0; } - tls_ctx_read (ctx, tls_session); + tls_ctx_read (ctx, ts); return 0; } @@ -525,9 +560,7 @@ int tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, session_t *tls_session, session_error_t err) { - session_t *app_session; tls_ctx_t *ho_ctx, *ctx; - session_type_t st; u32 ctx_handle; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); @@ -535,7 +568,9 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); ctx = tls_ctx_get (ctx_handle); clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); + /* Half-open freed on tcp half-open cleanup notification */ + __atomic_fetch_or (&ho_ctx->flags, TLS_CONN_F_HO_DONE, __ATOMIC_RELEASE); ctx->c_thread_index = vlib_get_thread_index (); ctx->tls_ctx_handle = ctx_handle; @@ -547,18 +582,17 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index, ctx->tls_session_handle = session_handle (tls_session); tls_session->opaque = ctx_handle; - tls_session->session_state = SESSION_STATE_READY; - /* Preallocate app session. Avoids allocating a session post handshake - * on tls_session rx and potentially invalidating the session pool */ - app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CREATED; - ctx->c_s_index = app_session->session_index; - st = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); - app_session->session_type = st; - app_session->connection_index = ctx->tls_ctx_handle; + if (tls_ctx_init_client (ctx)) + { + tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE); + tls_disconnect_transport (ctx); + } - return tls_ctx_init_client (ctx); + if (tls_session->session_state < SESSION_STATE_READY) + tls_session->session_state = SESSION_STATE_READY; + + return 0; } int @@ -590,6 +624,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, u32 api_context; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); + ho_ctx->flags |= TLS_CONN_F_HO_DONE; app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); if (app_wrk) { @@ -622,7 +657,7 @@ tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf) } ctx = tls_ctx_get (s->opaque); - if (!ctx->no_app_session) + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) session_transport_delete_notify (&ctx->connection); tls_ctx_free (ctx); } @@ -648,7 +683,7 @@ dtls_migrate_ctx (void *arg) /* Probably the app detached while the session was migrating. Cleanup */ if (session_half_open_migrated_notify (&ctx->connection)) { - ctx->no_app_session = 1; + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); return; } @@ -667,7 +702,7 @@ dtls_session_migrate_callback (session_t *us, session_handle_t new_sh) ctx = tls_ctx_get_w_thread (us->opaque, us->thread_index); ctx->tls_session_handle = new_sh; cloned_ctx = tls_ctx_detach (ctx); - ctx->is_migrated = 1; + ctx->flags |= TLS_CONN_F_MIGRATED; session_half_open_migrate_notify (&ctx->connection); session_send_rpc_evt_to_thread (new_thread, dtls_migrate_ctx, @@ -676,11 +711,22 @@ dtls_session_migrate_callback (session_t *us, session_handle_t new_sh) tls_ctx_free (ctx); } +static void +tls_session_transport_closed_callback (session_t *ts) +{ + tls_ctx_t *ctx; + + ctx = tls_ctx_get_w_thread (ts->opaque, ts->thread_index); + if (!(ctx->flags & TLS_CONN_F_NO_APP_SESSION)) + session_transport_closed_notify (&ctx->connection); +} + static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, .session_disconnect_callback = tls_session_disconnect_callback, .session_connected_callback = tls_session_connected_callback, .session_reset_callback = tls_session_reset_callback, + .session_transport_closed_callback = tls_session_transport_closed_callback, .half_open_cleanup_callback = tls_session_cleanup_ho, .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, @@ -742,7 +788,10 @@ tls_connect (transport_endpoint_cfg_t * tep) cargs->api_context = ctx_index; cargs->sep_ext.ns_index = app->ns_index; if ((rv = vnet_connect (cargs))) - return rv; + { + tls_ctx_half_open_free (ctx_index); + return rv; + } /* Track half-open tcp session in case we need to clean it up */ ctx->tls_session_handle = cargs->sh; @@ -759,6 +808,7 @@ tls_disconnect (u32 ctx_handle, u32 thread_index) TLS_DBG (1, "Disconnecting %x", ctx_handle); ctx = tls_ctx_get (ctx_handle); + ctx->flags |= TLS_CONN_F_APP_CLOSED; tls_ctx_app_close (ctx); } @@ -911,24 +961,44 @@ static void tls_cleanup_ho (u32 ho_index) { tls_ctx_t *ctx; + session_t *s; ctx = tls_ctx_half_open_get (ho_index); - session_cleanup_half_open (ctx->tls_session_handle); - tls_ctx_half_open_free (ho_index); + /* Already pending cleanup */ + if (ctx->tls_session_handle == SESSION_INVALID_HANDLE) + { + ASSERT (ctx->flags & TLS_CONN_F_HO_DONE); + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; + return; + } + + s = session_get_from_handle (ctx->tls_session_handle); + /* If no pending cleanup notification, force cleanup now. Otherwise, + * wait for cleanup notification and set no app session on ctx */ + if (s->session_state != SESSION_STATE_TRANSPORT_DELETED) + { + session_cleanup_half_open (ctx->tls_session_handle); + tls_ctx_half_open_free (ho_index); + } + else + ctx->flags |= TLS_CONN_F_NO_APP_SESSION; } int tls_custom_tx_callback (void *session, transport_send_params_t * sp) { - session_t *app_session = (session_t *) session; + session_t *as = (session_t *) session; tls_ctx_t *ctx; - if (PREDICT_FALSE (app_session->session_state - >= SESSION_STATE_TRANSPORT_CLOSED)) - return 0; + if (PREDICT_FALSE (as->session_state >= SESSION_STATE_TRANSPORT_CLOSED || + as->session_state <= SESSION_STATE_ACCEPTING)) + { + sp->flags |= TRANSPORT_SND_F_DESCHED; + return 0; + } - ctx = tls_ctx_get (app_session->connection_index); - return tls_ctx_write (ctx, app_session, sp); + ctx = tls_ctx_get (as->connection_index); + return tls_ctx_write (ctx, as, sp); } u8 * @@ -1039,6 +1109,7 @@ format_tls_half_open (u8 * s, va_list * args) { u32 ho_index = va_arg (*args, u32); u32 __clib_unused thread_index = va_arg (*args, u32); + u32 __clib_unused verbose = va_arg (*args, u32); session_t *tcp_ho; tls_ctx_t *ho_ctx; @@ -1058,10 +1129,11 @@ tls_transport_endpoint_get (u32 ctx_handle, u32 thread_index, transport_endpoint_t * tep, u8 is_lcl) { tls_ctx_t *ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); - session_t *tcp_session; + session_t *ts; - tcp_session = session_get_from_handle (ctx->tls_session_handle); - session_get_endpoint (tcp_session, tep, is_lcl); + ts = session_get_from_handle (ctx->tls_session_handle); + if (ts && ts->session_state < SESSION_STATE_TRANSPORT_DELETED) + session_get_endpoint (ts, tep, is_lcl); } static void @@ -1084,7 +1156,7 @@ tls_enable (vlib_main_t * vm, u8 is_en) vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; tls_main_t *tm = &tls_main; - u32 fifo_size = 128 << 12; + u32 fifo_size = 512 << 10; if (!is_en) {