X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=c2616fdde23866f1f6403795054cdd6872ad15be;hb=985d9293a08dc3da016fbeeaa3f8fff10e1b504e;hp=373da7b512c91fb2dc4676b1f6f4c43336e4c9dc;hpb=8a140616a5bab477817e7ed59afe6b01bd3d2f3a;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 373da7b512c..c2616fdde23 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -26,7 +26,7 @@ static tls_engine_vft_t *tls_vfts; void tls_disconnect (u32 ctx_handle, u32 thread_index); -static void +void tls_disconnect_transport (tls_ctx_t * ctx) { vnet_disconnect_args_t a = { @@ -38,7 +38,7 @@ tls_disconnect_transport (tls_ctx_t * ctx) clib_warning ("disconnect returned"); } -tls_engine_type_t +crypto_engine_type_t tls_get_available_engine (void) { int i; @@ -47,14 +47,14 @@ tls_get_available_engine (void) if (tls_vfts[i].ctx_alloc) return i; } - return TLS_ENGINE_NONE; + return CRYPTO_ENGINE_NONE; } int tls_add_vpp_q_rx_evt (session_t * s) { if (svm_fifo_set_event (s->rx_fifo)) - session_send_io_evt_to_thread (s->rx_fifo, FIFO_EVENT_APP_RX); + session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_RX); return 0; } @@ -62,7 +62,7 @@ int tls_add_vpp_q_builtin_rx_evt (session_t * s) { if (svm_fifo_set_event (s->rx_fifo)) - session_send_io_evt_to_thread (s->rx_fifo, FIFO_EVENT_BUILTIN_RX); + session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); return 0; } @@ -70,7 +70,7 @@ int tls_add_vpp_q_tx_evt (session_t * s) { if (svm_fifo_set_event (s->tx_fifo)) - session_send_io_evt_to_thread (s->tx_fifo, FIFO_EVENT_APP_TX); + session_send_io_evt_to_thread (s->tx_fifo, SESSION_IO_EVT_TX); return 0; } @@ -79,14 +79,14 @@ tls_add_vpp_q_builtin_tx_evt (session_t * s) { if (svm_fifo_set_event (s->tx_fifo)) session_send_io_evt_to_thread_custom (s, s->thread_index, - FIFO_EVENT_BUILTIN_TX); + SESSION_IO_EVT_BUILTIN_TX); return 0; } static inline int tls_add_app_q_evt (app_worker_t * app, session_t * app_session) { - return app_worker_lock_and_send_event (app, app_session, FIFO_EVENT_APP_RX); + return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); } u32 @@ -180,10 +180,10 @@ tls_ctx_half_open_index (tls_ctx_t * ctx) void tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session) { - app_worker_t *app; - app = app_worker_get_if_valid (app_session->app_wrk_index); - if (PREDICT_TRUE (app != 0)) - tls_add_app_q_evt (app, app_session); + app_worker_t *app_wrk; + app_wrk = app_worker_get_if_valid (app_session->app_wrk_index); + if (PREDICT_TRUE (app_wrk != 0)) + tls_add_app_q_evt (app_wrk, app_session); } int @@ -201,8 +201,7 @@ tls_notify_app_accept (tls_ctx_t * ctx) app_session->app_wrk_index = ctx->parent_app_wrk_index; app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = app_listener->session_type; - app_session->listener_index = app_listener->session_index; - app_session->t_app_index = tls_main.app_index; + app_session->listener_handle = listen_session_get_handle (app_listener); app_session->session_state = SESSION_STATE_ACCEPTING; if ((rv = app_worker_init_accepted (app_session))) @@ -212,8 +211,6 @@ tls_notify_app_accept (tls_ctx_t * ctx) return rv; } ctx->app_session_handle = session_handle (app_session); - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); ctx->parent_app_wrk_index = app_session->app_wrk_index; app_wrk = app_worker_get (app_session->app_wrk_index); return app_worker_accept_notify (app_wrk, app_session); @@ -240,7 +237,6 @@ tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); - app_session->t_app_index = tls_main.app_index; if (app_worker_init_connected (app_wrk, app_session)) goto failed; @@ -256,12 +252,13 @@ tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) ctx->app_session_handle = session_handle (app_session); app_session->session_state = SESSION_STATE_READY; - session_lookup_add_connection (&ctx->connection, - session_handle (app_session)); return 0; failed: + /* Free app session pre-allocated when transport was established */ + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->no_app_session = 1; tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); return app_worker_connect_notify (app_wrk, 0, ctx->parent_app_api_context); } @@ -273,8 +270,8 @@ tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type) *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT; } -static inline tls_engine_type_t -tls_get_engine_type (tls_engine_type_t preferred) +static inline crypto_engine_type_t +tls_get_engine_type (crypto_engine_type_t preferred) { if (!tls_vfts[preferred].ctx_alloc) return tls_get_available_engine (); @@ -282,20 +279,13 @@ tls_get_engine_type (tls_engine_type_t preferred) } static inline u32 -tls_ctx_alloc (tls_engine_type_t engine_type) +tls_ctx_alloc (crypto_engine_type_t engine_type) { u32 ctx_index; ctx_index = tls_vfts[engine_type].ctx_alloc (); return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); } -static inline void -tls_ctx_free (tls_ctx_t * ctx) -{ - vec_free (ctx->srv_hostname); - tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); -} - static inline tls_ctx_t * tls_ctx_get (u32 ctx_handle) { @@ -336,7 +326,25 @@ tls_ctx_read (tls_ctx_t * ctx, session_t * tls_session) return tls_vfts[ctx->tls_ctx_engine].ctx_read (ctx, tls_session); } -static inline u8 +static inline int +tls_ctx_transport_close (tls_ctx_t * ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx); +} + +static inline int +tls_ctx_app_close (tls_ctx_t * ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_app_close (ctx); +} + +void +tls_ctx_free (tls_ctx_t * ctx) +{ + tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); +} + +u8 tls_ctx_handshake_is_over (tls_ctx_t * ctx) { return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx); @@ -345,7 +353,20 @@ tls_ctx_handshake_is_over (tls_ctx_t * ctx) void tls_session_reset_callback (session_t * s) { - clib_warning ("called..."); + tls_ctx_t *ctx; + transport_connection_t *tc; + session_t *app_session; + + ctx = tls_ctx_get (s->opaque); + tc = &ctx->connection; + if (tls_ctx_handshake_is_over (ctx)) + { + session_transport_reset_notify (tc); + session_transport_closed_notify (tc); + } + else if ((app_session = session_get (tc->s_index, tc->thread_index))) + session_free (app_session); + tls_disconnect_transport (ctx); } int @@ -364,22 +385,17 @@ tls_del_segment_callback (u32 client_index, u64 segment_handle) void tls_session_disconnect_callback (session_t * tls_session) { - session_t *app_session; tls_ctx_t *ctx; - app_worker_t *app_wrk; - application_t *app; - ctx = tls_ctx_get (tls_session->opaque); - if (!tls_ctx_handshake_is_over (ctx)) - { - session_close (tls_session); - return; - } + TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque, + tls_session->session_index); + + ASSERT (tls_session->thread_index == vlib_get_thread_index () + || vlib_thread_is_main_w_barrier ()); + + ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); ctx->is_passive_close = 1; - app_wrk = app_worker_get (ctx->parent_app_wrk_index); - app = application_get (app_wrk->app_index); - app_session = session_get_from_handle (ctx->app_session_handle); - app->cb_fns.session_disconnect_callback (app_session); + tls_ctx_transport_close (ctx); } int @@ -389,7 +405,8 @@ tls_session_accept_callback (session_t * tls_session) tls_ctx_t *lctx, *ctx; u32 ctx_handle; - tls_listener = listen_session_get (tls_session->listener_index); + tls_listener = + listen_session_get_from_handle (tls_session->listener_handle); lctx = tls_listener_ctx_get (tls_listener->opaque); ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); @@ -401,11 +418,13 @@ tls_session_accept_callback (session_t * tls_session) tls_session->opaque = ctx_handle; ctx->tls_session_handle = session_handle (tls_session); ctx->listener_ctx_index = tls_listener->opaque; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + ctx->ckpair_index = lctx->ckpair_index; /* Preallocate app session. Avoids allocating a session post handshake * on tls_session rx and potentially invalidating the session pool */ app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CLOSED; + app_session->session_state = SESSION_STATE_CREATED; ctx->c_s_index = app_session->session_index; TLS_DBG (1, "Accept on listener %u new connection [%u]%x", @@ -414,17 +433,6 @@ tls_session_accept_callback (session_t * tls_session) return tls_ctx_init_server (ctx); } -int -tls_app_tx_callback (session_t * app_session) -{ - tls_ctx_t *ctx; - if (PREDICT_FALSE (app_session->session_state == SESSION_STATE_CLOSED)) - return 0; - ctx = tls_ctx_get (app_session->connection_index); - tls_ctx_write (ctx, app_session); - return 0; -} - int tls_app_rx_callback (session_t * tls_session) { @@ -447,19 +455,15 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, if (is_fail) { - int (*cb_fn) (u32, u32, session_t *, u8), rv = 0; - u32 wrk_index, api_context; app_worker_t *app_wrk; - application_t *app; + u32 api_context; + int rv = 0; - wrk_index = ho_ctx->parent_app_wrk_index; app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); if (app_wrk) { api_context = ho_ctx->c_s_index; - app = application_get (app_wrk->app_index); - cb_fn = app->cb_fns.session_connected_callback; - rv = cb_fn (wrk_index, api_context, 0, 1 /* failed */ ); + app_worker_connect_notify (app_wrk, 0, api_context); } tls_ctx_half_open_reader_unlock (); tls_ctx_half_open_free (ho_ctx_index); @@ -474,6 +478,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, ctx->c_thread_index = vlib_get_thread_index (); ctx->tls_ctx_handle = ctx_handle; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x", ho_ctx_index, is_fail, vlib_get_thread_index (), @@ -486,12 +491,26 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, /* Preallocate app session. Avoids allocating a session post handshake * on tls_session rx and potentially invalidating the session pool */ app_session = session_alloc (ctx->c_thread_index); - app_session->session_state = SESSION_STATE_CLOSED; + app_session->session_state = SESSION_STATE_CREATED; ctx->c_s_index = app_session->session_index; return tls_ctx_init_client (ctx); } +static void +tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf) +{ + tls_ctx_t *ctx; + + if (ntf == SESSION_CLEANUP_TRANSPORT) + return; + + ctx = tls_ctx_get (s->opaque); + if (!ctx->no_app_session) + session_transport_delete_notify (&ctx->connection); + tls_ctx_free (ctx); +} + /* *INDENT-OFF* */ static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, @@ -501,7 +520,7 @@ static session_cb_vft_t tls_app_cb_vft = { .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, .builtin_app_rx_callback = tls_app_rx_callback, - .builtin_app_tx_callback = tls_app_tx_callback, + .session_cleanup_callback = tls_app_session_cleanup, }; /* *INDENT-ON* */ @@ -510,7 +529,7 @@ tls_connect (transport_endpoint_cfg_t * tep) { vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs; session_endpoint_cfg_t *sep; - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; tls_main_t *tm = &tls_main; app_worker_t *app_wrk; application_t *app; @@ -522,7 +541,7 @@ tls_connect (transport_endpoint_cfg_t * tep) app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); return -1; @@ -563,9 +582,7 @@ tls_disconnect (u32 ctx_handle, u32 thread_index) TLS_DBG (1, "Disconnecting %x", ctx_handle); ctx = tls_ctx_get (ctx_handle); - tls_disconnect_transport (ctx); - session_transport_delete_notify (&ctx->connection); - tls_ctx_free (ctx); + tls_ctx_app_close (ctx); } u32 @@ -578,7 +595,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) session_endpoint_cfg_t *sep; session_t *tls_listener; session_t *app_listener; - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; application_t *app; app_listener_t *al; tls_ctx_t *lctx; @@ -588,17 +605,17 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) app_wrk = app_worker_get (sep->app_wrk_index); app = application_get (app_wrk->app_index); engine_type = tls_get_engine_type (app->tls_engine); - if (engine_type == TLS_ENGINE_NONE) + if (engine_type == CRYPTO_ENGINE_NONE) { clib_warning ("No tls engine_type available"); return -1; } - sep->transport_proto = TRANSPORT_PROTO_TCP; clib_memset (args, 0, sizeof (*args)); args->app_index = tm->app_index; args->sep_ext = *sep; args->sep_ext.ns_index = app->ns_index; + args->sep_ext.transport_proto = TRANSPORT_PROTO_TCP; if (vnet_listen (args)) return -1; @@ -616,8 +633,20 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) lctx->app_session_handle = listen_session_get_handle (app_listener); lctx->tcp_is_ip4 = sep->is_ip4; lctx->tls_ctx_engine = engine_type; + lctx->ckpair_index = sep->ckpair_index; - tls_vfts[engine_type].ctx_start_listen (lctx); + if (tls_vfts[engine_type].ctx_start_listen (lctx)) + { + vnet_unlisten_args_t a = { + .handle = lctx->tls_session_handle, + .app_index = tls_main.app_index, + .wrk_map_index = 0 + }; + if ((vnet_unlisten (&a))) + clib_warning ("unlisten returned"); + tls_listener_ctx_free (lctx); + lctx_index = SESSION_INVALID_INDEX; + } TLS_DBG (1, "Started listening %d, engine type %d", lctx_index, engine_type); @@ -627,7 +656,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) u32 tls_stop_listen (u32 lctx_index) { - tls_engine_type_t engine_type; + crypto_engine_type_t engine_type; tls_ctx_t *lctx; int rv; @@ -663,19 +692,72 @@ tls_listener_get (u32 listener_index) return &ctx->connection; } +int +tls_custom_tx_callback (void *session, u32 max_burst_size) +{ + session_t *app_session = (session_t *) session; + tls_ctx_t *ctx; + + if (PREDICT_FALSE (app_session->session_state + >= SESSION_STATE_TRANSPORT_CLOSED)) + return 0; + + ctx = tls_ctx_get (app_session->connection_index); + tls_ctx_write (ctx, app_session); + return 0; +} + u8 * format_tls_ctx (u8 * s, va_list * args) { + u32 tcp_si, tcp_ti, ctx_index, ctx_engine, app_si, app_ti; tls_ctx_t *ctx = va_arg (*args, tls_ctx_t *); - u32 thread_index = va_arg (*args, u32); - u32 child_si, child_ti; - session_parse_handle (ctx->tls_session_handle, &child_si, &child_ti); - if (thread_index != child_ti) - clib_warning ("app and tls sessions are on different threads!"); + session_parse_handle (ctx->tls_session_handle, &tcp_si, &tcp_ti); + tls_ctx_parse_handle (ctx->tls_ctx_handle, &ctx_index, &ctx_engine); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u index %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx_index, + ctx_engine, tcp_ti, tcp_si); + + return s; +} + +static u8 * +format_tls_listener_ctx (u8 * s, va_list * args) +{ + session_t *tls_listener; + app_listener_t *al; + u32 app_si, app_ti; + tls_ctx_t *ctx; + + ctx = va_arg (*args, tls_ctx_t *); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine, + tls_listener->thread_index, tls_listener->session_index); + + return s; +} + +static u8 * +format_tls_ctx_state (u8 * s, va_list * args) +{ + tls_ctx_t *ctx; + session_t *ts; + + ctx = va_arg (*args, tls_ctx_t *); + ts = session_get_from_handle (ctx->app_session_handle); + if (ts->session_state == SESSION_STATE_LISTENING) + s = format (s, "%s", "LISTEN"); + else if (tls_ctx_handshake_is_over (ctx)) + s = format (s, "%s", "ESTABLISHED"); + else + s = format (s, "%s", "HANDSHAKE"); - s = format (s, "[#%d][TLS] app %u child %u", child_ti, - ctx->parent_app_wrk_index, child_si); return s; } @@ -691,12 +773,10 @@ format_tls_connection (u8 * s, va_list * args) if (!ctx) return s; - s = format (s, "%-50U", format_tls_ctx, ctx, thread_index); + s = format (s, "%-50U", format_tls_ctx, ctx); if (verbose) { - session_t *ts; - ts = session_get_from_handle (ctx->app_session_handle); - s = format (s, "state: %-7u", ts->session_state); + s = format (s, "%-15U", format_tls_ctx_state, ctx); if (verbose > 1) s = format (s, "\n"); } @@ -707,44 +787,74 @@ u8 * format_tls_listener (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); - u32 __clib_unused verbose = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); + u32 verbose = va_arg (*args, u32); tls_ctx_t *ctx = tls_listener_ctx_get (tc_index); - u32 listener_index, thread_index; - listen_session_parse_handle (ctx->tls_session_handle, &listener_index, - &thread_index); - return format (s, "[TLS] listener app %u child %u", - ctx->parent_app_wrk_index, listener_index); + s = format (s, "%-50U", format_tls_listener_ctx, ctx); + if (verbose) + s = format (s, "%-15U", format_tls_ctx_state, ctx); + return s; } u8 * format_tls_half_open (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index); s = format (s, "[TLS] half-open app %u", ctx->parent_app_wrk_index); tls_ctx_half_open_reader_unlock (); return s; } +static void +tls_transport_endpoint_get (u32 ctx_handle, u32 thread_index, + transport_endpoint_t * tep, u8 is_lcl) +{ + tls_ctx_t *ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); + session_t *tcp_session; + + tcp_session = session_get_from_handle (ctx->tls_session_handle); + session_get_endpoint (tcp_session, tep, is_lcl); +} + +static void +tls_transport_listener_endpoint_get (u32 ctx_handle, + transport_endpoint_t * tep, u8 is_lcl) +{ + session_t *tls_listener; + app_listener_t *al; + tls_ctx_t *ctx = tls_listener_ctx_get (ctx_handle); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_get_endpoint (tls_listener, tep, is_lcl); +} + /* *INDENT-OFF* */ -const static transport_proto_vft_t tls_proto = { +static const transport_proto_vft_t tls_proto = { .connect = tls_connect, .close = tls_disconnect, .start_listen = tls_start_listen, .stop_listen = tls_stop_listen, .get_connection = tls_connection_get, .get_listener = tls_listener_get, - .tx_type = TRANSPORT_TX_INTERNAL, - .service_type = TRANSPORT_SERVICE_APP, + .custom_tx = tls_custom_tx_callback, .format_connection = format_tls_connection, .format_half_open = format_tls_half_open, .format_listener = format_tls_listener, + .get_transport_endpoint = tls_transport_endpoint_get, + .get_transport_listener_endpoint = tls_transport_listener_endpoint_get, + .transport_options = { + .tx_type = TRANSPORT_TX_INTERNAL, + .service_type = TRANSPORT_SERVICE_APP, + }, }; /* *INDENT-ON* */ void -tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) +tls_register_engine (const tls_engine_vft_t * vft, crypto_engine_type_t type) { vec_validate (tls_vfts, type); tls_vfts[type] = *vft; @@ -753,14 +863,15 @@ tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) static clib_error_t * tls_init (vlib_main_t * vm) { + u32 add_segment_size = 256 << 20, first_seg_size = 32 << 20; vlib_thread_main_t *vtm = vlib_get_thread_main (); + u32 num_threads, fifo_size = 128 << 10; vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; - u32 segment_size = 512 << 20; tls_main_t *tm = &tls_main; - u32 fifo_size = 64 << 10; - u32 num_threads; + first_seg_size = tm->first_seg_size ? tm->first_seg_size : first_seg_size; + fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size; num_threads = 1 /* main thread */ + vtm->n_threads; clib_memset (a, 0, sizeof (*a)); @@ -770,8 +881,8 @@ tls_init (vlib_main_t * vm) a->api_client_index = APP_INVALID_INDEX; a->options = options; a->name = format (0, "tls"); - a->options[APP_OPTIONS_SEGMENT_SIZE] = segment_size; - a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = segment_size; + a->options[APP_OPTIONS_SEGMENT_SIZE] = first_seg_size; + a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = add_segment_size; a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; @@ -807,12 +918,25 @@ static clib_error_t * tls_config_fn (vlib_main_t * vm, unformat_input_t * input) { tls_main_t *tm = &tls_main; + uword tmp; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (unformat (input, "use-test-cert-in-ca")) tm->use_test_cert_in_ca = 1; else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path)) ; + else if (unformat (input, "first-segment-size %U", unformat_memory_size, + &tm->first_seg_size)) + ; + else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp)) + { + if (tmp >= 0x100000000ULL) + { + return clib_error_return + (0, "fifo-size %llu (0x%llx) too large", tmp, tmp); + } + tm->fifo_size = tmp; + } else return clib_error_return (0, "unknown input `%U'", format_unformat_error, input);