X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=c2616fdde23866f1f6403795054cdd6872ad15be;hb=985d9293a08dc3da016fbeeaa3f8fff10e1b504e;hp=65900c8b2cf148b8ae2871459ef26aaca2bb8c90;hpb=d77eee64b17762bf21f8dbe0b9f955513f81f1a5;p=vpp.git diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c index 65900c8b2cf..c2616fdde23 100644 --- a/src/vnet/tls/tls.c +++ b/src/vnet/tls/tls.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018 Cisco and/or its affiliates. + * Copyright (c) 2018-2019 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -20,71 +20,75 @@ static tls_main_t tls_main; static tls_engine_vft_t *tls_vfts; -#define DEFAULT_ENGINE 0 -void tls_disconnect (u32 ctx_index, u32 thread_index); +#define TLS_INVALID_HANDLE ~0 +#define TLS_IDX_MASK 0x00FFFFFF +#define TLS_ENGINE_TYPE_SHIFT 29 -int -tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type) -{ - session_fifo_event_t evt; - svm_queue_t *q; +void tls_disconnect (u32 ctx_handle, u32 thread_index); - if (svm_fifo_set_event (f)) - { - evt.fifo = f; - evt.event_type = evt_type; +void +tls_disconnect_transport (tls_ctx_t * ctx) +{ + vnet_disconnect_args_t a = { + .handle = ctx->tls_session_handle, + .app_index = tls_main.app_index, + }; - q = session_manager_get_vpp_event_queue (f->master_thread_index); - if (PREDICT_TRUE (q->cursize < q->maxsize)) - { - svm_queue_add (q, (u8 *) & evt, 0 /* do wait for mutex */ ); - } - else - { - clib_warning ("vpp's evt q full"); - return -1; - } - } - return 0; + if (vnet_disconnect_session (&a)) + clib_warning ("disconnect returned"); } -static inline int -tls_add_app_q_evt (application_t * app, stream_session_t * app_session) +crypto_engine_type_t +tls_get_available_engine (void) { - session_fifo_event_t evt; - svm_queue_t *q; - - if (PREDICT_FALSE (app_session->session_state == SESSION_STATE_CLOSED)) + int i; + for (i = 0; i < vec_len (tls_vfts); i++) { - /* Session is closed so app will never clean up. Flush rx fifo */ - u32 to_dequeue = svm_fifo_max_dequeue (app_session->server_rx_fifo); - if (to_dequeue) - svm_fifo_dequeue_drop (app_session->server_rx_fifo, to_dequeue); - return 0; + if (tls_vfts[i].ctx_alloc) + return i; } + return CRYPTO_ENGINE_NONE; +} - if (app->cb_fns.builtin_app_rx_callback) - return app->cb_fns.builtin_app_rx_callback (app_session); +int +tls_add_vpp_q_rx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->rx_fifo)) + session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_RX); + return 0; +} - if (svm_fifo_set_event (app_session->server_rx_fifo)) - { - evt.fifo = app_session->server_rx_fifo; - evt.event_type = FIFO_EVENT_APP_RX; - q = app->event_queue; +int +tls_add_vpp_q_builtin_rx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->rx_fifo)) + session_send_io_evt_to_thread (s->rx_fifo, SESSION_IO_EVT_BUILTIN_RX); + return 0; +} - if (PREDICT_TRUE (q->cursize < q->maxsize)) - { - svm_queue_add (q, (u8 *) & evt, 0 /* do wait for mutex */ ); - } - else - { - clib_warning ("app evt q full"); - return -1; - } - } +int +tls_add_vpp_q_tx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->tx_fifo)) + session_send_io_evt_to_thread (s->tx_fifo, SESSION_IO_EVT_TX); + return 0; +} + +int +tls_add_vpp_q_builtin_tx_evt (session_t * s) +{ + if (svm_fifo_set_event (s->tx_fifo)) + session_send_io_evt_to_thread_custom (s, s->thread_index, + SESSION_IO_EVT_BUILTIN_TX); return 0; } +static inline int +tls_add_app_q_evt (app_worker_t * app, session_t * app_session) +{ + return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX); +} + u32 tls_listener_ctx_alloc (void) { @@ -92,13 +96,15 @@ tls_listener_ctx_alloc (void) tls_ctx_t *ctx; pool_get (tm->listener_ctx_pool, ctx); - memset (ctx, 0, sizeof (*ctx)); + clib_memset (ctx, 0, sizeof (*ctx)); return ctx - tm->listener_ctx_pool; } void tls_listener_ctx_free (tls_ctx_t * ctx) { + if (CLIB_DEBUG) + memset (ctx, 0xfb, sizeof (*ctx)); pool_put (tls_main.listener_ctx_pool, ctx); } @@ -127,16 +133,18 @@ tls_ctx_half_open_alloc (void) { clib_rwlock_writer_lock (&tm->half_open_rwlock); pool_get (tm->half_open_ctx_pool, ctx); - memset (ctx, 0, sizeof (*ctx)); ctx_index = ctx - tm->half_open_ctx_pool; clib_rwlock_writer_unlock (&tm->half_open_rwlock); } else { + /* reader lock assumption: only main thread will call pool_get */ + clib_rwlock_reader_lock (&tm->half_open_rwlock); pool_get (tm->half_open_ctx_pool, ctx); - memset (ctx, 0, sizeof (*ctx)); ctx_index = ctx - tm->half_open_ctx_pool; + clib_rwlock_reader_unlock (&tm->half_open_rwlock); } + clib_memset (ctx, 0, sizeof (*ctx)); return ctx_index; } @@ -169,353 +177,340 @@ tls_ctx_half_open_index (tls_ctx_t * ctx) return (ctx - tls_main.half_open_ctx_pool); } -static int +void +tls_notify_app_enqueue (tls_ctx_t * ctx, session_t * app_session) +{ + app_worker_t *app_wrk; + app_wrk = app_worker_get_if_valid (app_session->app_wrk_index); + if (PREDICT_TRUE (app_wrk != 0)) + tls_add_app_q_evt (app_wrk, app_session); +} + +int tls_notify_app_accept (tls_ctx_t * ctx) { - stream_session_t *app_listener, *app_session; - segment_manager_t *sm; - application_t *app; + session_t *app_listener, *app_session; + app_worker_t *app_wrk; tls_ctx_t *lctx; int rv; - app = application_get (ctx->parent_app_index); lctx = tls_listener_ctx_get (ctx->listener_ctx_index); app_listener = listen_session_get_from_handle (lctx->app_session_handle); - sm = application_get_listen_segment_manager (app, app_listener); - app_session = session_alloc (vlib_get_thread_index ()); - app_session->app_index = ctx->parent_app_index; - app_session->connection_index = ctx->tls_ctx_idx; + app_session = session_get (ctx->c_s_index, ctx->c_thread_index); + app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = app_listener->session_type; - app_session->listener_index = app_listener->session_index; - if ((rv = session_alloc_fifos (sm, app_session))) + app_session->listener_handle = listen_session_get_handle (app_listener); + app_session->session_state = SESSION_STATE_ACCEPTING; + + if ((rv = app_worker_init_accepted (app_session))) { TLS_DBG (1, "failed to allocate fifos"); + session_free (app_session); return rv; } - ctx->c_s_index = app_session->session_index; ctx->app_session_handle = session_handle (app_session); - return app->cb_fns.session_accept_callback (app_session); + ctx->parent_app_wrk_index = app_session->app_wrk_index; + app_wrk = app_worker_get (app_session->app_wrk_index); + return app_worker_accept_notify (app_wrk, app_session); } -static int +int tls_notify_app_connected (tls_ctx_t * ctx, u8 is_failed) { - int (*cb_fn) (u32, u32, stream_session_t *, u8); - stream_session_t *app_session; - segment_manager_t *sm; - application_t *app; + session_t *app_session; + app_worker_t *app_wrk; - app = application_get (ctx->parent_app_index); - cb_fn = app->cb_fns.session_connected_callback; + app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index); + if (!app_wrk) + { + tls_disconnect_transport (ctx); + return -1; + } if (is_failed) goto failed; - sm = application_get_connect_segment_manager (app); - app_session = session_alloc (vlib_get_thread_index ()); - app_session->app_index = ctx->parent_app_index; - app_session->connection_index = ctx->tls_ctx_idx; + app_session = session_get (ctx->c_s_index, ctx->c_thread_index); + app_session->app_wrk_index = ctx->parent_app_wrk_index; + app_session->connection_index = ctx->tls_ctx_handle; app_session->session_type = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4); - if (session_alloc_fifos (sm, app_session)) + + if (app_worker_init_connected (app_wrk, app_session)) goto failed; - ctx->app_session_handle = session_handle (app_session); - ctx->c_s_index = app_session->session_index; - app_session->session_state = SESSION_STATE_READY; - if (cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, - app_session, 0 /* not failed */ )) + app_session->session_state = SESSION_STATE_CONNECTING; + if (app_worker_connect_notify (app_wrk, app_session, + ctx->parent_app_api_context)) { TLS_DBG (1, "failed to notify app"); - tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ()); + tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + return -1; } + ctx->app_session_handle = session_handle (app_session); + app_session->session_state = SESSION_STATE_READY; + return 0; failed: - return cb_fn (ctx->parent_app_index, ctx->parent_app_api_context, 0, - 1 /* failed */ ); + /* Free app session pre-allocated when transport was established */ + session_free (session_get (ctx->c_s_index, ctx->c_thread_index)); + ctx->no_app_session = 1; + tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ()); + return app_worker_connect_notify (app_wrk, 0, ctx->parent_app_api_context); } -static inline u32 -tls_ctx_alloc (void) +static inline void +tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type) { - return tls_vfts[DEFAULT_ENGINE].ctx_alloc (); + *ctx_index = ctx_handle & TLS_IDX_MASK; + *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT; } -static inline void -tls_ctx_free (tls_ctx_t * ctx) +static inline crypto_engine_type_t +tls_get_engine_type (crypto_engine_type_t preferred) { - vec_free (ctx->srv_hostname); - tls_vfts[DEFAULT_ENGINE].ctx_free (ctx); + if (!tls_vfts[preferred].ctx_alloc) + return tls_get_available_engine (); + return preferred; +} + +static inline u32 +tls_ctx_alloc (crypto_engine_type_t engine_type) +{ + u32 ctx_index; + ctx_index = tls_vfts[engine_type].ctx_alloc (); + return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index); } static inline tls_ctx_t * -tls_ctx_get (u32 ctx_index) +tls_ctx_get (u32 ctx_handle) { - return tls_vfts[DEFAULT_ENGINE].ctx_get (ctx_index); + u32 ctx_index, engine_type; + tls_ctx_parse_handle (ctx_handle, &ctx_index, &engine_type); + return tls_vfts[engine_type].ctx_get (ctx_index); } static inline tls_ctx_t * -tls_ctx_get_w_thread (u32 ctx_index, u8 thread_index) +tls_ctx_get_w_thread (u32 ctx_handle, u8 thread_index) { - return tls_vfts[DEFAULT_ENGINE].ctx_get_w_thread (ctx_index, thread_index); + u32 ctx_index, engine_type; + tls_ctx_parse_handle (ctx_handle, &ctx_index, &engine_type); + return tls_vfts[engine_type].ctx_get_w_thread (ctx_index, thread_index); } static inline int tls_ctx_init_server (tls_ctx_t * ctx) { - return tls_vfts[DEFAULT_ENGINE].ctx_init_server (ctx); + return tls_vfts[ctx->tls_ctx_engine].ctx_init_server (ctx); } static inline int tls_ctx_init_client (tls_ctx_t * ctx) { - return tls_vfts[DEFAULT_ENGINE].ctx_init_client (ctx); + return tls_vfts[ctx->tls_ctx_engine].ctx_init_client (ctx); } static inline int -tls_ctx_write (tls_ctx_t * ctx, u8 * buf, u32 len) +tls_ctx_write (tls_ctx_t * ctx, session_t * app_session) { - return tls_vfts[DEFAULT_ENGINE].ctx_write (ctx, buf, len); + return tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session); } static inline int -tls_ctx_read (tls_ctx_t * ctx, u8 * buf, u32 len) +tls_ctx_read (tls_ctx_t * ctx, session_t * tls_session) { - return tls_vfts[DEFAULT_ENGINE].ctx_read (ctx, buf, len); + return tls_vfts[ctx->tls_ctx_engine].ctx_read (ctx, tls_session); } -static inline u8 -tls_ctx_handshake_is_over (tls_ctx_t * ctx) +static inline int +tls_ctx_transport_close (tls_ctx_t * ctx) { - return tls_vfts[DEFAULT_ENGINE].ctx_handshake_is_over (ctx); + return tls_vfts[ctx->tls_ctx_engine].ctx_transport_close (ctx); } static inline int -tls_handshake_rx (tls_ctx_t * ctx) +tls_ctx_app_close (tls_ctx_t * ctx) { - int rv; - rv = tls_vfts[DEFAULT_ENGINE].ctx_handshake_rx (ctx); + return tls_vfts[ctx->tls_ctx_engine].ctx_app_close (ctx); +} - switch (rv) - { - case CLIENT_HANDSHAKE_OK: - tls_notify_app_connected (ctx, /* is failed */ 0); - break; - case CLIENT_HANDSHAKE_FAIL: - tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ()); - tls_notify_app_connected (ctx, /* is failed */ 1); - break; - case SERVER_HANDSHAKE_OK: - tls_notify_app_accept (ctx); - break; - default: - return 0; - } - return 0; +void +tls_ctx_free (tls_ctx_t * ctx) +{ + tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx); +} + +u8 +tls_ctx_handshake_is_over (tls_ctx_t * ctx) +{ + return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx); } void -tls_session_reset_callback (stream_session_t * s) +tls_session_reset_callback (session_t * s) { - clib_warning ("called..."); + tls_ctx_t *ctx; + transport_connection_t *tc; + session_t *app_session; + + ctx = tls_ctx_get (s->opaque); + tc = &ctx->connection; + if (tls_ctx_handshake_is_over (ctx)) + { + session_transport_reset_notify (tc); + session_transport_closed_notify (tc); + } + else if ((app_session = session_get (tc->s_index, tc->thread_index))) + session_free (app_session); + tls_disconnect_transport (ctx); } int -tls_add_segment_callback (u32 client_index, const ssvm_private_t * fs) +tls_add_segment_callback (u32 client_index, u64 segment_handle) { /* No-op for builtin */ return 0; } int -tls_del_segment_callback (u32 client_index, const ssvm_private_t * fs) +tls_del_segment_callback (u32 client_index, u64 segment_handle) { return 0; } void -tls_session_disconnect_callback (stream_session_t * tls_session) +tls_session_disconnect_callback (session_t * tls_session) { - stream_session_t *app_session; tls_ctx_t *ctx; - application_t *app; - ctx = tls_ctx_get (tls_session->opaque); - if (!tls_ctx_handshake_is_over (ctx)) - { - stream_session_disconnect (tls_session); - return; - } + TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque, + tls_session->session_index); + + ASSERT (tls_session->thread_index == vlib_get_thread_index () + || vlib_thread_is_main_w_barrier ()); + + ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index); ctx->is_passive_close = 1; - app = application_get (ctx->parent_app_index); - app_session = session_get_from_handle (ctx->app_session_handle); - app->cb_fns.session_disconnect_callback (app_session); + tls_ctx_transport_close (ctx); } int -tls_session_accept_callback (stream_session_t * tls_session) +tls_session_accept_callback (session_t * tls_session) { - stream_session_t *tls_listener; + session_t *tls_listener, *app_session; tls_ctx_t *lctx, *ctx; - u32 ctx_index; + u32 ctx_handle; - tls_listener = listen_session_get (tls_session->session_type, - tls_session->listener_index); + tls_listener = + listen_session_get_from_handle (tls_session->listener_handle); lctx = tls_listener_ctx_get (tls_listener->opaque); - ctx_index = tls_ctx_alloc (); - ctx = tls_ctx_get (ctx_index); + + ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine); + ctx = tls_ctx_get (ctx_handle); memcpy (ctx, lctx, sizeof (*lctx)); ctx->c_thread_index = vlib_get_thread_index (); - ctx->tls_ctx_idx = ctx_index; + ctx->tls_ctx_handle = ctx_handle; tls_session->session_state = SESSION_STATE_READY; - tls_session->opaque = ctx_index; + tls_session->opaque = ctx_handle; ctx->tls_session_handle = session_handle (tls_session); ctx->listener_ctx_index = tls_listener->opaque; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; + ctx->ckpair_index = lctx->ckpair_index; - TLS_DBG (1, "Accept on listener %u new connection [%u]%u", - tls_listener->opaque, vlib_get_thread_index (), ctx_index); - - return tls_ctx_init_server (ctx); -} - -int -tls_app_tx_callback (stream_session_t * app_session) -{ - stream_session_t *tls_session; - tls_ctx_t *ctx; - static u8 *tmp_buf; - u32 enq_max, deq_max, deq_now; - int wrote; - - ctx = tls_ctx_get (app_session->connection_index); - if (!tls_ctx_handshake_is_over (ctx)) - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - - deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo); - if (!deq_max) - return 0; - - tls_session = session_get_from_handle (ctx->tls_session_handle); - enq_max = svm_fifo_max_enqueue (tls_session->server_tx_fifo); - deq_now = clib_min (deq_max, TLS_CHUNK_SIZE); - - if (PREDICT_FALSE (enq_max == 0)) - { - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - return 0; - } - - vec_validate (tmp_buf, deq_now); - svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now, tmp_buf); - wrote = tls_ctx_write (ctx, tmp_buf, deq_now); - if (wrote <= 0) - { - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); - return 0; - } - - svm_fifo_dequeue_drop (app_session->server_tx_fifo, wrote); - vec_reset_length (tmp_buf); - - tls_add_vpp_q_evt (tls_session->server_tx_fifo, FIFO_EVENT_APP_TX); + /* Preallocate app session. Avoids allocating a session post handshake + * on tls_session rx and potentially invalidating the session pool */ + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; + ctx->c_s_index = app_session->session_index; - if (deq_now < deq_max) - tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX); + TLS_DBG (1, "Accept on listener %u new connection [%u]%x", + tls_listener->opaque, vlib_get_thread_index (), ctx_handle); - return 0; + return tls_ctx_init_server (ctx); } int -tls_app_rx_callback (stream_session_t * tls_session) +tls_app_rx_callback (session_t * tls_session) { - stream_session_t *app_session; - u32 deq_max, enq_max, enq_now; - application_t *app; - static u8 *tmp_buf; tls_ctx_t *ctx; - int read, enq; ctx = tls_ctx_get (tls_session->opaque); - if (!tls_ctx_handshake_is_over (ctx)) - return tls_handshake_rx (ctx); - - deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo); - if (!deq_max) - return 0; - - app_session = session_get_from_handle (ctx->app_session_handle); - enq_max = svm_fifo_max_enqueue (app_session->server_rx_fifo); - enq_now = clib_min (enq_max, TLS_CHUNK_SIZE); - - if (PREDICT_FALSE (enq_now == 0)) - { - tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); - return 0; - } - - vec_validate (tmp_buf, enq_now); - read = tls_ctx_read (ctx, tmp_buf, enq_now); - if (read <= 0) - { - tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); - return 0; - } - - enq = svm_fifo_enqueue_nowait (app_session->server_rx_fifo, read, tmp_buf); - ASSERT (enq == read); - vec_reset_length (tmp_buf); - - if (svm_fifo_max_dequeue (tls_session->server_rx_fifo)) - tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX); - - app = application_get_if_valid (app_session->app_index); - return tls_add_app_q_evt (app, app_session); + tls_ctx_read (ctx, tls_session); + return 0; } int tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index, - stream_session_t * tls_session, u8 is_fail) + session_t * tls_session, u8 is_fail) { - int (*cb_fn) (u32, u32, stream_session_t *, u8); - application_t *app; + session_t *app_session; tls_ctx_t *ho_ctx, *ctx; - u32 ctx_index; + u32 ctx_handle; ho_ctx = tls_ctx_half_open_get (ho_ctx_index); - app = application_get (ho_ctx->parent_app_index); - cb_fn = app->cb_fns.session_connected_callback; if (is_fail) { + app_worker_t *app_wrk; + u32 api_context; + int rv = 0; + + app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index); + if (app_wrk) + { + api_context = ho_ctx->c_s_index; + app_worker_connect_notify (app_wrk, 0, api_context); + } tls_ctx_half_open_reader_unlock (); tls_ctx_half_open_free (ho_ctx_index); - return cb_fn (ho_ctx->parent_app_index, ho_ctx->c_s_index, 0, - 1 /* failed */ ); + return rv; } - ctx_index = tls_ctx_alloc (); - ctx = tls_ctx_get (ctx_index); - clib_memcpy (ctx, ho_ctx, sizeof (*ctx)); + ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine); + ctx = tls_ctx_get (ctx_handle); + clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx)); tls_ctx_half_open_reader_unlock (); tls_ctx_half_open_free (ho_ctx_index); ctx->c_thread_index = vlib_get_thread_index (); - ctx->tls_ctx_idx = ctx_index; + ctx->tls_ctx_handle = ctx_handle; + ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP; - TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%u", + TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x", ho_ctx_index, is_fail, vlib_get_thread_index (), - (ctx) ? ctx_index : ~0); + (ctx) ? ctx_handle : ~0); ctx->tls_session_handle = session_handle (tls_session); - tls_session->opaque = ctx_index; + tls_session->opaque = ctx_handle; tls_session->session_state = SESSION_STATE_READY; + /* Preallocate app session. Avoids allocating a session post handshake + * on tls_session rx and potentially invalidating the session pool */ + app_session = session_alloc (ctx->c_thread_index); + app_session->session_state = SESSION_STATE_CREATED; + ctx->c_s_index = app_session->session_index; + return tls_ctx_init_client (ctx); } +static void +tls_app_session_cleanup (session_t * s, session_cleanup_ntf_t ntf) +{ + tls_ctx_t *ctx; + + if (ntf == SESSION_CLEANUP_TRANSPORT) + return; + + ctx = tls_ctx_get (s->opaque); + if (!ctx->no_app_session) + session_transport_delete_notify (&ctx->connection); + tls_ctx_free (ctx); +} + /* *INDENT-OFF* */ static session_cb_vft_t tls_app_cb_vft = { .session_accept_callback = tls_session_accept_callback, @@ -525,26 +520,36 @@ static session_cb_vft_t tls_app_cb_vft = { .add_segment_callback = tls_add_segment_callback, .del_segment_callback = tls_del_segment_callback, .builtin_app_rx_callback = tls_app_rx_callback, - .builtin_app_tx_callback = tls_app_tx_callback, + .session_cleanup_callback = tls_app_session_cleanup, }; /* *INDENT-ON* */ int -tls_connect (transport_endpoint_t * tep) +tls_connect (transport_endpoint_cfg_t * tep) { - session_endpoint_extended_t *sep; - session_endpoint_t tls_sep; + vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs; + session_endpoint_cfg_t *sep; + crypto_engine_type_t engine_type; tls_main_t *tm = &tls_main; + app_worker_t *app_wrk; application_t *app; tls_ctx_t *ctx; u32 ctx_index; int rv; - sep = (session_endpoint_extended_t *) tep; + sep = (session_endpoint_cfg_t *) tep; + app_wrk = app_worker_get (sep->app_wrk_index); + app = application_get (app_wrk->app_index); + engine_type = tls_get_engine_type (app->tls_engine); + if (engine_type == CRYPTO_ENGINE_NONE) + { + clib_warning ("No tls engine_type available"); + return -1; + } ctx_index = tls_ctx_half_open_alloc (); ctx = tls_ctx_half_open_get (ctx_index); - ctx->parent_app_index = sep->app_index; + ctx->parent_app_wrk_index = sep->app_wrk_index; ctx->parent_app_api_context = sep->opaque; ctx->tcp_is_ip4 = sep->is_ip4; if (sep->hostname) @@ -554,84 +559,119 @@ tls_connect (transport_endpoint_t * tep) } tls_ctx_half_open_reader_unlock (); - app = application_get (sep->app_index); - application_alloc_connects_segment_manager (app); + app_worker_alloc_connects_segment_manager (app_wrk); + ctx->tls_ctx_engine = engine_type; - clib_memcpy (&tls_sep, sep, sizeof (tls_sep)); - tls_sep.transport_proto = TRANSPORT_PROTO_TCP; - if ((rv = application_connect (tm->app_index, ctx_index, &tls_sep))) + clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t)); + cargs->sep.transport_proto = TRANSPORT_PROTO_TCP; + cargs->app_index = tm->app_index; + cargs->api_context = ctx_index; + cargs->sep_ext.ns_index = app->ns_index; + if ((rv = vnet_connect (cargs))) return rv; - TLS_DBG (1, "New connect request %u", ctx_index); + TLS_DBG (1, "New connect request %u engine %d", ctx_index, engine_type); return 0; } void -tls_disconnect (u32 ctx_index, u32 thread_index) +tls_disconnect (u32 ctx_handle, u32 thread_index) { - stream_session_t *tls_session, *app_session; tls_ctx_t *ctx; - TLS_DBG (1, "Disconnecting %u", ctx_index); + TLS_DBG (1, "Disconnecting %x", ctx_handle); - ctx = tls_ctx_get (ctx_index); - tls_session = session_get_from_handle (ctx->tls_session_handle); - stream_session_disconnect (tls_session); - - app_session = session_get_from_handle_if_valid (ctx->app_session_handle); - if (app_session) - { - segment_manager_dealloc_fifos (app_session->svm_segment_index, - app_session->server_rx_fifo, - app_session->server_tx_fifo); - session_free (app_session); - } - tls_ctx_free (ctx); + ctx = tls_ctx_get (ctx_handle); + tls_ctx_app_close (ctx); } u32 tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep) { + vnet_listen_args_t _bargs, *args = &_bargs; + app_worker_t *app_wrk; tls_main_t *tm = &tls_main; - application_t *tls_app; - session_handle_t tls_handle; - session_endpoint_extended_t *sep; - stream_session_t *tls_listener; + session_handle_t tls_al_handle; + session_endpoint_cfg_t *sep; + session_t *tls_listener; + session_t *app_listener; + crypto_engine_type_t engine_type; + application_t *app; + app_listener_t *al; tls_ctx_t *lctx; u32 lctx_index; - session_type_t st; - stream_session_t *app_listener; - sep = (session_endpoint_extended_t *) tep; - lctx_index = tls_listener_ctx_alloc (); - lctx = tls_listener_ctx_get (lctx_index); - st = session_type_from_proto_and_ip (sep->transport_proto, sep->is_ip4); - app_listener = listen_session_get (st, app_listener_index); + sep = (session_endpoint_cfg_t *) tep; + app_wrk = app_worker_get (sep->app_wrk_index); + app = application_get (app_wrk->app_index); + engine_type = tls_get_engine_type (app->tls_engine); + if (engine_type == CRYPTO_ENGINE_NONE) + { + clib_warning ("No tls engine_type available"); + return -1; + } - tls_app = application_get (tm->app_index); - sep->transport_proto = TRANSPORT_PROTO_TCP; - if (application_start_listen (tls_app, (session_endpoint_t *) sep, - &tls_handle)) - return ~0; + clib_memset (args, 0, sizeof (*args)); + args->app_index = tm->app_index; + args->sep_ext = *sep; + args->sep_ext.ns_index = app->ns_index; + args->sep_ext.transport_proto = TRANSPORT_PROTO_TCP; + if (vnet_listen (args)) + return -1; - tls_listener = listen_session_get_from_handle (tls_handle); + lctx_index = tls_listener_ctx_alloc (); + tls_al_handle = args->handle; + al = app_listener_get_w_handle (tls_al_handle); + tls_listener = app_listener_get_session (al); tls_listener->opaque = lctx_index; - lctx->parent_app_index = sep->app_index; - lctx->tls_session_handle = tls_handle; + + app_listener = listen_session_get (app_listener_index); + + lctx = tls_listener_ctx_get (lctx_index); + lctx->parent_app_wrk_index = sep->app_wrk_index; + lctx->tls_session_handle = tls_al_handle; lctx->app_session_handle = listen_session_get_handle (app_listener); lctx->tcp_is_ip4 = sep->is_ip4; + lctx->tls_ctx_engine = engine_type; + lctx->ckpair_index = sep->ckpair_index; + + if (tls_vfts[engine_type].ctx_start_listen (lctx)) + { + vnet_unlisten_args_t a = { + .handle = lctx->tls_session_handle, + .app_index = tls_main.app_index, + .wrk_map_index = 0 + }; + if ((vnet_unlisten (&a))) + clib_warning ("unlisten returned"); + tls_listener_ctx_free (lctx); + lctx_index = SESSION_INVALID_INDEX; + } + + TLS_DBG (1, "Started listening %d, engine type %d", lctx_index, + engine_type); return lctx_index; } u32 tls_stop_listen (u32 lctx_index) { - tls_main_t *tm = &tls_main; - application_t *tls_app; + crypto_engine_type_t engine_type; tls_ctx_t *lctx; + int rv; + lctx = tls_listener_ctx_get (lctx_index); - tls_app = application_get (tm->app_index); - application_stop_listen (tls_app, lctx->tls_session_handle); + vnet_unlisten_args_t a = { + .handle = lctx->tls_session_handle, + .app_index = tls_main.app_index, + .wrk_map_index = 0 /* default wrk */ + }; + if ((rv = vnet_unlisten (&a))) + clib_warning ("unlisten returned %d", rv); + + engine_type = lctx->tls_ctx_engine; + tls_vfts[engine_type].ctx_stop_listen (lctx); + tls_listener_ctx_free (lctx); return 0; } @@ -652,19 +692,72 @@ tls_listener_get (u32 listener_index) return &ctx->connection; } +int +tls_custom_tx_callback (void *session, u32 max_burst_size) +{ + session_t *app_session = (session_t *) session; + tls_ctx_t *ctx; + + if (PREDICT_FALSE (app_session->session_state + >= SESSION_STATE_TRANSPORT_CLOSED)) + return 0; + + ctx = tls_ctx_get (app_session->connection_index); + tls_ctx_write (ctx, app_session); + return 0; +} + u8 * format_tls_ctx (u8 * s, va_list * args) { + u32 tcp_si, tcp_ti, ctx_index, ctx_engine, app_si, app_ti; tls_ctx_t *ctx = va_arg (*args, tls_ctx_t *); - u32 thread_index = va_arg (*args, u32); - u32 child_si, child_ti; - session_parse_handle (ctx->tls_session_handle, &child_si, &child_ti); - if (thread_index != child_ti) - clib_warning ("app and tls sessions are on different threads!"); + session_parse_handle (ctx->tls_session_handle, &tcp_si, &tcp_ti); + tls_ctx_parse_handle (ctx->tls_ctx_handle, &ctx_index, &ctx_engine); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u index %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx_index, + ctx_engine, tcp_ti, tcp_si); + + return s; +} + +static u8 * +format_tls_listener_ctx (u8 * s, va_list * args) +{ + session_t *tls_listener; + app_listener_t *al; + u32 app_si, app_ti; + tls_ctx_t *ctx; + + ctx = va_arg (*args, tls_ctx_t *); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_parse_handle (ctx->app_session_handle, &app_si, &app_ti); + s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d", + app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine, + tls_listener->thread_index, tls_listener->session_index); + + return s; +} + +static u8 * +format_tls_ctx_state (u8 * s, va_list * args) +{ + tls_ctx_t *ctx; + session_t *ts; + + ctx = va_arg (*args, tls_ctx_t *); + ts = session_get_from_handle (ctx->app_session_handle); + if (ts->session_state == SESSION_STATE_LISTENING) + s = format (s, "%s", "LISTEN"); + else if (tls_ctx_handshake_is_over (ctx)) + s = format (s, "%s", "ESTABLISHED"); + else + s = format (s, "%s", "HANDSHAKE"); - s = format (s, "[#%d][TLS] app %u child %u", child_ti, - ctx->parent_app_index, child_si); return s; } @@ -680,10 +773,10 @@ format_tls_connection (u8 * s, va_list * args) if (!ctx) return s; - s = format (s, "%-50U", format_tls_ctx, ctx, thread_index); + s = format (s, "%-50U", format_tls_ctx, ctx); if (verbose) { - s = format (s, "%-15s", "state"); + s = format (s, "%-15U", format_tls_ctx_state, ctx); if (verbose > 1) s = format (s, "\n"); } @@ -694,68 +787,107 @@ u8 * format_tls_listener (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); + u32 verbose = va_arg (*args, u32); tls_ctx_t *ctx = tls_listener_ctx_get (tc_index); - u32 listener_index, type; - listen_session_parse_handle (ctx->tls_session_handle, &type, - &listener_index); - return format (s, "[TLS] listener app %u child %u", ctx->parent_app_index, - listener_index); + s = format (s, "%-50U", format_tls_listener_ctx, ctx); + if (verbose) + s = format (s, "%-15U", format_tls_ctx_state, ctx); + return s; } u8 * format_tls_half_open (u8 * s, va_list * args) { u32 tc_index = va_arg (*args, u32); + u32 __clib_unused thread_index = va_arg (*args, u32); tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index); - s = format (s, "[TLS] half-open app %u", ctx->parent_app_index); + s = format (s, "[TLS] half-open app %u", ctx->parent_app_wrk_index); tls_ctx_half_open_reader_unlock (); return s; } +static void +tls_transport_endpoint_get (u32 ctx_handle, u32 thread_index, + transport_endpoint_t * tep, u8 is_lcl) +{ + tls_ctx_t *ctx = tls_ctx_get_w_thread (ctx_handle, thread_index); + session_t *tcp_session; + + tcp_session = session_get_from_handle (ctx->tls_session_handle); + session_get_endpoint (tcp_session, tep, is_lcl); +} + +static void +tls_transport_listener_endpoint_get (u32 ctx_handle, + transport_endpoint_t * tep, u8 is_lcl) +{ + session_t *tls_listener; + app_listener_t *al; + tls_ctx_t *ctx = tls_listener_ctx_get (ctx_handle); + + al = app_listener_get_w_handle (ctx->tls_session_handle); + tls_listener = app_listener_get_session (al); + session_get_endpoint (tls_listener, tep, is_lcl); +} + /* *INDENT-OFF* */ -const static transport_proto_vft_t tls_proto = { - .open = tls_connect, +static const transport_proto_vft_t tls_proto = { + .connect = tls_connect, .close = tls_disconnect, - .bind = tls_start_listen, + .start_listen = tls_start_listen, + .stop_listen = tls_stop_listen, .get_connection = tls_connection_get, .get_listener = tls_listener_get, - .unbind = tls_stop_listen, - .tx_type = TRANSPORT_TX_INTERNAL, - .service_type = TRANSPORT_SERVICE_APP, + .custom_tx = tls_custom_tx_callback, .format_connection = format_tls_connection, .format_half_open = format_tls_half_open, .format_listener = format_tls_listener, + .get_transport_endpoint = tls_transport_endpoint_get, + .get_transport_listener_endpoint = tls_transport_listener_endpoint_get, + .transport_options = { + .tx_type = TRANSPORT_TX_INTERNAL, + .service_type = TRANSPORT_SERVICE_APP, + }, }; /* *INDENT-ON* */ void -tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type) +tls_register_engine (const tls_engine_vft_t * vft, crypto_engine_type_t type) { vec_validate (tls_vfts, type); tls_vfts[type] = *vft; } -clib_error_t * +static clib_error_t * tls_init (vlib_main_t * vm) { + u32 add_segment_size = 256 << 20, first_seg_size = 32 << 20; + vlib_thread_main_t *vtm = vlib_get_thread_main (); + u32 num_threads, fifo_size = 128 << 10; vnet_app_attach_args_t _a, *a = &_a; u64 options[APP_OPTIONS_N_OPTIONS]; - u32 segment_size = 512 << 20; tls_main_t *tm = &tls_main; - u32 fifo_size = 64 << 10; - memset (a, 0, sizeof (*a)); - memset (options, 0, sizeof (options)); + first_seg_size = tm->first_seg_size ? tm->first_seg_size : first_seg_size; + fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size; + num_threads = 1 /* main thread */ + vtm->n_threads; + + clib_memset (a, 0, sizeof (*a)); + clib_memset (options, 0, sizeof (options)); a->session_cb_vft = &tls_app_cb_vft; - a->api_client_index = (1 << 24) + 1; + a->api_client_index = APP_INVALID_INDEX; a->options = options; - a->options[APP_OPTIONS_SEGMENT_SIZE] = segment_size; + a->name = format (0, "tls"); + a->options[APP_OPTIONS_SEGMENT_SIZE] = first_seg_size; + a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = add_segment_size; a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size; a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN; a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE; + a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_IS_TRANSPORT_APP; if (vnet_application_attach (a)) { @@ -769,11 +901,14 @@ tls_init (vlib_main_t * vm) tm->app_index = a->app_index; clib_rwlock_init (&tm->half_open_rwlock); + vec_validate (tm->rx_bufs, num_threads - 1); + vec_validate (tm->tx_bufs, num_threads - 1); + transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, FIB_PROTOCOL_IP4, ~0); transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto, FIB_PROTOCOL_IP6, ~0); - + vec_free (a->name); return 0; } @@ -783,12 +918,25 @@ static clib_error_t * tls_config_fn (vlib_main_t * vm, unformat_input_t * input) { tls_main_t *tm = &tls_main; + uword tmp; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { if (unformat (input, "use-test-cert-in-ca")) tm->use_test_cert_in_ca = 1; else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path)) ; + else if (unformat (input, "first-segment-size %U", unformat_memory_size, + &tm->first_seg_size)) + ; + else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp)) + { + if (tmp >= 0x100000000ULL) + { + return clib_error_return + (0, "fifo-size %llu (0x%llx) too large", tmp, tmp); + } + tm->fifo_size = tmp; + } else return clib_error_return (0, "unknown input `%U'", format_unformat_error, input);