X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Ftls%2Ftls.c;h=cfe2c3a3eaef21be7c5095c9adc5332873db41a7;hb=96453fd2417ebd1d69354a7fb692976129cea80e;hp=16405707bc91ad0e232a856f7775725f3246fd06;hpb=ef2b3357b4b2a682ef81ffa2c71cec14f83101d6;p=vpp.git

diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 16405707bc9..cfe2c3a3eae 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -38,7 +38,7 @@ tls_disconnect_transport (tls_ctx_t * ctx)
     clib_warning ("disconnect returned");
 }
 
-tls_engine_type_t
+crypto_engine_type_t
 tls_get_available_engine (void)
 {
   int i;
@@ -47,7 +47,7 @@ tls_get_available_engine (void)
       if (tls_vfts[i].ctx_alloc)
 	return i;
     }
-  return TLS_ENGINE_NONE;
+  return CRYPTO_ENGINE_NONE;
 }
 
 int
@@ -274,8 +274,8 @@ tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type)
   *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT;
 }
 
-static inline tls_engine_type_t
-tls_get_engine_type (tls_engine_type_t preferred)
+static inline crypto_engine_type_t
+tls_get_engine_type (crypto_engine_type_t preferred)
 {
   if (!tls_vfts[preferred].ctx_alloc)
     return tls_get_available_engine ();
@@ -283,7 +283,7 @@ tls_get_engine_type (tls_engine_type_t preferred)
 }
 
 static inline u32
-tls_ctx_alloc (tls_engine_type_t engine_type)
+tls_ctx_alloc (crypto_engine_type_t engine_type)
 {
   u32 ctx_index;
   ctx_index = tls_vfts[engine_type].ctx_alloc ();
@@ -357,7 +357,20 @@ tls_ctx_handshake_is_over (tls_ctx_t * ctx)
 void
 tls_session_reset_callback (session_t * s)
 {
-  clib_warning ("called...");
+  tls_ctx_t *ctx;
+  transport_connection_t *tc;
+  session_t *app_session;
+
+  ctx = tls_ctx_get (s->opaque);
+  tc = &ctx->connection;
+  if (tls_ctx_handshake_is_over (ctx))
+    {
+      session_transport_reset_notify (tc);
+      session_transport_closed_notify (tc);
+    }
+  else if ((app_session = session_get (tc->s_index, tc->thread_index)))
+    session_free (app_session);
+  tls_disconnect_transport (ctx);
 }
 
 int
@@ -381,7 +394,10 @@ tls_session_disconnect_callback (session_t * tls_session)
   TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque,
 	   tls_session->session_index);
 
-  ctx = tls_ctx_get (tls_session->opaque);
+  ASSERT (tls_session->thread_index == vlib_get_thread_index ()
+	  || vlib_thread_is_main_w_barrier ());
+
+  ctx = tls_ctx_get_w_thread (tls_session->opaque, tls_session->thread_index);
   ctx->is_passive_close = 1;
   tls_ctx_transport_close (ctx);
 }
@@ -406,11 +422,13 @@ tls_session_accept_callback (session_t * tls_session)
   tls_session->opaque = ctx_handle;
   ctx->tls_session_handle = session_handle (tls_session);
   ctx->listener_ctx_index = tls_listener->opaque;
+  ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP;
+  ctx->ckpair_index = lctx->ckpair_index;
 
   /* Preallocate app session. Avoids allocating a session post handshake
    * on tls_session rx and potentially invalidating the session pool */
   app_session = session_alloc (ctx->c_thread_index);
-  app_session->session_state = SESSION_STATE_CLOSED;
+  app_session->session_state = SESSION_STATE_CREATED;
   ctx->c_s_index = app_session->session_index;
 
   TLS_DBG (1, "Accept on listener %u new connection [%u]%x",
@@ -464,6 +482,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index,
 
   ctx->c_thread_index = vlib_get_thread_index ();
   ctx->tls_ctx_handle = ctx_handle;
+  ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP;
 
   TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x",
 	   ho_ctx_index, is_fail, vlib_get_thread_index (),
@@ -476,7 +495,7 @@ tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index,
   /* Preallocate app session. Avoids allocating a session post handshake
    * on tls_session rx and potentially invalidating the session pool */
   app_session = session_alloc (ctx->c_thread_index);
-  app_session->session_state = SESSION_STATE_CLOSED;
+  app_session->session_state = SESSION_STATE_CREATED;
   ctx->c_s_index = app_session->session_index;
 
   return tls_ctx_init_client (ctx);
@@ -514,7 +533,7 @@ tls_connect (transport_endpoint_cfg_t * tep)
 {
   vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs;
   session_endpoint_cfg_t *sep;
-  tls_engine_type_t engine_type;
+  crypto_engine_type_t engine_type;
   tls_main_t *tm = &tls_main;
   app_worker_t *app_wrk;
   application_t *app;
@@ -526,7 +545,7 @@ tls_connect (transport_endpoint_cfg_t * tep)
   app_wrk = app_worker_get (sep->app_wrk_index);
   app = application_get (app_wrk->app_index);
   engine_type = tls_get_engine_type (app->tls_engine);
-  if (engine_type == TLS_ENGINE_NONE)
+  if (engine_type == CRYPTO_ENGINE_NONE)
     {
       clib_warning ("No tls engine_type available");
       return -1;
@@ -580,7 +599,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep)
   session_endpoint_cfg_t *sep;
   session_t *tls_listener;
   session_t *app_listener;
-  tls_engine_type_t engine_type;
+  crypto_engine_type_t engine_type;
   application_t *app;
   app_listener_t *al;
   tls_ctx_t *lctx;
@@ -590,7 +609,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep)
   app_wrk = app_worker_get (sep->app_wrk_index);
   app = application_get (app_wrk->app_index);
   engine_type = tls_get_engine_type (app->tls_engine);
-  if (engine_type == TLS_ENGINE_NONE)
+  if (engine_type == CRYPTO_ENGINE_NONE)
     {
       clib_warning ("No tls engine_type available");
       return -1;
@@ -618,6 +637,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep)
   lctx->app_session_handle = listen_session_get_handle (app_listener);
   lctx->tcp_is_ip4 = sep->is_ip4;
   lctx->tls_ctx_engine = engine_type;
+  lctx->ckpair_index = sep->ckpair_index;
 
   if (tls_vfts[engine_type].ctx_start_listen (lctx))
     {
@@ -640,7 +660,7 @@ tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep)
 u32
 tls_stop_listen (u32 lctx_index)
 {
-  tls_engine_type_t engine_type;
+  crypto_engine_type_t engine_type;
   tls_ctx_t *lctx;
   int rv;
 
@@ -808,7 +828,7 @@ static const transport_proto_vft_t tls_proto = {
 /* *INDENT-ON* */
 
 void
-tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type)
+tls_register_engine (const tls_engine_vft_t * vft, crypto_engine_type_t type)
 {
   vec_validate (tls_vfts, type);
   tls_vfts[type] = *vft;
@@ -872,6 +892,7 @@ static clib_error_t *
 tls_config_fn (vlib_main_t * vm, unformat_input_t * input)
 {
   tls_main_t *tm = &tls_main;
+  uword tmp;
   while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
     {
       if (unformat (input, "use-test-cert-in-ca"))
@@ -881,9 +902,15 @@ tls_config_fn (vlib_main_t * vm, unformat_input_t * input)
       else if (unformat (input, "first-segment-size %U", unformat_memory_size,
 			 &tm->first_seg_size))
 	;
-      else if (unformat (input, "fifo-size %U", unformat_memory_size,
-			 &tm->fifo_size))
-	;
+      else if (unformat (input, "fifo-size %U", unformat_memory_size, &tmp))
+	{
+	  if (tmp >= 0x100000000ULL)
+	    {
+	      return clib_error_return
+		(0, "fifo-size %llu (0x%llx) too large", tmp, tmp);
+	    }
+	  tm->fifo_size = tmp;
+	}
       else
 	return clib_error_return (0, "unknown input `%U'",
 				  format_unformat_error, input);