FD.io VPP  v19.04.4-rc0-5-ge88582fac
Vector Packet Processing
tls.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2018-2019 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
17 #include <vppinfra/lock.h>
18 #include <vnet/tls/tls.h>
19 
22 
23 #define TLS_INVALID_HANDLE ~0
24 #define TLS_IDX_MASK 0x00FFFFFF
25 #define TLS_ENGINE_TYPE_SHIFT 29
26 
27 void tls_disconnect (u32 ctx_handle, u32 thread_index);
28 
29 static void
31 {
33  .handle = ctx->tls_session_handle,
34  .app_index = tls_main.app_index,
35  };
36 
37  if (vnet_disconnect_session (&a))
38  clib_warning ("disconnect returned");
39 }
40 
43 {
44  int i;
45  for (i = 0; i < vec_len (tls_vfts); i++)
46  {
47  if (tls_vfts[i].ctx_alloc)
48  return i;
49  }
50  return TLS_ENGINE_NONE;
51 }
52 
53 int
55 {
56  if (svm_fifo_set_event (s->rx_fifo))
58  return 0;
59 }
60 
61 int
63 {
64  if (svm_fifo_set_event (s->rx_fifo))
66  return 0;
67 }
68 
69 int
71 {
72  if (svm_fifo_set_event (s->tx_fifo))
74  return 0;
75 }
76 
77 int
79 {
80  if (svm_fifo_set_event (s->tx_fifo))
83  return 0;
84 }
85 
86 static inline int
88 {
89  return app_worker_lock_and_send_event (app, app_session, SESSION_IO_EVT_RX);
90 }
91 
92 u32
94 {
95  tls_main_t *tm = &tls_main;
96  tls_ctx_t *ctx;
97 
98  pool_get (tm->listener_ctx_pool, ctx);
99  clib_memset (ctx, 0, sizeof (*ctx));
100  return ctx - tm->listener_ctx_pool;
101 }
102 
103 void
105 {
106  if (CLIB_DEBUG)
107  memset (ctx, 0xfb, sizeof (*ctx));
108  pool_put (tls_main.listener_ctx_pool, ctx);
109 }
110 
111 tls_ctx_t *
113 {
114  return pool_elt_at_index (tls_main.listener_ctx_pool, ctx_index);
115 }
116 
117 u32
119 {
120  return (ctx - tls_main.listener_ctx_pool);
121 }
122 
123 u32
125 {
126  tls_main_t *tm = &tls_main;
127  u8 will_expand = 0;
128  tls_ctx_t *ctx;
129  u32 ctx_index;
130 
131  pool_get_aligned_will_expand (tm->half_open_ctx_pool, will_expand, 0);
132  if (PREDICT_FALSE (will_expand && vlib_num_workers ()))
133  {
135  pool_get (tm->half_open_ctx_pool, ctx);
136  ctx_index = ctx - tm->half_open_ctx_pool;
138  }
139  else
140  {
141  /* reader lock assumption: only main thread will call pool_get */
143  pool_get (tm->half_open_ctx_pool, ctx);
144  ctx_index = ctx - tm->half_open_ctx_pool;
146  }
147  clib_memset (ctx, 0, sizeof (*ctx));
148  return ctx_index;
149 }
150 
151 void
153 {
154  tls_main_t *tm = &tls_main;
156  pool_put_index (tls_main.half_open_ctx_pool, ho_index);
158 }
159 
160 tls_ctx_t *
162 {
163  tls_main_t *tm = &tls_main;
165  return pool_elt_at_index (tm->half_open_ctx_pool, ctx_index);
166 }
167 
168 void
170 {
172 }
173 
174 u32
176 {
177  return (ctx - tls_main.half_open_ctx_pool);
178 }
179 
180 void
182 {
183  app_worker_t *app_wrk;
184  app_wrk = app_worker_get_if_valid (app_session->app_wrk_index);
185  if (PREDICT_TRUE (app_wrk != 0))
186  tls_add_app_q_evt (app_wrk, app_session);
187 }
188 
189 int
191 {
192  session_t *app_listener, *app_session;
193  app_worker_t *app_wrk;
194  tls_ctx_t *lctx;
195  int rv;
196 
197  lctx = tls_listener_ctx_get (ctx->listener_ctx_index);
198  app_listener = listen_session_get_from_handle (lctx->app_session_handle);
199 
200  app_session = session_get (ctx->c_s_index, ctx->c_thread_index);
201  app_session->app_wrk_index = ctx->parent_app_wrk_index;
202  app_session->connection_index = ctx->tls_ctx_handle;
203  app_session->session_type = app_listener->session_type;
204  app_session->listener_index = app_listener->session_index;
205  app_session->session_state = SESSION_STATE_ACCEPTING;
206 
207  if ((rv = app_worker_init_accepted (app_session)))
208  {
209  TLS_DBG (1, "failed to allocate fifos");
210  session_free (app_session);
211  return rv;
212  }
213  ctx->app_session_handle = session_handle (app_session);
215  session_handle (app_session));
216  ctx->parent_app_wrk_index = app_session->app_wrk_index;
217  app_wrk = app_worker_get (app_session->app_wrk_index);
218  return app_worker_accept_notify (app_wrk, app_session);
219 }
220 
221 int
223 {
224  session_t *app_session;
225  app_worker_t *app_wrk;
226 
227  app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index);
228  if (!app_wrk)
229  {
231  return -1;
232  }
233 
234  if (is_failed)
235  goto failed;
236 
237  app_session = session_get (ctx->c_s_index, ctx->c_thread_index);
238  app_session->app_wrk_index = ctx->parent_app_wrk_index;
239  app_session->connection_index = ctx->tls_ctx_handle;
240  app_session->session_type =
242 
243  if (app_worker_init_connected (app_wrk, app_session))
244  goto failed;
245 
247  if (app_worker_connect_notify (app_wrk, app_session,
248  ctx->parent_app_api_context))
249  {
250  TLS_DBG (1, "failed to notify app");
251  tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ());
252  return -1;
253  }
254 
255  ctx->app_session_handle = session_handle (app_session);
256  app_session->session_state = SESSION_STATE_READY;
258  session_handle (app_session));
259 
260  return 0;
261 
262 failed:
263  tls_disconnect (ctx->tls_ctx_handle, vlib_get_thread_index ());
264  return app_worker_connect_notify (app_wrk, 0, ctx->parent_app_api_context);
265 }
266 
267 static inline void
268 tls_ctx_parse_handle (u32 ctx_handle, u32 * ctx_index, u32 * engine_type)
269 {
270  *ctx_index = ctx_handle & TLS_IDX_MASK;
271  *engine_type = ctx_handle >> TLS_ENGINE_TYPE_SHIFT;
272 }
273 
274 static inline tls_engine_type_t
276 {
277  if (!tls_vfts[preferred].ctx_alloc)
278  return tls_get_available_engine ();
279  return preferred;
280 }
281 
282 static inline u32
284 {
285  u32 ctx_index;
286  ctx_index = tls_vfts[engine_type].ctx_alloc ();
287  return (((u32) engine_type << TLS_ENGINE_TYPE_SHIFT) | ctx_index);
288 }
289 
290 static inline void
292 {
293  vec_free (ctx->srv_hostname);
294  tls_vfts[ctx->tls_ctx_engine].ctx_free (ctx);
295 }
296 
297 static inline tls_ctx_t *
298 tls_ctx_get (u32 ctx_handle)
299 {
300  u32 ctx_index, engine_type;
301  tls_ctx_parse_handle (ctx_handle, &ctx_index, &engine_type);
302  return tls_vfts[engine_type].ctx_get (ctx_index);
303 }
304 
305 static inline tls_ctx_t *
306 tls_ctx_get_w_thread (u32 ctx_handle, u8 thread_index)
307 {
308  u32 ctx_index, engine_type;
309  tls_ctx_parse_handle (ctx_handle, &ctx_index, &engine_type);
310  return tls_vfts[engine_type].ctx_get_w_thread (ctx_index, thread_index);
311 }
312 
313 static inline int
315 {
316  return tls_vfts[ctx->tls_ctx_engine].ctx_init_server (ctx);
317 }
318 
319 static inline int
321 {
322  return tls_vfts[ctx->tls_ctx_engine].ctx_init_client (ctx);
323 }
324 
325 static inline int
327 {
328  return tls_vfts[ctx->tls_ctx_engine].ctx_write (ctx, app_session);
329 }
330 
331 static inline int
333 {
334  return tls_vfts[ctx->tls_ctx_engine].ctx_read (ctx, tls_session);
335 }
336 
337 static inline u8
339 {
340  return tls_vfts[ctx->tls_ctx_engine].ctx_handshake_is_over (ctx);
341 }
342 
343 void
345 {
346  clib_warning ("called...");
347 }
348 
349 int
350 tls_add_segment_callback (u32 client_index, u64 segment_handle)
351 {
352  /* No-op for builtin */
353  return 0;
354 }
355 
356 int
357 tls_del_segment_callback (u32 client_index, u64 segment_handle)
358 {
359  return 0;
360 }
361 
362 void
364 {
365  tls_ctx_t *ctx;
366 
367  TLS_DBG (1, "TCP disconnecting handle %x session %u", tls_session->opaque,
368  tls_session->session_index);
369 
370  ctx = tls_ctx_get (tls_session->opaque);
371  if (!tls_ctx_handshake_is_over (ctx))
372  {
373  session_close (tls_session);
374  return;
375  }
376  ctx->is_passive_close = 1;
378 }
379 
380 int
382 {
383  session_t *tls_listener, *app_session;
384  tls_ctx_t *lctx, *ctx;
385  u32 ctx_handle;
386 
387  tls_listener = listen_session_get (tls_session->listener_index);
388  lctx = tls_listener_ctx_get (tls_listener->opaque);
389 
390  ctx_handle = tls_ctx_alloc (lctx->tls_ctx_engine);
391  ctx = tls_ctx_get (ctx_handle);
392  memcpy (ctx, lctx, sizeof (*lctx));
393  ctx->c_thread_index = vlib_get_thread_index ();
394  ctx->tls_ctx_handle = ctx_handle;
395  tls_session->session_state = SESSION_STATE_READY;
396  tls_session->opaque = ctx_handle;
397  ctx->tls_session_handle = session_handle (tls_session);
398  ctx->listener_ctx_index = tls_listener->opaque;
399 
400  /* Preallocate app session. Avoids allocating a session post handshake
401  * on tls_session rx and potentially invalidating the session pool */
402  app_session = session_alloc (ctx->c_thread_index);
403  app_session->session_state = SESSION_STATE_CLOSED;
404  ctx->c_s_index = app_session->session_index;
405 
406  TLS_DBG (1, "Accept on listener %u new connection [%u]%x",
407  tls_listener->opaque, vlib_get_thread_index (), ctx_handle);
408 
409  return tls_ctx_init_server (ctx);
410 }
411 
412 int
414 {
415  tls_ctx_t *ctx;
416 
417  ctx = tls_ctx_get (tls_session->opaque);
418  tls_ctx_read (ctx, tls_session);
419  return 0;
420 }
421 
422 int
423 tls_session_connected_callback (u32 tls_app_index, u32 ho_ctx_index,
424  session_t * tls_session, u8 is_fail)
425 {
426  session_t *app_session;
427  tls_ctx_t *ho_ctx, *ctx;
428  u32 ctx_handle;
429 
430  ho_ctx = tls_ctx_half_open_get (ho_ctx_index);
431 
432  if (is_fail)
433  {
434  app_worker_t *app_wrk;
435  u32 api_context;
436  int rv = 0;
437 
438  app_wrk = app_worker_get_if_valid (ho_ctx->parent_app_wrk_index);
439  if (app_wrk)
440  {
441  api_context = ho_ctx->c_s_index;
442  app_worker_connect_notify (app_wrk, 0, api_context);
443  }
445  tls_ctx_half_open_free (ho_ctx_index);
446  return rv;
447  }
448 
449  ctx_handle = tls_ctx_alloc (ho_ctx->tls_ctx_engine);
450  ctx = tls_ctx_get (ctx_handle);
451  clib_memcpy_fast (ctx, ho_ctx, sizeof (*ctx));
453  tls_ctx_half_open_free (ho_ctx_index);
454 
455  ctx->c_thread_index = vlib_get_thread_index ();
456  ctx->tls_ctx_handle = ctx_handle;
457 
458  TLS_DBG (1, "TCP connect for %u returned %u. New connection [%u]%x",
459  ho_ctx_index, is_fail, vlib_get_thread_index (),
460  (ctx) ? ctx_handle : ~0);
461 
462  ctx->tls_session_handle = session_handle (tls_session);
463  tls_session->opaque = ctx_handle;
464  tls_session->session_state = SESSION_STATE_READY;
465 
466  /* Preallocate app session. Avoids allocating a session post handshake
467  * on tls_session rx and potentially invalidating the session pool */
468  app_session = session_alloc (ctx->c_thread_index);
469  app_session->session_state = SESSION_STATE_CLOSED;
470  ctx->c_s_index = app_session->session_index;
471 
472  return tls_ctx_init_client (ctx);
473 }
474 
475 /* *INDENT-OFF* */
477  .session_accept_callback = tls_session_accept_callback,
478  .session_disconnect_callback = tls_session_disconnect_callback,
479  .session_connected_callback = tls_session_connected_callback,
480  .session_reset_callback = tls_session_reset_callback,
481  .add_segment_callback = tls_add_segment_callback,
482  .del_segment_callback = tls_del_segment_callback,
483  .builtin_app_rx_callback = tls_app_rx_callback,
484 };
485 /* *INDENT-ON* */
486 
487 int
489 {
490  vnet_connect_args_t _cargs = { {}, }, *cargs = &_cargs;
492  tls_engine_type_t engine_type;
493  tls_main_t *tm = &tls_main;
494  app_worker_t *app_wrk;
495  application_t *app;
496  tls_ctx_t *ctx;
497  u32 ctx_index;
498  int rv;
499 
500  sep = (session_endpoint_cfg_t *) tep;
501  app_wrk = app_worker_get (sep->app_wrk_index);
502  app = application_get (app_wrk->app_index);
503  engine_type = tls_get_engine_type (app->tls_engine);
504  if (engine_type == TLS_ENGINE_NONE)
505  {
506  clib_warning ("No tls engine_type available");
507  return -1;
508  }
509 
510  ctx_index = tls_ctx_half_open_alloc ();
511  ctx = tls_ctx_half_open_get (ctx_index);
512  ctx->parent_app_wrk_index = sep->app_wrk_index;
513  ctx->parent_app_api_context = sep->opaque;
514  ctx->tcp_is_ip4 = sep->is_ip4;
515  if (sep->hostname)
516  {
517  ctx->srv_hostname = format (0, "%v", sep->hostname);
519  }
521 
523  ctx->tls_ctx_engine = engine_type;
524 
525  clib_memcpy_fast (&cargs->sep, sep, sizeof (session_endpoint_t));
526  cargs->sep.transport_proto = TRANSPORT_PROTO_TCP;
527  cargs->app_index = tm->app_index;
528  cargs->api_context = ctx_index;
529  cargs->sep_ext.ns_index = app->ns_index;
530  if ((rv = vnet_connect (cargs)))
531  return rv;
532 
533  TLS_DBG (1, "New connect request %u engine %d", ctx_index, engine_type);
534  return 0;
535 }
536 
537 void
538 tls_disconnect (u32 ctx_handle, u32 thread_index)
539 {
540  tls_ctx_t *ctx;
541 
542  TLS_DBG (1, "Disconnecting %x", ctx_handle);
543 
544  ctx = tls_ctx_get (ctx_handle);
547  tls_ctx_free (ctx);
548 }
549 
550 u32
551 tls_start_listen (u32 app_listener_index, transport_endpoint_t * tep)
552 {
553  vnet_listen_args_t _bargs, *args = &_bargs;
554  app_worker_t *app_wrk;
555  tls_main_t *tm = &tls_main;
556  session_handle_t tls_al_handle;
558  session_t *tls_listener;
559  session_t *app_listener;
560  tls_engine_type_t engine_type;
561  application_t *app;
562  app_listener_t *al;
563  tls_ctx_t *lctx;
564  u32 lctx_index;
565 
566  sep = (session_endpoint_cfg_t *) tep;
567  app_wrk = app_worker_get (sep->app_wrk_index);
568  app = application_get (app_wrk->app_index);
569  engine_type = tls_get_engine_type (app->tls_engine);
570  if (engine_type == TLS_ENGINE_NONE)
571  {
572  clib_warning ("No tls engine_type available");
573  return -1;
574  }
575 
576  sep->transport_proto = TRANSPORT_PROTO_TCP;
577  clib_memset (args, 0, sizeof (*args));
578  args->app_index = tm->app_index;
579  args->sep_ext = *sep;
580  args->sep_ext.ns_index = app->ns_index;
581  if (vnet_listen (args))
582  return -1;
583 
584  lctx_index = tls_listener_ctx_alloc ();
585  tls_al_handle = args->handle;
586  al = app_listener_get_w_handle (tls_al_handle);
587  tls_listener = app_listener_get_session (al);
588  tls_listener->opaque = lctx_index;
589 
590  app_listener = listen_session_get (app_listener_index);
591 
592  lctx = tls_listener_ctx_get (lctx_index);
593  lctx->parent_app_wrk_index = sep->app_wrk_index;
594  lctx->tls_session_handle = tls_al_handle;
595  lctx->app_session_handle = listen_session_get_handle (app_listener);
596  lctx->tcp_is_ip4 = sep->is_ip4;
597  lctx->tls_ctx_engine = engine_type;
598 
599  tls_vfts[engine_type].ctx_start_listen (lctx);
600 
601  TLS_DBG (1, "Started listening %d, engine type %d", lctx_index,
602  engine_type);
603  return lctx_index;
604 }
605 
606 u32
607 tls_stop_listen (u32 lctx_index)
608 {
609  tls_engine_type_t engine_type;
610  tls_ctx_t *lctx;
611  int rv;
612 
613  lctx = tls_listener_ctx_get (lctx_index);
615  .handle = lctx->tls_session_handle,
616  .app_index = tls_main.app_index,
617  .wrk_map_index = 0 /* default wrk */
618  };
619  if ((rv = vnet_unlisten (&a)))
620  clib_warning ("unlisten returned %d", rv);
621 
622  engine_type = lctx->tls_ctx_engine;
623  tls_vfts[engine_type].ctx_stop_listen (lctx);
624 
625  tls_listener_ctx_free (lctx);
626  return 0;
627 }
628 
630 tls_connection_get (u32 ctx_index, u32 thread_index)
631 {
632  tls_ctx_t *ctx;
633  ctx = tls_ctx_get_w_thread (ctx_index, thread_index);
634  return &ctx->connection;
635 }
636 
638 tls_listener_get (u32 listener_index)
639 {
640  tls_ctx_t *ctx;
641  ctx = tls_listener_ctx_get (listener_index);
642  return &ctx->connection;
643 }
644 
645 int
646 tls_custom_tx_callback (void *session)
647 {
648  session_t *app_session = (session_t *) session;
649  tls_ctx_t *ctx;
650 
651  if (PREDICT_FALSE (app_session->session_state
653  return 0;
654 
655  ctx = tls_ctx_get (app_session->connection_index);
656  tls_ctx_write (ctx, app_session);
657  return 0;
658 }
659 
660 u8 *
661 format_tls_ctx (u8 * s, va_list * args)
662 {
663  u32 tcp_si, tcp_ti, ctx_index, ctx_engine, app_si, app_ti;
664  tls_ctx_t *ctx = va_arg (*args, tls_ctx_t *);
665 
666  session_parse_handle (ctx->tls_session_handle, &tcp_si, &tcp_ti);
667  tls_ctx_parse_handle (ctx->tls_ctx_handle, &ctx_index, &ctx_engine);
668  session_parse_handle (ctx->app_session_handle, &app_si, &app_ti);
669  s = format (s, "[%d:%d][TLS] app_wrk %u index %u engine %u tcp %d:%d",
670  app_ti, app_si, ctx->parent_app_wrk_index, ctx_index,
671  ctx_engine, tcp_ti, tcp_si);
672 
673  return s;
674 }
675 
676 u8 *
677 format_tls_connection (u8 * s, va_list * args)
678 {
679  u32 ctx_index = va_arg (*args, u32);
680  u32 thread_index = va_arg (*args, u32);
681  u32 verbose = va_arg (*args, u32);
682  tls_ctx_t *ctx;
683 
684  ctx = tls_ctx_get_w_thread (ctx_index, thread_index);
685  if (!ctx)
686  return s;
687 
688  s = format (s, "%-50U", format_tls_ctx, ctx);
689  if (verbose)
690  {
691  session_t *ts;
692  ts = session_get_from_handle (ctx->app_session_handle);
693  s = format (s, "state: %-7u", ts->session_state);
694  if (verbose > 1)
695  s = format (s, "\n");
696  }
697  return s;
698 }
699 
700 u8 *
701 format_tls_listener (u8 * s, va_list * args)
702 {
703  u32 tc_index = va_arg (*args, u32);
704  u32 __clib_unused verbose = va_arg (*args, u32);
705  tls_ctx_t *ctx = tls_listener_ctx_get (tc_index);
706  session_t *tls_listener;
707  app_listener_t *al;
708  u32 app_si, app_ti;
709 
710  al = app_listener_get_w_handle (ctx->tls_session_handle);
711  tls_listener = app_listener_get_session (al);
712  session_parse_handle (ctx->app_session_handle, &app_si, &app_ti);
713  s = format (s, "[%d:%d][TLS] app_wrk %u engine %u tcp %d:%d",
714  app_ti, app_si, ctx->parent_app_wrk_index, ctx->tls_ctx_engine,
715  tls_listener->thread_index, tls_listener->session_index);
716  return s;
717 }
718 
719 u8 *
720 format_tls_half_open (u8 * s, va_list * args)
721 {
722  u32 tc_index = va_arg (*args, u32);
723  tls_ctx_t *ctx = tls_ctx_half_open_get (tc_index);
724  s = format (s, "[TLS] half-open app %u", ctx->parent_app_wrk_index);
726  return s;
727 }
728 
729 /* *INDENT-OFF* */
731  .connect = tls_connect,
732  .close = tls_disconnect,
733  .start_listen = tls_start_listen,
734  .stop_listen = tls_stop_listen,
735  .get_connection = tls_connection_get,
736  .get_listener = tls_listener_get,
737  .custom_tx = tls_custom_tx_callback,
738  .tx_type = TRANSPORT_TX_INTERNAL,
739  .service_type = TRANSPORT_SERVICE_APP,
740  .format_connection = format_tls_connection,
741  .format_half_open = format_tls_half_open,
742  .format_listener = format_tls_listener,
743 };
744 /* *INDENT-ON* */
745 
746 void
748 {
749  vec_validate (tls_vfts, type);
750  tls_vfts[type] = *vft;
751 }
752 
753 static clib_error_t *
755 {
756  u32 add_segment_size = (4096ULL << 20) - 1, first_seg_size = 32 << 20;
758  u32 num_threads, fifo_size = 128 << 10;
759  vnet_app_attach_args_t _a, *a = &_a;
760  u64 options[APP_OPTIONS_N_OPTIONS];
761  tls_main_t *tm = &tls_main;
762 
763  first_seg_size = tm->first_seg_size ? tm->first_seg_size : first_seg_size;
764  fifo_size = tm->fifo_size ? tm->fifo_size : fifo_size;
765  num_threads = 1 /* main thread */ + vtm->n_threads;
766 
767  clib_memset (a, 0, sizeof (*a));
768  clib_memset (options, 0, sizeof (options));
769 
770  a->session_cb_vft = &tls_app_cb_vft;
771  a->api_client_index = APP_INVALID_INDEX;
772  a->options = options;
773  a->name = format (0, "tls");
774  a->options[APP_OPTIONS_SEGMENT_SIZE] = first_seg_size;
775  a->options[APP_OPTIONS_ADD_SEGMENT_SIZE] = add_segment_size;
776  a->options[APP_OPTIONS_RX_FIFO_SIZE] = fifo_size;
777  a->options[APP_OPTIONS_TX_FIFO_SIZE] = fifo_size;
778  a->options[APP_OPTIONS_FLAGS] = APP_OPTIONS_FLAGS_IS_BUILTIN;
779  a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_USE_GLOBAL_SCOPE;
780  a->options[APP_OPTIONS_FLAGS] |= APP_OPTIONS_FLAGS_IS_TRANSPORT_APP;
781 
782  if (vnet_application_attach (a))
783  {
784  clib_warning ("failed to attach tls app");
785  return clib_error_return (0, "failed to attach tls app");
786  }
787 
788  if (!tm->ca_cert_path)
790 
791  tm->app_index = a->app_index;
793 
794  vec_validate (tm->rx_bufs, num_threads - 1);
795  vec_validate (tm->tx_bufs, num_threads - 1);
796 
798  FIB_PROTOCOL_IP4, ~0);
800  FIB_PROTOCOL_IP6, ~0);
801  vec_free (a->name);
802  return 0;
803 }
804 
806 
807 static clib_error_t *
809 {
810  tls_main_t *tm = &tls_main;
812  {
813  if (unformat (input, "use-test-cert-in-ca"))
814  tm->use_test_cert_in_ca = 1;
815  else if (unformat (input, "ca-cert-path %s", &tm->ca_cert_path))
816  ;
817  else if (unformat (input, "first-segment-size %U", unformat_memory_size,
818  &tm->first_seg_size))
819  ;
820  else if (unformat (input, "fifo-size %U", unformat_memory_size,
821  &tm->fifo_size))
822  ;
823  else
824  return clib_error_return (0, "unknown input `%U'",
825  format_unformat_error, input);
826  }
827  return 0;
828 }
829 
831 
832 tls_main_t *
834 {
835  return &tls_main;
836 }
837 
838 /*
839  * fd.io coding-style-patch-verification: ON
840  *
841  * Local Variables:
842  * eval: (c-set-style "gnu")
843  * End:
844  */
tls_main_t * vnet_tls_get_main(void)
Definition: tls.c:833
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:439
static void clib_rwlock_reader_lock(clib_rwlock_t *p)
Definition: lock.h:139
int app_worker_lock_and_send_event(app_worker_t *app, session_t *s, u8 evt_type)
Send event to application.
u32 connection_index
Index of the transport connection associated to the session.
static tls_main_t tls_main
Definition: tls.c:20
int app_worker_init_accepted(session_t *s)
static tls_engine_type_t tls_get_engine_type(tls_engine_type_t preferred)
Definition: tls.c:275
session_type_t session_type
Type built from transport and network protocol types.
a
Definition: bitmap.h:538
static const transport_proto_vft_t tls_proto
Definition: tls.c:730
static void clib_rwlock_writer_lock(clib_rwlock_t *p)
Definition: lock.h:177
svm_fifo_t * tx_fifo
#define TLS_ENGINE_TYPE_SHIFT
Definition: tls.c:25
u32 ns_index
Namespace the application belongs to.
Definition: application.h:104
struct _vnet_connect_args vnet_connect_args_t
struct _vnet_unlisten_args_t vnet_unlisten_args_t
u32 tls_ctx_half_open_alloc(void)
Definition: tls.c:124
#define PREDICT_TRUE(x)
Definition: clib.h:112
u32 tls_listener_ctx_alloc(void)
Definition: tls.c:93
void tls_session_reset_callback(session_t *s)
Definition: tls.c:344
u32 session_index
Index in thread pool where session was allocated.
clib_rwlock_t half_open_rwlock
Definition: tls.h:86
unsigned long u64
Definition: types.h:89
char * ca_cert_path
Definition: tls.h:94
int(* ctx_init_server)(tls_ctx_t *ctx)
Definition: tls.h:106
#define clib_memcpy_fast(a, b, c)
Definition: string.h:81
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
void session_transport_delete_notify(transport_connection_t *tc)
Notification from transport that connection is being deleted.
Definition: session.c:746
svm_fifo_t * rx_fifo
Pointers to rx/tx buffers.
int tls_add_vpp_q_builtin_rx_evt(session_t *s)
Definition: tls.c:62
static clib_error_t * tls_config_fn(vlib_main_t *vm, unformat_input_t *input)
Definition: tls.c:808
static session_t * listen_session_get_from_handle(session_handle_t handle)
Definition: session.h:452
#define pool_get_aligned_will_expand(P, YESNO, A)
See if pool_get will expand the pool or not.
Definition: pool.h:242
#define vec_terminate_c_string(V)
(If necessary) NULL terminate a vector containing a c-string.
Definition: vec.h:1014
tls_ctx_t *(* ctx_get_w_thread)(u32 ctx_index, u8 thread_index)
Definition: tls.h:104
u8 * format_tls_connection(u8 *s, va_list *args)
Definition: tls.c:677
int i
void(* ctx_free)(tls_ctx_t *ctx)
Definition: tls.h:102
int(* ctx_init_client)(tls_ctx_t *ctx)
Definition: tls.h:105
u8 use_test_cert_in_ca
Definition: tls.h:93
transport_connection_t * tls_connection_get(u32 ctx_index, u32 thread_index)
Definition: tls.c:630
void tls_session_disconnect_callback(session_t *tls_session)
Definition: tls.c:363
static session_t * session_get(u32 si, u32 thread_index)
Definition: session.h:207
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
int vnet_unlisten(vnet_unlisten_args_t *a)
Definition: application.c:1065
int tls_app_rx_callback(session_t *tls_session)
Definition: tls.c:413
int(* ctx_read)(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls.h:107
static int tls_ctx_read(tls_ctx_t *ctx, session_t *tls_session)
Definition: tls.c:332
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:236
static tls_ctx_t * tls_ctx_get_w_thread(u32 ctx_handle, u8 thread_index)
Definition: tls.c:306
static void session_parse_handle(session_handle_t handle, u32 *index, u32 *thread_index)
unsigned char u8
Definition: types.h:56
struct _vnet_bind_args_t vnet_listen_args_t
static session_handle_t session_handle(session_t *s)
u32 app_index
Definition: tls.h:83
void session_transport_closing_notify(transport_connection_t *tc)
Notification from transport that connection is being closed.
Definition: session.c:724
static void tls_ctx_free(tls_ctx_t *ctx)
Definition: tls.c:291
void tls_listener_ctx_free(tls_ctx_t *ctx)
Definition: tls.c:104
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:163
struct _vnet_disconnect_args_t vnet_disconnect_args_t
u8 * format_tls_listener(u8 *s, va_list *args)
Definition: tls.c:701
static tls_engine_vft_t * tls_vfts
Definition: tls.c:21
u8 is_passive_close
Definition: tls.h:76
#define clib_error_return(e, args...)
Definition: error.h:99
static void tls_ctx_parse_handle(u32 ctx_handle, u32 *ctx_index, u32 *engine_type)
Definition: tls.c:268
int tls_del_segment_callback(u32 client_index, u64 segment_handle)
Definition: tls.c:357
unsigned int u32
Definition: types.h:88
int session_send_io_evt_to_thread(svm_fifo_t *f, session_evt_type_t evt_type)
Definition: session.c:86
tls_ctx_t *(* ctx_get)(u32 ctx_index)
Definition: tls.h:103
static u8 tls_ctx_handshake_is_over(tls_ctx_t *ctx)
Definition: tls.c:338
int tls_add_vpp_q_builtin_tx_evt(session_t *s)
Definition: tls.c:78
u8 tls_engine
Preferred tls engine.
Definition: application.h:122
struct _vnet_app_attach_args_t vnet_app_attach_args_t
struct _transport_proto_vft transport_proto_vft_t
struct _session_endpoint_cfg session_endpoint_cfg_t
static session_type_t session_type_from_proto_and_ip(transport_proto_t proto, u8 is_ip4)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
static void clib_rwlock_init(clib_rwlock_t *p)
Definition: lock.h:122
#define TLS_IDX_MASK
Definition: tls.c:24
u32 tls_listener_ctx_index(tls_ctx_t *ctx)
Definition: tls.c:118
static void clib_rwlock_reader_unlock(clib_rwlock_t *p)
Definition: lock.h:157
int app_worker_accept_notify(app_worker_t *app_wrk, session_t *s)
static session_t * session_get_from_handle(session_handle_t handle)
Definition: session.h:227
session_t * app_listener_get_session(app_listener_t *al)
Definition: application.c:301
static int tls_add_app_q_evt(app_worker_t *app, session_t *app_session)
Definition: tls.c:87
u8(* ctx_handshake_is_over)(tls_ctx_t *ctx)
Definition: tls.h:109
long ctx[MAX_CONNS]
Definition: main.c:144
void tls_ctx_half_open_reader_unlock()
Definition: tls.c:169
struct _unformat_input_t unformat_input_t
Definition: tls.h:81
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:286
int tls_session_accept_callback(session_t *tls_session)
Definition: tls.c:381
#define APP_INVALID_INDEX
Definition: application.h:164
int tls_notify_app_connected(tls_ctx_t *ctx, u8 is_failed)
Definition: tls.c:222
#define PREDICT_FALSE(x)
Definition: clib.h:111
int(* ctx_start_listen)(tls_ctx_t *ctx)
Definition: tls.h:110
u64 first_seg_size
Definition: tls.h:95
app_worker_t * app_worker_get_if_valid(u32 wrk_index)
Definition: tls.h:57
u32(* ctx_alloc)(void)
Definition: tls.h:101
static u64 listen_session_get_handle(session_t *s)
Definition: session.h:445
u32 fifo_size
Definition: tls.h:96
int(* ctx_write)(tls_ctx_t *ctx, session_t *app_session)
Definition: tls.h:108
int vnet_application_attach(vnet_app_attach_args_t *a)
Attach application to vpp.
Definition: application.c:839
static void clib_rwlock_writer_unlock(clib_rwlock_t *p)
Definition: lock.h:185
static u8 svm_fifo_set_event(svm_fifo_t *f)
Sets fifo event flag.
Definition: svm_fifo.h:172
u8 * format_tls_ctx(u8 *s, va_list *args)
Definition: tls.c:661
app transport service
#define VLIB_EARLY_CONFIG_FUNCTION(x, n,...)
Definition: init.h:216
#define UNFORMAT_END_OF_INPUT
Definition: format.h:144
u8 ** rx_bufs
Definition: tls.h:87
tls_engine_type_t tls_get_available_engine(void)
Definition: tls.c:42
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:212
void tls_disconnect(u32 ctx_handle, u32 thread_index)
Definition: tls.c:538
vlib_main_t * vm
Definition: buffer.c:312
transport_connection_t * tls_listener_get(u32 listener_index)
Definition: tls.c:638
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:341
void session_free(session_t *s)
Definition: session.c:175
static int tls_ctx_write(tls_ctx_t *ctx, session_t *app_session)
Definition: tls.c:326
#define clib_warning(format, args...)
Definition: error.h:59
struct _stream_session_cb_vft session_cb_vft_t
int tls_add_vpp_q_tx_evt(session_t *s)
Definition: tls.c:70
struct _transport_connection transport_connection_t
transport_connection_t connection
Definition: tls.h:61
static int tls_ctx_init_client(tls_ctx_t *ctx)
Definition: tls.c:320
int app_worker_init_connected(app_worker_t *app_wrk, session_t *s)
void tls_register_engine(const tls_engine_vft_t *vft, tls_engine_type_t type)
Definition: tls.c:747
application_t * application_get(u32 app_index)
Definition: application.c:447
void transport_register_protocol(transport_proto_t transport_proto, const transport_proto_vft_t *vft, fib_protocol_t fib_proto, u32 output_node)
Register transport virtual function table.
Definition: transport.c:248
static tls_ctx_t * tls_ctx_get(u32 ctx_handle)
Definition: tls.c:298
int tls_add_segment_callback(u32 client_index, u64 segment_handle)
Definition: tls.c:350
int tls_connect(transport_endpoint_cfg_t *tep)
Definition: tls.c:488
static int tls_ctx_init_server(tls_ctx_t *ctx)
Definition: tls.c:314
apps acting as transports
app_listener_t * app_listener_get_w_handle(session_handle_t handle)
Definition: application.c:120
#define pool_put_index(p, i)
Free pool element with given index.
Definition: pool.h:311
int(* ctx_stop_listen)(tls_ctx_t *ctx)
Definition: tls.h:111
int tls_custom_tx_callback(void *session)
Definition: tls.c:646
int vnet_listen(vnet_listen_args_t *a)
Definition: application.c:977
tls_ctx_t * tls_listener_ctx_get(u32 ctx_index)
Definition: tls.c:112
int vnet_connect(vnet_connect_args_t *a)
Definition: application.c:1029
tls_ctx_t * half_open_ctx_pool
Definition: tls.h:85
u8 thread_index
Index of the thread that allocated the session.
session_t * session_alloc(u32 thread_index)
Definition: session.c:150
u8 ** tx_bufs
Definition: tls.h:88
u32 tls_stop_listen(u32 lctx_index)
Definition: tls.c:607
app_worker_t * app_worker_get(u32 wrk_index)
u64 session_handle_t
u32 tls_ctx_half_open_index(tls_ctx_t *ctx)
Definition: tls.c:175
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
volatile u8 session_state
State in session layer state machine.
int tls_add_vpp_q_rx_evt(session_t *s)
Definition: tls.c:54
u32 opaque
Opaque, for general use.
void session_close(session_t *s)
Initialize session closing procedure.
Definition: session.c:1069
int app_worker_alloc_connects_segment_manager(app_worker_t *app)
int vnet_disconnect_session(vnet_disconnect_args_t *a)
Definition: application.c:1094
u8 * srv_hostname
Definition: tls.h:78
int session_send_io_evt_to_thread_custom(void *data, u32 thread_index, session_evt_type_t evt_type)
Definition: session.c:93
unformat_function_t unformat_memory_size
Definition: format.h:295
int tls_notify_app_accept(tls_ctx_t *ctx)
Definition: tls.c:190
u32 app_index
Index of owning app.
Definition: application.h:43
int session_lookup_add_connection(transport_connection_t *tc, u64 value)
Add transport connection to a session table.
void tls_notify_app_enqueue(tls_ctx_t *ctx, session_t *app_session)
Definition: tls.c:181
void tls_ctx_half_open_free(u32 ho_index)
Definition: tls.c:152
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
static vlib_thread_main_t * vlib_get_thread_main()
Definition: global_funcs.h:32
static u32 vlib_num_workers()
Definition: threads.h:366
static u32 tls_ctx_alloc(tls_engine_type_t engine_type)
Definition: tls.c:283
static void tls_disconnect_transport(tls_ctx_t *ctx)
Definition: tls.c:30
u32 app_wrk_index
Index of the app worker that owns the session.
#define TLS_CA_CERT_PATH
Definition: tls.h:29
struct _session_endpoint session_endpoint_t
enum tls_engine_type_ tls_engine_type_t
u8 * format_tls_half_open(u8 *s, va_list *args)
Definition: tls.c:720
static clib_error_t * tls_init(vlib_main_t *vm)
Definition: tls.c:754
static session_cb_vft_t tls_app_cb_vft
Definition: tls.c:476
int app_worker_connect_notify(app_worker_t *app_wrk, session_t *s, u32 opaque)
#define TLS_DBG(_lvl, _fmt, _args...)
Definition: tls.h:36
u32 tls_start_listen(u32 app_listener_index, transport_endpoint_t *tep)
Definition: tls.c:551
tls_ctx_t * listener_ctx_pool
Definition: tls.h:84
int tls_session_connected_callback(u32 tls_app_index, u32 ho_ctx_index, session_t *tls_session, u8 is_fail)
Definition: tls.c:423
static session_t * listen_session_get(u32 ls_index)
Definition: session.h:475
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:972
tls_ctx_t * tls_ctx_half_open_get(u32 ctx_index)
Definition: tls.c:161
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:170
u32 listener_index
Parent listener session index if the result of an accept.