aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFlorin Coras <fcoras@cisco.com>2024-02-27 17:10:25 -0800
committerDave Barach <vpp@barachs.net>2024-03-20 20:07:05 +0000
commite565902654aea1e73b740cf68daa3d116cc15f9e (patch)
tree096b72da34e79ab29ae517f171797c8798406545
parent40c95f50bae22ac47412ad640d35a14d4597b466 (diff)
tls: avoid app session preallocation
Since async rx event infra decouples notification event generation from delivery we no longer run the risk of having tls realloc session pools while session layer still holds a pointer to the accepted/connected tcp session. Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I1bb429a058707aba1d4f32ea33615a2367e66969
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c14
-rw-r--r--src/plugins/tlspicotls/tls_picotls.c1
-rw-r--r--src/vnet/tls/tls.c56
3 files changed, 15 insertions, 56 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 75e58f6579a..a21e3bb54c1 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -263,8 +263,6 @@ openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler,
static void
openssl_handle_handshake_failure (tls_ctx_t * ctx)
{
- session_t *app_session;
-
/* Failed to renegotiate handshake */
if (ctx->flags & TLS_CONN_F_HS_DONE)
{
@@ -275,18 +273,8 @@ openssl_handle_handshake_failure (tls_ctx_t * ctx)
if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
{
- /*
- * Cleanup pre-allocated app session and close transport
- */
- app_session =
- session_get_if_valid (ctx->c_s_index, ctx->c_thread_index);
- if (app_session)
- {
- session_free (app_session);
- ctx->c_s_index = SESSION_INVALID_INDEX;
- tls_disconnect_transport (ctx);
- }
ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
+ tls_disconnect_transport (ctx);
}
else
{
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
index 81c4b2ecf57..7375b928206 100644
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -179,7 +179,6 @@ picotls_stop_listen (tls_ctx_t * lctx)
static void
picotls_handle_handshake_failure (tls_ctx_t * ctx)
{
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
ctx->c_s_index = SESSION_INVALID_INDEX;
tls_disconnect_transport (ctx);
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 3c06498e6e0..3096dd53106 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
@@ -205,12 +205,13 @@ tls_notify_app_accept (tls_ctx_t * ctx)
lctx = tls_listener_ctx_get (ctx->listener_ctx_index);
app_listener = listen_session_get_from_handle (lctx->app_session_handle);
- app_session = session_get (ctx->c_s_index, ctx->c_thread_index);
- app_session->app_wrk_index = ctx->parent_app_wrk_index;
- app_session->connection_index = ctx->tls_ctx_handle;
+ app_session = session_alloc (ctx->c_thread_index);
+ app_session->session_state = SESSION_STATE_ACCEPTING;
app_session->session_type = app_listener->session_type;
app_session->listener_handle = listen_session_get_handle (app_listener);
- app_session->session_state = SESSION_STATE_ACCEPTING;
+ app_session->app_wrk_index = ctx->parent_app_wrk_index;
+ app_session->connection_index = ctx->tls_ctx_handle;
+ ctx->c_s_index = app_session->session_index;
if ((rv = app_worker_init_accepted (app_session)))
{
@@ -235,43 +236,36 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err)
app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index);
if (!app_wrk)
{
- if (ctx->tls_type == TRANSPORT_PROTO_TLS)
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
return -1;
}
if (err)
{
- /* Free app session pre-allocated when transport was established */
- if (ctx->tls_type == TRANSPORT_PROTO_TLS)
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
goto send_reply;
}
- /* For DTLS the app session is not preallocated because the underlying udp
- * session might migrate to a different worker during the handshake */
+ app_session = session_alloc (ctx->c_thread_index);
+ app_session->session_state = SESSION_STATE_CREATED;
+ app_session->connection_index = ctx->tls_ctx_handle;
+
if (ctx->tls_type == TRANSPORT_PROTO_DTLS)
{
- session_type_t st;
/* Cleanup half-open session as we don't get notification from udp */
session_half_open_delete_notify (&ctx->connection);
- app_session = session_alloc (ctx->c_thread_index);
- app_session->session_state = SESSION_STATE_CREATED;
- ctx->c_s_index = app_session->session_index;
- st =
+ app_session->session_type =
session_type_from_proto_and_ip (TRANSPORT_PROTO_DTLS, ctx->tcp_is_ip4);
- app_session->session_type = st;
- app_session->connection_index = ctx->tls_ctx_handle;
}
else
{
- app_session = session_get (ctx->c_s_index, ctx->c_thread_index);
+ app_session->session_type =
+ session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
}
app_session->app_wrk_index = ctx->parent_app_wrk_index;
app_session->opaque = ctx->parent_app_api_context;
+ ctx->c_s_index = app_session->session_index;
if ((err = app_worker_init_connected (app_wrk, app_session)))
{
@@ -494,7 +488,7 @@ tls_session_disconnect_callback (session_t * tls_session)
int
tls_session_accept_callback (session_t * tls_session)
{
- session_t *tls_listener, *app_session;
+ session_t *tls_listener;
tls_ctx_t *lctx, *ctx;
u32 ctx_handle;
@@ -514,23 +508,12 @@ tls_session_accept_callback (session_t * tls_session)
ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP;
ctx->ckpair_index = lctx->ckpair_index;
- /* Preallocate app session. Avoids allocating a session post handshake
- * on tls_session rx and potentially invalidating the session pool */
- app_session = session_alloc (ctx->c_thread_index);
- app_session->session_state = SESSION_STATE_CREATED;
- app_session->session_type =
- session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
- app_session->connection_index = ctx->tls_ctx_handle;
- app_session->app_wrk_index = APP_INVALID_INDEX;
- ctx->c_s_index = app_session->session_index;
-
TLS_DBG (1, "Accept on listener %u new connection [%u]%x",
tls_listener->opaque, vlib_get_thread_index (), ctx_handle);
if (tls_ctx_init_server (ctx))
{
/* Do not free ctx yet, in case we have pending rx events */
- session_free (app_session);
ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
tls_disconnect_transport (ctx);
}
@@ -577,9 +560,7 @@ int
tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index,
session_t *tls_session, session_error_t err)
{
- session_t *app_session;
tls_ctx_t *ho_ctx, *ctx;
- session_type_t st;
u32 ctx_handle;
ho_ctx = tls_ctx_half_open_get (ho_ctx_index);
@@ -603,15 +584,6 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index,
tls_session->opaque = ctx_handle;
tls_session->session_state = SESSION_STATE_READY;
- /* Preallocate app session. Avoids allocating a session post handshake
- * on tls_session rx and potentially invalidating the session pool */
- app_session = session_alloc (ctx->c_thread_index);
- app_session->session_state = SESSION_STATE_CREATED;
- ctx->c_s_index = app_session->session_index;
- st = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
- app_session->session_type = st;
- app_session->connection_index = ctx->tls_ctx_handle;
-
if (tls_ctx_init_client (ctx))
{
tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE);