author | Florin Coras <fcoras@cisco.com> | 2024-02-27 17:10:25 -0800 |
---|---|---|
committer | Dave Barach <vpp@barachs.net> | 2024-03-20 20:07:05 +0000 |
commit | e565902654aea1e73b740cf68daa3d116cc15f9e (patch) | |
tree | 096b72da34e79ab29ae517f171797c8798406545 | |
parent | 40c95f50bae22ac47412ad640d35a14d4597b466 (diff) |
tls: avoid app session preallocation
Since async rx event infra decouples notification event generation from
delivery we no longer run the risk of having tls realloc session pools
while session layer still holds a pointer to the accepted/connected tcp
session.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I1bb429a058707aba1d4f32ea33615a2367e66969
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 14 | ||||
-rw-r--r-- | src/plugins/tlspicotls/tls_picotls.c | 1 | ||||
-rw-r--r-- | src/vnet/tls/tls.c | 56 |
3 files changed, 15 insertions, 56 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 75e58f6579a..a21e3bb54c1 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -263,8 +263,6 @@ openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler,
 static void
 openssl_handle_handshake_failure (tls_ctx_t * ctx)
 {
- session_t *app_session;
-
 /* Failed to renegotiate handshake */
 if (ctx->flags & TLS_CONN_F_HS_DONE)
 {
@@ -275,18 +273,8 @@ openssl_handle_handshake_failure (tls_ctx_t * ctx)
 
 if (SSL_is_server (((openssl_ctx_t *) ctx)->ssl))
 {
- /*
- * Cleanup pre-allocated app session and close transport
- */
- app_session =
- session_get_if_valid (ctx->c_s_index, ctx->c_thread_index);
- if (app_session)
- {
- session_free (app_session);
- ctx->c_s_index = SESSION_INVALID_INDEX;
- tls_disconnect_transport (ctx);
- }
 ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
+ tls_disconnect_transport (ctx);
 }
 else
 {
diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c
index 81c4b2ecf57..7375b928206 100644
--- a/src/plugins/tlspicotls/tls_picotls.c
+++ b/src/plugins/tlspicotls/tls_picotls.c
@@ -179,7 +179,6 @@ picotls_stop_listen (tls_ctx_t * lctx)
 static void
 picotls_handle_handshake_failure (tls_ctx_t * ctx)
 {
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
 ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
 ctx->c_s_index = SESSION_INVALID_INDEX;
 tls_disconnect_transport (ctx);
diff --git a/src/vnet/tls/tls.c b/src/vnet/tls/tls.c
index 3c06498e6e0..3096dd53106 100644
--- a/src/vnet/tls/tls.c
+++ b/src/vnet/tls/tls.c
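Review bot: In tls_openssl.c, the server branch of `openssl_handle_handshake_failure` no longer resets `ctx->c_s_index`, while `picotls_handle_handshake_failure` in this same commit still sets it to `SESSION_INVALID_INDEX`. As far as these hunks show, the field is no longer assigned before a failed server handshake, so its value depends on how the ctx was initialised (not visible here); if that is zero, any later lookup through `c_s_index` that does not first test `TLS_CONN_F_NO_APP_SESSION` would resolve to an unrelated session. I would add `ctx->c_s_index = SESSION_INVALID_INDEX;` before `tls_disconnect_transport (ctx);` so both engines leave the ctx in the same state. The removed `if (app_session)` guard also meant this path disconnected the transport at most once per ctx; whether the handler can run twice for the same ctx is not visible in the hunk and is worth confirming.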
@@ -205,12 +205,13 @@ tls_notify_app_accept (tls_ctx_t * ctx)
 lctx = tls_listener_ctx_get (ctx->listener_ctx_index);
 app_listener = listen_session_get_from_handle (lctx->app_session_handle);
 
- app_session = session_get (ctx->c_s_index, ctx->c_thread_index);
- app_session->app_wrk_index = ctx->parent_app_wrk_index;
- app_session->connection_index = ctx->tls_ctx_handle;
+ app_session = session_alloc (ctx->c_thread_index);
+ app_session->session_state = SESSION_STATE_ACCEPTING;
 app_session->session_type = app_listener->session_type;
 app_session->listener_handle = listen_session_get_handle (app_listener);
- app_session->session_state = SESSION_STATE_ACCEPTING;
+ app_session->app_wrk_index = ctx->parent_app_wrk_index;
+ app_session->connection_index = ctx->tls_ctx_handle;
+ ctx->c_s_index = app_session->session_index;
 
 if ((rv = app_worker_init_accepted (app_session)))
 {
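Review bot: The `session_alloc` call added to `tls_notify_app_accept` carries no comment saying why allocating here is safe, although the comments this commit deletes from tls.c described the hazard (allocating after the handshake can invalidate the session pool). The safety argument now lives only in the commit message, so a later caller that keeps a `session_t *` across this function has nothing in the code to warn it. I would add above the call: `/* session_alloc may realloc the session pool; safe only because async rx event delivery is decoupled from generation, so no caller holds a session_t pointer across this call */`. The same comment fits the `session_alloc` added in `tls_notify_app_connected`; the function body continues outside this hunk.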
@@ -235,43 +236,36 @@ tls_notify_app_connected (tls_ctx_t * ctx, session_error_t err)
 app_wrk = app_worker_get_if_valid (ctx->parent_app_wrk_index);
 if (!app_wrk)
 {
- if (ctx->tls_type == TRANSPORT_PROTO_TLS)
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
 ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
 return -1;
 }
 
 if (err)
 {
- /* Free app session pre-allocated when transport was established */
- if (ctx->tls_type == TRANSPORT_PROTO_TLS)
- session_free (session_get (ctx->c_s_index, ctx->c_thread_index));
 ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
 goto send_reply;
 }
 
- /* For DTLS the app session is not preallocated because the underlying udp
- * session might migrate to a different worker during the handshake */
+ app_session = session_alloc (ctx->c_thread_index);
+ app_session->session_state = SESSION_STATE_CREATED;
+ app_session->connection_index = ctx->tls_ctx_handle;
+
 if (ctx->tls_type == TRANSPORT_PROTO_DTLS)
 {
- session_type_t st;
 /* Cleanup half-open session as we don't get notification from udp */
 session_half_open_delete_notify (&ctx->connection);
- app_session = session_alloc (ctx->c_thread_index);
- app_session->session_state = SESSION_STATE_CREATED;
- ctx->c_s_index = app_session->session_index;
- st =
+ app_session->session_type =
 session_type_from_proto_and_ip (TRANSPORT_PROTO_DTLS, ctx->tcp_is_ip4);
- app_session->session_type = st;
- app_session->connection_index = ctx->tls_ctx_handle;
 }
 else
 {
- app_session = session_get (ctx->c_s_index, ctx->c_thread_index);
+ app_session->session_type =
+ session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
 }
 
 app_session->app_wrk_index = ctx->parent_app_wrk_index;
 app_session->opaque = ctx->parent_app_api_context;
+ ctx->c_s_index = app_session->session_index;
 
 if ((err = app_worker_init_connected (app_wrk, app_session)))
 {
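Review bot: `ctx->c_s_index = app_session->session_index;` is assigned before `app_worker_init_connected` has succeeded, and the session it names is now allocated inside this function rather than earlier. The failure branch opens on the hunk's last lines and its body is outside the hunk, so it cannot be checked here; if it frees `app_session`, it should also set `ctx->c_s_index = SESSION_INVALID_INDEX;` alongside `TLS_CONN_F_NO_APP_SESSION`, otherwise the ctx keeps an index the pool can hand to another connection. `tls_notify_app_accept` has the same ordering ahead of `app_worker_init_accepted`. Moving the assignment to after the init call succeeds would avoid the stale index in both places.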
@@ -494,7 +488,7 @@ tls_session_disconnect_callback (session_t * tls_session)
 int
 tls_session_accept_callback (session_t * tls_session)
 {
- session_t *tls_listener, *app_session;
+ session_t *tls_listener;
 tls_ctx_t *lctx, *ctx;
 u32 ctx_handle;
 
@@ -514,23 +508,12 @@ tls_session_accept_callback (session_t * tls_session)
 ctx->c_flags |= TRANSPORT_CONNECTION_F_NO_LOOKUP;
 ctx->ckpair_index = lctx->ckpair_index;
 
- /* Preallocate app session. Avoids allocating a session post handshake
- * on tls_session rx and potentially invalidating the session pool */
- app_session = session_alloc (ctx->c_thread_index);
- app_session->session_state = SESSION_STATE_CREATED;
- app_session->session_type =
- session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
- app_session->connection_index = ctx->tls_ctx_handle;
- app_session->app_wrk_index = APP_INVALID_INDEX;
- ctx->c_s_index = app_session->session_index;
-
 TLS_DBG (1, "Accept on listener %u new connection [%u]%x", tls_listener->opaque, vlib_get_thread_index (), ctx_handle);
 if (tls_ctx_init_server (ctx))
 {
 /* Do not free ctx yet, in case we have pending rx events */
- session_free (app_session);
 ctx->flags |= TLS_CONN_F_NO_APP_SESSION;
 tls_disconnect_transport (ctx);
 }
@@ -577,9 +560,7 @@ int
 tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index,
 session_t *tls_session, session_error_t err)
 {
- session_t *app_session;
 tls_ctx_t *ho_ctx, *ctx;
- session_type_t st;
 u32 ctx_handle;
 
 ho_ctx = tls_ctx_half_open_get (ho_ctx_index);
@@ -603,15 +584,6 @@ tls_session_connected_cb (u32 tls_app_index, u32 ho_ctx_index,
 tls_session->opaque = ctx_handle;
 tls_session->session_state = SESSION_STATE_READY;
 
- /* Preallocate app session. Avoids allocating a session post handshake
- * on tls_session rx and potentially invalidating the session pool */
- app_session = session_alloc (ctx->c_thread_index);
- app_session->session_state = SESSION_STATE_CREATED;
- ctx->c_s_index = app_session->session_index;
- st = session_type_from_proto_and_ip (TRANSPORT_PROTO_TLS, ctx->tcp_is_ip4);
- app_session->session_type = st;
- app_session->connection_index = ctx->tls_ctx_handle;
-
 if (tls_ctx_init_client (ctx))
 {
 tls_notify_app_connected (ctx, SESSION_E_TLS_HANDSHAKE); |