diff options
author | Florin Coras <fcoras@cisco.com> | 2020-12-16 17:05:56 -0800 |
---|---|---|
committer | Dave Barach <openvpp@barachs.net> | 2020-12-18 22:28:03 +0000 |
commit | 5b8b1aec213baf65d3051c849f5f3deff37d06b5 (patch) | |
tree | cfdcaa17dad3c48b27c8e358fbb4b6b53e3e9523 /src/plugins/tlsopenssl/tls_openssl.c | |
parent | 8b60fb0fe6e29aac1847c0b381c0f84165b27b61 (diff) |
tls: add custom openssl bio
The bio interacts directly with the session so it avoids using an
intermediary mem bio and, implicitly, higher memory consumption and an
extra memcpy.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ifb675cfd12df86396a7a738a6cd4d0882c69ad2f
Diffstat (limited to 'src/plugins/tlsopenssl/tls_openssl.c')
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 209 |
1 files changed, 26 insertions, 183 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 669a503487f..5e49dbfe6c9 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -26,6 +26,7 @@ #include <vnet/tls/tls.h> #include <ctype.h> #include <tlsopenssl/tls_openssl.h> +#include <tlsopenssl/tls_bio.h> #define MAX_CRYPTO_LEN 64 @@ -110,39 +111,6 @@ openssl_lctx_get (u32 lctx_index) } static int -openssl_read_from_bio_into_fifo (svm_fifo_t * f, BIO * bio, u32 enq_max) -{ - svm_fifo_chunk_t *c; - int read, rv; - u32 enq_now; - - svm_fifo_fill_chunk_list (f); - - enq_now = clib_min (svm_fifo_max_write_chunk (f), enq_max); - if (!enq_now) - return 0; - - read = BIO_read (bio, svm_fifo_tail (f), enq_now); - if (read <= 0) - return 0; - - c = svm_fifo_tail_chunk (f); - while ((c = c->next) && read < enq_max) - { - enq_now = clib_min (c->length, enq_max - read); - rv = BIO_read (bio, c->data, enq_now); - read += rv > 0 ? rv : 0; - - if (rv < enq_now) - break; - } - - svm_fifo_enqueue_nocopy (f, read); - - return read; -} - -static int openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl) { u32 enq_now, enq_max; @@ -180,34 +148,6 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t * f, SSL * ssl) } static int -openssl_write_from_fifo_into_bio (svm_fifo_t * f, BIO * bio, u32 len) -{ - svm_fifo_chunk_t *c; - int wrote, rv; - u32 deq_now; - - deq_now = clib_min (svm_fifo_max_read_chunk (f), len); - wrote = BIO_write (bio, svm_fifo_head (f), deq_now); - if (wrote <= 0) - return 0; - - c = svm_fifo_head_chunk (f); - while ((c = c->next) && wrote < len) - { - deq_now = clib_min (c->length, len - wrote); - rv = BIO_write (bio, c->data, deq_now); - wrote += rv > 0 ? rv : 0; - - if (rv < deq_now) - break; - } - - svm_fifo_dequeue_drop (f, wrote); - - return wrote; -} - -static int openssl_write_from_fifo_into_ssl (svm_fifo_t * f, SSL * ssl, u32 len) { svm_fifo_chunk_t *c; @@ -235,40 +175,6 @@ openssl_write_from_fifo_into_ssl (svm_fifo_t * f, SSL * ssl, u32 len) return wrote; } -static int -openssl_try_handshake_read (openssl_ctx_t * oc, session_t * tls_session) -{ - svm_fifo_t *f; - u32 deq_max; - - f = tls_session->rx_fifo; - deq_max = svm_fifo_max_dequeue_cons (f); - if (!deq_max) - return 0; - - return openssl_write_from_fifo_into_bio (f, oc->wbio, deq_max); -} - -static int -openssl_try_handshake_write (openssl_ctx_t * oc, session_t * tls_session) -{ - u32 read, enq_max; - - if (BIO_ctrl_pending (oc->rbio) <= 0) - return 0; - - enq_max = svm_fifo_max_enqueue_prod (tls_session->tx_fifo); - if (!enq_max) - return 0; - - read = openssl_read_from_bio_into_fifo (tls_session->tx_fifo, oc->rbio, - enq_max); - if (read) - tls_add_vpp_q_tx_evt (tls_session); - - return read; -} - #ifdef HAVE_OPENSSL_ASYNC static int openssl_check_async_status (tls_ctx_t * ctx, openssl_resume_handler * handler, @@ -334,7 +240,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session) { ctx->resume = 0; } - else if (!openssl_try_handshake_read (oc, tls_session)) + else if (!svm_fifo_max_dequeue_cons (tls_session->rx_fifo)) break; rv = SSL_do_handshake (oc->ssl); @@ -357,9 +263,7 @@ openssl_ctx_handshake_rx (tls_ctx_t * ctx, session_t * tls_session) return -1; } - openssl_try_handshake_write (oc, tls_session); - - if (err != SSL_ERROR_WANT_WRITE) + if (err != SSL_ERROR_WANT_WRITE && err != SSL_ERROR_WANT_READ) break; } TLS_DBG (2, "tls state for %u is %s", oc->openssl_ctx_index, @@ -418,25 +322,26 @@ openssl_ctx_write (tls_ctx_t * ctx, session_t * app_session, transport_send_params_t * sp) { openssl_ctx_t *oc = (openssl_ctx_t *) ctx; - int wrote = 0, read, max_buf = 4 * TLS_CHUNK_SIZE, max_space, n_pending; - u32 deq_max, to_write, enq_max; - session_t *tls_session; + u32 deq_max, space, enq_buf; + session_t *ts; + int wrote = 0; svm_fifo_t *f; + ts = session_get_from_handle (ctx->tls_session_handle); + space = svm_fifo_max_enqueue_prod (ts->tx_fifo); + /* Leave a bit of extra space for tls ctrl data, if any needed */ + space = clib_max ((int) space - TLSO_CTRL_BYTES, 0); + f = app_session->tx_fifo; deq_max = svm_fifo_max_dequeue_cons (f); + deq_max = clib_min (deq_max, space); if (!deq_max) goto check_tls_fifo; deq_max = clib_min (deq_max, sp->max_burst_size); - /* Figure out how much data to write */ - max_space = max_buf - BIO_ctrl_pending (oc->rbio); - max_space = (max_space < 0) ? 0 : max_space; - to_write = clib_min (deq_max, (u32) max_space); - - wrote = openssl_write_from_fifo_into_ssl (f, oc->ssl, to_write); + wrote = openssl_write_from_fifo_into_ssl (f, oc->ssl, deq_max); if (!wrote) goto check_tls_fifo; @@ -445,31 +350,11 @@ openssl_ctx_write (tls_ctx_t * ctx, session_t * app_session, check_tls_fifo: - if ((n_pending = BIO_ctrl_pending (oc->rbio)) <= 0) - return wrote; - - tls_session = session_get_from_handle (ctx->tls_session_handle); - - enq_max = svm_fifo_max_enqueue_prod (tls_session->tx_fifo); - if (!enq_max) - goto maybe_reschedule; - - read = openssl_read_from_bio_into_fifo (tls_session->tx_fifo, oc->rbio, - enq_max); - if (!read) - goto maybe_reschedule; - - tls_add_vpp_q_tx_evt (tls_session); - - if (PREDICT_FALSE (ctx->app_closed && !BIO_ctrl_pending (oc->rbio))) - openssl_confirm_app_close (ctx); - -maybe_reschedule: - - if (!svm_fifo_max_enqueue_prod (tls_session->tx_fifo)) + /* Deschedule and wait for deq notification if fifo is almost full */ + enq_buf = clib_min (svm_fifo_size (ts->tx_fifo) / 2, TLSO_MIN_ENQ_SPACE); + if (space < wrote + enq_buf) { - svm_fifo_add_want_deq_ntf (tls_session->tx_fifo, - SVM_FIFO_WANT_DEQ_NOTIF); + svm_fifo_add_want_deq_ntf (ts->tx_fifo, SVM_FIFO_WANT_DEQ_NOTIF); transport_connection_deschedule (&ctx->connection); sp->flags |= TRANSPORT_SND_F_DESCHED; } @@ -483,57 +368,26 @@ maybe_reschedule: static inline int openssl_ctx_read (tls_ctx_t * ctx, session_t * tls_session) { - int read, wrote = 0, max_space, max_buf = 4 * TLS_CHUNK_SIZE; openssl_ctx_t *oc = (openssl_ctx_t *) ctx; - u32 deq_max, to_write; session_t *app_session; + int read, wrote = 0; svm_fifo_t *f; if (PREDICT_FALSE (SSL_in_init (oc->ssl))) { if (openssl_ctx_handshake_rx (ctx, tls_session) < 0) return 0; - else - goto check_app_fifo; - } - - f = tls_session->rx_fifo; - - deq_max = svm_fifo_max_dequeue_cons (f); - max_space = max_buf - BIO_ctrl_pending (oc->wbio); - max_space = max_space < 0 ? 0 : max_space; - to_write = clib_min (deq_max, max_space); - if (!to_write) - goto check_app_fifo; - - wrote = openssl_write_from_fifo_into_bio (f, oc->wbio, to_write); - if (!wrote) - { - tls_add_vpp_q_builtin_rx_evt (tls_session); - goto check_app_fifo; } - if (svm_fifo_max_dequeue_cons (f)) - tls_add_vpp_q_builtin_rx_evt (tls_session); - -check_app_fifo: - - if (BIO_ctrl_pending (oc->wbio) <= 0) - return wrote; - app_session = session_get_from_handle (ctx->app_session_handle); f = app_session->rx_fifo; read = openssl_read_from_ssl_into_fifo (f, oc->ssl); - if (!read) - { - tls_add_vpp_q_builtin_rx_evt (tls_session); - return wrote; - } /* If handshake just completed, session may still be in accepting state */ - if (app_session->session_state >= SESSION_STATE_READY) + if (read && app_session->session_state >= SESSION_STATE_READY) tls_notify_app_enqueue (ctx, app_session); + if (SSL_pending (oc->ssl) > 0) tls_add_vpp_q_builtin_rx_evt (tls_session); @@ -546,7 +400,6 @@ openssl_ctx_init_client (tls_ctx_t * ctx) long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION; openssl_ctx_t *oc = (openssl_ctx_t *) ctx; openssl_main_t *om = &openssl_main; - session_t *tls_session; const SSL_METHOD *method; int rv, err; @@ -587,11 +440,8 @@ openssl_ctx_init_client (tls_ctx_t * ctx) return -1; } - oc->rbio = BIO_new (BIO_s_mem ()); - oc->wbio = BIO_new (BIO_s_mem ()); - - BIO_set_mem_eof_return (oc->rbio, -1); - BIO_set_mem_eof_return (oc->wbio, -1); + oc->rbio = BIO_new_tls (ctx->tls_session_handle); + oc->wbio = BIO_new_tls (ctx->tls_session_handle); SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); SSL_set_connect_state (oc->ssl); @@ -609,16 +459,14 @@ openssl_ctx_init_client (tls_ctx_t * ctx) TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, oc->openssl_ctx_index); - tls_session = session_get_from_handle (ctx->tls_session_handle); - #ifdef HAVE_OPENSSL_ASYNC + session_t *tls_session = session_get_from_handle (ctx->tls_session_handle); vpp_tls_async_init_event (ctx, openssl_ctx_handshake_rx, tls_session); #endif while (1) { rv = SSL_do_handshake (oc->ssl); err = SSL_get_error (oc->ssl, rv); - openssl_try_handshake_write (oc, tls_session); #ifdef HAVE_OPENSSL_ASYNC if (err == SSL_ERROR_WANT_ASYNC) { @@ -751,7 +599,6 @@ openssl_ctx_init_server (tls_ctx_t * ctx) openssl_ctx_t *oc = (openssl_ctx_t *) ctx; u32 olc_index = ctx->tls_ssl_ctx; openssl_listen_ctx_t *olc; - session_t *tls_session; int rv, err; /* Start a new connection */ @@ -764,11 +611,8 @@ openssl_ctx_init_server (tls_ctx_t * ctx) return -1; } - oc->rbio = BIO_new (BIO_s_mem ()); - oc->wbio = BIO_new (BIO_s_mem ()); - - BIO_set_mem_eof_return (oc->rbio, -1); - BIO_set_mem_eof_return (oc->wbio, -1); + oc->rbio = BIO_new_tls (ctx->tls_session_handle); + oc->wbio = BIO_new_tls (ctx->tls_session_handle); SSL_set_bio (oc->ssl, oc->wbio, oc->rbio); SSL_set_accept_state (oc->ssl); @@ -776,15 +620,14 @@ openssl_ctx_init_server (tls_ctx_t * ctx) TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index, oc->openssl_ctx_index); - tls_session = session_get_from_handle (ctx->tls_session_handle); #ifdef HAVE_OPENSSL_ASYNC + session_t *tls_session = session_get_from_handle (ctx->tls_session_handle); vpp_tls_async_init_event (ctx, openssl_ctx_handshake_rx, tls_session); #endif while (1) { rv = SSL_do_handshake (oc->ssl); err = SSL_get_error (oc->ssl, rv); - openssl_try_handshake_write (oc, tls_session); #ifdef HAVE_OPENSSL_ASYNC if (err == SSL_ERROR_WANT_ASYNC) { |