author | Florin Coras <fcoras@cisco.com> | 2018-02-21 12:07:41 -0800 |
---|---|---|
committer | Dave Barach <openvpp@barachs.net> | 2018-03-02 12:54:31 +0000 |
commit | 371ca50a74a9c4f1b74c4c1b65c6fdec610fcfc3 (patch) | |
tree | 947e800faa7846223bdf8fb73429c657ddaf5805 /src/vnet/session | |
parent | 9e6356962a0cbb84f7ea9056b954d65aaa231a61 (diff) |
session: first approximation implementation of tls
It consists of two main parts. First, add an application transport type
whereby applications can offer transport to other applications. For
instance, a tls app can offer transport services to other applications.
And second, a tls transport app that leverages the mbedtls library for
tls protocol implementation.
Change-Id: I616996c6e6539a9e2368fab8a1ac874d7c5d9838
Signed-off-by: Florin Coras <fcoras@cisco.com>
Diffstat (limited to 'src/vnet/session')
-rw-r--r-- | src/vnet/session/application.c | 45 | ||||
-rw-r--r-- | src/vnet/session/application.h | 32 | ||||
-rw-r--r-- | src/vnet/session/application_interface.c | 92 | ||||
-rw-r--r-- | src/vnet/session/application_interface.h | 39 | ||||
-rw-r--r-- | src/vnet/session/session.api | 28 | ||||
-rw-r--r-- | src/vnet/session/session.c | 222 | ||||
-rw-r--r-- | src/vnet/session/session.h | 23 | ||||
-rwxr-xr-x | src/vnet/session/session_api.c | 60 | ||||
-rw-r--r-- | src/vnet/session/session_debug.h | 2 | ||||
-rw-r--r-- | src/vnet/session/session_node.c | 18 | ||||
-rw-r--r-- | src/vnet/session/session_test.c | 10 | ||||
-rw-r--r-- | src/vnet/session/stream_session.h | 33 | ||||
-rw-r--r-- | src/vnet/session/transport.c | 4 | ||||
-rw-r--r-- | src/vnet/session/transport.h | 34 | ||||
-rw-r--r-- | src/vnet/session/transport_interface.h | 35 |
15 files changed, 525 insertions, 152 deletions
diff --git a/src/vnet/session/application.c b/src/vnet/session/application.c index b80aa3391a6..12f816bfe3b 100644 --- a/src/vnet/session/application.c +++ b/src/vnet/session/application.c @@ -209,6 +209,9 @@ application_del (application_t * app) */ application_local_sessions_del (app); + vec_free (app->tls_cert); + vec_free (app->tls_key); + application_table_del (app); pool_put (app_pool, app); } @@ -473,10 +476,22 @@ int application_open_session (application_t * app, session_endpoint_t * sep, u32 api_context) { - segment_manager_t *sm; int rv; /* Make sure we have a segment manager for connects */ + application_alloc_connects_segment_manager (app); + + if ((rv = session_open (app->index, sep, api_context))) + return rv; + + return 0; +} + +int +application_alloc_connects_segment_manager (application_t * app) +{ + segment_manager_t *sm; + if (app->connects_seg_manager == APP_INVALID_SEGMENT_MANAGER_INDEX) { sm = application_alloc_segment_manager (app); @@ -484,10 +499,6 @@ application_open_session (application_t * app, session_endpoint_t * sep, return -1; app->connects_seg_manager = segment_manager_index (sm); } - - if ((rv = session_open (app->index, sep, api_context))) - return rv; - return 0; } 
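Review bot: `vec_free (app->tls_key)` in application_del releases the PEM private key without wiping it first, so the key bytes stay in freed heap memory until something else reuses the block. A wipe ahead of the free is cheap, e.g. `if (app->tls_key) memset (app->tls_key, 0, vec_len (app->tls_key));` before the `vec_free`; since a plain memset immediately before a free can be elided by the compiler, use a volatile or explicit-bzero style wipe if the project provides one. The certificate is public and needs no such treatment. application_del's body begins outside the hunk.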
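Review bot: The return value of `application_alloc_connects_segment_manager (app)` is discarded in application_open_session, so when segment-manager allocation fails (the helper returns -1 and leaves `connects_seg_manager` at the invalid index) the code still proceeds into `session_open`. The equivalent of the previous behaviour is `if (application_alloc_connects_segment_manager (app)) return -1;`. I'd also give the new helper a one-line doxygen comment, `/** Allocate the app's connects segment manager if it has none; 0 on success, -1 on allocation failure */`, so callers know the return value carries meaning.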
@@ -1156,6 +1167,30 @@ application_local_sessions_del (application_t * app) segment_manager_del (sm); } +clib_error_t * +vnet_app_add_tls_cert (vnet_app_add_tls_cert_args_t * a) +{ + application_t *app; + app = application_get (a->app_index); + if (!app) + return clib_error_return_code (0, VNET_API_ERROR_APPLICATION_NOT_ATTACHED, + 0, "app %u doesn't exist", a->app_index); + app->tls_cert = vec_dup (a->cert); + return 0; +} + +clib_error_t * +vnet_app_add_tls_key (vnet_app_add_tls_key_args_t * a) +{ + application_t *app; + app = application_get (a->app_index); + if (!app) + return clib_error_return_code (0, VNET_API_ERROR_APPLICATION_NOT_ATTACHED, + 0, "app %u doesn't exist", a->app_index); + app->tls_key = vec_dup (a->key); + return 0; +} + u8 * format_application_listener (u8 * s, va_list * args) { diff --git a/src/vnet/session/application.h b/src/vnet/session/application.h index 6fb0f066ad3..8e5c2de0494 100644 --- a/src/vnet/session/application.h +++ b/src/vnet/session/application.h @@ -20,12 +20,6 @@ #include <vnet/session/session.h> #include <vnet/session/segment_manager.h> #include <vnet/session/application_namespace.h> -typedef enum -{ - APP_SERVER, - APP_CLIENT, - APP_N_TYPES -} application_type_t; typedef struct _stream_session_cb_vft { @@ -49,8 +43,11 @@ typedef struct _stream_session_cb_vft /** Notify app that session was reset */ void (*session_reset_callback) (stream_session_t * s); - /** Direct RX callback, for built-in servers */ - int (*builtin_server_rx_callback) (stream_session_t * session); + /** Direct RX callback for built-in application */ + int (*builtin_app_rx_callback) (stream_session_t * session); + + /** Direct TX callback for built-in application */ + int (*builtin_app_tx_callback) (stream_session_t * session); } session_cb_vft_t; 
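Review bot: `app->tls_key = vec_dup (a->key)` in vnet_app_add_tls_key overwrites any previously installed key without freeing it, so re-sending a key (rotation, or a retry) leaks the old vector and leaves the old private key lying in memory; vnet_app_add_tls_cert has the same leak for the certificate. Release the old copy first, wiping the key one: `if (app->tls_key) memset (app->tls_key, 0, vec_len (app->tls_key)); vec_free (app->tls_key);` ahead of the `vec_dup`. Neither function checks that the input is non-empty or is parseable PEM; presumably the TLS transport validates at listen time, but a doxygen comment on both stating that the data is copied, that the caller keeps ownership of `a->key`/`a->cert`, and that no validation happens here would make that contract explicit.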
@@ -118,6 +115,16 @@ typedef struct _application /** Hash table of the app's local connects */ uword *local_connects; + + /* + * TLS Specific + */ + + /** Certificate to be used for listen sessions */ + u8 *tls_cert; + + /** PEM encoded key */ + u8 *tls_key; } application_t; #define APP_INVALID_INDEX ((u32)~0) @@ -152,6 +159,8 @@ segment_manager_t *application_get_listen_segment_manager (application_t * ls); segment_manager_t *application_get_connect_segment_manager (application_t * app); +int application_alloc_connects_segment_manager (application_t * app); + int application_is_proxy (application_t * app); int application_is_builtin (application_t * app); int application_is_builtin_proxy (application_t * app); @@ -245,6 +254,13 @@ application_local_session_listener_has_transport (local_session_t * ls) return (tp != TRANSPORT_PROTO_NONE); } +void send_local_session_disconnect_callback (u32 app_index, + local_session_t * ls); + +int application_connect (u32 client_index, u32 api_context, + session_endpoint_t * sep); + +uword unformat_application_proto (unformat_input_t * input, va_list * args); #endif /* SRC_VNET_SESSION_APPLICATION_H_ */ diff --git a/src/vnet/session/application_interface.c b/src/vnet/session/application_interface.c index fd079b5147b..12a5701fdf3 100644 --- a/src/vnet/session/application_interface.c +++ b/src/vnet/session/application_interface.c 
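Review bot: The new `tls_cert` and `tls_key` members of application_t are documented only as "Certificate to be used for listen sessions" and "PEM encoded key", which leaves ownership, lifetime and sensitivity unstated. I'd write them as `/** Certificate for listen sessions; clib vec owned by the app, freed in application_del */` and `/** PEM encoded private key matching tls_cert; sensitive, clib vec owned by the app, freed in application_del */`. Whether the certificate is also expected in PEM form is not visible in this header, so confirm against the TLS transport before stating it there.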
@@ -22,6 +22,61 @@ VPP's application/session API bind/unbind/connect/disconnect calls */ +/* + * TLS server cert and keys to be used for testing only + */ +const char test_srv_crt_rsa[] = + "-----BEGIN CERTIFICATE-----\r\n" + "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" + "MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" + "MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" + "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" + "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" + "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" + "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" + "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" + "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" + "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" + "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" + "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJxnXClY\r\n" + "oHkbp70cqBrsGXLybA74czbO5RdLEgFs7rHVS9r+c293luS/KdliLScZqAzYVylw\r\n" + "UfRWvKMoWhHYKp3dEIS4xTXk6/5zXxhv9Rw8SGc8qn6vITHk1S1mPevtekgasY5Y\r\n" + "iWQuM3h4YVlRH3HHEMAD1TnAexfXHHDFQGe+Bd1iAbz1/sH9H8l4StwX6egvTK3M\r\n" + "wXRwkKkvjKaEDA9ATbZx0mI8LGsxSuCqe9r9dyjmttd47J1p1Rulz3CLzaRcVIuS\r\n" + "RRQfaD8neM9c1S/iJ/amTVqJxA1KOdOS5780WhPfSArA+g4qAmSjelc3p4wWpha8\r\n" + "zhuYwjVuX6JHG0c=\r\n" "-----END CERTIFICATE-----\r\n"; +const u32 test_srv_crt_rsa_len = sizeof (test_srv_crt_rsa); + +const char test_srv_key_rsa[] = + "-----BEGIN RSA PRIVATE KEY-----\r\n" + "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" + "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" + "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" + "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" + 
"GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" + "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" + "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" + "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" + "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" + "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" + "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" + "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" + "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" + "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" + "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" + "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" + "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" + "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" + "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" + "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" + "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" + "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" + "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" + "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" + "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n" + "-----END RSA PRIVATE KEY-----\r\n"; +const u32 test_srv_key_rsa_len = sizeof (test_srv_key_rsa); + static u8 session_endpoint_is_local (session_endpoint_t * sep) { 
@@ -179,8 +234,8 @@ vnet_unbind_i (u32 app_index, session_handle_t handle) } int -vnet_connect_i (u32 client_index, u32 api_context, session_endpoint_t * sep, - void *mp) +application_connect (u32 client_index, u32 api_context, + session_endpoint_t * sep) { application_t *server, *client; u32 table_index, server_index, li; @@ -277,22 +332,23 @@ uword unformat_vnet_uri (unformat_input_t * input, va_list * args) { session_endpoint_t *sep = va_arg (*args, session_endpoint_t *); - u32 transport_proto = 0; - if (unformat (input, "%U://%U/%d", unformat_transport_proto, - &transport_proto, unformat_ip4_address, &sep->ip.ip4, - &sep->port)) + u32 transport_proto = 0, port; + + if (unformat + (input, "%U://%U/%d", unformat_transport_proto, &transport_proto, + unformat_ip4_address, &sep->ip.ip4, &port)) { sep->transport_proto = transport_proto; - sep->port = clib_host_to_net_u16 (sep->port); + sep->port = clib_host_to_net_u16 (port); sep->is_ip4 = 1; return 1; } - if (unformat (input, "%U://%U/%d", unformat_transport_proto, - &transport_proto, unformat_ip6_address, &sep->ip.ip6, - &sep->port)) + else if (unformat (input, "%U://%U/%d", unformat_transport_proto, + &transport_proto, unformat_ip6_address, &sep->ip.ip6, + &port)) { sep->transport_proto = transport_proto; - sep->port = clib_host_to_net_u16 (sep->port); + sep->port = clib_host_to_net_u16 (port); sep->is_ip4 = 0; return 1; } @@ -440,8 +496,8 @@ vnet_bind_uri (vnet_bind_args_t * a) int vnet_unbind_uri (vnet_unbind_args_t * a) { - stream_session_t *listener; session_endpoint_t sep = SESSION_ENDPOINT_NULL; + stream_session_t *listener; int rv; rv = parse_uri (a->uri, &sep); 
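Review bot: unformat_vnet_uri parses the port with `%d` into the u32 `port` and then narrows it with `clib_host_to_net_u16 (port)`, so a URI such as `tcp://1.2.3.4/70000` is accepted and silently maps to port 4464 instead of being rejected. Add a range check after each successful match, `if (port > 65535) return 0;`, before assigning `sep->port`. `%d` also accepts a negative value into the unsigned variable, which the same check catches once the value has wrapped. The function's no-match tail lies outside the hunk.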
@@ -459,15 +515,15 @@ vnet_unbind_uri (vnet_unbind_args_t * a) clib_error_t * vnet_connect_uri (vnet_connect_args_t * a) { - session_endpoint_t sep_null = SESSION_ENDPOINT_NULL; + session_endpoint_t sep = SESSION_ENDPOINT_NULL; int rv; /* Parse uri */ - a->sep = sep_null; - rv = parse_uri (a->uri, &a->sep); + rv = parse_uri (a->uri, &sep); if (rv) return clib_error_return_code (0, rv, 0, "app init: %d", rv); - if ((rv = vnet_connect_i (a->app_index, a->api_context, &a->sep, a->mp))) + + if ((rv = application_connect (a->app_index, a->api_context, &sep))) return clib_error_return_code (0, rv, 0, "connect failed"); return 0; } @@ -523,8 +579,10 @@ vnet_unbind (vnet_unbind_args_t * a) clib_error_t * vnet_connect (vnet_connect_args_t * a) { + session_endpoint_t *sep = &a->sep; int rv; - if ((rv = vnet_connect_i (a->app_index, a->api_context, &a->sep, a->mp))) + + if ((rv = application_connect (a->app_index, a->api_context, sep))) return clib_error_return_code (0, rv, 0, "connect failed"); return 0; } diff --git a/src/vnet/session/application_interface.h b/src/vnet/session/application_interface.h index 4b7a2dfa66c..2ab09d6f52d 100644 --- a/src/vnet/session/application_interface.h +++ b/src/vnet/session/application_interface.h @@ -30,7 +30,7 @@ typedef struct _vnet_app_attach_args_t /** Application and segment manager options */ u64 *options; - /* Namespace id */ + /** ID of the namespace the app has access to */ u8 *namespace_id; /** Session to application callback functions */ @@ -80,8 +80,11 @@ typedef struct _vnet_unbind_args_t typedef struct _vnet_connect_args { - char *uri; - session_endpoint_t sep; + union + { + char *uri; + session_endpoint_t sep; + }; u32 app_index; u32 api_context; 
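Review bot: Turning `uri` and `sep` into an anonymous union in vnet_connect_args_t means the two entry points read overlapping storage: vnet_connect_uri parses `a->uri` into a local endpoint while vnet_connect reads `a->sep` directly, so a caller that fills `sep` and then sets `uri` (or the reverse) silently corrupts the member the other function reads. At minimum document the contract on the struct: `/** Either a URI (read by vnet_connect_uri) or a parsed endpoint (read by vnet_connect); they overlap, so set only the one your entry point uses */`. The `"app init: %d"` text in vnet_connect_uri also describes a URI parse failure, so `"parse uri: %d"` would be a more accurate error.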
@@ -96,6 +99,18 @@ typedef struct _vnet_disconnect_args_t u32 app_index; } vnet_disconnect_args_t; +typedef struct _vnet_application_add_tls_cert_args_t +{ + u32 app_index; + u8 *cert; +} vnet_app_add_tls_cert_args_t; + +typedef struct _vnet_application_add_tls_key_args_t +{ + u32 app_index; + u8 *key; +} vnet_app_add_tls_key_args_t; + /* Application attach options */ typedef enum { @@ -136,24 +151,24 @@ typedef enum _app_options_flags #undef _ } app_options_flags_t; -clib_error_t *vnet_application_attach (vnet_app_attach_args_t * a); -int vnet_application_detach (vnet_app_detach_args_t * a); - int vnet_bind_uri (vnet_bind_args_t *); int vnet_unbind_uri (vnet_unbind_args_t * a); clib_error_t *vnet_connect_uri (vnet_connect_args_t * a); -int vnet_disconnect_session (vnet_disconnect_args_t * a); +clib_error_t *vnet_application_attach (vnet_app_attach_args_t * a); clib_error_t *vnet_bind (vnet_bind_args_t * a); clib_error_t *vnet_connect (vnet_connect_args_t * a); clib_error_t *vnet_unbind (vnet_unbind_args_t * a); +int vnet_application_detach (vnet_app_detach_args_t * a); +int vnet_disconnect_session (vnet_disconnect_args_t * a); -int -api_parse_session_handle (u64 handle, u32 * session_index, - u32 * thread_index); +clib_error_t *vnet_app_add_tls_cert (vnet_app_add_tls_cert_args_t * a); +clib_error_t *vnet_app_add_tls_key (vnet_app_add_tls_key_args_t * a); -void send_local_session_disconnect_callback (u32 app_index, - local_session_t * ls); +extern const char test_srv_crt_rsa[]; +extern const u32 test_srv_crt_rsa_len; +extern const char test_srv_key_rsa[]; +extern const u32 test_srv_key_rsa_len; #endif /* __included_uri_h__ */ diff --git a/src/vnet/session/session.api b/src/vnet/session/session.api index a6739fc61bf..336b51cd333 100644 --- a/src/vnet/session/session.api +++ b/src/vnet/session/session.api 
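Review bot: The `extern const char test_srv_key_rsa[]` and `test_srv_crt_rsa` declarations in application_interface.h make a hard-coded private key part of the session layer's public interface, so every consumer of this header can reach it and the symbol presumably stays exported from the built library. If built-in test apps need the blobs, a separate test-only header, or a `#ifdef` around these four declarations, keeps them out of the production API surface. The new vnet_app_add_tls_cert_args_t and vnet_app_add_tls_key_args_t also lack doxygen; I'd state that `cert`/`key` are clib vectors holding PEM text which the callee copies, so the caller retains ownership and must free its own buffer.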
@@ -51,6 +51,34 @@ define application_attach_reply { u8 segment_name[128]; }; +/** \brief Application add TLS certificate + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param cert_len - certificate length + @param cert - certificate as a string +*/ +autoreply define application_tls_cert_add { + u32 client_index; + u32 context; + u32 app_index; + u16 cert_len; + u8 cert[cert_len]; +}; + +/** \brief Application add TLS key + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param key_len - certificate length + @param key - PEM encoded key as a string +*/ +autoreply define application_tls_key_add { + u32 client_index; + u32 context; + u32 app_index; + u16 key_len; + u8 key[key_len]; +}; + /** \brief client->vpp, attach application to session layer @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/vnet/session/session.c b/src/vnet/session/session.c index de3cbc57d66..09e3ded6dff 100644 --- a/src/vnet/session/session.c +++ b/src/vnet/session/session.c @@ -103,7 +103,7 @@ session_alloc (u32 thread_index) return s; } -static void +void session_free (stream_session_t * s) { pool_put (session_manager_main.sessions[s->thread_index], s); @@ -111,7 +111,7 @@ session_free (stream_session_t * s) memset (s, 0xFA, sizeof (*s)); } -static int +int session_alloc_fifos (segment_manager_t * sm, stream_session_t * s) { svm_fifo_t *server_rx_fifo = 0, *server_tx_fifo = 0; 
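Review bot: The application_tls_key_add doc block in session.api describes `key_len` as "certificate length", a copy-paste from the cert message; it should read `@param key_len - key length`. Both messages should also say what the blob is and whether a terminating NUL is expected inside the length, e.g. `@param key - PEM encoded private key (sensitive), cert_len/key_len bytes, no terminator required`, since `u8 cert[cert_len]` and `u8 key[key_len]` carry raw bytes and a client cannot tell from the definition; confirm the terminator convention against the handler. A u16 length caps each blob at 64 KiB, which fits a PEM key or single certificate but not a long chain; if chains are intended, state the limit.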
@@ -463,9 +463,9 @@ session_enqueue_notify (stream_session_t * s, u8 block) return 0; } - /* Built-in server? Hand event to the callback... */ - if (app->cb_fns.builtin_server_rx_callback) - return app->cb_fns.builtin_server_rx_callback (s); + /* Built-in app? Hand event to the callback... */ + if (app->cb_fns.builtin_app_rx_callback) + return app->cb_fns.builtin_app_rx_callback (s); /* If no event, send one */ if (svm_fifo_set_event (s->server_rx_fifo)) @@ -548,13 +548,13 @@ stream_session_init_fifos_pointers (transport_connection_t * tc, int session_stream_connect_notify (transport_connection_t * tc, u8 is_fail) { - application_t *app; + u32 opaque = 0, new_ti, new_si; stream_session_t *new_s = 0; - u64 handle; - u32 opaque = 0; - int error = 0; segment_manager_t *sm; + application_t *app; u8 alloc_fifos; + int error = 0; + u64 handle; /* * Find connection handle and cleanup half-open table @@ -588,7 +588,11 @@ session_stream_connect_notify (transport_connection_t * tc, u8 is_fail) error = -1; } else - new_s->app_index = app->index; + { + new_s->app_index = app->index; + new_si = new_s->session_index; + new_ti = new_s->thread_index; + } } /* @@ -599,12 +603,18 @@ session_stream_connect_notify (transport_connection_t * tc, u8 is_fail) { SESSION_DBG ("failed to notify app"); if (!is_fail) - stream_session_disconnect_transport (new_s); + { + new_s = session_get (new_si, new_ti); + stream_session_disconnect_transport (new_s); + } } else { if (!is_fail) - new_s->session_state = SESSION_STATE_READY; + { + new_s = session_get (new_si, new_ti); + new_s->session_state = SESSION_STATE_READY; + } } return error; 
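Review bot: In session_stream_connect_notify, `new_si` and `new_ti` are assigned only when `session_alloc_and_init` succeeds, yet both re-fetch paths `new_s = session_get (new_si, new_ti)` are guarded solely by `!is_fail`; if the branch marked "failed to notify app" can also be reached after an allocation failure (`error = -1`, `new_s` still 0) the lookup runs on uninitialized indices. The condition selecting between the two branches is outside the hunk, so I cannot confirm that path is reachable, but initializing both to `~0` at declaration and guarding the lookups with `!is_fail && new_si != ~0` makes the code safe regardless. The function continues past the end of the hunk.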
@@ -790,21 +800,8 @@ stream_session_accept (transport_connection_t * tc, u32 listener_index, return 0; } -/** - * Ask transport to open connection to remote transport endpoint. - * - * Stores handle for matching request with reply since the call can be - * asynchronous. For instance, for TCP the 3-way handshake must complete - * before reply comes. Session is only created once connection is established. - * - * @param app_index Index of the application requesting the connect - * @param st Session type requested. - * @param tep Remote transport endpoint - * @param opaque Opaque data (typically, api_context) the application expects - * on open completion. - */ int -session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) +session_open_cl (u32 app_index, session_endpoint_t * rmt, u32 opaque) { transport_connection_t *tc; transport_endpoint_t *tep; 
@@ -812,7 +809,44 @@ session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) stream_session_t *s; application_t *app; int rv; + + tep = session_endpoint_to_transport (rmt); + rv = tp_vfts[rmt->transport_proto].open (tep); + if (rv < 0) + { + SESSION_DBG ("Transport failed to open connection."); + return VNET_API_ERROR_SESSION_CONNECT; + } + + tc = tp_vfts[rmt->transport_proto].get_half_open ((u32) rv); + + /* For dgram type of service, allocate session and fifos now. + */ + app = application_get (app_index); + sm = application_get_connect_segment_manager (app); + + if (session_alloc_and_init (sm, tc, 1, &s)) + return -1; + s->app_index = app->index; + s->session_state = SESSION_STATE_CONNECTING_READY; + + /* Tell the app about the new event fifo for this session */ + app->cb_fns.session_connected_callback (app->index, opaque, s, 0); + + return 0; +} + +int +session_open_vc (u32 app_index, session_endpoint_t * rmt, u32 opaque) +{ + transport_connection_t *tc; + transport_endpoint_t *tep; u64 handle; + int rv; + + /* TODO until udp is fixed */ + if (rmt->transport_proto == TRANSPORT_PROTO_UDP) + return session_open_cl (app_index, rmt, opaque); tep = session_endpoint_to_transport (rmt); rv = tp_vfts[rmt->transport_proto].open (tep); 
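Review bot: In session_open_cl, when `session_alloc_and_init` fails the function returns -1 after the transport's `open` has already succeeded, so the connection obtained through `get_half_open` is never released and the application is never told; the failure a few lines earlier returns `VNET_API_ERROR_SESSION_CONNECT`, so the two error paths also disagree on the code. Returning the same `VNET_API_ERROR_SESSION_CONNECT` and releasing the transport connection through whichever close/cleanup hook the vft offers (not visible here) would make the path consistent. The `/* TODO until udp is fixed */` redirect in session_open_vc deserves a sentence on what is broken, since without it nobody can tell when the special case may go.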
@@ -826,38 +860,60 @@ session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) /* If transport offers a stream service, only allocate session once the * connection has been established. + * Add connection to half-open table and save app and tc index. The + * latter is needed to help establish the connection while the former + * is needed when the connect notify comes and we have to notify the + * external app */ - if (transport_is_stream (rmt->transport_proto)) - { - /* Add connection to half-open table and save app and tc index. The - * latter is needed to help establish the connection while the former - * is needed when the connect notify comes and we have to notify the - * external app - */ - handle = (((u64) app_index) << 32) | (u64) tc->c_index; - session_lookup_add_half_open (tc, handle); - - /* Store api_context (opaque) for when the reply comes. Not the nicest - * thing but better than allocating a separate half-open pool. - */ - tc->s_index = opaque; - } - /* For dgram type of service, allocate session and fifos now. + handle = (((u64) app_index) << 32) | (u64) tc->c_index; + session_lookup_add_half_open (tc, handle); + + /* Store api_context (opaque) for when the reply comes. Not the nicest + * thing but better than allocating a separate half-open pool. 
*/ - else - { - app = application_get (app_index); - sm = application_get_connect_segment_manager (app); + tc->s_index = opaque; + return 0; +} - if (session_alloc_and_init (sm, tc, 1, &s)) - return -1; - s->app_index = app->index; - s->session_state = SESSION_STATE_CONNECTING_READY; +int +session_open_app (u32 app_index, session_endpoint_t * rmt, u32 opaque) +{ + session_endpoint_extended_t sep; + clib_memcpy (&sep, rmt, sizeof (*rmt)); + sep.app_index = app_index; + sep.opaque = opaque; - /* Tell the app about the new event fifo for this session */ - app->cb_fns.session_connected_callback (app->index, opaque, s, 0); - } - return 0; + return tp_vfts[rmt->transport_proto].open ((transport_endpoint_t *) & sep); +} + +typedef int (*session_open_service_fn) (u32, session_endpoint_t *, u32); + +/* *INDENT-OFF* */ +static session_open_service_fn session_open_srv_fns[TRANSPORT_N_SERVICES] = { + session_open_vc, + session_open_cl, + session_open_app, +}; +/* *INDENT-ON* */ + +/** + * Ask transport to open connection to remote transport endpoint. + * + * Stores handle for matching request with reply since the call can be + * asynchronous. For instance, for TCP the 3-way handshake must complete + * before reply comes. Session is only created once connection is established. + * + * @param app_index Index of the application requesting the connect + * @param st Session type requested. + * @param tep Remote transport endpoint + * @param opaque Opaque data (typically, api_context) the application expects + * on open completion. + */ +int +session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) +{ + transport_service_type_t tst = tp_vfts[rmt->transport_proto].service_type; + return session_open_srv_fns[tst] (app_index, rmt, opaque); } /** 
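Review bot: session_open dispatches through `session_open_srv_fns[tp_vfts[rmt->transport_proto].service_type]` with no check that `rmt->transport_proto` names a registered transport; the value comes from URI parsing and the binary API, and for an unregistered protocol `service_type` (and the `open` pointer the chosen function then calls) is whatever the table happens to hold, or out of bounds if tp_vfts is a vector. A guard before the lookup, `if (!tp_vfts[rmt->transport_proto].open) return VNET_API_ERROR_INVALID_VALUE;` or a range check against the number of registered vfts, closes that. session_open_app also copies the endpoint into a session_endpoint_extended_t and passes it as a transport_endpoint_t, which is only sound while the extended struct keeps the transport endpoint fields as its prefix; a comment at the cast stating that dependence would help the next maintainer.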
@@ -869,7 +925,7 @@ session_open (u32 app_index, session_endpoint_t * rmt, u32 opaque) * @param tep Local endpoint to be listened on. */ int -stream_session_listen (stream_session_t * s, session_endpoint_t * sep) +session_listen_vc (stream_session_t * s, session_endpoint_t * sep) { transport_connection_t *tc; u32 tci; @@ -895,6 +951,36 @@ stream_session_listen (stream_session_t * s, session_endpoint_t * sep) return 0; } +int +session_listen_app (stream_session_t * s, session_endpoint_t * sep) +{ + session_endpoint_extended_t esep; + clib_memcpy (&esep, sep, sizeof (*sep)); + esep.app_index = s->app_index; + + return tp_vfts[sep->transport_proto].bind (s->session_index, + (transport_endpoint_t *) & esep); +} + +typedef int (*session_listen_service_fn) (stream_session_t *, + session_endpoint_t *); + +/* *INDENT-OFF* */ +static session_listen_service_fn +session_listen_srv_fns[TRANSPORT_N_SERVICES] = { + session_listen_vc, + session_listen_vc, + session_listen_app, +}; +/* *INDENT-ON* */ + +int +stream_session_listen (stream_session_t * s, session_endpoint_t * sep) +{ + transport_service_type_t tst = tp_vfts[sep->transport_proto].service_type; + return session_listen_srv_fns[tst] (s, sep); +} + /** * Ask transport to stop listening on local transport endpoint. * @@ -1039,6 +1125,14 @@ session_manager_get_evt_q_segment (void) return 0; } +/* *INDENT-OFF* */ +static session_fifo_rx_fn *session_tx_fns[TRANSPORT_TX_N_FNS] = { + session_tx_fifo_peek_and_snd, + session_tx_fifo_dequeue_and_snd, + session_tx_fifo_dequeue_internal +}; +/* *INDENT-ON* */ + /** * Initialize session layer for given transport proto and ip version * 
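Review bot: session_listen_app copies the endpoint into `esep` and sets `esep.app_index` but never initializes `esep.opaque`, so the transport's `bind` receives an indeterminate field; session_open_app, by contrast, sets both members. Add `esep.opaque = 0;` after the app_index assignment, or document that bind must ignore it. The three positional dispatch tables (session_open_srv_fns, session_listen_srv_fns, session_tx_fns) are indexed by enum values but list their entries by position; designated initializers keyed on the service-type and tx-type enumerators would tie each slot to its enum and survive a reordering.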
@@ -1061,15 +1155,18 @@ session_register_transport (transport_proto_t transport_proto, vec_validate (smm->session_tx_fns, session_type); /* *INDENT-OFF* */ - foreach_vlib_main (({ - next_index = vlib_node_add_next (this_vlib_main, session_queue_node.index, - output_node); - })); + if (output_node != ~0) + { + foreach_vlib_main (({ + next_index = vlib_node_add_next (this_vlib_main, + session_queue_node.index, + output_node); + })); + } /* *INDENT-ON* */ smm->session_type_to_next[session_type] = next_index; - session_manager_set_transport_rx_fn (session_type, - vft->tx_fifo_offset != 0); + smm->session_tx_fns[session_type] = session_tx_fns[vft->tx_type]; } transport_connection_t * @@ -1118,8 +1215,7 @@ session_manager_main_enable (vlib_main_t * vm) segment_manager_main_init_args_t _sm_args = { 0 }, *sm_args = &_sm_args; session_manager_main_t *smm = &session_manager_main; vlib_thread_main_t *vtm = vlib_get_thread_main (); - u32 num_threads; - u32 preallocated_sessions_per_worker; + u32 num_threads, preallocated_sessions_per_worker; int i, j; num_threads = 1 /* main thread */ + vtm->n_threads; diff --git a/src/vnet/session/session.h b/src/vnet/session/session.h index 364c6462dec..a6118d12766 100644 --- a/src/vnet/session/session.h +++ b/src/vnet/session/session.h @@ -114,6 +114,7 @@ typedef int extern session_fifo_rx_fn session_tx_fifo_peek_and_snd; extern session_fifo_rx_fn session_tx_fifo_dequeue_and_snd; +extern session_fifo_rx_fn session_tx_fifo_dequeue_internal; u8 session_node_lookup_fifo_event (svm_fifo_t * f, session_fifo_event_t * e); @@ -233,6 +234,8 @@ stream_session_is_valid (u32 si, u8 thread_index) } stream_session_t *session_alloc (u32 thread_index); +int session_alloc_fifos (segment_manager_t * sm, stream_session_t * s); +void session_free (stream_session_t * s); always_inline stream_session_t * session_get (u32 si, u32 thread_index) 
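Review bot: After this change the `foreach_vlib_main` that assigns `next_index` runs only when `output_node != ~0`, but `smm->session_type_to_next[session_type] = next_index;` is stored unconditionally; unless `next_index` is initialized at its declaration (outside the hunk) the skipped case stores an indeterminate value. Initialize it explicitly, e.g. `u32 next_index = ~0;` at the declaration or an `else next_index = ~0;` on the new `if`. `smm->session_tx_fns[session_type] = session_tx_fns[vft->tx_type];` also indexes a three-entry table with a value supplied by the registering transport; `ASSERT (vft->tx_type < TRANSPORT_TX_N_FNS);` documents and enforces that contract.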
@@ -453,7 +456,6 @@ transport_connection_t *session_get_transport (stream_session_t * s); u32 stream_session_tx_fifo_max_dequeue (transport_connection_t * tc); -stream_session_t *session_alloc (u32 thread_index); int session_enqueue_stream_connection (transport_connection_t * tc, vlib_buffer_t * b, u32 offset, @@ -531,6 +533,13 @@ listen_session_get_from_handle (session_handle_t handle) return s; } +always_inline void +listen_session_parse_handle (session_handle_t handle, u32 * type, u32 * index) +{ + *type = handle >> 32; + *index = handle & 0xFFFFFFFF; +} + always_inline stream_session_t * listen_session_new (session_type_t type) { @@ -573,18 +582,6 @@ session_manager_get_listener (u8 session_type, u32 index) index); } -/** - * Set peek or dequeue function for given session type - * - * Reliable transport protocols will probably want to use a peek function - */ -always_inline void -session_manager_set_transport_rx_fn (session_type_t type, u8 is_peek) -{ - session_manager_main.session_tx_fns[type] = (is_peek) ? - session_tx_fifo_peek_and_snd : session_tx_fifo_dequeue_and_snd; -} - always_inline u8 session_manager_is_enabled () { diff --git a/src/vnet/session/session_api.c b/src/vnet/session/session_api.c index f21701c3896..6c2643c8995 100755 --- a/src/vnet/session/session_api.c +++ b/src/vnet/session/session_api.c @@ -56,6 +56,8 @@ _(SESSION_ENABLE_DISABLE, session_enable_disable) \ _(APP_NAMESPACE_ADD_DEL, app_namespace_add_del) \ _(SESSION_RULE_ADD_DEL, session_rule_add_del) \ _(SESSION_RULES_DUMP, session_rules_dump) \ +_(APPLICATION_TLS_CERT_ADD, application_tls_cert_add) \ +_(APPLICATION_TLS_KEY_ADD, application_tls_key_add) \ static int session_send_memfd_fd (vl_api_registration_t * reg, const ssvm_private_t * sp) 
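Review bot: listen_session_parse_handle is added without a comment, and its split (`handle >> 32` as the type, low 32 bits as the index) must mirror however listener handles are built, which is not visible here; a doxygen header tying the two together, `/** Split a listener handle into session type (high 32 bits) and listener index (low 32 bits); must stay the inverse of the handle construction used by listen_session_get_from_handle */`, keeps the layouts from drifting apart. If the project already names the handle layout with a constant or helper, the function should use it rather than the literal `0xFFFFFFFF`.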
@@ -1102,6 +1104,64 @@ vl_api_session_rules_dump_t_handler (vl_api_one_map_server_dump_t * mp) /* *INDENT-ON* */ } +static void +vl_api_application_tls_cert_add_t_handler (vl_api_application_tls_cert_add_t * + mp) +{ + vl_api_app_namespace_add_del_reply_t *rmp; + vnet_app_add_tls_cert_args_t _a, *a = &_a; + clib_error_t *error; + u32 cert_len; + int rv = 0; + if (!session_manager_is_enabled ()) + { + rv = VNET_API_ERROR_FEATURE_DISABLED; + goto done; + } + memset (a, 0, sizeof (*a)); + a->app_index = clib_net_to_host_u32 (mp->app_index); + cert_len = clib_net_to_host_u16 (mp->cert_len); + vec_validate (a->cert, cert_len); + clib_memcpy (a->cert, mp->cert, cert_len); + if ((error = vnet_app_add_tls_cert (a))) + { + rv = clib_error_get_code (error); + clib_error_report (error); + } + vec_free (a->cert); +done: + REPLY_MACRO (VL_API_APPLICATION_TLS_CERT_ADD_REPLY); +} + +static void +vl_api_application_tls_key_add_t_handler (vl_api_application_tls_key_add_t * + mp) +{ + vl_api_app_namespace_add_del_reply_t *rmp; + vnet_app_add_tls_key_args_t _a, *a = &_a; + clib_error_t *error; + u32 key_len; + int rv = 0; + if (!session_manager_is_enabled ()) + { + rv = VNET_API_ERROR_FEATURE_DISABLED; + goto done; + } + memset (a, 0, sizeof (*a)); + a->app_index = clib_net_to_host_u32 (mp->app_index); + key_len = clib_net_to_host_u16 (mp->key_len); + vec_validate (a->key, key_len); + clib_memcpy (a->key, mp->key, key_len); + if ((error = vnet_app_add_tls_key (a))) + { + rv = clib_error_get_code (error); + clib_error_report (error); + } + vec_free (a->key); +done: + REPLY_MACRO (VL_API_APPLICATION_TLS_KEY_ADD_REPLY); +} + static clib_error_t * application_reaper_cb (u32 client_index) { diff --git a/src/vnet/session/session_debug.h b/src/vnet/session/session_debug.h index 702fe96ad33..12c667c08d8 100644 --- a/src/vnet/session/session_debug.h +++ b/src/vnet/session/session_debug.h 
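Review bot: Both new handlers declare the reply as `vl_api_app_namespace_add_del_reply_t *rmp` while replying with `VL_API_APPLICATION_TLS_CERT_ADD_REPLY` and `VL_API_APPLICATION_TLS_KEY_ADD_REPLY`; this presumably works only because the autoreply layouts coincide, and the declarations should be `vl_api_application_tls_cert_add_reply_t *rmp;` and `vl_api_application_tls_key_add_reply_t *rmp;`. In the key handler the private key is copied into `a->key` and released with `vec_free (a->key)` without being wiped, leaving a second copy of the key in freed memory alongside the one kept in the application; wipe it before the free. Neither handler checks that the requesting client owns `app_index`, so any API client can replace another application's credentials; if the API layer does not already enforce per-app ownership, resolving `mp->client_index` to its application and comparing indices is the place to do it. Whether the API framework validates `cert_len`/`key_len` against the received message size is not visible here; if it does not, a length check before each `clib_memcpy` is required.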
@@ -33,7 +33,7 @@ typedef enum _session_evt_dbg #define SESSION_DEBUG (0 && TRANSPORT_DEBUG) #define SESSION_DEQ_NODE_EVTS (0) -#define SESSION_EVT_POLL_DBG (1) +#define SESSION_EVT_POLL_DBG (0) #if SESSION_DEBUG diff --git a/src/vnet/session/session_node.c b/src/vnet/session/session_node.c index 796056e7088..9cd0ef18415 100644 --- a/src/vnet/session/session_node.c +++ b/src/vnet/session/session_node.c @@ -389,6 +389,20 @@ session_tx_fifo_dequeue_and_snd (vlib_main_t * vm, vlib_node_runtime_t * node, n_tx_pkts, 0); } +int +session_tx_fifo_dequeue_internal (vlib_main_t * vm, + vlib_node_runtime_t * node, + session_manager_main_t * smm, + session_fifo_event_t * e0, + stream_session_t * s0, u32 thread_index, + int *n_tx_pkts) +{ + application_t *app; + app = application_get (s0->opaque); + svm_fifo_unset_event (s0->server_tx_fifo); + return app->cb_fns.builtin_app_tx_callback (s0); +} + always_inline stream_session_t * session_event_get_session (session_fifo_event_t * e, u8 thread_index) { @@ -505,7 +519,7 @@ session_node_lookup_fifo_event (svm_fifo_t * f, session_fifo_event_t * e) clib_memcpy (e, headp, q->elsize); found = session_node_cmp_event (e, f); if (found) - break; + return 1; if (++index == q->maxsize) index = 0; } @@ -657,7 +671,7 @@ skip_dequeue: continue; svm_fifo_unset_event (s0->server_rx_fifo); app = application_get (s0->app_index); - app->cb_fns.builtin_server_rx_callback (s0); + app->cb_fns.builtin_app_rx_callback (s0); break; case FIFO_EVENT_RPC: fp = e0->rpc_args.fp; diff --git a/src/vnet/session/session_test.c b/src/vnet/session/session_test.c index 85e8732ddab..91ac351f860 100644 --- a/src/vnet/session/session_test.c +++ b/src/vnet/session/session_test.c @@ -69,12 +69,6 @@ dummy_del_segment_callback (u32 client_index, const ssvm_private_t * fs) return 0; } -int -dummy_redirect_connect_callback (u32 client_index, void *mp) -{ - return VNET_API_ERROR_SESSION_REDIRECT; -} - void dummy_session_disconnect_callback (stream_session_t * s) { 
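Review bot: session_tx_fifo_dequeue_internal calls `application_get (s0->opaque)` and then dereferences `app->cb_fns.builtin_app_tx_callback` with no check that the lookup succeeded or that the app registered a TX callback, so a session whose `opaque` is not an application index, or an app with a NULL callback, faults inside the session node. A guard such as `if (PREDICT_FALSE (!app || !app->cb_fns.builtin_app_tx_callback)) return 0;` before the unset-event covers both. The function also leaves `n_tx_pkts` untouched, unlike its siblings; if callers accumulate that counter, a short comment stating that the internal dequeue produces no packets explains the omission.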
@@ -104,7 +98,7 @@ static session_cb_vft_t dummy_session_cbs = { .session_connected_callback = dummy_session_connected_callback, .session_accept_callback = dummy_session_accept_callback, .session_disconnect_callback = dummy_session_disconnect_callback, - .builtin_server_rx_callback = dummy_server_rx_callback, + .builtin_app_rx_callback = dummy_server_rx_callback, .add_segment_callback = dummy_add_segment_callback, .del_segment_callback = dummy_del_segment_callback, }; @@ -1316,8 +1310,10 @@ session_test_rules (vlib_main_t * vm, unformat_input_t * input) SESSION_TEST ((handle == SESSION_DROP_HANDLE), "lookup for 1.2.3.4/32 1234 " "5.6.7.8/16 432*2* in local table should return deny"); + connect_args.app_index = server_index; connect_args.sep = sep; + error = vnet_connect (&connect_args); SESSION_TEST ((error != 0), "connect should fail"); rv = clib_error_get_code (error); diff --git a/src/vnet/session/stream_session.h b/src/vnet/session/stream_session.h index 5c4601daa31..6f6dce66040 100644 --- a/src/vnet/session/stream_session.h +++ b/src/vnet/session/stream_session.h @@ -85,8 +85,13 @@ typedef struct _stream_session_t /** Transport specific */ u32 connection_index; - /** Parent listener session if the result of an accept */ - u32 listener_index; + union + { + /** Parent listener session if the result of an accept */ + u32 listener_index; + /** Opaque, for general use */ + u32 opaque; + }; CLIB_CACHE_LINE_ALIGN_MARK (pad); } stream_session_t; 
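Review bot: The new `opaque` member of stream_session_t aliases `listener_index`, but the comment `/** Opaque, for general use */` does not say who owns which alias or when it is valid, which is exactly what a reader of `listener_index` now needs to know. Since the session_node.c change in this commit reads it as an application index, something like `/** App index for sessions handled by an app transport; aliases listener_index, which is only meaningful for accepted sessions */` would document the actual use, hedged as needed if other readers exist.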
@@ -133,20 +138,27 @@ typedef struct local_session_ CLIB_CACHE_LINE_ALIGN_MARK (pad); } local_session_t; +#define foreach_session_endpoint_fields \ + foreach_transport_connection_fields \ + _(u8, transport_proto) \ + _(u8, app_proto) \ + typedef struct _session_endpoint { - /* - * Network specific - */ #define _(type, name) type name; - foreach_transport_connection_fields + foreach_session_endpoint_fields #undef _ - /* - * Session specific - */ - u8 transport_proto; /**< transport protocol for session */ } session_endpoint_t; +typedef struct _session_endpoint_extended +{ +#define _(type, name) type name; + foreach_session_endpoint_fields +#undef _ + u32 app_index; + u32 opaque; +} session_endpoint_extended_t; + #define SESSION_IP46_ZERO \ { \ .ip6 = { \ @@ -161,6 +173,7 @@ typedef struct _session_endpoint .is_ip4 = 0, \ .port = 0, \ .transport_proto = 0, \ + .app_proto = 0, \ } #define session_endpoint_to_transport(_sep) ((transport_endpoint_t *)_sep) diff --git a/src/vnet/session/transport.c b/src/vnet/session/transport.c index acbb4f65e7a..797bdad1eaa 100644 --- a/src/vnet/session/transport.c +++ b/src/vnet/session/transport.c @@ -96,6 +96,10 @@ unformat_transport_proto (unformat_input_t * input, va_list * args) *proto = TRANSPORT_PROTO_SCTP; else if (unformat (input, "SCTP")) *proto = TRANSPORT_PROTO_SCTP; + else if (unformat (input, "tls")) + *proto = TRANSPORT_PROTO_TLS; + else if (unformat (input, "TLS")) + *proto = TRANSPORT_PROTO_TLS; else return 0; return 1; diff --git a/src/vnet/session/transport.h b/src/vnet/session/transport.h index 76ee2262ecd..ed9eb02754e 100644 --- a/src/vnet/session/transport.h +++ b/src/vnet/session/transport.h 
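Review bot: `foreach_session_endpoint_fields` ends with `_(u8, app_proto) \` followed by an empty line, so the macro continuation swallows the blank line; dropping that last backslash keeps the definition self-contained. `session_endpoint_extended_t` repeats the field list rather than embedding `session_endpoint_t`, and both structs are evidently relied upon to share the transport-endpoint prefix (see `session_endpoint_to_transport`), so a comment on each stating that the transport fields must stay first, backed by a static assertion on the offsets of the shared members, would protect those casts against a future field being inserted in the wrong place.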
@@ -25,20 +25,34 @@ */ typedef struct _transport_connection { - ip46_address_t rmt_ip; /**< Remote IP */ - ip46_address_t lcl_ip; /**< Local IP */ - u16 lcl_port; /**< Local port */ - u16 rmt_port; /**< Remote port */ - u8 proto; /**< Protocol id */ - u8 is_ip4; /**< Flag if IP4 connection */ - u32 fib_index; /**< Network namespace */ + /** Connection ID */ + union + { + /* + * Network connection ID tuple + */ + struct + { + ip46_address_t rmt_ip; /**< Remote IP */ + ip46_address_t lcl_ip; /**< Local IP */ + u16 lcl_port; /**< Local port */ + u16 rmt_port; /**< Remote port */ + u8 proto; /**< Protocol id */ + u8 is_ip4; /**< Flag if IP4 connection */ + u32 fib_index; /**< Network namespace */ + }; + /* + * Opaque connection ID + */ + u8 opaque_conn_id[42]; + }; u32 s_index; /**< Parent session index */ u32 c_index; /**< Connection index in transport pool */ u32 thread_index; /**< Worker-thread index */ - fib_node_index_t rmt_fei; /**< FIB entry index for rmt */ - dpo_id_t rmt_dpo; /**< Forwarding DPO for rmt */ + /*fib_node_index_t rmt_fei; + dpo_id_t rmt_dpo; */ #if TRANSPORT_DEBUG elog_track_t elog_track; /**< Event logging */ @@ -64,6 +78,7 @@ typedef struct _transport_connection #define c_cc_stat_tstamp connection.cc_stat_tstamp #define c_rmt_fei connection.rmt_fei #define c_rmt_dpo connection.rmt_dpo +#define c_opaque_id connection.opaque_conn_id } transport_connection_t; typedef enum _transport_proto @@ -72,6 +87,7 @@ typedef enum _transport_proto TRANSPORT_PROTO_UDP, TRANSPORT_PROTO_SCTP, TRANSPORT_PROTO_NONE, + TRANSPORT_PROTO_TLS, TRANSPORT_N_PROTO } transport_proto_t; diff --git a/src/vnet/session/transport_interface.h b/src/vnet/session/transport_interface.h index 09542e6a6aa..04a5ff263b1 100644 --- a/src/vnet/session/transport_interface.h +++ b/src/vnet/session/transport_interface.h 
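Review bot: `u8 opaque_conn_id[42]` hard-codes the size of the sibling network-tuple struct (two ip46_address_t, two u16, two u8 and one u32 add up to 42 bytes), so the moment a field is added to that struct the opaque id silently stops covering the whole tuple. Document the derivation and pin it, e.g. `/* 2*sizeof(ip46_address_t) + 2*2 + 2*1 + 4: must cover the tuple above */` together with a static assertion such as `_Static_assert (offsetof (transport_connection_t, fib_index) + sizeof (u32) == sizeof (((transport_connection_t *) 0)->opaque_conn_id), "opaque id must cover the tuple");`. The `rmt_fei` and `rmt_dpo` members are commented out rather than removed, while the following hunk keeps `#define c_rmt_fei connection.rmt_fei` and `#define c_rmt_dpo connection.rmt_dpo` pointing at members that no longer exist; either delete the dead code and both macros or keep the members. `TRANSPORT_PROTO_TLS` is appended after `TRANSPORT_PROTO_NONE`, so any code that iterates protocols up to `TRANSPORT_PROTO_NONE` or treats larger values as invalid would skip TLS; if that ordering is deliberate a comment on the enum should say why.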
@@ -19,9 +19,26 @@ #include <vnet/vnet.h> #include <vnet/session/transport.h> +typedef enum transport_dequeue_type_ +{ + TRANSPORT_TX_PEEK, /**< reliable transport protos */ + TRANSPORT_TX_DEQUEUE, /**< unreliable transport protos */ + TRANSPORT_TX_INTERNAL, /**< apps acting as transports */ + TRANSPORT_TX_N_FNS +} transport_tx_fn_type_t; + +typedef enum transport_service_type_ +{ + TRANSPORT_SERVICE_VC, /**< virtual circuit service */ + TRANSPORT_SERVICE_CL, /**< connectionless service */ + TRANSPORT_SERVICE_APP, /**< app transport service */ + TRANSPORT_N_SERVICES +} transport_service_type_t; + /* * Transport protocol virtual function table */ +/* *INDENT-OFF* */ typedef struct _transport_proto_vft { /* @@ -37,10 +54,11 @@ typedef struct _transport_proto_vft /* * Transmission */ - u32 (*push_header) (transport_connection_t * tconn, vlib_buffer_t * b); - u16 (*send_mss) (transport_connection_t * tc); - u32 (*send_space) (transport_connection_t * tc); - u32 (*tx_fifo_offset) (transport_connection_t * tc); + + u32 (*push_header) (transport_connection_t * tconn, vlib_buffer_t * b); + u16 (*send_mss) (transport_connection_t * tc); + u32 (*send_space) (transport_connection_t * tc); + u32 (*tx_fifo_offset) (transport_connection_t * tc); void (*update_time) (f64 time_now, u8 thread_index); /* @@ -56,11 +74,18 @@ typedef struct _transport_proto_vft u8 *(*format_connection) (u8 * s, va_list * args); u8 *(*format_listener) (u8 * s, va_list * args); u8 *(*format_half_open) (u8 * s, va_list * args); + + /* + * Properties + */ + transport_tx_fn_type_t tx_type; + transport_service_type_t service_type; } transport_proto_vft_t; +/* *INDENT-ON* */ extern transport_proto_vft_t *tp_vfts; -#define transport_proto_foreach(VAR, BODY) \ +#define transport_proto_foreach(VAR, BODY) \ do { \ for (VAR = 0; VAR < vec_len (tp_vfts); VAR++) \ if (tp_vfts[VAR].push_header != 0) \ |
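Review bot: The enum tag `transport_dequeue_type_` does not match its typedef `transport_tx_fn_type_t`, whereas the neighbouring pair `transport_service_type_` / `transport_service_type_t` agree; renaming the tag to `transport_tx_fn_type_` (and, for the same reason, aligning `TRANSPORT_TX_N_FNS` with the `TRANSPORT_N_SERVICES` naming) keeps the declarations parallel and greppable. The enumerator comments say which protocols use each mode but not what the mode changes for the session layer; since `TRANSPORT_TX_INTERNAL` presumably selects the new session_tx_fifo_dequeue_internal path, a comment like `/**< apps acting as transports: tx events are handed to the app's builtin tx callback instead of being dequeued by the session node */` would tell a reader where to look.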